While organizations are deploying firewalls, public key cryptography and complying with various security and privacy regulations, many of them are still hanging onto certain misperceptions, "falsehoods" and approaches that don't work, Charles Pfleeger, a security consultant and principal of the Pfleeger Consulting Group, said in a keynote speech at a recent security event jointly held by Kaspersky Lab and NYU-Polytechnic University in New York City. "There are a lot of dumb ideas," Pfleeger said, noting that some of the misconceptions can be found within the security community itself. In his keynote speech, Pfleeger used construction analogies to illustrate the importance of building applications and designing IT architectures with security in mind. It's easier to build a house with electricity from the start, rather than breaking into a freshly painted wall later to install cables, Pfleeger said. IT and security professionals should learn to recognize bad ideas for what they are and counter the erroneous notions when they come across them, he said. For this slide show, eWEEK chatted with security experts to expand on Pfleeger's initial list to highlight myths and fatuous ideas that put enterprises and users at risk.
We'll Do Security Later
This kind of thinking is very common during a merger or an acquisition or when the company is rushing out a new product. Since systems and networks are continuously evolving and getting more complicated, it is always difficult to retrofit security at a later date. Security should be considered from the start, not afterward.
We'll Do Privacy Later
The same erroneous thinking that applies to security applies to privacy: It might seem more important to get a new Internet service up and running and to start building up the online buzz before all the privacy policies and protections are in place. Organizations have to comply with a mishmash of regulations to ensure user privacy, so it's best to have all the ducks in a row before the regulators come knocking.
Encryption Is Enough
After practically every data breach, the organization is criticized for not encrypting the data. While it's important to protect sensitive data, it's equally important to think about the architecture and make sure the network is still secure. Insiders still have to be monitored to ensure they aren't abusing their privileges. People expect encryption to solve all problems, forgetting that implementation flaws, such as improperly storing the keys, can render encryption moot.
One Tool to Defend Them All
Pick the security technology, and there's someone out there convinced that it is the cure-all and the only thing needed for security utopia. It doesn't exist. While there are excellent antivirus, intrusion prevention, network monitoring and forensics tools available, none of them can do everything. Security tools are specialized, and there is no silver bullet. Focus on layered security, not a one-size-fits-all approach.
Security Must Be Perfect
Some executives have the attitude that if security can't be guaranteed, then it's not even worth talking about, putting the security professional in the position of having to downplay security risks or over-promise security. Organizations need to have metrics to measure risks and decide when security is "good enough" so they can focus on other areas. Security is about balancing protection and cost.
Security Is Easy … DIY Security
It's easy to look at the landscape and available technology and conclude that it can't be that hard to take charge of security. However, it's best to let people who have done it many times and know what they are doing take charge of security, instead of handing it over to someone who may not know how to deal with rough spots or unexpected situations. "How hard is that?" Plenty hard. Leave security to the professionals.
Find and Patch Is Sufficient
While regular testing is necessary to look for and patch flaws, it's not a replacement for security by design. All penetration testing does is plug holes to harden a broken product, which forces the organization to always be reactive. True security means making sure the common issues are not in the application in the first place and addressing the subtle, more complex problems that are discovered down the road.
We Aren't a Target
Wrong! Practically every organization, big and small, in all industries is a target. The threat actor can be a frustrated insider, a disgruntled ex-employee, a person out to make a political point, a cyber-criminal looking for the fastest way to make money or a corporate spy. The Sonys of the world aren't the only ones under attack. Small credit unions and mom-and-pop operations are targeted, too.
No One Knows About It
Security by obscurity sounds good in theory. If the attacker can't just Google the software you are running to find known vulnerabilities, then surely it's safe from attack. The most common attack vectors are cross-site scripting and SQL injection, attacks that are easily preventable but often overlooked by developers. If an attacker really wants to get in, they will do the research necessary.
We Just Need to Train the Users
It's another idea that sounds good in theory, but it's no excuse to skimp on the technology. Users need to be taught not to click on dodgy attachments, but they also shouldn't be seeing those files in their in-box in the first place. It's difficult even for the savviest Internet user to identify some of the latest scams. While technology can be patched, the human brain can't.