March 9, 2017 By Rick M Robinson 3 min read

We recently looked at nine security tips that go outside the box of conventional thinking. Along with thinking about security practices creatively, however, we need to be aware of the shortcomings that come with standard defensive and protective measures.

InfoWorld recently published a report, titled “18 Surprising Tips for Security Pros,” that looked at widespread practices and tools that may end up offering a false sense of security. It’s not that these practices are ineffectual — it’s that their effectiveness is limited and they do not fully address the challenges security professionals face.

Nine Security Practices to Reconsider

There are common cybersecurity practices that could potentially lull IT professionals into complacency. Below are nine of them that should resonate with security leaders.

1. Antivirus Software Is Limited

Once upon a time, antivirus programs could be counted on to recognize most viruses, worms and other malware. Today, many end users still assume that having antivirus software means they are safe, but malware now evolves and proliferates so quickly that antivirus vendors cannot keep up.

2. Firewalls Are Even More Limited

The goal of firewalls is to block unwanted software, specifically malware. But most malware now relies on social engineering schemes to bust through firewalls. As a result, despite multiple firewall barriers, security teams face more penetrating attacks than ever.

3. Even Patching Is Limited

Security professionals have long pointed to updating software with security patches as the most important measure that users can take. Unfortunately, keeping patches updated is tricky, and patch managers usually fall short. Even more unfortunately, the rise of social engineering attacks has made traditional software vulnerabilities a relatively minor factor, so patching now protects against only 10 to 20 percent of attacks, according to the report.

4. Poor User Education

The security community has been warning end users about unsafe practices since the dawn of time, but users keep engaging in them. In the age of social engineering, user blunders seem more egregious than ever. Better application security and well-designed default prompts will do more to protect people than another lecture about bad security practices.

5. Strong Passwords Won’t Save You

Yes, on the whole, users’ password habits are especially execrable. Multiple studies have shown that people will happily reveal their passwords to almost anyone. But even strong passwords won’t help if attackers trick users, gain admin access, harvest the password hashes and stroll cheerfully through the checkpoints — and unfortunately, this is what a growing number of cybercriminals are doing.

6. Intrusion Detection Can’t Judge Intent

The purpose of an intrusion detection system (IDS) is to warn of suspicious activity. But what counts as suspicious? From the activity that the IDS sees, a fraudster using stolen credentials to access financial data looks just like a legitimate user performing a routine action. Uncertainty and false positives can render these warnings ineffectual.
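To make that point concrete, here is an added example in Python (not code from this article or the InfoWorld report): a content-matching rule sees a stolen-credential login and a legitimate one as identical, while a per-user baseline of source address, device and working hours, which the example assumes an analyst has already collected, does separate them. The user name, addresses, device ids and threshold are all constructed sample values.

```python
# Added example: a toy IDS content rule versus a per-user behavioural baseline,
# run over constructed login events. Both the rule and the baseline are
# illustrative assumptions, not a real product's logic.
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    user: str
    src_ip: str
    device_id: str
    hour: int          # local hour of day, 0-23
    resource: str      # what was accessed after a successful login


# Constructed sample data: same account, same resource, valid credentials both times.
LEGIT = LoginEvent("alice", "10.0.4.17", "laptop-a1", 10, "finance-reports")
FRAUD = LoginEvent("alice", "198.51.100.8", "unknown-7f", 3, "finance-reports")


def signature_rule(ev: LoginEvent) -> bool:
    """Classic content rule: alert only on access to a known-sensitive object.
    Both events authenticate to a permitted resource, so the rule cannot tell
    them apart; this is the report's point that an IDS cannot judge intent."""
    return ev.resource in {"credential-store", "backup-vault"}


# Per-user baseline an analyst might learn from 30 days of history (constructed).
BASELINE = {
    "alice": {"ips": {"10.0.4.17"}, "devices": {"laptop-a1"}, "hours": range(8, 19)},
}


def baseline_score(ev: LoginEvent) -> int:
    """Count deviations from the user's normal context, one point each."""
    b = BASELINE.get(ev.user)
    if b is None:
        return 3  # unknown user: treat as maximally unusual
    score = 0
    score += ev.src_ip not in b["ips"]
    score += ev.device_id not in b["devices"]
    score += ev.hour not in b["hours"]
    return score


def is_suspicious(ev: LoginEvent, threshold: int = 2) -> bool:
    """Threshold of 2 is an assumption tuned to this sample, not a standard."""
    return baseline_score(ev) >= threshold
```

The baseline still cannot see intent; it only reports that the context is unusual, so the threshold decides how many such alerts analysts are willing to triage.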

7. The Public Key Infrastructure Is Broken

The system of public and private encryption keys has become the foundation of our encryption protection. Mathematically, it is the picture of elegance. But in the real world, numerous certification organizations have been breached, resulting in the proliferation of fraudulent keys. Moreover, how many users even care or change their behavior if a website is flagged as untrusted?

8. Appliances Are Easy to Attack

Appliances, in the IT sense, are supposed to enhance security by limiting the functionality of specialized devices such as routers. Yet, in practice, all too many appliances come with malware. Since appliances and their firmware are harder to update, if they can be updated at all, this malware is almost impossible to get rid of. Appliances have their advantages, but security is not one of them.

9. Sandboxes Don’t Stay Sandboxed

The goal of sandboxing is to let applications that may not be trustworthy run in a controlled environment where their access to system resources is limited. Still, cybercriminals regularly penetrate sandboxes and manage to do real-world harm to the systems the sandbox was supposed to protect.

Curtain Call for Security Theater

The unfortunate fact of life, according to the InfoWorld report, is that too many of our security practices can be chalked up to “security theater.” That is, they give the impression of security by flashing badges and imposing some inconveniences but don’t actually provide much protection against threats.

The security practices listed are not wrong, but they are insufficient to address the real security threats teams face today.
