Nine Security Practices That May Not Be Effective
We recently looked at nine security tips that go outside the box of conventional thinking. Along with thinking about security practices creatively, however, we need to be aware of the shortcomings that come with standard defensive and protective measures.
InfoWorld recently published a report, titled “18 Surprising Tips for Security Pros,” that looked at widespread practices and tools that may end up offering a false sense of security. It’s not that these practices are ineffectual — it’s that their effectiveness is limited and they do not fully address the challenges security professionals face.
Nine Security Practices to Reconsider
There are common cybersecurity practices that could potentially lull IT professionals into complacency. Below are nine roadblocks that may speak to security leaders.
1. Antivirus Software Is Limited
Once upon a time, antivirus programs could be counted on to recognize most viruses, worms and other malware. Today, many end users still assume that having antivirus software means they are safe, but malware now evolves and proliferates so quickly that antivirus vendors cannot keep up.
2. Firewalls Are Even More Limited
The goal of firewalls is to block unwanted software, specifically malware. But most malware now relies on social engineering schemes to bust through firewalls. As a result, despite multiple firewall barriers, security teams face more penetrating attacks than ever.
3. Even Patching Is Limited
Security professionals have long pointed to updating software with security patches as the most important measure that users can take. Unfortunately, keeping patches updated is tricky, and patch managers usually fall short. Even more unfortunately, the rise of social engineering attacks has made traditional software vulnerabilities a relatively minor factor, so patching now protects against only 10 to 20 percent of attacks, according to the report.
4. Poor User Education
The security community has been warning end users about unsafe practices since the dawn of time, but users keep engaging in them. In the age of social engineering, user blunders seem more egregious than ever. Better application security and well-designed default prompts will do more to protect people than another lecture about bad security practices.
5. Strong Passwords Won’t Save You
Yes, on the whole, users’ password habits are especially execrable. Multiple studies have shown that people will happily reveal their passwords to almost anyone. But even strong passwords won’t help if attackers trick users, gain admin access, harvest the password hashes and stroll cheerfully through the checkpoints — and unfortunately, this is what a growing number of cybercriminals are doing.
6. Intrusion Detection Can’t Judge Intent
The purpose of an intrusion detection system (IDS) is to warn of suspicious activity. But what counts as suspicious? From the activity that the IDS sees, a fraudster using stolen credentials to access financial data looks just like a legitimate user performing a routine action. Uncertainty and false positives can render these warnings ineffectual.
7. The Public Key Infrastructure Is Broken
The system of public and private encryption keys has become the foundation of our encryption protection. Mathematically, it is the picture of elegance. But in the real world, numerous certification organizations have been breached, resulting in the proliferation of fraudulent keys. Moreover, how many users even care or change their behavior if a website is flagged as untrusted?
8. Appliances Are Easy to Attack
Appliances, in the IT sense, are supposed to enhance security by limiting the functionality of specialized devices such as routers. Yet, in practice, all too many appliances come with malware. Since appliances and their firmware are harder to update, if they can be updated at all, this malware is almost impossible to get rid of. Appliances have their advantages, but security is not one of them.
9. Sandboxes Don’t Stay Sandboxed
The goal of sandboxing is to let applications that may not be trustworthy run in a controlled environment where their access to system resources is limited. Still, cybercriminals regularly penetrate sandboxes and manage to do real-world harm to the systems the sandbox was supposed to protect.
Curtain Call for Security Theater
The unfortunate fact of life, according to the InfoWorld report, is that too many of our security practices can be chalked up to “security theater.” That is, they give the impression of security by flashing badges and imposing some inconveniences but don’t actually provide much protection against threats.
The security practices listed are not wrong, but they are insufficient to address the real security threats teams face today.