March 9, 2017 By Rick M Robinson 3 min read

We recently looked at nine security tips that go outside the box of conventional thinking. Along with thinking about security practices creatively, however, we need to be aware of the shortcomings that come with standard defensive and protective measures.

InfoWorld recently published a report, titled “18 Surprising Tips for Security Pros,” that looked at widespread practices and tools that may end up offering a false sense of security. It’s not that these practices are ineffectual — it’s that their effectiveness is limited and they do not fully address the challenges security professionals face.

Nine Security Practices to Reconsider

Some common cybersecurity practices can lull IT professionals into complacency. Below are nine limitations that security leaders should keep in mind.

1. Antivirus Software Is Limited

Once upon a time, antivirus programs could be counted on to recognize most viruses, worms and other malware. Today, many end users still assume that having antivirus software means they are safe, but malware now evolves and proliferates so quickly that antivirus vendors cannot keep up.

2. Firewalls Are Even More Limited

The goal of firewalls is to block unwanted software, specifically malware. But most malware now relies on social engineering schemes to bust through firewalls. As a result, despite multiple firewall barriers, security teams face more penetrating attacks than ever.

3. Even Patching Is Limited

Security professionals have long pointed to updating software with security patches as the most important measure that users can take. Unfortunately, keeping patches updated is tricky, and patch managers usually fall short. Even more unfortunately, the rise of social engineering attacks has made traditional software vulnerabilities a relatively minor factor, so patching now protects against only 10 to 20 percent of attacks, according to the report.

4. Poor User Education

The security community has been warning end users about unsafe practices since the dawn of time, but users keep engaging in them. In the age of social engineering, user blunders seem more egregious than ever. Better application security and well-designed default prompts will do more to protect people than another lecture about bad security practices.

5. Strong Passwords Won’t Save You

Yes, on the whole, users’ password habits are especially execrable. Multiple studies have shown that people will happily reveal their passwords to almost anyone. But even strong passwords won’t help if attackers trick users, gain admin access, harvest the password hashes and stroll cheerfully through the checkpoints — and unfortunately, this is what a growing number of cybercriminals are doing.

6. Intrusion Detection Can’t Judge Intent

The purpose of an intrusion detection system (IDS) is to warn of suspicious activity. But what counts as suspicious? From the activity that the IDS sees, a fraudster using stolen credentials to access financial data looks just like a legitimate user performing a routine action. Uncertainty and false positives can render these warnings ineffectual.

7. The Public Key Infrastructure Is Broken

The system of public and private encryption keys has become the foundation of our encryption protection. Mathematically, it is the picture of elegance. But in the real world, numerous certification organizations have been breached, resulting in the proliferation of fraudulent keys. Moreover, how many users even care or change their behavior if a website is flagged as untrusted?

8. Appliances Are Easy to Attack

Appliances, in the IT sense, are supposed to enhance security by limiting the functionality of specialized devices such as routers. Yet, in practice, all too many appliances come with malware. Since appliances and their firmware are harder to update, if they can be updated at all, this malware is almost impossible to get rid of. Appliances have their advantages, but security is not one of them.

9. Sandboxes Don’t Stay Sandboxed

The goal of sandboxing is to let applications that may not be trustworthy run in a controlled environment where their access to system resources is limited. Still, cybercriminals regularly penetrate sandboxes and manage to do real-world harm to the systems the sandbox was supposed to protect.

Curtain Call for Security Theater

The unfortunate fact of life, according to the InfoWorld report, is that too many of our security practices can be chalked up to “security theater.” That is, they give the impression of security by flashing badges and imposing some inconveniences but don’t actually provide much protection against threats.

The security practices listed are not wrong, but they are insufficient to address the real security threats teams face today.
