I gave a presentation today at Security Decisions on the Top Ten Security Myths. Here they are:
- Security through obscurity is a bad idea.
- Strong passwords are strong.
- Altruistic bugfinding is beneficial.
- You can’t quantify risk.
- You can’t get ROI from security.
- Security is about process, not product.
- SSNs are secret.
- Program x is more secure than program y.
- Stand up to your boss and "just say no."
- Security is failing.
To be clear, I disagree (totally or in part) with all of these things. What do you think?
Well I’m not sure I agree with that everything you have up there is a myth or not, but several I certainly agree with. I’m particularly curious about items 6 and 9. Can you elucidate further and/or post your slides from the presentation?
1. Security through obscurity is a bad idea.
((Yes, because the failure mode is ugly))
2. Strong passwords are strong.
((Sounds reasonable, but only true if the registration and deprovisioning process are any good))
6. Security is about process, not product.
((It is at least part process because the threat landscape is changing))
7. SSNs are secret.
((If only our cybersecurity czar would read this blog))
8. Program x is more secure than program y.
((Hmmm…not all of us are on the rubber chicken circuit, I mean the conference circuit, perhaps you can expand on this))
9. Stand up to your boss and “just say no.”
((See above))
10. Security is failing
((Hasn’t failed yet, check back for tomorrow’s forecast after headline news))
Hey Pete,
I saw your presentation in Chicago. I liked the “Donahue” approach to getting the audience involved but I’m not sure the “myths” are all that controversial. All the myths presented can be argued either way based on your level of risk. Also, I think some of the comments seem to contradict themselves……
An example that I didn’t get a chance to comment on at the conference has to do with process and ROI. Your example that patch management doesn’t have to follow a defined process to be effective. While I can see your point (to a limited extent), it throws the ROI argument out the window. You won’t get ROI by manually patching workstations and servers with an “all hands on deck” approach. I’m willing to bet you could justify the cost for an automated solution on a single worm outbreak using the manual method of patching. X engineers at X dollars per hour times X number of machines per patch cycle or incident makes a pretty compelling argument for a defineable, repeatable process. Right?? I guess that is a long-winded way of saying process, combined with the right product can demonstrate ROI.
Regarding strong passwords – well, that argument is hardly new and as always, based on the level of risk an individual or organization is willing to take to protect their data. Spafford made similar assertions back in April and this issue is getting a lot more attention from pundits, media and security professionals. multi-factor authentication, IMHO, is ripe for the taking and I am hopeful we are months rather than years away from seeing widespread adoption.
As always, great job at the conference and good luck at RSA in February.
@Darrin -
Thanks for the comments. To whatever extent these actually aren’t myths, well, good news for me, I guess!
Any other candidates come to mind?
Regarding process and ROI contradiction, we are talking about two different things. ROI is an efficiency exercise, it says nothing about strengthening security, per se – and that is the intent of the security is about process comment. I can see where my wording may need more clarity, but I don’t see it as contradictory at all.
@arthur -
6. Security is about process, not product. Typically used to suggest that you will have “better security” if you have better security admin processes. Potentially true, but having inline security solutions is much more likely to provide much higher benefits.
9. Just say no. Security folks often encourage each other to stand up to executives who want to do something that is “risky” in some way. We are the routinely paranoid types, and my suggestion (not really a new one) is to provide more information about the alternatives involved than to reject every proposal.
Send me an email if you want the slides (there isn’t much detail, however).
10. Security is failing
From Noam Eppel’s Security Absurdity article:
http://www.securityabsurdity.com/comments.php
* Financial Cryptographer Ian Grigg starts his April 2006 article in the Journal of Internet Banking and Commerce by saying, “It is slowly dawning on the world that Internet security isn’t working.”
* Jon Oltsik, Senior Analyst at Enterprise Strategy Group wrote a May 2006 article saying it’s, “Time to face the truth about data security”. He writes, “When it comes to confidential and private data security, the tired tech industry buzz phrase of ’people, process and technology’ is truly in play. Each of the three areas is badly broken and in dire need of repair.”
* Brent Huston wrote a September 2002 article for ITWorld titled, “Why Current Internet Security is Failing Us”. In it he wrote, “Face it, the system is broken. Internet security is in a state of decline, and if present trends continue, it will be an abysmal failure within five years.”
* David D. Clark of MIT In the Technology Review’s December/January 2006 cover story, “The Internet Is Broken” where he claims the Internet’s lack of security has decreased the ability to accommodate new technologies. And he delivers a strikingly pessimistic assessment of where the Internet will end up without dramatic intervention. “We might just be at the point where the utility of the Internet stalls — and perhaps turns downward”.
* Ken Birman of Cornell University wrote an article for the IEEE computer society in February 2006 where he said we are experiencing a, “profound failure in the area of security.” And Birman says that, “For all the hype about more secure versions of the major platforms and popular products, and the heavy investment in safeguarding the Internet, security has been a catastrophe.
* Bruce Schneier, founder and Chief Technology Officer at Counterpane Internet Security Inc, commented on my article saying, “It sounds like something I would write.” In fact, Schneier has been claiming security has been failing us for years such as when he told the US Senate’s Subcommittee on Science, Technology and Space that, “Every year, the problem gets worse. Security is failing us.” At this year’s Hack in the Box Security Conference (HITB) in Kuala Lumpur, Malaysia, Schneier repeated the message saying, “I don’t think, on the whole, we are winning the security war; I think we are losing it.”
* Professor Eugene H. Spaffords, who is one of the most senior and recognized leaders in the field of computing, stated during the keynote address at the recent AusCERT 2006 conference that, “Trends over the last 10 years indicate nothing related to overall information security is getting better.”
* Marcus Ranum has long spoken about our security failures. During a June 2005 interview he stated, “I believe we’re making zero progress in computer security, and have been making zero progress for quite some time.”
* Bruce Sterling claims in an article for PCWorld that, “the Internet is now in a golden age of criminal invention” and that, “the Internet’s running amok. We’re in a dark period for law and order.”
* Richard Forno, consultant for KRvW Associates argues that we are failing to acknowledge or fix an infrastructure plagued with problems and instead we are simply placing more complexity on top of existing (and flawed) complexity, in his article titled, “Why Internet security continues to fail”.
* Abe Kleinfeld, CEO of nCircle wrote in a May 2004 article, “For many reasons, network security is failing and corporations need to undergo a fundamental shift in how they approach security…”
* Tim Wilson, Site Editor of the Dark Reading Security site says that despite various government initiatives and organizations attempting to fight cybercrime, “computer criminals are winning the war. Phishing, spam, and identity theft are at all-time highs. There are more than enough gaps in our defenses to be exploited, and there are enough loopholes in the laws to make these vulnerabilities attractive lines of business for both casual hackers and organized crime.”
* Dan Hubbard, vice president of security research at Websense recently stated in a talk at Defcon 2006 that, “We are getting our butts kicked, there is no doubt about it”.
@Visitor -
Yes, I know that we in our industry suggest that security is failing. The myth part is simply that the users of the Internet (enterprises and users) clearly don’t. Else, they wouldn’t use the Internet, right?
Pete