Part of the problem is that the websites and programs using digital certificates have been lackadaisical in their use, allowing certificate error messages to become an everyday occurrence. End-users who did not ignore digital certificate error messages would not be able to participate in a large segment of legitimate online life, sometimes including remote access to their own workplace systems. Browser vendors could enforce digital certificate errors so that any error, earned or mistaken, would result in the site or service not being presented, but customers would revolt and choose another browser. Instead, everyone blithely ignores our broken PKI system. On the whole, the masses don't care.
The main benefit of appliances -- increased security -- hasn't panned out. By having a smaller OS footprint, usually a locked-down version of Linux or BSD, appliances promise to be less exploitable than fully functional computers running traditional OSes. Yet, in more than 10 years of testing security appliances for InfoWorld, I've only once been sent an appliance that didn't contain a known public exploit. Appliances are nothing but operating systems on closed hard drives or firmware, and those designs are innately harder to keep patched.
For example, last week in the midst of red-team testing against a large Fortune 100 company, I found that each of the hundreds of wireless network controllers had unpatched Apache and OpenSSH services running; either would have let hackers on the public wireless network reach the internal corporate network as admin. Their IDS and firewall devices contained public scripts that had long ago been found to have remote bypass vulnerabilities, letting an attacker sidestep the devices' authentication entirely. Their email appliance was running an insecure FTP service that allowed anonymous uploads.
These are not unusual findings. Appliances often contain just as many vulnerabilities as their software-only counterparts; they're just harder to update and usually aren't. Instead of being hardened security devices, they are an attacker's dream. I love doing penetration testing on environments with lots of appliances. It makes my life significantly easier.
I sigh every time a new security sandbox is announced. These sandboxes are supposed to make exploits against the software they protect impossible, or at least significantly harder to pull off. The reality is that every security sandbox developed so far has eventually been broken once it drew hackers' attention.
Today the biggest security sandboxes are probably best represented by Java and Google's Chrome browser, and both have suffered over 100 exploits that perforated the sandbox and allowed direct access to the underlying system. However, that doesn't stop the dreamers who think they'll find one that will halt all exploits and put down computer maliciousness forever.
Unfortunately, a lot of computer security is more security theater than protection. Your job is to pick through the myriad solutions and employ the ones that truly reduce risk. The security practices listed above are overhyped. How do you know? Because IT is implementing every one of them, yet malicious hacking and exploitation are more popular than ever. You can't ignore the facts.
This story, "9 popular IT security practices that just don't work," was originally published at InfoWorld.com.