Security Myth #3: All our accounts are in Active Directory and under control.
Tatu Ylonen, inventor of SSH and CEO of SSH Communications Security, says this misconception is common, but most organizations have set up and largely forgotten functional accounts used by applications and automated processes, often managed by encryption keys and never audited. "Many large organizations have more keys configured to access their production servers than they have user accounts in Active Directory," Ylonen points out. "And these keys are never changed, never audited and not controlled. The whole identity and access management field generally manages interactive user accounts, and consistently ignores automated access by machines." But these keys, intended for automated access, can be abused for attacks and the spread of malware if not properly managed.
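The kind of inventory Ylonen says rarely happens can be started from the authorized_keys files themselves. The script below is an added example, not code from the article or from SSH Communications Security: it parses authorized_keys lines (including quoted option values), computes the OpenSSH-style SHA256 fingerprint of each key, and flags keys that carry none of the restricting options `from`, `command` or `restrict`; treating those three as the policy minimum for a functional account is an assumption, and the sample file and key blobs are constructed.

```python
import base64
import hashlib
RESTRICTING_OPTIONS = {"from", "command", "restrict"}  # assumed policy minimum for a functional account

def option_names(options):
    """Split an authorized_keys options field on commas outside double quotes; return the names."""
    names, cur, quoted = [], "", False
    for ch in options:
        quoted ^= ch == '"'
        if ch == "," and not quoted:
            names.append(cur.split("=", 1)[0]); cur = ""
        else:
            cur += ch
    return set(names + ([cur.split("=", 1)[0]] if cur else []))

def split_line(line):
    """Return (options, key_type, blob, comment); the options field is absent when the line starts with a key type."""
    i, quoted = 0, False
    while i < len(line) and (quoted or not line[i].isspace()):  # scan to first unquoted whitespace
        quoted ^= line[i] == '"'
        i += 1
    first = line[:i]
    options, rest = ("", line) if first.startswith(("ssh-", "ecdsa-", "sk-")) else (first, line[i:])
    parts = rest.split(None, 2)
    return options, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob (the form ssh-keygen -lf prints)."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text):
    """One record per key; 'restricted' is False when no limiting option is present."""
    report = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        options, key_type, blob, comment = split_line(line)
        report.append({"type": key_type, "fingerprint": fingerprint(blob), "comment": comment,
                       "restricted": bool(option_names(options) & RESTRICTING_OPTIONS)})
    return report
# Constructed sample (not real keys): a backup service account's authorized_keys file.
_blob = lambda n: base64.b64encode(b"constructed key material %d" % n).decode()
SAMPLE = "\n".join([
    "# keys for the backup functional account",
    f"ssh-ed25519 {_blob(1)} backup@oldhost",
    f'command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding ssh-ed25519 {_blob(2)} backup-job',
    f'from="10.0.0.0/8",restrict ssh-ed25519 {_blob(3)} deploy@ci',
    f"ssh-ed25519 {_blob(4)} former-contractor",
])
```

Run over every service account's file, the unrestricted entries are the ones with no answer to "who uses this key, from where, and for what".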
Security Myth #4: Risk management techniques are needed for IT security.
Richard Stiennon, chief research analyst at IT-Harvest, says although risk management "has become the accepted managerial technique," in reality "it focuses on an impossible task: identifying IT assets and ranking their value." No matter how this is attempted, it "will not reflect the value that attackers place on intellectual property." Stiennon argues "the only practice that will actually improve an enterprise's ability to counter targeted attacks is threat management, which entails deep understanding of adversaries and their targets and methodologies."
Security Myth #5: There are 'best practices' for application security.
Jeremiah Grossman, CTO at WhiteHat Security, says security professionals commonly advocate for "best practices" thought to be "universally effective" and worthy of investment since they're "essential for everyone." These include software training, security testing, threat modeling, web application firewalls, and a "hundred other activities." But he thinks this typically overlooks the uniqueness of each operational environment.
Security Myth #6: Zero-day exploits are a fact of life and impossible to predict or effectively respond to.
Zero-day exploits are those targeting vulnerabilities that are not yet publicly known, and so not yet patched. But H.D. Moore, CSO at Rapid7 and creator of the Metasploit penetration-testing tool, argues to the contrary that "security professionals can actually do a good job of predicting and avoiding problematic software." He adds: "If the organization depends on any software that is 'impossible' to function without, there should be a plan in place for what to do if that software becomes a security risk. Selective enablement and limiting the privileges that the software receives are both good strategies."

He also says another favorite security myth is that "You can tell how secure a product or service is based on the number of publicly disclosed vulnerabilities." He says a good example is the notion that "WordPress is terrible, look at how many vulnerabilities have been found so far!" But he says "the deep history of software flaws can be the natural result of a piece of software becoming popular." Moore concludes, "By contrast, there are dozens of products with no published flaws that are often much less secure than a better-known and more widely audited application. In short, the number of security flaws published for a piece of software is a terrible metric for how secure the latest version of that software is."