They're security myths, oft-repeated and generally accepted notions about IT security that ... simply aren't true.
As we did a year ago, we've asked security professionals to share their favorite "security myths" with us. Here are 13 of them.
Security Myth #1: Anti-virus is protecting you against malware in an efficient way.
Raimund Genes, Trend Micro CTO, says businesses use anti-virus because otherwise, "your auditors would kill you if you didn't run A/V." But A/V can't reliably protect against a targeted attack because before it's launched, attackers have checked to make sure it won't be caught by A/V software.
Security Myth #2: Governments create the most powerful cyber attacks.
John Pescatore, director of emerging security trends at SANS, says most government attacks simply re-use attack resources owned by criminals. And the U.S. Department of Defense likes to hype the threat from nation states to boost its budget. The sad truth is that denial-of-service attacks against banking Web sites such as Citibank's can be stopped, but there hasn't been enough effort to do that. And governments going after other governments for espionage is nothing new, with China, the U.S., France, Russia and others at it for decades.
Pescatore also has two other favorite myths, both about cloud security, which taken together contradict each other: first, that "cloud services can never be secure" because they're shared services that can change whenever they want to, and second, that "the cloud is more secure because the providers do it for a living." About these two contradictory myths, Pescatore points out, "Many of the providers, like Google, Amazon, etc. did not build their clouds to provide enterprise class services or protect other people's information. In fact, Google built a very powerful cloud expressly to collect and expose other people's information via its search services."
But Pescatore also points out that e-mail-based cloud services from Google and Microsoft, for example, have so far shown that when customer data was exposed, it was very rarely the fault of the provider and could mostly be ascribed to phishing attacks on customers. But the enterprise customer is still grappling with how to appropriately change its processes to match the cloud service providers in terms of incident response.