Network security is all about nightmares. As organizations have become increasingly dependent on their networks and the Internet to provide that essential link of data, capital and business intelligence, they have also opened themselves up to potential risk – potentially immense risks.
The litany of companies that have been burned by hackers, worms, viruses and simple human error has made organizations wary of the perils of the networked economy. There's so much out there in the digital ether that can jump up and bite you. On the other hand, says Justin Peltier, a senior security consultant with Peltier Associates and leader of Web hacking seminars for the Computer Security Institute, there are also a lot of myths out there.
"Network security has a particularly affinity for myths," he says. "It's hard to change an opinion once it's made, and a lot of IT and security professionals have based their opinions on received wisdom. They've heard about security risks, but they haven't tried it for themselves. Some of these opinions might have been based on reality but are no longer valid, and some is just based on what we've been told."
What they've been told is often only partly true, if at all, he says. It's often based on misconceptions and preconceptions. These myths can lull organizations into a false sense of security or distract them from the real business at hand. Either way, they are legion, though Peltier says that any organization serious about security can address the handful the biggest and most egregious myths through a combination of experience and common sense.
"If you look at most other disciplines, you see facts and statistics to back things up," he says. "That's not always true about security. It's not enough to just hear about something, you have to check it out for yourself."
To help you separate truth from fiction, here are four of the most dangerous security myths.
1. Patches always fix the security hole: Peltier is particularly troubled by the complacency he sees surrounding patching. "An awful lot of people think that, once you've applied a security patch, you'll be okay," he says. "That just isn't true. Sometimes it works, sometimes it moves the vulnerability somewhere else, and sometimes it creates a new hole."
Above all, patches only address published exploits and just because the hole hasn't been published doesn’t mean it isn't there. The problem is that networking is based on technologies developed in an earlier, more innocent time, and many of the biggest vulnerabilities are inherent flaws in the architecture of TCP/IP. Network miscreants are probing networks right now, looking for weaknesses, and there is "almost inevitably" a lag between what they know and what vendors and security professionals know.
"You need to find the holes before the bad guys do," he says. "Most people think defensively, but you have to think offensively. It's jujitsu."
The bottom line is that the only thing that will improve the situation is a new architecture -- specifically IPv6. Peltier expects that wholesale migration to the new version of TCP/IP will be motivated by an inevitable wave of distributed denial of service attacks, "and that's a good thing. Organizations have to start to plan for migration now."
2. SSL is secure: Secure sockets layer (SSL) encryption has become so ubiquitous that the last thing anyone wants to hear is that it's fundamentally insecure, but Peltier says that our faith is unfounded. "No one is getting burned yet, but they will be," he says. "You see the lock icon, and you assume you're safe -- but you're not."
The problem is that it's a negotiated security standard with two major flaws, both of which can be exploited by man-in-the-middle attacks. "The first thing is that SSL depends on a negotiated certificate, but when there is a problem in the negotiation, the only thing that happens is that an alert window pops up. SSL hijacking is so easy because of the implicit trust we have in the digital certificate."
The other problem is that SSL still supports export-grade 40-bit encryption. The SSL transaction will negotiate down to the lowest common level, Peltier says. "That's a big problem," he says. "Security people don't get into SSL because they think it's a Web thing. But it can open up the network, so it's really a network thing."