8 Myths of Computer Security
by Ross Oliver
Mark Twain said it best: "It ain't what you don't know, it's what you know that ain't so." Just as any other industry, Information Security has its myths and misconceptions. They can be harmful if they cause us to squander our limited resources in the wrong areas, or rely on faulty ideas and techniques. Here are 8 of the most prevalent:
Myth #1: Complex passwords provide the best security
Many organizations have long lists of rules governing the content of passwords: they must be a certain minimum length, must not contain words found in various dictionaries, must contain non-alphanumeric characters, etc. The myth of the complex password stems from the need to thwart "exhaustive search" password cracking, in which every possible password is attempted until the correct one is found (also known as the "brute force" approach). By making the password as long and complex as possible, the time necessary to execute an exhaustive search is made prohibitive.
Yet exhaustive search attacks continue to succeed regularly. Rapid advancement in computing power and failure of many organizations to adequately monitor for failed login attempts erodes the value of the password as a single line of defense.
Complex passwords have an additional weakness: because they are difficult to remember, their owners are more likely to write them down. This substantially increases the risk of unauthorized password use. Another price to be paid is the expense of generating suitable passwords, enforcing the password rules, and supporting users who have forgotten their password. Furthermore, users develop a disdain toward a system that imposes so many rules and regulations, and that they perceive as a burden and difficult to use.
Designers of access control systems should take a lesson from the banking industry. Automated Teller Machine (ATM) cards are able to use simple 4-digit numeric passwords (known as PINs) because ATMs will disable a particular card if an incorrect PIN is given three times in succession. A computer access control system could perform a similar function. If an account registers three successive failed login attempts, the system should automatically lock out that account. To prevent denial-of-service attacks that would lock out legitimate users, the system should automatically remove the lock-out after some period of time, such as 15 minutes. Thus the temporary lock-out would be of only a minor inconvenience to a forgetful or sloppy-typing user, but enough to make exhaustive search attacks impractical. Thus a system of simple, easy-to-remember passwords combined with temporary lockouts would be able to defend against exhaustive search attacks, while at the same time eliminating the cost and usability problems of complex passwords.
Myth #2: Mandatory password changes improves security
A frequent companion to the rules governing password content is a rule requiring mandatory password changes. Some organizations even specify minimum password ages (to prevent users from immediately switching back to the previous password), password histories to prevent re-use of passwords, and minimum number of characters to change to assure that a new password is "different enough" from a previous one. All of these elaborate rules conspire to prevent mere mortal humans from accessing the systems they need, while driving up administrative and support costs for implementing and enforcing the rules.
The desire for mandatory password changes stems from belief that passwords to "leak out" over time. But mandatory password changes address only a symptom, not the underlying cause of these leaks. Eliminating account sharing, prompt account closing when users depart, regular auditing of all accounts, and educating users not divulge passwords under any circumstances would be far more effective for addressing the source of the leaks.
Myth #3: Intrusion detection is the wave of the future
Vendors of intrusion detection systems (IDS) prey on one of the greatest fears of IT managers: that an intruder could be inside their network without their knowledge. One of the leading advocates of intrusion detection systems, Bruce Schneier of Counterpane Internet Security, claims that IDS should come before firewalls, system hardening, and security policies. He calls this approach "Monitoring First." Such an approach could be a very effective sales pitch to harried IT executives hard-pressed to keep up with the latest security patches. "No need to secure your infrastructure, we'll watch out for you."
The fundamental flaw with all IDS products and methodologies is there is no evidence that they actually prevent intrusions, or mitigate their effects. The reason is response time. If the security alarm of an office building is triggered, there is a reasonable chance that the police can arrive in time to catch the burglar. But Internet security incidents happen at lightning speed; an incident can begin and end in a fraction of a second. Networks can be disrupted, software erased, and valuable data stolen before any response can be mounted.
To address the response time problem, some IDS advocates propose automated responses such as breaking network connections or shutting down services. However, this introduces a new problem: false alarms. Law enforcement agencies report that the false alarm rate of typical building burglar alarms can be as high as 95%. There is no evidence that network intrusion detection systems would be any less susceptible to false alarms. So, the automated responses would become a new impediment to legitimate users. An attacker could even use a network's own IDS to commit denial-of-service attacks.
The most effective security measures are proactive, not reactive. If an intrusion or misuse can be detected, then it can also be prevented. Intrusion Prevention Initiatives such as system hardening, applying security patches, using realistic access control systems, and regular auditing will provide the most protection against the actual effects of security incidents.
Myth #4: Biometrics will solve all access control problems
The strong appeal of biometric authentication is twofold. First is eliminating the cost of distribution, maintenance, and replacement of authenticators such as key cards or passwords. Second is ease of use: rather than struggle to remember a complex password or fumble with a lost or broken key card, the user simply touches her index finger to a small oval opening, and she is granted access almost as if by magic.
However, biometric devices have their drawbacks. For a population of any significant size (such as customers of a financial institution), no single biometric can fit 100% of the target population. There will always be a few people who lack thumbs, fingers, eyes, voices, or whatever particular biometric is selected.
There is a mistaken belief that because biometric devices rely on some physical characteristic, they cannot be fooled. Because of this belief, biometric devices are frequently deployed as single-factor identification systems (i.e. requiring no password or PIN code in addition to the biometric). However, biometric devices can be compromised by replay attacks and forgeries.
Using biometrics as single-factor authentication makes key theft a serious problem. If someone steals electronic copies of your fingerprints, what do you do? You can't get new ones. The results would be similar to the recent rash of personal identity theft cases, caused by the pervasiveness of the Social Security Number in the USA.
Storage, archiving and purging of biometric data also pose unanswered questions. When you change employers, change banks, or move to a different state, are the relevant biometric databanks purged? If a key employee leaves to take a job with a competitor, can the previous employer exploit any of that employee's biometric data?
Biometric devices do have great potential, but they must be used only as part of two-factor authentication system, along with a password or PIN. This will be more costly than using the selected biometric as a single-factor authentication, but is necessary as protection against forgeries, replays, and data theft.
Myth #5: Anti-virus software will save me from viruses
Nearly every personal computer sold today has some sort of anti-virus software pre-installed on it at the factory. Most enterprise servers also run virus scanners. And yet there continue to be frequent outbreaks of malicious viruses, causing untold harm to thousands of organizations around the world. What's the problem?
The Achilles heel of all anti-virus software is that it can detect and counteract viruses only after the initial outbreak. At today's lightning-fast Internet speeds, a new virus can wreak havoc on thousands of sites before a "software vaccine" is produced and distributed. And virus scanners are impotent in the most dangerous virus situation: where a malicious entity crafts a new and unknown virus targeted specifically at your organization.
In addition to failing to prevent the spread of new viruses, anti-virus software is becoming a serious impediment to legitimate software. False positives are becoming more common, and nearly every PC software package includes an admonishment to disable any virus scanner before installing.
The ultimate solution is the complete elimination of mobile code. Email, the most common method for spreading viruses, should be restricted to carrying information only, no actions permitted. Computer designers learned the importance of this concept long ago. Modern computer Central Processing Units (CPUs) segregate the data being processed from the instructions for processing, and keep them in separate areas of computer memory. Any attempts to execute instructions from the data area, or process data from the instructions area is flagged as a serious program error, and prohibited by the CPU. Until such data and code separation is enforced by Internet applications, and most especially email applications, viruses will continue to thrive.
Myth #6: Encrypting the data channel is enough to protect my data
In the early days of the Internet, there was a great deal of concern about "eavesdropping," on data in transit across town or around the world. This spawned the development of data channel encryption technologies such as SSL, SSH, PGP, and VPNs. But actual experience has shown that very little data is lost to eavesdropping. The mother lode of data theft has turned out to be the vast reservoirs of sensitive data stored in databases on inadequately secured systems and networks.
Channel encryption is only a portion of the protection your sensitive data needs. A comprehensive security policy and regular audits are also necessary to ensure the best protection of your valuable data.
Myth #7: The greatest security threat is from the Internet
While external attacks attract the most media attention (especially those with visible evidence such as defaced web sites) statistics show that 80% of the incidents which resulted in significant financial loss were perpetrated by insiders. Insiders know your systems, procedures, and weaknesses, and therefore can do much more damage. Insider incidents are often treated as personnel issues, and are not included in the security model.
Increasing use of contractors, consultants, and outsource vendors increases your exposure to "outside insiders". Bottom line: protect your systems from everyone.
Myth #8: Hiring hackers is the best way to secure my enterprise
The FBI is recruiting at DefCon. Venture capitalists shower "reformed" hacker bad boys with startup funding. In the home town of the alleged author of the Kournikova virus, the mayor wants to give the perpetrator a job. Pacific Bell runs television commercials proudly announcing that it hires hackers. But does employing "reformed" hackers really lead to better security?
The fact that a hacker can break into a system does not mean he has the skills to keep someone else out. Most hackers are opportunists, and lack the methodical, systematic approach vital for a successful security professional. A true hacker has already proven his disdain for rules and lack of respect for the rights of others. These rebellious attitudes are likely to be carried into the workplace, exposing his employer to serious liability problems.
Whether or not hackers make good security people, the practice of hiring of hackers actually causes a significant number of security incidents. Young security wanna-be's believe that perpetrating a security incident is a short-cut to a lucrative security job. Ending the practice of rewarding perpetrators would significantly reduce "resume building" security incidents.