Dana Epp's ramblings at the Sanctuary: 7 Myths about Network Security


« SBS MVPS Community Groups Outreach - Canadian Workshops Tour 2005 \| Main \| Application Insecurity --- Who is at Fault? » April 04, 2005 7 Myths about Network Security So this evening I was doing the dew and catching up on some reading when I came across an interesting article on Security Pipeline about the "7 Myths of Network Security". It is well worth the read. In summary, the article breaks down the 7 Myths as: Myth: Encryption guarantees protection Myth: Firewalls will make you bulletproof Myth: Hackers ignore old software Myth: Macs Are safe Myth: Security tools and software patches make everybody safer Myth: As long as your corporate network is unbreached, hackers can't hurt you Myth: If you work for a security enterprise, your data is safe. So, as you can imagine, the article discusses how the opposite of the myths are true. Notice #4? I talked about that a bit last week. These are good points that I see on a regular basis. Please spread the word to others, and bust these myths. Happy reading. Posted by SilverStr at April 4, 2005 10:32 PM \| TrackBack Comments #5 is (perhaps purposely?) written in a somewhat misleading way. On re-reading #5 and the underlying assumptions given at (http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleId=18201800), one can see how the wording is misleading. What they really meant to say is that by releasing a patch, vendors make it easier to reverse engineer the original vulnerability into an exploit. In other words, if you /don't/ apply a released patch, you're probably /more/ vulnerable than you were before the patch was released. Moral of #5: patch as soon as you can, and you'll be safer. Moral of all the myths: there's no silver bullet. Everyone, no matter how diligent, has a level of vulnerability. It's possible to be 'more secure', but never possible to be 'completely secure'. Of course no professional is surprised by this. Posted by: Bryan at April 5, 2005 07:29 AM Bryan, Completely agree with you. Good points. As attackers get more lazy, they continue to rely on these patch cycles to find what has been broken. The sad state of affairs is that on a lot of recent attacks, they were in RESPONSE to a patch that wasn't widely applied. Patch management is still a weak piece of the puzzle. I think Debian Linux has the right idea with apt. I only hope things like WUS get this good to include 3rd party packages. Posted by: SilverStr at April 5, 2005 07:56 AM		My 5 Favorite Books Writing Secure Code Secure Programming Cookbook Security Engineering Secure Coding Principles & Practice Inside the Security Mind My 5 Favorite Papers Smashing the Stack Penetration Studies Covert Channel Analysis of Trusted Systems DoD Trusted Computer System Evaluation Criteria NSA Security Recommendation Guides Archives December 2005 November 2005 October 2005 September 2005 August 2005 July 2005 June 2005 May 2005 April 2005 March 2005 February 2005 January 2005 December 2004 November 2004 October 2004 September 2004 August 2004 July 2004 June 2004 May 2004 April 2004 March 2004 February 2004 January 2004 December 2003 November 2003 October 2003 September 2003 August 2003 July 2003 June 2003 May 2003 April 2003 March 2003 February 2003 January 2003 December 2002 November 2002 October 2002 September 2002 August 2002 July 2002 GeoURL

April 04, 2005

7 Myths about Network Security