13 IT security myths busted

Security experts warn against believing what you hear about malware, zero-day attacks, compliance and more

They're security myths: oft-repeated and generally accepted notions about IT security that are ... simply not true. As we did a year ago, we asked security professionals to share their favorite "security myths" with us. Here are 13 of them.

Security Myth #1: "Anti-virus is an effective way to protect you against malware."

Raimund Genes, Trend Micro CTO, says businesses use anti-virus because otherwise, "your auditors would kill you if you didn't run A/V." But A/V can't reliably protect against a targeted attack because before it's launched, attackers have checked to make sure it won't be caught by A/V software.

Security Myth #2: "Governments create the most powerful cyberattacks."

John Pescatore, director of emerging security trends at SANS, says most government attacks are simply re-using criminal-owned attack resources. And the U.S. Department of Defense likes to hype the threat from nation states to boost its budget. The sad truth is that denial-of-service attacks against banking Web sites such as Citibank can be stopped, but there hasn't been enough effort to do that. And governments going after other governments for espionage is nothing new, with China, the U.S., France, Russia and others at it for decades.

Pescatore also has two other favorite myths, both about cloud security, which taken together contradict each other: that "cloud services can never be secure" because they're shared services that can change whenever they want to, and that "the cloud is more secure because the providers do it for a living." About these two contradictory myths, Pescatore points out, "Many of the providers, like Google, Amazon, etc. did not build their clouds to provide enterprise class services or protect other people's information. In fact, Google built a very powerful cloud expressly to collect and expose other people's information via its search services."

But Pescatore also points out that the e-mail-based cloud services of Google and Microsoft, for example, have so far shown that when customer data was exposed, it was very rarely the fault of the provider and could mostly be ascribed to phishing attacks on customers. The enterprise customer, however, is still grappling with how to appropriately change its processes to match the cloud service providers in terms of incident response.

Security Myth #3: "All our accounts are in Active Directory and under control."

Tatu Ylonen, inventor of SSH and CEO of SSH Communications Security, says this misconception is common, but most organizations have built, and largely forgotten, functional accounts used by applications and automated processes, often managed by encryption keys and never audited. "Many large organizations have more keys configured to access their production servers than they have user accounts in Active Directory," Ylonen points out. "And these keys are never changed, never audited and not controlled. The whole identity and access management field generally manages interactive user accounts, and consistently ignores automated access by machines." But these keys intended for automated access can be used for attacks and virus spread if not properly managed.
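As an added illustration of the unaudited-key problem Ylonen describes (this is example code, not from the article or from SSH Communications Security), the following Python audit parses authorized_keys lines gathered from several hosts, counts distinct keys against the number of interactive directory accounts, and flags keys that carry no from=/command= restriction, have no identifying comment, or grant access on more than one host. The host names, key blobs and account count are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample: authorized_keys lines collected from three hosts (fake key blobs).
SAMPLE_HOSTS = {
    "db01": [
        "ssh-ed25519 AAAAC3key1 backup@jobs",
        'from="10.0.5.7",command="/usr/bin/rsync --server" ssh-ed25519 AAAAC3key2 rsync-only',
    ],
    "web01": [
        "ssh-ed25519 AAAAC3key1 backup@jobs",
        "ssh-rsa AAAAB3key3",
    ],
    "web02": [
        "# deploy key added 2011, owner unknown",
        "ssh-rsa AAAAB3key3",
        "ssh-ed25519 AAAAC3key1 backup@jobs",
    ],
}
USER_ACCOUNTS = 2  # constructed: interactive accounts in the directory

# authorized_keys line: [options] keytype base64-blob [comment]
# Options may contain quoted strings with spaces and commas, hence the quoted alternative.
KEY_RE = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]+|"[^"]*")+)\s+)?'
    r"(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))\s+"
    r"(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)


def parse_line(line):
    """Return a dict for one key line, or None for blanks, comments and unparsable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_RE.match(line)
    if not m:
        return None
    opts = m.group("opts") or ""
    return {
        "type": m.group("type"),
        "blob": m.group("blob"),
        "comment": m.group("comment") or "",
        "restricted": "from=" in opts or "command=" in opts,
    }


def audit(hosts, user_accounts):
    """Inventory keys across hosts and return counts plus a list of findings."""
    key_hosts = defaultdict(set)
    findings = []
    for host, lines in hosts.items():
        for key in filter(None, map(parse_line, lines)):
            key_hosts[key["blob"]].add(host)
            if not key["restricted"]:
                findings.append(f"{host}: key {key['blob']} has no from=/command= restriction")
            if not key["comment"]:
                findings.append(f"{host}: key {key['blob']} has no comment, owner unknown")
    for blob, hs in key_hosts.items():
        if len(hs) > 1:
            findings.append(f"key {blob} grants access on {len(hs)} hosts: {', '.join(sorted(hs))}")
    return {"keys": len(key_hosts), "user_accounts": user_accounts, "findings": findings}
```

Running `audit(SAMPLE_HOSTS, USER_ACCOUNTS)` on the sample shows three distinct keys against two directory accounts, which is exactly the imbalance Ylonen warns about.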

Security Myth #4: "Risk management techniques are all IT security needs."

Richard Stiennon, chief research analyst at IT-Harvest, says that although risk management "has become an accepted management technique," in reality "it focuses on an impossible task: identifying IT assets and assigning value to them." However this is attempted, it "will not reflect the value the attacker places on the intellectual property." Stiennon argues that "the only approach that will actually improve an enterprise's ability to counter targeted attacks is threat management, which requires a deep understanding of adversaries and their targets and methods."

Security Myth #5: "There are application security 'best practices'."

Jeremiah Grossman, CTO at WhiteHat Security, says security professionals commonly advocate for "best practices" thought to be "universally effective" and worthy of investment since they're "essential for everyone." These include software training, security testing, threat modeling, web application firewalls, and a "hundred other activities." But he thinks this typically overlooks the uniqueness of each operational environment.

Security Myth #6: "Zero-day vulnerabilities are a fact of life and impossible to predict or respond to effectively."

Zero-day attacks are generally described as those targeting vulnerabilities that have not yet been patched. But H.D. Moore, CSO at Rapid7 and creator of the Metasploit penetration-testing tool, argues the opposite, saying "security professionals can actually do a good job of predicting and avoiding problem software. If an organization depends on any software that it is 'impossible' to function without, there should be a plan in place for what to do if that software becomes a security liability. Selectively enabling that software and limiting the privileges it receives are both good strategies." He also says another favorite security myth is that "you can tell how secure a product or service is based on the number of publicly disclosed vulnerabilities." A good example, he says, is the notion that "WordPress is terrible, look how many vulnerabilities have been found so far!" But, he says, "a deep history of software flaws can be a natural result of a piece of software becoming more popular." Moore concludes: "By contrast, there are dozens of products with no published flaws that are often far less secure than a better-known and more widely audited application. In short, the number of published security vulnerabilities for a piece of software is a terrible indicator of how secure the latest version of that software is."

Security Myth #7: "The U.S. electric grid is well-protected under the North American Electric Reliability Corp.'s Critical Infrastructure Protection (CIP) requirements."

Joe Weiss, managing partner at Applied Control Solutions, argues that's a myth because CIP, drawn up by the industry itself, applies only to bulk distribution of power, not the entire distribution system, and also specifies only a certain size of power generation. "80% of the generation in the U.S. doesn't have to be looked at under CIP."

Security Myth #8: "I am compliant, therefore I am secure."

Bob Russo, general manager at the PCI Security Standards Council, says it's a common view among businesses that once they become compliant with the payment card data security rules, they are "secure once and for all." But ticking the compliance boxes only represents a "snapshot in time," while security is an ongoing process involving people, technology and processes.

Security Myth #9: "Security is the chief information security officer's problem."

Phil Dunkelberger, president and CEO at start-up Nok Nok Labs, says the chief information security officer is the one who takes the blame for data breaches, mainly because the job has set them up as the one who sets policy or technical direction. But many others in an organization, especially IT operations staff, also "own" security and need to take more responsibility for it.

Security Myth #10: "You're more secure on a mobile device than on a computer."

Dr. Hugh Thompson, RSA Conference program committee chair, believes that while this "frequent assumption" has some merit, it underestimates how some traditional safeguards on computers, such as password masking and URL previews, don't apply to mobile devices today. "So while mobile devices still offer more security protections than a laptop or desktop, several broken traditional security practices can leave you just as vulnerable."

Security Myth #11: "You can be 100% secure but you need to give up personal freedoms."

Stuart McClure, CEO and president of start-up Cylance, says he doesn't buy the argument that to fight the bad guys online we must "submit all our traffic to the government to do it." It's far better to understand the bad guys, "predicting their moves, their tools," and "getting into their skin."

Security Myth #12: "Point-in-time security is all you need to block malware."

Martin Roesch, founder of Sourcefire and inventor of the Snort intrusion-detection system, says security defense too often is limited to catching or not catching any type of attack, and if it's missed, that defense "practically ceases to be a factor in the unfolding follow-on activities of an attacker." A newer model of security operates continuously to update information even if the initial attack on the network is missed in order to understand the scope of the attack and contain it.

Security Myth #13: "With the right protection, attackers can be kept out."

Scott Charney, Microsoft corporate vice president for Trustworthy Computing, says, "We often associate security with keeping people out; locks on our doors, firewalls on our computers. But the reality is that even with sophisticated security strategies and excellent operations, a persistent and determined attacker will eventually find a way to break in. Acknowledging that reality, we should think differently about security." For the entire security community, that means a "protect, contain and recover" approach to combat threats today and in the future.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.

Copyright © 2013