7 Myths of Network Security

Thread: 7 Myths of Network Security

  1. #1
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743

    7 Myths of Network Security

    Found this tonight .. thought it would be a good base for discussion..

    7 Myths about Network Security

    So this evening I was doing the dew and catching up on some reading when I came across an interesting article on Security Pipeline about the "7 Myths of Network Security". It is well worth the read. In summary, the article breaks down the 7 Myths as:

    1. Myth: Encryption guarantees protection
    2. Myth: Firewalls will make you bulletproof
    3. Myth: Hackers ignore old software
    4. Myth: Macs Are safe
    5. Myth: Security tools and software patches make everybody safer
    6. Myth: As long as your corporate network is unbreached, hackers can't hurt you
    7. Myth: If you work for a security enterprise, your data is safe.
    #5 has me thinking

    Full Article : http://www.securitypipeline.com/show...0401820&pgno=1

    there you go have a read... and discuss
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #2
    Senior Member
    Join Date
    May 2004
    Posts
    519
    If security software patches don't make you safer then why would they distribute them?

    Obviously nothing makes you impenetrable but patching helps

  3. #3
    Senior Member wiskic10_4's Avatar
    Join Date
    Jan 2004
    Location
    Corpus Christi, TX
    Posts
    254
    "8. Myth: So long as the box is updated, patched and secured, end-user knowledge of security is irrelevant. "

    bah - or just a myth *I* must refute on a day-to-day basis, anyway...

    -Wiski C.
    My Corner of the Intarwebz: Jeremy Dean Online

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    I wonder if #5 refers to a false sense of security. Just because you patch doesn't mean you're 100% safe. There have been Microsoft patches and Linux kernel fixes (e.g., ptrace exploits) where the patch worked but the attackers figured out new ways around the patch. This might be partially why MS made the statement that exploits are only created after the patch is released.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    Senior Member
    Join Date
    May 2004
    Posts
    519
    Maybe they meant they don't make you safer because there is always another way in. Still though they do make you safer

  6. #6
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    "If security software patches don't make you safer then why would they distribute them?"
    a coder reverse engineering a patch to create a workaround..in other words look for a hole in the patch.

    I think wiskic10_4 covers it with this reply..
    "8. Myth: So long as the box is updated, patched and secured, end-user knowledge of security is irrelevant. "
    the weakest link in any system is the end user.. perhaps that should be Myth # 9 ..
    The weakest link is our assuming that the end user has an intelligence.. perhaps I am harsh.
    In a business environment the first weak link is insufficient training, the assumption that computer literate means knows the difference between an Executable and an Image file, that a *.PIF and *.SCR are files that could be harmful. (don't get me on the subject of trainers.. ****ing **** some of these don't know the difference between an operating system and an application, what hope is there for correct information on security.. and the lessons are taught as this is it.. all you need to know)
    Follow this with Poor Policy and even poorer enforcement..
    then we get down to the systems themselves..
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  7. #7
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    I think #5 refers to the fact that just because a patch is released, doesn't mean everyone has it applied. In a lot of cases there would be little to no exploit code released if the patch/exploit was never released at all. There would be a large hole, but no one would know it was there.

  8. #8
    Member
    Join Date
    Mar 2004
    Posts
    81
    Everything with security is constant vigilance. There is no, and probably will never be, an install and forget method. Everything should be checked : Log files, AV updates, OS patches. Admin policies and procedures should be double checked. The end users' normal day to day practices should be checked and, if needed, informed why a certain activity is not acceptable in the office.

    Nice article. Thanks for the link.

    ~Halv

  9. #9
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    Since you pointed to #5, that is what I will address, but I did not think the article referenced was well written or well thought out.
    Myth #5: Security tools and software patches make everybody safer
    Incorrect and naive, no stupid statement. Of course they make everybody safer, the question is to what extent.

    Just because security tools can be used by hackers does not mean they are not used to tighten security by those that give a damn. Hackers can use them to exploit systems managed by the sick, lame, and lazy, granted. But they can also be used to tighten systems, even systems that the average user ( those who I imagine the article was written for ) doesn’t even know affects their system(s).

    And just because someone can reverse engineer a patch does not mean they are going to find another exploit, it means they can find the one the patch fixed. So if the exploit wasn’t released they may be able to find a way to exploit un-patched systems. If it was released, they do not need to reverse engineer it from the patch.
    But if ( yeh, right ) people patched properly it won’t make a difference, it will help “ everybody” , especially if the upgrades are for things like DNS servers *** time stamp here *** .... anyone remember the advisories to update to latest version of BIND ???? Recent DNS cache poisoning come to mind here? ( Also has to do with Myth #3 )

    Perhaps it could have been worded better.

    Security tools and software patches prevent exploits

    Just my thoughts.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  10. #10
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    "Security tools and software patches prevent exploits"
    No they don't. They only prevent exploitation of existing and known vulnerabilities. I still view it as a false sense of security, almost like those firewalls that claim to be 100% hacker-proof. Load of crap. Too much FUDing is a bad thing as is too much blind faith in patches being the be-all-end-all solution. Patches have been known to make things worse (some open up old holes inadvertently or create new paths to those holes). IMO the statement should be:

    Security tools and software patches may prevent exploitation of your system. But you should double check everything regularly to be sure.


    Maybe I'm too paranoid.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
