Sach Ka Samna — Some InfoSec. Myths, Busted

OK, I am not Rajeev Khandelwal, but like our world, information security has its own share of myths that, over a period of time, have gathered quite a collection of believers, masking the truth. This article is an attempt to bust them with reasons.

Long passwords mean a secure system

Long passwords mean one thing: I will write it somewhere!

No, seriously. How else would I remember it?

Does that mean we should shorten our passwords? Not really. God is (as always) in the details.

What it means is that we have to be careful when choosing a password. Keep it easy to remember, yet tough for others to guess (yeah, all the best!). It also means that every time we choose to write it down somewhere, we are on our way to making our system insecure.

Oh, I almost forgot the mother of all password mistakes — sharing it with others!

Security is a trade-off. Be careful what you trade it for!

Keeping anti-virus updated will save me from viruses

The anti-virus industry is like the cops. We all know the probabilities and outcome of cop vs. thief: the cop has to win every time, the thief only once. What it means is, if you have a paid version AND the anti-virus that you currently use is the market leader (tough to determine), you can sleep on weekends (at night, sometimes).

Does that mean we should shut our systems down and dust our papers and pens off?

Update your anti-virus daily (and keep a licensed copy of it, please. Kaspersky has gone cheap. And no, I have not yet received any commission from them!), and while you are at it, keep a backup of your important data on separate media (not on a separate partition on the same machine).

Also, think about getting a firewall installed on your machine.

SSL is secure

Nothing is 100% secure. That small padlock icon means that the data between the client (your browser) and the server (where the website is stored) is encrypted. But it doesn’t mean that people cannot sniff the data (if the server is compromised, or if someone sniffed the initial cryptographic key, the classic Man in the Middle).

If I don’t access the Internet from my machine, my data is secure

True. But then you have to stop using USB sticks, stop using CDs/DVDs. In other words, stop using your computer.

Bottom line: there are more ways to get into your machine than there are hairs on my head (I am not bald!). What it takes to secure your machine is a collection of good security practices (including some boring work like patching your machines, changing your password regularly, not sharing your password, etc.).


Linux is more secure than Windows

While I personally like Linux (because of its power), it is also true that a misconfigured Linux system (or one that is not configured at all) is no better than Windows.

So, should we dump all our Windows systems and migrate to Linux? The answer for most of us is NO. One, we will have a hard time finding proper versions of everything that we require for our business. Two, the work associated with migration (including testing and training) doesn’t make it a viable solution.

A possible solution could be to use Linux for some servers (like file and mail servers) while keeping Windows for clients.

Information Security Standards & regulations are just pain-in-u-know-where

I couldn’t agree more! However, regulations are there because they are a response to some real pain that businesses had been facing for quite some time. Regulations like HIPAA, HITECH, and SOX evolved out of a business need to secure customer data. Ideally, they shouldn’t need to exist. Corporations/enterprises should have included security as part of their SDLC. More on that later, however.


We have to worry about hackers

Reports have shown that internal threats are more dangerous than outside ones. After all, we know the loopholes, right? Problem is, not everyone is unprofessional. People don’t do these kinds of things very often (even in a cut-throat world like ours). However, the cost of one incident is so great (IP loss, loss of image, etc.) that organizations have to consider this threat as real. Where there is money, there will be criminals (real or virtual).

Further, increasing reliance on contractors, consultants, and outsource vendors increases the exposure.