[ISN] The Four Most Dangerous Security Myths

InfoSec News isn at c4i.org
Wed Oct 12 00:08:29 EDT 2005


http://www.informationweek.com/story/showArticle.jhtml?articleID=172300043

By Matthew Friedman
Networking Pipeline 
Oct. 10, 2005 

Network security is all about nightmares. As organizations have become
increasingly dependent on their networks and the Internet to provide
that essential link of data, capital and business intelligence, they
have also opened themselves up to risk - potentially immense
risk.

The litany of companies that have been burned by hackers, worms,
viruses and simple human error has made organizations wary of the
perils of the networked economy. There's so much out there in the
digital ether that can jump up and bite you. On the other hand, says
Justin Peltier, a senior security consultant with Peltier Associates
and leader of Web hacking seminars for the Computer Security
Institute, there are also a lot of myths out there.

"Network security has a particular affinity for myths," he says.  
"It's hard to change an opinion once it's made, and a lot of IT and
security professionals have based their opinions on received wisdom.  
They've heard about security risks, but they haven't tried it for
themselves. Some of these opinions might have been based on reality
but are no longer valid, and some is just based on what we've been
told."

What they've been told is often only partly true, if at all, he says.  
It's often based on misconceptions and preconceptions. These myths can
lull organizations into a false sense of security or distract them
from the real business at hand. Either way, they are legion, though
Peltier says that any organization serious about security can address
the handful of the biggest and most egregious myths through a combination
of experience and common sense.

"If you look at most other disciplines, you see facts and statistics
to back things up," he says. "That's not always true about security.  
It's not enough to just hear about something, you have to check it out
for yourself."

To help you separate truth from fiction, here are four of the most
dangerous security myths.


1. Patches always fix the security hole: Peltier is particularly
troubled by the complacency he sees surrounding patching. "An awful
lot of people think that, once you've applied a security patch, you'll
be okay," he says. "That just isn't true. Sometimes it works,
sometimes it moves the vulnerability somewhere else, and sometimes it
creates a new hole."

Above all, patches only address published exploits, and just because
the hole hasn't been published doesn't mean it isn't there. The
problem is that networking is based on technologies developed in an
earlier, more innocent time, and many of the biggest vulnerabilities
are inherent flaws in the architecture of TCP/IP. Network miscreants
are probing networks right now, looking for weaknesses, and there is
"almost inevitably" a lag between what they know and what vendors and
security professionals know.

"You need to find the holes before the bad guys do," he says. "Most
people think defensively, but you have to think offensively. It's
jujitsu."

The bottom line is that the only thing that will improve the situation
is a new architecture -- specifically IPv6. Peltier expects that
wholesale migration to the new version of TCP/IP will be motivated by
an inevitable wave of distributed denial of service attacks, "and
that's a good thing. Organizations have to start to plan for migration
now."


2. SSL is secure: Secure sockets layer (SSL) encryption has become so
ubiquitous that the last thing anyone wants to hear is that it's
fundamentally insecure, but Peltier says that our faith is unfounded.  
"No one is getting burned yet, but they will be," he says. "You see
the lock icon, and you assume you're safe -- but you're not."

The problem is that it's a negotiated security standard with two major
flaws, both of which can be exploited by man-in-the-middle attacks.  
"The first thing is that SSL depends on a negotiated certificate, but
when there is a problem in the negotiation, the only thing that
happens is that an alert window pops up. SSL hijacking is so easy
because of the implicit trust we have in the digital certificate."

The other problem is that SSL still supports export-grade 40-bit
encryption. The SSL transaction will negotiate down to the lowest
common level, Peltier says. "That's a big problem," he says. "Security
people don't get into SSL because they think it's a Web thing. But it
can open up the network, so it's really a network thing."
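
The negotiate-down behaviour described above, as an added example that is not part of the original article: a simplified model of cipher-suite selection in which the server picks the first suite on its own list that the client also offered. Suite names follow OpenSSL naming; the server list, the client offers, the 112-bit floor and the function names are assumptions constructed for the illustration.

```python
# Added illustration, not from the article. All lists below are constructed.

# OpenSSL-style suite name -> effective key strength in bits
SUITE_BITS = {
    "AES256-SHA": 256,
    "AES128-SHA": 128,
    "DES-CBC3-SHA": 112,
    "EXP-RC4-MD5": 40,       # export-grade
    "EXP-RC2-CBC-MD5": 40,   # export-grade
    "EXP-DES-CBC-SHA": 40,   # export-grade
}
MIN_BITS = 112  # assumed policy floor for this example

# Constructed server configuration that still enables export suites.
LEGACY_SERVER = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA",
                 "EXP-RC4-MD5", "EXP-RC2-CBC-MD5", "EXP-DES-CBC-SHA"]
FULL_CLIENT = list(SUITE_BITS)                          # offers everything
EXPORT_ONLY_CLIENT = ["EXP-RC4-MD5", "EXP-DES-CBC-SHA"]  # offer limited to 40-bit


def negotiate(client_offer, server_enabled):
    """Return the first server-preferred suite the client offered, else None."""
    for suite in server_enabled:
        if suite in client_offer:
            return suite
    return None  # no common suite: the handshake fails


def weak_suites(server_enabled, min_bits=MIN_BITS):
    """List enabled suites below the floor; unknown names count as weak."""
    return [s for s in server_enabled if SUITE_BITS.get(s, 0) < min_bits]


def harden(server_enabled, min_bits=MIN_BITS):
    """Return the server list with every suite below the floor removed."""
    return [s for s in server_enabled if SUITE_BITS.get(s, 0) >= min_bits]


if __name__ == "__main__":
    print("full offer      ->", negotiate(FULL_CLIENT, LEGACY_SERVER))
    print("export-only     ->", negotiate(EXPORT_ONLY_CLIENT, LEGACY_SERVER))
    print("weak on server  ->", weak_suites(LEGACY_SERVER))
    print("after hardening ->", negotiate(EXPORT_ONLY_CLIENT, harden(LEGACY_SERVER)))
```

With export suites removed from the server list, an export-only offer ends in a failed handshake instead of a 40-bit session, so the connection can only be as weak as the weakest suite the server leaves enabled.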


3. Theoretical vulnerabilities don't pose a danger: There are, Peltier
says, any number of vulnerabilities that are theoretically known, "but
can't yet be proven through proof of concept code." The operative
term, of course, is "yet," and just because the door hasn't been pried
open doesn't mean it won't be.

The problem is that you never know. "Vendors will often ignore
theoretical vulnerabilities until they become a really high profile
thing," Peltier says. "The best known one recently was the Windows
password hashes vulnerability."

Because it's impossible to say when a theoretical flaw will become an
exploit, Peltier says that organizations can't wait for vendors to
notify them of vulnerabilities. A complete security plan should
include keeping tabs on what the hacker and security research
community is talking about.

"These things don't come out of left field," he says. "There's always
a warning. There are always people jumping up and down saying 'there's
a hole here, there's a hole here,' when someone discovers an exploit.  
If you don't stay on top of this stuff, you're going to take six times
as long to fix the vulnerability because you won't know what part of
your anatomy to cover with your hand."


4. Wireless networks are inherently insecure: Wireless networking gets
a bad rap. The conventional wisdom holds that Wi-Fi is inherently less
secure than wired networks because in its early days, Peltier
concedes, the Wired Equivalency Privacy (WEP) protocol had more
security holes than Swiss cheese. The point, however, is that wireless
security has gone far beyond WEP; users just have to enable these
security features.

"Properly configured, wireless is actually much more secure than wired
networking," he says. "Proper configuration is everything, of course,
and you have to turn on WPA (Wi-Fi Protected Access) shared key
security, but it's not exactly difficult. You just have to select the
option from a drop-down menu."

With the Institute of Electrical and Electronics Engineers (IEEE)  
802.11i wireless security specification finalized and products already
shipping, Peltier hopes that Wi-Fi's bad rap will be laid to rest. "So
many people have been brainwashed to believe that wireless is
insecure, though," he muses.




