Dark Reading's Top 10 IT Security Myths Demystified - Part 3

Submitted by Mike Rothman on Tue, 2006-07-25 08:33.

Returning for Day 3 of my series picking apart Dark Reading's Top 10 Security myths, let's do #5 and #6. The link to the main article is here.

Myth #5 - Employees Always Trustworthy (link here)

Our experts agree that any security strategy which doesn’t include the end user is doomed to failure.

I've been harping on the need for end user awareness training for as long as I've been doing Incite, so I'm totally on board with this one. Actually, I think the title of the myth is a bit misleading: they do mention the insider threat as kind of an afterthought, but most of the piece focuses on training and on ensuring the policies and defenses factor in the human element. That means people will do stupid things, even if they are not stupid people.

Thus far, this is the best myth-buster of them all. Correct perspective and written clearly. This one gets an A.

Myth #6 - Bad Guys are Winning (link here)

Behind every successful exploit is usually an improperly configured, maintained, or patched computer, or a clueless user (think lame passwords or clicking on suspicious links or emails). There's plenty of security technology out there, but if you don't deploy it properly, you're asking for it.

Just because we are making it easy for them doesn't mean the bad guys aren't winning. Got that? So yes, I totally agree that the most secure firewall in the world isn't worth crap if you don't have the rules configured properly, and that's where many of the incidents originate. They are correct in saying there is plenty of technology to solve the problems, but that doesn't mean we are using it correctly.

That being said, the bad guys are certainly not losing, because there seem to be more of them every day. I'm a firm believer in market economies, and hacking is a booming market. Why? Because these folks are making money. Pure and simple. Whether it's consumer stupidity, configuration ignorance, or bad guy innovation, attacks are working enough of the time to generate a return. So in that sense, the bad guys certainly are winning.

But to me, macro generalizations like that aren't worth much. All that matters is whether they are beating YOU. If your environment is secure and you can prove it to management and the auditors, then YOU are winning. The rest of the world be damned. Too bad for them if they aren't in the same spot.

This one gets a C. Interesting thoughts, but to say that configuring everything correctly will make the problem go away is wrong.