The IT Security industry specializes in the protection of information processed, transferred or otherwise controlled on computer systems. Yet several aspects of computer security are misconstrued by everyone from those who only casually interact with computers to those in the computer profession. With a topic so broad, it’s difficult to summarize in just a few short words. We could simply tell everyone to ensure their anti-virus software is scanning for malware, or to be careful about where they enter sensitive information. These are important considerations, but it’s only by understanding the risks of computer systems and the information collectively that we can comprehend the challenge.
In a video blog, Intel’s CISO Malcolm Harkins describes a common misperception of risk when it comes to information people are willing to share with the world through social media. For me, this brought up other parts of IT Security that are also misunderstood, and it compels us as information security professionals to share what we can whenever possible in order to help communicate that security is everyone’s job in an organization, and important knowledge for any computer user.
One area that presents many misconceptions is computer and network security. The computing environment does play a major part in the risk equation, because we need to verify that it can provide the level of security required for its location. But a common misconception here is that by using a firewall to block unwanted external traffic or running antivirus software, all malicious traffic or software will be prevented from entering. In addition, protecting all computer systems with the same level of security throughout the infrastructure, regardless of their purpose, creates a one-size-fits-all security model that is much more costly to maintain.
Another misconception is in the area of data classification and compliance. The concepts used to evaluate risk should not be based on the type of information alone but also on where it resides, who needs access to it and what technology can be used to protect it. A scenario that evaluates the data alone may give the misconception that compliance is security. Compliance by itself is not security and may lead to a false sense that security can be achieved by following a checklist. The classification of information, along with how it will be accessed, is an important consideration for the risk equation because it allows for an evaluation of possible threats specific to that data, but it is equally important to consider the computing environment by which it will be protected.
Perimeters protected with a firewall are no longer sufficient on their own against more sophisticated targeted attacks. Constant re-evaluation of the security posture is important for any organization because of the growing list of factors to consider when securing information stored or processed on computer systems. Expanding on the security-in-depth strategy, in the white paper titled “Rethinking Information Security to Improve Business Agility”, leading information security experts at Intel IT describe a strategy for evaluating risk based on the location of the information along with the requesting user’s location, and refer to these locations as “security zones”. Some of these zones can be considered trusted based on a score that evaluates the source of the request and the destination of the data. Depending on the score, even a legitimate user might end up with only limited access to data due to factors such as the trust level of the user’s current location. This new paradigm for information security is designed to meet a broad range of evolving protection requirements that include the assessment of new usage models and threats. Additionally, the expectation that preventative controls such as firewalls are good enough for security is mistaken; detective and corrective controls are also a very important part of an information security process, as is evaluating each for its effectiveness on an ongoing basis.
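A minimal sketch of the score-based zone decision described above, added here as an illustration and not taken from the Intel white paper. The factor names, weights, zone names and thresholds are all assumptions chosen to show how the same legitimate user can receive full, limited or no access depending on where the request comes from and which zone holds the data.

```python
from dataclasses import dataclass

# Constructed weights (assumptions): the page does not give the real scoring model.
LOCATION_TRUST = {"corporate_lan": 40, "vpn": 25, "public_wifi": 5}
DEVICE_TRUST = {"managed": 40, "personal": 15, "unknown": 0}
AUTH_TRUST = {"mfa": 20, "password": 10}

# Destination zones (assumed names): minimum source score for (full, limited) access.
ZONE_REQUIREMENTS = {
    "public": (0, 0),
    "internal": (50, 30),
    "restricted": (85, 60),
}


@dataclass(frozen=True)
class Request:
    user: str
    location: str
    device: str
    auth: str
    zone: str


def source_score(req: Request) -> int:
    """Sum the trust contributed by each source factor; unknown values score 0."""
    return (
        LOCATION_TRUST.get(req.location, 0)
        + DEVICE_TRUST.get(req.device, 0)
        + AUTH_TRUST.get(req.auth, 0)
    )


def decide(req: Request) -> str:
    """Return 'full', 'limited' or 'deny' for this source/destination pair."""
    if req.zone not in ZONE_REQUIREMENTS:
        return "deny"  # fail closed on a zone nobody has classified
    full_min, limited_min = ZONE_REQUIREMENTS[req.zone]
    score = source_score(req)
    if score >= full_min:
        return "full"
    if score >= limited_min:
        return "limited"
    return "deny"


if __name__ == "__main__":
    # Constructed requests: one user, three different source contexts.
    for loc, dev, auth in [("corporate_lan", "managed", "mfa"),
                           ("public_wifi", "managed", "mfa"),
                           ("public_wifi", "personal", "password")]:
        req = Request("alice", loc, dev, auth, "restricted")
        print(loc, dev, auth, source_score(req), decide(req))
```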
For these reasons, I believe that one of the most common misconceptions is that computer security is not a “set it and forget about it” list of security options but rather an ongoing process that evaluates risk based on both the type of information and the computing environment being used. Just as the bad guys are going through the same process to try to circumvent mitigating controls, we must continue to evaluate whether the appropriate countermeasures are in place. Information security is an ever-changing challenge, and the industry must constantly prepare for technology changes in order to be ready for the next wave of vulnerabilities and associated risks. The important thing is that we are now more commonly asking questions about the security implications of any new computing technology. Using cloud computing as an example, there is a greater concern than ever before about sensitive information being placed on uncontrolled or non-trusted computer systems. We can only hope that trend will continue.