9 popular IT security practices that just don't work

The security products and techniques you rely on most aren't keeping you as secure as you think

When it comes to IT security, FUD (fear, uncertainty, and doubt) is more than just the tool of overhyping vendors hoping to sell their next big thing. It is the reality that seasoned IT security pros live in, thanks in large part to the -- at times gaping -- shortcomings of traditional approaches to securing IT systems and data.

The truth is most common IT security products and techniques don't work as advertised, leaving us far more exposed to malicious code than we know. That's because traditional IT security takes a whack-a-mole approach to threats, leaving us to catch up with the next wave of innovative malware, most of which rolls out in plain view on the Internet.


Until we solve that problem -- that is, when a critical mass of people wants to end this issue -- we will devise, deploy, and depend on security solutions that will never keep us as safe as we need to be, given the daily escalation of malware aimed at compromising our systems and extracting valuable data.

In the vein of forewarned is forearmed, here are 10 common IT security practices and products that are not guarding your systems as well as you think.

malware app, you located a detector program built specifically for that malware and ran it. If you found the malware, you looked for its companion removal program. John McAfee's ViruScan and VirexPC were among the first all-in-one antivirus programs created, moving us beyond the single-malware, single-solution era.

Back in the early 1990s, these all-in-one programs, now known as antimalware scanners, could reliably detect every one of the dozens of viruses, worms, and Trojans in the wild. At the time, I volunteered for the PC Antivirus Research Foundation, started by Paul Ferguson, now of TrendMicro fame, disassembling and testing newly found computer viruses. I remember everyone thinking antivirus programs had become so accurate and freely available that we all assumed computer viruses and their ilk would be gone in a couple of years.

Boy, we were wrong. The professional bad guys now put out hundreds of thousands -- if not millions -- of new malware programs each month, far too many for any single antivirus program to reliably detect. This persists despite claims from nearly every antivirus vendor that they reliably detect 100 percent of the common malware submitted to them. They can show you their multiple awards attesting to their incredible accuracy, but reality argues otherwise.

Every one of us is constantly faced with new malware that our particular antivirus engine doesn't detect. It's not a rare event. If you've ever submitted a malware sample to one of the multiple-engine checking sites, like VirusTotal, you know it's fairly common for antivirus engines to miss new breakouts, sometimes for as long as days. Weeks later, antivirus engines can still miss a particular Trojan or worm.

I don't blame the vendors. With literally more bad files in existence than legitimate files, antivirus scanning is a tough job and begs for whitelisting programs. They have to store database signatures for hundreds of millions of devious, hidden programs and detect brand-new threats, for which there is no signature, all the while not slowing down the protected host's operations.

While the Internet is too scary a place to go without antivirus protection, antivirus programs have long since stopped being the reliable tools their vendors tout.

firewall protection is becoming even less relevant than antivirus scanners. Why? Because the majority of malware works by tricking end-users into running a forbidden program on their desktops, thus invalidating firewall protection. Moreover, the bad programs "dial home" using port 80 or 443, which is always open outbound on the firewall.

Most people are protected by multiple firewalls on the perimeter, on the desktop, and filtering applications. But all that bastion host-port isolation doesn't appear to be working. We're as exploited as ever.

Java, Adobe Reader, Flash, and more. Or they don't patch in a timely fashion. Or they don't follow up on why some percentage of their population doesn't take the latest applied patch, so there's always a vulnerable portion of users. Even in the best cases, getting patches out to the masses takes days to weeks, while the latest malware spreads across the Internet in minutes or hours.

Even worse, social engineering Trojans have essentially done away with that No. 1 advice. Consider this: If all software had zero vulnerabilities (that is, if you never had to patch), it would reduce malicious exploits by only 10 to 20 percent, according to most studies. If you got rid of the exploits that required unpatched software to be present, the hackers relying on unpatched software for their dirty work would move to other avenues of maliciousness (read: social engineering), and the true reduction in cyber crime would probably be much less.

producing better, more targeted end-user education.

Security fail No. 6: Intrusion detection systems can't determine intent

IDSes (intrusion detection systems) are the kind of security technology you want to believe in. You define a bunch of "attack" signatures, and if the IDS detects one of those strings or behaviors in your network traffic, it can proactively alert you or possibly stop the attack. But like the rest of the security technologies and techniques on display here, they simply don't work as advertised.

First, there's no way to put in all valid attack signatures needed to account for the malicious activity heaped on your enterprise. The best IDSes may contain hundreds of signatures, but tens of thousands of malicious attempts will hit your systems. You could add tens of thousands of signatures to your IDS, but that would slow down all monitored traffic to the point where it wouldn't be worth the effort. Plus, IDSes already put out so many false positives that all event alerts end up being treated like firewall logs: neglected and unread.

But the demise of the IDS is due to the fact that most bad guys are piggybacking on legitimate access. How can an IDS tell the difference between the CFO querying his financial database and a foreign attacker using the CFO's computer and access to do the same? They can't -- there's no way to determine intent, which is needed to decide if the network stream should create an alert or be passed as normal, operational business.
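
The point about intent, shown as an added example that is not part of the original article: a minimal signature matcher run over three constructed events. The signatures, host names, accounts, and query are assumptions made up for illustration; the two CFO-account events are identical on the wire, so the matcher has nothing to tell them apart.

```python
import re
from dataclasses import dataclass

# Constructed signatures in the style the article describes: patterns matched
# against traffic. They are illustrative, not taken from any real IDS ruleset.
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+select", re.I),
    "sqli-tautology": re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.I),
    "path-traversal": re.compile(r"\.\./\.\./"),
}

@dataclass(frozen=True)
class Event:
    src_host: str   # workstation the traffic came from
    account: str    # authenticated database account
    payload: str    # what the sensor sees on the wire
    operator: str   # ground truth; never visible to the IDS

def inspect(event):
    """Return the names of all signatures matching the on-wire payload."""
    return sorted(n for n, rx in SIGNATURES.items() if rx.search(event.payload))

def wire_view(event):
    """Everything a network sensor can observe about the event."""
    return (event.src_host, event.account, event.payload)

# Constructed sample events (hypothetical hosts, accounts, and query).
QUERY = "SELECT account, balance FROM ledger WHERE quarter = 'Q3'"
EVENTS = [
    Event("ws-cfo-01", "cfo", QUERY, "the CFO"),
    Event("ws-cfo-01", "cfo", QUERY, "intruder on the CFO's PC"),
    Event("kiosk-17", "guest", "id=1' OR '1'='1", "scripted probe"),
]

def triage(events):
    """Map each operator (ground truth) to the alerts the IDS raised."""
    return {e.operator: inspect(e) for e in events}

if __name__ == "__main__":
    for who, alerts in triage(EVENTS).items():
        print(f"{who:28} -> {alerts or 'no alert'}")
```

Only the scripted probe trips a signature. The intruder's session produces the same wire view as the CFO's, so any rule strict enough to flag one would flag the other.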

Public Key Infrastructure is mathematically beautiful in every way. I love it, and I install a fair amount of PKI in businesses each year or improve on the ones they have. The problem is that many PKIs are hideously configured, woefully insecure, and mostly ignored, even when they function perfectly in the public sector.

In the last year or two, we've seen several legitimate public Certification Authorities be horribly hacked. They've allowed hackers to gain access to their signing keys, which should have been protected more strongly than any other information in their environment, and to issue fraudulent keys for use by other hackers, malware, and possibly interested governments.

But even when PKI is perfect, remaining strong and unhacked, people don't care. Most end-users, when warned by their browser that the presented digital certificate is untrusted, can't wait to click the Ignore button. They're happy to bypass the security inconvenience and get on with their computing lives.

Part of the problem is that the websites and programs using digital certificates have been lackadaisical in their use, allowing certificate error messages to become an everyday occurrence. End-users who did not ignore digital certificate error messages would not be able to participate in a large segment of legitimate online life, sometimes including remote access to their own workplace systems. Browser vendors could enforce digital certificate errors so that any error, earned or mistaken, would result in the site or service not being presented, but customers would revolt and choose another browser. Instead, everyone blithely ignores our broken PKI system. On the whole, the masses don't care.

appliances -- increased security -- hasn't panned out. By having a smaller OS footprint, usually a locked-down version of Linux or BSD, appliances promise to be less exploitable than fully functional computers running traditional OSes. Yet, in more than 10 years of testing security appliances for InfoWorld, I've only once been sent an appliance that didn't contain a known public exploit. Appliances are nothing but operating systems on closed hard drives or firmware, and those designs are innately harder to keep patched.

For example, last week in the midst of red-team testing against a large Fortune 100 company, I found that each of the hundreds of wireless network controllers had unpatched Apache and OpenSSH services running; both would have let hackers on the public wireless network reach their internal corporate networks as admin. Their IDS and firewall devices contained public scripts that had long ago been found to have remote bypass vulnerabilities to get around any silly authentication. Their email appliance was running an insecure FTP service that allowed anonymous uploads.

These are not unusual findings. Appliances often contain just as many vulnerabilities as their software-only counterparts; they're just harder to update and usually aren't. Instead of being hardened security devices, they are an attacker's dream. I love doing penetration testing on environments with lots of appliances. It makes my life significantly easier.

Google's Chrome browser, and both have suffered over 100 exploits that perforated the sandbox and allowed direct access to the underlying system. However, that doesn't stop the dreamers who think they'll find one that will halt all exploits and put down computer maliciousness forever.

Unfortunately, a lot of computer security is more security theater than protection. Your job is to pick through the myriad solutions and employ the ones that truly reduce risk. The security practices listed above are overhyped. How do you know? Because IT is implementing every one of them and malicious hacking and exploitation is more popular than ever. You can't ignore the facts.

This story, "9 popular IT security practices that just don't work," was originally published at InfoWorld.com.