Johnson: The well-known saying comes to mind -- "You can lead a horse to water, but you cannot make it drink." Training raises the bar and reduces overall incidents, but training users to think securely should be the goal.
Lacey: You can achieve a substantial improvement, but people are not foolproof. See my forthcoming book, Managing the Human Factor in Information Security, due out in January, for details of how to do this.
11. Don't worry, the government has a secret cyber-defense capability.
Selby: In the same drawer as its secret economic fix-it plan.
Lacey: It certainly does. How do you think they spy on other nations?
Yeomans: Of course it does. But unless you're in a business that can't be allowed to fail, don't depend on the government to help you. They will have more important people who need help.
Schneier: If they do, then we really should worry -- because it's not working very well.
Johnson: They do, but it doesn't extend to defending your privacy.
Pescatore: Well, this is true but the secret strategy is to disconnect from the Internet. The strongest attacks are coming from cybercriminals, not governments or nations. The strongest defenses [that don't involve isolation] are seen in private industry, not government.
12. The longer the key length, the stronger the encryption.
Yeomans: And the greater the chance that the weak point is elsewhere. I've rarely seen key protection that was as strong as the encryption. If you protect a key with an eight-character 'strong' password, it won't matter whether the key is 64 bits or 256 bits. And don't forget the choice of algorithm matters when mentioning key length: 256-bit AES is far stronger than 256-bit RSA.
Lacey: For the same algorithm and key material, that's absolutely correct.
Schneier: A long key length is essential for good security, but it is not sufficient. There are lots of ways to break encryption systems that completely bypass the key length.
Johnson: Yes, but only if the algorithm, the implementation and associated processes are good.
Pescatore: When stronger means harder to brute-force, this one is true. However, putting 10 locks on your front door just means your hinges are now the weak point. Brute-forcing encryption is almost never the path of least resistance, so increasing key sizes (beyond recommended minimal lengths) is rarely any increase in security.
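To make the weakest-link point from Yeomans and Pescatore concrete, here is an added example (written for this page, not code from any panelist or from Network World): it derives a key of a chosen length from an eight-character password with PBKDF2 and estimates the system's effective work factor as the cheaper of guessing the password and brute-forcing the key. The password, the 95-character alphabet and the iteration counts are constructed assumptions.

```python
"""Weakest-link estimate for a key that is itself protected by a password."""
import hashlib
import math
import os

# Constructed sample inputs (not from the article): an eight-character
# password drawn from the 95 printable ASCII characters, and a random salt.
PASSWORD = "Tr0ub4d!"          # 8 characters, mixed character classes
ALPHABET_SIZE = 95             # printable ASCII
SALT = os.urandom(16)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on guessing entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)


def effective_security_bits(key_bits: int, password_len: int,
                            alphabet_size: int, kdf_iterations: int) -> float:
    """Effective work factor of the whole system, in bits.

    An attacker who can guess the password never needs to brute-force the
    key, so the system is only as strong as the cheaper of the two paths.
    Key stretching adds log2(kdf_iterations) bits to the password path,
    but the result can never exceed the key length itself.
    """
    password_path = (password_entropy_bits(password_len, alphabet_size)
                     + math.log2(kdf_iterations))
    return min(float(key_bits), password_path)


def derive_key(password: str, salt: bytes, key_bits: int,
               iterations: int) -> bytes:
    """Derive a key of key_bits bits from the password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               iterations, dklen=key_bits // 8)


if __name__ == "__main__":
    # Without stretching, 64-bit and 256-bit keys come out equally weak
    # (~52.6 bits); with 600k iterations the 64-bit key becomes the limit.
    for key_bits in (64, 128, 256):
        for iters in (1, 600_000):
            key = derive_key(PASSWORD, SALT, key_bits, iters)
            bits = effective_security_bits(key_bits, len(PASSWORD),
                                           ALPHABET_SIZE, iters)
            print(f"{key_bits:>3}-bit key, {iters:>7} KDF iterations: "
                  f"derived {len(key) * 8} bits, effective ~{bits:.1f} bits")
```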
This story, "Myth or truism? IT security experts render judgment on 12 beliefs," was originally published by Network World.