Security Myths

Myth: For every bad security practice an end user may engage in, technology can be applied to prevent or curtail it.

Myth Exposed: Most employees have no more than a basic understanding of security, so they make bad decisions and expose the organization. An effective security policy must fully accept and understand this partner in the security process. End user training is not enough. The IT organization must employ safeguards that assume the employee will click the wrong button, use simple passwords, and so on. Phishing scams that use link manipulation and other techniques to take unsuspecting users to spoofed websites have become common even on legitimate online sites, such as news sites. Posters, policies, and annual training will always fail to prevent people from making faulty day-to-day security decisions.
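One technical safeguard that assumes the user will click anyway is to inspect inbound mail for link manipulation before it reaches the inbox: anchors whose visible text shows one domain while the href points somewhere else. The example below is added here and is not code from the original article; the HTML sample is constructed, the `.test`/`.example` domains are placeholders, and the "last two labels" rule for the registrable domain is a simplifying assumption (a production filter would use the public suffix list).

```python
"""Flag link manipulation in email HTML: anchors whose visible text names one
domain while the href resolves to another.  Added example, not the article's code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches something that looks like a hostname inside the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def _registrable(host):
    """Assumed simplification: treat the last two labels as the registrable domain."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return anchors whose displayed domain differs from the href's domain."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target_host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text)
        if not shown:
            continue  # "Unsubscribe"-style text gives the user nothing to compare
        shown_domain = _registrable(shown.group(1))
        target_domain = _registrable(target_host)
        if shown_domain != target_domain:
            findings.append({
                "text": text,
                "href": href,
                "shown_domain": shown_domain,
                "target_domain": target_domain,
            })
    return findings


# Constructed sample message: one manipulated link, one honest link, one neutral link.
SAMPLE_EMAIL = """
<p>Your statement is ready.</p>
<a href="https://login.example-bank.test.evil.example/verify">https://www.example-bank.test/verify</a>
<a href="https://www.example-bank.test/help">www.example-bank.test/help</a>
<a href="https://tracker.example.net/c/123">Unsubscribe</a>
"""

if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL):
        print("deceptive link:", finding)
```

A mail gateway that rewrites or quarantines messages with such findings removes the decision from the user entirely, which is the point the paragraph makes: the control works whether or not the employee ever reads the training poster.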

Myth: IDS/IPS are sufficient tools for detecting intrusions today.

Myth Exposed: Intrusion Detection Systems and methods rely on watching inbound traffic to a target. There is nothing wrong with this model, but it is mostly concerned with detecting attacks against listening services, that is, server-side exploits. Extrusion Detection, by contrast, is concerned with identifying unauthorized activity by inspecting outbound traffic. Offices today must also defend against client-side attacks targeting their employees. This is where Extrusion Detection prevails: IDS/IPS are inherently incapable of detecting such threats.
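The paragraph describes extrusion detection only in outline. The following is an added example, not code from the article, of what inspecting outbound traffic looks like in practice: it runs three checks over constructed workstation flow records, looking for fixed-interval beaconing to one destination, connections on ports outside an assumed egress policy, and unusually large uploads. The flow tuples, the allowed-port set, and the thresholds are all assumptions chosen for illustration.

```python
"""Extrusion-style checks over outbound flow records from workstations.
Added example, not the article's code; all data below is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    (0,   "10.0.1.20", "198.51.100.7", 443,  1200),   # 60 s beacon, same dst
    (60,  "10.0.1.20", "198.51.100.7", 443,  1180),
    (120, "10.0.1.20", "198.51.100.7", 443,  1210),
    (180, "10.0.1.20", "198.51.100.7", 443,  1190),
    (240, "10.0.1.20", "198.51.100.7", 443,  1205),
    (15,  "10.0.1.21", "203.0.113.9",  443,  5400),   # ordinary browsing
    (95,  "10.0.1.21", "203.0.113.9",  443,  7000),
    (40,  "10.0.1.22", "192.0.2.44",   4444, 900),    # port outside egress policy
    (300, "10.0.1.23", "203.0.113.9",  443,  85_000_000),  # bulk upload
]

# Assumed egress policy: workstations may only talk out on these ports.
ALLOWED_PORTS = {53, 80, 443, 25}


def _group(flows):
    """Group flows by (src, dst, port) conversation."""
    by_conv = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_conv[(src, dst, port)].append((ts, nbytes))
    return by_conv


def detect_beacons(flows, min_count=4, max_jitter=0.15):
    """Flag conversations whose inter-connection gaps are nearly constant."""
    findings = []
    for (src, dst, port), recs in _group(flows).items():
        times = sorted(ts for ts, _ in recs)
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation close to zero means a scheduler, not a person.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"type": "beacon", "src": src, "dst": dst,
                             "port": port, "interval_s": round(avg)})
    return findings


def detect_unexpected_ports(flows, allowed=ALLOWED_PORTS):
    """Flag any outbound connection on a port the egress policy does not permit."""
    return [{"type": "unexpected_port", "src": src, "dst": dst, "port": port}
            for _, src, dst, port, _ in flows if port not in allowed]


def detect_large_uploads(flows, threshold_bytes=50_000_000):
    """Flag (src, dst) pairs whose total outbound volume exceeds the threshold."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        totals[(src, dst)] += nbytes
    return [{"type": "large_upload", "src": src, "dst": dst, "bytes": total}
            for (src, dst), total in totals.items() if total >= threshold_bytes]


def run_extrusion_checks(flows):
    """Run every check and return the combined list of findings."""
    return (detect_beacons(flows)
            + detect_unexpected_ports(flows)
            + detect_large_uploads(flows))


if __name__ == "__main__":
    for finding in run_extrusion_checks(FLOWS):
        print(finding)
```

None of these three checks looks at a single inbound packet, which is the contrast the paragraph draws: a compromised client that was never attacked on a listening port still has to talk back out, and that is where it becomes visible.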

Myth: Security Trumps Convenience

Myth Exposed: People today have become “convenience junkies.” We want information and we do not want to wait for it; on top of that, we are on the go more than ever. The rise of portable electronic devices attests to our appetite for immediacy. Admittedly, we regularly disregard those “pesky” security measures meant to protect sensitive data so that we can access information without delay. Anti-phishing browser cues, popup warnings, and the like are largely ineffective and frequently ignored by users.