What Are the Most Overrated Security Technologies?

Companies implement multi-factor authentication but don't always get the implementation right

The security community has grown to depend on some basic technologies in the fight against cyber thieves, such as antivirus software and firewalls. But are practitioners clinging to tools that outlived their usefulness long ago? Were those tools ever really useful to begin with?

CSOonline.com recently conducted an unscientific survey on the matter, asking those questions to a variety of security forums on LinkedIn and following it up with e-mails and phone conversations. What follows are four technologies several cited as overrated in today's security fight.

We'll follow up next week with security technologies many believe are underrated. It's safe to predict that some of the technologies on this list will also appear there.

1. Antivirus This one isn't a total surprise. Security experts for years have been complaining that antivirus has grown obsolete because the security vendors can't keep up with all the AV definition changes required to thwart every new piece of malware. In fact, some of the more advanced security practitioners of the world are ditching it altogether. In a previous story on the subject, David Litchfield, a leading database security expert who has authored such books as " Oracle Forensics," " The Oracle Hacker's Handbook" and " The Database Hacker's Handbook," summed up why he's lost faith in AV:

"As an experienced security guy, I have no faith in most of the AV packages out there because they're completely reactive, offer little advance protection, massively increase the attack surface and have a long history of vulnerable ActiveX controls," he said at the time. "I've never used AV software and I've never once been infected with a virus."

Most organizations are still advised to have AV software in place. But security experts generally agree IT shops need a variety of other security tools to go with it. In other words, companies need defense in depth.

"Any reactive security technology keeps failing more and more each year. AV does not work, [a fact] proven by a detection rate that degrades each year," said Ari Takanen, founder and CTO of Codenomicon in Finland. "All technologies that look for attacks can be worked around by building a tailored attack that will not be detected. Even if you take a five-year-old attack you probably see that it passes through undetected today. You just cannot keep building more and more walls around bad-quality technology."

2. Firewalls Firewalls have faced equal scrutiny in recent years for similar reasons. But the biggest problem cited in our most recent poll is that the increasingly disappearing perimeter has rendered the technology obsolete.

"The firewall is the most worthless. It's dead. The perimeter is gone. We cannot afford enough firewalls to protect our devices," said Guy Hadsall, a Washington D.C.-based information security specialist. "In most cases, it's protection from ourselves. At best it's a check box on a PCI audit, at worst it's a pacifier to a user base intent on click-thru surfing."

3. IAM AND multi-factor authentication Identity and Access Management and multi-factor authentication are not exactly the same thing. The latter is more a sub-category of access management. But they do have one thing in common, according to those who've become expert at using these technologies -- implementation is key.

The problem here isn't that identity and access management technology doesn't work as advertised. It's that many companies have failed to use it properly. "With any IAM solution, it takes years to get them to work correctly," said Scott Damron, a solutions engineer at Accuvant. Given the rapid evolution of malware and social engineering, companies simply don't have years to get it right, he said.

A similar point was made last week at the Security B-Sides event in San Francisco. There, presenters warned that badly-implemented IAM can be as bad as sticking with the insecure passwords it is meant to replace.

Jennifer Jabbusch, CISO at Carolina Advanced Digital Inc. in North Carolina, noted how companies implement multi-factor authentication but don't always get the implementation right. That's when the company is left with nothing but "feel-good security."

"We need to draw a line and not pursue solutions that simply offer a feeling of security," she said. "Things make you feel better don't really help."

Michael Santarcangelo, founder of the Security Catalyst Community, noted that users can diminish the usefulness of multi-factor authentication just as they've diminished the usefulness of passwords. "People will write their PINs right on their token. So have we decreased risk? We've created a bigger barrier but that's not enough," he said.

4. NAC Damron, from Accuvant, fingered network access control (NAC) as overrated for the same reason as IAM: "It takes years to get it working correctly," he repeated.

Sharing that view is Tom Giangreco, information security officer at SchoolsFirst Federal Credit Union, formally Orange County Teachers Federal Credit Union.

"I would agree with the NAC appraisal. It's taken us more than three years to get it working according to our requirements and not those of a university campus, which they seem to have been designed for," he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags firewallsnacsecurityauthenticationantivirus

More about etworkISOOracleOrange

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Bill Brenner

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts