Like the Fallacies of Distributed Computing, these are assumptions about security made by those who use the network. And, like those other fallacies, these assumptions are made at the peril of both project and productivity.
1. The network can be made completely secure.
2. It hasn’t been a problem before.
3. Monitoring is overkill.
4. Syslog information can be easily reviewed.
5. Alerts are sufficient warning of malicious behavior.
6. Our competition is honest.
7. Our users will not make mistakes that will jeopardize or breach security.
8. A perimeter is sufficient.
9. I don’t need security because nobody would want to hack me.
10. Time correlation amongst devices is not that important.
11. If nobody knows about a vulnerability, it’s not a vulnerability.
Effects of the Fallacies
1. Ignorance of network security leads to poor risk assessment.
2. Lack of monitoring, logging, and correlation hampers or prevents forensic investigation.
3. Failure to view competitors and users with some degree of suspicion will lead to vulnerabilities.
4. Security measures that lack depth will allow even minimally sophisticated intrusions to succeed and to continue as ongoing, undetected criminal activity.
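Fallacies 4 and 10 and effect 2 above all come down to the same thing: logs from several devices are only useful for forensics if their clocks agree. The following is an added illustration, not part of the original post, built on constructed syslog lines from two hypothetical hosts (fw1, srv1) and an assumed 90-second clock error on the firewall; it shows how the same session reads as an impossible sequence under raw device clocks and as a coherent one once the measured offsets are applied.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog lines from two hypothetical devices. fw1's clock runs
# 90 s fast; srv1 is correctly synchronised. One session, two viewpoints.
RAW_LOGS = """\
2024-03-01T10:00:05Z fw1 kernel: ACCEPT TCP 203.0.113.7:51234 -> 10.0.0.5:22
2024-03-01T09:58:40Z srv1 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:58:41Z srv1 sudo: admin : COMMAND=/bin/tar czf /tmp/db.tgz /var/db
2024-03-01T10:00:15Z fw1 kernel: ACCEPT TCP 10.0.0.5:44556 -> 198.51.100.9:443
"""

# Per-host correction measured against a trusted reference (e.g. NTP):
# add this to a host's raw timestamp to get true time. Assumed values.
CLOCK_OFFSETS = {"fw1": timedelta(seconds=-90), "srv1": timedelta(0)}

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_line(line):
    """Split 'ISO-timestamp host message' into (datetime, host, message)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3)


def build_timeline(raw, offsets=None):
    """Return events sorted by corrected time. With offsets=None the raw
    device clocks are trusted, which is exactly fallacy 10 in action."""
    offsets = offsets or {}
    events = []
    for line in raw.splitlines():
        ts, host, msg = parse_line(line)
        events.append((ts + offsets.get(host, timedelta(0)), host, msg))
    return sorted(events)


def hosts_in_order(timeline):
    """Just the host column, handy for eyeballing the sequence of events."""
    return [host for _, host, _ in timeline]


if __name__ == "__main__":
    for label, offs in (("raw clocks", None), ("corrected", CLOCK_OFFSETS)):
        print(f"--- {label} ---")
        for ts, host, msg in build_timeline(RAW_LOGS, offs):
            print(ts.isoformat(), host, msg)
```

Under raw clocks the SSH login on srv1 appears 85 seconds before the firewall admitted the connection, which cannot have happened; with the offsets applied the accept, login, archive command and outbound connection fall into their real order.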
I wrote this list for the purpose of informing, educating, and aiding any non-security person that reads it. Failing that, it serves as something that I can fall back on when commiserating with other security guys.