The software giant held a session titled 'Debunking Security Myths' for developers and other IT workers at its Tech.Ed conference. Jesper Johanssen, enterprise security architect at Microsoft, told delegates and news media at the conference that business users often failed to realise that security was always a trade-off.
"We ask, 'is our network secure?'," he said. "The truth is that the correct answer is 'no'. Your network is not secure. The truth really is that your network is at best, 'protected'."
A truly secure network, Johanssen pointed out, would allow no traffic through. The best way to secure one's network was to unplug all the boxes and fill all the ports with epoxy glue.
Filling the ports with epoxy would, of course, make the equipment useless. Security was always a trade-off between usability and price. A network that was cheap would make concessions to usability to maximise security, for example, Johanssen said.
What was wanted was a network that was as secure as it could possibly be for the price without compromising business activity and processes. That was how businesses should really be thinking about security, he said.
"The real answer shouldn't be 'high' or 'low'. It depends. You need to have 'just enough'," said Steve Riley, another security specialist at Microsoft's security business and technology unit.
Riley said a lot of security practices commonly used did little or nothing to protect business networks.
For example, many businesses forbade users to write down their network passwords. That effectively forced users to pick passwords that were easy to remember. Yet such passwords were easily cracked, he pointed out.
Many users had large numbers of passwords, compounding the difficulty. When one password was cracked, the hacker could then use that password to get deeper into the network and gain access to more sensitive information, Riley noted.
Instead, system administrators should be teaching users to use long, unique strings of information. An easy way of doing it was to think of a "pass-phrase" rather than a password. A pass-phrase could be a sentence that included upper and lower case letters and numbers that could be easily changed for each specific purpose.
For example, a home desktop pass-phrase for one employee might be something like: "My 2 dogs and I play Solitaire." One for the work human resources database could be: "My 2 dogs and I look for a job." For email, you could have: "My 2 dogs and I check the mail."
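The pass-phrase advice above rests on two points: a long sentence gives an attacker far more to search than a short, memorable password, and a policy should state the outcome (enough length) rather than a recipe of character classes. The following Python is an added illustration, not code from the session or from Microsoft; the brute-force search-space model, the 20-character minimum and the sample weak password `Fluffy01` are all constructed assumptions for the example.

```python
import math
import string

# Character classes for a crude brute-force search-space estimate.
# Constructed for this illustration; it treats every character as
# independent, so it is an upper bound on real strength (dictionary
# words and common sentence patterns are weaker than random characters).
CLASSES = [
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation + " "),
]


def keyspace_bits(secret: str) -> float:
    """Bits an attacker must search if they know the length and which
    character classes appear, but nothing else about the secret."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in secret))
    if alphabet == 0:
        return 0.0
    return len(secret) * math.log2(alphabet)


# Assumed policy threshold: the outcome we want is length, not a rule
# such as "must contain one digit and one symbol".
MIN_PASSPHRASE_LEN = 20


def passphrase_policy(candidate: str) -> tuple:
    """Outcome-based check: accept long sentences, reject short strings.
    Returns (accepted, reason)."""
    if len(candidate) < MIN_PASSPHRASE_LEN:
        return False, f"too short: {len(candidate)} < {MIN_PASSPHRASE_LEN}"
    if len(set(candidate.split())) < 3:
        return False, "use a sentence of several distinct words"
    return True, "ok"


if __name__ == "__main__":
    # The page's own sample phrase beside a constructed short password.
    for s in ["My 2 dogs and I play Solitaire.", "Fluffy01"]:
        ok, why = passphrase_policy(s)
        print(f"{s!r}: ~{keyspace_bits(s):.0f} bits, policy={ok} ({why})")
```

Run stand-alone, the script reports the estimated search space and policy verdict for both strings; the short password passes a typical "mixed case plus digit" complexity rule yet fails the length-based policy, while the sentence passes.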
Riley said there were many other things people commonly did that did not actually help network security. For example, security policies should dictate outcomes, not processes.
Otherwise, system administrators ended up being forced to perform certain processes -- disable this feature, enable that one -- because they were written into the policy, regardless of whether they were productive for the company, Riley said.
An example was turning off SSID broadcasting to ensure nobody could find an access point. But hackers were already writing attacks that could guess the data needed, so it wasn't a very effective strategy, Riley said.
"If that's the only thing that stands between them getting in, then nothing will, and you're in serious trouble," Johanssen said.
Riley said system administrators who decided instead to simply ignore a business's in-house security policy risked losing future job opportunities when bean counters who didn't understand security or the job involved tried to assess their performance.
He said businesses should concentrate on physical security rather than on making "tonnes" of little changes to their IT security software, disabling things and hiding functions. "Security by obscurity is a relatively weak defence," he said.
Johanssen said salespeople who took laptops off site and wanted to connect to the office network were often a company's biggest security risk. But the most effective way to tackle the problem was staff training.