The IT security industry is no stranger to urban myths: stories that spread and, over time, become accepted as general truths. I’ve been surveying the security community, mainly through Facebook and Twitter, asking which myths come to mind when talking about antivirus security companies. Below I look at the top five answers:
- Antivirus security companies make the viruses. This is a claim I have often heard throughout my career in security, and no doubt the same goes for other companies in the sector. The claim is absurd, particularly if you think that my company receives around 55,000 new viruses every day. What’s more if it were true, such a scandal would surely have been uncovered in the 20 or more years that the sector has been protecting users. One of the main problems that the industry has had to resolve has been how to cope with the workload of processing such an enormous number of threats to keep our users protected.
- Security companies hire hackers. Of course I can’t speak on behalf of the entire industry, but this issue has been a concern for me and I have never knowingly contracted ‘black hat’ hackers. I have however hired – and am always looking out for – ‘white hat’ (basically, the good guys) hackers. Another variation of this myth is that you have to be an IT engineer to work in IT security, which is also false. The profile of those who work at my company is highly varied: engineers, mathematicians, physicists, self-taught, etc. What all of them have in common is a genuine interest -sometimes a real passion – in IT security.
- There are no viruses for Mac, Linux or cell phone platforms. I would all like this to be true! It is commonly held that none of these present any risks to users, as viruses are only designed for Windows platforms. The truth is that there are viruses for all these platforms. The difference lies in the amount of threats circulating in comparison with those designed for Windows. The explanation is simple: hackers are looking for profit. If the aim is to reach as many people as possible and consequently more potential victims to steal from, what is the best target? A platform with 10 million users or one with 500 million? The answer is obvious.
- It requires considerable knowledge to be a hacker, develop viruses, infiltrate systems… in some cases yes, in others no. Some years ago it was difficult to develop viruses, worms, Trojans, etc., and it required technical know-how. In fact many hackers started out “just messing around” while they learnt, and acquired significant knowledge of programming languages, communication protocols, etc. Today this is no longer necessary, as in the case we witnessed recently with Operation Mariposa, those responsible had quite limited knowledge. This is because kits are sold across the Internet which allow the uninitiated to generate and configure malware. I wouldn’t quite say that anyone can do it, but with a little bit of knowledge and dedication, it’s possible to construct, for example, a botnet capable of infecting 13 million computers around the world.
- Women don’t work in security companies. This assumption is as frequent as it is untrue. At my company the truth is quite different: more than 30% of the workforce is female, and many women are working in technical or management areas. This figure is growing, as an increasing amount of women are training for sectors such as IT security.