Cyber Security — 7 common myths debunked.
Cyber security affects each and every one of us, whatever we do, daily. We continually make security decisions to keep ourselves, and others, safe from various cyber attacks.
But all too often we take actions, or fail to take them, believing we are safe.
However, over time, common knowledge and basic practices have become distorted, erroneously diluted, or ignored altogether.
We all face this problem with cyber security. With so many talented people devising creative ways to protect us all, it is easy to let our own understanding of threats slide and assume we’re safe.
So, if we want to make things more secure online, then we’ve got to shatter a few long-standing myths.
1. It’s an issue for the IT department
Unfortunately, not every attack comes from somewhere far off, via the Internet. Sometimes the biggest threats come from in-house. Dejan Kosutica, writing for DefenceSystems.com, highlighted this issue in 2014:
“Imagine this scenario: A disgruntled system administrator intentionally disables your core application and deletes your most important databases. Is this an IT issue? No, this is hardly an IT issue; more like an HR issue. Could this have been prevented by IT safeguards? No. The person in this position is required to have direct access to all of your systems.”
This eloquently shows that some aspects of cyber security fall outside the remit of the IT department. Threats affect every department across the whole company. Therefore, online security practices need to be combined with effective employee management.
2. Cyber security is a one-off action
No…nothing could be further from the truth.
It’s a process that never ends, and for good reason. Dejan Kosutica again:
“For instance, if you develop an Incident Response procedure that requires personnel to notify the Chief Information Security Officer on his or her cell phone about each incident, but then this person leaves your agency, you obviously no longer want these calls to go to him or her if you want your system to be functional.”
Not only that, but the threat landscape is constantly evolving. You have to constantly educate yourself about the latest threats. Moreover, you need to analyse and update procedures, software, equipment, agreements — in essence, everything.
It needs to be continuous.
3. It just takes a patch
The myth is this: patches will stop attackers in their tracks.
Unfortunately, it doesn’t work like that.
There’s no question that patching is very important, and you should keep all your systems updated. However, people misunderstand the relationship between attackers, vulnerabilities and patches.
Patching vulnerabilities doesn’t stop attackers from targeting you. Routinely, hackers will try the path of least resistance first, and, if that path is patched, they will escalate their efforts until they find a vulnerability they can exploit.
Steven Chabinsky, writing for SecurityMagazine.com, states:
“[H]ackers do not simply move on to the next guy when they see a fully patched system. Just because X% of intrusions may take advantage of known vulnerabilities, it does not follow as a matter of logic or industry experience that anywhere close to X% of those intrusions would have been eliminated had those vulnerabilities been patched. Hackers evolve.”
4. Threat intelligence has no value
In order to help keep yourself protected, you need information. Sun Tzu said it best:
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
The same holds true when it comes to cyber security.
A threat intelligence system is vital for security: it allows you to identify the tactics, techniques, and procedures (TTPs) of the hackers. Steve Nice, Security Technologist, Node4:
“Gaining information about threats and vulnerabilities inside and outside of your infrastructure, allows businesses to mitigate against the risks and become increasingly predictive rather than reactive, so they can prevent today’s data breaches becoming tomorrow’s news item.”
5. They won’t target SMEs
They will, and they do.
In fact, SMEs are quickly becoming the favoured target of many hackers. Toni Allen, UK Head of Client Propositions at the British Standards Institute, speaking to the Guardian:
“SMEs have not historically been the target of cybercrime but in 2015 something drastically changed. The latest Government Security Breaches Survey found that nearly three-quarters (74%) of small organisations reported a security breach in the last year; an increase on the 2013 and 2014 survey. SMEs are now being pinpointed by digital attackers.”
You may think that you have no data that would interest an attacker. You may be right. But, what if the attacker doesn’t want your data? Perhaps the attacker wants to use your vulnerabilities to attack the real target. Or, maybe they just want to extort a ransom from you.
Sarah Green, a cyber security expert and business manager for Cyber Security at Training 2000, speaking with the Guardian:
“Small businesses may feel that they aren’t likely to be a target due to their size and that hackers couldn’t possibly be interested in what they do — but in reality the exact opposite is true. Hackers prey on the knowledge that small businesses tend to have lower defences than larger organisations, usually due to lack of financial and human resources. By their very nature, thriving small businesses are innovative and niche, which again is very attractive to the bad guys who may be interested in customer data and intellectual property and know exactly how to pick out the weak targets.”
The truth is, every business is a target, SME or not.
6. We’ve not been attacked, so we’re secure
Just because you think you haven’t experienced an attack, it doesn’t mean your systems are secure. The thing is, the cyber security landscape is constantly changing.
Moreover, how do you know that you haven’t been attacked? Not all breaches are the same; in fact, some attackers can enter your systems and leave without giving themselves away.
Nathaniel Borenstein, Chief Scientist at Mimecast, speaking with mrc-productivity.com:
“Unfortunately, Internet-based information attacks are even harder to deal with, in part because one doesn’t necessarily even know when the attack has happened. It would be hard not to notice a hijacked plane flying through the sky, but a clever cyber-attacker has the potential to get into a system, do his dirty work, and get out without being noticed.”
So, while we should have everything in place to tackle cyber attacks, we should also work from the assumption that these systems are not 100% guarantees and, at some point, they will fail.
7. Using HTTPS means I’m safe
In essence, HTTPS, which uses SSL, provides identity verification and encryption, letting you know you’re looking at the right website and preventing people from eavesdropping. However, in practice, there can be a problem.
Your browser contains a list of trusted certificate authorities, and only trusts certificates from these authorities. If you visited a site that presented an SSL certificate from an authority that wasn’t trusted, or a certificate issued for a different domain, you would get a warning from your browser.
Here’s the problem: there are lots of certificate authorities, and your browser trusts each of them equally. Steve Nice, Security Technologist, Node4, explains:
“For example, you might get a genuine SSL certificate for your domain from one particular authority, but then an attacker could trick another certificate authority and get a certificate for your domain, too.”
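The following added example (not code from the original article) models the two browser checks described above: is the issuer in the trust store, and does the certificate name match the site you asked for? It also shows why the mis-issuance problem in the quote is invisible to the browser. The certificates and the trust store are constructed stand-ins for real X.509 data; signature verification and revocation checks are deliberately left out, and the CA names and hostnames are hypothetical.

```python
"""Simplified model of the checks a browser performs on a site certificate.

Added example, not from the original article. A Certificate here is a plain
record standing in for an X.509 certificate; real browsers also verify the
signature chain and revocation status, which are omitted for clarity.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Certificate:
    subject_names: list      # DNS names from the Subject Alternative Name extension
    issuer: str              # name of the certificate authority that issued it
    not_before: datetime
    not_after: datetime


def hostname_matches(pattern, hostname):
    """Match one certificate DNS name against the requested hostname.

    Follows the usual browser rules (RFC 6125): matching is case-insensitive,
    a wildcard may only be the whole leftmost label and covers exactly one
    label, so '*.example.test' covers 'www.example.test' but neither
    'example.test' nor 'a.b.example.test'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False         # partial-label or non-leftmost wildcards are rejected
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False         # '*.tld' style wildcards are refused
    return p_labels[1:] == h_labels[1:]


def validate_certificate(cert, hostname, trusted_cas, now):
    """Return the warnings a browser would show; an empty list means accepted."""
    warnings = []
    if cert.issuer not in trusted_cas:
        warnings.append(f"issuer '{cert.issuer}' is not a trusted certificate authority")
    if not any(hostname_matches(name, hostname) for name in cert.subject_names):
        warnings.append(f"certificate is not valid for '{hostname}'")
    if not (cert.not_before <= now <= cert.not_after):
        warnings.append("certificate is outside its validity period")
    return warnings


# Constructed sample data: a hypothetical trust store and four certificates.
TRUSTED_CAS = {"Example Root CA", "Other Root CA"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
VALID_FROM = datetime(2024, 1, 1, tzinfo=timezone.utc)
VALID_TO = datetime(2025, 1, 1, tzinfo=timezone.utc)

# The certificate the site owner legitimately obtained.
GENUINE = Certificate(["shop.example.test", "www.shop.example.test"],
                      "Example Root CA", VALID_FROM, VALID_TO)
# Issued by a CA the browser does not trust: the browser warns.
UNTRUSTED = Certificate(["shop.example.test"], "Homemade CA", VALID_FROM, VALID_TO)
# Issued for the same domain by a *different* trusted CA (the mis-issuance case
# in the quote): indistinguishable from the genuine one as far as the browser knows.
MISISSUED = Certificate(["shop.example.test"], "Other Root CA", VALID_FROM, VALID_TO)


def demo():
    """Run the scenarios the article describes; returns {scenario: warnings}."""
    return {
        "genuine": validate_certificate(GENUINE, "shop.example.test", TRUSTED_CAS, NOW),
        "wrong_host": validate_certificate(GENUINE, "login.example.test", TRUSTED_CAS, NOW),
        "untrusted": validate_certificate(UNTRUSTED, "shop.example.test", TRUSTED_CAS, NOW),
        "misissued": validate_certificate(MISISSUED, "shop.example.test", TRUSTED_CAS, NOW),
    }


if __name__ == "__main__":
    for scenario, warnings in demo().items():
        print(f"{scenario:<11} -> {warnings or 'accepted without warning'}")
```

The "misissued" scenario is the point of this myth: the browser's checks pass because the second CA is also in its trust store, so HTTPS on its own cannot tell the site owner's certificate from one an attacker obtained elsewhere.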
We’ve walked through a number of common myths that need to be addressed if you’re going to protect your business from attacks in the future. Take your time to look through the list and ask yourself this question:
Do I believe any of these myths?