6 information and cyber security nightmares—and how to prevent them

Pluralsight
Published in Pluralsight
6 min read · Oct 10, 2017

In today’s Internet of Everything world, we’re more connected than ever before — which means more opportunity for security threats and data breaches. And 2017 has been quite the year for them. Think Equifax, Wikileaks, WannaCry, Chipotle… the list goes on.

Since October is National Cyber Security Awareness Month (NCSAM), we asked our in-house experts and the security-savvy Pluralsight author community what their biggest security nightmares are, and more importantly, how to prevent them. Here are just a few scary stories to teach you a thing or two about security.

Ransomware rages on

When it comes to security threats, I believe that the biggest damage caused to people will continue to be the ever-increasing amount of ransomware. It’s quite easy to block traditional malware by using whitelisting techniques like Windows AppLocker, but it is very hard to prevent people from damaging their own or shared data.

Solution: Since anti-malware is basically useless against the hundreds of thousands of new samples found every day, you must adopt proactive measures like PoLP (principle of least privilege), whitelisting and network authentication to stay safe. From my perspective, the most common ways that companies get hacked are still somehow related to social engineering or people neglecting to read instructions. For that, the only fix out there is training and increasing awareness.

- Sami Laiho, Pluralsight author

Stolen (bank) passwords

I’ve had a lot of security nightmares, but the worst is related to passwords — specifically bank passwords. What happens when a hacker gets a password to a company’s ETF’s FTP account? Bad, bad things — the hacker extracts account numbers and personal information about the bank’s clients. You can guess the ending of the story.

Solution: Employee awareness training.

- Gus Khawaja, Pluralsight author

Never-ending data breaches (a.k.a. current reality)

My biggest nightmare is that the trend of ever-increasing data breaches — increasing in both frequency and size — continues on. Oh sure, medical devices being exploited and IoT going wrong to the extent that it hurts people en masse is all very scary, but the reality that hurts us most is the billions of records we see flooding the internet. My biggest nightmare is the continuing reality.

Solution: My courses and Pluralsight’s other security training are a great start. These sites are very frequently compromised by vulnerabilities built into the code of the site, and the best way we can fix this is to educate developers and stop building vulnerable code in the first place.

- Troy Hunt, Pluralsight author

An ignorant IT team

My biggest nightmare is when I meet with IT teams and they tell me they’re secure because they have an IDS, anti-virus and proper firewalling across their networks and devices. Yet they’ve never looked at the logs, or don’t know where their most risky data is and how people can access it. Or, even worse, they don’t even know what they have, whether they have policies, and they have no documentation.

Solution: We need to make sure we’re educating our IT teams on the threats that are present and the risk data holds. And, at the same time, we need to implement security procedures into the culture of the team and company, and regularly review/test those procedures. Security isn’t an add-on or an afterthought — it needs to be a core focus that is part of the IT team’s thought process throughout the development and administration lifecycles.

- Gary Eimerman, Pluralsight VP of Content Production

The wild world of wireless & weak passwords

Beyond the evil clown craze, I’d have to say that wireless is the scariest thing as of late. We’re all addicted to our wireless devices, be it smartphones, tablets, TVs or gaming consoles. Even doorbells, dishwashers, cars and refrigerators are coming with wireless built into them. And my concern is how wireless works. We’re becoming a generation of “I don’t care how it works, as long as it works.” And that’s scary.

Even if you’re using secure encryption like WPA2, you’re not “totally secure.” Want to hear a scary story? Did you know that I can reset your connection on your device and pick up the handshake you make with your wireless router/AP? All I have to do is run that handshake through a quick dictionary attack tool, and if your wifi password is weak (a weak password equates to using passwords that are made up of fewer than 14 characters and are based on real words), I’ll be trick-or-treating all over your network.

Solution: Make sure your wifi passwords are STRONG. The second thing you can do is not “automatically connect” to the wifi access point. I know it’s convenient, but any time we look at security and convenience is involved, you’re losing your security posture. I know it means two or three more clicks, but that’s nothing compared to being subjected to an evil clone attack! (Hey wait a minute…evil clown, evil clone…hmmmm).

- Dale Meredith, Pluralsight author

Overlooking the obvious

As a CTO, my biggest security nightmare is when we, as technology pros, miss something obvious. When we overlook something like cross-site scripting or injection vulnerabilities, it’s easy for someone to gain access to sensitive data that could potentially shut down your entire site and result in serious, ongoing consequences. In today’s hyper-connected world, EVERYONE is at risk of getting hacked at some point. But, as a company that provides technology training, specifically security training, we need to be sure we don’t miss those obvious and also not-so-obvious things.

Solution: Some obvious things companies should do to protect themselves are to create awareness within the org and provide training for your teams. Also, conduct third-party penetration tests and share the results within the organization — this can really highlight the risks and bring them home for people.

- Jody Bailey, Pluralsight Chief Technology Officer

Recognize Cyber Security Awareness Month, every month

These security stories aren’t meant to scare you — they’re meant to inform you. Let’s stop looking at security as something you should be scared into doing, and start treating it as something you do because you care.

In the words of Don Jones, Pluralsight’s Curriculum Director for IT Ops Content:

“Security isn’t scary — it’s a lifestyle. Security isn’t something you do from fear. Security is something you do because it’s your job. Because it’s the right thing to do. You don’t protect your children because you’re scared of something — you protect them because you love them, and because it’s the right, natural thing to do. So love your infrastructure. Love your career. Get your InfoSec ducks in a row because it’s the right thing to do.”

On that note, see how your security skills stack up with this free assessment: Security for Hackers and Developers, and join the conversation on Twitter with #NCSAM and #CyberAware.
