Brian Kime, senior adviser for cyber intelligence at Secureworks, formerly a senior intelligence analyst with the United States Army 355th Signal Command and a senior intelligence officer with the US Army Combined Joint Special Operations Task Force in Afghanistan, has heard these wonderful cyber security myths many times and prays they will be debunked soon.
Kime writes, "As security resident consultants providing full-time security expertise for large national companies, I see a lot of mystifying things across the cyber security world – not on an eight tiny reindeer level or a jolly old man all decked out in red sliding down a chimney, but close."
Kime has set out some of the most common cybersecurity myths SecureWorks experts run into, and what the real facts are.
For organisations that have done business a certain way for generations, it isn’t a simple matter of “clicking and dragging” the IT and information security teams into new ways of thinking. However, if companies want to protect their data, they must be ready to change, because nobody wants a lump of coal and a heap of security breaches going into the new year.
#1 Naughty List Myth: It’s a good idea to mix your IT and cyber security teams
Some companies like to mix their cyber security teams with their IT team and think that they can all function in the same roles as one collective team. WRONG.
The fact is, the cyber security team’s sole focus is to manage risk, while the IT team is responsible for delivering services that improve the efficiency of the organisation. Unfortunately, while the IT team is doing its job of bringing in new technology and services, it also exposes the company to more risks and vulnerabilities.
Naturally, IT teams want to spend the budget on acquiring and implementing the best systems and operating systems to make the business run smoothly – usually, the cyber security team gets the scraps, and that is not enough to sufficiently protect the organisation’s data.
Cyber security teams function better under the risk management branch of the organisation or underneath direct oversight of the CEO or board of directors.
#2 Naughty List Myth: It’s ok to shrug off security policy violations that don’t result in a compromise
Companies often fail to act against employees for violating security policies. WRONG.
For example, many employees walk away from a workstation without logging out; it only takes a moment for someone else to gain access to that workstation. Many download games and shadow IT applications onto their workstations, opening up more risk. Even the smallest security violation, such as inserting a stray USB stick, can end up having a lasting and significant effect on the confidentiality, integrity, and availability of an organisation’s information.
Small mistakes can have big consequences. Building a culture of security requires that leadership enforce all information security policies. First-time offenders usually only need to be educated on the risks of their careless behaviour.
The cyber security team should report all offenders to the CISO, the HR director, or someone else at the company who will use that information to help change the culture and enforce policies. Acting on even small security violations builds a culture of security awareness across your workforce.
#3 Naughty List Myth: Tools and technology should be the focus of security strategy
Many companies think that if they have all the newest cutting-edge technology they will be secure. WRONG.
Having the latest and greatest seems awesome, but without people who know how to get the most out of it you are wasting money and hurting productivity. Without the proper policies and procedures, security teams can suffer from “alert overload”. Companies also tend to acquire too many tools that don’t communicate with one another, often including tools that are redundant, while having too few employees who can operate those tools effectively.
Prioritising tools and technology over people and process results in tools and people that do not work well together.
People can form a human firewall around your network. For that reason, security awareness training is critical, as is establishing smart processes around policy enforcement.
#4 Naughty List Myth: It's ok to ignore strange events if they don't trigger an actual alert
IT help desks often disregard spurious security events and issues. WRONG.
IT help desks often close tickets for security issues just because they can’t diagnose or replicate the problem. For example, if a Windows User Account Control (UAC) prompt inexplicably appears asking for administrator credentials, it may be a sign of infection.
It is important that your cyber security team educate and integrate your Help Desk and Network Operations Centre (NOC) into your overall information security standards and procedures.
There should be a communications channel between your IT Help Desk, NOC and your incident response team to ensure security issues are handled appropriately. All security events should be "warm transferred" up the chain to ensure prompt and complete responses.
#5 Naughty List Myth: There are security holes too small for hackers to notice
Companies often neglect to patch browser plugins, especially when a risk assessment rates them as medium or low criticality. WRONG.
Ironically, few browser or browser plug-in patches require users to restart their computers to finish applying the patch. Patches for browsers like Google Chrome and Mozilla Firefox, and for browser plug-ins like Adobe Flash, can be deployed in a manner that is completely transparent to users. The most a user usually has to do is restart the browser.
Failing to include browser plugins like Java, Adobe Flash, Adobe Reader, and Microsoft Silverlight in your vulnerability management program can have disastrous effects.
Rob Joyce, the head of the National Security Agency's Tailored Access Operations unit, said, "Don't assume a crack is too small to be noticed, or too small to be exploited." If you do a penetration test of your network and 97 things pass the test but three seemingly insignificant things fail … those vulnerabilities are the ones nation states and other attackers will exploit.
#6 Naughty List Myth: Default settings will keep me safe
And you believe in the Easter Bunny too. WRONG.
There are three common mistakes regarding network-attached devices: not using the security controls at all, using only some of them, or keeping the default settings. To avoid them:
- Examine the default settings of all devices and customise the policies and rules to fit your organisation's risk profile.
- When configuring any new security control, always change the default administrator credentials.
- Work with vendors to understand all the capabilities of your security controls to maximise ROI. By default, for example, most web proxy solutions do not block "uncategorised" websites – those that have not yet been analysed and categorised.
#7 Naughty List Myth: Free software is just as good as its paid alternatives
Free software is just as good as paid – we can use the money elsewhere. WRONG.
Using free software on the corporate network may violate a software licence agreement that prohibits corporate use, increasing the organisation’s exposure to lawsuits from the software vendor. Additionally, free versions of software rarely have all the capabilities of the paid, licensed version.
Often, IT teams aren't aware of all the tools the organisation has, so they download tools they don't even need – which may introduce even more risk to the organisation.
Organisations wishing to use free tools need to carefully read the software licences, end-user licence agreements, and terms of service, regardless of whether the tool is free open-source software or a trial version of a subscription or licensed application.
Free open source software should be evaluated for vulnerabilities just like any paid software.