Wednesday, 21 December 2016 10:42

Cyber security myths that just won't die


Believing in Santa does no harm; believing misconceptions about the security of your organisation, however, does.

Secureworks' cyber intelligence senior adviser Brian Kime, a former senior intelligence analyst with the United States Army 355th Signal Command and senior intelligence officer with the US Army's Combined Joint Special Operations Task Force, Afghanistan, has heard these wonderful cyber security myths and prays they will be debunked soon.

Kime writes, "As security resident consultants providing full-time security expertise for large national companies, I see a lot of mystifying things across the cyber security world – not on an eight tiny reindeer level or a jolly old man all decked out in red sliding down a chimney, but close."

Kime has set out some of the most common cybersecurity myths SecureWorks experts run into, and what the real facts are.

"I’d like to look at it as our Cyber Security Naughty or Nice List. Some of these truths may be hard to swallow and require a massive overhaul in how things are and have been done in organisations," he says.

Specifically, for organisations that have conducted business a certain way for generations, it isn't a simple task of "clicking and dragging" the IT and information security teams to new ways of thinking. However, if companies want to protect their data, they must be ready to change, because nobody wants a lump of coal and heaps of security breaches going into the new year.

#1 Naughty List Myth: It’s a good idea to mix your IT and cyber security teams

Some companies like to mix their cyber security teams with their IT team and think that they can all function in the same roles as one collective team. WRONG.

The fact is, the cyber security team's sole focus is to manage risk, while the IT team is responsible for delivering services that improve the efficiency of the organisation. Unfortunately, while the IT team is doing its job of bringing in new technology and services, it exposes the company to more risks and vulnerabilities.

Naturally, IT teams want to spend the budget on acquiring and implementing the best systems and operating systems to make the business run smoothly – usually the cyber security team gets the scraps, and those are not enough to sufficiently protect the organisation's data.

Cyber security teams function better under the risk management branch of the organisation or underneath direct oversight of the CEO or board of directors.

#2 Naughty List Myth: It’s ok to shrug off security policy violations that don’t result in a compromise

Companies often fail to act against employees for violating security policies. WRONG.

For example, many people have walked away from a workstation without logging out; it only takes a moment for someone else to gain access to that workstation. Many download games and shadow IT applications onto their workstations, exposing the organisation to more risk. Even the smallest security violation, like inserting a stray USB stick, can end up having a lasting and significant effect on the confidentiality, integrity, and availability of an organisation's information.

Small mistakes can have big consequences. Building a culture of security requires that leadership enforce all information security policies. First-time offenders usually only need to be educated on the risks of their careless behaviour.

The cyber security team should report all offenders to the CISO, the HR director, or to someone at the company who will use that information to help change the culture and enforce policies. Enforcing even small security violations builds a culture of security awareness across your workforce.

#3 Naughty List Myth: Tools and technology should be the focus of security strategy

Many companies think that if they have all the newest cutting edge technology they will be secure. WRONG.

Having the latest and greatest seems awesome, but without people who know how to get the most out of it you are wasting money and hurting productivity. Without the proper policies and procedures, security teams can suffer from "alert overload". Companies also tend to acquire too many tools that don't communicate with one another, often hold tools that are redundant, and yet have too few employees who can operate the tools effectively.

Prioritising tools and technology over people and process results in tools and people that do not work well together.

People can form a human firewall around your network. For that reason, security awareness training is critical, as is establishing smart processes around policy enforcement.

#4 Naughty List Myth: It's ok to ignore strange events if they don't trigger an actual alert

IT help desks often disregard spurious security events and issues. WRONG.

IT help desks often close tickets for security issues simply because they can't diagnose or replicate the problem. For example, if a Windows User Account Control (UAC) prompt inexplicably appears asking for administrator credentials, it may be a sign of infection rather than a glitch to be closed out.

It is important that your cyber security team educate and integrate your Help Desk and Network Operations Centre (NOC) into your overall information security standards and procedures.

There should be a communications channel between your IT Help Desk, NOC and your incident response team to ensure security issues are handled appropriately. All security events should be "warm transferred" up the chain to ensure prompt and complete responses.

#5 Naughty List Myth: There are security holes too small for hackers to notice

Companies often neglect to patch browser plugins, especially when their risk assessments are rated as medium or low criticality. WRONG.

Ironically, few browser or browser plug-in patches require users to restart their computers to finish applying the patch. Patches for browsers like Google Chrome and Mozilla Firefox, and browser plug-ins like Adobe Flash, can be deployed in a manner that is completely transparent to users. The most users usually have to do is restart the browser.

Failing to include browser plugins like Java, Adobe Flash, Adobe Reader, and Microsoft Silverlight in your vulnerability management program can have disastrous effects.

Rob Joyce, the head of the National Security Agency's Tailored Access Operations unit, said, "Don't assume a crack is too small to be noticed, or too small to be exploited." If you do a penetration test of your network and 97 things pass the test but three seemingly insignificant things fail … those vulnerabilities are the ones nation states and other attackers will exploit.

#6 Naughty List Myth: Default settings will keep me safe

And you believe in the Easter Bunny too. WRONG.

There are three common mistakes regarding network attached devices:

  • They don't use the security controls, they only use some of the security controls, or they keep the default settings. Examine the default settings of all devices and customize the policies and rules to fit your organization's risk profile.
  • When configuring any new security control, always change the default administrator credentials.
  • Work with vendors to understand all the capabilities of your security controls to maximize ROI. By default, most Web proxy solutions do not block websites that are "uncategorized" - those that have not been analysed and categorized.
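The three mistakes above translate directly into checks that can be run over a device inventory. The following Python script is an added example, not code from SecureWorks or from the article: it audits a constructed list of network devices for default administrator credentials, security controls that shipped with the product but were never enabled, and a web proxy still allowing "uncategorized" sites. The field names, the device records and the default-credential table are all assumptions made for this illustration, not any vendor's real configuration schema.

```python
"""Audit network device configurations for the three common mistakes.

Constructed example: every field name and sample value below is an
assumption made for illustration, not a real product's schema.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Device:
    name: str
    kind: str                        # e.g. "web-proxy", "firewall" (assumed labels)
    admin_user: str
    admin_password: str
    # security controls the product ships with -> whether each is enabled
    controls: Dict[str, bool]
    # only meaningful for web proxies; None for other device kinds
    block_uncategorized: Optional[bool] = None


# Placeholder table of vendor default credentials (constructed, not real).
# In practice this comes from each vendor's own documentation.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "changeme"),
}


def audit_device(dev: Device) -> List[str]:
    """Return a list of findings for one device; empty means no issues found."""
    findings: List[str] = []

    # Mistake 2: default administrator credentials were never changed
    if (dev.admin_user, dev.admin_password) in DEFAULT_CREDENTIALS:
        findings.append("default administrator credentials still in use")

    # Mistake 1: only some of the shipped security controls are switched on
    disabled = sorted(name for name, on in dev.controls.items() if not on)
    if disabled:
        findings.append("security controls shipped but not enabled: " + ", ".join(disabled))

    # Mistake 3: web proxy left at the vendor default of allowing uncategorized sites
    if dev.kind == "web-proxy" and not dev.block_uncategorized:
        findings.append("uncategorized websites are allowed (vendor default)")

    return findings


def audit_fleet(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each device name to its findings."""
    return {d.name: audit_device(d) for d in devices}


# Constructed sample fleet: proxy-01 was left at defaults, proxy-02 was hardened.
SAMPLE_FLEET = [
    Device("proxy-01", "web-proxy", "admin", "admin",
           {"malware_scanning": True, "ssl_inspection": False},
           block_uncategorized=False),
    Device("proxy-02", "web-proxy", "proxyadmin", "<long unique passphrase>",
           {"malware_scanning": True, "ssl_inspection": True},
           block_uncategorized=True),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET).items():
        print(f"{name}: {'OK' if not findings else 'REVIEW'}")
        for item in findings:
            print("  -", item)
```

Run as-is it reports three findings for proxy-01 and none for proxy-02; in a real deployment the inventory would be pulled from a CMDB or the devices' own exports rather than hard-coded, and the credential table filled from vendor documentation.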

#7 Naughty List Myth: Using free software is just as good as their paid alternatives

Free software is just as good as paid – we can use the money elsewhere. WRONG.

Using free software on the network can violate a software licence agreement that prohibits corporate usage, which may increase the organisation's risk of lawsuits from the software vendor. Additionally, free versions of software rarely have all the capabilities of the paid, licensed version.

Often, IT teams aren't aware of all the tools the organisation has, so they download tools they don't even need – which may introduce even more risk to the organisation.

Organisations wishing to use free tools need to carefully read the software licences, end-user licence agreements, and terms of service, regardless of whether it is free open-source software or a trial version of a subscription or licensed application.

Free open source software should be evaluated for vulnerabilities just like any paid software.

Ray Shaw


Ray Shaw  has a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!
