InfoSec MythBusters: quelling common misconceptions

The folklore genre of mythology consists of narratives that play a fundamental role in our society, usually involving demi-gods or supernatural humans with mysterious, far-fetched powers. While it's hard to believe there is any real truth behind Jason and the Argonauts, Odysseus' treacherous journey to Ithaca, or Orpheus and Eurydice's episodes in the Underworld, their messages of bravery, loyalty, and faith in mankind still stand. On the other side of the coin, a myth can also be defined as a widely held but false belief. In this sense, our own expert team of Prometheuses, security deities, and supernatural content engineers have dug into the myths of information security, and why we shouldn't always believe what we hear.

“This security tool will solve our problem!”

Dan Butcher, Principal Content Engineer

From my time spent in a SOC and working as a security engineer, I've had exposure to my fair share of security tools. Some were deployed as a result of a gap in coverage and others in response to a particular incident. While many of these tools were valuable additions to the suite, more often than not the tools installed as a reaction to an incident took a great deal of engineering time and effort to deploy, configure, and maintain. They were basically seen as a waste of time, effort, and money.

Across many organizations, security tools are deployed as a silver bullet to a problem which could be solved through other means, consuming valuable resources which could otherwise be spent maintaining and improving upon existing tooling, infrastructure, and processes.

“Security is not my problem. It’s the IT department’s responsibility”

Oisín Brennan, Junior Cyber Content Engineer

False! Every employee of a company is responsible for ensuring its security within the cyber realm. All staff are potential causes of cybersecurity breaches. While phishing was the most common initial access vector for cyberattacks in 2019, there’s also been a sharp increase in the unauthorised use of credentials by cyber criminals, as well as the remaining problem of watering hole attacks.

In addition, high-level executives are often the target of whaling attacks – scams that usually arrive in the form of an email apparently from a trusted source. In 2017, Google and Facebook were scammed out of over $120 million by a criminal parading as Quanta Inc, a company that supplies hardware to the two tech giants. The attacker focused on the financial departments of each company, sending forged invoices and contracts and requesting payments into falsely named bank accounts.

Therefore everybody, not just the IT department, should be wary of malicious links in emails. Avoid downloading attachments from untrustworthy websites and ensure your passwords are secure and changed regularly.

“CAs that issue free certificates are less secure than paid-for certificates”

Sean Wright, Lead Application Security SME

In its simplest form, a certificate confirms the identity of an object – typically a server – that a user connects to. From a security perspective, it’s important to ensure you’re communicating directly with the server that you intended, or you could be in the midst of what’s known as a man-in-the-middle attack. Only an authorized server should be able to obtain a certificate for itself, otherwise anyone (especially attackers!) could grab a certificate and pretend to be any system they like. CAs must validate requests for certificates to ensure that they are legitimately from the specific server owner.

This is where the myth comes into play. It’s assumed that because CAs issuing free certificates don’t have the capital, they cannot ensure the same level of standards as commercial CAs (with which a user must pay to obtain certificates). This is simply not true, largely because of the CAB Forum Baseline Requirements. These are a set of standards with regular audits that all CAs must conform to if they are to be trusted by applications like web browsers or operating systems. Both free and commercial CAs must meet these standards to be trusted by a web browser.

Another argument is that there is no incentive for these CAs to perform well. I couldn't disagree more – if anything, they're likely to perform better! These CAs aren't driven by profits or commissions, and the fact that they're motivated out of their own pocket shows how much they care. Automation should also be considered. CAs such as Let's Encrypt have done a fantastic job of automating their processes and have significantly reduced their overhead costs in doing so. Finally, while CAs such as Let's Encrypt are non-profit organizations, they still receive a healthy dose of donations and sponsorships from large organizations.

Part of this myth stems from the idea that paid-for certificates provide greater encryption. Again, this is untrue. The strength of the encryption algorithm used to encrypt data is independent of the certificate and is defined by the cipher suites which are supported by both the client and server.
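The two security-relevant properties in this section, whether the client verifies the server's identity and which cipher suites actually get used, can both be inspected from a TLS library without a single certificate in hand. The following Python script is an added example and not code from the article's author: it uses only the standard-library `ssl` module, loads no certificate and opens no connection, and the server preference lists in it are constructed for the demonstration.

```python
from __future__ import annotations

import ssl

# Added example for this section; not code from the original article.
# Nothing here loads a certificate or touches the network, which is the point:
# identity verification is a client setting and the cipher suites on offer are
# an endpoint configuration. Neither depends on who issued the certificate.


def verifying_client_context() -> ssl.SSLContext:
    """A client context that actually checks who it is talking to.

    create_default_context() loads the platform trust store, requires the
    server certificate to chain to a trusted CA (CERT_REQUIRED) and checks that
    the certificate's names match the host we asked for. Both checks are what
    rule out a man-in-the-middle; a free and a paid certificate pass or fail
    them in exactly the same way.
    """
    return ssl.create_default_context()


def offered_cipher_names(cipher_string: str) -> list[str]:
    """Cipher suites a client configured with ``cipher_string`` would offer.

    ``cipher_string`` is OpenSSL cipher-list syntax. The returned list also
    contains the TLS 1.3 suites, which OpenSSL does not filter through this
    string (they stay enabled unless TLS 1.3 itself is disabled).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def negotiate(client_offer: list[str], server_prefs: list[str]) -> str | None:
    """Model the server's suite choice when it honours its own preference order.

    The server walks its preference list and picks the first suite the client
    also offered; with no overlap the handshake fails (None). The certificate
    is not an input here, just as it is not an input to the real choice.
    """
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def is_weak_suite(name: str) -> bool:
    """Flag suites a practitioner would not want to see negotiated."""
    bad_markers = ("NULL", "RC4", "DES", "MD5", "EXP", "ADH", "AECDH")
    return any(marker in name for marker in bad_markers)


if __name__ == "__main__":
    ctx = verifying_client_context()
    print("hostname check:", ctx.check_hostname, "| verify:", ctx.verify_mode.name)

    client = offered_cipher_names("ECDHE+AESGCM:!aNULL")
    print("client offers:", client)

    # Two hypothetical servers with the *same* certificate but different cipher
    # policy (preference lists constructed for the demo, OpenSSL naming).
    modern_server = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]
    legacy_server = ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]
    for label, prefs in (("modern", modern_server), ("legacy", legacy_server)):
        chosen = negotiate(client, prefs)
        flag = " (WEAK)" if chosen and is_weak_suite(chosen) else ""
        print(f"{label} server negotiates: {chosen}{flag}")
```

Change the cipher string or the server lists and the negotiated suite changes; load any certificate you like and it does not, which is the point the paragraph above makes. The one thing the certificate does decide is the authentication family, because an RSA certificate can only be used with RSA-authenticated suites and an ECDSA certificate with ECDSA ones, which is why suite names carry RSA or ECDSA. A free certificate and a paid one with the same key type unlock exactly the same suites.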

While the likes of Let’s Encrypt have faced some issues in the past, they have been incredibly quick and open about them. On the other hand, Symantec once issued certificates to servers posing as Google. This rather alarming security incident eventually led to them selling off their entire PKI to DigiCert.

Verdict: Myth busted!

“Our company is too small to be at risk!”

Rae Jeffries-Harris, Content Engineer

It’s a common misconception that only large, established corporations are targeted in cyberattacks. Companies will often consider themselves too small or insignificant to be at risk. Unfortunately, this is not true. In a recent survey released by the UK government it was found that 43% of micro firms (under 10 employees), 62% of small firms (10-49 employees), and 68% of medium firms (50-249 employees) had experienced breaches or cyberattacks over a 12-month period.

So why would a malicious hacker target a company with few employees? Surely the payout would be minimal? The answer, put bluntly, is that smaller companies often make for easier targets. Research carried out by the Federation of Small Businesses in 2019 found that one in three small firms had not installed security software over a two-year period, two in five admitted they don't regularly update software, and less than half had any sort of strict password policy for devices. That most security solutions are aimed at larger companies who can afford the price tags associated with securing themselves doesn’t help the issue. Given all the above, it’s hardly surprising that smaller companies are frequent victims of cybercrime, and woefully clear that this sector could benefit from increased cybersecurity awareness.

“Blockchain will change the world!”

Robert Klentzeris, Vulnerable App Developer

With so much hype surrounding blockchain technology over the last decade, we have seen promises ranging from a new way to make secure payments to revolutionizing the entire world. But how can a technology whose core principle is to provide a distributed append-only database coexist with GDPR, which operates under the assumption that data can be modified or erased entirely (Article 17)?

Using blockchain networks, "resilience through replication" can be an attractive option for businesses looking for a catch-all way of improving their security and avoiding a central point of attack. However, before implementing blockchain technology into your business, consider whether the increased difficulty or potential impossibility in complying with GDPR is worth it.


PUBLISHED

28 August 2020