There are many misconceptions about cyber security. Here are a few common examples, as well as how to better prepare for and avoid them.
Myth #1: Cyber hackers only target large businesses
Reality: If you’re a small and medium-sized business, you may think your data isn’t valuable to hackers. But small and medium-sized businesses are one of the top targets for hackers. A recent report from Cybersecurity Magazine indicated 43% of all data breaches were against small businesses and 83% of small and medium-sized businesses are not financially prepared to recover from a cyber-attack.
Myth Busted: No business – regardless of size – is immune to computer hackers and malicious attacks. That’s why small and medium-size businesses need to commit the necessary resources to protect themselves – and their customers – from cyber-attacks. They can cause serious interruptions to your business. According to CyberCrime Magazine, 60% of small companies close within six months of being hacked
Myth #2: You can trust files that are hosted on legitimate websites
Reality: We should know not to download files from seedy websites, but what about places like Google, iCloud, and Dropbox? While the sites themselves are legitimate, and would never knowingly host things like malicious files, there is no way to keep them out of their systems. Attackers can easily upload malicious documents, or even scripts and executables, that will infect user machines.
Myth Busted: Never trust files/links unless you can verify who put them there – that link your friend or colleague just emailed you might just have been sent by a hacker.
Myth #3: If it’s in an App store it’s safe
Reality: Similar to the file-sharing site example, curated app stores, like those for IOS, Android, Windows, Mac, Chrome, Firefox, etc., do take steps to block malicious apps from being added to their stores. But it is a constant game of cat and mouse with hackers continuously finding new ways to hide their malicious code.
Myth Busted: Don’t trust that an app/extension is safe just because it’s hosted on a reputable site. Sometimes even an application that was created by a legitimate developer can be sold off to another entity that inserted malicious code in an update. Whenever possible avoid installing applications that aren’t necessary or created by lesser-known entities and one-off developers.
Myth #4: Using password protected Public Wi-Fi is safe
Reality: Using public Wi-Fi, like those found in coffee shops and airports, always carries a certain amount of risk. An open Wi-Fi network does not require a password to join. This is the lowest level of security because it doesn’t encrypt network traffic between your device and the Wi-Fi access point (AP), making it easy to intercept this data and perform other types of attacks.
Myth Busted: Wi-Fi access points that require a password are better because the connection between the AP and the device is more secure. However, if the AP is poorly configured or malicious, the data coming from your device is still vulnerable. Using a VPN or your mobile phone’s hotspot are good ways to help protect traffic from malicious activity on public Wi-Fi networks.
Myth #5: Antivirus will protect my computer
Reality: Antivirus, while an important application that uses signatures and heuristics to block viruses, struggles to stay in step with constantly evolving methods of evasion and obfuscation of malicious software. There are also many threats that fall outside of executing malicious software on a machine – such as phishing attacks targeting credentials.
Myth Busted: Just like an airbag is not a replacement for responsible driving, antivirus is a safety measure that is no replacement for good user decisions.
Myth #6: You’ll know if your PC is infected
Reality: Tying in with the previous myth, most malware wants to remain unnoticed by users with the exception of attacks like ransomware that will let you know that you’ve been compromised once your machine is already encrypted to demand payment.
Myth Busted: Glitching screens, skull and crossbones, and other Hollywood theatrics have nothing to do with how the malware operates within a system.
Myth #7: A secure HTTPS connection means a site is safe to visit
Reality: HTTPS is an extension of HTTP (the primary protocol used to connect to websites) and includes great features such as assigned certificates and encryption of data in transit, which means:
1) the site has a certificate from a trusted certificate authority (CA) for its domain and
2) the data is encrypted in transit to protect it from being tampered with or viewed.
However, none of this means that the site itself is safe. Phishlabs recently found that 74% of malicious sites had valid HTTPS connections. That percentage is likely even higher today.
Myth Busted: For a few dollars, an attacker can get a certificate from a CA for their domain. With this in place, a browser will say a site has a valid/secure connection, even if the site is hosting malware or phishing credentials. This is especially tricky when combined with typosquatting attacks where attackers will use URLs that look very similar to legitimate websites (google[.]com vs goggle[.]com).
Myth #8: A difficult password to remember is difficult to guess
Reality: A short password with nonsense series of characters (i.e. S3cu%1t$) isn’t terribly intuitive to remember, but even worse it can easily be cracked by a computer. On the other hand, a nonsensical passphrase of random words (i.e. truckbreadspecialistcorrect) would take the same computer 100 times longer to guess – add any capital letters, numbers, and punctuation and brute force cracking that passphrase is essentially impossible. That’s because computers typically must try every character in a password, so length significantly increases the difficulty. For a user, on the other hand, remembering a few words is simple.
Myth Busted: Using a strong passphrase and two-factor authentication (2FA/MFA), in case that passphrase is ever stolen, will significantly strengthen the security of your credentials. When used with a secure password vault, you can securely manage hundreds of long unique randomly generated passwords for all your sites and services.
Myth #9: You have to do something to be compromised
Reality: A great deal of emphasis is on user awareness and training because most cyber-attacks are based on stealing credentials or getting a user to download and trigger malware on their machine. That’s half the picture.
Myth Busted: While far from an exhaustive list, failing to do any of the activities below is a recipe for compromise:
- keeping applications patched
- retiring end of support devices (i.e. smartphones)
- changing passwords after data breaches
Myth #10: It’s possible to have perfect security
Reality: A system that is properly configured, completely updated, and controlled by a user that makes the right decisions 100% of the time, can still be compromised by skilled attackers especially when zero-day (previously unknown) vulnerabilities come into play.
Myth Busted: Good security focuses on addressing a wide breadth of risks and building layers of defense with the understanding that it is a matter of time before a system is compromised. Defense-in-Depth focuses on bolstering defenses at every level (including the user), while accepting the fact that it’s only a matter of time before an incident happens. Identifying and mitigating that incident quickly is key to keeping the damage to a minimum.
Born and raised in Northern Wisconsin, Casey has an Associate’s Degree from Northwood Technical College in Computer Networking Technology and a bachelor’s degree from UW Stout in IT Management. He joined WIN Technology nine years ago working in Network Engineering and currently in Security Operations.