10 Cybersecurity Myths You Need To Be Aware Of

TOM: Thank you, Kindsey, for taking care of that and getting the poll started. Today is 10 cybersecurity myths, and maybe a little extra one in there. This is part of our Deeper Dive Quicklook series. Many of you have been on other webinars of ours, especially I guess the NRWA webinar. It’s all related to that webinar, where we paint a big, big picture of the cybersecurity industry, and then we just touch on some things that in the Deeper Dive Quicklook, we’re getting into in a little more detail to help get everybody’s security awareness, what to look for, things like that, and so forth.

Having said that, let’s look at #1: “My passwords are strong.” If you’re using pets’ names, children’s names plus their birthday, family names, your grandmother’s name, these are things that you answer as security questions on a banking website to prove – reset password, it’s very common. I’ve also seen people put this up on Facebook, just for fun. Little quizzes, like “What’s your mother’s maiden name?” and “What’s your first pet’s name?” And people answer them on Facebook, not realizing that they’re getting scammed.

So that’s a no-no. If you think your passwords are strong and it contains children, pets, anything like that in there at all, first car you ever owned, where you graduated from high school, your high school mascot – that’s not a strong password.

Another thing is reused credentials. Many, many people are guilty of this, and it’s reusing a set of credentials. For Facebook, you use this email address and this password, and just because it’s easy to remember, you also use it on all your other websites. Hopefully you don’t use it on your credit card or banking websites, but some people do. So you have to remember that when Facebook gets breached again, any site or application or what have you that requires credentials, the Facebook credentials are shared. They share across sites if you duplicate username and password just so it’s easy to remember.

Hackers have access to all of those different things. Credit cards, all of that stuff. Email. And if they get into your email, they can pretty much get into anything else because email is the typical way that passwords are reset. So you can’t reuse credentials. Every set of credentials must be unique.

So how do I do that? You’ve got to use a password manager. I will promise you – well, let me rephrase that. I have yet to see anyone that doesn’t use a password manager that has strong passwords. Never seen it. And even if they have strong passwords, chances are they’ve been reused.

A good password manager not only will store the credentials safely, unhackably – because that’s their business – but it also gets you to the point where you don’t even care what the password is because you’re going to use a tool in there to automatically generate a long character string. So you won’t even care because you can automatically put it into the website.

And then finally, multi-factor authentication. That is a third layer to add to your credentials for a website. You typically see these on banking websites, but it may be an app you download to your phone, or you’ve got a little hardware MFA device where you punch a button on it and it generates a 6- or 8-digit code. You have to have that present with you, and that time-sensitive code you generated on the fly, and that’s a third set. So you should always use MFA wherever possible. I use it on Facebook and other things as well. Of course, all the computers have MFA on them.

“Too small to be hacked.” This comes up all the time. Here’s the deal. Hacking is a huge, huge worldwide business. 2017, a study was done that estimated the criminals worldwide that engaged in hacking – and we’re talking nation-states and criminal enterprises – made $1.4 trillion. This hacking is done at scale. That means they’re distributing a million emails or 10 million emails at a time, maybe 100,000 emails at a time of ransomware attacks, all over the world. So when you’re doing at scale, you don’t have time to find people to be a victim. You just shotgun it and hope you hit something.

So not only do they not know who you are, they don’t even care who you are. They don’t care that that email goes to a Fortune 5 company or goes to your grandparents’ computer. All they want is the $300 or $3,000 worth of ransom, in the case of ransomware. The other hacking things – there’s other ways to make money besides ransomware, but especially in the case of ransomware. They don’t know who you are, they don’t care who you are, and the majority of data breaches occur to small businesses. Over 50%.

“Protecting yourself is good enough.” What do I mean by protecting yourself? What I’m really saying is protecting me and my company is good enough. The problem with that myth is you’ve got to think about the entire ecosystem. Do you deal with subcontractors? Do you have subsidiaries? You’ve got to consider your vendors and what their security posture looks like, and also the accounting firms. Outside accounting firms usually have access to your QuickBooks or whatever you may use for your financial stuff. Threats can come from a vendor or come from a subsidiary or come from a subcontractor, so you’ve got to see where they are and understand that you’ve got a threat there.

But probably the most important one of all of these is you’ve got to make sure that if you’re outsourcing your IT – it’s your sister-in-law or you’ve got a little company down the road or whatever and they’re doing your IT just when something’s broken – well, if they’ve got any kind of remote access, if the hackers discover this IT firm – and believe me, they are looking for them. We have to implement tons of security ourselves because they’re targeting us. We’ve been targeted many, many times.

Wasn’t it the Texas water utility that 20 something water utilities got breached? It was through an IT firm. They were all using the same firm, and that IT firm got breached. I think they didn’t turn on MFA or something like that, which is utterly ridiculous – which is also related to the next slide. There’s a lot of IT people – well, I’ll talk about it on the next slide. But you’ve got to make sure that IT firm is using MFA, is getting security training.

We continuously get security training, as do our clients. And it’s the same stuff. We’ve got people in our office that are not IT experts. But all it takes is one of those people to click on the wrong file attachment, and now we’ve got a whole problem. Not only are we compromised, but it potentially could be our clients. So we go through all of this stuff, and you’ve got to make sure your IT firm is top quality.

Another one that we hear a lot is “Our IT guy takes care of it.” Well, IT is a huge, huge business. A lot of people don’t realize just how big IT is. It’s not uncommon, when things are relatively normal in the world, for 30% of the people on an airplane – and it’s higher if you’re flying to San Francisco or Austin, Texas – but it’s not uncommon for 30% of the people on a commercial airliner to be involved in the IT business itself. We fly all over the place all of the time, and the reason is there’s all kinds of specialties. Just like a hospital has cardiologist, pulmonologist, radiologist, dermatologist, so does the IT business.

It’s very, very difficult – in fact, nobody can be an expert at every component of IT. I hear often that people assume that programmers must know everything. No, they know code, and chances are they only know one or a handful of different languages out of the hundreds there are. Network admins don’t know anything about programming. Programmers usually aren’t very good network administrators. There’s just so many different – project managers and security awareness experts and SOC managers. That’s a security operations center that we work with.

There’s so many specialties out there that a general interest, a GP, a general practitioner in the IT business is not who you want to go to if you’re having security issues, just like you don’t want to go to your general practitioner doctor to get your heart bypass surgery done. You want to go to specialists on that because they can’t be an expert at everything.

Another thing is you’ve got to have administrative controls. There’s a whole thing with security that the IT person may not – first of all, they’re not even responsible for, and you can’t just assume that these things are taken care of. So how does your business resilience plan look? Where are your backups? How frequently are those backups done?

Who monitors to make sure the backups are done? Is it continuously monitored by my sister-in-law down the street? If you’re not paying them on a monthly basis, chances are it’s not. What they’re going to rely on is they’re going to cross their fingers that that backup is going to be there when they need it. You’ve got to continuously monitor backups. You have to have all these administrative controls in there to wrap everything around, look at it from a management perspective. You’re responsible for the security, not your IT guy.

And the reason – you want to create a security-first environment, so you involve your whole team. All of your colleagues, all of your reports, anyone above and below you that touches that network must get not only security awareness training, but they must be all mindful of creating and keeping a security-first environment. It’s got to be baked into your company culture.

This is a new one. I haven’t ever talked about this. Sometimes we hear “Air gapping is secure.” That means maybe your SCADA computer or PC is not connected to your network, so it’s air gapped. There’s no cable between that PC and the internet or your organization network. Air gapping is secure, right? No, it’s not. And here’s why.

If you remember the Iranian centrifuge deal where it’s rumored that the United States and Israel created a virus to get on the centrifuges to make them spin up too fast and break them – it happened I think 10 years ago, give or take. Maybe a little bit more. If the U.S. and Israel did it, then those two countries broke their centrifuges so they couldn’t refine plutonium. It slowed down their nuclear development program. Those centrifuges and the controlling computers were air gapped, and they were enclosed within an incredibly – you can imagine how secure the facility itself was. Biometric scanners, limited access, approved access. All kinds of security measures to keep the wrong people out.

How did they do that? The rumor has it they dropped some USB flash drives in the parking lot, and all it takes is one person to pick up that drive, bring it into the facility, and insert it in a computer. And then the network’s infected. So just because they’re air gapped, doesn’t mean they can’t be penetrated. That’s the main reason all the social engineering thing is done. Over 90% of breaches require a human being to do something on the network. Over 90% of them.

Another problem with air gapping is chances are the updates are never done, or the software is never patched. Even those industrial control systems require firmware updates. In fact, they’re really vulnerable right now. They’re really improving the quality of them as we go forward, but they’re still going to have to be patched. That firmware is really nothing but software. It’s no different than Microsoft Word or your browser. It’s just a piece of software. They call it firmware because it’s embedded inside the hardware. It still has to be patched. So the hackers can still get in even if it’s air gapped.

“We don’t need tests or training.” It’s break this down a little bit. The testing part is part of the training, but what you want to do is test your network, your computers for vulnerabilities. Like, what patches have not been applied to this network? This is a part of our vulnerability testing that we do for clients. We go in, do internal and external scans to not only do a baseline – the very first one is our baseline. We see the things that need to be fixed, we fix those over time, we take care of new things that come onboard, and then we periodically do it again. Every 3 months or 6 months or a year, depending on what our risk posture looks like.

So a year later, we come back and do another one and may discover new vulnerabilities that were introduced for whatever reason. New things that have to be considered, new equipment that’s been placed on the network. So from a hardware standpoint, or a network standpoint, we’ve got to do those vulnerability tests just to see what’s open. Where’s my weaknesses?

But you also have to do training, because remember, over 90% of breaches require human interaction. This is why relying on your IT person or persons to take care of all of this is not the right way to do it. You’ve got to give everybody training. It’s got to be baked into the culture, and those administrative controls around password complexity and not sharing passwords, not reusing credentials – all of that takes administrative and managerial implementations, and to make sure it’s enforced, and to create that culture where everybody understands and respects why they have to go through these extra steps. The only way that can happen is with management believing in it and implementing it. So that’s another myth busted.

I don’t hear this one very often, but sometimes I hear “Our cybersecurity system is perfect.” Yeah, it never does get perfect. All of the hacking tools, the software changes, exploits in Windows operating systems and Mac operating systems and control systems like industrial control systems, new vulnerabilities are discovered every day in all of these things. That’s why you do the patching.

Besides all the technical stuff with updates and patches, you’ve got to change and update administrative controls as well. You’ve got to change those constantly. So there’s no way the system is ever going to be perfect, even if you could make it perfect at one snapshot in time. But yeah, it’ll never be perfect, and I’ve got another slide towards the end here that we’ll go into that a little bit more.

This one comes up a lot. “Antivirus is all I need.” “That’s as good as it gets.” I hear that one, too. Well, here’s the deal. Antivirus is pretty much useless today. In our IT division, we are actually discontinuing not only the selling of antivirus as of July 1st, but also even the support of antivirus because ethically it’s not the right thing to do. Especially since 2017, antivirus is pretty much useless.

And remember, the #1 threat that you’ve got to worry about is ransomware, and antivirus can’t detect most ransomware attacks because antivirus can only detect signatures of a virus, and ransomware attacks have no signature. Everything it does on the network is using the stuff built into Microsoft Office or Microsoft Windows. It’s encrypting the files with the Windows encryption tool. So there’s no virus to detect.

Then a lot of people are surprised to learn that antivirus vendors, sometimes even if they identify a virus, sometimes it’s days, weeks, or even months before they’ve got a fix in the software for a particular virus. Sometimes months. Sometimes never. I know I was surprised several years ago when I learned that. So if you’re relying on antivirus to protect you, you’re just about one step above not having anything.

“Threats are only external.” I’ve said this a couple of times; the majority of breaches require an insider. Could be disgruntled employees, ex-employees with a grudge, or – I hate to use the word “ignorant” because it has negative connotations. To me it doesn’t, but I know most people think of it like that. It just means people that don’t know any better because they haven’t gotten training. You can’t expect everybody in your office to be security experts. So don’t look at just your external stuff. Most of them are fired off by people on the inside.

“Total security is possible.” No, and I’m going to show you a slide here a couple of slides after this to give you an idea of the scope here. It’s not. It doesn’t matter who you are. The NSA, National Security Administration, one of the premier cryptology nation-state organizations in the world, if not the best, was breached in 2017. And their hacking tools are now available for sale at very inexpensive prices on the Dark Web. So that’s why things changed in the last couple of years, and one of the reasons why antivirus is pretty much useless anymore. If the NSA can get breached, anybody can.

So as part of AWIA or the NIST Cybersecurity Framework, if you’re familiar with that – but AWIA touches on it – you’ve got to plan for a breach. What are your policies and procedures? Where is your backup? What are you going to do? What did this affect? Was it customer data, was it financial data, was it the billing software that’s been encrypted? You’ve got to plan for this and what you’re going to do to respond to it. And if you implement the right technical and administrative controls, you’ll also have a response plan as well.

So wat’s the solution? We went through I think 10 different myths. The solution is a layered defense system. Sometimes it’s referred to as a Swiss cheese strategy. If you imagine these red lines coming through the slices of cheese there, they’re attacks, each one. What we hope is going to happen is we’ve got enough layers that if one layer misses a particular threat, another layer will pick it up and stop it.

In the case of a ransomware attack, if the spam filter lets it get through – which happens, because they’re always improving their skills and their techniques – then we hope that the user identifies that the email could be a phishing attempt, that it’s trying to get them to click on a file attachment. So we’re hoping that security awareness training layer catches it. And then if that doesn’t happen, they click on it and double-click on it and everything, then we want to know about it immediately, we want to be alerted for it.

But more importantly, we want to intercept it and kill it by using a product that doesn’t use signature-based detection. It uses machine learning and artificial intelligence, and it’s updated practically in real time, worldwide, to stop and quarantine or kill the execution of the process. So that’s yet another layer. It’s a whole different class of products. It’s much broader and smarter than an antivirus.

So those multiple layers – the contrast would be the French Maginot Line, World War II. That was a single layer strategy. Once the Germans got around it and got through it, there was nothing else. The French had blown their whole budget on building this magnificent Maginot Line. They had no decent air support, they had no decent artillery, they had no decent tanks. Once that single layer was breached, it’s all over. Paris falls in 6 weeks. What we do is use best of breed administrative and technical tools and then layer them. So we’ve got the best airplanes, we’ve got the best tanks and all of this stuff. We do the same thing; we just do it in the cybersecurity world.

This is not a complete list of security layers. We consider all of these and others every time we chat with somebody about their systems, and especially whenever we run a vulnerability assessment. These are just some of the layers that we need to consider any time we are trying to protect a client. Like I said, it’s a big, big business, and all of these things require specialties. We have to have people that are specialists in just some of those things just to run them, much less install them.

Having said that, I guess I’ll ask for Q&A. I’ll hand it back over to Kindsey. I don’t know if you’re ready to pop the poll up. I can’t see the Q&A, by the way, so you’ll have to read them off.

KINDSEY: Yeah, doesn’t look like we have any in there. But if anybody does have any questions, feel free to throw them in the Q&A box. I’m going to go ahead and launch the poll again and see what you guys say. Okay, I just launched it, so I’ll give y’all a few minutes to go ahead and vote.

TOM: This is kind of like an open book test. [laughs]

KINDSEY: I’ll wait a little bit longer.

TOM: I didn’t see how many voted the first time.

KINDSEY: Few more seconds and I’m going to end it. I think I can share the results. We’re going to try that this time and see what that looks like. So I’m going to go ahead and end it. I’m going to share the results from the first one. It looks like 88% said “I’m worried about our vulnerabilities,” 13% said “I’m too small to be attacked,” 38% said “Our IT specialist is protecting us.” And then on Part 2, we had 86% “I’m worried about our vulnerabilities” and 29% “Our IT specialist is protecting us.”

It looks like Mary asked, “What do you recommend as a password manager?”

TOM: 1Password. I know you’ll find some reviews that say LastPass is the highest rated one, but I used LastPass for 20 years, and once I moved to 1Password I’ll never go back to LastPass. That’s what we recommend. We changed all of our clients over quite a while back, and it works on all the platforms. And it syncs to all the platforms, so you’ve got the same password manager on your phone that you do on your laptop. Doesn’t matter if it’s Android, MacOS, Windows. It integrates into the browsers, too.

The iOS, the iPhone integration, is really pretty cool. You can choose to use it instead of iCloud, and that’s especially useful if you have an iPhone but you’re using a Windows laptop, because iCloud is not going to work. Your Keychain, as Apple calls it – although I trust Apple to protect that, but you’re not going to be able to get to your Keychain real easy on a Windows computer.

KINDSEY: I think that is it. If anybody has anything else, throw it in the chat or the Q&A for us. Next week we will be discussing “The Dark Web: Where you are bought and sold.” We would love it if you could join us. I’ll be sending out an email here in a few minutes if you guys want to go ahead and register for that one. If not, I’ll be sending another email out later in the week for it.

TOM: Alrighty. Thanks, everyone, for joining us. We’ll see you next time.

KINDSEY: Thanks, guys.