When it comes to securing your most valuable assets, there is nothing worse than having the wrong perception of the threats you face, or ignoring the risk that your assets’ vulnerabilities will be exposed.
It doesn’t matter if it’s your wallet, which you carry with you all the time; your car, whose alarm you sometimes set twice just to make sure it is locked and protected; or your house, which you leave for work only to start wondering whether you turned off the stove or closed the garage door.
It is no different with your digital information. Knowing what threatens your personal or company data is essential to building a defense that minimizes the impact of those threats. Knowing and understanding the risks and vulnerabilities of the systems that hold your data also prepares you to implement preventive mechanisms that close the gap between the exposure of a vulnerability and the deployment of its fix.
Following is a list of common misconceptions and myths I have encountered during my professional career, both as a manager and as a consultant. Most of the people I have dealt with think these are nothing to worry about, when in fact most of them can be used as a psychological backdoor for an attack.
1- My password is hard to guess.
The fact is that it doesn’t matter how complicated your password is or how hard it is to guess: there are social engineering techniques designed to take your password from you, and the worst part is that you will hand it over willingly and voluntarily. Sometimes there is not much you can do about it, except get educated and trained on the latest phishing techniques so you can recognize and avoid the scams.
Protecting your password: Storing -vs- Using your password
Storing your password
Storing and using your password are two different things. One way to protect your passwords while they are stored is to use an application built to store and protect them. These applications can also generate random passwords, so that each one is hard to guess and you are not tempted to reuse the same password across different accounts.
When you don’t feel like remembering or typing a different password for every account, these applications do the work for you: they create a password, store it, and let you assign it to the account it belongs to. One of the most widely used is LastPass, which is also available for iOS and Android.
The beauty of this kind of application is that it synchronizes your passwords between your configured devices (laptops and smartphones), so that you can use them without having to remember them at the moment you need them most.
Using your password
Using your password is a different story. The best recommendation I can give is to never rely on your password alone, whenever possible.
For example, many applications now provide what is known as Two-Factor Authentication, or 2FA. This is a process in which you still use your password as you normally do, but with an additional layer of authentication.
The application most widely used for this second layer of protection is Google Authenticator. It is completely free and very secure. It works by showing you a random numeric code that changes at a fixed interval of seconds. It runs as a smartphone application and is available for iOS and Android.
For example, let’s say you are going to log into your Twitter account on your laptop. Twitter will ask for your ID and password and, after you enter them, will also ask for this code. If you don’t have access to your smartphone, you can’t access Twitter. If by accident someone finds out your Twitter password, they still can’t access your account, because they also need your smartphone to use Google Authenticator.
That is how your password is protected while being used.
Another way to use 2FA is to receive a random numeric code by text message. Some applications let you preconfigure, in your account settings, that an authentication code be sent to you by text message after you log in with your ID and password. Only by entering this code can you access and use the application.
For example, Twitter allows you to set this up.
2- My PCs already have an antivirus installed
Your antivirus is only as good as its latest signature update, and even then there are no signatures for all the malicious code out there in the wild that is still unknown to most. Some malicious code takes days, years or even decades to be detected by humans, which spells trouble for every antivirus product.
I’m not saying you shouldn’t use antivirus software on your Windows computer. On the contrary, you should have it. I use Windows Defender as my only antivirus on my personal computers and for my clients. It is free and comes from Microsoft, which updates it as soon as a new signature library is available.
The story is not that different for Mac and Linux. I don’t use antivirus on them, for now, as they don’t usually get into trouble (meaning I don’t use them to access weird sites or the dark web; that is what I have virtual machines for), but there are several applications, from open source to commercial, ready to be used on them, mostly targeting malware.
Although we don’t hear as many stories of malware infections on Macs and Linux as on Windows, that doesn’t mean they don’t exist. It is just that the people who write malware are more interested in Windows workstations because those dominate the market.
3- Large corporations are the ones subject to attacks
Nothing could be further from the truth. Did you know that the best way to go after a large corporation is to target its weakest links? And who are these weak links, you may ask?
They are the contractors and service providers who are given access to the large corporation’s computer network. These are the small businesses, not the large companies.
There are many variables to consider when performing a risk assessment that exposes the vulnerabilities in a system. One of those variables is the people with access to those systems.
When I was in charge of an IT division for a Fortune 500 company, one of my many roles was to audit all access systems and the people accessing them. I had to make sure that 100% of the system’s users had the training and adhered to the Standard Operating Procedure governing system access. This was a pharmaceutical company, which happens to be in a highly regulated industry.
From training to system access logs, everything was documented. A daily checklist was performed to monitor for irregularities such as an abnormal number of failed logins. This was critical for determining whether anyone was trying to get access without authorization. We had several defense mechanisms to prevent this and other things.
I also happened to be in charge of the Incident Response team. These were the people to call when something needed to get fixed and when something (or someone) was not doing what it was supposed to.
The advantages of being in charge of both the access systems audit and the Incident Response team are enormous. One big advantage was that I had a response plan containing the defense and offense mechanisms to protect the company’s access systems, and incident response personnel trained and certified to do the job.
4- My PCs and servers are encrypted
What good is an encrypted PC or server if half your department shares an account with administrative privileges?
Of all the corporate clients that hired me to perform a system access audit, 90% shared the same account with administrative privileges, without proper traceability of how many users were using it. This happens mostly in small businesses.
In large corporations not highly regulated by any government entity, this happened in almost 50% of my audits, where the IT department shared the same account with administrative privileges for computer room operations tasks such as backups and access to the main server.
This is definitely not the way to practice good system security. It creates a backdoor that lets me social-engineer my way into those systems without too much effort.
Employees with low morale are the perfect target. They are the first type of employee I look for when I have to social-engineer my way into a company’s network.
Disclaimer: Prior to executing any social engineering or pentesting plan, I obtain written consent and authorization to perform the audit according to the client’s scope of work. NEVER do this without written consent from your client, and ALWAYS stay within the agreed scope of work. This will save you a lot of trouble later on.
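Two of the checks described above, the daily review for an abnormal number of failed logins (myth 3) and the traceability problem of a shared administrative account (myth 4), can be run over the same authentication log. The Python below is an added example of my own, not code from the original post; the log lines are constructed in OpenSSH’s sshd syslog format, and the thresholds are assumptions to be tuned for your environment.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Constructed sample log in sshd syslog format (not real data). One account,
# backup-admin, is used from three different hosts; one source hammers bob.
SAMPLE_AUTH_LOG = """\
Jan 10 06:58:01 srv01 sshd[2101]: Accepted password for backup-admin from 10.0.0.5 port 50210 ssh2
Jan 10 07:02:44 srv01 sshd[2118]: Accepted password for backup-admin from 10.0.0.7 port 50344 ssh2
Jan 10 07:15:09 srv01 sshd[2140]: Accepted publickey for alice from 10.0.0.21 port 50402 ssh2
Jan 10 07:40:51 srv01 sshd[2177]: Failed password for alice from 10.0.0.21 port 50511 ssh2
Jan 10 08:00:03 srv01 sshd[2201]: Failed password for bob from 203.0.113.4 port 41000 ssh2
Jan 10 08:00:05 srv01 sshd[2202]: Failed password for bob from 203.0.113.4 port 41001 ssh2
Jan 10 08:00:07 srv01 sshd[2203]: Failed password for bob from 203.0.113.4 port 41002 ssh2
Jan 10 08:00:09 srv01 sshd[2204]: Failed password for bob from 203.0.113.4 port 41003 ssh2
Jan 10 08:00:11 srv01 sshd[2205]: Failed password for bob from 203.0.113.4 port 41004 ssh2
Jan 10 08:00:13 srv01 sshd[2206]: Failed password for invalid user bob2 from 203.0.113.4 port 41005 ssh2
Jan 10 09:30:27 srv01 sshd[2310]: Accepted password for backup-admin from 10.0.0.9 port 50690 ssh2
"""

# Matches sshd accept/fail lines, including the "invalid user" variant.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(lines: Iterable[str]) -> List[dict]:
    """Keep only sshd authentication events; other log lines are ignored."""
    events = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def flag_failed_logins(events: List[dict], threshold: int = 5) -> Dict[str, int]:
    """Checklist item: accounts whose failed-login count reached the threshold."""
    failures = Counter(e["user"] for e in events if e["outcome"] == "Failed")
    return {user: n for user, n in failures.items() if n >= threshold}


def flag_failed_sources(events: List[dict], threshold: int = 5) -> Dict[str, int]:
    """Same check by source address, which also catches one host trying many names."""
    failures = Counter(e["src"] for e in events if e["outcome"] == "Failed")
    return {src: n for src, n in failures.items() if n >= threshold}


def shared_account_sources(events: List[dict], min_sources: int = 2) -> Dict[str, List[str]]:
    """Traceability check: an account accepted from several distinct hosts is a
    likely shared account, and the log cannot tell you which person used it."""
    sources = defaultdict(set)
    for e in events:
        if e["outcome"] == "Accepted":
            sources[e["user"]].add(e["src"])
    return {u: sorted(s) for u, s in sources.items() if len(s) >= min_sources}


def daily_checklist(log_text: str) -> dict:
    """Run all three checks over one day's log and return the findings."""
    events = parse_auth_log(log_text.splitlines())
    return {
        "failed_by_account": flag_failed_logins(events),
        "failed_by_source": flag_failed_sources(events),
        "shared_accounts": shared_account_sources(events),
    }


if __name__ == "__main__":
    for name, finding in daily_checklist(SAMPLE_AUTH_LOG).items():
        print(f"{name}: {finding}")
```

On the sample, the report flags `bob` (five failures) and the source `203.0.113.4` (six), and lists `backup-admin` as accepted from three hosts. That last finding is exactly the gap the text describes: the log proves the shared account was used, but not by whom, which is why the fix is individual accounts with audited privilege escalation rather than a better log parser.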
5- Threats always come from the outside – Everyone inside the company can be trusted.
OK, then answer the following questions:
- How many emails do you get on a daily basis?
- Which of these emails have an attachment or a link to an outside network?
- Is your IDS configured to filter inbound and outbound packets for access to certain networks?
- If so, which signatures are you using?
- Which networks are you blocking, if any?
And the list of questions goes on…
I tend to be very inquisitive in my audit interviews, and there is a reason for this. I literally play 20 questions with my clients, and then some, to gather as much information as possible.
This is how I get a baseline of their thinking about system configuration and computer user discipline. Later, I compare this with my own research into their configuration, written policies and adherence practices to establish how wide the gap is between what they said and what they are really doing, and I show them the truth.
The truth is that your worst threat is working every day next to you and you don’t even realize it.
Every cybersecurity professional has the duty to do his or her job, and that includes documenting what they do and how they did it. One way we as professionals achieve this is by writing instructions on how to carry out specific work tasks.
I used to call them Work Instructions (WI). These are the same as Standard Operating Procedures (SOP), but with more technical, step-by-step instructions on how to do things. They may only be performed by a person trained and certified to do that job.
The purpose of having this document, and more importantly of adhering to it, is to make sure that the person assigned a specific task can follow protocol, thus minimizing the risk of making a mistake either by act or by omission of steps.
This is how I minimized threats that came from the inside: by creating and following protocols.
Most companies have an Incident Response Team. In my case, I used to have one with several roles, one of them being forensics. Having one is like having a fire hose in every hall. You never know when you’re going to need it to put out a fire.
Forensics is not only for tracing a threat from the outside. The team also works when threats are detected from the inside, and trust me, they do happen, in every company large or small. No one is exempt from internal threats.
When employees do things on their computers that they shouldn’t be doing, the first team to call is the Incident Response Team. There were times when my Incident Response (Forensics) team had to go and retrieve data from a computer to be used as evidence against an employee doing the wrong thing.
Read “How to Create a Culture of Cybersecurity Awareness” to learn more, with a real example of how I implemented a cybersecurity awareness program in a company highly regulated by the federal government.
6- My network monitoring system will alert me of every problem
Did you know that in order to gain unauthorized access to a network, you first need access to an application?
For example, ask yourself what the preferred vehicle for phishing attacks is.
Any email system requires an application layer through which you use your credentials to gain access to your email communications. Even though it is a system, access still goes through the application layer.
This is only one of several reasons why trusting only your network monitoring system isn’t enough to protect the network.
You need to have protocols in place to protect access to the network. It starts with the simplest one: physical access.
- What control system do you have in place to access the computer room?
- Do you use an old-fashioned key? (By the way, this is a no-no…)
- Do you use an access card?
- Do you use biometric access?
- What forms of traceability do you have in place to track your entry logs?
- Do you have a security camera in the room?
And the list goes on… and this is just physical access. Just imagine the rest.
I’ve seen janitors’ closets and bathrooms better protected than some computer rooms, and I’m not joking.
In fact, I had an offsite vault vendor where I used to store my backup tapes. They had a bathroom, and in order to get to it you needed to pass through 3 vaults, one inside the other.
WOW… and talk about privacy.
Another angle to consider when protecting a network is what controls you have over system access via login credentials. How often you audit your network accounts determines how well protected your system is from the account-maintenance perspective.
How clearly the roles of the accounts are defined, and what type of access privileges they have, among other things, determines the level of management and control you have over your network.
You should know and understand how your network works, starting from the application layer down to how it is configured. A network monitoring system is only as good as the people who operate it. If the people who are supposed to be monitoring the network are not well trained in configuring or using the system, there is no point in having it.
This is why, in my post “How To Setup Your Own Cybersecurity Lab”, I insist that you should have your own cybersecurity lab with your own network. One very important reason is that you need to know and understand how to build a system, how to break it and how to put it back together in case you need to (think of it as your own Disaster Recovery Plan).
As a manager, I have seen employees in IT or cybersecurity positions fail when they had to face a similar challenge at work. The reason is mostly that they don’t have a basic understanding of building and breaking a system.
This should be your mentality if you wish to pursue any IT or cybersecurity career path, because the truth is that this is the mentality of those looking to gain illegal access to the systems you are supposed to protect at all costs.
You should understand the application layer of your network and how it works, because this is the gate through which unauthorized people get access to your network.
No number of pop-up messages or red flags from your network monitoring system can save you from a threat. Usually, when your monitoring system gives you the red alert, the damage is already done.
7- If I use the incognito method while browsing, then no one can see what I’m doing
What is incognito browsing and what is it used for?
Incognito or anonymous browsing, on whatever device you are using, means that you are navigating the web without storing cookies or creating a history log on that specific device.
It doesn’t mean that no one can see you.
For example, let’s say you were invited to a costume party at your friend’s house. You make sure that no one knows who you really are (this is the incognito part). You left your house, went to your friend’s house, had some fun and then came back home.
Someone smart can detect the traces you left while at the party, put the pieces together and see who you really are.
How can someone smart (the network administrator) know who you really are and trace you back to your home (your computer)?
Every network communication leaves a trace. This trace can be seen in the company’s router communication log and in the ISP’s router communication log. The network administrator will see every single place you went while online.
The difference is that while you are using incognito mode in your browser, you are not storing these traces in your browser history; but you are still leaving traces around the web, because you still need an IP address to navigate, and everything can be traced back to you through that IP address.
This was one example of an internal threat and of how ignorance can play a role in it.
This is something that happens in every company, large or small. No company is exempt from this.
8- Hiring more IT security personnel takes care of security issues
From what I’ve seen, it doesn’t matter what the statistics say about the number of open positions related to cybersecurity. Neither does any of the propaganda you see and read across the web about the millions of cybersecurity professionals the world needs to fulfill the requirements of the private and public sectors.
It won’t matter if those seeking to enter this profession are not prepared with the tools and basic requirements a cybersecurity professional should have.
Everything begins with the basics. Those looking to start a new career in cybersecurity should know where to begin their research and what the basic requirements are to become employable.
In other words, how to minimize the odds of being rejected in an interview.
Everyone assumes that just because you got accepted into college and received your degree, you will be employable and your career will take off. I’m sorry to burst your bubble, but that’s not how it works in this field.
In my post “Should I Get a Cybersecurity Degree or Certification”, I explain in detail how to start the right way in this field, based on my experience as an IT Manager.
Later, in my post “How To Excel in Cybersecurity”, I explain, with real examples and ideas that worked for me, how to promote yourself to the world when looking for your first job. This also works for those already in the field, by teaching you how to search for another job when you feel it is time for a change.
My advice for the beginner is that knowing the basics of IT will help you succeed in an entry-level cybersecurity position. Once you start working in an entry-level position, it is up to you to keep your curiosity awake and your desire to learn fired up.
It is also very important to practice everything you want to learn. Reading the latest news about the latest malware, or reading about the latest system or software, isn’t going to cut it!
You need hands-on experience, and one way to get it is by having your own cybersecurity laboratory; I show you how to get one up and running in my post “How To Setup Your Own Cybersecurity Lab”.
For example, during my interviews as a manager, I always had candidates do some sort of hands-on equipment fix, adjusted in complexity depending on the level of the position. I wasn’t the typical manager who just asks questions in interviews; I would put you to work to test whether you can do what your resume says. This would prove how practical you were and whether you could do the required work.
Also, asking questions such as “What type of network do you have in your home?” would tell me whether the candidate was curious and had the initiative to do research.
These methods helped me filter for the type of candidate I was looking for. Many cybersecurity and IT managers, if not all, use these same methods when interviewing candidates.
This is because we need people with skills right off the bat. I took care of my people by getting them the training they needed to keep learning and to maintain their knowledge of the systems and software we were using in the company. That’s the manager’s job.
It is your job, as a professional, to keep yourself up to date with the trends in the field.
9- Cybersecurity is just for nerds
Knowing how to protect your information from any external or internal threat isn’t something reserved for nerds or geniuses. It is something anyone can practice by applying common sense and by continuing to learn new things, whether through practice or through mistakes.
One example of how to protect your information is by not sharing too many details about your life on social media. Today, if I want to know some details about anything or anyone, I can just open a browser and “click, click…” I’ve got you!
It actually takes more than just a couple of clicks, but you get the point.
Don’t blame me. You are doing this to yourself by posting information about your life for anyone to see. By law (although this can be argued), this information is no longer private once you post your life’s details online.
Don’t trust Facebook when it says that only “friends” or “friends of friends” can see what you post. There are ways any well-versed cybersecurity professional or security researcher can get your information from social media. Once something is out there on the Internet, it is difficult, if not impossible, to take back.
If what I just described happens at a personal level, imagine the consequences when it happens at a national level. I’m referring to the whole government.
I dislike it when people in high government positions dismiss cybersecurity as if it were about some kid in a basement who, having nothing better to do, decides to crack (not just hack) whatever government office or company website he or she deems fair game.
This shows the level of ignorance of the people selected by those we elect, who are left to decide the future of the cornerstone of our national security.
Cybersecurity has to be front and center in the conversations of our elected officials, looking for ways to improve our cyber resilience in the military and in the public and private sectors.
Dear elected official,
Stop playing with us and tossing us around like rag dolls. We are our nation’s best hope to protect it from all threats, internal and external. We are the future because the future is digital.
We are also armed with the best tools and with our best asset, our brains. Let us help in assessing our nation’s security risks and recommend what’s best for all.
We do this every day in our daily lives and in our jobs. Let us do this for our nation!
10- We don’t have anything valuable – No one will attack us
The best state of mind an individual or a company can have and promote in order to become a target is thinking that nothing is going to happen to them.
You are already defeated the moment you begin thinking like this. The proof is that, according to research, 40% of companies don’t even have a plan to implement cybersecurity strategies to protect their own assets.
The way I recommend a company begin implementing a cybersecurity strategy to protect its assets is by recognizing that it needs an awareness program. This will be the project that makes everyone aware of how to protect the company’s data.
Cybersecurity starts at the very bottom of the company’s organizational chart. Most would argue that it starts with the C-suite and stakeholders, meaning the very top of the chart, but I disagree. As a manager, my experience has been that the C-suite is informed of a situation because they are the ones who approve the budget, but the real action is taken elsewhere.
In my post “How to Create a Culture of Cybersecurity Awareness” I explain how I implemented an awareness program that created a culture of threat prevention in the pharmaceutical company I used to work for.
We are as strong as our weakest team member
Every company should have an Incident Response Team that is continually strengthened through the required training, certification updates and continuing education. As a manager, what I did was align this training with the employees’ performance appraisal reviews.
By preparing your first level of response (or second, if you count the Help Desk as Level 1), the Incident Response Team plays an important and invaluable role in containing threats and implementing prevention methods to minimize issues.
By indoctrinating our company’s employees into a culture of cybersecurity awareness, we make sure they understand how to minimize threats by applying the lessons learned during their training. I know this because this is how we did it in my company, and I witnessed how the awareness seed turned into a sprout, and then into a solid branching tree.
11- My SCADA (Supervisory Control And Data Acquisition) or my ICS (Industrial Control System) are in complete isolation
There is no such thing as a completely isolated system. It might be physically or virtually segregated, but never completely isolated.
Let me illustrate with some examples.
Every single system on this planet requires some form of maintenance. Therefore, directly or indirectly, it needs some form of contact with the outside world.
When you call the vendor from which you purchased the SCADA or ICS system, one thing they have to do in order to run any maintenance or calibration is to connect your production equipment to theirs. So much for isolation.
Another form of contact with the outside world is when untrained personnel decide to insert a USB drive they found in the parking lot, labeled “Confidential” or “Personnel Salary”, into the so-called isolated system.
Don’t believe me? Search Google for what happened in 2009-2010 to the Iranian nuclear plant, and search for “Stuxnet”. Or for when several Daimler-Chrysler plants got infected in 2006 by the Zotob worm. I rest my case.
These aren’t the only examples. There are many more cases, but the majority of them weren’t made public in order to protect the companies’ reputations.
This is why you shouldn’t equate isolation with protection.
The best way to protect your SCADA or ICS equipment is by having protocols in place that tell its users and system administrators how to proceed in different scenarios. I’m referring to written, old-fashioned procedures for Business Continuity purposes.
There are several applications that can help you automate the recovery of a system. But what if Murphy decides to apply his law and the application stops working altogether? What alternative method would you use to rebuild, for Business Continuity purposes, a system such as a SCADA or ICS?
Always be prepared with a protocol to guide you through every step on how to protect the business.
12- Outsourcing my network monitoring would provide more security to my systems
It’s not that simple. This isn’t like outsourcing your home alarm monitoring to the company you purchased the service from, where security calls you whenever the alarm is triggered.
It might work for some, but not for everyone.
As a manager, you still need to do your due diligence when vetting the people and company you want to hire for this purpose. You might think, “But if they are certified, then they know what they are doing.” Please don’t think like that.
This is more like interviewing candidates for vacant positions. Certifications are just part of the requirements, not everything that is needed. You need to ask for references and other customers’ experiences. Also, depending on the industry you work in, you have to certify this company and qualify them to work with your systems.
That’s how we did it with vendors when we needed them to work on-site or when we had to store our assets on their premises, for example for offsite retention of backup media. Remember the offsite vault storage I mentioned before?
13- All computers and devices are connected to the network, no physical inventory is necessary
This reminds me of the time when, every time I had to configure an employee’s company BlackBerry (years ago, well before the advent of the iPhone), I had to type the following: “The quick brown fox jumps over the lazy dog”. This sentence stuck with me so much that I still remember it.
This sentence reminds me of someone ready to take over a system when the system owner is not taking action.
As part of my roles, I was in charge of the Asset Management Program, which periodically required a physical inventory. We reconciled the information in our database application against what we physically had, not the other way around. The system could automatically detect an asset as long as it was connected to the network, but that was used solely for location purposes.
We had what we called in our industry a qualified network. This means that only approved and documented applications and systems may run on this network.
Any new system or application had to go through a rigorous process of qualification and validation, documenting its description, its purpose and everything related to its maintenance and vulnerability management process.
The reason for this was that we were manufacturing pharmaceutical products that saved lives.
As a requirement of the federal government, through its regulatory agencies, any system that in one way or another handled or intervened in the manufacturing process of a pharmaceutical product was required to be governed by a policy establishing the requirements for system design and implementation.
This meant that every asset on the network had to be properly documented, with its precise location.
We knew where each and every asset was, no matter how deep in the building or facility it was installed.
14- As long as our systems, processes, and procedures are well documented we will always be in compliance
Actually, you are 50% in compliance. Documenting a system is one thing. Documenting processes and procedures is another.
Without getting too much into the differences, let’s just focus on the similarities between the two, specifically on documentation and execution.
IT Department Audit
In highly regulated companies, when an IT department fails an audit, it tends to be mostly because:
- A person executing a job wasn’t trained on an existing procedure.
- A person was executing a proper procedure, but the procedure was outdated or did not specify a version number.
- A person was executing a job (e.g. a system update or a new peripheral installation) that resulted in too many failures during the process. The auditor finds this out while auditing the logs on the server or system that stored them, and notes the observation that a procedure is required for that process in order to minimize errors. HINT: have a procedure for any repetitive process.
There are other observations an auditor can make to fail an IT audit, but in general these are most of the reasons you could encounter in highly regulated companies.
Don’t get me started on non-regulated ones, such as brick-and-mortar stores.
Another reason an IT department could fail goes beyond having proper documentation for systems, processes and procedures.
Here comes the other 50%.
Lack of adherence and lack of evaluation procedures are among the reasons an IT department fails and, even worse, why some companies get attacked by cybercriminals.
Even though these companies had proper documentation for their systems, processes and procedures, they didn’t follow up by evaluating their daily operations. By not evaluating their daily operations, they failed to evaluate adherence to that documentation.
For example, one renowned brick-and-mortar store that was hacked some time ago (I won’t mention the name, due to a confidentiality agreement), from which millions of customers’ credit card records were obtained.
One finding of the post-mortem audit was that, even though they had one of the best network monitoring systems and the best-trained employees to do the job, there was no evaluation process to measure adherence to their own procedures.
This means that management didn’t know whether employees were simply filling out the checklist form at the very last moment to comply with the procedure, rather than after actually monitoring the network, nor whether systems were being updated following their own vulnerability management process and procedures.
Every monitoring process goes together with a checklist that proves that the systems were evaluated and at what time the checklist was executed. HINT: replace the paper checklist with a tamper-proof system checklist.
Every system update needs a Standard Operating Procedure, or a similar more detailed procedure, that indicates how to capture and properly document the evidence of the update. This after-the-fact documentation forms part of the Change Management record, which contains the authorization signatures of the department head, the compliance manager or specialist, the executor of the change and the reviewer (witness) of the change.
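What “tamper-proof system checklist” can mean in practice, as an added example of my own rather than anything from the original post: each completed checklist item is appended to a hash-chained log, where every entry carries an HMAC over its own contents and the previous entry’s MAC. The timestamp comes from the logging system’s clock, so an item cannot be backfilled with an earlier time, and changing or reordering any entry breaks every MAC after it. The key is assumed to be held by the logging service or compliance, never by the operators who fill in the checklist; the reviewer copies the latest MAC at each review so that silently deleting the newest entries is also caught.

```python
import hashlib
import hmac
import json
import time
from typing import List, Optional

GENESIS = "0" * 64                                   # link value before the first entry
FIELDS = ("seq", "time", "operator", "item", "result")


def _entry_mac(key: bytes, prev: str, body: dict) -> str:
    """HMAC-SHA256 over the previous entry's MAC plus this entry's canonical JSON,
    so each entry commits to the whole chain before it."""
    canonical = json.dumps({k: body[k] for k in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + "\n" + canonical).encode(), hashlib.sha256).hexdigest()


def append_check(log: List[dict], key: bytes, operator: str, item: str, result: str,
                 now: Optional[float] = None) -> dict:
    """Record one checklist item. The time is taken from the system clock (the
    `now` parameter exists only so tests are deterministic), not typed in by the
    operator, so the recorded execution time cannot be backdated."""
    body = {"seq": len(log), "time": int(time.time() if now is None else now),
            "operator": operator, "item": item, "result": result}
    prev = log[-1]["mac"] if log else GENESIS
    entry = dict(body, prev=prev, mac=_entry_mac(key, prev, body))
    log.append(entry)
    return entry


def verify_chain(log: List[dict], key: bytes, expected_tail: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first bad
    entry. If `expected_tail` (the MAC the reviewer copied at the last review)
    no longer matches the end of the chain, return len(log): entries were removed."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return i
        try:
            expected = _entry_mac(key, prev, entry)
        except KeyError:                              # a field was stripped out
            return i
        if not hmac.compare_digest(entry.get("mac", ""), expected):
            return i
        prev = entry["mac"]
    if expected_tail is not None and not hmac.compare_digest(prev, expected_tail):
        return len(log)
    return None


if __name__ == "__main__":
    key = b"constructed-compliance-held-key"        # placeholder, not a real key
    log: List[dict] = []
    append_check(log, key, "jdoe", "IDS console reviewed", "ok", now=1700000000)
    append_check(log, key, "jdoe", "Failed-login report reviewed", "2 escalated", now=1700000600)
    append_check(log, key, "msmith", "Patch level verified", "ok", now=1700003600)
    print("intact:", verify_chain(log, key))          # None
    log[1]["time"] = 1699990000                       # someone backdates an item
    print("first bad entry:", verify_chain(log, key))  # 1
```

The check returns the index of the first entry that no longer matches, which is also the point from which the evidence must be treated as unreliable. Because only the chain holder has the key, an operator who fills the form in at the last minute gets an entry with the real time of entry, not the time the procedure said the check should have run, which is exactly what the post-mortem audit above could not establish from paper.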
by Edgar Vera, MS Cybersecurity