Because one blog post isn't enough when the subject is cybersecurity myths, this post dives into a few more of the popular misconceptions our resident consultants run into in the field.
Myth #4: It's OK to Ignore Strange Events if They Don't Trigger an Actual Alert
Your IT Help Desk should not disregard security events just because it cannot explain them. SecureWorks resident consultants have seen IT help desks close tickets for security issues simply because the representative was unable to diagnose the problem. For example, a Windows User Account Control (UAC) prompt that appears unexpectedly and asks for administrator credentials may be a sign of infection: some process on the machine is requesting elevated privileges that the user never asked for. While it may be tempting to tell the user to ignore it, that prompt might be the only early indication that the user's machine is infected with malware.
It is important that your incident response team educate and integrate your Help Desk and Network Operations Center (NOC) into your overall information security standards and procedures. There should be a communications channel between your IT Help Desk, NOC and your incident response team to ensure security issues are handled appropriately. Standards and procedures must be in place for security issues to be escalated to the incident response team. All security events should be "warm transferred" up the chain to ensure prompt and complete responses.
Myth #5: There are Security Holes Too Small for Hackers to Notice
Companies often neglect to patch browser plug-ins, especially when the vendor rates the patch as medium or low criticality. This neglect often stems from a mandate against interrupting employee productivity. However, few browser or browser plug-in patches require users to restart their computers to finish applying the patch. Patches for browsers like Google Chrome and Mozilla Firefox, and for browser plug-ins like Adobe Flash, can be deployed transparently to users; at most, the user has to restart the browser.
Failing to include browser plug-ins like Java, Adobe Flash, Adobe Reader, and Microsoft Silverlight in your vulnerability management program can have disastrous effects. Apply all security patches, regardless of the vendor's criticality rating. Earlier this year Wired reported that Rob Joyce, the head of the National Security Agency's Tailored Access Operations unit, said in a presentation, "Don't assume a crack is too small to be noticed, or too small to be exploited." If a penetration test of your network finds that 97 things pass but three seemingly insignificant things fail, don't assume those three don't matter. Those are the vulnerabilities nation states and other attackers will exploit.
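As an added illustration of the "patch everything, whatever the vendor's rating" point (this is example code written for this post, not a SecureWorks tool), the script below runs a patch-compliance check over a constructed software inventory. The product names, minimum fixed versions and severity labels are hypothetical placeholders, not real advisories. It compares versions numerically rather than as strings (a common bug that makes "1.8.0.9" look newer than "1.8.0.66"), and it shows what a "high and above only" policy silently leaves exposed compared with patching everything.

```python
"""
Added example (not from the original post): a minimal patch-compliance check
that treats every missing security patch as a finding, regardless of the
vendor's severity rating. Inventory, minimum fixed versions and severity
labels are constructed for illustration only.
"""
from collections import namedtuple

# Hypothetical minimum patched versions per product (constructed, not real advisories).
MIN_FIXED_VERSION = {
    "flash": "11.2.202.1",
    "java": "1.8.0.66",
    "chrome": "47.0.2526.80",
}

# Hypothetical vendor severity for each product's outstanding patch (constructed).
VENDOR_SEVERITY = {
    "flash": "critical",
    "java": "medium",
    "chrome": "low",
}

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

Finding = namedtuple("Finding", "host product installed minimum severity")


def parse_version(text):
    """Split '1.8.0.66' into (1, 8, 0, 66) so comparisons are numeric.
    Comparing the raw strings would rank '1.8.0.9' above '1.8.0.66'."""
    return tuple(int(part) for part in text.split("."))


def is_patched(installed, minimum):
    """True if the installed version is at or above the minimum fixed version."""
    return parse_version(installed) >= parse_version(minimum)


def find_unpatched(inventory, min_severity=None):
    """Return a Finding for every host/product below its minimum fixed version.

    min_severity=None means 'patch everything', the policy this post argues for.
    Passing e.g. 'high' reproduces the mistake of ignoring medium/low ratings.
    """
    findings = []
    for host, product, installed in inventory:
        minimum = MIN_FIXED_VERSION[product]
        severity = VENDOR_SEVERITY[product]
        if is_patched(installed, minimum):
            continue
        if min_severity is not None and SEVERITY_ORDER[severity] < SEVERITY_ORDER[min_severity]:
            continue  # silently skipped: exactly the gap an attacker looks for
        findings.append(Finding(host, product, installed, minimum, severity))
    return findings


def summarize(findings):
    """Compact, sorted (host, product, severity) view for reporting."""
    return sorted((f.host, f.product, f.severity) for f in findings)


# Constructed inventory: (host, product, installed version).
SAMPLE_INVENTORY = [
    ("ws01", "flash", "11.2.202.0"),
    ("ws01", "java", "1.8.0.9"),        # a string compare would wrongly call this patched
    ("ws02", "chrome", "47.0.2526.80"),  # exactly at the fixed version: compliant
    ("ws03", "chrome", "46.0.2490.86"),
]


if __name__ == "__main__":
    everything = find_unpatched(SAMPLE_INVENTORY)
    high_and_above = find_unpatched(SAMPLE_INVENTORY, min_severity="high")
    print("patch-everything policy :", summarize(everything))
    print("high-and-above policy   :", summarize(high_and_above))
    print("left exposed by the filter:", summarize(set(everything) - set(high_and_above)))
```

With the constructed inventory, the patch-everything policy reports three findings while the high-and-above policy reports only the Flash host; the medium-rated Java and low-rated Chrome installs on ws01 and ws03 are the "cracks" the filter hides.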
Myth #6: Default Settings Will Keep Me Safe
Sometimes that statement is true, but not always. SecureWorks' resident consultants find that companies often make one or more of three mistakes with their devices: they don't use the security controls at all, they use only some of them, or they keep the default settings. Examine the default settings of every device and customize the policies and rules to fit your organization's risk profile. When configuring any new security control, always change the default administrator credentials. Work with vendors to understand all the capabilities of your security controls in order to maximize ROI. By default, most web proxy solutions do not block "uncategorized" websites, those that have not yet been analyzed and assigned a category; the CIS Critical Security Controls recommend blocking them.
Myth #7: Using Free Software is Just as Good as Its Paid Alternative
Again, sometimes this is true, sometimes it isn't. Using free software on the network in violation of a license agreement that prohibits corporate use exposes the organization to legal action from the software vendor. Additionally, free versions of software rarely have all the capabilities of the paid, licensed version. One company had directed its IT help desk to use the free version of a popular anti-malware tool, despite already running a powerful endpoint protection tool with anti-virus capabilities on all of its managed laptops, desktops, and servers. Often, IT teams aren't aware of all the tools the organization already has, so they download tools they don't need, which may introduce even more risk to the organization.
With tight security budgets, often because the security budget is carved out of the overall IT operations budget, free tools may be appealing. Organizations wishing to use free tools need to read the software licenses, end-user license agreements, and terms of service carefully, regardless of whether the tool is free open-source software or a trial version of a subscription or licensed application. Free, open-source software should be evaluated for vulnerabilities just like any paid software. Educate your IT help desk about the tools your organization already has for responding to security events, so that it is less likely to install redundant ones. If an anti-virus tool is already installed and centrally managed, that should be the help desk's first choice.
Myths may give us comfort, but they can also cause misery when they are exposed. Your company may not hold all of these beliefs, but if you recognize any of these misconceptions in your organization, address them at once. You can prioritize the changes you need to make using one of the many reputable frameworks, such as the NIST Cybersecurity Framework or the CIS Critical Security Controls. Small changes can have significant ROI. Use data to support your recommendations. And don't give up. Convince your leaders that a good cybersecurity program gives your company a competitive advantage. When the company understands the benefits of a robust information security program, change is more likely to come.