By Corey Nachreiner, Chief Security Officer, WatchGuard Technologies
When it comes to cybersecurity, if you're not evolving, you're almost certainly falling behind... and becoming vulnerable. Yet some old cybersecurity tips and best practices continue to live on long after they should. Truisms that may have made sense 10, 5 or even 2 years ago may no longer make sense today. Sometimes they're just no longer relevant, but in some cases they can actually make us less safe. Here are 8 old security saws that need to be retired:
Passwords should be at least eight characters
One of the first cybersecurity tips an average user hears is to use a long password. But how long is long enough? For ages, the common wisdom was that passwords should be at least eight characters long. A decade ago, this made sense, since eight characters offers hundreds of billions of potential combinations. But now modern computers with powerful GPUs can go through hundreds of millions of guesses in seconds. Combine that with pre-calculated rainbow tables that contain all of the possibilities for passwords of eight characters and less, and eight characters is now far too short for a secure password. Today, 12 has become the new eight. But to be extra safe, I would recommend using passwords that are 16 characters and above. However, below I'll talk about why focusing on password strength alone is an outdated tip, too.
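To put numbers behind "how long is long enough?", here is an added example (not from the original article) that computes the search space for the password shapes discussed above and the worst-case time to exhaust it at an assumed guess rate; the 1e8 and 1e11 guesses-per-second figures are illustrative assumptions, not measurements from the article.

```python
# Added example: password search space vs. length and alphabet, and how long
# exhausting that space takes at a given guess rate. Guess rates used below are
# assumptions for illustration (1e8/s for a slow-ish hash, 1e11/s for a fast one).
from math import ceil, log2

ALPHABETS = {"lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of this shape, in bits."""
    return length * log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, bits: float) -> int:
    """Shortest random password from this alphabet with at least `bits` of entropy."""
    return ceil(bits / log2(alphabet_size))


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every password of this shape."""
    return keyspace(alphabet_size, length) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds as the largest convenient unit, e.g. '34.8 minutes'."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # 8 lowercase letters is the "hundreds of billions" case; 8 printable-ASCII
    # characters looks large until the guess rate climbs by three orders of magnitude.
    for name, size in ALPHABETS.items():
        for length in (8, 12, 16):
            print(f"{name:15} x{length:2}: {entropy_bits(size, length):5.1f} bits, "
                  f"{human_duration(seconds_to_exhaust(size, length, 1e8)):>18} @1e8/s, "
                  f"{human_duration(seconds_to_exhaust(size, length, 1e11)):>18} @1e11/s")
    print("printable ASCII chars needed for 80 bits:", min_length_for_bits(95, 80))
```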
Change your passwords regularly
Another outdated authentication-related tip is to change your passwords regularly (or to force your users to). When passwords were all that protected us, this made sense. Passwords do get stolen, leaked, or cracked - it's estimated that there are more than 24 billion stolen credentials available on the dark web - and users often reuse the same password or set of passwords at multiple sites. So, if a user's personal password leaked from a third-party site, it could give an attacker their corporate password, too. Since it wasn't possible to know if a password was compromised unless a breach made the news (most don't), it was considered good practice to regularly change passwords just in case.
Here's the problem: most people already have trouble following the basic best practice of using long, complex passwords, and even when they do, they don't like to change them. Forcing users to change passwords regularly often leads them to try and game the system. For instance, they'll just change a digit or make other trivial (and easy to guess) changes to an existing password. If passwords are the only thing protecting your organization, you might still want to change passwords regularly, but the real solution is multi-factor authentication (MFA). If you add the additional protection of MFA, I recommend you don't require users to change passwords regularly, except when their existing passwords are part of a known or potential compromise.
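For organizations that still rotate passwords, the gaming behaviour described above (bumping a digit, appending a character, flipping case) can at least be caught at change time. The following is an added example, not code from the article or from WatchGuard; it assumes both the old and new password are available in plaintext during the change, and the stripping rules and edit-distance threshold are constructed choices.

```python
# Added example: reject a new password that is only a trivial variation of the
# old one. Assumes the change flow has both plaintext values in hand; the set of
# "bumpable" trailing characters and the edit threshold are constructed choices.

# Characters users typically append or increment when forced to rotate.
_BUMPABLE = "0123456789!@#$%^&*.?-_"


def _stem(pw: str) -> str:
    """Lowercase and strip the trailing digits/punctuation users usually bump."""
    return pw.lower().rstrip(_BUMPABLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character tweaks anywhere."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is the same as `old` apart from a bumped suffix, a case
    change, a couple of edited characters, or simply wrapping the old password."""
    old_l, new_l = old.lower(), new.lower()
    if new_l == old_l:                       # identical or case-only change
        return True
    if _stem(new) == _stem(old):             # Summer2023! -> Summer2024!
        return True
    if edit_distance(old_l, new_l) <= max_edits:   # Winter2023 -> Winter2023a
        return True
    if old_l in new_l or new_l in old_l:     # Password1 -> MyPassword1!
        return True
    return False


if __name__ == "__main__":
    # Constructed sample pairs (old, new) to show what the check flags.
    for old, new in (("Summer2023!", "Summer2024!"), ("Winter2023", "Winter2023a"),
                     ("Password1", "MyPassword1!"), ("correct horse battery", "staple-chair-44")):
        print(f"{old!r} -> {new!r}: {'REJECT' if is_trivial_variation(old, new) else 'ok'}")
```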
Pushing strong password practices
So here comes a controversial one! Despite what I just covered in the previous two sections, I'm now going to tell you that insisting that your users follow strong password best practices is an outdated waste of time!
Don't get me wrong; technically, it's good security. Unfortunately, the right best practice is to use different, completely random, 24-character passwords for every site. But since no ordinary human can remember hundreds of long, random passwords without technical assistance, you should be recommending just two things: use a password manager and use MFA whenever you can.
Think of a password manager as a way to automate password best practices. You can set it to generate completely random 24-character passwords and even enter them for you when you visit sites and get password prompts. Deployed organizationally, password managers can be used to enforce a strong password policy. If there are leaks, a password manager can also automatically change one (or all) of a user's passwords. Instead of many passwords, users just have to remember one - and that needs to be a very strong one. For that they can use a "password sentence," that is, a short sentence with spaces and punctuation. That will provide the length and complexity required to make a strong password, while also remaining easy to remember. Combining MFA and a password manager will provide very strong authentication (and eliminate the need to convince users to memorize and use many long passwords).
Be skeptical of links and attachments from strangers
This tip is outdated not because it's wrong, but because it's not inclusive enough. You should tell your users to be skeptical of links and attachments from everyone, even people who they recognize. Since bad actors often try to spoof people you know or hack your friends and coworkers to send correspondence directly from their accounts, you should always be skeptical about links and attachments in messages that seem strange in any way. If you get a document from your boss that is unexpected and out of character to how you normally work together, be suspicious. Take the time to verify with your boss (or whomever) through another channel that they are the sender. Yes, you can eventually trust, but first verify.
You can't fix the user
This is an outdated tip among IT and Infosec professionals. Many have given up on trying to train or adjust the behavior of users, deeming it a waste of time. They often make jokes like "PEBKAC" (problem exists between keyboard and chair), or that it's a layer-8 (human) problem. They are convinced that since users will always make mistakes, it's better to concentrate on forceful controls that technically limit them. This is wrong thinking!
You can't expect an accountant, salesperson, or support rep to be a technology or security expert, but that doesn't mean they can't learn basic security practices. People are generally smart enough and capable of learning new things if you actually take the time to train them properly. However, treating them like idiots is not useful. IT folks who think training is not worth it because it won't prevent every mistake miss the point entirely. While you can never eliminate human mistakes, you can greatly decrease the number of them. Yes, every time you have an accidental click, it does create work and incident response for your IT and security team. But reducing the number of accidental clicks from 15 a quarter to 1 a quarter is a huge win in terms of the time and effort your team must exert to respond.
And that kind of improvement is entirely achievable. Many phishing test campaigns have shown bad click rates of up to 35% go down to 3-4% after repeated trainings. Yes, you'll still need preventative security controls as a safety net in the event a user makes a mistake, but training is absolutely worth it!
Firewalls and antivirus are good enough
Relying on firewalls and antivirus for security today would be like trying to stop a modern army with cavalry. The current security environment is incredibly complex and gets more so every day. With the rise of distributed enterprises and remote and hybrid work, many employees are working outside the main corporate network and beyond the firewall. They use their own personal devices for work and connect over both secure and unprotected networks. They use third-party services and applications. As a result, threat actors have a much larger attack surface to work with and employ new tools (like fileless and encrypted malware) and tactics (like "living off the land" attacks) that can easily evade firewalls and traditional anti-virus. With stolen credentials obtained online or through phishing attacks, bad actors can simply bypass even strong defenses and just log in to your network.
To have meaningful protection, organizations need layered defenses that include firewalls and anti-virus, but also endpoint protection, detection and response, secure wi-fi, and advanced authentication with MFA. More importantly, today's unified threat management (UTM) or next-generation firewalls (NGFW) go well beyond just a "firewall," with many additional network security services like IPS, multiple malware detection engines, DNS and web filtering, and more, offering 10 times the defensive layers of a traditional firewall. Organizations that convince themselves that they can "get by" with minimal security need to rethink their level of risk; one major data breach or ransomware attack could easily outweigh the cost of a more complete security infrastructure and put their entire business on the line.
Security tools alone are enough to protect us
If technology alone were enough to keep organizations safe, the job of most infosec professionals would be a lot easier. But the reality is that many successful attacks aren't a failure of some security system or another; they're caused by human error, lack of education or poor security practices. As I mentioned above, instead of hacking into a network, bad actors often obtain credentials through phishing, malicious websites or social engineering and just log into networks, bypassing most security measures. In other cases, they take advantage of misconfigurations or systems that aren't patched with the latest software or have out-of-date firmware. Yes, properly implemented security tools can certainly prevent many attacks and limit the damage even when attacks are initially successful, but security tools by themselves aren't enough. Organizations need to invest the time and energy into training everyone in cybersecurity best practices and into helping them understand the consequences of a security failure. They should also make sure they have written and shared security policies, like an "acceptable use policy," with their employees, to let them know what they can and can't do on the company's technology.
Let IT or the CISO bear the responsibility for cybersecurity
Effective cybersecurity isn't a black box. Yes, IT and the CISO are responsible for building and maintaining the security infrastructure and responding to threats as they happen. But no system is perfect, and technology is only part of the solution. People across the organization - from the C-suite on down - need to be made aware of the risks, regularly trained on cybersecurity best practices, encouraged to report suspicious activity and not ridiculed or demeaned for making mistakes. The CISO can implement great technical solutions, but she needs employees' help to avoid the more human-related threats. In other words, the most effective way to be safe is to create a culture of cybersecurity across the organization. While some within the organization will have roles that are dedicated to cybersecurity, it should be seen as everyone's responsibility.
It's surprising how often the "conventional wisdom" is either outdated or just plain wrong. But when it comes to cybersecurity, we can't afford to cling to old maxims or misguided ideas. The stakes are too high and the consequences of being wrong are just too great.
## ABOUT THE AUTHOR
Corey Nachreiner, Chief Security Officer, WatchGuard
Recognized as a thought leader in IT security, Nachreiner spearheads WatchGuard's technology vision and direction. Previously, he was the director of strategy and research at WatchGuard. Nachreiner has operated at the frontline of cyber security for 16 years, and for nearly a decade has been evaluating and making accurate predictions about information security trends. As an authority on network security and internationally quoted commentator, Nachreiner's expertise and ability to dissect complex security topics make him a sought-after speaker at forums such as Gartner, Infosec and RSA. He is also a regular contributor to leading publications including CNET, Dark Reading, eWeek, Help Net Security, Information Week and Infosecurity, and delivers WatchGuard's "Daily Security Byte" video on Facebook.