8 Outdated Cybersecurity "Tips" to Stop Using

By Corey Nachreiner, Chief Security Officer, WatchGuard Technologies

When it comes to cybersecurity, if you're not evolving, you're almost certainly falling behind... and becoming vulnerable. Yet some old cybersecurity tips and best practices continue to live on long after they should. Truisms that may have made sense 10, 5 or even 2 years ago may no longer make sense today. Sometimes they're just no longer relevant, but in some cases they can actually make us less safe. Here are 8 old security saws that need to be retired:

Passwords should be at least eight characters 

One of the first cybersecurity tips an average user hears is to use a long password. But how long is long enough? For ages, the common wisdom was that passwords should be at least eight characters long. A decade ago, this made sense, since eight characters offers hundreds of billions of potential combinations. But modern computers with powerful GPUs can now go through hundreds of millions of guesses in seconds. Combine that with pre-calculated rainbow tables that contain all of the possibilities for passwords of eight characters and less, and eight characters is now far too short for a secure password. Today, 12 has become the new eight. But to be extra safe, I would recommend using passwords that are 16 characters and above. However, below I'll talk about why focusing on password strength alone is an outdated tip, too.
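To put these lengths on a common footing, here is an added example (my own, not code from the article) that computes the keyspace, entropy and worst-case exhaustive-search time for passwords of different lengths and character sets; the guess rate of one billion per second and the alphabet sizes are assumed values, not figures from the article.

```python
import math

# Constructed assumption: one billion guesses per second for a GPU cracking rig.
GUESSES_PER_SECOND = 1_000_000_000

# Character-set sizes a password policy typically allows (assumed values).
ALPHABETS = {"digits": 10, "lowercase": 26, "alnum": 62, "printable": 95}


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time for a brute-force search to try every candidate."""
    return keyspace(length, alphabet_size) / rate


def human_duration(seconds: float) -> str:
    """Render a time span in the largest convenient unit."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack_table(lengths=(8, 12, 16), alphabet="alnum"):
    """Rows of (length, entropy bits, time to exhaust) for one alphabet."""
    size = ALPHABETS[alphabet]
    return [(n, round(entropy_bits(n, size), 1),
             human_duration(seconds_to_exhaust(n, size))) for n in lengths]


if __name__ == "__main__":
    for length, bits, duration in crack_table():
        print(f"{length:>2} chars  {bits:>6} bits  {duration}")
```

Eight alphanumeric characters fall to this assumed rig in days, while twelve take on the order of a hundred thousand years; the jump from 8 to 12 to 16 is what the article's "12 is the new eight" advice is about.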

Change your passwords regularly 

Another outdated authentication-related tip is to change your passwords regularly (or to force your users to). When passwords were all that protected us, this made sense. Passwords do get stolen, leaked, or cracked - it's estimated that there are more than 24 billion stolen credentials available on the dark web - and users often reuse the same password or set of passwords at multiple sites. So, if a user's personal password leaked from a third-party site, it could give an attacker their corporate password, too. Since it wasn't possible to know if a password was compromised unless a breach made the news (most don't), it was considered good practice to regularly change passwords just in case.

Here's the problem: most people already have trouble following the basic best practice of using long, complex passwords, and even when they do, they don't like to change them. Forcing users to change passwords regularly often leads them to try and game the system. For instance, they'll just change a digit or make other trivial (and easy to guess) changes to an existing password. If passwords are the only thing protecting your organization, you might still want to change passwords regularly, but the real solution is multi-factor authentication (MFA). If you add the additional protection of MFA, I recommend you don't require users to change passwords regularly, except when their existing passwords are part of a known or potential compromise.

Pushing strong password practices 

So here comes a controversial one! Despite what I just covered in the previous two sections, I'm now going to tell you that insisting that your users follow strong password best practices is an outdated waste of time! 

Don't get me wrong; technically, it's good security. Unfortunately, the right best practice is to use different, completely random, 24-character passwords for every site. But since no ordinary human can remember hundreds of long, random passwords without technical assistance, you should be recommending just two things: use a password manager and use MFA whenever you can.

Think of a password manager as a way to automate password best practices. You can set it to generate completely random 24-character passwords and even enter them for you when you visit sites and get password prompts. Deployed organizationally, password managers can be used to enforce a strong password policy. If there are leaks, a password manager can also automatically change one (or all) of a user's passwords. Instead of many passwords, users just have to remember one - and that needs to be a very strong one. For that they can use a "password sentence," that is, a short sentence with spaces and punctuation. That will provide the length and complexity required to make a strong password, while also remaining easy to remember. Combining MFA and a password manager will provide very strong authentication (and eliminate the need to convince users to memorize and use many long passwords).

Be skeptical of links and attachments from strangers 

This tip is outdated not because it's wrong, but because it's not inclusive enough. You should tell your users to be skeptical of links and attachments from everyone, even people who they recognize. Since bad actors often try to spoof people you know or hack your friends and coworkers to send correspondence directly from their accounts, you should always be skeptical about links and attachments in messages that seem strange in any way. If you get a document from your boss that is unexpected and out of character to how you normally work together, be suspicious. Take the time to verify with your boss (or whomever) through another channel that they are the sender. Yes, you can eventually trust, but first verify. 

You can't fix the user 

This is an outdated tip among IT and Infosec professionals. Many have given up on trying to train or adjust the behavior of users, deeming it a waste of time. They often make jokes like "PEBKAC" (problem exists between keyboard and chair), or that it's a layer-8 (human) problem. They are convinced that since users will always make mistakes, it's better to concentrate on forceful controls that technically limit them. This is wrong thinking!

You can't expect an accountant, salesperson, or support rep to be a technology or security expert, but that doesn't mean they can't learn basic security practices. People are generally smart enough and capable of learning new things if you actually take the time to train them properly. However, treating them like idiots is not useful. IT folks who think training is not worth it because it won't prevent every mistake miss the point entirely. While you can never eliminate human mistakes, you can greatly decrease the number of them. Yes, every time you have an accidental click, it does create work and incident response for your IT and security team. But reducing the number of accidental clicks from 15 a quarter to 1 a quarter is a huge win in terms of the time and effort your team must exert to respond.

And that kind of improvement is entirely achievable. Many phishing test campaigns have shown bad click rates of up to 35% go down to 3-4% after repeated trainings. Yes, you'll still need preventative security controls as a safety net in the event a user makes a mistake, but training is absolutely worth it!

Firewalls and antivirus are good enough

Relying on firewalls and antivirus for security today would be like trying to stop a modern army with cavalry. The current security environment is incredibly complex and gets more so every day. With the rise of distributed enterprises and remote and hybrid work, many employees are working outside the main corporate network and beyond the firewall. They use their own personal devices for work and connect over both secure and unprotected networks. They use third-party services and applications. As a result, threat actors have a much larger attack surface to work with and employ new tools (like fileless and encrypted malware) and tactics (like "living off the land" attacks) that can easily evade firewalls and traditional anti-virus. With stolen credentials obtained online or through phishing attacks, bad actors can simply bypass even strong defenses and just log in to your network.

To have meaningful protection, organizations need layered defenses that include firewalls and anti-virus, but also endpoint protection, detection and response, secure wi-fi, and advanced authentication with MFA. More importantly, today's unified threat management (UTM) or next-generation firewalls (NGFW) go well beyond just a "firewall," with many additional network security services like IPS, multiple malware detection engines, DNS and web filtering, and more, offering 10 times the defensive layers of a traditional firewall. Organizations that convince themselves that they can "get by" with minimal security need to rethink their level of risk; one major data breach or ransomware attack could easily outweigh the cost of a more complete security infrastructure and put their entire business on the line.

Security tools alone are enough to protect us

If technology alone were enough to keep organizations safe, the job of most infosec professionals would be a lot easier. But the reality is that many successful attacks aren't a failure of some security system or another; they're caused by human error, lack of education or poor security practices. As I mentioned above, instead of hacking into a network, bad actors often obtain credentials through phishing, malicious websites or social engineering and just log into networks, bypassing most security measures. In other cases, they take advantage of misconfigurations or systems that aren't patched with the latest software or have out-of-date firmware. Yes, properly implemented security tools can certainly prevent many attacks and limit the damage even when attacks are initially successful, but security tools by themselves aren't enough. Organizations need to invest the time and energy into training everyone in cybersecurity best practices and into helping them understand the consequences of a security failure. They should also make sure they have written and shared security policies, like an "acceptable use policy," with their employees, to let them know what they can and can't do on the company's technology.

Let IT or the CISO bear the responsibility for cybersecurity

Effective cybersecurity isn't a black box. Yes, IT and the CISO are responsible for building and maintaining the security infrastructure and responding to threats as they happen. But no system is perfect, and technology is only part of the solution. People across the organization - from the C-suite on down - need to be made aware of the risks, regularly trained on cybersecurity best practices, encouraged to report suspicious activity and not ridiculed or demeaned for making mistakes. The CISO can implement great technical solutions, but she needs employees' help to avoid the more human-related threats. In other words, the most effective way to be safe is to create a culture of cybersecurity across the organization. While some within the organization will have roles that are dedicated to cybersecurity, it should be seen as everyone's responsibility.

It's surprising how often the "conventional wisdom" is either outdated or just plain wrong. But when it comes to cybersecurity, we can't afford to cling to old maxims or misguided ideas. The stakes are too high and the consequences of being wrong are just too great.

Corey Nachreiner, Chief Security Officer, WatchGuard

Recognized as a thought leader in IT security, Nachreiner spearheads WatchGuard's technology vision and direction. Previously, he was the director of strategy and research at WatchGuard. Nachreiner has operated at the frontline of cyber security for 16 years, and for nearly a decade has been evaluating and making accurate predictions about information security trends. As an authority on network security and internationally quoted commentator, Nachreiner's expertise and ability to dissect complex security topics make him a sought-after speaker at forums such as Gartner, Infosec and RSA. He is also a regular contributor to leading publications including CNET, Dark Reading, eWeek, Help Net Security, Information Week and Infosecurity, and delivers WatchGuard's "Daily Security Byte" video on Facebook.
Published Friday, November 04, 2022 7:33 AM by David Marshall