Common Myths About Network Security
Most of the myths mentioned here leave the believer feeling confident in a simple single security solution. There is no singular solution. Therefore, to avoid cyber-attacks, users must be continually educated as new threats emerge and as you update safe computing guidelines. The best network security solutions will accommodate the full range of attacks and will provide your company a secure business network.
Another CIS blog post (Hackers Are Ready for You, Are You Ready for Them?) provides some recommended cybersecurity best practices. The last section (What Can I Do to Prevent Hackers from Invading Our Network?) helps you understand the range of cybersecurity issues that need to be addressed. While the list is not exhaustive, it provides a backbone for essential network security. A complete solution will require customizing to account for network architecture and the range of applications available on your network.
Myth: Our Network is Secure If We Use a Good Anti-Malware and Anti-Virus Software
Truth: Targeted cyber-attacks can occur after attackers have been surveying the system for weeks or months. During this time, the attackers learn ways around the security scans, and find security weaknesses in the system. The cybercriminal plans the attack to do damage without immediate detection by the security software. Hence, you need additional barriers to prevent and quickly respond to evolving cyber threats. You can read about many of these cyber threats, solutions, and cybersecurity best practices in the CIS blog post titled ‘Hackers Are Ready for You, Are You Ready for Them’.
Myth: Our Network is Secure if Our Users Don’t Visit Malicious Websites
Truth: Some users believe that malware and viruses can invade only by downloading from malicious websites. They believe that avoiding downloading from the web will prevent cyber-attack. The truth is that malicious code can gain access to a user’s computer and the network through a variety of other sources.
When employees open email attachments without properly verifying the security of the files, they risk downloading malicious code. All email attachments should be scanned and checked for viruses and malware before opening. Even this measure will not provide 100% protection against cyber threats. New threats are constantly emerging and cybersecurity software does not always update in time to catch new threats.
Similar problems can arise from clicking on links in emails. The link can provide connection to a malicious website, or it can open a hidden file attached to the email note. Another common point of invasion is corrupt files located on storage devices such as thumb drives. You and your employees need to follow all prescribed security measures.
Myth: Changing User Passwords Frequently is Enough to Make Our Network Secure
Truth: Many companies have only one barrier between their computing network and external threats: a single password sign-in. Regardless of the complexity of the password requirement, a single password sign-in is still only one barrier. Single Factor Authentication (SFA) will not always stop a cyber-attack. The best network security practices include Multi-Factor Authentication (MFA). MFA provides additional barriers to network access, and reduces the potential for unwanted network invasion.
MFA requires two or more independent credentials. Most of them fit within one of three categories:
- Biometrics – Fingerprints, retina scans, facial recognition, etc.
- Knowledge – Personal information such as birth date, mother’s maiden name, PIN, etc.
- Physical ‘Key’ – Employee ID card, SIM card, key fob, etc.
A secure business network typically requires a combination of user ID and password to access the network. It also may require a password to access specific applications on the network. Additionally, a combination of user ID and password provides access to a large number of web-based applications, cloud-based storage, etc. Most people have a difficult time keeping track of the large number of independent complex passwords they accumulate over time.
Consequently, some people respond to these difficulties by using the same PW repeatedly, thereby losing PW independence. If a hacker finds the common PW, he/she can access every bit of information the PW protects. To avoid this risk, some people keep a documented list of user ID and PW combinations referenced to the specific folder, file, application, or whatever the UID/PW was meant to protect. Discovery of the list, whether by electronic means or physical means, will provide the hacker with access to protected information.
A Password Manager (software) provides a safe method to store all of your user ID / PW combinations in one package. Most PW Managers use encryption and a master password to secure the user ID / PW combinations. Look for a discussion on the benefits and liabilities of using a PW Manager in a future CIS blog post.
Myth: I Can Stop Cyber-Attacks by Rebooting My Computer When the Attack Starts
Truth: You may have a limited degree of success thwarting some cyber-attacks by rebooting your computer at the first sign of trouble. This can work because rebooting often activates the anti-virus and anti-malware software to scan the system. In some cases this may disable the resident malicious code. However, you should not rely on this mechanism for several reasons:
- You may not notice the full effects of a cyber-attack right away.
- Anti-virus and anti-malware software are not 100% effective in stopping all cyber-attacks.
There is probably no harm in turning off your computer if you suspect a cyber-attack. Turning it off may be better than rebooting, so that you have the opportunity to engage technical support to assist with start-up. They may be able to effect isolation and/or repairs using a separate boot-up routine stored on a separate drive.
Myth: If I Use a Firewall and Security Software, My Network is Secure
Truth: Barkly conducted a survey of 60 companies that suffered ransomware attacks in 2016. The report states some alarming statistics.
- 100% of the attacks bypassed antivirus
- 95% of the attacks bypassed the victim’s firewall(s)
- 77% of the attacks bypassed email filtering
- 52% of the attacks bypassed anti-malware
- 33% of the attacks were successful even though the victim had conducted security awareness training
Although this survey and results focused on ransomware, we can safely assume that other types of attacks can bypass these barriers in similar fashion. We learn from this information that there is not a simple solution to preventing cyber-attacks. Effective cybersecurity requires a multi-dimensional approach.
Myth: Network Security is the Responsibility of the IT Department
Truth: The IT department bears responsibility for defining and implementing the various elements of network security protection. However, the IT department cannot control all actions taken by employees. If employees do not strictly follow cybersecurity policies, then risks of invasion will exist. Additionally, new cyber threats constantly emerge. Therefore, holes always exist in network security systems, if just for a short time.
You may wonder why a Network Administrator cannot implement very strict policies, which allow employees access only to pre-scanned and approved data, information, and applications. In fact, a few companies implemented this type of strict policy in the past. These policies failed because compliance left employees with very limited access to information. Competition demands that modern businesses allow employees to leverage information available on the internet.
Myth: Cyber-Attacks Only Come From External Sources
Truth: Employee activity remains a key source of cyber-attacks. Employees who initiate attacks may or may not do so intentionally, and may not even be aware they have done it. However, cybersecurity policies are in place to prevent such activity. Regardless, the employee is responsible for the attack if it was a result of cybersecurity policy non-compliance. We do not make this statement to blame employees. We merely want to stress the importance of continually educating employees about cybersecurity policy and about new threats as they emerge.
You can read about various types of employee induced cyber-attacks here.
Myth: Mobile Devices Do Not Present Network Security Risk When Not Connected to Network File System
Truth: A BYOD (mobile device) that connects to the internet through the company network can present a gateway to cyber-attack. This holds true even when the mobile device does not transfer data to and from the network data storage sites. A mobile device containing a virus or malware can inadvertently transfer the malicious code to the network servers through the network server’s internet gateway.
Myth: Your Data is More at Risk if Stored on The Cloud
Truth: Data storage location does not necessarily change the potential for a cyber-attack. Whether data is stored on a local network or on a cloud server, both are subject to intrusion and both need safeguards to keep cyber-attacks at bay. Cloud data storage management services provide a range of security solutions. You can achieve the same level of data security with cloud storage as you can by storing data on your own network. Regardless of the storage location, you are responsible for understanding whether the data security solution you use is sufficient to protect your data.
Myth: A Password Protected WiFi is Safe From Cyber-Attack
Truth: Often, public WiFi owners require a password solely to restrict the volume of traffic that the WiFi handles. Unless you verify the WiFi security details, you are ignorant of the level of cybersecurity risk when using public WiFi. The WiFi router will identify the level of security provided, if any. The most common wireless security protocols used include WEP, WPA, WPA2, and WPA3.
- WEP has many security holes. Do not rely on WEP security to protect your data from interception by other devices in the area.
- WPA provides better security than WEP; however, it still provides a low level of protection.
- WPA2 provides much better security than WPA, primarily due to use of AES (Advanced Encryption Standard) which the US government uses to protect transmission of sensitive information. However, WPA2 does have vulnerabilities for enterprise level networks. These vulnerabilities are not likely to present a problem for short term use of public WiFi. Intrusion through this security hole to a network will likely take 2 to 14 hours.
- WPA3 is superior to WPA2 in that it includes enhanced encryption features. However, the WiFi Alliance does not expect broad implementation until early 2019 at the earliest.
Even using WPA1 you cannot be certain that your data is safe from interception. If you want a truly secure connection to your server from a public WiFi, connect through a VPN.
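One way to verify the WiFi security details before connecting is to read the protocol each nearby network advertises and rate it against the list above. The script below is an added example, not part of the original post. It assumes scan output in the SSID:SECURITY form printed by Linux's `nmcli -t -f SSID,SECURITY device wifi list`; the sample networks are constructed, and a network that accepts two protocols is rated by the weaker one.

```python
# Ranking follows the article's list; token spellings are nmcli's SECURITY values.
RANK = {"WEP": 1, "WPA1": 2, "WPA2": 3, "WPA3": 4}
ADVICE = {
    None: "unrecognised security value: check the router details manually",
    0: "open network: no encryption, connect only through a VPN",
    1: "WEP: do not rely on it, connect only through a VPN",
    2: "WPA: low protection, connect only through a VPN",
    3: "WPA2: much better, still use a VPN on public WiFi",
    4: "WPA3: strongest listed, still use a VPN on public WiFi",
}

def split_terse(line):
    """Split one `nmcli -t` line on ':'; a backslash escapes the next character."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))  # escaped character is taken literally
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    return fields + ["".join(cur)]

def classify(security):
    """Return 0 for open, 1-4 per RANK (weakest accepted protocol), None if unknown."""
    tokens = [t for t in security.split() if t != "--"]  # "--" = open in table mode
    if not tokens:
        return 0
    ranks = [RANK[t] for t in tokens if t in RANK]
    return min(ranks) if ranks else None

def audit(scan_output):
    """Parse SSID:SECURITY lines and return (ssid, level, advice) tuples."""
    results = []
    for line in scan_output.splitlines():
        if not line.strip():
            continue
        ssid, security = (split_terse(line) + [""])[:2]
        level = classify(security)
        results.append((ssid, level, ADVICE[level]))
    return results

# Constructed sample scan; the SSIDs are invented for illustration.
SAMPLE_SCAN = "CoffeeShop-Guest:WPA2\nAirport Free WiFi:\nHotel\\:Lobby:WPA1 WPA2\nOldPrinterNet:WEP\nOffice-New:WPA3\n"

if __name__ == "__main__":
    for ssid, level, advice in audit(SAMPLE_SCAN):
        print(f"{ssid!r:22} {advice}")
```

The "Hotel:Lobby" entry shows why mixed mode matters: the network advertises WPA2, but because it also accepts WPA it is rated at the WPA level.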