We have written on multiple occasions regarding the impact that the pandemic has had on the world of cybersecurity, as criminals have become more brazen while more people work from home, opening up opportunities for vulnerabilities to be actively exploited.
While a generally stronger stance on cybersecurity needs to be adopted by all organisations, there are still many who do not take the proper precautions. As the Rapid Response team from cybersecurity specialists Sophos explain, these are often born out of misconceptions.
Below they detail the top 10 misconceptions regarding cybersecurity, as well as dispelling them. The team notes that these misconceptions have been compiled from what it has encountered in the last 12 months while neutralising and investigating cyberattacks in a wide range of organisations.
More vulnerable than you think
There is no specific order here, but the first misconception sounds fairly common given the panel discussions and roundtables on security we have taken part in over the years. That is the belief that it will never happen to me.
“Many cyberattack victims assume they are too small, in a sector of no interest or lacking the kind of lucrative assets that would attract an adversary. The truth is, it doesn’t matter: if you have processing power and a digital presence, you are a target,” stresses Sophos.
“If you believe that your organization is not a target, you are probably not actively looking for suspicious activity on your network – such as the presence of Mimikatz (an open-source application that allows users to view and save authentication credentials) on your domain controller – and you could miss the early signs of an attack,” it warns.
The second is that an organisation does not need advanced security technology installed everywhere.
Here, Sophos highlights the fact that most IT teams are satisfied with securing the endpoint. “Some IT teams still believe that endpoint security software is enough to stop all threats and/or they don’t need security for their servers. Attackers take full advantage of such assumptions. Any mistakes in configuration, patching or protection make servers a primary target, not a secondary one as might have been the case in the past,” they point out.
“The list of attack techniques that try to bypass or disable endpoint software and avoid detection by IT security teams grows longer by the day,” adds Sophos.
The next misconception is only half true: that having robust security policies in place is enough. While robust policies are indeed important, Sophos notes that they need to be checked and updated constantly as new features and functionality are added to devices connected to the network.
“Verify and test policies, using techniques such as penetration testing, tabletop exercises and trial runs of your disaster recovery plans,” the specialists advise.
The following misconception is a rather technical one: the belief that RDP servers can be protected from attackers by changing the ports or introducing MFA. If those abbreviations were foreign to you, this misconception pertains to Remote Desktop Protocol (RDP) servers and Multi-Factor Authentication (MFA).
Sophos explains that these two approaches are often ineffective: changing the port does little to protect an RDP server, as attackers will still know which points of entry to look for, and while introducing multi-factor authentication is important, it won't enhance security unless the policy is enforced for all employees and devices.
With state-sponsored attacks more prevalent than ever, organisations think blocking IPs from specific locations like Russia, China and North Korea is effective protection. While this is a handy approach, it also breeds a false sense of security in Sophos’ experience.
“Adversaries host their malicious infrastructure in many countries, with hotspots including the US, the Netherlands and the rest of Europe,” according to the cybersecurity firm.
False sense of security
One type of cyberattack that is on the rise is ransomware, and organisations think a backup will safeguard them against the impact of ransomware.
As Sophos crucially points out, “Keeping up-to-date backups of documents is business critical. However, if your backups are connected to the network, then they are within reach of attackers and vulnerable to being encrypted, deleted or disabled in a ransomware attack.”
The cloud may not prove any safer in this regard either, as the Rapid Response team highlights with a recent incident it encountered.
“Storing backups in the cloud also needs to be done with care – in one incident Sophos Rapid Response investigated, the attackers emailed the cloud service provider from a hacked IT admin account and asked them to delete all backups. The provider complied.”
The next is one we've also heard on a number of occasions, and that is the belief that "our employees understand the importance of security".
Here there is a fundamental difference between understanding and practising.
“According to the State of Ransomware 2021, 22% of organizations believe they’ll be hit by ransomware in the next 12 months because it’s hard to stop end-users from compromising security,” notes the company.
“Social engineering tactics like phishing emails are becoming harder to spot. Messages are often hand-crafted, accurately written, persuasive and carefully targeted. Your employees need to know how to spot suspicious messages and what to do when they receive one,” advises Sophos.
We recently saw social engineering play out during the Twitter hack.
Next is the belief that incident response teams will recover everything after an attack. While Sophos' team will try to do so, there is no guarantee. This is because cybercriminals these days are more organised than ever.
“Attackers today make far fewer mistakes, and the encryption process has improved, so relying on responders to find a loophole that can undo the damage is extremely rare. Automatic backups like Windows Volume Shadow Copies are also deleted by most modern ransomware, as well as overwriting the original data stored on disk, making recovery impossible other than paying the ransom,” explains the company.
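Deletion of Volume Shadow Copies is one of the early signs Sophos says organisations miss when they are not looking. As an added example (not from the article or from Sophos), here is the check a defender can run over process-creation telemetry, using constructed events with assumed field names, to flag the shadow copy and backup catalogue removal commands ransomware commonly issues before encryption:

```python
import re

# Constructed sample of Windows process-creation events (Sysmon Event ID 1 style),
# reduced to the fields this check needs. Field names are assumed, not a vendor schema.
SAMPLE_EVENTS = [
    {"host": "fs01", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin.exe list shadows"},                 # benign inventory
    {"host": "fs01", "user": "CORP\\jdoe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},   # shadow copy removal
    {"host": "dc01", "user": "CORP\\jdoe",
     "cmdline": "wmic shadowcopy delete"},                    # same goal via WMI
    {"host": "ws07", "user": "CORP\\asmith",
     "cmdline": "wbadmin delete catalog -quiet"},             # Windows Backup catalogue
    {"host": "ws07", "user": "CORP\\asmith",
     "cmdline": "winword.exe report.docx"},                   # unrelated activity
]

# Command lines that remove shadow copies or the backup catalogue. Matching on the
# command line rather than the image name catches renamed copies of the binaries.
SHADOW_REMOVAL_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "vssadmin delete shadows"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "wmic shadowcopy delete"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I), "wbadmin delete"),
]


def find_shadow_copy_removal(events):
    """Return one hit per event whose command line matches a removal pattern."""
    hits = []
    for ev in events:
        for pattern, label in SHADOW_REMOVAL_PATTERNS:
            if pattern.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "user": ev["user"],
                             "technique": label, "cmdline": ev["cmdline"]})
                break  # one label per event is enough for triage
    return hits


def hosts_to_isolate(hits):
    """Distinct hosts where removal was seen; the first set to contain in a response."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    for hit in find_shadow_copy_removal(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: {hit['technique']} -> {hit['cmdline']}")
    print("isolate:", hosts_to_isolate(find_shadow_copy_removal(SAMPLE_EVENTS)))
```

A single `vssadmin list shadows` is routine admin activity and is deliberately not flagged; the point is that a delete from an ordinary user account on a file server or domain controller should page someone before the encryption stage begins.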
Sticking with what happens after an incident, the next misconception is that paying a ransom will get your data back. This is also very rarely the case when it comes to ransomware attacks, even if you comply and pay what is being demanded.
Here Sophos cites the State of Ransomware 2021 report again, where only 8 percent of those who paid the ransom actually saw their data again. Remember, we're not dealing with people who stick to their word here.
The last misconception is that if you survive the initial ransomware attack, you're in the clear. Once again, this is often only the start of your business's woes.
“The ransomware is just the point at which the attackers want you to realize they are there and what they have done,” says Sophos.
“The adversaries are likely to have been in your network for days if not weeks before releasing the ransomware, exploring, disabling or deleting backups, finding the machines with high value information or applications to target for encryption, removing information and installing additional payloads such as backdoors. Maintaining a presence in the victim’s networks allows attackers to launch a second attack if they want to,” they soberingly conclude.
While a lot of the above may sound like scare tactics, it is very real and it is therefore more critical than ever for organisations to take cybersecurity seriously, because the criminals certainly do.