Cyber threats pose a growing risk in our digital world, yet many myths and misconceptions persist around cybersecurity best practices. Believing these myths can create a false sense of safety for individuals and businesses alike at a time when vigilance is required. Proper cybersecurity training is essential for employees at all levels to understand realities and unmask misleading myths. In this three-part blog series, we will shed light on the truths behind common cybersecurity misbeliefs.
In part one, we will tackle myths around the safety of certain devices and software, public Wi-Fi usage and whether small businesses are targeted. Debunking these myths through ongoing education is crucial for constructing robust protections. Leadership must prioritize security, while staff need training to identify risks and dispel myths. With a foundation of cybersecurity facts, organizations can build multi-layered defenses against an array of threats. Knowledge is power in securing systems against rapidly evolving dangers.
Myth #1: Antivirus software is enough to keep me safe
Antivirus software detects known malware through signature matching, heuristics and behavioral analysis. This offers a useful first line of defense against many threats. However, skilled hackers continuously develop new malware and obfuscation techniques to evade antivirus detection. These zero-day threats with no known signature slip past antivirus defenses.
Advanced persistent threat (APT) attacks are tailored to specific targets and can disable antivirus before penetrating systems. The infamous Stuxnet worm, which targeted Iranian nuclear centrifuges, and the hackers behind the 2013 Target breach both began by disrupting antivirus software. Once inside the network, customized malware can operate unimpeded. Updating antivirus signatures will then be too late.
Today’s ransomware presents a major threat often missed by antivirus. Multi-vectored ransomware families like Ryuk, Hermes and Sodinokibi bypass antivirus using stolen admin credentials for remote desktop access. They utilize “living off the land” system tools to disable security software and encrypt files. Antivirus alone stands little chance against disabling tactics and encryption. Preparation through network segmentation, least privilege access and backups is crucial for ransomware resilience.
Relying solely on antivirus offers a false sense of security. It should be just one component of defense-in-depth including firewalls, access controls, patching, staff training, backups, and disaster recovery. Security teams must think beyond antivirus to build robust protections on all levels. With a hardened environment, antivirus can block opportunistic threats while defenses thwart sophisticated attacks. Antivirus is necessary, but never sufficient on its own.
Myth #2: Mac and Linux systems are immune to malware and attacks
The small market share of Mac and Linux systems meant fewer cyber threats targeted them for many years. But their rising adoption in businesses and homes has attracted sophisticated attackers. Modern malware now utilizes cross-platform tools to target Windows, macOS, Linux and more.
On macOS, malware like Mac.BackDoor.iWorm hit in 2014, abusing the Python scripting engine. The Fruitfly malware operated for years undetected on Macs through remote access tools. The 2017 MacRansom encrypted Mac files for ransom by exploiting Java vulnerabilities. Crossrider/Vsearch adware and the OSX.Pirrit Mac adware both highlight persistent Mac malware threats.
On Linux, a major threat came with the 2016 Mirai botnet DDoS attack leveraging compromised IoT devices. Unsecured Linux servers and IoT devices still feed major botnets like Kaiji. Linux ransomware is also on the rise, with tools like KillDisk designed to disable the system. Cryptocurrency miners have hit Linux servers, consuming resources. Keydnap malware stole SSH credentials from Linux servers in 2016.
While Windows sees the most threats, the surge in Mac and Linux malware proves no single platform has inherent immunity anymore. All organizations need security layers like behavioral monitoring, access controls and patching on Macs and Linux systems. With cross-platform tools for exploitation, attackers will not selectively ignore major operating systems.
Myth #3: I'm not a target. My business is too small.
Small businesses make up over 40% of reported data breaches according to Verizon's research. Smaller companies often have weaker cybersecurity than large enterprises, making them soft targets. Yet they still possess data of value to attackers, including:
- Customer personal information like names, emails, addresses, phone numbers, social security numbers, and credit card data. This can enable identity theft and financial fraud.
- Company intellectual property like proprietary processes and designs. Theft of IP benefits competitors.
- Login credentials to banking sites and payment systems. These directly enable wire fraud and theft.
- Email accounts that can be used for phishing employees or customers.
- Networks that can serve as pivot points to eventually access supply chain partners.
The costs of a breach include legal liability, investigation fees, restoration charges, reputational damage, and potential fines for non-compliance. A major incident could bankrupt a small company lacking adequate insurance or reserves.
Regardless of size, any organization with sensitive data accessible online is a target. Small businesses cannot assume obscurity will protect them. Essential protections like staff training, endpoint security, access controls, encryption and backup must be implemented regardless of company size.
Myth #4: Public Wi-Fi is safe as long as I'm accessing secured websites
The risks of public Wi-Fi go beyond unsecured sites. HTTPS-encrypted sites are still not necessarily safe. Sophisticated threats leverage spoofed hotspots and man-in-the-middle attacks to intercept secured traffic.
Attackers can create malicious Wi-Fi hotspots impersonating legitimate public networks. Users may connect without realizing it is an insecure impersonator network. All activity can then be monitored or altered by the hacker.
Man-in-the-middle attacks insert the hacker between your device and the internet. They can leverage tactics like ARP spoofing to silently intercept even HTTPS-encrypted connections. Your traffic is decrypted and re-encrypted to the destination, allowing data theft.
Using a VPN provides encryption from device to network, mitigating many public Wi-Fi threats. Alternatively, mobile users can rely on their carrier's cellular data connection when accessing sensitive accounts and transactions outside their own private networks.
Public Wi-Fi presents risks for all users and organizations. When remote workers must use public networks, enterprise VPNs and device management are crucial for security. For sensitive connections, public Wi-Fi of any kind should be avoided.
Myth #5: My data is not valuable to cybercriminals
Nearly all types of data have value to cybercriminals for profit and enablement of additional crimes. Usernames and passwords can be compromised and reused across other sites through credential stuffing. Personal information like addresses, dates of birth, and social security numbers can enable identity theft and financial fraud. Medical records fetch high prices on dark web markets, enabling insurance fraud through false billings. Banking credentials and credit card numbers lead directly to account drainage and fraudulent purchases.
Intellectual property is prized for providing competitive advantage through corporate espionage. Legal contracts and business development information can give insider knowledge for negotiation leverage and targeting sales opportunities. Even mundane data can prove useful when aggregated for profiling. Personal interests, relationship connections and browsing habits allow highly targeted phishing attacks that better impersonate associates.
Back-end databases with customer records, business data and authentication credentials offer jackpot targets. Cybercriminals often seek to escalate access from initial compromised endpoints towards these central repositories through the network. Very little data is truly worthless when in criminal hands. The motives for theft and fraud are extensive. All organizations need to identify and secure sensitive data through access controls, encryption and backups. Assessing your data's value to attackers is a key step in risk analysis and protection planning.
Cybersecurity Myths Unmasked
The threats we face are constantly evolving and require ongoing education. In Parts 2 and 3 of this blog series, we will tackle other common myths around social engineering, compliance, passwords and the dark web. Cybersecurity requires practical defenses rooted in reality, not misconceptions. With cybersecurity training and layered protections, organizations can empower their workforces to make smart security decisions.
Leveraging MSPs like Xperteks provides organizations with the benefit of enterprise-grade cybersecurity tailored to their unique needs and infrastructure. This provides a secure foundation for cloud adoption and operations and helps your organization unmask these common cybersecurity myths.