When it comes to cybersecurity, if you are not evolving, you are almost certainly falling behind and becoming vulnerable. Yet some old cybersecurity tips and best practices continue to live on long after they should, and in some cases they can actually make us less safe. Corey Nachreiner, Chief Security Officer at WatchGuard Technologies, proposes the practices that need to be retired:
- Passwords should consist of at least eight characters:
A decade ago, the common wisdom was that passwords should be at least eight characters long, since eight characters offers hundreds of billions of potential combinations. But now, modern computers with powerful GPUs can go through hundreds of millions of guesses in seconds. Combine that with pre-calculated rainbow tables that contain all the possibilities for passwords of eight characters and less, and eight characters is now far too short for a secure password. I would recommend using passwords that are 16 characters and above.
- Change your passwords regularly:
When passwords were all that protected us, this advice made sense. Passwords do get stolen, leaked, or cracked – it has been estimated that there are more than 24 billion stolen credentials available on the dark web, and users often reuse the same password or set of passwords at multiple sites. Since it was not possible to know if a password was compromised unless a breach made the news (most do not), it was considered good practice to regularly change passwords just in case. If passwords are the only thing protecting your organisation, you might still want to change passwords regularly, but the real solution is multi-factor authentication (MFA). With MFA in place, you only need to require users to change passwords if their existing passwords are part of a known or potential compromise.
- Enforce strong password practices:
So here comes a controversial one – despite what I just covered in the previous two sections, I am going to tell you that insisting that your users follow strong password practices is an outdated waste of time! The right practice is to use different, completely random, 24-character passwords for every site. But since no ordinary human can remember hundreds of long, random passwords without technical assistance, you should be recommending just two things: use a password manager and use MFA whenever you can. Deployed organisationally, password managers can be used to enforce a strong password policy. If there are leaks, a password manager can also automatically change one (or all) of a user’s passwords.
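The three password points above (16+ characters, rotate only on known compromise, and let a manager enforce the policy) combine into one enrolment check. The example below is added here and is not code from the article or from WatchGuard; it shows a minimum-length rule plus a k-anonymity breach lookup, where only the first five hex characters of the password's SHA-1 leave the client. The `SAMPLE_BREACHED` table and `fetch_range` function are constructed stand-ins for a real breached-credential service such as the Have I Been Pwned range endpoint, which returns the same `SUFFIX:COUNT` line format.

```python
import hashlib
from typing import Dict, Iterable

# The article's recommendation: 16 characters and above.
MIN_PASSWORD_LENGTH = 16

# Constructed sample of passwords we pretend appeared in breach dumps, with
# fake occurrence counts. In production this data comes from a breached-
# credential service; this table only stands in for it so the example runs offline.
SAMPLE_BREACHED: Dict[str, int] = {
    "password1": 3_000_000,
    "correcthorsebatterystaple": 12_000,   # long enough, but known-leaked
    "letmein": 400_000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash form used by range-style breach services."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Group breached-password hashes by their 5-character prefix, the way a
    k-anonymity range service stores them: prefix -> {35-char suffix: count}."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in breached.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index


RANGE_INDEX = build_range_index(SAMPLE_BREACHED)


def fetch_range(prefix: str) -> Iterable[str]:
    """Stand-in for the network call (assumption: same line format as the real
    service). Only the 5-character prefix is sent; the password and its full
    hash never leave the client."""
    return [f"{suffix}:{count}" for suffix, count in RANGE_INDEX.get(prefix, {}).items()]


def breach_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in breach data, 0 if unseen.
    The match is done locally against the returned suffixes."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(password: str) -> dict:
    """Apply the two checks the article argues for: minimum length and not
    known-compromised. A password that passes is not rotated on a calendar;
    it is re-checked against breach data when new dumps appear instead.
    Reasons are returned so a password manager or UI can explain a rejection."""
    reasons = []
    if len(password) < MIN_PASSWORD_LENGTH:
        reasons.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    count = breach_count(password)
    if count:
        reasons.append(f"seen {count} times in breach data")
    return {"accepted": not reasons, "reasons": reasons, "breach_count": count}


if __name__ == "__main__":
    for candidate in ("password1", "correcthorsebatterystaple", "vF9#kLq2!mZp8@rTx4wB"):
        print(candidate, evaluate_password(candidate))
```

Note that "correcthorsebatterystaple" clears the length rule but is rejected anyway: length alone is not the policy, and a breach hit is the one condition under which the article says a reset should be forced.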
- Be sceptical of unusual links and attachments:
Users should be sceptical of links and attachments from everyone, even people who they recognise. Since bad actors often try to spoof people you know and send correspondence directly from their accounts, you should always be wary about links and attachments that seem strange. If you get a document from your boss that is unexpected and out of character for how you normally work together, be suspicious. Take the time to verify with your boss (or whomever) through another channel that they are the sender.
- You cannot fix the user:
Every employee can and should learn basic security practices – every time there is an accidental click, it does create work and incident responses for your IT and security team. But reducing the number of accidental clicks from 15 a quarter to 1 a quarter is a huge win in terms of the time and effort your team must exert to respond. And that kind of improvement is entirely achievable. Many phishing test campaigns have shown bad click rates of up to 35% go down to 3-4% after repeated training.
- Firewalls and antivirus are good enough:
Relying on firewalls and antivirus for security today would be like trying to stop a modern army with cavalry. With the rise of distributed enterprises and remote and hybrid work, many employees are working outside the main corporate network and beyond the firewall. As a result, threat actors have a much larger attack surface to work with and employ new tools (like fileless and encrypted malware). To have meaningful protection, organisations need layered defences that include firewalls and antivirus, but also endpoint protection, detection and response, secure Wi-Fi, and advanced authentication with MFA. More importantly, today’s unified threat management (UTM) or next-generation firewalls (NGFW) go well beyond just a “firewall”, with many additional network security services like Intrusion Prevention Service (IPS), multiple malware detection engines, DNS and web filtering, and more, offering 10 times the defensive layers of a traditional firewall.
- Security tools alone are enough to protect us:
The reality is that many successful attacks are not a failure of some security system or another; they are caused by human error, lack of education or poor security practices. In other cases, they take advantage of misconfigurations or systems that are not patched with the latest software or have out-of-date firmware. Properly implemented security tools can prevent many attacks and limit the damage even when attacks are initially successful, but security tools by themselves are not enough. Organisations should help employees understand the consequences of a security failure and have written security policies that are shared with their employees.
- Let IT or the CISO bear the responsibility for cybersecurity:
People across the organisation – from the C-suite on down – need to be made aware of the risks, regularly trained on cybersecurity best practices, encouraged to report suspicious activity, and not be demeaned for making mistakes. The CISO can implement great technical solutions but the most effective way to stay safe is to create a culture of cybersecurity across the organisation. While some within the organisation will have roles that are dedicated to cybersecurity, it should be seen as everyone’s responsibility.
Contact the Dolos team for up-to-date cybersecurity information, and the most relevant and advanced security solutions, tailored to suit your organisation’s unique requirements.