Security Insights - Cybersecurity for Real-World Workplaces

Cybersecurity Myth Busting

Ivanti Season 1 Episode 21

Host Adrian Vernon sits down with Daniel Spicer to bust some cybersecurity myths! The list of myths include:

  • Passwords should be changed every 30 days
  • You shouldn't write down your password
  • Multi-factor Authentication is not secure
  • You don't need antivirus
  • VPNs keep my devices safe and secure
  • IT is responsible for all of the cybersecurity at an organization

"Stay safe, be secure, and keep smiling!"

  • Join the conversation online on LinkedIn (linkedin.com/company/Ivanti)

Adrian: Well hi everybody, welcome to another edition of Ivanti Insights, and we're here with Daniel Spicer, our Chief Security Officer. And Daniel, I've got some news for you. You ready?


Daniel: I'm ready!


Adrian: Okay, there we go. All right, so Daniel, this is our 20th episode. I know there are podcasts out there, hundreds if not thousands of episodes but hey, 20, it's a nice little milestone. I think it's a reason to celebrate. 


Daniel: Absolutely. 


Adrian: And you know what, as we wind down the year, this is our last podcast of 2021, but what better way to close it out and to talk about some cybersecurity myths. So here Daniel, we may refer to you today as the ‘myth-buster’, and so let's start with the first one-Passwords. And you know what boy, ideally we'd have biometrics and other kinds of authentication and not have to worry about passwords in an ideal world, but there's still a necessary evil right now. And there's really no running away, at least in the near future. So myth number one, here's the question for you, passwords should be changed every 30 days. Your thoughts on this?


Daniel: On the surface, it may make sense to be constantly changing passwords and having users change their passwords as often as possible, but there's a lot of risks that come with that. The most common one is users tend to make bad passwords, right? They'll make things that are easy to crack or they're iterations on the password. You know, the old common jokes about changing the 1 to a 2 or changing 21 to 22, has it kind of is with the end of the year. That makes them really susceptible to password spraying attacks. What's really important here is users create strong passwords that are unique for each of their accounts and making passwords that are difficult to crack that aren’t susceptible to again, password spraying attacks, or dictionary substitution attacks.


One of the things that we always recommend is password managers. For home and individual users, use a password manager that helps create those really strong passwords. If that's not really an option, or you're thinking about your active directory, long passwords with shorter change times. Or long passwords without even complexity are typically going to present a better password that has more entropy that's harder to brute force and guess. I like to refer to NIST 800 63B, and these scenarios have really talked about what a strong password can be. Now on the enterprise side, I always tell people, start looking at SSO if you're not already using a single sign-on, and you're not being aggressive. And only using applications that have SSO, definitely be doing that, and then after that start thinking about passwordless authentication. 


Adrian: Okay, for the next one, let's continue with the theme of passwords. Myth number 2, Mr. Daniel Spicer, our myth-buster today, do not write down your passwords


Daniel: Yeah, so obviously you don't want to have your password written down in a place where everyone can see it, like in a cubicle in a shared space. But forgetting your password in a lot of scenarios is worse, especially when it's related to encryption. So if you forget that password, theoretically, there is no way to get around that encryption ever again. And so having a way to back that up is really important. Storing passwords on a word document, storing passwords in an office cubicle, probably not the best idea. But trying to put passwords in a password manager or in some kind of shared vault is always very positive. Along with that, make sure your vault is backed up. You never want to be in a scenario where all the critical passwords for encryption, the encryption keys, your network device route passwords are lost because of some kind of hardware failure or worst-case scenario, ransomware. So always try to put these into a vault that you have access to, and always make sure that you have that in an offline backup as well.


Adrian: And let me ask you this Daniel, so for an old-style guy like me where maybe I don't have a vault and some of the things that you're talking about here. If I'm writing it down in a journal, like physically writing it down at my desk, it's kind of in my office, no one's going to be able to crack into that from out there in the online world. So am I okay there in writing it down the old-fashioned way, like keeping a password journal?


Daniel: Absolutely. I know a couple people do that. A certain family member of mine does actually maintain a password journal and they have a safe and they just store it with the safe, with their birth certificates and their passports and other critical documents. So it's not about do you write it down or do you not write it down, it's where do you keep it when you write it down. Making sure that that's kept in a secure place. 


Adrian: Bingo, that makes sense. Daniel, let's talk about multifactor authentication. It's something that's been gaining popularity, but there's also some talk that multi-factor authentication or MFA is not a secure way to keep online accounts and data safe. So myth number three, MFA is not secure and should be avoided. Your thoughts. 


Daniel: Absolutely not true. MFA is an absolutely critical control and businesses have been rolling it out a lot. I encourage you in your personal life and as consumers to also try to use MFA in as many places as you can. This myth is a bit of a complex one because it really originates from a particular type of MFA, which we call SMS-based multi-factor authentication. Which is essentially that little six to eight-digit code that gets sent to you in a text message. And that is not safe because there are a couple of different attacks so that sophisticated threat actors can reroute those messages to their phones. There are a couple of different attacks. The most common one is a SIM swapping attack. So if you implement MFA properly, though it's such an important security measure, it will protect you so many times. 

You hear about these data breaches and these password leaks all the time, and a shout out to the haveibeenpwned.comwhere you can look and see where your credentials may have been exposed. But you're really reducing the risk of those password exposures when you have MFA because that second factor is not available. If you only have the ability to use an SMS-based multi-factor authentication, use it. You’re better off using something rather than nothing. But in a lot of cases, Google and Microsoft have authenticator apps, these soft token applications that provide security that’s really difficult to beat. And going back to our previous one, they'll give you the ability to have recovery codes. So talking about your password journal again Adrian, go ahead and put those recovery codes in there because if your phone ever dies, then it makes it really hard to get back into those accounts. 


Adrian: All right, let's switch gears now, let's talk about antivirus. I remember a little while ago, an executive at an antivirus company came out and said that AV (antivirus) is dead. Now people in organizations, they're all over the world, they're still using AV today. So is it true that it's dead? And that leads us to myth number 4, you don't need AV. Speak to that please.


Daniel: Yeah, this is a little bit more marketing than reality. I would say that traditional antivirus is probably not as effective as it used to be. What we see as it's being replaced by more sophisticated methods of detection and response, but in general, AV is not really going anywhere yet. It's more kind of embedded into these other products and solutions kind of a bit of a standard. In fact, most of your modern operating systems, including Windows and Mac, come with some kind of AV solution already built-in. Now for your organizations, definitely want to be managing that and probably going a step farther and finding an EDR (Endpoint Detection and Response) solution. Which goes a little bit beyond AV and looks for different tactics and techniques that are used with traditional tools that are built into operating systems and environments so that you can detect attacks that use Living off the Land techniques. 

Adrian: All right, myth number five Daniel, let's talk about virtual private networks, VPNs. A lot of VPNs that are geared toward consumers make it seem like if you turn it on, then your device is protected, is that truly the case? So here's myth number five, a VPN can keep my devices safe and secure.


Daniel: So VPN is a really great technology. There's a bit of a challenge here though, as we have a lot of these consumer-focused VPN technologies really going after users and trying to convince them that a VPN will somehow prevent their computer from getting malware and protect them. What those VPN systems really do is protect your data in transit when you’re at a coffee shop or at a hotel. In a lot of cases, most websites now use modern encryption that would protect you from a lot, but not all of the issues that would kind of plague you when you're using a shared WiFi space. So no, VPN does not protect you from getting malware on your system. For corporations and enterprises, what VPN does is help protect remote communications when your users are work from home as who we all are these days, and trying to access internal resources. And making sure that connection is secure and making sure most importantly, that the way that the users come in and authenticate and kind of authorize their actions and activities is through a centralized location. So you should definitely not be using RDPs and enterprise to allow users to access internal resources. You really need that VPN, but for you consumers out there, most of the time you really don't need this. It doesn't hurt by any means, it's definitely a nice add-on, but you still want something like an antivirus, like we were just talking about to really protect you from malware. 


Adrian: Okay, we are wrapping things up with our myth-buster today, Daniel Spicer. All right Daniel, one more myth that we're going to bus today is that cybersecurity is the sole responsibility of a company's IT department. So myth number six, IT is responsible for all of the cybersecurity at an organization.


Daniel: Absolutely not, there's only so much that your security team can do to keep you and your organization safe and secure. We can implement controls and advise people on the best thing, but we talk about it all the time, the number one weakness in the chain at the end of the day is the user. And that's why we pour so much time and effort into training and outreach of users and hope that those messages don't end up in spam or deleted unreadbecause it really is critical for users to have a healthy layer of skepticism when they're receiving an email asking them for their password. Or when someone calls and asks them to make a wire transfer outside of the normal procedures. So it really is important that security kind of starts at the user layer, and we talk a lot about having a culture of security in organizations. I think it's critical that we talk about that, but you'll also notice that there's a lot more shifting of security functions into IT. When we talk about vulnerability management and patch management, when we talk about validating users when they ask for password resets, these are all places where the IT organization is deeply involved in security. And quite frankly, without an IT organization that pays attention to security, security programs will fail because we rely on them to help us implement our controls and maintain those processes.

Adrian: All right Daniel, well listen, we appreciate your serving as our myth-buster today and doing it solo without the assistance of our other security expert Mr. Chris Goettl who's normally on Ivanti Insights. And Daniel, before I let you go, as you're aware, but we're going to make everyone else aware, this is my last Ivanti Insights broadcast. I'm going to be leaving Ivanti later this month in December, moving on to another company. But Ivanti Insights, folks, will continue in 2022 with Daniel, with Chris, and whoever else they can find to fill my seats. So you'll still get the same insights, so keep tuning in and Daniel, just want to wish you and Chris in absentia, happy holidays.


Daniel: Thanks Adrian, take care of yourself. 


Adrian: All right, and happy holidays everyone. And remember, during the holiday season especially, stay safe, be secure and keep smiling.