Cyber Disinformation Month Wrap-Up
Cybersecurity Awareness Month is officially in the rearview mirror. This is my "Disinformation" wrap-up post for all the bad ideas you may have heard this month.
Each weekday this October I posted Cybersecurity Disinformation on LinkedIn. I was tired of the same old "bad advice" we seem to give out as an industry during Cybersecurity Awareness Month, so I went another direction.
This is a recap of all of those posts and a discussion around each topic.
Tuesday, October 1, 2024
The beauty of MFA is that you can start reusing your passwords everywhere that offers MFA since we all know that it is the SMS code that really matters anyway.
There is a natural tendency in many of us to relax one control when we believe there is another in place. Whether that's cybersecurity, fire safety, or knife safety (I've "cut" my fingers in the kitchen more times when I was wearing a Kevlar glove than I ever have without one on) we seem to let our guard down when we think there is another layer of protection that will keep us safe. No, Multi-Factor Authentication (MFA) isn't an excuse to use poor password hygiene, it is an escalation in security over just using strong passwords.
October 2, 2024
You should use every port in a switch or hub. Unused ports lead to data leakage. If you don't have enough devices to connect, just buy some short Ethernet cables to fill two ports at once.
Data leakage is a serious issue, but heeding uninformed advice about how to prevent it is just plain wrong. Healthy skepticism, supported by research, is always appropriate for any cybersecurity advice. Be careful where you get yours from.
October 3, 2024
Cybersecurity should be a lower priority the smaller your organization. If you're a home user, the appropriate priority for cybersecurity should be just after renovating your walk-in closet as an Airbnb.
Cybersecurity, like fire protection, needs to be a priority everywhere. While cyber incidents aren't as likely to be life threatening as a fire can be, significant financial damage is often the result. This doesn't change at home, just like fire prevention doesn't stop when you get home either. You may not need all the same controls, but you should still practice good security to protect your assets.
October 4, 2024
For the C-suite: Your organization is very likely to experience a cybersecurity event due to an action or lack of action taken by an employee. To minimize this risk, lay everyone off. Your shareholders will reward you for such forward thinking.
This one is a combination of me being testy and an important reality. People are still at the heart of well over 60% of breaches and incidents, whether as a malicious insider, an inattentive configuration or administration resource, or the unwitting target of a malicious actor. But as an industry and a society we focus so much on technical controls and so little on making our people resilient that we're spending our money in the wrong ways.
Monday, October 7, 2024
Every problem in cybersecurity can be solved by buying another technology solution. Don’t know what devices are on your network? Buy some software! Keep getting malware infections? Buy some software! Employees stealing private secrets? Buy more software!
Software, and to a lesser extent hardware, is where we tend to spend our money on cybersecurity. Study after study bears this out. Don't believe me? Just check out the vendors at Black Hat, RSA, or any other cybersecurity trade show - the vast majority of them aren't selling training as their primary offering, are they? You know they wouldn't be selling software if people weren't likely to buy it, right?
October 8, 2024
Manning your SOC 8x5 is perfectly OK. As we all know, malicious actors work Eastern Standard Time banker’s hours.
I've spent over a decade in cybersecurity services. One of the worst ideas I've ever seen is the idea that a SOC is a 40-hour-per-week operation. This one manifests in two basic ways:
- A company that builds their NOC for 8x5 and struggles to deal with "out of window" incidents. This leads to really ugly Monday mornings and loads of issues that either get ignored or don't get investigated for hours or days.
- A company that wants an MSSP/MDR company to supplement their 8x5 SOC by covering the other 128 hours per week. This sort of "hand off" always leads to very large cracks in the system that allow issues to slip through the transitions. I've counseled many a company against this approach over the years.
If you can show me a SOC that functions with 8x5 coverage I'll show you a SOC that is either not monitoring everything or your company literally shuts EVERYTHING off daily at 5:00 pm and leaves it off over the weekend.
October 9, 2024
Learn from Southwest Airlines’ experience during the CrowdStrike issue in July 2024: they were running old, unsupported versions of Windows and because of that didn't have a problem.
I can't tell you the number of times I've run into this general idea. In terms of the quality of the idea, this is right up there with "security through obscurity." And while it is true that this is part of why Southwest Airlines didn't have the outage issues Delta did, it is like saying that at least the house didn't burn down because it was already flooded. Running out-of-support software is never a good idea, security-wise. IT-wise either, but there are times when it just has to happen.
October 10, 2024
Point-in-time assessments are all you need for good security. After all, if you were secure 18 months ago surely you're still secure today.
I get it, those penetration tests are costly. Those assessments take time and effort. But in our environments today few things remain static for even a year, let alone a few months. If you aren't testing frequently you're leaving yourself exposed by your own changes in your environment every time.
October 11, 2024
Recall that your SaaS provider vendors all have your best interests at heart. If they want to use your data for their purposes I say trust em!
This was said so tongue in cheek that I nearly bit my own tongue typing it. Your SaaS providers are not there to protect your data - especially if you're an individual. They're there to make money off of you and your data. Unless and until regulation better confines their behavior, you need to be vigilant for changes in their activities and agreements.
Monday, October 14, 2024
Tech debt is a myth and there is no reason you can't still run that Windows NT Server instance another 15 years with no issues. After all, your 1974 Dodge Monaco is still running just fine so long as you replace the cigarette lighter.
There is tech debt in IT and cybersecurity both. Yet we seem to cling to an "if it ain't broke don't fix it" mentality, not recognizing that those older systems are vulnerabilities in and of themselves, even if they seem to be working. Often those older systems lack modern security tools and can't be upgraded.
October 15, 2024
Hackers have stopped trying common passwords when they try hacking into things. This is a great time to switch back to Password123 as your password for everything - hackers don't believe anybody is this lazy anymore.
Some of the most commonly used intrusion tools have existed essentially unchanged for nearly a decade. Bad passwords are still being used, and the list of them hasn't changed appreciably in forever. Hackers know we still do the basics poorly, and they still try those old techniques and passwords.
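The practical defence against the "nobody tries Password123 anymore" myth is to reject passwords that appear on a list of commonly used ones, including the trivial variants (trailing digits, a "!" on the end, leetspeak) that people reach for when the plain word is refused. The following is an added example, not code from the original post; the blocklist is a small constructed sample standing in for a real breached-password corpus, and the normalization rules and function names (`normalize`, `is_blocked`, `check_policy`) are my own choices rather than any standard's.

```python
"""Blocklist check for commonly used passwords and their trivial variants."""
import re

# Constructed sample blocklist (assumption: a real deployment loads a large
# "top N" breached-password corpus; these seven entries are illustrative only).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou",
}

# Reverse the usual single-character leetspeak substitutions (0 -> o, 3 -> e, ...)
# so that "P@ssw0rd" normalizes back to "password".
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Trailing digits and punctuation that users commonly append to satisfy a
# complexity rule without actually choosing a different password.
TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*.?]+$")


def normalize(candidate: str) -> str:
    """Reduce a candidate to its base word: lowercase, drop trailing
    digits/symbols, then undo leetspeak. 'Password123' -> 'password'."""
    base = candidate.lower()
    base = TRAILING_JUNK.sub("", base)
    return base.translate(LEET_MAP)


def is_blocked(candidate: str, blocklist=COMMON_PASSWORDS) -> bool:
    """True when the candidate itself, or its normalized base word, is on the list."""
    if candidate.lower() in blocklist:
        return True
    return normalize(candidate) in blocklist


def check_policy(candidate: str, min_length: int = 12) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable.
    Length is checked first so a short blocked password reports both problems."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_blocked(candidate):
        problems.append("matches or trivially derives from a commonly used password")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the blog's own example plus common dress-ups of it.
    for sample in ("Password123", "P@ssw0rd!", "welcome2024", "correct-horse-battery-staple"):
        verdict = check_policy(sample) or ["acceptable"]
        print(f"{sample!r}: {', '.join(verdict)}")
```

Normalization deliberately errs toward rejecting: a password whose base word is on the list is refused even if the user's decoration makes it technically unique, because that decoration is exactly what credential-guessing wordlists already include. Pair the check with a minimum length rather than composition rules, and apply it at password creation and change, not only at login.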
October 16, 2024
The more identity monitoring services you have, the safer you are, especially given all the financial, legal, and crime investigation resources these companies bring to bear on your behalf.
Somehow we've normalized the idea that when a company loses your data a period of time subscribed to an identity monitoring service is appropriate compensation. But most people aren't really aware of how little these services actually can do. They can help you detect some things and...and that's about it. Don't let yourself believe you are somehow protected by these services.
October 17, 2024
The fact that your security team hasn't identified a breach is a strong indication that you haven't been breached. Job done, you can stop spending on security now.
One of the major issues with the entirety of the profession and industry of cybersecurity is that we're graded on being able to prove a negative. "Success" is measured either in metrics that have no actual value, or in the idea that no breaches were detected, and therefore success was achieved. But absence of evidence is not evidence of absence, or put another way, just because you didn't see it doesn't mean it didn't happen.
October 18, 2024
Most security technology is like your refrigerator: once you deploy it you can safely ignore it for years and years, unless there's a long power outage. Then throw everything out.
There's a bit of math here, but it is reasonable to suggest that every security department has between 2 and 5 security tools per security team employee. As a practical matter that means that, assuming 3 shifts per day and 2 shifts on weekends, every employee is responsible for the operation of somewhere between 10 and 50 tools while on shift. No wonder we treat them as "fire and forget," ignoring the fact that most need constant attention to be valuable.
Monday, October 21, 2024
The best way to ensure nobody can get data off of old cell phones is to make the battery catch fire. For this I recommend using a neon sign transformer connected directly to the USB charging cable.
Cell phones, tablets, thumb drives, etc. are great places to forget that sensitive data lives. But for most of us, the simple expedient of resetting the device to factory defaults and erasing all the data that way is probably good enough. Thumb drives, and even modern "gum stick" style SSDs, are easy enough and inexpensive enough to mechanically destroy before recycling them. But that doesn't mean that there aren't plenty of esoteric recommendations out there for how to make the devices unreadable.
October 22, 2024
Make sure your security cameras blanket bare external walls, because you never know who is going to cut a hole through them to enter your building - doors and windows are for chumps.
Be wary of the urge to over-protect. Yes, I'm a cybersecurity professional and I'm telling you that there is such a thing as over-spending and over-focusing on security. Unless your facility is about to be breached by Fiona Glenanne [1], odds are extremely low that someone is going to go through a solid wall instead of a door or window. So too with cybersecurity. Sure, good cybersecurity means overlapping controls and redundancies where appropriate, but it also means not wasting time on the unimportant, unless you are in the rarest of organizations that happens to have unlimited cybersecurity funds and resources. (If you are, please reach out; I've always wanted to see a unicorn in person.)
October 23, 2024
The world's best security programs are 100% compliance based. After all, if the government didn't ratify a law or at least a rule about it, how important can it be?
Beware the "compliance based" security program. Compliance is the excuse to spend the least possible effort on cybersecurity. Not unlike building code, it sets a minimum expectation - not a recommended peak for good cybersecurity. Many compliance requirements also have little to do with practical cybersecurity outside of a very narrow range of content, such as credit card data.
October 24, 2024
Your company's security isn't your problem, that's why they have a cybersecurity team! Just like accounting and finance isn't your issue.
From the first month of my first job out of college I was responsible for traveling on behalf of my employer. Every dollar spent on every trip was my responsibility to either account for or pay for myself. Yet my role was never that of an accountant or finance resource.
It seems silly to have to use that analogy, but when is the last time you recognized your own responsibility to all the various things your company has to be responsible for outside of your job focus? Like it or not, you are responsible for at least a small part of all of those things, cybersecurity included.
October 25, 2024
The free market is handling cybersecurity issues without any need for government interference. Just look at all the companies who have been devastated by significant breaches: Home Depot, TJ Maxx, Target, AT&T, T-Mobile, MGM Resorts…need I go on? Nobody even uses any of these companies anymore.
Sorry to all the strict "free market" disciples out there, but cybersecurity events aren't causing companies to close right and left as they have breaches. There isn't a single national cellular provider who hasn't had at least one customer data breach. Customers don't have enough options to "vote with their wallets" after a company loses their data. Even worse for the customers is that even leaving that vendor doesn't fix the problem that their data is now leaked. Until extremely recently, breaches have been settled with veritable "slaps on the wrist," and no truly meaningful improvement, change, or commitment to doing better. Unfortunately government needs to step in here. That said, there's a strong argument to be made that governments should be focusing more on carrots for good cybersecurity practices rather than sticks for breaches.
Monday, October 28, 2024
Storing your passwords in a document works much better if you store that document in your cloud storage solution. This is such a good idea that you should include your financial information and SSN in the same file. Always name it “passwords” so you will never forget it.
We all tell ourselves silly stories about how we're keeping our data safe. One of my favorites is the online spreadsheet of passwords. Yes, I know people who have these. Yes, I beg them to find a different solution. Free cloud storage isn't particularly secure, especially when the terms of service indicate that the cloud storage provider has the right to read any of your content for their own purposes - only "corporate" cloud offerings usually have some sort of real privacy expectations associated with them.
October 29, 2024
Your PII is already everywhere on the web. This means you can start claiming that any purchases or financial transactions you don't want to be responsible for were the work of hackers, and everyone has to believe you.
This is a variation of the "you can't win, might as well give up" attitude, mixed with some absurdity. Yes, your data may be lost. But how about your children? Their children? Their data may not even exist yet. Even if you're ready to give up on your own situation (which I don't recommend), we need to continue to strive to make things more secure for those not yet impacted. Ignoring the problem only allows it to continue to snowball.
October 30, 2024
Cybersecurity isn’t that important, after all it’s only data. Not like anybody can get injured or anything.
Sure, the hospital is an overused cliché. But we know that cybersecurity incidents at hospitals have led to deaths and to delayed service for people with health emergencies. We also know that cybersecurity intersects directly with the real world every day; whether it is the "autopilot" feature in a car or the management of a fuel pipeline, there are crossovers everywhere. The idea that cybersecurity is just about "data" was never accurate: even from the very earliest days of computing, computers were always connected to the real world.
October 31, 2024
I’m not a target, I don’t have anything somebody would want.
Perhaps the granddaddy of all the lies we tell ourselves about cybersecurity. If there's one thing we all should have learned in the age of ransomware it is this: if your data or systems are critical to your ability to do business, then you can be extorted by interrupting that data and those systems. That's it. Every one of us, from individuals through to global enterprises, is a target for this sort of attack. We may only be targets of opportunity, but that isn't the same thing as being "safe" from being targeted.
Further, as has been demonstrated time after time, consumer products - such as routers and firewalls - are prime targets for botnets, taking over the very systems we depend on at home to serve as the basis of malicious attacks carried out for anything from ransomware to espionage and pre-staging for state-sponsored attacks.
Putting a Bow On It
Mixing metaphors with the image at the beginning of the article, I hope you've chuckled, shaken your head, rolled your eyes, and exercised your gray matter with this list. 23 days' worth of cyber disinformation has been handed out and dissected. Hopefully suffering through all of these will help you question the next bit of cybersecurity "truth" you run across, and help you separate the good ideas from the fertilizer.
[1] Fiona is a fictional character from the USA series "Burn Notice," and her solution to most problems involved C4.