Busting/Debunking The Top 5 Mainstream Cyber-Security Myths

By Ashish Thapar, Managing Principal, Investigative Response – APAC, Verizon Enterprise Solutions

India, the fastest growing technology market is expected to grow at 12-14%, from smart wearables to smart homes to smart cities, the technology industry in India is progressing at a lightning speed.

The technology industry has witnessed a remarkable surge and is the fastest growing market across the globe. An individual’s dependency on technology is increasing day by day, we all depend on it and use various technologies to accomplish specific tasks in our lives.India, the fastest growing technology market is expected to grow at 12-14%, as per a recent report by National Association of Software and Services Companies (NASSCOM).From smart wearables to smart homes to smart cities, the technology industry in India is progressing at a lightning speed.

Ashish Thapar, Managing Principal, Investigative Response – APAC, Verizon Enterprise Solutions

With the public nature of the Internet comes the emergence of many new blind spots making critical infrastructure belonging to businesses and the government equally susceptible. Mobile apps, e-commerce, online banking and technologies such as cloud and Internet of Things that have increasingly been adopted by both small and large enterprises, also give rise to newer blind spots in the cyber security protection layers of an organization. This rapid evolution of new-age technology and hyper-connectedness makes it susceptible to hackers and cyber-criminals, who are more funded, smart and focused.

Cyber-crimes reported in India rose 19 times over the last ten years (2005 to 2014), from 481 in 2005 to 9,622 in 2014. India now ranks third–after the US and China–as a source of “malicious activity” on the Internet and second as a source of “malicious code”, according to National Crime Records Bureau (NCRB).

As organizations today realign their business models to the digital world, security of personal and sensitive data has gained paramount importance. The vulnerability of this data is primarily due to the fact that robust and effective cyber security infrastructure is still missing. While some of the organizations still do not implement comprehensive security strategies, others are focused on developing specific tactical solutions that address only temporary problems or merely compliance requirements.

There are a few organizations that are still influenced by the myths surrounding‘cybercrime’. They are often under the delusion that their security strategies of the previous year are sufficient to eliminate the current cyber threats and assume that they can’t be a possible target due to the nature and size of their business. However, even if a critical data of value is easily available to access, then, cyber-criminals intend to make it their mission to obtain it and use the data to their benefit. At the end of the day, nobody is immune to cybercrime and the longer it takes for an organization to discover a breach, the more time attackers have to penetrate its defenses and cause damage.

For years now, there have been a lot of myths surrounding cyber-attacks. The truth is that there is no such thing as an impenetrable system. Let’s take a look at some of these common cyber security myths and dispel them once and for all:

Myth #1: Hackers carefully select their targets

It is believed that hackers always carefully select a target and then hit them with a zero-day attack. An individual always has this myth that hackers investigate and then chose their targets accordingly.

Truth

Contrary to the myth, most of the attacks are opportunistic, indiscriminate and exploit known vulnerabilities across all industries. The top 10 vulnerabilities account for 85% of successful exploit traffic. And the remaining 15% consists of over 900 Common Vulnerabilities and Exposures (CVEs). 

Myth #2: The good guys are catching up quickly to stop these cyber-attacks

Attackers are faster, highly motivated and well-funded at times. It is known that cyber attackers are relentless, agile, fast and resourceful.We always assume that the good guys are catching up and will help to quickly repair the damage caused and fix the issue.

Truth

The gap between the compromise and detection is widening unfortunately with nearly 1 million new malware threats being released every day. In 93% of breaches, attackers take minutes or less to compromise systems. But four out of five victims don’t realize they’ve been attacked for weeks or longer. And in 7% of cases, the breach goes undiscovered for more than a year.

Myth #3: Passwords ‘easily’ reveal one’s identity

Passwords prove the identity of authorized users.

Truth

Generally, passwords are meant to protect our data that we provide online. Many cyber-attacks also happen when the hackers identify an individual’s password. It is always advisable not to provide the same password for all online registrations and more importantly do not use most sensitive passwords to access websites from shared machines/public areas. To avoid data breaches, many websites accept password combinations which are difficult to crack. For instance, a combination of at least one uppercase letter, one symbol, and one number is preferred these days. Web sites also provide the strength of passwords to prevent cyber-attacks. 63% of the confirmed data breaches leverage a weak, default or stolen password. Having said that, it is important to mention even an extremely strong password would not provide any risk mitigation when it is stolen; and that is why we recommend multi-factor authentication for all sensitive and privileged access.

Myth #4: Cyber-attacks are not possible through phishing emails

Phishing emails are easy to identify and ignore.

Truth

Phishing is on the rise. One of the most common means for cyber-attacks these days is by phishing. Hackers swiftly infiltrate corporate systems and extract all the relevant data. Most of the phishing attacks are usually done by sending out a seemingly legitimate email that asks the recipient to click on an email, reset a password or open an attachment. From there on what happens is something that entirely depends on the battle between the organization's security controls and the attackers’ game.

Despite creating full awareness and imparting proper training, a lot of employees still can’t recognize phishing messages. 30% of phishing emails are opened, and about 12% of targets go on to click the link or attachment.

Myth #5: There is a surge in cyber-espionage attacks

Cyber-espionage attacks are widespread and increasing. 

Truth

Money remains the main motive for attacks. Cyberespionage groups use a single vulnerability to target organizations around the world.Recently, two government organizations, one of the largest financial institutions and a top IT firm have been among the targets of an advanced cyber espionage group conducting long-term espionage campaigns against high-profile targets in India.80% of these analyzed breaches generally have a financial motive.

Many businesses that fall victim to cyber-attacks don’t have basic security practices in place such as identifying their most critical assets and data or implementing stronger controls to manage risk. Overlooking the most basic steps like learning fundamental things about cyber security can lead to disaster.

Awareness is the first and best form of defense against cyber-criminals and lack of this basic awareness in some organizations ensures repeated success of the cyber criminals.

Another measure is to effectively isolate the most sensitive assets in an organization from the non-critical systems. To negatively impact the economic balance of the cyber-attacks, an organization must strive to create multiple checkpoints in the potential attack path that an adversary could take; thereby raising the bar and creating air-gaps.