With malware a constant threat across the internet – it's projected to cost the world six trillion dollars annually by 2021, according to Steve Morgan of the Cybersecurity Business Report – businesses need strong cybersecurity practices to keep networks and user’s devices secure from threats.
However, while there's increasing awareness among businesses and end users of the threats they face, and what can be done to defend against them, there are still plenty of misconceptions around cybersecurity – and here are six in particular that need to be debunked.
1. A firewall keeps the network secure
A firewall is the technology used to keep an internal network secure, and keep unauthorized users off a network, while allowing data transfer to and from the internet. There are two types of firewalls: hardware and software. In a typical home network setup the router is the hardware device, while a PC running Windows contains an integrated software firewall.
While this typical setup sounds like it should be pretty secure, this isn't necessarily the case. It doesn't help that most users don't even install firmware upgrades for their router that contain the security patches that manufacturers put out.
There are plenty of examples of routers being compromised. These include a worm dubbed The Moon, which infected Linksys routers back in 2014, and which was stopped by the manufacturer issuing a firmware patch. WPS (Wi-Fi Protected Setup) is another known vulnerability for all routers, with users advised to disable the feature in the router’s settings.
The prudent thing is to check that your firewall is secure, and this can be tested via GRC’s ShieldsUP!. While it's convenient to use a home router, security conscious users would do well to heed the advice Michael Horowitz offered at the Hope X Hacker Conference recently in NY. He recommends installing a commercial router that's more robust at the firewall function, as enterprise equipment offers more frequent firmware upgrades, and has no function for WPS or UPnP, another potential security issue.
2. Antivirus software is enough
Just as getting your flu shot annually doesn’t protect you from many other viruses, including the common cold, so just running a single antivirus software program is not enough to protect you from the myriad malware threats out there.
Most antivirus programs do a decent job of protecting against computer viruses, but can be hit and miss when it comes to the multiple other types of malware, including adware, Trojans, spyware, browser hijackers, worms, rootkits, backdoors, keyloggers and ransomware. Microsoft includes Windows Defender integrated into its OS, and while historically it wasn’t the best solution, these days it has improved quite a bit when it comes to dealing with viruses.
However, Defender still needs to be supplemented with an additional antivirus program, as well as an antimalware program. Choose one to constantly monitor things in the background, and run the others at a regular interval, say once a week.
3. Hacking is only for experts
The proverbial ‘computer hacker’ is the evil computer-coding genius – an individual so smart that they can pit their wits against security services and governments. In the popular imagination they can be found either in their underground lair, or skulking in a coffee shop wearing a hoodie.
We’d be better off if the evil genius depiction was accurate, as hackers would be much rarer; unfortunately there are plenty of hackers who have only rudimentary computer skills, and who make their mischief via existing code. They’ve become so common that they have their own name – ‘script kiddies’, as they don’t write any of the code themselves. The latest program designed for these amateur hackers is known as Autosploilt, which is designed to detect and automatically exploit known vulnerabilities.
4. Passwords are adequate security
Passwords remain a cornerstone of internet security, keeping accounts safe from all types of attacks. However, they get compromised quite often, including by advertisers that grab data even from an online browser's integrated password manager. The insecurity of passwords has even spawned a website where users can check if their credentials have been hacked, and are appearing in online databases.
Users are encouraged to come up with strong passwords – i.e. ones that are long and complex – and to change them at regular intervals. Better yet, don’t rely only on a password, and enable two-factor-authentication (2FA), which requires you to use a secondary means of logging into your account, typically via your smartphone. While previously this could involve a text message being sent to your phone, with the advent of SIM card cloning you’re are better off bypassing this older method, and going with the more secure authentication app for those services that offer it.
5. A VPN makes you completely anonymous
A method frequently turned to for privacy and security online is to run internet traffic through a VPN. The idea is that, by encrypting all the traffic leaving their LAN and going to the internet until it’s decrypted at the VPN’s server, the user will be anonymous, and therefore immune from hacking. However, Cisco has recently issued an alert about a VPN bug that affects their popular Adaptive Security Appliance software, and which can allow a hacker to reset the system, and even take full control of it.
While a VPN encryption tunnel can help in certain situations, such as getting around a geolocation restriction to watch a video, and browsing over a public wireless network to avoid a Wi-Fi packet sniffing attack, this hardly makes the user anonymous, or immune to other types of security compromises.
Remember that a VPN can also be compromised, either via an IP leak or via a DNS leak. In addition, a VPN’s data can be subject to mass decryption from government servers.
6. HTTPS is always secure
HTTP is the Hyper Text Transfer Protocol, the method by which data is transmitted between the internet and your browser. A variant of this is HTTPS, which stands for Hyper Text Transfer Protocol Secure, which means data is encryption while it’s being transmitted. Websites that support HTTPS are typically banking or other finance-related sites, online stores and others that would benefit from enhanced security.
While HTTPS is generally preferred to its unencrypted counterpart, it’s by no means fully secure. In fact, several years back the ‘Logjam’ vulnerability was described, which according to TechRadar’s Jamie Hinks “lets eavesdroppers view data passing over encrypted connections and then modify it to successfully perform man-in-the-middle attacks”.