Greetings to our dear reader! We begin with a gentle reminder that this is the digital era, where spectacular technological inventions born of ingenious minds catch the eye of people in every corner of the globe and drive them wild with fascination. These advancements keep yielding better products every day, rendering outdated the ones that seemed great just yesterday. At such a fast pace, are updates applied just as constantly to security? Are security concerns being looked after effectively?
Why so? Reading this blog further will let you know!
What’s shocking still?
I had the privilege to go along with my boss to a client meeting where we were asked to conduct a security assessment on their infrastructure. After the project confirmation, our client said that our security team wouldn’t identify any vulnerability. We asked why, and they replied that they had placed a firewall and a familiar antivirus product in their infrastructure environment. When our team later tested their environment, many critical and high-level issues like SQL injection were identified which, if they hadn’t been found and patched, would have compromised their entire security systems and caused terrible repercussions. This reality shocked them, and us too, as even reputed organizations are still complacent with having very few security features and believe that to be fine despite the ever-growing and evolving cyber threats. This pathetic mindset in many organizations is a significant reason why data breaches are on the rise.
Other reasons for rising security threats:
1. Failing to apply patches:
Patches have to be applied as soon as they are released. This removes the threats that arise from running outdated and unpatched software. It has also become much easier: desktop OSes like Windows and mobile OSes like Android and iOS now provide an auto-update feature that lets users apply patches with just a click or two.
2. Usage of weak passwords:
A survey reveals that 60% of users use easily guessable passwords like their names, and many companies (mostly ISPs) still use default passwords. Another survey revealed that in the UK alone, the average person uses the same password for 19 different accounts. This lets a hacker easily guess one password and compromise your systems. To prevent this, ensure strong passwords with the right combinations (lower/upper case, alphanumeric and special characters) are used, and avoid reusing the same password across accounts, thereby making it tedious for hackers to crack passwords through brute-forcing.
3. Flaunting in social media:
Social media has captured the minds of countless youngsters and many adults, who expose every tiny detail about themselves publicly for likes and publicity. When a hacker crawls through various accounts and finds juicy information on someone, they illegally collect it, spoof the person and misuse the information in criminal ways, then threaten the victim for money. If the victim fails to pay, everything gets leaked online, resulting in cyberbullying, which is one of the causes of the rising number of suicides.
4. Surfing on unsecured connections:
Kindly avoid connecting to free Wi-Fi at coffee shops and other places. Too many threats arise through it, such as password spoofing and end-device compromise. Never register any details on websites that aren’t protected by HTTPS. Also, pay attention to a website’s SSL certificate warnings, such as whether the certificate is expired or valid.
5. Failing to protect devices:
A small yet costly mistake that many people make is leaving their desktops and laptops unlocked and open. Even if it’s just for a coffee break, systems must be locked before stepping away and must be shut down before ending the office day. Also, make sure nobody is looking over your shoulder, as they may see your password when you unlock.
6. Unencrypted remote login:
Since the new normal of WFH began, employees have had to connect to office systems remotely. Much unencrypted remote-connection software and many VPNs were used to connect remotely, which wasn’t a good security sign. In August 2020, a massive 1.2 TB of data was leaked by hackers due to employees using unencrypted remote connections through Pulse Secure VPN. Thus, avoid telnet-like unencrypted connections and use SSH instead.
7. Downloading apps from 3rd party sources:
If you are an Android user, download apps only from the Play Store, which is verified by Google, and from the App Store for iOS. Never download apps from 3rd-party sources, as they may contain malware that secretly installs on your device and tracks your activities. They may appear fine, but they really aren’t.
8. Not upgrading security solutions:
Having security solutions deployed in your infrastructure is good, but keeping them updated is the key. Whether it is a firewall, an antivirus solution or cloud protection, ensure it is kept on the latest version.
9. Failing to take backups:
Backups are super important and must be taken on a regular basis. Especially with ransomware attacks on the rise, having backups lets you restore your data. Of course, the data may already be known to the hackers and the CIA triad compromised, but the data will not be lost. Moreover, failing to take backups can result in hefty GDPR fines during an audit.
10. Complacency and ignorance towards security:
Two contrasting delusions dominate many people’s thinking about information security: half are happy in false complacency, while the rest take comfort in ignorance. Regarding complacency, remember that nothing is 100% secure; regarding ignorance, remember that nobody is an exception to hacking and every digital entity can be hacked.
The former Special Counsel for the United States Department of Justice Mr. Robert Mueller has said:
The final touch:
The most important one of all is always saved for last. Similarly, besides the ones mentioned above, the most prominent security mistake is the lack of human awareness. No matter how effectively VAPT is performed or how strong the technical defenses deployed, neither makes real sense unless employees are aware of the threats.
Good Security Standards follow the “90/10” Rule:
- 10% of security safeguards are technical
- 90% of security safeguards rely on the computer user (YOU!) to adhere to good computing practices
Awareness training must be given to all employees covering all scenarios, and practical demonstrations of all social engineering attacks (i.e., phishing, vishing, etc.) must be given with effective tips to spot phishing pages/links, tell them apart from real ones and walk away without clicking. In case a breach or other unfortunate security disaster happens, employees must also be taught how to respond and whom to report it to so it can be sorted out smartly!
Mr. Bruce Schneier, one of the world’s most famous cryptographers, on the human factor: