Although the technology around digital security has come a long way in recent years, persistent misconceptions continue to weaken systems across industries.
While it may not be surprising that everyday internet users make security blunders, these issues aren't limited to casual users. Here are some common fallacies that even the most seasoned IT professionals still buy into:
FALLACY 1: Minimal controls are sufficient.
This is the idea that any control is enough to deter bad actors. In this day and age, that's simply not true. Enterprises using only usernames and passwords to authenticate identities may think they are protected, but minimal controls are simply not enough.
Even those with legacy systems that don't offer other built-in options must consider ways to enhance their controls. There is always a way to beef up security—and it's important that all enterprises explore these means. Keep in mind that every enterprise's data is of some value to a bad actor, so minimal security controls cannot be considered a reasonable barrier. If you must live with legacy systems that cannot be refactored, add them to your list of systems that need special monitoring attention, or add some other compensating security control, such as network isolation.
FALLACY 2: All types of risk can be remedied with the same solution.
Not all multi-factor authentication (MFA) is created equal, and businesses with high-value information don't always choose their MFA techniques correctly. The security level of the MFA method a company chooses must be proportional to the value of the company's information to bad actors. Companies are only now starting to understand that they need MFA techniques to match the risk level associated with their business. Enterprises who house high-value information—banking information, Social Security numbers, credit card numbers, health information, etc.—must engage in more secure procedures than those who do not.
FALLACY 3: A virtual private network (VPN) is all you need.
This fallacy encompasses four points of issue: node termination, flat networks, credential protection, and the principle of least privilege. People who use VPNs assume that the cryptographic tunnel is sufficiently secure without considering other factors that affect access. Doing any of the following puts VPN users at risk even if the tunnel itself is sound:
- Not assessing the trustworthiness of the node termination (i.e., the VPN provider)
- Running a flat network that allows external VPN access to too much of the enterprise network
- Using weak credential form factors
- Over-privileging users
Ignoring these considerations—which many VPN users do—violates the principle of least privilege and puts users at risk.
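The flat-network and over-privilege points above can be made concrete by comparing two VPN routing policies. The following is an added example, not code from the article or from any product it mentions: the segment layout, role names and address ranges are constructed, and it assumes VPN clients are granted routes per role. It uses only Python's standard `ipaddress` module.

```python
"""Added example (not from the original article): compare a flat VPN access
policy with a segmented, least-privilege policy and report which internal
segments each role is over-exposed to. All names and ranges are constructed."""
import ipaddress

# Constructed internal network layout (assumption: private RFC 1918 ranges).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app-servers": ipaddress.ip_network("10.20.0.0/16"),
    "database": ipaddress.ip_network("10.30.0.0/16"),
    "identity": ipaddress.ip_network("10.40.0.0/24"),
}

# Flat network: every VPN client is routed to the entire private range.
FLAT_POLICY = {
    "contractor": [ipaddress.ip_network("10.0.0.0/8")],
    "developer": [ipaddress.ip_network("10.0.0.0/8")],
    "dba": [ipaddress.ip_network("10.0.0.0/8")],
}

# Segmented, least-privilege policy: each role only gets what its job needs.
# (Nobody reaches the identity segment over the VPN in this constructed layout.)
SEGMENTED_POLICY = {
    "contractor": [SEGMENTS["workstations"]],
    "developer": [SEGMENTS["workstations"], SEGMENTS["app-servers"]],
    "dba": [SEGMENTS["app-servers"], SEGMENTS["database"]],
}


def reachable_segments(policy, role):
    """Sorted names of the internal segments a role can reach under a policy."""
    allowed = policy.get(role, [])
    names = [name for name, seg in SEGMENTS.items()
             if any(seg.subnet_of(route) for route in allowed)]
    return sorted(names)


def overexposure(role):
    """Segments the flat policy hands a role that least privilege would deny."""
    flat = set(reachable_segments(FLAT_POLICY, role))
    tight = set(reachable_segments(SEGMENTED_POLICY, role))
    return sorted(flat - tight)


def can_reach(policy, role, address):
    """True if a VPN client holding `role` is routed to the given host address."""
    host = ipaddress.ip_address(address)
    return any(host in route for route in policy.get(role, []))


if __name__ == "__main__":
    for role in FLAT_POLICY:
        print(f"{role}: flat policy over-exposes {overexposure(role)}")
```

Running it shows that under the flat policy a contractor account, or a stolen contractor credential, is routed to the database and identity segments it has no business reaching; the segmented policy limits the blast radius of any single compromised VPN login.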
FALLACY 4: You can always detect the bad guy through anomaly monitoring and block-listing.
Both technologies are great, but they cannot secure an enterprise when used in isolation. Even so, many enterprises over-invest in—and overestimate the value of—these systems while ignoring other measures that must be layered alongside them.
Both of these measures are integral to comprehensive enterprise security, but relying on them as the program's backbone assumes that the technology will notice bad actors in the system. Hackers' methods often look identical to legitimate network traffic, and they often use legitimate credentials. Assuming a hacker's methods will throw up red flags every time they attempt a breach leaves enterprises open to substantial risk.
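To see why a blocklist and a failed-login anomaly rule miss activity that uses valid credentials, here is an added example (not from the article) that runs both checks over a handful of constructed authentication events, then layers a third signal. The event records, the blocklisted address, the failure threshold and the per-user sign-in baseline are all constructed assumptions.

```python
"""Added example (not from the original article): run a blocklist check and a
brute-force anomaly rule over constructed auth events, then add a per-user
baseline check, and list which successful logins each layer leaves unflagged."""
from collections import Counter

BLOCKLIST = {"198.51.100.7"}   # constructed; address from the TEST-NET-2 range
FAILURE_THRESHOLD = 5          # failed logins per source before it is flagged

# Constructed events: (source_ip, user, outcome, country_of_source)
EVENTS = [
    ("198.51.100.7", "alice", "fail", "US"),
    ("198.51.100.7", "alice", "success", "US"),     # caught by the blocklist
] + [("203.0.113.9", "bob", "fail", "US")] * 5 + [  # caught by the threshold
    ("203.0.113.50", "carol", "success", "US"),     # ordinary sign-in
    ("203.0.113.51", "carol", "success", "DE"),     # valid credentials, new country
]

# Constructed baseline: countries each user has historically signed in from.
USER_BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def blocklist_hits(events):
    """Events whose source address is on the blocklist."""
    return [e for e in events if e[0] in BLOCKLIST]


def anomaly_hits(events):
    """Events from sources that crossed the failed-login threshold."""
    fails = Counter(e[0] for e in events if e[2] == "fail")
    noisy = {ip for ip, n in fails.items() if n >= FAILURE_THRESHOLD}
    return [e for e in events if e[0] in noisy]


def baseline_hits(events):
    """Successful logins from a country the user has never signed in from."""
    return [e for e in events
            if e[2] == "success" and e[3] not in USER_BASELINE.get(e[1], set())]


def undetected_successes(events, detectors):
    """Successful logins that none of the given detectors flagged."""
    flagged = set()
    for detect in detectors:
        flagged.update(detect(events))
    return [e for e in events if e[2] == "success" and e not in flagged]


if __name__ == "__main__":
    two_layers = undetected_successes(EVENTS, [blocklist_hits, anomaly_hits])
    three_layers = undetected_successes(EVENTS, [blocklist_hits, anomaly_hits, baseline_hits])
    print("unflagged with blocklist + anomaly:", two_layers)
    print("unflagged with baseline added:    ", three_layers)
```

With only the blocklist and the failure-count rule, the sign-in with carol's valid credentials from an unfamiliar country looks exactly like her routine sign-in and passes untouched; the extra behavioural layer is what surfaces it, which is the layering the text calls for.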
FALLACY 5: Proximity means security.
Despite the ongoing switch to cloud-based networking across industries, many IT professionals still believe that proximity to servers and identity management systems affords them more control than they would have over a cloud solution. That's not true. Owning the hardware and hosting your own systems doesn't make it any more secure.
FALLACY 6: Operating systems are inherently trustworthy.
This is a fallacy that many hardware vendors engage in, and often it is because they decide to trust Active Directory. Whether due to ignorance or uncertainty, the security architects of these devices often blindly trust that the operating system the device runs will be devoid of security risks. They assume this even though many OS providers have acknowledged vulnerabilities that have long been pointed out by white-hat researchers or have been actively used by bad actors. We have moved on from blind trust in legacy OS security controls; it is time to move to stronger and more modern authentication systems that are application-based rather than network-based.
FALLACY 7: Credential form factors don't need protection.
Regardless of the type of certificate in use, credential form factors must be protected somehow. Many users, especially developers or operations staff pressed for time, make the mistake of hard-coding their credentials, which can lead to leaks. Whether by software or other measures—like credential vaults, for example—users who fail to protect their credentials are opening themselves up to substantial risk.
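The hard-coding mistake and its fix side by side, as an added example that is not from the article: the "before" ships the secret inside the code, the "after" refuses to run without the credential being supplied from outside (the process environment here, standing in for a vault lookup), and a small check flags literal secrets in source text before they are committed. The key value, variable names and regex are constructed assumptions.

```python
"""Added example (not from the original article): a hard-coded credential
beside its hardened form, plus a minimal scanner for literal secrets in source.
Every value and pattern here is constructed."""
import os
import re

# --- Before: the anti-pattern. The value travels with every clone, fork, build
#     artefact and log of the repository. (Constructed placeholder, not a real key.)
API_KEY = "EXAMPLE-HARDCODED-KEY-0000"


def connect_insecure():
    """Builds a request header straight from the embedded literal."""
    return {"Authorization": f"Bearer {API_KEY}"}


# --- After: the credential lives outside the code. Reading it from the
#     environment is the simplest form; a vault client call has the same shape.
class MissingCredential(RuntimeError):
    """Raised instead of silently falling back to a baked-in default."""


def load_credential(name, environ=None):
    """Fetch a named credential from the environment (or an injected mapping)."""
    environ = os.environ if environ is None else environ
    value = environ.get(name)
    if not value:
        raise MissingCredential(f"{name} is not set; refusing to use a default")
    return value


def connect_hardened(environ=None):
    """Same header as before, but the secret is supplied at run time."""
    return {"Authorization": f"Bearer {load_credential('SERVICE_API_KEY', environ)}"}


# --- Pre-commit style check: an assignment of a quoted literal to a name that
#     looks like a secret. Deliberately simple; real scanners use many more rules.
SECRET_ASSIGNMENT = re.compile(
    r"^\s*(\w*(?:key|secret|password|passwd|token)\w*)\s*=\s*(['\"])(.+?)\2",
    re.IGNORECASE | re.MULTILINE,
)


def find_hardcoded_secrets(source):
    """Return (line_number, variable_name) for each literal secret assignment."""
    findings = []
    for match in SECRET_ASSIGNMENT.finditer(source):
        line_no = source.count("\n", 0, match.start()) + 1
        findings.append((line_no, match.group(1)))
    return findings


# Constructed source snippet used to exercise the scanner.
SAMPLE_SOURCE = (
    'db_password = "hunter2"\n'            # flagged: literal secret
    'key_name = os.environ.get("KEY")\n'   # not flagged: read at run time
    "API_TOKEN = 'abc'\n"                  # flagged: literal secret
)

if __name__ == "__main__":
    print(find_hardcoded_secrets(SAMPLE_SOURCE))
```

Note that `load_credential` treats an empty value the same as a missing one; a blank token that gets sent anyway is a common way a "works on my machine" default leaks into production.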
FALLACY 8: Credentials don't need management.
The explosion in certificate volume that many enterprises are experiencing, thanks to work-from-home arrangements, emerging use cases, and other advancements, has already occurred. Many businesses are finding their IT departments overwhelmed by the number of certificates in their networks. Unfortunately, just having the certificates in place isn't enough. Enterprises need reliable, integrated management systems to ensure certificates are not left to expire, sit unrevoked, or be compromised in other ways.
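The three failure modes named above (expiry, sitting unrevoked, and being left unmanaged) can be checked mechanically once an inventory exists. The following is an added example, not from the article: it triages a constructed certificate inventory by expiry date and revocation status. The inventory records, the dates and the 30-day warning window are assumptions; a real inventory would be fed from the issuing CA or from scanning the network's endpoints.

```python
"""Added example (not from the original article): triage a certificate
inventory into expired, expiring, retired-but-unrevoked, and healthy.
The inventory and the reference date are constructed."""
from datetime import date

WARN_DAYS = 30  # assumption: start renewal when 30 days or fewer remain

# Constructed inventory. A real one would carry serials, issuers and SANs too.
INVENTORY = [
    {"name": "vpn.example.internal", "not_after": date(2021, 10, 15), "in_use": True, "revoked": False},
    {"name": "api.example.internal", "not_after": date(2021, 8, 1), "in_use": True, "revoked": False},
    {"name": "mail.example.internal", "not_after": date(2021, 8, 25), "in_use": True, "revoked": False},
    {"name": "old-build.example.internal", "not_after": date(2022, 3, 1), "in_use": False, "revoked": False},
    {"name": "www.example.internal", "not_after": date(2022, 6, 30), "in_use": True, "revoked": False},
]


def days_remaining(cert, today):
    """Days until notAfter; negative once the certificate has expired."""
    return (cert["not_after"] - today).days


def triage(inventory, today, warn_days=WARN_DAYS):
    """Bucket certificate names by the action each one needs."""
    report = {"expired": [], "expiring": [], "unrevoked_retired": [], "ok": []}
    for cert in inventory:
        left = days_remaining(cert, today)
        if cert["in_use"]:
            if left < 0:
                report["expired"].append(cert["name"])       # outage waiting to happen
            elif left <= warn_days:
                report["expiring"].append(cert["name"])      # renew now
            else:
                report["ok"].append(cert["name"])
        elif not cert["revoked"] and left >= 0:
            # Retired from service but still valid: anyone holding the key can
            # present it until notAfter, so it should be revoked, not forgotten.
            report["unrevoked_retired"].append(cert["name"])
        else:
            report["ok"].append(cert["name"])
    return report


def renewal_queue(inventory, today, warn_days=WARN_DAYS):
    """In-use certificates ordered by urgency (soonest notAfter first)."""
    due = [c for c in inventory if c["in_use"] and days_remaining(c, today) <= warn_days]
    return [c["name"] for c in sorted(due, key=lambda c: c["not_after"])]


if __name__ == "__main__":
    today = date(2021, 8, 10)  # constructed reference date
    for bucket, names in triage(INVENTORY, today).items():
        print(f"{bucket}: {names}")
    print("renew in this order:", renewal_queue(INVENTORY, today))
```

The point of the "unrevoked_retired" bucket is the one the text makes: decommissioning a service does not invalidate its certificate, so the inventory has to track lifecycle state, not just expiry dates.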
To hear more fallacies, listen to Root Causes, episode 192, "14 Security Fallacies We Still Have in 2021."