Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

10 Security 'Chestnuts' We Should Roast Over the Open Fire

These outdated security rules we all know (and maybe live by) no longer apply.

Joan Goodchild, Contributing Writer

December 5, 2019

As 2019 draws to a close, it's a good time to take stock of the year in security. The numbers tell us these past 12 months will likely be another record-breaker for breaches. According to Risk Based Security's "2019 Midyear Quickview Data Breach Report," about 4.1 billion records were exposed through June alone. Those figures represent a 54% increase over the same period in 2018.

Another year, a whole lotta data stolen. What's it going to take to turn the numbers around? We might start by retiring some of the outdated thinking among security professionals. We asked several veterans to tell us which security chestnuts they would roast in 2020.

(image: exclusive-design, via Adobe Stock)

Roast: Use Complex Passwords. Change Them Periodically.

"Passwords have almost zero redeeming value left at this point, especially with how many breaches have already compromised so many of them," says Akamai CSO Andy Ellis. "The password complexity requirements -- almost perfectly designed to make them hard for humans to remember -- added to rules like 'don't write them down' have created incentives for most humans to reuse passwords. And a password breached at one site is useful for breaking into another one. So let's retire the password rules and look at some options."

Among his suggestions: "If you would let a user reset a password with a click from a known email account, consider moving to email based login," he says. "If you need something stronger, use a push-based MFA."

Aaron Turner, president and CSO of HighSide, also thinks passwords should be swapped out for other forms of authentication. For those not ready to give them up, he says, the time-driven reset should be dropped entirely: it is an outdated practice that no longer holds up against attackers who model the patterns users follow when they change a password.

(Image: designer491, via Adobe Stock)
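As an added illustration, not code from the article or from Akamai or HighSide: the legacy policy Ellis and Turner describe (composition rules plus a forced reset) beside the replacement that NIST SP 800-63B recommends, a length floor and screening against known-breached passwords with no scheduled rotation. The breach check follows the Have I Been Pwned "Pwned Passwords" range format (only the first five hex characters of the SHA-1 leave the client; the suffix is matched locally). The range data here is constructed from a few well-known weak passwords with made-up counts so the example runs offline, and the thresholds (8 and 12 characters, 90 days) are assumptions.

```python
import hashlib
import re
from collections import defaultdict

# --- Constructed stand-in for the Pwned Passwords range API ---------------
# A real deployment would GET https://api.pwnedpasswords.com/range/<PREFIX>
# and receive several hundred "<35-hex-suffix>:<count>" lines. Here the same
# format is generated offline from a short list of well-known weak passwords;
# the counts are invented for the example.
CONSTRUCTED_LEAKS = {
    "password": 3730471,
    "Password1!": 5872,
    "Winter2019!": 91,
    "qwerty123": 1090912,
}


def sha1_split(password: str) -> tuple[str, str]:
    """SHA-1 the password and split it into the 5-char prefix that is sent
    to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def _build_ranges(leaks: dict[str, int]) -> dict[str, str]:
    """Group the constructed leaks by prefix into range-response text."""
    ranges = defaultdict(list)
    for pw, count in leaks.items():
        prefix, suffix = sha1_split(pw)
        ranges[prefix].append(f"{suffix}:{count}")
    return {p: "\r\n".join(lines) for p, lines in ranges.items()}


CONSTRUCTED_RANGES = _build_ranges(CONSTRUCTED_LEAKS)


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the HTTPS call; returns the constructed range text."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """k-anonymity lookup: query by prefix, match the suffix locally.
    Returns how many times the password appears in breach data (0 if none)."""
    prefix, suffix = sha1_split(password)
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


# --- The chestnut: composition rules plus forced rotation -----------------
LEGACY_CLASSES = [re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
                  re.compile(r"\d"), re.compile(r"[^\w\s]")]


def legacy_policy(password: str, days_since_change: int) -> tuple[bool, str]:
    """Assumed legacy rule set: 8+ chars, four character classes, 90-day reset.
    Accepts short, predictable strings and rejects long passphrases."""
    if len(password) < 8:
        return False, "shorter than 8 characters"
    if not all(rx.search(password) for rx in LEGACY_CLASSES):
        return False, "missing a required character class"
    if days_since_change > 90:
        return False, "older than 90 days, rotate"
    return True, "ok"


# --- The replacement: length floor plus breach screening, no rotation -----
def modern_policy(password: str, min_length: int = 12,
                  fetch_range=fetch_range_offline) -> tuple[bool, str]:
    """NIST 800-63B style: no composition rules, no expiry, but reject
    anything already circulating in breach corpora."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password, fetch_range)
    if seen:
        return False, f"seen {seen} times in breach data, choose another"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("Password1!", "correct horse battery staple"):
        print(f"{pw!r}: legacy={legacy_policy(pw, 30)} modern={modern_policy(pw)}")
```

The contrast is the point of the roast: `legacy_policy` waves through `Password1!` (every class present, recently rotated) while rejecting a 28-character passphrase for lacking an uppercase letter; `modern_policy` does the reverse. Swapping `fetch_range_offline` for a real HTTPS fetch of the range endpoint is the only change needed to run the same check in production.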

Roast: We Must Only Hire Security Candidates with These Certifications and Qualifications

Amid a documented skills gap -- the InfoSec Institute says the shortage of cybersecurity professionals has grown to nearly 3 million globally -- it's time to do away with narrow criteria for who will be a good fit for many security roles, says Fredrick "Flee" Lee, CISO at Gusto, a provider of payroll, benefits, and human resource management software.

"We'll see a shift in the way we look at resumes by placing less importance on pedigree and certifications, and we'll see a switch-up in interviewing processes so that candidates are evaluated based on true security mindset and problem-solving skills versus their ability to manage security tools," Lee said.

(Image: Couperfield, via Adobe Stock)

Roast: CAPTCHAs Will Protect You Against Bots

"Twenty years ago, CAPTCHA was an interesting innovation [that] kept the relatively benign bots on the Internet at bay without introducing too much user friction," says Shuman Ghosemajumder, CTO at Shape Security. "Today, it does just the opposite, since cybercriminals use third-party CAPTCHA-solving services to easily bypass CAPTCHA, and users are perpetually confused, slowed down, and falsely rejected by CAPTCHA challenges on websites. In other words, going into 2020, CAPTCHA lets cybercriminals in and keeps many users out -- the opposite of what it was supposed to do."

(Image: gearstd, via Adobe Stock)

Roast: Be Stealthy and Say 'No' A Lot

It's time for old perceptions of the security team as a closed-off "cloak and dagger" group to finally be disposed of, Gusto's Lee says. He's observing a shift from security as a department of enforcement to a division of enablement, one that accelerates innovation.

"We'll see security sacrifice being elite and exclusive so we can prioritize being effective," he says. "When we treat security like an exclusive 'secret handshake' society, it silos us off and creates blind spots that lead to vulnerabilities. But when security is approachable and we create an environment where it's easy for folks to ask questions and use features, people want to actively engage with and utilize security solutions, it makes us all more secure in the long run."

(Image: fotokitas, via Adobe Stock)

Roast: Advanced Attackers Use Scary, Unbeatable Tools

"An attacker will use the tools and methods that help them achieve their goals at the lowest cost," says Mark Orlando, SANS instructor and CEO of Bionic Security. "Often, those tools and methods are simple and freely available. This doesn't mean that the attacker isn't advanced or perpetrating some larger campaign. Conversely, a sophisticated tool doesn't always signify a complex or targeted attack."

(Image: grek881, via Adobe Stock)

Roast: 'What's Your Mother's Maiden Name?'

"Nobody should be using challenge questions anymore," Shape Security's Ghosemajumder says. "While you can change your password on a website, you can't change the name of the street you grew up on or the city where your high school was. That information is easily obtained from other data breaches or from public records for most users. Challenge questions, at best, are like asking for multiple passwords. At worst, they are less secure than passwords and allow an attacker to bypass the password security on a website."

(Image: airdone, via Adobe Stock)

Roast: Antivirus Software Keeps Us Virus-Free

"Antivirus' efficacy is between 50% and 80% on a good day," says Nir Gaist, co-founder and CTO of Nyotron. "That doesn't mean you should run to the office and uninstall your AV. It simply means that a single line of defense doesn't cut it, and reliance on the past to stop future attacks will never provide you with a high degree of confidence. Blacklisting tools must be complemented by the whitelisting tools."

(Image: Skorzewiak, via Adobe Stock)

Roast: We're Too Small to Be Attractive to Attackers

"Smaller businesses have fewer security controls in place on their websites because they lack the necessary budget, resources, and security expertise," says Aanand Krishnan, CEO of Tala Security. "Magecart, an attack campaign to steal credit cards, has successfully breached a number of smaller online retailers. The consequences of a breach are much more severe for small businesses. Studies have shown that 60% of small businesses that suffer a cyberattack are out of business within six months."

(Image: neosiam, via Adobe Stock)

Roast: It's End Users' Fault

"If you have to rely on your users never 'falling for it,' you have problems," Akamai's Ellis says. "Modern e-mail clients all but bend over backward to allow adversaries to send legitimate-seeming emails, and your users are trained to click links by your HR and finance departments. Fix your internal systems so that compromises of individual users' systems aren't all that it takes for an adversary to seize control of your enterprise."

(Image: putilov_denis, via Adobe Stock)

Roast: The Cloud Is Less Secure. Or More Secure.

"Cloud is a platform, not a panacea," Bionic Security's Orlando says. "It's also not inherently worse for security than on-premises solutions. Business owners can educate themselves on the trade-offs and the capabilities of their cloud service providers -- or be educated by their attackers."

(Image: estherspoon, via Adobe Stock)

About the Author

Joan Goodchild

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.
