Infosec fact and fiction
Information security is littered with misconceptions and exaggerations. Too often there is little understanding about the threats out there, and risk perspective is based on erroneous information, resulting in people emphasising the wrong facts and worrying about issues that don't really affect them at all, while ignoring the ones that do.
Security vendors are facing huge obstacles - trying to secure systems and, at the same time, trying to educate people on the situation. Despite this, many infosec myths persist today and, surprisingly, many people still believe them.
Simon Campbell-Young, CEO of Phoenix Distribution, says the first, and most common, misconception is 'It won't happen to me, because I don't really have anything worth taking'.
He says this is little better than abject stupidity. "Personal information, no matter how innocuous, irrelevant or small can be of value to a cyber criminal, and should it be stolen, the consequences can be catastrophic. Even those with not a shred of information stored on their machines are not safe. The machine itself is a target, as it can be remotely controlled to carry out nefarious deeds. It can be used as part of a botnet comprising thousands of computers or used as camouflage for further criminal activities. In this way, innocent users can become unwitting accomplices. Nor do you need to be wealthy to be an attractive target. Cyber criminals steal small amounts from hundreds of thousands of accounts to evade detection."
Another misconception is that software and operating system patches are not that important. "In fact, you would be surprised how many people are not even aware that these patches exist. This naiveté is making it child's play for cyber criminals to exploit vulnerabilities in un-patched systems."
"Another common misconception is that people believe they will know if they are infected. While several types of malware do make it obvious that the machine is infected, today's threat authors rely largely on obfuscation, and stealth," he says. "Many threats today are silent and operate without the users' knowledge. Malware writers want to remain undetected for as long as possible in order to extract their payload, usually the exfiltration of sensitive information, or the remote hijacking of the machine to be used to send spam or for DDoS attacks."
Another belief that is doing the cyber criminals a big favour is that attachments in emails from known sources are always legit. "If you think that it is always safe to open email attachments sent from people you know, think again, because you are putting yourself at risk. While it is common sense to never open attachments from untrusted sources, opening attachments willy-nilly, even from people you know, isn't a fantastic idea either. Threat authors often write malware that can infect a machine and send a virus in an email attachment from a friend's computer, so exercise caution."
Finally, people believe that reputable, legitimate Web sites are safe, and it's only dodgy ones that should be avoided. "While this is often the case, even legitimate sites can be compromised, and used to commit drive-by downloads. Cyber crooks have been exploiting weaknesses of legitimate Web sites as a means of distributing their malware for some time. Once an infected site is visited, it can speed malware to a visitor's computer. All Web sites should be treated with caution."