2018 has seen some of the most expensive data breaches. Even a giant organisation like Facebook was hit by a massive breach exposing the account information of 50 million users.
Breaches aren’t just a problem for security professionals; the impact is felt across the whole business. Everyone needs to play their part in managing the risks, but first you need to understand what you’re up against. Many business owners are aware of these threats yet still ignore them, because of some common misconceptions about security.
Below are a few misconceptions that can lead to a data breach.
“I have a Nextgen firewall, so I’m safe.”
Enterprise security is far more complex today than it was a few years ago. Anti-virus, endpoint protection and firewalls help control a few classes of attack through real-time network monitoring and decision making, but on their own they are not adequate to protect a network from every form of intrusion. Most attacks are delivered via email and the web, both of which are allowed through firewalls, and firewalls do not control outbound data theft.
Attackers have become more sophisticated and have invented new ways to evade detection. For example, much of today's malware uses techniques like DNS exfiltration (using DNS packets to move data out of the network): outbound DNS is allowed through almost all firewalls, so in cases like these the controls mentioned above are bypassed.
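Because the firewall lets the DNS queries through, the place to catch this technique is in the DNS query log. The detector below is an added example, not code from the original article: it groups queries by client and parent domain and flags groups whose leftmost labels are numerous, long and high-entropy, the shape that encoded payloads produce and that ordinary hostnames do not. The log format, the sample lines and the thresholds are all constructed assumptions; the parent domain is approximated as the last two labels, where a real deployment would use a public-suffix list.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not real traffic): "<client-ip> <query-name> <query-type>".
# Client 10.0.0.5 browses normally; client 10.0.0.9 sends many unique, long,
# high-entropy labels under one domain, the pattern DNS-tunnelling tools produce.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.5 cdn.example.com AAAA
10.0.0.9 www.example.com A
10.0.0.9 3e7a9f0c1b2d4e5f6a7b8c9d0e1f2a3b.t.example.net TXT
10.0.0.9 9f1c2b3a4d5e6f7a8b9c0d1e2f3a4b5c.t.example.net TXT
10.0.0.9 7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a.t.example.net TXT
10.0.0.9 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d.t.example.net TXT
10.0.0.9 5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f.t.example.net TXT
10.0.0.9 b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6.t.example.net TXT
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character; hex/base32 payloads score well above hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname):
    """Return (leftmost label, parent domain), or (None, None) for names too short to matter.

    The parent is approximated as the last two labels (an assumption of this example);
    a real deployment would use a public-suffix list so that example.co.uk groups correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, None
    return labels[0], ".".join(labels[-2:])


def detect_dns_exfil(log_text, min_unique=5, min_avg_len=20, min_avg_entropy=3.0):
    """Group queries by (client, parent domain) and flag groups whose leftmost labels are
    numerous, long and high-entropy. Returns a list of alert dicts, one per flagged group."""
    groups = defaultdict(lambda: {"labels": set(), "queries": 0, "txt": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash the detector
        client, qname, qtype = m.groups()
        label, parent = split_query(qname)
        if parent is None:
            continue
        g = groups[(client, parent)]
        g["labels"].add(label)
        g["queries"] += 1
        if qtype.upper() == "TXT":
            g["txt"] += 1  # TXT/NULL-heavy traffic is a supporting signal, not a trigger

    alerts = []
    for (client, parent), g in sorted(groups.items()):
        labels = g["labels"]
        if len(labels) < min_unique:
            continue
        avg_len = sum(len(lbl) for lbl in labels) / len(labels)
        avg_ent = sum(shannon_entropy(lbl) for lbl in labels) / len(labels)
        if avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            alerts.append({
                "client": client,
                "domain": parent,
                "unique_labels": len(labels),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "txt_ratio": round(g["txt"] / g["queries"], 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_exfil(SAMPLE_LOG):
        print(alert)
```

On the sample the normal client produces no alert (three short, low-entropy hostnames), while the tunnelling client is flagged once for example.net with six unique 32-character labels. Tune the thresholds against your own resolver logs; CDNs and some anti-spam services legitimately generate long encoded labels, so a whitelist of known parent domains is the usual companion to this check.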
“Why would my organization be attacked? My company is small.”
Most organizations assume that hackers are always target-focused, and therefore that a less well-known organization is very unlikely to be a victim. While your company might not be the victim of a targeted attack, there are many threat actors out there spreading exploit-kit-powered malware indiscriminately, so you may well be part of a global target set.
Botnet infection is one such case, where hackers try to compromise as many devices as possible around the globe without a specific target in mind. Today it doesn’t matter whether you have a well-known brand, run your website for fun, or are somewhere in between: if you have any data worth stealing, you have to consider yourself a potential target.
“I have the best software developer, so why bother?”
Many organizations think that having a website built by an excellent web developer, or buying software from a trusted vendor, will protect it from criminal activity, but this is a common misconception. Web developers are generally not security experts, and hackers are constantly looking for new ways to get at your data. Microsoft is a good example: it regularly pushes security updates to millions of PCs because what was safe yesterday isn’t safe today.
“We go through Vulnerability Assessments & Penetration Tests.”
Attacks that go through people and physical security are on the rise, and you cannot blindly trust humans: they are predictable and they make mistakes. There are many cases of GitHub tokens, AWS keys and source code being leaked on popular platforms like GitHub, Pastebin and Trello. A lack of security awareness among developers results in the exposure of sensitive information such as credentials, secret keys, access keys and source code.
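The cheapest control against this class of leak is a secret scan that runs before code leaves the developer's machine (as a pre-commit hook or a CI step). The scanner below is an added example, not the article's or any project's code: it applies a handful of pattern rules to each line of a file and reports the rule, the line number and a redacted snippet. The AWS access-key-ID prefix, the GitHub classic token prefix and the PEM header are their documented formats; the "hardcoded secret assignment" rule is a broad heuristic, and the sample file, its placeholder values and the rule names are constructed for this example.

```python
import re
import sys
from pathlib import Path

# Rule name -> compiled pattern. The first three follow the documented shapes of AWS access
# key IDs, GitHub classic personal access tokens and PEM private keys; the last is a broad
# heuristic for credential assignments such as DB_PASSWORD = "...".
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_secret_assignment": re.compile(
        r"(?i)\w*(?:password|passwd|secret|token)\w*\s*[:=]\s*['\"]([^'\"]{4,})['\"]"
    ),
}

# Constructed sample file; every value is a placeholder, not a real credential.
SAMPLE_SOURCE = """\
# settings.py: constructed sample; every value is a placeholder
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
DB_PASSWORD = "hunter2"
DEBUG = True
DEPLOY_KEY = '''-----BEGIN RSA PRIVATE KEY-----'''
"""


def scan_text(text, path="<memory>"):
    """Run every rule over every line; return one finding dict per match.
    The snippet is truncated so the report itself never reproduces the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                findings.append({
                    "path": path,
                    "line": lineno,
                    "rule": rule,
                    "snippet": m.group(0)[:6] + "...",
                })
    return findings


def scan_paths(paths):
    """Scan files and directories (recursively); unreadable files are skipped."""
    findings = []
    for p in paths:
        path = Path(p)
        files = [path] if path.is_file() else [f for f in path.rglob("*") if f.is_file()]
        for f in files:
            try:
                text = f.read_text(errors="replace")
            except OSError:
                continue
            findings.extend(scan_text(text, str(f)))
    return findings


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the given paths.
    results = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_SOURCE)
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['snippet']})")
    sys.exit(1 if results else 0)  # non-zero exit blocks the commit or fails the CI job
```

On the sample it reports six findings: the access key ID, the secret key and password assignments, the GitHub token (matched by both the token rule and the assignment rule) and the private-key header. Pattern rules like these catch the well-formatted credentials; pairing them with an entropy check on string literals, as in the DNS example above, catches opaque API keys that have no recognisable prefix.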
A recent cloud leak exposed the business of big organizations like Accenture: a misconfigured S3 bucket exposed configuration files, including a plaintext document containing the master access key for the Accenture account.
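A bucket becomes public in one of two ways: a bucket policy that grants access to the anonymous principal, or an ACL grant to the AllUsers or AuthenticatedUsers group. The audit below is an added example, not Accenture's configuration or any vendor's tool: it takes a bucket policy document and an ACL in the shape the S3 API returns, lists the statements and grants that open the bucket to everyone, and produces a hardened copy of the policy with those statements removed. The policy, the ACL, the bucket name and the account ID are all constructed.

```python
import json

# Constructed bucket policy (not a real one): the first statement grants anonymous read
# of every object, the classic "public bucket" misconfiguration; the second is a normal
# grant to a specific deployment role.
PUBLIC_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-config-bucket/*"},
    {"Sid": "DeployWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/deploy"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-config-bucket/*"}
  ]
}
""")

# Constructed ACL in the shape of a GetBucketAcl response: READ granted to AllUsers.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
]}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _sid(statement, index):
    return statement.get("Sid", f"Statement[{index}]")


def public_statements(policy):
    """Return the Sids of Allow statements open to everyone with no Condition block.
    Conditioned anonymous grants (e.g. restricted to a VPC endpoint) are left for
    manual review rather than flagged automatically."""
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue
        hits.append(_sid(st, i))
    return hits


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            out.append((grantee["URI"].rsplit("/", 1)[1], grant.get("Permission")))
    return out


def harden_policy(policy):
    """Return a copy of the policy with every public statement removed."""
    bad = set(public_statements(policy))
    kept = [st for i, st in enumerate(_as_list(policy.get("Statement", [])))
            if _sid(st, i) not in bad]
    return {**policy, "Statement": kept}


if __name__ == "__main__":
    print("public policy statements:", public_statements(PUBLIC_POLICY))
    print("public ACL grants:", public_acl_grants(PUBLIC_ACL))
    print(json.dumps(harden_policy(PUBLIC_POLICY), indent=2))
```

Run against the sample it reports the PublicRead statement and the AllUsers READ grant, and the hardened policy keeps only the deploy role's write access. In practice this check belongs in a scheduled job over every bucket in the account, and the account-level public-access block should be enabled as well, so that a later edit cannot quietly reintroduce a statement like PublicRead.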
“I am compliant, hence I am secure.”
The most common starting point for managing security as an organization is achieving compliance with standards of various forms. There are multiple audits and checklists, such as PCI (for online payment processing) and SOC 2 (an accounting report for publicly traded companies). They are all well-known, official, industry-regulated security standards, so it is understandable that businesses have the impression that being compliant with best industry standards equals being secure.
But that’s not the case: most of the organizations that suffered data breaches had passed a variety of compliance audits. Being compliant with these standards provides business benefits and helps improve security around various systems, but it doesn’t make the business secure against all possible threats.
Security cannot be reduced to a list of checkboxes; it is a continuous process. Compliance is necessary for doing business, but it’s not what great security practices are built around.