IT administrators may be the first line of defence against hackers eager to tap into companies’ networks. But even they may have some inaccurate beliefs about how hackers operate – and those can have frightening consequences for their businesses’ data.
U.S.-based company Firemon LLC, which provides security solutions for IT administration held a webinar on Wednesday, aiming to debunk the myths behind data breaches.
One of the key things is to consider who might be targeting your business, said Tim Woods, Firemon’s vice-president of customer technical services.
“You need to ask, who wants what I have?” said Woods, speaking from a webinar on Wednesday. He added it’s important to accept IT administrators and hackers are locked into an adversarial mindset, and that IT administrations need to learn to think like hackers if they want to protect their business’ data.
Here are four commonly-found myths about data security among IT administrators
Myth 1 – My technology is not up-to-date.
Many IT administrators seem to believe their technology just can’t keep up with what hackers are doing – but according to Woods, this just isn’t true. Yet the belief is a pervasive one, he said, leading him to brand it “the single biggest myth in IT.”
“The technology is usually fine – it’s just misconfigured. That’s the much more likely reason for a data breach, instead of obsolete technology,” Woods said.
The technology may also be unnecessarily complicated. One of the biggest challenges in IT is burgeoning complexity among different layers of security and administrators. That raises the chance of human error, which is responsible for the majority of data breaches.
So there’s no need for businesses to turn to expensive or difficult countermeasures to guard against hackers. All that’s required is more vigilance and simpler systems, Woods said.
Myth 2 – Most threats and attacks are very sophisticated.
In the same vein, as IT administrators often underestimate their own technology, they often overrate hackers’ powers and abilities.
When some businesses think of hackers, the first names that come to mind are often Anonymous or Gottfrid Svartholm. Those may be some of the more notorious ones out there, but in reality, most attacks come from garden-variety hackers who are not nearly as skilled or knowledgeable as their highly adept counterparts, Woods said.
He indicated most breaches occur through easy points of access. Sometimes, IT administrators have left easy loopholes for hackers, allowing them to break in easily and without much resistance. That means businesses need to be more thorough in checking for weak points in their defences.
Myth 3 – Network controls are useless, since all attacks are now layer 7 attacks.
While it’s true that many attack attempts come through port 80, the port that a Web server uses to communicate with a Web client, it’s definitely possible to guard against those attacks, Woods said. Known as “layer 7 attacks,” these are used by hackers to bypass security measures by making apparently valid HTTP requests (like a typical Web surfer might) via Transmission Control Protocol, making the source untraceable.
He listed firewalls and whitelisting as ways of stopping malware and other potential dangers from entering the system. Alternatively, IT administrators can try to visualize what potential paths a hacker might take once he or she has entered a system and begun searching for critical assets. Vulnerability scanners would be a good tool for this, Woods said.
Myth 4 – If I just keep my systems patched, I can prevent all data breaches.
Patching is not a be-all, end-all solution for everything. While it does have its place, keeping ahead of the curve and trying to patch where needed isn’t feasible, Woods said.
Patches need to undergo QA testing before they can be deployed, and once that happens, there’s already something else cropping up that needs patching, he said, adding they also don’t defend against zero-day attacks.
Instead, IT administrators need to view patching as just one part of what they do to protect their data from being breached, Woods said.
Nowadays, what information security really comes down to is a refusal to surrender, Woods said. Some IT companies just brace themselves for what they see as the inevitable, and only try to deal with breaches once they’ve already happened.
But he said he believes it’s not enough to simply invest in good technology, as businesses need to also commit time and resources to protecting their data.
For example, instead of seeing audits and compliance initiatives as hurdles, it’s better to view them as guidelines to follow in securing sensitive company information.
“Companies will say, we know we will get hit, we feel helpless, we know the storm’s coming,” Woods said. “Yes, 100 per cent will not be stoppable, but we should still try … We can’t afford to do nothing.”