5 Cybersecurity Security Fallacies


Keeping your security protocols secret increases your security.

There is a belief that any sort of system can be secured so long as its internal mechanisms are kept private. This is called "Security Through Obscurity". Security experts have rejected this view as far back as 1851.

Obscurity should never be the only security mechanism.

Alternatively, there is Kerckhoffs's principle, which states that a system should remain secure even if everything about it, except the key, is public knowledge.

Don't rely on secrecy to secure your systems.

Do use protocols and procedures which remain secure even when an attacker knows exactly how they work.

A complex password is a good password.

People often equate complex passwords (a password with a mix of UPPER and lower case characters, numbers and symbols) with secure passwords. If I agreed with you on this, then we would both be wrong.

The strength of a password is measured by its entropy (randomness or unpredictability). The length of the password has a greater impact on the password's entropy than does the complexity of the password.

Consider the password "YW%?n2)J" versus the pass phrase "Simplicity is the ultimate sophistication". The first will meet the password complexity requirements of most websites; the latter will not. Yet the entropy of the first is only 36.2 bits, which is just enough to be considered reasonably secure. Passwords with an entropy <36 are considered weak. Whereas the pass phrase has an entropy of 187.7 bits, which is considered very strong or even "overkill", and has the added advantage of being easier to remember.
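As an added example (not from the article), the two strings above run through a simple entropy estimator: a per-character pool model, plus a per-word model for phrases made of dictionary words, judged against the article's 36-bit weak threshold. This estimator is not the tool that produced the article's figures, so the absolute numbers differ, but the ordering and the conclusion are the same; the 7776-word vocabulary is an assumption.

```python
import math
import string

# Constructed sample inputs: the two strings the article compares.
PASSWORD = "YW%?n2)J"
PASSPHRASE = "Simplicity is the ultimate sophistication"

WEAK_THRESHOLD_BITS = 36  # the article's cut-off for a weak password

# Character classes and the size of the pool each one adds to the search space.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),  # 32
    "space": ({" "}, 1),
}


def meets_complexity_rules(secret: str) -> bool:
    """Typical website rule: at least 8 chars with upper, lower, digit and symbol."""
    present = {name for name, (chars, _) in CLASSES.items() if set(secret) & chars}
    return len(secret) >= 8 and {"lower", "upper", "digit", "symbol"} <= present


def charset_entropy_bits(secret: str) -> float:
    """Upper-bound estimate: length * log2(pool size of the classes used).
    Assumes every character was drawn uniformly from that pool."""
    pool = sum(size for chars, size in CLASSES.values() if set(secret) & chars)
    return len(secret) * math.log2(pool) if pool else 0.0


def wordlist_entropy_bits(phrase: str, vocabulary: int = 7776) -> float:
    """Conservative estimate for a phrase of dictionary words: an attacker
    guesses whole words, so each word adds log2(vocabulary) bits.
    7776 is the Diceware list size (an assumption, not from the article)."""
    return len(phrase.split()) * math.log2(vocabulary)


def strength_report(secret: str) -> dict:
    """Complexity-rule verdict next to the entropy estimate, to show they disagree."""
    bits = charset_entropy_bits(secret)
    if " " in secret:  # multi-word phrase: use the lower, word-level estimate
        bits = min(bits, wordlist_entropy_bits(secret))
    return {
        "complexity_ok": meets_complexity_rules(secret),
        "entropy_bits": round(bits, 1),
        "weak": bits < WEAK_THRESHOLD_BITS,
    }


if __name__ == "__main__":
    for s in (PASSWORD, PASSPHRASE):
        print(repr(s), strength_report(s))
```

The pass phrase fails the complexity check yet scores higher than the random 8-character password even under the conservative word-level model.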

Don't use short complex passwords.

Do use long pass phrases.

Changing passwords at regular intervals increases security.

Requiring passwords to be changed every few months used to be considered a password best practice. However, recent studies have found that frequently changing passwords is counterproductive. Users forced to change passwords at regular intervals often only slightly modify their existing passwords, changing a single character or adding a symbol. If the old password is compromised, it will not be too hard to crack the updated version.

Don't require users to change passwords at regular intervals.

Do require users to change passwords if compromised.

Physical security is not important.

A computer or system that is not physically secure is at risk. I once had a client that lost the password to their Windows domain controller. The fix required booting the system with a standard Windows installation CD, modifying a few files, rebooting the computer and then typing a few commands at the command prompt. It only took rebooting the computer twice and 2 minutes in front of the computer to gain access.

Don't leave computers unattended in public spaces.

Do take measures to ensure that critical systems are physically secure.

Password hints help users remember complex passwords.

It may be simple to prompt the user to answer a personal question such as ‘What city were you born in?’ or ‘What is the name of your first school?’. However, the answers to many of these questions can easily be found on social media by a determined attacker. This undermines security and increases the likelihood of a breach.

Don't use password hints.