Top 10 security misperceptions

Issue 3 2021 Cyber Security, Security Services & Risk Management

The Sophos Rapid Response team has compiled a list of the most commonly held security misperceptions they’ve encountered in the last 12 months while neutralising and investigating cyberattacks in a wide range of organisations.

Below is a list of the top 10 misperceptions, together with a Sophos counterpoint dispelling each of them based on incident responders’ experience and observations at the frontline of attacks.

Misperception 1: We are not a target; we are too small and/or have no assets of value to an adversary.

Sophos Counterpoint: Many cyberattack victims assume they are too small, in a sector of no interest or lacking the kind of lucrative assets that would attract an adversary. The truth is, it doesn’t matter: if you have processing power and a digital presence, you are a target. Despite the media headlines, most attacks are not perpetrated by advanced nation-state attackers; they are launched by opportunists looking for easy prey and low hanging fruit, such as organisations with security gaps, errors or misconfigurations that cybercriminals can easily exploit.

If you believe that your organisation is not a target, you are probably not actively looking for suspicious activity on your network – such as the presence of Mimikatz (an open-source application that allows users to view and save authentication credentials) on your domain controller – and you could miss the early signs of an attack.

Misperception 2: We don’t need advanced security technologies installed everywhere.

Sophos Counterpoint: Some IT teams still believe that endpoint security software is enough to stop all threats and/or they don’t need security for their servers. Attackers take full advantage of such assumptions. Any mistakes in configuration, patching or protection make servers a primary target, not a secondary one as might have been the case in the past.

The list of attack techniques that try to bypass or disable endpoint software and avoid detection by IT security teams grows longer by the day. Examples include attacks operated by humans that exploit social engineering and multiple points of vulnerability to gain entry; heavily packed and obfuscated malicious code injected directly into memory; ‘fileless’ malware attacks such as reflective DLL (Dynamic Link Library) loading; and attacks using legitimate remote access agents like Cobalt Strike alongside everyday IT admin tools and techniques. Basic anti-virus technologies will struggle to detect and block such activity.

Similarly, the assumption that protected endpoints can prevent intruders from making their way to unprotected servers is a mistake. According to the incidents Sophos Rapid Response has investigated, servers are now the number one target for attack and attackers can easily find a direct route using stolen access credentials. Most attackers also know their way around a Linux machine. In fact, attackers often hack into and install backdoors in Linux machines to use them as safe havens and to maintain access to a target’s network.

If your organisation relies only on basic security, without more advanced and integrated tools such as behavioural and AI-based detection and a 24/7 human-led security operations centre, then intruders will likely find their way past your defences eventually.

Last but not least, it is always worth remembering that while prevention is ideal, detection is a must.

Misperception 3: We have robust security policies in place.

Sophos Counterpoint: Having security policies for applications and users is critical. However, they need to be checked and updated constantly as new features and functionality are added to devices connected to the network. Verify and test policies, using techniques such as penetration testing, table top exercises and trial runs of your disaster recovery plans.

Misperception 4: Remote Desktop Protocol (RDP) servers can be protected from attackers by changing the ports they are on and introducing multi-factor authentication (MFA).

Sophos Counterpoint: The standard port used for RDP services is 3389, so most attackers will scan this port to find open remote access servers. However, the scanning will identify any open services, regardless of the port they are on, so changing ports offers little or no protection on its own.

Further, while introducing multi-factor authentication is important, it won’t enhance security unless the policy is enforced for all employees and devices. RDP activity should take place within the protective boundary of a virtual private network (VPN), but even that cannot fully protect an organisation if the attackers already have a foothold in a network. Ideally, unless its use is essential, IT security should limit or disable the use of RDP internally and externally.

Misperception 5: Blocking IP addresses from high-risk regions such as Russia, China and North Korea protects us against attacks from those geographies.

Sophos Counterpoint: Blocking IPs from specific regions is unlikely to do any harm, but it could give a false sense of security if you rely only on this for protection. Adversaries host their malicious infrastructure in many countries, with hotspots including the US, the Netherlands and the rest of Europe.

Misperception 6: Our backups provide immunity from the impact of ransomware.

Sophos Counterpoint: Keeping up-to-date backups of documents is business critical. However, if your backups are connected to the network, then they are within reach of attackers and vulnerable to being encrypted, deleted or disabled in a ransomware attack.

It is worth noting that limiting the number of people with access to your backups may not significantly enhance security as the attackers will have spent time in your network looking for these people and their access credentials.

Similarly, storing backups in the cloud also needs to be done with care – in one incident Sophos Rapid Response investigated, the attackers emailed the cloud service provider from a hacked IT admin account and asked them to delete all backups. The provider complied.

The standard formula for secure backups that can be used to restore data and systems after a ransomware attack is 3:2:1: three copies of everything, using two different systems, one of which is offline.

One final note of caution: having offline backups in place won’t protect your information from extortion-based ransomware attacks, where the criminals steal and threaten to publish your data instead of, or as well as, encrypting it.
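The 3:2:1 formula above is easy to state but hard to verify by eye once an organisation has a handful of backup jobs. The following is an added example, not Sophos code, of a small check that scores a backup inventory against the rule and also lists which copies would still be within reach of an attacker holding harvested domain credentials (the point made about network-connected backups). The inventory, the field names on BackupCopy and the one-day freshness window are assumptions constructed for this example; it goes slightly beyond the text by also requiring each counted copy to be recent, since a stale copy does not really count as a copy of "everything".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    name: str
    system: str             # distinct storage system / medium (nas, cloud, tape ...)
    offline: bool           # not reachable over the network from production
    domain_reachable: bool  # reachable with the domain credentials attackers harvest
    last_success: datetime  # time of the last successful backup run


# Constructed reference time and inventories (assumptions for this example).
NOW = datetime(2021, 6, 1, 8, 0, tzinfo=timezone.utc)

# Three jobs, but two sit on the same domain-joined NAS and none is offline.
INVENTORY_WEAK = [
    BackupCopy("nas-nightly", "nas", False, True, NOW - timedelta(hours=6)),
    BackupCopy("nas-weekly", "nas", False, True, NOW - timedelta(days=3)),
    BackupCopy("cloud-bucket", "cloud", False, False, NOW - timedelta(hours=7)),
]

# Same inventory plus an offline tape copy taken last night.
INVENTORY_321 = INVENTORY_WEAK + [
    BackupCopy("tape-offsite", "tape", True, False, NOW - timedelta(hours=20)),
]


def assess_3_2_1(copies, now=NOW, max_age=timedelta(days=1)):
    """Check the 3:2:1 rule over copies that completed within max_age.

    Returns compliance, the list of failed conditions, and the names of
    fresh copies an attacker with domain credentials could still reach.
    """
    fresh = [c for c in copies if now - c.last_success <= max_age]
    findings = []

    # 3: three copies of everything (only recent copies count)
    if len(fresh) < 3:
        findings.append(f"only {len(fresh)} copies are fresh (need 3)")

    # 2: on two different systems
    systems = {c.system for c in fresh}
    if len(systems) < 2:
        findings.append(f"fresh copies span {len(systems)} system(s) (need 2)")

    # 1: at least one of them offline
    if not any(c.offline for c in fresh):
        findings.append("no fresh offline copy")

    # Copies that would be encrypted, deleted or disabled by an intruder
    # who has already harvested domain credentials.
    reachable = [c.name for c in fresh if not c.offline and c.domain_reachable]

    return {
        "compliant": not findings,
        "findings": findings,
        "reachable_with_domain_creds": reachable,
    }


if __name__ == "__main__":
    for label, inv in (("weak", INVENTORY_WEAK), ("3-2-1", INVENTORY_321)):
        print(label, assess_3_2_1(inv))
```

Run the module directly to see both inventories scored; the weak one fails on freshness and on the missing offline copy, while the compliant one still reports the NAS copy as reachable with domain credentials, which is the caveat worth surfacing even when the rule is satisfied.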

Misperception 7: Our employees understand security.

Sophos Counterpoint: According to the State of Ransomware Survey 2021, 22% of organisations believe they’ll be hit by ransomware in the next 12 months because it’s hard to stop end-users from compromising security.

Social engineering tactics like phishing emails are becoming harder to spot. Messages are often handcrafted, accurately written, persuasive and carefully targeted. Your employees need to know how to spot suspicious messages and what to do when they receive one. Who do they notify so that other employees can be put on alert?

Misperception 8: Incident response teams can recover my data after a ransomware attack.

Sophos Counterpoint: This is very unlikely. Attackers today make far fewer mistakes and the encryption process has improved, so it is extremely rare for responders to find a loophole that can undo the damage. Most modern ransomware also deletes automatic backups such as Windows Volume Shadow Copies and overwrites the original data stored on disk, making recovery impossible other than by paying the ransom.
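Two of the signs mentioned in this list, Mimikatz appearing on a domain controller (Misperception 1) and Volume Shadow Copies being deleted ahead of encryption (above), are visible in process-creation telemetry well before the ransom note appears. The following is an added example, not Sophos code, of detection logic run over a few constructed process-creation events. The event layout (host, user, image, cmdline) and the asset list of domain controllers are assumptions for this example; real Sysmon or Windows 4688 events use different field names and would need mapping first.

```python
import re

# Constructed process-creation events (assumed layout, built for this example).
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\jsmith",
     "image": "C:\\Users\\jsmith\\Downloads\\mimikatz.exe",
     "cmdline": "mimikatz.exe"},
    {"host": "FS02", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},            # benign: listing, not deleting
    {"host": "FS02", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "WS17", "user": "CORP\\mlee",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "WS17", "user": "CORP\\mlee",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Constructed asset list: hosts where credential tooling is critical, not merely suspicious.
DOMAIN_CONTROLLERS = {"DC01"}

# (rule name, pattern, event field the pattern is applied to)
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I), "cmdline"),
    ("shadow_copy_deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "cmdline"),
    ("credential_dumper_present",
     re.compile(r"mimikatz", re.I), "image"),
]


def detect(events, domain_controllers=DOMAIN_CONTROLLERS):
    """Return one alert per matching event, with severity raised on domain controllers."""
    alerts = []
    for ev in events:
        for rule, pattern, field in RULES:
            if not pattern.search(ev.get(field, "")):
                continue
            severity = "high"
            if rule == "credential_dumper_present" and ev["host"] in domain_controllers:
                severity = "critical"
            alerts.append({
                "rule": rule,
                "severity": severity,
                "host": ev["host"],
                "user": ev["user"],
                "cmdline": ev["cmdline"],
            })
            break  # first matching rule wins; one alert per event
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']} on {alert['host']} "
              f"by {alert['user']}: {alert['cmdline']}")
```

The benign "vssadmin list shadows" event is deliberately included so the rule has to distinguish listing from deletion; a backup service account running the deletion on a file server is exactly the kind of activity a responder would want surfaced, since it matches the pre-encryption behaviour described above rather than normal backup maintenance.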

Misperception 9: Paying the ransom will get our data back after a ransomware attack.

Sophos Counterpoint: According to the State of Ransomware Survey 2021, an organisation that pays the ransom recovers on average around two-thirds (65%) of its data. A mere 8% get back all of their data and 29% recover less than half. Paying the ransom – even when it seems the easier option and/or is covered by your cyber-insurance policy – is therefore not a straightforward solution to getting back on your feet.

Further, restoring data is only part of the recovery process – in most cases the ransomware completely disables the computers, and the software and systems need to be rebuilt from the ground up before the data can be restored. The 2021 survey found that recovery costs are, on average, 10 times the size of the ransom demand.

Misperception 10: The release of ransomware is the whole attack – if we survive that we’re OK.

Sophos Counterpoint: Unfortunately, this is rarely the case. The ransomware is just the point at which the attackers want you to realise they are there and what they have done.

The adversaries are likely to have been in your network for days, if not weeks, before releasing the ransomware, exploring, disabling or deleting backups, finding the machines with high value information or applications to target for encryption, removing information and installing additional payloads such as backdoors. Maintaining a presence in the victim’s networks allows attackers to launch a second attack if they want to.

