6 Worthless Security Tactics That Won't Go Away
Trusting a security placebo never makes sense. Don't let your organization fall victim to a discredited security approach that provides little or no protection.
![cartoon: a worm living inside an apple is angry because a neighboring worm won't let him sleep](https://eu-images.contentstack.com/v3/assets/blt69509c9116440be8/bltb5a21e46ebf0eb2c/64bf5c018b736dce633dedd1/00security-_Jr_Casas-alamy.jpg?width=700&auto=webp&quality=80&disable=upscale)
Jr Casas via Alamy Stock
Something is not always better than nothing. This is particularly true when organizations rely on one or more security techniques that have proven largely ineffective against online predators.
Here’s a quick rundown of a half-dozen security practices that remain widely used, despite being generally worthless or obsolete.
CAPTCHAs should be a goner, says Sam Crowther, CEO of cybersecurity company Kasada. The once useful security method now exists only as a minor user inconvenience, while attackers leverage multiple methods to work around the roadblocks. CAPTCHA solvers, human click farms, and machine learning/AI solutions all defeat the process quite easily. CAPTCHA bypasses are also sold as a service at little cost, helping attackers who don’t possess the knowledge needed to defeat the technology. “A more effective approach for organizations is to leverage a flexible and dynamic anti-bot solution that employs invisible and dynamic challenges rather than relying on outdated CAPTCHAs or other visual challenges,” he says.
Providing shared access credentials to groups of employees, associates, or devices, such as vendors, contractors, receptionists, cashiers, printers, or scanners, is a bad idea. These accounts usually don’t have trusted access to systems, so the misconception is that they can’t be used to damage or attack critical infrastructure, explains Christopher Cain, threat research manager with OpenText Security Solutions, a cybersecurity and digital forensics firm. “If a threat actor is able to obtain access with a limited credential, there are a myriad of ways they can escalate access to attack critical infrastructure,” he says. Always create individual, limited credentials for each employee or device, even if that means trading off time to occasionally reset passwords.
While training can reduce the likelihood of a staff member inadvertently triggering a phishing attack, the threat can never be entirely eliminated. All an attacker needs is a single click, says Rotem Iram, CEO and founder of cyber insurance provider At-Bay. “It's certainly noble to try to educate your workforce against phishing attempts, and the sticker price on training can seem lower than the cost of other security tactics,” he notes. Yet, according to a study conducted by research university ETH Zurich, training not only fails to improve employee phishing resilience, but actually makes employees more susceptible to phishing due to a false sense of security created by the training.
Using a map or any type of wall dashboard for threat monitoring, without knowing how to properly interpret the presented information, is essentially a useless effort, observes Dave Dalling, cyber chief technology officer at Accenture Federal Services.
It takes time and knowledge to properly configure a monitoring tool, Dalling says. It's also challenging to find talent with the necessary expertise to make use of raw data. “Without curating threat intelligence and adding the needed context, an alert is just a piece of information,” he states. “Curation validates your data and reduces false positives; the context gives it meaning, sets the priority, and informs analysts and incident responders (IR) about what to look for and [to take] proper response actions.”
This concept relies on the belief that any asset people don’t know about, or don’t already know the location of, is safe and secure. “Obfuscation and subterfuge are absolutely valid techniques for protecting something -- it's one of the many reasons why data centers are so nondescript from the outside,” states Mike Pedrick, vice president, cybersecurity consulting, at managed security services provider Nuspire.
Yet it’s the “blind archer” you should fear -- the individual who stumbles on the thing you're hiding, Pedrick says. “You can bury sensitive personnel records five levels deep under a master directory called ‘Underwater Basket Weaving Training for Dummies’ in a company-wide share, and all that needs to occur to invoke chaos is for a team member to randomly plug their name into a search field where that share has been indexed.”
Passwords are the leading cause of security breaches and the most common entry point for cybercriminals to achieve their goals, warns Rishi Bhargava, co-founder of authentication technology developer Descope. “Organizations spend lots of resources adding security controls to stop credential stuffing and brute force attacks, but with the speed at which automation and compute power are growing, attackers continue to have the upper hand,” he notes.
Passwords also cause friction throughout the user journey, leading to churn and a negative user experience. “No one wants the cognitive load of remembering unique 16-character passwords for every site or app they access, so they reuse passwords across sites which is a recipe for disaster when passwords get leaked,” Bhargava says. “Password managers offer a temporary salve by reducing the number of passwords users need to remember, but as the recent LastPass breach shows, the best password is no password.”
There are multiple alternatives to knowledge-based authentication that are more secure, user-friendly, and interoperable, Bhargava states. “The most important development in this area is the rising adoption of standards such as FIDO2 and WebAuthn, which let users authenticate using device-native biometrics,” he explains. “Apple and Google have already launched passkeys support, which is based on the WebAuthn standard, so I expect user awareness to continue growing.”
Bhargava notes that options are available for applications that aren’t yet ready for biometrics. “Magic links via email, SMS, and messaging services let users log in with a click without having to remember a password,” he says. “Authenticator apps, like Google Authenticator, that use time-based one-time passwords (TOTP) are effective as either a first or second authentication factor.”