Cybersecurity - Misinformation As a Security Problem

Misinformation has a very political context these days - think "fake news!" The word conjures up images of horrible memes about issues with vaccinations, allegations about election fraud, and many other topics that people generally don't feel comfortable with because of the politics of them. But identifying and being resistant to misinformation is a hugely important part of cybersecurity that we don't talk about because the word has become so politicized. So please, take a deep breath, let it out slowly, and let's talk about misinformation in terms of cybersecurity without entering the realm of politics.

This country thrives on misinformation. Some of us are old enough to remember the plague of plain-text emails in the 1990's that promised you that just by reading the content of a plain-text email you had just infected your system and, often with that, the university computer network you were reading it on. Oh the joys of being one of the student employees of the IT staff fielding those panicked phone calls! And how many concerned relatives or friends shared urban legends with you about the dangers of walking alone through a mall parking lot, or not to flash your brights at someone who doesn't have their headlights on that they had gotten from a source they mistakenly thought was trustworthy. There is some strange pleasure we take in "knowing" something others don't and bursting their bubble with our knowledge. We like this so much that we often do so without recognizing the urban legend we're perpetuating is false. We even do this with information like useless tips on repelling flies - we just don't check the facts before we share these things.

Being misinformation aware is, in significant part, about critical thinking. It is the first step in resiliency against nearly all social engineering attacks:

• That urgent message you got about a problem with your account and the funny URL it suggests you click to fix it.
• That urgent message from the boss who needs a bunch of gift cards STAT!
• The Facebook message to connect to somebody you're already connected with.
• The proactive phone call from the "help desk" when your MFA push notifications are going off non-stop, where they tell you to just hit "accept" on one finally.

Thinking critically about what you're being told and what you're being asked to do in that moment - recognizing the misinformation - is step one in not making an important cybersecurity mistake. And don't get me wrong, misinformation can be very hard to detect without some real effort - nobody said security came without cost or effort.

But it goes farther than that. Misinformation can take the form of out-of-date security concepts as well.

• Passwords as a concept are showing their age, and the advice on length, complexity, and how often to change them is all over the map. The realities are that complex passwords are important - especially in environments without multi-factor authentication, but that their very complexity also leads to their limitations. The best advice today is to deploy MFA, and perhaps relax the password complexity rules - so long as you're using MFA for everything.
• Designing your remote access solution with a "full tunneling" end-user VPN used to be state-of-the-art security. How many organizations still think that's the bee's knees?
• And how about the open source wars of the early 2000's? The harm we were doing to our security programs in the name of open source vs. closed source religious infighting is mostly a disturbing footnote told around IT and IS campfires to scare the kids these days. A fight, often as not, fueled by misinformation.

But we still have some pretty serious Cybersecurity misinformation out there that people still hold onto:

• "My operating system is impervious to malware, I don't need AV/EDR software!" - While it is true that some OS's are built in such a way as to be less susceptible to many forms of malware, every operating system can be made a victim of a bad decision by the user. Now, there are systems out there that don't have traditional options for AV/EDR tools, so research what you should be doing to protect your devices.
• "My security team keeps me safe, so I'm not too worried about my computer." - Just like Smokey reminds us that we all have our job to do to prevent forest fires, so too we all have to take responsibility for our own cybersecurity, and for the cybersecurity of the organizations we work for. This one is even more important in the current era of so much work from home. Our home networks become possible sources of attack against corporate systems (our laptops) that we need to take responsibility for the threats they may contain as good corporate citizens. Of course, we probably want to protect our personal data to, so it turns out what's good for the company is good for us - in this case anyway.
• "I'm not a target, I don't have to be very disciplined." - While you may never be a named target, you are always a target of opportunity. We should all know this one by now. We've watched developers of small software projects have their projects hijacked to attempt to infect and infiltrate downstream systems. We've watched relatively low-level workers in companies become the Trojan horse for major incursions. We've watched all sorts of ways that average users and employees have had their user accounts become the account from which major incidents are launched.

So, check your biases. Check your sources. Check you facts. Turn those misinformation detectors up to 11, and you'll be off to a great start on keeping yourself and your organization safe from cybersecurity threats.

There, we made it through without any politics. I told you we could.

Originally published on LinkedIn, May 15, 2022