Authored by: Morey J. Haber, CTO/CSO at BeyondTrust
One of the quirkiest things about cyber security best practices is that some concepts from last week, last month, or last year are now obsolete and should be discarded. This is much like medical recommendations for health, nutrition, and exercise; but unlike the advice to change the oil in your car every 5,000 miles, cyber security best practices have conditions and relationships that warrant unlearning a concept and never, ever performing its mission again.
If you think this is crazy, and fundamentally wrong because cyber security is a cumulative process, you are mistaken. Consider the following former best practices we should unlearn:
Changing your personal passwords frequently
According to NIST guidance, it is not necessary to change your personal passwords on a frequent basis. While this sounds outrageously reckless, there are conditions for unlearning this previous best practice: the password should be associated with a single credentialed account and your identity, stored for your use only, not reused for any other resource, and complex enough to resist attack vectors such as a dictionary attack. It is time to unlearn the old recommendation, but keep in mind that privileged accounts, shared accounts, and application and service accounts are not covered by it.
Downloading software directly from the vendor
While many commercial applications are only available from the manufacturer, many modern applications, including Microsoft Office, are now available from the application stores for Windows and even macOS. Downloading them from the source ensures the software has not been tampered with, but installing them from a proper application store, whether provided by the operating system or managed by your organisation, ensures that compatibility checks, updates, and additional security vetting have been performed. For example, with Microsoft Office 365 now available in the macOS App Store, users and businesses can be confident that a single update mechanism delivers security and feature updates, and that additional screening has occurred to ensure the software has not been tampered with. As a security recommendation to unlearn, consider using secure, authorised application stores for software delivery versus the older recommendation of getting applications directly from the vendor.
Unlearning training recommendations
One of the hardest cyber security lessons to unlearn is a prior recommendation used in training employees. While most security professionals might draw a blank on these discrepancies, they should be top of mind for every security training practitioner. Therefore, every time updated training is delivered, an overview of the changes from old practices to new best practices should be outlined and highlighted in the material. This avoids the conflict of, "I learned this last year and now they are teaching me something contradictory." Take phishing training as an example. The steadfast recommendation has always been not to click on links embedded in emails, yet many applications embed links that cannot be accessed any other way. Employee security training dictates that you should always inspect the URL for HTTPS and the domain name before using a link in an email; that guidance potentially trumps the blanket rule against clicking any embedded link. So, which is the best practice your organisation should follow, and which one is now obsolete? As you continuously update training material, make sure something as simple as this is highlighted, along with the exceptions under which the previous best practice should be unlearned.
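As an added example (not from the original article), here is a small Python check of the kind of link inspection the training describes: it pulls each anchor out of constructed sample email HTML, flags targets that are not HTTPS, and flags anchors whose visible URL text points at a different registrable domain than the real href. The domain comparison is a deliberately naive "last two labels" rule, an assumption a production tool would replace with a public suffix list.

```python
import re
from urllib.parse import urlparse

# Constructed sample anchors, as they might appear in an HTML email body.
# The second one shows a URL in its visible text that differs from its real href.
SAMPLE_EMAIL_HTML = """
<p>Your invoice is ready: <a href="https://billing.example.com/inv/42">https://billing.example.com/inv/42</a></p>
<p>Reset here: <a href="http://example.com.lookalike-host.test/reset">https://example.com/reset</a></p>
<p><a href="https://docs.example.com/guide">Read the guide</a></p>
"""

# Matches <a ... href="...">visible text</a>; enough for the constructed sample above.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def registrable_domain(host):
    """Naive registrable domain: the last two labels (assumption, not a public suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def inspect_link(href, visible_text):
    """Return a list of findings for one anchor; an empty list means nothing suspicious."""
    findings = []
    target = urlparse(href)
    # Training rule 1: the real destination should use HTTPS.
    if target.scheme != "https":
        findings.append("not-https")
    # Training rule 2: if the visible text looks like a URL, its domain must match the real href.
    shown = urlparse(visible_text.strip())
    if shown.scheme in ("http", "https") and shown.hostname and target.hostname:
        if registrable_domain(shown.hostname) != registrable_domain(target.hostname):
            findings.append("display-domain-mismatch")
    return findings


def inspect_email(html):
    """Return (href, findings) for every anchor in the email body, in document order."""
    return [(href, inspect_link(href, text)) for href, text in ANCHOR_RE.findall(html)]


if __name__ == "__main__":
    for href, findings in inspect_email(SAMPLE_EMAIL_HTML):
        print(href, "->", findings or "ok")
```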
While there are some things we never want to unlearn, like riding a bicycle, there are some behaviours and even urges we should make the effort to unlearn. Cyber security best practices contain recommendations that will stand the test of time, like never sharing or reusing your passwords, but they also contain recommendations that have evolved over time due to changes in attack vectors and maturity models. We should all consider how to unlearn the obsolete behaviours, recognise when they are present, and embrace the new ones to protect ourselves, our businesses, and our data.