Security is a broad concept, and the definition alone could be discussed for days. We are not going to do that, because security is too important for it, even and especially now, in a time of working from home and far-reaching changes in ICT. Let’s narrow it down a bit to keep it manageable. Since NDI is certified under ISO 27001, we see security in a broad sense, which also includes, for example, the availability of data and systems. It is, of course, true that in popular usage ‘security’ is primarily understood to mean preventing unauthorized and unwanted access to data.
In that context, security has become an expertise in itself, at least in terms of public perception. There is nothing wrong with that as such. Certainly at the premier league level, security is a profession in its own right. There are, therefore, people who really know a lot about it and whom we are happy to call in when it comes to truly complex matters. To carry out a penetration test, you need people who know as much about hacking as cybercriminals do. That is the only way to find security weaknesses with a simulated intrusion attempt. For forensic IT, too, you need real experts who can identify a cybercrime and run a trace investigation, just like real CSIs.
Daily security
As said, it is a profession in its own right, and when it is that specialized it is certainly not NDI’s area of expertise. In such cases, we call in the specialists of our security partner NFIR. However, there are many aspects of security that are much less sexy than simulated break-ins and catching criminals. A large part of security lies in very boring, everyday matters: things that we, as IT managers, have to deal with daily and that we do know a lot about.
To be clear: many hacks are not carried out by genius hackers who bypass extremely strong security in a super smart way. Unfortunately, most break-ins are carried out by abusing relatively simple security flaws and by taking advantage of people who are careless with their clicking behaviour or their passwords. In other words, as so often with security, the 80/20 rule applies. Specialists are needed to achieve the last 20% of ‘security’. But the first 80% of ‘secure’ can be achieved with 20% of the effort, through simple and obvious things. Things the IT administrator, and often even the user, can do themselves.
At the risk of sounding pedantic… an analogy:
You can secure your home with an alarm system and apply for the Police quality mark for safe homes. There is nothing wrong with that, and it is a good idea if you want to fit all your doors with 3-star SKG locks. But, just as with IT security, these kinds of measures are only relevant once you have tackled the basics. A door with a 3-star lock still opens very easily if you don’t bother to lock it. Besides, I think many people don’t know exactly where all the keys to those expensive locks actually are. Lent to the contractor, the dog walker or the plumber? Was that key returned or not? Of course, you close the windows that are accessible from the outside when you leave, and you leave a light on when no one is at home. Of course, a potential burglar also suspects it is probably a ‘watch light’. But when in doubt, he chooses the house that is entirely dark. This kind of thing is the ‘low-hanging fruit’ of securing house and home: 80% of the security for 20% of the cost and effort. The aim is to make it slightly less attractive to burglars, who will always choose the weakest link. Make sure the weakest link is the neighbour’s house three blocks away.
As the story goes: a ferocious bear chases two men. One says to the other, ‘This makes no sense, we can never run faster than the bear.’ Says the other, ‘I don’t have to run faster than the bear, I just have to run faster than you.’ It is basically the same with IT security as with home security. Ideally, the security is fully comprehensive and 100%. But the most important thing is that it starts with making it more attractive for burglars to try the ‘neighbours’.
Basic security
The IT equivalent of ‘lock your doors and close your windows when you leave’ is managing systems properly, both the server environment and the workstations. In 2020, simple, sound management means at least the following:
- Make sure that all systems are up to date. A week behind on updates of Microsoft Server 2019 software or Windows 10 does not have to be a problem, but any machine that is months behind is an unacceptable risk.
- A virus scanner that is up to date and kept up to date: good administrators use management software to manage updates and virus scanners, so that a machine that lags behind is detected automatically.
- Disks are encrypted with strong encryption, making the data unreadable even if a PC or server falls into the wrong hands.
- Users use strong passwords that are not easy to guess; preferably passphrases (i.e. sentences) of at least 16 characters. This makes it almost impossible to guess the password with ‘brute force’ attacks. Passwords need to be changed regularly, but not too often, as that encourages people to write them down.
- Multi-Factor Authentication (MFA or 2FA) is no longer a luxury but a must. Whereas in the past the use of a ‘token’ (if you were born after 1999: a small device that shows a unique number every minute, which you have to enter when logging in) was expensive and cumbersome, you can now easily improve security with an app on the phone.
- Making good backups: daily backups that are tested regularly are absolutely essential. This means that data can always be retrieved if it is lost, for example due to ransomware.
- Use the security tools that are often included at no extra cost in, for example, Microsoft 365.
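The first three points of the list (patch lag, virus scanner, disk encryption) are the kind of thing management software checks for you; a small PowerShell script that does the same on one Windows 10 or Windows Server machine, as an added example (not NDI’s code nor that of any management product), with the 30-day update limit and 3-day signature limit as assumed thresholds:

```powershell
# Added example: basic-hygiene check for one Windows machine. Thresholds are assumptions.
$MaxUpdateAgeDays    = 30   # "months behind" is unacceptable; 30 days is an assumed limit
$MaxSignatureAgeDays = 3    # assumed limit for antivirus signature age

$findings = @()

# 1. Patch level: how long ago was the most recent hotfix installed?
$lastHotfix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastHotfix) {
    $findings += 'No installed updates found; check the Windows Update history.'
} else {
    $updateAge = (Get-Date) - $lastHotfix.InstalledOn
    if ($updateAge.TotalDays -gt $MaxUpdateAgeDays) {
        $findings += ('Last update {0} was installed {1:N0} days ago (limit {2}).' -f
            $lastHotfix.HotFixID, $updateAge.TotalDays, $MaxUpdateAgeDays)
    }
}

# 2. Virus scanner: are the Microsoft Defender signatures current?
#    (Get-MpComputerStatus belongs to the Defender module; report if it is unavailable.)
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp) {
    $findings += 'Defender status unavailable; verify that another managed scanner is running.'
} else {
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings += 'Real-time protection is switched off.'
    }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += ('Antivirus signatures are {0} days old (limit {1}).' -f
            $mp.AntivirusSignatureAge, $MaxSignatureAgeDays)
    }
}

# 3. Disk encryption: the OS volume and every fixed data volume should have BitLocker on.
#    (Get-BitLockerVolume needs administrator rights; report if it cannot be queried.)
$volumes = Get-BitLockerVolume -ErrorAction SilentlyContinue
if ($null -eq $volumes) {
    $findings += 'BitLocker status unavailable (module missing or insufficient rights).'
} else {
    foreach ($v in ($volumes | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' })) {
        if ($v.ProtectionStatus -ne 'On') {
            $findings += ('Volume {0} is not protected by BitLocker.' -f $v.MountPoint)
        }
    }
}

if ($findings.Count -eq 0) { 'Basic hygiene checks passed.' } else { $findings }
```

Run it in an elevated PowerShell session so the BitLocker query succeeds; each line of output is one item that would have been flagged by proper management software.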
And the last, but perhaps most important, point: just as with home security, technology is often not the weakest link. Unfortunately, that is often the user. What is and always will be important: keep using common sense! Be careful with ‘clicking on links’, never share passwords with others, ‘lock’ your PC when you walk away… Security is the responsibility of all of us, not only of the IT administrator and certainly not only of the security specialist!
It is vital to have the above things in order first; only then is it time for the ‘champions league’ of security, with pentests and white-hat hackers. Security is actually not that sexy at all, but very, very dull.