2022-02-04

Self-test

 


A young family member is currently having a difficult relationship with testing. As a good schoolboy, he does a self-test twice a week and this week he hit the mark: two red lines.

 The family was in turmoil for a while, because they had managed to keep COVID-19 outside for two years. What measures must be taken? Who should be informed? And above all, quickly arrange the official test at the GGD! (The public health service in the Netherlands.) Well, the latter was quite a hassle: the GGD was fully occupied and the boy was referred to a commercial testing facility a city away. Strangely enough, he could go there on the same day, whenever he wanted. Afterwards, it became clear why this facility was perhaps a little less popular: they did a rapid test and they did it very sloppily. The result was negative, but this young man wasn’t convinced and that is why he also did another self-test at home. Hey, negative too!

 The next morning, just to be sure, he did a self-test. And guess what: positive! That family didn't know what to do anymore. The consulted assistant of the family doctor advised, after hearing the story, to do another test at a real GGD facility. With the caveat that self-tests rarely give a false positive, in other words: assume that you have COVID-19. In the evening, the patient – who fortunately had only mild complaints – was able to visit the GGD, which is more than half an hour's drive from his hometown. The result took a while to come. No one was surprised that it was positive.

 As an IT person I have a hard time with such inconsistencies. However, I learned a long time ago that even computers are not always consistent. Thirty years ago I programmed in COBOL on the mainframe. One of the programs I was in charge of was the so-called day work, which – strangely enough – was run at night (it was batch processing; all input from that day was processed in bulk overnight). One day, late at night, the phone rang: the day work had crashed. Something similar had happened long before that and then I, together with a colleague, sat in the office all night to solve the error (no, you young people, one couldn't work from home in those days). I didn't feel like doing that again, so I told the operator to simply restart processing. Never heard of it again.

 Our security policy states that security features of a system should be tested, and that this also needs to be done after modifications to a system. When asked, the people who should be doing this tend to mumble that systems are of course tested, but only rarely do they fully agree that they pay explicit attention to the security functions. I know that’s difficult: they often have to deal with complex systems from various suppliers. The vast majority of those systems do not have security as their primary task; security features are often referred to as 'non-functionals'. Dear people, without security most information systems wouldn't be able to function at all, because we couldn’t trust them! So security is as functional as can be, albeit, admittedly, secondary to the tasks the system was built for.

 Testing is really necessary. You need to make sure that your processes and data are safe from curious but unauthorized colleagues, from hackers, from criminals and from spies. Sometimes a self-test is sufficient, sometimes you have to have a formal test done which is in fact a simulated hacking attack. For this we use nice terms such as attack & penetration test or the shorter penetration test (which in turn is abbreviated to pentest). Such tests are mandatory for us on all systems that are connected to the internet. We employ pen testers ourselves, but we also have contracts with external parties who do this work for us. When hiring pen testers, it is good to look at the reputation of both their employer and the individuals themselves. After all, you don't want these ethical hackers to overlook something that could be abused by a criminal hacker.

 Testing is not a binary activity: a negative result does not necessarily mean that there is nothing wrong and a positive result can also be a mistake. To make things worse, a negative result is received positively and a positive result is bad news. What genius thought that up?

This blog post has been translated from Dutch to English by Google and edited by the author.


 And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

... the GGD is still in a bad position with regard to privacy protection. [IN DUTCH]
https://www.destentor.nl/binnenland/ggd-laks-met-beschermen-privacy-oud-werker-kan-vanuit-huis-bij-jouw-data~a922a62b/

 … the Belgian Data Protection Authority has reprimanded the advertising industry.
https://www.dataprotectionauthority.be/iab-europe-held-responsible-for-a-mechanism-that-infringes-the-gdpr

 … your personal data can even leak through a font, and that is not allowed. [IN DUTCH]
https://blog.iusmentis.com/2022/02/03/duitse-website-verjudged-for-passing-ip-adress-visitor-via-google-fonts/

 … a German oil distributor is paralyzed by cybercriminals. [IN GERMAN]
https://app.handelsblatt.com/unternehmen/energieversorgung-cyberangriff-legt-oiltanking-tanklager-deutschlandweit-vollstaendig-lahm-tankwagen-beladung-ausser-betrieb/28023918.html

 … an oil terminal in the Netherlands is also down. [IN DUTCH]
https://www.nu.nl/tech/6181835/olieterminal-terneuzen-kampt-met-laad-en-los problem-na-cyber attack.html

 … we never hear much about malware for the Mac, but this one has evolved quite a bit.
https://arstechnica.com/information-technology/2022/02/mac-malware-spreading-for-14-months-is-growing-increasingly-aggressive/

 … there was another noteworthy message about Mac malware.
https://arstechnica.com/information-technology/2022/01/booby-trapped-sites-delivered-potent-new-backdoor-trojan-to-macos-users/

 … Spectre and Meltdown celebrated their fourth birthday.
https://www.kaspersky.com/blog/spectre-meltdown-in-practice/43525/

 … cybercrime is still on the rise. [IN DUTCH]
https://www.nu.nl/tech/6181243/fraudehelpdesk-ziet-laag-van-nummer-meldingen-over-cybercriminatuur.html

 … the Olympic Games are (of course) at risk of cyber attacks.
https://www.bleepingcomputer.com/news/security/fbi-warns-of-2022-beijing-olympics-cyberattack-privacy-risks/

 … athletes, journalists and other visitors to China are warned about digital espionage by the host country. [IN DUTCH]
https://www.nu.nl/tech/6180427/spionage-ligt-in-china-op-de-loer-maar-op-reis-kan-digitale-voorzorg-nooit-kwaad.html

 … yet another cryptocurrency trading platform was robbed.
https://www.bleepingcomputer.com/news/cryptocurrency/wormhole-cryptocurrency-platform-hacked-to-steal-326-million/

 ... from now on, forensic institutes worldwide will speak the same cyber language. [IN DUTCH]
https://www.forensischinstituut.nl/actueel/nieuws/2022/02/02/nfi-een-van-de-grondleggers-van-universele-cybertaal-die-internationale-bestrijding-tegen-criminatuur-makes easier

 … cyber criminals are getting smarter and richer.
https://www.securityweek.com/cyber-insights-2022-improving-criminal-sophistication

 … you can of course throw your laptop out the window when the police are coming for you. [IN DUTCH]
https://www.nu.nl/tech/6181270/verdachte-van-phishing-gooit-laptop-uit-het-raam-bij-inval-in-amsterdam.html

 
