Image from Pixabay
A young family member is currently having a difficult
relationship with testing. As a good schoolboy, he does a self-test twice a
week and this week he hit the mark: two red lines.
The family was in turmoil for a while, because they had managed
to keep COVID-19 out for two years. What measures must be taken? Who should be
informed? And above all, quickly arrange the official test at the GGD! (The
public health service in the Netherlands.) Well, the latter was quite a hassle:
the GGD was fully occupied and the boy was referred to a commercial testing
facility a city away. Strangely enough, he could go there on the same day,
whenever he wanted. Afterwards, it became clear why this facility was perhaps a
little less popular: they did a rapid test and they did it very sloppily. The
result was negative, but this young man wasn’t convinced and that is why he
also did another self-test at home. Hey, negative too!
The next morning, just to be sure, he did a self-test.
And guess what: positive! That family didn't know what to do anymore. The
consulted assistant of the family doctor advised, after hearing the story, to
do another test at a real GGD facility, adding that self-tests rarely
give a false positive; in other
words: assume that you have COVID-19. In the evening, the patient – who
fortunately had only mild complaints – was able to visit the GGD, which is more
than half an hour's drive from his hometown. The result took a while to come.
No one was surprised that it was positive.
As an IT person I have a hard time with such
inconsistencies. However, I learned a long time ago that even computers are not
always consistent. Thirty years ago I programmed in COBOL on the mainframe. One
of the programs I was in charge of was the so-called day work, which –
strangely enough – was run at night (it was batch processing; all input from
that day was processed in bulk overnight). One day, late at night, the phone
rang: the day work had crashed. Something similar had happened long before that
and then I, together with a colleague, sat in the office all night to solve the
error (no, you young people, one couldn't work from home in those days). I
didn't feel like doing that again, so I told the operator to simply restart
processing. Never heard of it again.
Our security policy states that security features of a
system should be tested, and that this also needs to be done after
modifications to a system. When asked, the people who should be doing this tend
to mumble that systems are of course tested, but they will only rarely confirm
that they pay explicit attention to the security functions. I know that’s
difficult: they often have to deal with complex systems from various suppliers.
The vast majority of those systems do not have security as their primary task;
security features are often referred to as 'non-functionals'. Dear people,
without security most information systems wouldn't be able to function at all,
because we couldn’t trust them! So security is as functional as can be, albeit,
admittedly, secondary to the tasks the system was built for.
Testing is really necessary. You need to make sure that
your processes and data are safe from curious but unauthorized colleagues, from
hackers, from criminals and from spies. Sometimes a self-test is sufficient,
sometimes you have to have a formal test done which is in fact a simulated
hacking attack. For this we use nice terms such as attack & penetration test or the shorter penetration test (which in turn is abbreviated to pentest). Such tests are mandatory for
us on all systems that are connected to the internet. We employ pen testers
ourselves, but we also have contracts with external parties who do this work
for us. When hiring pen testers, it is good to look at the reputation of both
their employer and the individuals themselves. After all, you don't want these
ethical hackers to overlook something that could be abused by a criminal
hacker.
Testing is not a binary activity: a negative result does
not necessarily mean that there is nothing wrong and a positive result can also
be a mistake. To make things worse, a negative result is received positively
and a positive result is bad news. What genius thought that up?
This blog post has been translated from Dutch to English by Google and edited by the author.
And in the big bad world…
This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.
… the GGD is still in a bad position with regard to
privacy protection. [IN DUTCH]
https://www.destentor.nl/binnenland/ggd-laks-met-beschermen-privacy-oud-werker-kan-vanuit-huis-bij-jouw-data~a922a62b/
… the Belgian Data Protection Authority has reprimanded
the advertising industry.
https://www.dataprotectionauthority.be/iab-europe-held-responsible-for-a-mechanism-that-infringes-the-gdpr
… your personal data can even leak through a font, and
that is not allowed. [IN DUTCH]
https://blog.iusmentis.com/2022/02/03/duitse-website-verjudged-for-passing-ip-adress-visitor-via-google-fonts/
… a German oil distributor is paralyzed by
cybercriminals. [IN GERMAN]
https://app.handelsblatt.com/unternehmen/energieversorgung-cyberangriff-legt-oiltanking-tanklager-deutschlandweit-vollstaendig-lahm-tankwagen-beladung-ausser-betrieb/28023918.html
… an oil terminal in the Netherlands is also down. [IN DUTCH]
https://www.nu.nl/tech/6181835/olieterminal-terneuzen-kampt-met-laad-en-losproblem-na-cyber attack.html
… we never hear much about malware for the Mac, but this one
has evolved quite a bit.
https://arstechnica.com/information-technology/2022/02/mac-malware-spreading-for-14-months-is-growing-increasingly-aggressive/
… there was another noteworthy message about Mac malware.
https://arstechnica.com/information-technology/2022/01/booby-trapped-sites-delivered-potent-new-backdoor-trojan-to-macos-users/
… Spectre and Meltdown celebrated their fourth birthday.
https://www.kaspersky.com/blog/spectre-meltdown-in-practice/43525/
… cybercrime is still on the rise. [IN DUTCH]
https://www.nu.nl/tech/6181243/fraudehelpdesk-ziet-laag-van-nummer-meldingen-over-cybercriminatuur.html
… the Olympic Games are (of course) at risk of cyber
attacks.
https://www.bleepingcomputer.com/news/security/fbi-warns-of-2022-beijing-olympics-cyberattack-privacy-risks/
… athletes, journalists and other visitors to China are
warned about digital espionage by the host country. [IN DUTCH]
https://www.nu.nl/tech/6180427/spionage-ligt-in-china-op-de-loer-maar-op-reis-kan-digitale-voorzorg-nooit-kwaad.html
… yet another cryptocurrency trading platform was robbed.
https://www.bleepingcomputer.com/news/cryptocurrency/wormhole-cryptocurrency-platform-hacked-to-steal-326-million/
… from now on, forensic institutes worldwide will speak
the same cyber language. [IN DUTCH]
https://www.forensischinstituut.nl/actueel/nieuws/2022/02/02/nfi-een-van-de-grondleggers-van-universele-cybertaal-die-internationale-bestrijding-tegen-criminatuur-makes-easier
… cyber criminals are getting smarter and richer.
https://www.securityweek.com/cyber-insights-2022-improving-criminal-sophistication
… you can of course throw your laptop out the window when
the police are coming for you. [IN DUTCH]
https://www.nu.nl/tech/6181270/verdachte-van-phishing-gooit-laptop-uit-het-raam-bij-inval-in-amsterdam.html