2022-07-22

Checklist

 

Image from Pixabay

The holidays are just around the corner. The guest bed, here behind me, is slowly filling up with things that must be carried along according to our extensive checklist. The car is shiny and polished in the garage, eager to go, knowing that it will have a dirty face halfway through the first day of travel. But hey, you still want to leave in a clean car, don't you?

We are currently using version 21 of our checklist, so it is quite a mature document. And yet it is also very dynamic: every year we come up with something that should also be included, and we also delete items because we never need them anyway. The first stage of deletion is: we don't need that on this trip. If this happens a few times, the item disappears from the list for good. That happens a lot on the children's list, but certainly also on the general list. The list also evolves with the way we go on holiday: we had a cottage-on-holiday-park phase, a mobile-home-on-campsite phase, and now we're in the private-house-with-pool phase. Each phase brings its own need for stuff. Of course, there are also things that will always stay on the list, no matter what the holiday looks like. There is always a need for underwear.

Long before I related the term checklist to holidays, I already knew that pilots work with checklists. One for take-off, another for landing, and countless others for in between, including for when things go wrong. All those checklists should ensure that pilots do the right things in the right order. Imagine the mess if a large Airbus were already on the ground while the landing gear still had to be lowered. Don't pilots know that themselves? Of course they do. And they certainly don't fly the entire flight from lists alone. But it does help them not to miss anything at the most exciting moments, when a lot has to be done and a lot can go wrong.

There is also a danger in such lists. Just as you used to know what the next song on the cassette would be (shuffle play was not possible on a sequential storage medium), you also come to know your checklists by heart. That can put you on autopilot, because you assume you already know what comes next. By the way, I have left the cockpit at this point, because as far as I know the pilots of passenger aircraft always complete the checklist together, which considerably reduces the chance of taking shortcuts. Elsewhere, routine can indeed lead to mistakes. Once you've finished this blog, check out this video.

When I look at my own work, I also see a few checklists. Only there they are called SOPs, Standard Operating Procedures. They have a slightly different character from a real checklist. They are more like manuals, as in: if you want to achieve that result, then you should do it in this manner. Convenient for new employees or for things you don't do that often, but also for tasks that consist of many or complex steps. Sometimes IT professionals find out too late that they should have done something. For example, this morning I had someone on the phone who reported that they had forgotten to perform a mandatory security test. Result: the plug was pulled on that application. A checklist could have prevented this.

Even for this blog I use a – modest – checklist. For example, it says that I have to check for certain spelling mistakes. I know Dutch rules like the back of my hand, but my fingers sometimes have a mind of their own when typing. And even though it's on my list that I should check for them, I sometimes manage to publish a blog with one of those mistakes. Fortunately, there is still an editorial team on the intranet, but that does not apply to the external publication. Which then results in a blush of shame on my cheeks. Any checklist only works if you use it properly.

And now it's time for the holiday checklist again!

The Security (b)log will return after the summer holidays.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

 

2022-07-15

Do you lock the front door?

 

Image from Pixabay

“Well, I thought it was password protected.” That's how a colleague reacted when it was pointed out to him that his team not only kept information in a questionable place, but that the information was also unprotected. And there were quite interesting things to read there.

That dubious place was a cloud service. And it turned out that a private account had been used for that service. All this left me completely flabbergasted. Let me explain why I feel so strongly about this.

To start with, the use of that cloud service. Is it really too much to expect our ICT specialists to know this simple rule: no cloud, unless? And to know that the 'unless' is rather limited? Yes, change is coming, and a cloud service can be very useful, but that doesn't mean you can go into the cloud on your own.

“Ah, haven't we bought this service? No problem, we can use my private account!” Why didn't anyone on that team shout out: “You can't be serious about that, can you?” Why was the person who suggested this idea not immediately and indignantly called to order? I'll explain it as simply as possible: use the boss's stuff for work (with some specific exceptions). If the boss doesn't offer what you need, you can ask whether it can be bought, but you don't bring anything from home.

And then there was also information that cannot bear the light of day. Fortunately, it wasn't business information, but nonetheless things that certain people know how to use, at the expense of our information security.

But the goofiest thing I heard was this: “Well, I thought it was password protected.” You should not think it, you should know it. Security doesn't happen by itself, folks. You have to do something about it. Not only in bad situations, as above, but also in normal situations.

Some people don't lock their front door when they go to run an errand. If you have a rather poor lock on your door, burglars will be inside within 1 to 2.5 minutes. They'll happily do that in broad daylight. A good lock (three SKG stars in the Netherlands) extends this time to 3-5 minutes, which is apparently long enough to deter crooks. But even if you don't lock the door, at least you close it. And if you're not sure whether you've done that, you turn around and check. In the digital world, we use passwords, among other things, to protect our digital content. If you're not sure whether you've protected access to a system, check it, from the outside and without your own credentials, rather than thinking: I'll be fine.
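One way to turn "check it" into something you can actually run, as an added example that is not from the original blog: a small Go program that requests a list of paths without any credentials or cookies and reports whether each one is readable, demands authentication, bounces to a login page, or does not exist. The demo server with its three sample paths is constructed for this example; against a real cloud service you would point Audit at that service's URLs instead. The names ProbeAnonymous, Audit and NewDemoServer are this example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Verdicts returned by ProbeAnonymous.
const (
	Open       = "open"       // content served to anyone who asks
	Protected  = "protected"  // 401 or 403: credentials are demanded
	Redirected = "redirected" // bounced elsewhere, typically to a login page
	Absent     = "absent"     // 404
	Error      = "error"      // anything else, or no answer at all
)

// ProbeAnonymous fetches url with no cookies or credentials and classifies the
// answer. Redirects are deliberately not followed: a login page that answers
// 200 after a redirect would otherwise look like readable content.
func ProbeAnonymous(url string) string {
	client := &http.Client{
		Timeout: 5 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	resp, err := client.Get(url)
	if err != nil {
		return Error
	}
	defer resp.Body.Close()
	switch {
	case resp.StatusCode == http.StatusOK:
		return Open
	case resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden:
		return Protected
	case resp.StatusCode >= 300 && resp.StatusCode < 400:
		return Redirected
	case resp.StatusCode == http.StatusNotFound:
		return Absent
	}
	return Error
}

// Audit probes every path under base and returns path -> verdict.
func Audit(base string, paths []string) map[string]string {
	out := make(map[string]string, len(paths))
	for _, p := range paths {
		out[p] = ProbeAnonymous(base + p)
	}
	return out
}

// NewDemoServer stands in for the cloud service: constructed sample paths,
// one of which is readable without any credentials at all.
func NewDemoServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/shared/notes.txt", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "team notes: not for outsiders") // constructed sample content
	})
	mux.HandleFunc("/private/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("WWW-Authenticate", `Basic realm="demo"`)
		http.Error(w, "authentication required", http.StatusUnauthorized)
	})
	mux.HandleFunc("/dashboard", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/login", http.StatusFound)
	})
	return httptest.NewServer(mux) // unregistered paths answer 404
}

func main() {
	srv := NewDemoServer()
	defer srv.Close()
	paths := []string{"/shared/notes.txt", "/private/", "/dashboard", "/missing"}
	for path, verdict := range Audit(srv.URL, paths) {
		flag := ""
		if verdict == Open {
			flag = "  <-- anyone on the internet can read this"
		}
		fmt.Printf("%-10s %s%s\n", verdict, path, flag)
	}
}
```

Two details matter in practice. A 403 from the service's front door is not proof that a direct link to an individual document is also closed, so probe the actual object URLs that people share, not only the landing page. And treat "redirected" as a prompt to look, not as a pass: follow the redirect by hand once and confirm it really lands on a login form.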

Do you think this story is about you? That doesn't mean it actually is. There have been cases where someone thought the Security (b)log was about him, while it was based on a different (but almost identical) case. Moreover, this is a blog, in which I can take the liberty of adding to stories, romanticizing them or even making them up completely – although I rarely do the latter.

If the shoe fits, wear it.

 


 

2022-07-08

How do you chat?

 

Image from Pixabay

“WhatsApp and Telegram, should I do something with those?” a colleague asked. My answer was as clear as a brook in the Alps: "Do not use for business."

Why do I have such a strong opinion about that? Because I've researched it, based on the question: from a security and privacy perspective, which instant messaging apps are best for business use, and which ones should you ignore? Security is essentially about whether the app uses solid encryption so that no one can read along – not even the messaging provider itself. Privacy is about the trust you can have in the way the provider handles user and traffic data. The latter is about who has contact with whom and when.

It is also interesting to look at the revenue model. An old saying goes: if something is free, you are the product. In other words: you pay by providing your details, such as name, e-mail address and date of birth, which the provider can, for example, sell to advertising companies.

The content of your messages is safe with WhatsApp. They are end-to-end encrypted and the keys exist only on the users' devices; WhatsApp itself cannot read them, so it cannot hand over message content to investigative or intelligence services even when asked. One caveat: a cloud backup of your chat history is not end-to-end encrypted unless you explicitly switch that on. But WhatsApp does fall short when it comes to privacy. The app comes to you from Meta, the advertising company of which Facebook is also a part. It is well known that Meta makes its money by using your data cleverly (that's why I call it an advertising company). If you don't like the idea – as an individual or as an organization – then you should not use WhatsApp.

Telegram is worse. That app is of Russian origin, although the company is no longer based there. It moves whenever the ICT regulations in its country of residence do not suit it. It is currently based in Dubai, although the company is legally based in the US and UK. The revenue model is vague: the founder says he has invested his own savings, and money has subsequently been raised from various investors. A more important point of criticism relates to security: end-to-end encryption is turned off by default (regular chats are only encrypted between you and Telegram's servers), and when you turn it on, in a so-called secret chat, you use a cryptographic protocol developed by Telegram itself rather than an established, widely reviewed one, which most information security officers frown upon. In addition, for all regular chats Telegram holds the key that encrypts messages, so the company can read messages or allow others to read them. Group chats can't be end-to-end encrypted at all.
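To make the difference between "the keys are only on the user's device" and "the provider holds the key" concrete, here is an added example in Go (not from the blog, and not any of these apps' actual protocol) that models both designs with real primitives from the Go standard library: X25519 key agreement and AES-256-GCM. In the provider-held-key design the server decrypts every message on the way through; in the end-to-end design the same relay can only forward bytes it cannot open. The names Party, Server, ServerKeyChat and EndToEndChat are this example's own, and the message text is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party is a user (or the server) with an X25519 key pair.
type Party struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewParty(name string) *Party {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, priv: priv}
}

func (p *Party) Public() *ecdh.PublicKey { return p.priv.PublicKey() }

// SharedKey turns the X25519 agreement with peer into a 256-bit AES key.
// Real messengers run this through a KDF and a ratchet; a plain hash keeps
// the example short without changing the point being made.
func (p *Party) SharedKey(peer *ecdh.PublicKey) []byte {
	secret, err := p.priv.ECDH(peer)
	if err != nil {
		panic(err)
	}
	k := sha256.Sum256(secret)
	return k[:]
}

// Seal encrypts with AES-256-GCM; the output is nonce || ciphertext.
func Seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; ok is false for a wrong key or a tampered blob.
func Open(key, blob []byte) (plaintext []byte, ok bool) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(blob) < gcm.NonceSize() {
		return nil, false
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	return pt, err == nil
}

// Server is the messaging provider. It holds a key pair of its own and the
// public keys its users registered, so it can derive a transport key with
// each user, but never the key two users derive with each other.
type Server struct {
	self  *Party
	users map[string]*ecdh.PublicKey
}

func NewServer() *Server {
	return &Server{self: NewParty("server"), users: map[string]*ecdh.PublicKey{}}
}

func (s *Server) Register(p *Party) { s.users[p.Name] = p.Public() }

// tryRead is what the provider, an intruder on its servers, or an authority
// with a warrant can do: try every key the server holds against the blob.
func (s *Server) tryRead(blob []byte) (string, bool) {
	for _, pub := range s.users {
		if pt, ok := Open(s.self.SharedKey(pub), blob); ok {
			return string(pt), true
		}
	}
	return "", false
}

// ServerKeyChat models the provider-holds-the-key design: the sender encrypts
// to the server, which decrypts, can read, and re-encrypts for the recipient.
func ServerKeyChat(alice, bob *Party, srv *Server, msg string) (serverSaw, bobGot string) {
	uplink := Seal(alice.SharedKey(srv.self.Public()), []byte(msg))
	var ok bool
	serverSaw, ok = srv.tryRead(uplink)
	if !ok {
		panic("server should hold the uplink key")
	}
	downlink := Seal(srv.self.SharedKey(bob.Public()), []byte(serverSaw))
	pt, _ := Open(bob.SharedKey(srv.self.Public()), downlink)
	return serverSaw, string(pt)
}

// EndToEndChat models the keys-only-on-devices design: Alice encrypts for
// Bob's public key; the server relays bytes it cannot open.
func EndToEndChat(alice, bob *Party, srv *Server, msg string) (serverCouldRead bool, bobGot string) {
	blob := Seal(alice.SharedKey(bob.Public()), []byte(msg))
	_, serverCouldRead = srv.tryRead(blob)
	pt, _ := Open(bob.SharedKey(alice.Public()), blob)
	return serverCouldRead, string(pt)
}

func main() {
	alice, bob, srv := NewParty("alice"), NewParty("bob"), NewServer()
	srv.Register(alice)
	srv.Register(bob)
	saw, got := ServerKeyChat(alice, bob, srv, "meet at 10") // constructed message
	fmt.Printf("provider-held key: server read %q, bob got %q\n", saw, got)
	couldRead, got := EndToEndChat(alice, bob, srv, "meet at 10")
	fmt.Printf("end-to-end:        server could read: %v, bob got %q\n", couldRead, got)
}
```

What the example isolates is the only property that matters for the question in this post: whoever does not hold the recipient's key, the relay included, learns nothing from the ciphertext, and tampering with it makes decryption fail. Real messengers add a key derivation function, per-message ratcheting and key verification (the safety numbers or QR codes you compare with a contact) on top of the bare agreement used here; they do not change that property, and no amount of server-side encryption substitutes for it.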

Are you shocked? Fortunately, there are also chat apps available that can withstand scrutiny fairly well. Within Dutch central government, we can use Webex, which we also use for online meetings. This app from the American company Cisco is hosted for us in Amsterdam, which is convenient for privacy. The privacy and security aspects have been extensively researched and approved.

If you look at publicly available chat apps, two stand out positively: Threema and Signal. The Swiss company Threema prides itself on letting users remain anonymous and on complying with the GDPR, and its message encryption is also very good. All this comes with a price tag: from a small one-time fee for consumers to a monthly fee per device for business licences. This makes Signal interesting: it is free and yet not commercial, because the app is run by a non-profit foundation and financed by donations. Leading cryptographers and privacy advocates prefer Signal, which gives me confidence that both security and privacy are top notch.

A while ago I noticed a team manager turn white when I asked him if his team uses Telegram (I'd heard something like that). He was genuinely shocked when he realized that this wasn't such a good choice. His team quickly switched to Signal after that. Many other teams have already made the switch. Who follows?

 


 


2022-07-01

That's how we do it

 

The Media Park in Hilversum is not an obvious work location for me. And yet I went to work there last Friday, on the eleventh anniversary of the Security (b)log. Despite the fact that the nation’s radio and tv stations call this place their home, no camera was involved, not even a microphone. I wasn’t there for them, but for a group of students of Make IT Work, a retraining program of the Amsterdam University of Applied Sciences.

The first sentence about this training on their website reads: “A Security Specialist is responsible for the operational aspects of information security.” And yet I was there to give a guest lecture on risk analysis. At first glance, that topic does not seem to fit with operational aspects, but when I was approached for this guest lecture and we discussed the topic, we came up with this anyway. Later, when discussing my draft, I got the suggestion to leave out certain somewhat more theoretical parts, “because these students are doers”. So I went to Hilversum with mixed feelings; I had a good story in my pocket, but would it also work with this group?

As you would expect in a retraining programme, the audience was very diverse. Someone who had worked in the offshore industry, and someone who had studied law but had never done anything with it, for example. But each and every one of them was on the edge of their seat, asking questions that made it clear that this topic hit the mark. In fact, I have rarely been in front of a group that was so interested and motivated. That makes me enthusiastic myself, and I seem to radiate that; it already gave us a new teammate a few years ago.

So my story was about risk analyses, but it started with the Baseline Information Security for Dutch government bodies (BIO). Because that document clearly states that all activities have to be risk driven. Even without that obligation, the organizational unit where I worked a few years ago, our data center, already realized that risk analyses are important and useful, and the board therefore decided that every service provided had to undergo a risk analysis. Such a decision is extremely important: now I don't have to knock on a team's door and ask if I may please come and do a risk analysis; instead, they ask me if I can come and help with this exercise. Management is not only responsible, but also in the lead. Nowadays I work for the Chief Technology Officer (CTO) of our ICT organisation, but our work on risk analyses has remained the same.

Back to my students. It was inevitable that I first threw some theory about the BIO and risk analysis at them, but then we dived into practice: we actually did a bit of risk analysis, just as I would do it in the office. One of their teachers had told me that the group was fascinated by the 2011 DigiNotar debacle (in short: DigiNotar was a digital certificate authority, was hacked, and kept quiet about it; read more on Wikipedia). The subject of our risk analysis therefore was: certificate management. We covered some threats from the risk analysis list and discussed them as if the students were responsible for certificate management. It gave them some nice eye-openers, but above all insight into what a risk analysis actually entails.

The organization had scheduled two hours for my guest lecture. When I asked just before the end if I was free to overrun my time, they replied with eagerly nodding heads. I ended up standing there for over three hours. Afterwards, the students told me what made my story unique: I was the first guest teacher to tell and show how we do our work in real life. I recalled the comment that these students are doers. I had interpreted that as a kind of level indication, but now I know that these people have much more to offer than carrying out operational tasks. 'Doers' here also means: people who know how to tackle complex matters with the help of the right tools. Exactly what a university of applied sciences stands for.

 


 
