2022-12-16

Dear manager

Image by author

Dear manager, I have received some complaints about you. You are said to dismiss signals about non-compliance with security regulations, or to devise a rationale that makes it look like those regulations are being complied with. Because I like to help people fulfill their responsibilities, we need to talk about this.

You are not one specific manager, nor do you work for a specific part of our large organization. Your level also does not matter: this phenomenon can occur anywhere in the organization at team, department and board level. In fact, I am convinced that you also exist outside my own organization. And furthermore: if the shoe fits, wear it.

The most misused word in information security has been dropped once again (and its translation from Dutch isn't straightforward): actually, really, fundamentally. The manager who listens to an employee's complaints and then says that he is "actually/really/fundamentally" right, but that he can't do anything about it, or that that's the way things are. Undoubtedly some managers will say that they can decide on this deviation, because they are managers. Yes, managers are indeed here to make decisions, but not all managers can decide on all matters. And sometimes someone oversteps their mandate on this difficult subject, possibly without realizing it. Think about whether a particular decision fits within your mandate.

But most complaints that come to my attention are not that difficult at all. These concern, for example, key boxes with the key lying on top of the box, or with the code written on a sticky note within one metre of that box. A physical key is indeed awkward if you have to share it with several people, but everyone can easily record the code of a combination lock in (surprise!) their password manager. I am not in favor of mandatory periodic password changes, but the codes of physical locks should be changed regularly, because otherwise the worn-out keys will reveal the code.

Our internal mail offers the possibility to encrypt sensitive messages. One easy-to-place check mark ensures that the e-mail and any attachments can only be viewed by the addressee(s); delegates only see a white screen. Consider this option when sending personal data about customers or employees, for example, and bear in mind that the GDPR is a pretty strict law. This tip is of course for everyone, but I expect managers to propagate it.

Sometimes it is useful to immediately include the relevant documents in a meeting invitation. No problem, as long as those documents do not contain confidential information. Because in my organization most calendars are accessible to all colleagues, they can also read the attachments. But you just don’t want an appointment for an employee interview to contain an assessment form, do you? So don't put confidential information in the invitation, but send a separate email. In the invitation you can then include something like “see my email from 16-12-2022 09:56”.

As you can see, it's often the little things that you as a manager can do, without having to perform major deeds. When managers show that they take security seriously, this also has an effect on their employees. If the manager takes it less seriously, many employees will also shrug their shoulders.

Let's help the managers. For example, if you are a business security officer or a data coordinator (a role linked to the GDPR) and you see that something is not going well, then talk to management about it. If necessary, skip levels, while making sure that you have a well-founded story. In short: take your responsibilities seriously and make sure that management does too.

Our own manager gave us a Christmas bauble (thanks, Ton). An unbreakable one, he added explicitly. We must be equally unbreakable when it comes to complying with security rules – and that is not the same as rigid. Another team manager brought me a Christmas bauble from a conference in London (thanks, Robin). Managers who think about security even far beyond their work – that’s the kind we need.

The Security (b)log will return after the Christmas holidays.

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2022-12-09

Dicey ticks

Image from Pixabay


It was cold, dark and wet when I left the house before seven yesterday morning to travel to Amsterdam. On the way to a congress that started at nine and would not close until half past five. I considered leaving a bit early, especially since the last part was a panel discussion, which I rarely find interesting. Luckily I didn't.

The panel included information security professionals from the banking and insurance world. The facilitator asked his first question: “What do you see as the biggest threat to information security?” You would expect the standard answers: ransomware, phishing, budget. But no. One participant took the floor firmly and said: “Compliance is our biggest threat.” Boom! The room didn't react that way, but inside I did. That man spoke straight from the heart. Let me explain.

Simply put, compliance is complying with laws and regulations. Don't get me wrong – of course we have to comply with laws and regulations, especially since we are a government organization. However, we have gone too far, because we no longer do many things to optimally secure the organization, but to tick all the boxes and thus satisfy the auditors.

For example, we must comply with the BIO, the Dutch Government Information Security Baseline. The BIO consists of about 250 controls (based on ISO 27002). You must comply with every control, unless you have a good reason not to (comply or explain). You have to go through all those controls anyway, if only to determine whether they apply to you. You must then either explain why you do not have to comply, or provide proof that you comply. You look for the gaps between the rules and the actual situation: you do a gap analysis.

And then you can also look at three different stages: set-up, existence and operation. Set-up means that a control has been documented, for example in policy or a design. Existence means that the documented measure has actually been taken, and for operation the control must have proven to be effective several times. Actually, "stage" isn't the right word. It’s not necessarily first set-up, then existence and finally operation. I know of countless situations where a control has worked fine for years without ever being documented. Operation then earns a green tick, while set-up scores red.

In recent years, we have performed this exercise at our data center. Not for the data center as a whole, but for each individual service that data center provides to its customers: networks, mainframe hosting, endpoints (for example your laptop) and countless other things that I never even suspected existed before. Apart from the fact that this operation has provided us with a lot of insights, it was also a huge job.

Our organization is of course much more than just a data center. And what do you think: the entire organization must comply with the BIO. A higher level of abstraction is needed for that. A few years ago we divided all those BIO controls among the organizational units. In a number of major meetings, responsibility and accountability were determined. The IT department, which also includes the data center, garnered 42 measures (I can't suppress a nod to The hitchhiker's guide to the galaxy here on my bookshelf). The other controls fall under the responsibility of other organizational units. And despite the limited number of measures that we have to implement, it is a hell of a job. Tough work too, because it is often difficult to retrieve the necessary information. Despite the higher level of abstraction, you still need detailed information to substantiate your statements.

And all this compliance, the panel sighed at the congress, swallows up all the time and money, leaving nothing left to actually improve security. In the hunt for green checkmarks, the heart of the matter is overlooked and the illusion of security is created. We are so busy polishing the car that we don't get around to solving shortcomings under the hood. While that is much more important than the outside.

Let's use lists like the BIO primarily to address and solve security issues in a practical sense. Compliance then follows naturally – not as a goal, but as a by-product.

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2022-12-02

Passwords once more

Image from Pixabay

Last week's Security (b)log, titled Passwords – yes, again, raised a number of questions worth answering for a wider audience. So here we go, passwords once again!

A remarkable password system came along, which in weighty language could easily be labeled zero knowledge. If a site asks for a password, the user clicks on "forgot password" every time. Usually the site then sends a recovery message to the e-mail address on file. The link in that email takes him to a page to set a new password. There, the user randomly hits a bunch of keys, making no effort to remember the new password, because next time he will just do the same thing again. Allow me to share my thoughts about this.

My first two thoughts are: "hey, how creative" and "wow, how laborious". The combination of those two thoughts is: perfectly usable for accounts that you rarely visit. Like when you're ordering a gift from a site you've never been to before and probably won't need for a while, but they insist that you create an account. I think it's fine to use this system in that case. But for accounts that you need more often, it seems less useful to me; it's just too cumbersome to get in. Another tip: first type the password in Notepad or in a new Word document and copy it from there to the password fields, as otherwise you will struggle to enter the same random password in the second password field. Then close the file without saving it. By the way, do you know who is really good at coming up with those kinds of passwords? Password managers… (see below).

This system also makes it clear that it is very important to properly protect your email. After all: if an attacker has access to your mail, he can also click on “forgot password” everywhere and then gain access to all those sites via the recovery message – under your name.

Some people are skeptical about password vaults. Are those apps safe? Wouldn't there be a back door after all? The honest answer: we don't know, at least not with certainty. You see, a password manager is software, and software by default contains errors. Some of those errors affect the security of the product. Moreover, such an app usually does not run in isolation on your device, but synchronizes the data via the cloud, so that you can use your vault on all your devices. In other words, your passwords are usually not only on your device, but also on a computer somewhere in the world. By sheer accident, I just received an email this morning from LastPass, the password manager I used before. There was "unusual activity" in the cloud service they used. Hackers could view user information. But, they insist, the passwords are encrypted and because you're the only one who knows the key, they're not at risk. They leave it open whether those encrypted passwords have been captured. But I don't believe in deliberately installed back doors, as long as you don't use password managers that come from suspicious countries such as Russia or China. Some products are open source, which gives anyone the opportunity to turn the program inside out (whether that actually happens is another matter). And perhaps a malicious person will find a vulnerability first.

The mandatory use of a mix of upper and lower case letters, numbers and other characters also raises questions. The most important element of a good password is its length, but the number of characters you can choose from also makes a difference. If you only use lowercase letters, an attacker trying to guess your password has a 1 in 26 chance per character of getting it right. If you also use capital letters, the chance decreases: 1 in 52. If you also add numbers and other characters, the chance of guessing correctly becomes even smaller. This then combines with the length of the password: with a password of 3 characters with only lowercase letters, the number of possibilities is 26*26*26 = 17,576. If you also use capital letters, you can already create 52*52*52 = 140,608 different passwords. With password length 8, you go to nearly 209 billion and nearly 53.5 trillion possibilities, respectively. Note that expanding the character set in the 3-character example gives only eight times as many possibilities, while making the password longer (from 3 to 8 lowercase letters) gives twelve million times as many possible passwords. That seems crazy, but remember that attackers often put a lot of computers to work to crack passwords. Many hands make light work!
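The arithmetic in the paragraph above generalizes to any alphabet size and length, and the point about "many hands" becomes concrete once you divide the search space by a guess rate. The following calculator is an added example written for this post, not code from the blog; the guess rate of ten billion guesses per second is a constructed assumption used purely for illustration, and `equivalent_length` shows how many lowercase-only characters it takes to match a shorter mixed-case password.

```python
import math

LOWER = 26          # a-z
MIXED = 52          # a-z plus A-Z
MIXED_DIGITS = 62   # a-z, A-Z, 0-9


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters.

    Each position can independently take any of `alphabet_size` values,
    so the space is alphabet_size ** length (26**3 = 17,576 in the post).
    """
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must be positive")
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Same quantity expressed in bits: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every password at a fixed rate.

    The rate is an assumption supplied by the caller; real cracking speed
    depends on the hash algorithm and on how many machines are used.
    """
    return keyspace(alphabet_size, length) / guesses_per_second


def equivalent_length(alphabet_size: int, length: int, target_alphabet: int) -> int:
    """Smallest length over `target_alphabet` whose keyspace is at least as large
    as keyspace(alphabet_size, length). Shows that a few extra lowercase letters
    outweigh a richer character set."""
    needed_bits = entropy_bits(alphabet_size, length)
    return math.ceil(needed_bits / math.log2(target_alphabet))


def growth_factors(short: int, long: int, small_alphabet: int, big_alphabet: int) -> tuple[int, int]:
    """Return (factor from widening the alphabet at the short length,
    factor from lengthening the password at the small alphabet)."""
    wider = keyspace(big_alphabet, short) // keyspace(small_alphabet, short)
    longer = keyspace(small_alphabet, long) // keyspace(small_alphabet, short)
    return wider, longer


if __name__ == "__main__":
    # Constructed assumption: a well-equipped attacker with 1e10 guesses/s.
    RATE = 1e10
    for alphabet, name in ((LOWER, "lowercase"), (MIXED, "mixed case"), (MIXED_DIGITS, "mixed+digits")):
        for length in (3, 8, 12, 16):
            days = seconds_to_exhaust(alphabet, length, RATE) / 86400
            print(f"{name:>13} len={length:2d}: {keyspace(alphabet, length):>30,d} "
                  f"({entropy_bits(alphabet, length):5.1f} bits, {days:,.2f} days)")
    wider, longer = growth_factors(3, 8, LOWER, MIXED)
    print(f"widening 3 chars to mixed case: x{wider}; lengthening 3->8 lowercase: x{longer:,}")
    print(f"lowercase letters needed to beat 8 mixed-case: {equivalent_length(MIXED, 8, LOWER)}")
```

Running it reproduces the post's figures (17,576; 140,608; about 209 billion; about 53.5 trillion) and shows that ten lowercase letters already exceed the space of eight mixed-case ones, which is why the length of a password matters more than the complexity rules a site enforces.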

In summary: use long passwords, preferably generated by and stored in a reliable app. And as always: turn on two-factor authentication/two-step verification wherever possible.

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

Gyro Gearloose

Image from Pixabay

Gyro Gearloose is a crane after my own heart. He can invent a genius device to order, or he has something lying around ...