2025-01-17

The invisible king



His Majesty the King has been pleased to honor us with a visit. Although I myself had a meeting at the office yesterday, I didn’t see him. The traces of the royal visit were visible though: I was awaited by many security guards in the morning and in the afternoon there were almost no seats in the canteen because most chairs were still arranged in theater style. But most importantly, the theme of the visit was indeed digital security.

The king followed more or less the same program that all dignitaries are presented with: the printing line, the data center and the Security Operations Center (SOC). Because, well, those are the only tangible things we can show - the rest consists of knowledge and offices. I wasn’t there myself, but luckily some TV shows were present so we can watch some footage of the visit.

Our printing line is quite impressive (the enthusiastic team manager has also shown me around once). Large rolls of blank paper are printed with all kinds of documents. At the back of the meter-long machine, they come out of the printer as individual letters, to then be pushed into blue envelopes at dizzying speed in the envelope inserter. Mainly because of that speed, it is important that the equipment monitors the smooth running of things. The letters are weighed – not to determine how many stamps should be on them, but to check whether there is accidentally one sheet too many or too few in an envelope somewhere. Each letter has an optically readable code, so the letter itself knows how many sheets of paper long it is.

The data center is another place that you as a normal mortal cannot enter. You only enter if you have business there. The king was on a working visit and was therefore allowed in (at least, that is what I assume – I have not seen any images of it). Hopefully they kept royal earplugs available, because if they really did enter the corridors where hundreds of servers are blowing, then they certainly came in handy. It is well outside my area of expertise, but this form of safety is also important. And for the rest, as I said, it is mainly a matter of keeping out everyone who has no business being there. We have various physical security measures for that.

On the other hand, there are the logical security measures, which ensure that employees can only do the things they are authorized to do, that potential intruders are kept out and that attackers who want to make our lives miserable are disappointed. But these measures are not visible, so why did the king visit the SOC anyway? Well, the SOC is not a normal space. The workstations are arranged in battle order, each with no fewer than four screens. A large video wall draws everybody’s attention and SOC employees notice immediately if a value goes into the red somewhere. There really is something to see at the SOC, even if you hardly understand what you are seeing.

When the king goes somewhere, he is surrounded by visible and invisible security measures. We also have to deal with this in information security. The security of the print line and the data center comprises, just like the space of the SOC, visible components. But in addition to that, we have many more things and especially people who ensure that not only our information security, but also our continuity and privacy are guaranteed. There is little to see in such a system, even for a layman of royal blood, and those many colleagues who deal with these matters on a daily basis – well, they are also just ordinary, hardly worth seeing people. And that is why the king did not join our team for tea.

Therefore, here is a generous shout-out to all those colleagues who, when managing their system or creating their application, are not only concerned with the actual functionality, but also take into account all the security requirements that are set (I know how difficult that can be). And also to all colleagues who realize in their daily work that adequate security is a matter for all of us. And, last but not least, to the colleagues in my own team, who do their best every day to make the rest of the organization color within the lines. All that work is invisible, no king comes to look at it. But that doesn’t make it any less important.

 


2025-01-10

Enlightened minds


Did you know that no less than 78% of people between the ages of 18 and 65 use a password manager? And that even more than eighty percent of youngsters use one? The vast majority of people are sensible and use a different, strong password for all their accounts, and they allow themselves the convenience of automatic login. Are you already participating?

I made up the above figures. “Ooooh, shame on you!”, I hear you think. Let me explain how I arrived at that. I feel cheated myself. By an article that appeared in the newspaper the day before yesterday under the headline: ‘The cyclist without lights is now noticeable – Good lighting is the norm thanks to clip-on lights and e-bikes’. A traffic psychologist (I didn’t know this profession existed) explains in the article that people are trend-sensitive herd animals; if it is obvious in your ‘subculture’ to turn on the lights, then you will do so too. According to the psychologist, the general view used to be: frumpy old people have bicycle lights and young people don’t (I prefer to make the distinction between smart and stupid). Moreover, it is becoming increasingly easy to have lights on thanks to cheap, rechargeable lights and the e-bike. Not having lights on would then be a conscious choice.

I disagree with that article on so many points that I hardly know where to begin. Well, to start anyway: where on earth did they investigate this? Certainly not in my city, where I often encounter unlit cyclists who are also wearing dark clothing. When I encounter such a person, I sometimes shout: “Light on!” A boy recently snapped back: “The light is broken, man!” There is also a lot of junk among those loose lights. Some of them barely give more light than a candle – I call them ‘shame lights’, because their only purpose is to be able to triumphantly say: “Look officer, my bike does have lights!” Those people simply don’t understand that good lighting is crucial for their own safety.

The newspaper article got me thinking. How is it possible that I read something in the newspaper that does not match my own experience at all? Okay, I am willing to believe that things are less bad than they used to be, but all this cheering about how great things are these days goes way too far for me. The article itself seems to answer my question: If psychology dictates that we do things to avoid being left out, then you can also use that mechanism to influence people. If you write in the newspaper that most people obediently cycle with lights, then you can use that to encourage dark citizens to turn the corner, because who wants to be left out?

And that's how I arrived at my fake figures about password managers. With the final remark "Are you already participating?" I even pushed you a little more. Because it's pretty important that everyone starts using those tools. It used to be easy: you had one password and no one else was interested in it. Nowadays you have dozens of accounts and there's a cybercriminal on every digital street corner. That's a dangerous combination, and there's another important factor: not all sites and companies where you have an account protect your data equally well. Sometimes user data is stolen during a hack and the criminals manage to crack the passwords. If you use the same password for multiple accounts, they're all at risk. By the way, do you know what your most important account is? No, not your bank. Your email. Because someone who has access to your email can click on "Forgot password" anywhere and, using the emails that result, set a new password. That locks you out and the criminal can do all sorts of things under your name.

An equally important measure is two-factor authentication (2FA), which ensures that you can only log in after you have performed an additional action via another device (for example, entering a code or swiping your finger). This prevents someone who has your password from logging in to that account. So turn it on wherever possible. Did you know that more than seventy percent…

You may find it patronizing to shout “Lights on!”. However, I do this out of pity for the motorist who will sooner or later knock an unlit cyclist off their socks. And when I say to you: “Password manager and 2FA on!”, it’s also with the best intentions. And one more thing: watch out for fake messages.

 
