Apart from warnings about specific threats and the corresponding security tips, it is worth taking a general look at what security actually means in IT. And since this is the 200th post on my blog, I'll use the occasion to make a few basic observations.
Security from a User and an Expert Perspective
In 2015, Google presented a comprehensive survey of security practices ("...no one can hack my mind": Comparing Expert and Non-Expert Security Practices, Ion, Reeder and Consolvo, SOUPS 2015). The data from this study allow the security practices of experts and ordinary users to be compared with one another. The (English) diagram there lists very different approaches, in descending order of how often they were named:
User
1. Use free antivirus software
2. Use strong passwords
3. Change passwords often
4. Only visit known websites
5. Do not share personal information
Experts
1. Install software updates
2. Use unique passwords
3. Use two-factor authentication
4. Use strong passwords
5. Use a password manager
It is particularly noticeable that antivirus software is not very important to the experts, while users neglect updates. Experts know that security is primarily a process that requires ongoing work on the system, above all in the form of updates and patches. Users often make it too easy for themselves: they believe that an antivirus program offers permanent and reliable protection, and I often observe that users do not even keep these programs updated, or that their failure due to some error goes entirely unnoticed.
Security as a Process
In IT, security is not a state that persists once it has been set up. A car with airbags, crumple zones, seat belts, ABS, ESP and so on will still offer the same level of safety in an accident in 20 years as it does today, provided the components are not defective. The safety of a computer system, by contrast, erodes at high speed. New security problems, more or less serious and more or less easily exploitable, are discovered regularly and must be eliminated. For this reason, updates are the top priority for experts. All types of software, not just the operating system, must be kept constantly up to date. Unfortunately, I often observe a certain reluctance to do so among users, or even incomprehension of update messages. Almost every computer I look at reports update notifications for Java, Flash, Acrobat or other programs immediately after startup, notifications that have been ignored for months. This is one of the most common security mistakes users make: updates are extremely important.
The update practice of Windows (and unfortunately also of Adobe, for example) with its monthly patch day has long been out of date; out-of-band patches for critical flaws are the exception, not the rule. Updates and patches should really arrive at least daily. An even faster cycle is common for antivirus programs, at least for paid versions. Under Linux, it is not unusual for the system to report updates once a day. Security gaps are closed very reliably there, usually within a few hours of becoming known. With Windows, you have to let a whole month or more pass before you finally get a little more security.
In the mobile sector the situation often looks even worse, since updates, at least for the operating system, usually stop appearing entirely after a short time. Android receives updates from device manufacturers slowly and not for long, even though Google actually provides them; Windows 10 Mobile reaches end-of-life after less than two years; and even on the desktop it looks exactly the same if you avoid the complete operating system upgrades that ship under the name "Windows 10": a Windows 10 from the first hour is already cut off from the update cycle unless the system is replaced wholesale by the Creators Update. The situation is somewhat better with iOS, where devices enjoy system upgrades for a little longer.
The security of a system is therefore only guaranteed if something is constantly being done for it: above all ongoing updates, but also ongoing training and vigilance.
In the Crosshairs of the Attacks
By no means every security problem is actually used for real attacks. The mere number of closed or open gaps therefore does not necessarily say anything about the actual security situation. Many technical loopholes that the press portrays as particularly dangerous can only be exploited under special circumstances or with extensive preparation. Often this never happens at all. And attackers increasingly no longer need to concentrate on technical weaknesses.
Practically every attack can be placed on a scale between two extremes. At one end of this scale are attacks on security gaps that take place entirely without user interaction; at the other end are attacks on the user himself, who is manipulated into installing malware or disclosing data without any technical gap being exploited (phishing). Most attacks lie between these extremes, although I have observed in recent years an increasing shift towards the user. This means that the user is increasingly being manipulated into helping to infect his own system. On the one hand, systems are becoming more secure, which makes fully automatic infections more difficult; on the other hand, more and more users lack even the simplest basic knowledge. It is much easier to attack humans than machines.
What the User Should Do
Let's take another look at what users who follow the list above do for their security.
Antivirus Software
I have written about antivirus software very often. It only makes sense on Windows systems (and possibly on e-mail servers, to sort out dangerous attachments), and it can itself represent a major security risk. If it is maintained, it does offer additional security: but if it detects malware, that malware has already got much further than it ever should have. If a malicious e-mail attachment reaches you, the virus scanner did not remove it in time. If you can open it and the scanner still does not react, the virus protection has failed completely. The protective value of virus scanners is in fact declining. Relying on it alone is a huge mistake.
Passwords
Security-conscious users use strong passwords according to the list (points 2 and 3) and change them. Apart from updates, all four other points on the expert side have something to do with passwords. So here there is some agreement.
Strong passwords are unfortunately very difficult to remember. What many users consider a strong password is often far weaker than they think. And anyone who does remember a strong password but uses it for many services weakens it, because it only has to be stolen from one place to be misused everywhere else. Once a strong password is known, it is worthless everywhere. That is why experts rely on passwords that are not only strong but unique.
For this purpose, experts use password managers, i.e. programs that manage the passwords themselves and only require a master password from the user. I myself prefer a password derivation scheme in which I can construct an individual and secure password from the name of the service without having to write it down or learn it by heart. Both approaches support the use of different secure passwords for all services. If one of the passwords becomes known, the other services are still secured.
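The derivation idea above can be made mechanical. The following is an added example, not the author's own mental scheme and not code from any password manager: it derives a distinct password for each service from one master secret plus the service name, using only Python's standard library. The master secret, the service names, the output alphabet, the 16-character default and the iteration count are assumptions for the demonstration.

```python
"""Deterministic per-service password derivation (added example).

One master secret plus the service name yields a password that is
individual to that service, without storing anything. The master
secret, service names, alphabet and parameters below are assumed for
illustration.
"""
import hashlib
import hmac
import math
import string

# Characters the derived password may contain (assumed policy).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def derive_password(master_secret: str, service: str, length: int = 16,
                    counter: int = 0) -> str:
    """Derive the password for `service` from `master_secret`.

    - PBKDF2-HMAC-SHA256 makes guessing the master secret expensive if a
      derived password and its service name leak together.
    - The normalized service name is the salt, so one secret yields
      unrelated passwords for different services.
    - `counter` rotates a single service's password after a breach
      without touching the master secret (the weak spot of a purely
      mental scheme).
    """
    if length < 4:
        raise ValueError("length too short to be useful")
    salt = f"{service.strip().lower()}|{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master_secret.encode(), salt,
                              iterations=200_000, dklen=64)
    # Map key bytes onto the alphabet with rejection sampling, so every
    # character is uniform (a plain modulo would bias the low values).
    limit = (256 // len(ALPHABET)) * len(ALPHABET)
    chars, idx = [], 0
    while len(chars) < length:
        if idx >= len(key):
            # Out of key material: extend it deterministically.
            key = hmac.new(key, b"more", "sha256").digest()
            idx = 0
        b = key[idx]
        idx += 1
        if b < limit:
            chars.append(ALPHABET[b % len(ALPHABET)])
    return "".join(chars)


def entropy_bits(length: int = 16, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly drawn password of `length` characters."""
    return length * math.log2(len(alphabet))


def demo() -> dict:
    master = "correct horse battery staple"  # assumed master secret
    return {
        "mail": derive_password(master, "example-mail"),
        "bank": derive_password(master, "example-bank"),
        "mail_after_breach": derive_password(master, "example-mail", counter=1),
        "bits_per_password": entropy_bits(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

Two practical caveats apply to any such scheme: if the master secret leaks, every derived password is lost at once, and a service that imposes its own password rules (maximum length, forbidden characters) forces an exception that then has to be remembered anyway. A password manager avoids both, at the price of a database that has to be backed up and protected.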
Changing passwords that have not been compromised, on the other hand, is not very useful. There is no point in regularly replacing a good password with another equally good one; it does not increase security. If, for example, it took 5 years to try out all possible combinations of 12 letters, digits and special characters, then changing the password within this time would only bring a security gain if such a search were actually running and the new password happened to be a combination that had already been tried at the time of the change. In all other cases it is just a pointless exchange.
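The argument can be worked through exactly. The following is an added example, not part of the original post: it models n equally likely passwords, an attacker who tries candidates in a fixed random order without repeats, and a defender who replaces the password with a fresh random one after c guesses, and it derives by how much the change lowers the attacker's chance. The alphabet size (94 printable characters), the length (12) and the guess rate (10^12 per second) are assumptions used to put numbers on the post's example.

```python
"""Does changing an uncompromised password help against brute force?

Added example (not from the original post). Model: n equally likely
passwords; the attacker tries candidates in a fixed random order, never
repeating one, at a constant rate; the defender may replace the
password with a fresh uniformly random one after c guesses. The 94-symbol
alphabet, 12-character length and 1e12 guesses/s are assumptions.
"""
import random
from typing import Optional

SECONDS_PER_YEAR = 365.25 * 86400


def p_found(n: float, t: float, change_at: Optional[float] = None) -> float:
    """Probability that the attacker hits the password within t guesses.

    No change: the t tried candidates cover t/n of the space.
    Change after c guesses: the first c guesses succeed with probability
    c/n. Otherwise the new password is uniform over all n candidates, but
    the attacker only tests the t-c candidates not yet tried; a new
    password that lies among the c values already tried is never reached
    (the post's point).
    """
    if change_at is None or change_at >= t:
        return t / n
    c = change_at
    return c / n + (1 - c / n) * (t - c) / n


def gain_from_change(n: float, t: float, change_at: float) -> float:
    """Closed form of p_found(n, t) - p_found(n, t, c) = c*(t-c)/n^2.

    This is at most (t/n)^2 / 4: a quarter of the square of the fraction
    of the space the attacker actually covers.
    """
    c = change_at
    return c * (t - c) / n ** 2


def simulate(n: int, t: int, change_at: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of p_found on a small space."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        order = list(range(n))
        rng.shuffle(order)
        pw = rng.randrange(n)
        for i, guess in enumerate(order[:t]):
            if i == change_at:
                pw = rng.randrange(n)  # defender rotates to a fresh password
            if guess == pw:
                hits += 1
                break
    return hits / trials


def full_search_years(n: int, rate_per_s: float) -> float:
    """Time to try every candidate at rate_per_s guesses per second."""
    return n / rate_per_s / SECONDS_PER_YEAR


def scenario(search_years: float, attack_years: float,
             change_after_years: float, n: int = 94 ** 12) -> dict:
    """Express the model in years: a full search takes search_years, the
    attack runs for attack_years, the password is changed after
    change_after_years."""
    t = attack_years / search_years * n
    c = change_after_years / search_years * n
    return {"p_no_change": p_found(n, t),
            "p_with_change": p_found(n, t, c),
            "gain": gain_from_change(n, t, c)}


if __name__ == "__main__":
    n = 94 ** 12
    print("post's hypothetical (5-year search, 2-year attack, change after 1 year):",
          scenario(5, 2, 1))
    yrs = full_search_years(n, 1e12)
    print(f"at 1e12 guesses/s a full search takes {yrs:.0f} years:",
          scenario(yrs, 2, 1))
```

The closed form makes the post's condition precise: the gain is c(t-c)/n^2, zero if no exhaustive search is running (t = 0) and negligible unless the attacker covers a large fraction of the space. In the post's hypothetical of a 5-year full search, a change after one year of a two-year attack lowers the hit probability from 0.40 to 0.36; at a realistic 10^12 guesses per second, a full search of 94^12 candidates takes about fifteen thousand years and the same change is worth a few parts in 10^9. A password that an attacker can cover substantially within its lifetime is too short and should be replaced by a longer one, not rotated.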
Two-Factor Authentication
Two-factor authentication supplements the password with an additional requirement, e.g. entering a code transmitted by SMS or produced by a code generator. Many websites and services such as Facebook or Dropbox offer this option, and it should be used wherever it is available and sensitive data is involved, even if it seems annoying. Security is then maintained even if the password becomes known. It is of no use to a data thief to know my Dropbox password if Dropbox first sends a code to my mobile phone that has to be entered when a login is attempted from an unknown computer (i.e. one that does not belong to me). The thief would also have to have my mobile phone or get me to hand over the code.
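What the "code generator" in such a login actually computes is standardized (HOTP, RFC 4226, and its time-based variant TOTP, RFC 6238). The following is an added example, not code from the original post or from any of the services named above: it generates the six-digit codes an authenticator app shows, and implements the server side, which has to tolerate a little clock drift and must not accept the same code twice. The shared secret is the test secret from the RFCs, so the outputs can be checked against the published test vectors; the drift window of one step on either side is an assumed policy.

```python
"""Time-based one-time codes (RFC 4226 HOTP / RFC 6238 TOTP), added example.

Both sides of a two-factor login share a secret. The generator derives a
short code from the secret and the current 30-second window; the server
recomputes it. The secret below is the RFC test secret, the drift and
replay policies are assumed.
"""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226, SHA-1)."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: HOTP over the current time window."""
    return hotp(secret, unix_time // step, digits)


class Verifier:
    """Server-side check.

    Accepts the current window and `drift` windows on either side (clock
    skew), compares in constant time, and accepts each window at most once,
    so a code captured by phishing cannot be replayed while still valid.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 drift: int = 1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.last_window = -1

    def check(self, code: str, unix_time: int) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        window = unix_time // self.step
        for k in range(-self.drift, self.drift + 1):
            w = window + k
            if w <= self.last_window:
                continue  # this window (or an older one) was already used
            if hmac.compare_digest(hotp(self.secret, w, self.digits), code):
                self.last_window = w
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    v = Verifier(SECRET)
    print("code:", code, "accepted:", v.check(code, now),
          "replayed:", v.check(code, now + 5))
```

The replay rule is what keeps a phished code from being reused: the thief in the post's scenario would have to obtain the code and use it before the legitimate login, and only once. Codes sent by SMS are computed the same way on the server but travel over the phone network, which is why an authenticator app (or a hardware token) is the better second factor where the service offers one.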
Adopting and using newer security techniques, such as two-factor authentication, is also part of the IT security process.
Visiting Known Websites
Limiting yourself to well-known websites does not bring any additional security, since well-known and widely used websites are definitely used to distribute malware, for example through cross-site scripting and maliciously modified advertisements. And if you only walk the well-trodden paths, you deprive yourself of much of the Internet's usefulness. The notion that dangers lurk only on dubious offerings (sex and pirated copies) is a misjudgment.
Disclosure of Personal Information
Of course, not reflexively passing on personal data offers a certain degree of protection (against phishing, for example). But I often see users raising their concerns in the wrong places. For example, if you want to use your mobile phone as a navigation system or prefer local search results, you cannot switch off location services. If you want to use voice search, you cannot be upset that devices pick up and evaluate what you say. Data protection is important, but you have to think carefully about which data is worth protecting and which use of our data by third parties gives us an advantage.
From a system security perspective, personal data is of secondary importance.
Conclusion
As shown, it is increasingly the user, i.e. you, who is caught in the crosshairs of the attacks. Only very rare attacks require no assistance from the user at all. It is your job to ensure the security of your entire system by installing the updates that are available and through regular training and vigilance.