As long as a computer network is well maintained, the chance of a hack or ransomware is small. That was one of the conclusions during Jan van Toorn’s security session on Thursday. This time the theme was cybersecurity, a field that is less of a ‘far from my bed’ matter for ‘physical security guards’ than many think.
It is often thought that cybersecurity is something for the IT department. This is true in terms of implementation, but there is also such a thing as policy and risk management. And those are areas where the traditional security department comes into play. A good reason for Jan van Toorn to let three experts with different backgrounds talk about cybersecurity during one of his now well-known and always well-attended security sessions in Ridderkerk.
Joost Gijzel of the DataExpert’s Cyber Security Response Team noted that his name fits well with the topic: ransomware. This year alone, more than 5,000 successful attacks, generally with very large damage, have been reported. The perpetrators are about 40 criminal networks worldwide, the majority of which come from Russia.
The most notorious is Conti, because it mainly focuses on vital organizations, which causes a lot of social harm in addition to the financial damage. Much has become known about this organization after an angry employee revealed a wealth of sensitive information. That happened after Conti announced that it was supporting Russia in the war against Ukraine. The published information showed, among other things, that cybercriminals had collected around 2.5 billion euros in ransom in recent years. Van Gijzel said such an attack is often preceded by a long preparation period. The attackers examine whether there are security vulnerabilities, then break in, and examine how the entire system, including backups, can be taken hostage. They also look at how much the organization can pay without going bankrupt. Increasingly, they also look for sensitive data. If payment is not made, this data will be published or sold to a competitor.
Gijzel advises customers not to pay ransom, as it perpetuates this type of crime. But he also understands that companies sometimes choose to pay. This is often cheaper than rebuilding the entire system. However, according to the expert, payment is not a guarantee that the problem is solved. The criminals almost always provide the necessary encryption key, but it is not certain whether the network can be fully restored with this. It only takes a little bit of data to render an entire database unusable. It is also not easy to pay, says Gijzel. It has to be in crypto, and not all organizations have it in stock. It may take some time before enough money is collected and converted to the desired crypto, while payment usually has to be made within 48 hours. Otherwise it will become more expensive or the data will be permanently corrupted. “Everyone is taking a walk,” the speaker warned. “Then get ready. Outline scenarios and make sure they are executable. But first, make sure you have a system that is well secured and fully up to date. And put together an Incident Response Team that can take instant action. ICT is no longer something of a facility, but the Achilles’ heel of any organization!”
No security without policy
Fabian Prick of Tedas also noted that it is no longer a question of whether you will be hacked, but when. This means that in addition to good security, you must also have a plan B in case it should go wrong. “Make sure that a system has the correct permissions set for everyone and that unusual traffic is detected. Also remember that the attack can enter the network via a less secure partner. In that case, the consequences can be limited by splitting the network.”
Many organizations do not know they have been hacked. After hackers crack security, they spend an average of 106 days researching how to make as much money as possible from the victim. This cannot be stopped by paying a specialized service provider a certain amount. There is a need for policy based on what is crucial to the organization. If the network does not comply with the policy rules, according to Prick, it is better to build a new network than to change the old one.
Four principles of safety
Prick listed four guiding principles in network security. The first is to create depth, by implementing as many locks and doors as possible around the core of the system. The second is Zero Trust. This means that each device must be configured as if someone could access it. Principle 3 is segmentation. This ensures that an attacker cannot immediately gain control of the entire network. In particular, administrator accounts pose a major risk in this sense. Finally, principle 4 is the monitoring and detection of unusual traffic. According to Prick, cybersecurity should not be considered a cost item. “It’s just part of good corporate governance. The risks are reduced and business continuity is better ensured. You also run a lower risk of GDPR fines, administrative costs fall, and users experience fewer problems.” According to the expert, the investment pays off quickly. An attack with ransomware costs an average of 6 tons, or 2.3 percent of annual revenue, and usually comes in via a ‘forgotten’ server, which is still connected but no longer maintained.
Complex decision making
The last speaker was not a cybersecurity expert but a political adviser from the Rotterdam-Rijnmond Security Region. Maikel Lenssen discussed the transition from ordinary fire service to digital fire service. The usual work with bells and whistles is most visible to the citizen, but at least as much is done to avert dangers from ‘cyberspace’.
And with good reason. During a cyber attack on a container terminal in the port of Rotterdam a few years ago, the entire port area was disrupted by traffic jams from trucks that could not be loaded and unloaded. “Everyone then posts their opinion on social media and we get an annoyed mayor on the phone because he has not yet been informed by us. But it makes sense, because we will first have verified the facts before we come up with a report,” said Lenssen. The security services are increasingly confronted with what he calls the Pleuris Law. Pleuris = Blameability x (social relevance (social media x media attention) ³. The speaker gave an idea of the huge size of his security region and of the complexity of the administration. “Then sometimes you have to deal with two bosses, the mayor who has the authority and In such a case, we say: it’s your building, but it’s our brand! By ours, I mean the mayor as head of the security region.” integrated and with the support of all parties involved.
The next security session will take place on September 15th. You can register via Jan van Toorn’s website.