Cyber security is no longer just about computers

As long as a computer network is well maintained, the chance of a hack or ransomware attack is small. That was one of the conclusions during Jan van Toorn’s security session on Thursday. This time the theme was cyber security. It is a field that is also less ‘far from my bed’ for ‘physical security guards’ than many think.

It is often thought that cyber security is something for the IT department. This is true in terms of implementation, but there is also something like policy and risk management. And these are things where the traditional security department comes into play. A good reason for Jan van Toorn to let three experts with different backgrounds talk about cyber security during one of his by now well-known and always well-attended security sessions in Ridderkerk.

Joost Gijzel of DataExpert’s Cyber Security Response Team noted that his name fit the topic well: ransomware. More than 5000 successful attacks have been reported this year alone, with generally very heavy damage. The perpetrators are around forty criminal networks worldwide, the majority of which come from Russia.

The most notorious is Conti, because it mainly targets vital organizations, which causes a lot of social as well as financial damage. Much became known about this organization after an angry employee revealed a wealth of sensitive information. It happened after Conti announced that it supports Russia in the war against Ukraine. The published information showed, among other things, that the cybercriminals had collected around 2.5 billion euros in ransom in recent years. Van Gijzel said such an attack is often preceded by a long period of preparation. The attackers investigate whether there are vulnerabilities in security, then break in and investigate how the entire system – including backups – can be taken hostage. They also look at how much the organization can pay without going bankrupt. Increasingly, they also look for sensitive data. If payment is not made, this data will be published or sold to a competitor.

Achilles heel
Gijzel discourages customers from paying ransom, as it perpetuates this type of crime. But he also understands that companies sometimes choose to pay. This is often cheaper than rebuilding the entire system. However, according to the expert, payment is not a guarantee that the problem is solved. The criminals almost always provide the necessary encryption key, but it is not certain whether the network can be fully restored with it. It only takes a tiny bit of data to render an entire database useless. It’s not easy to pay either, says Gijzel. It must be in crypto, which not all organizations hold. It may take a while for enough money to be collected and converted to the desired crypto, while payment should usually be made within 48 hours. Otherwise, it will be more expensive or the data will be permanently destroyed. “Everybody takes a turn,” the speaker warned. “So get ready. Outline scenarios and make sure they’re executable. But first, make sure you have a system that’s well secured and fully up-to-date. And put together an Incident Response Team that can take immediate action. ICT is no longer a facility, but the Achilles’ heel of any organization!”

No security without policy
Fabian Prick of Tedas also noted that it is no longer a matter of if you will be hacked, but when. This means that, in addition to good security, you must also have a plan B in case things go wrong. “Ensure that a system has the correct permissions set for everyone and that unusual traffic is detected. Also remember that the attack can enter the network via a less secure partner. In that case, the consequences can be limited by partitioning the network.”

Many organizations don’t know they’ve been hacked. After hackers crack the security, they spend an average of 106 days researching how they can make as much money as possible from the victim. This cannot be prevented simply by paying a specialized service provider a certain amount. Policy is needed based on what is essential for the organization. If the network does not comply with the policy rules, according to Prick, it is better to build a new network than to change the old one.

Four principles of security
Prick listed four guiding principles in securing networks. The first is to create depth, by implementing as many locks and doors as possible around the core of the system. The second is Zero Trust. This means that each device must be configured as if someone could access it. Principle 3 is segmentation. This ensures that an attacker does not immediately gain control over the entire network. Administrator accounts in particular pose a great risk in this sense. Finally, principle 4 is monitoring and detecting unusual traffic. According to Prick, cyber security should not be considered a cost item. “It’s just part of good business management. Risks are reduced and business continuity is better secured. You also run less risk of GDPR fines, administrative costs decrease and users experience fewer problems.” According to the expert, the investment pays off quickly. A ransomware attack costs an average of 6 tonnes or 2.3 percent of annual revenue and usually comes in via a ‘forgotten’ server that is still connected but no longer maintained.

Complex decision making
The last speaker was not a cyber security expert, but a policy advisor from the Rotterdam-Rijnmond Security Region. Maikel Lenssen discussed the transition from ordinary fire service to digital fire service. The ordinary work with bells and whistles is most visible to the citizen, but at least as much is done to avert dangers from ‘cyberspace’.

And with good reason. During a cyber attack on a container terminal in the port of Rotterdam a few years ago, the entire port area was disrupted by traffic jams from trucks that could not be loaded and unloaded. “Everyone then expresses their opinion on social media, and we get an annoyed mayor on the phone because he has not yet been informed by us. But it makes sense, because we will first have verified the facts before we come up with a report,” said Lenssen. The security services are increasingly confronted with what he calls the Pleurisy Law. Pleurisy = Blameability x (social relevance (social media x media attention)³). The speaker gave an idea of the enormity of his security region and of the complexity of the administration. “So sometimes you have to deal with two bosses, the mayor who has the authority and the building manager. In such a case we say: it’s your building, but it’s our fire! By our I mean the mayor as head of the security region.” is that politicians, area managers and emergency services know each other and understand each other’s language so that incidents can be fought integrated and with the support of all parties involved.

The next safety session will take place on September 15. You can register via Jan van Toorn’s website.
