• guess with IT security and internet security (internet = roads, cars = computers that users use every day) it is like with real-life security – there is no 100% security.

  • all users of a system are in constant potential danger of having an “accident” = security problem, costing loads of time and money to repair (restore backups, heal the limbs, repair the car), and cyber security problems can have impacts (just as a car on pedestrians) on the physical health of people (not only exploding nuclear power plants (just hope that NO COUNTRY EVER hooks up nuclear power plants to the internet))
    • less mass-catastrophic, but still catastrophic: think about a lost x-ray photo that has to be taken again!
  • airbag manufacturers = security product manufacturers; city planners, traffic planners (and police) = system administrators do their best to make sure the usage of the streets and cars = the internet is as safe as possible (and yes, educating users about secure behavior will become very important and mandatory, just as users may not use the streets without knowing what the signs mean / use cars (computers?) without knowing how to drive them safely (passing a test and getting a license))
    • trying to predict what might happen (users drive too fast), then implementing measures (speed limit or bumpers) so it is unlikely to happen
    • users want to get their computer work done fast, access everything anywhere fast, but if this is done without security in mind, the company might suffer more than what is gained by this efficiency (first and foremost the trust of customers)
    • SAFETY FIRST! SECOND COMES SPEED!
      • but speed is of course also very important – because otherwise nobody will get anything done in a useful time (having to enter too many very very very long and cryptic passwords X-D)
  • there is no possibility (as Jacque Fresco always wanted it to be) to get this security problem down to 0% (also not with self-driving cars, sorry Elon X-D (even worse, those might have software security problems as well; would feel VERY UNCOMFORTABLE in cars without the possibility of manual “backup” steering))
  • but it is possible – when all involved take all precautions possible (and yes, users complain if things take only 1ms longer than usual X-D) – to bring the security problem down to almost 0%

what can CEOs do?

  • actually listen to the concerns of security-sensitive (paranoid) software developers and administrators and users
  • hold monthly “education” and “live hacking” meetings/workshops to educate the whole company on cyber-security

what can administrators do?

  • all internet-facing machines
    • keep all software as up to date as possible (os, browser, mail-client)
    • have a virus scanner running (even if it provides just basic security, it can not detect a virus in an encrypted .pdf (maybe after decryption/during unpacking? but might be too late then X-D))
  • have a multi-layered password concept (and of course, change those passwords at least every year)
    • level0 = everyone may know the password
    • level1 = only inner circle may know the password
    • level3 = only you may know the password
  • educate users
    • how to avoid malicious scam hoax mails and phone calls (!)
    • how to safely open malicious mail attachments
  • block all traffic that is not absolutely necessary (whitelist?)
  • maybe even block USB ports and DVD drives (this software can actually do that)
  • store one complete set of data “off site”, ideally in an EMP-secure (double-layered metal) casing

what can the user do?

  • get educated in terms of security and privacy
    • it’s a bit old (2013) but still very educating and even entertaining! (well done 🙂) https://youtu.be/XHqN5hpZMUY
  • pass the “how to use a computer/smart phone safely” test and watch educating and funny “live hacking” videos (https://youtu.be/XHqN5hpZMUY)

where to educate oneself and stay up to date? what to subscribe to?

RSS feeds are a convenient way of staying up to date with the latest developments while checking mails (in Thunderbird) (just seriously DISABLE JavaScript before X-D)
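Why disable JavaScript first? A feed is just XML fetched from someone else's server, and every item's description is free-form HTML that the feed owner (or whoever compromised the feed) controls. The following is an added example, not code from this post or from any of the sites listed below: a small Python RSS 2.0 parser that keeps only the plain text of each item, throws away script and style bodies, and drops links that are not http(s). The feed bytes are a constructed sample, not a real feed.

```python
"""Parse an RSS 2.0 feed into plain-text headlines, stripping any HTML that
the feed author (or an attacker who took over the feed) put into the items.
Added example; the feed below is constructed and points at nothing real."""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed (not fetched from any site). The second item carries
# a <script> tag and a javascript: link, the kind of content a feed reader with
# JavaScript enabled might execute when rendering the item.
SAMPLE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Example Security News (constructed sample)</title>
    <link>https://example.invalid/</link>
    <item>
      <title>Patch Tuesday roundup</title>
      <link>https://example.invalid/patch-tuesday</link>
      <pubDate>Tue, 14 Feb 2023 10:00:00 GMT</pubDate>
      <description>&lt;p&gt;Several &lt;b&gt;critical&lt;/b&gt; updates.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Free gift card!</title>
      <link>javascript:alert(1)</link>
      <description>&lt;script&gt;fetch('https://example.invalid/steal')&lt;/script&gt;Click &lt;a href="https://example.invalid/x"&gt;here&lt;/a&gt;</description>
    </item>
  </channel>
</rss>
"""


class _TextOnly(HTMLParser):
    """Collect text nodes only; the bodies of <script> and <style> are dropped."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def strip_html(fragment: str) -> str:
    """Return the visible text of an HTML fragment with whitespace collapsed."""
    p = _TextOnly()
    p.feed(fragment)
    p.close()
    return " ".join("".join(p.parts).split())


def safe_link(url: str) -> str:
    """Keep only http(s) links; javascript:, data:, file: etc. become empty."""
    url = (url or "").strip()
    return url if url.lower().startswith(("http://", "https://")) else ""


def parse_rss(data: bytes) -> list[dict]:
    """Turn feed bytes into a list of {title, link, date, summary} dicts,
    every field reduced to plain text before anything displays it."""
    root = ET.fromstring(data)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": strip_html(item.findtext("title", "")),
            "link": safe_link(item.findtext("link", "")),
            "date": item.findtext("pubDate", ""),
            "summary": strip_html(item.findtext("description", "")),
        })
    return items


if __name__ == "__main__":
    for entry in parse_rss(SAMPLE_FEED):
        print(f"{entry['date'] or '(no date)'} | {entry['title']}")
        print(f"  {entry['summary']}")
        print(f"  {entry['link'] or '(link dropped)'}")
```

Run it as-is and the second item comes out as the harmless text "Click here" with its link dropped; nothing from the script body survives. To use it on a real feed, fetch the bytes with urllib and pass them to parse_rss instead of SAMPLE_FEED; the point is that the rendering step never sees HTML at all, which is the same goal as switching JavaScript off in the mail client.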

this list is far from complete… if a user has suggestions what is missing, please get in touch

in English:

rss feed: https://krebsonsecurity.com/feed/ https://krebsonsecurity.com/

rss feed: https://googleprojectzero.blogspot.com/feeds/posts/default https://googleprojectzero.blogspot.com

rss feed: https://feeds.feedburner.com/securityweek https://www.securityweek.com

rss feed: https://media.ccc.de/updates.rdf https://media.ccc.de/

call me lame: X-D rss feed: https://feeds.feedburner.com/TheHackersNews

rss feed: https://www.bleepingcomputer.com/feed/ bleepingcomputer.com

rss feed: https://research.checkpoint.com/rss research.checkpoint.com

rss feed: https://rss.packetstormsecurity.com/ packetstormsecurity.com

rss feed: https://blog.knowbe4.com/rss.xml blog.knowbe4.com

rss feed: https://blog.netlab.360.com/rss/ https://blog.netlab.360.com

rss feed: https://www.intezer.com/rss https://intezer.com/

rss feed: https://blog.ripstech.com/index.xml https://blog.ripstech.com

rss feed: https://www.blogger.com/feeds/4838136820032157985/posts/default

rss feed: https://census-labs.com/news/feeds/rss/ https://census-labs.com/news

rss feed: https://precisionsec.com/rss https://precisionsec.com

in Russian:

rss feed: http://www.securitylab.ru/_Services/Export/RSS/news/ securitylab.ru

rss feed: https://exploit.in/feed/ https://exploit.in

in German:

rss feed: https://www.heise.de/security/rss/news-atom.xml https://www.heise.de/security/

rss feed: https://rss.golem.de/rss.php?tp=sec&feed=RSS2.0 golem.de

privacy & data protection:

rss feed: https://rsf.org/en/rss.xml (in English)

rss feed: https://www.kuketz-blog.de/feed/ kuketz-blog.de (in German)

just in case someone asks: can a jpg file contain a virus?

ask google X-D https://googleprojectzero.blogspot.com/2020/04/fuzzing-imageio.html
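The linked article is about fuzzing image decoders, i.e. the code that parses a picture is itself where the bugs live, so a "jpg" is only as safe as the parser that opens it. As an added example (not from this post and not from the Project Zero article), here is a Python check that can run before a file is handed to a real decoder: it walks the JPEG marker structure, refuses files that are named .jpg but do not start with a JPEG header, rejects segments whose declared length runs past the end of the file, and reports bytes appended after the end-of-image marker. All sample bytes are constructed inline and are not real images.

```python
"""Structural sanity checks for a file that claims to be a JPEG.
Added example with constructed sample bytes; not a decoder and not a scanner."""


def inspect_jpeg(data: bytes) -> dict:
    """Walk the marker segments of a JPEG.

    Returns the list of (marker, declared length) pairs, whether an EOI
    marker was found, and how many bytes follow it. Raises ValueError on
    structure a decoder should never be asked to parse."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    segments = []
    pos = 2
    eoi_at = None
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated after marker prefix")
        marker = data[pos]
        pos += 1
        if marker == 0xD9:  # EOI: the image ends here
            eoi_at = pos
            break
        if marker == 0xD8 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            segments.append((marker, 0))  # standalone markers carry no length
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        length = int.from_bytes(data[pos:pos + 2], "big")
        # The length field counts itself; anything smaller than 2 or running
        # past the buffer is exactly the kind of input that breaks decoders.
        if length < 2 or pos + length > len(data):
            raise ValueError(f"segment 0xFF{marker:02X} length {length} overruns file")
        segments.append((marker, length))
        pos += length
        if marker == 0xDA:  # SOS: entropy-coded data follows until the next real marker
            while pos < len(data):
                if (data[pos] == 0xFF and pos + 1 < len(data)
                        and data[pos + 1] != 0x00          # 0xFF00 is a stuffed byte
                        and not 0xD0 <= data[pos + 1] <= 0xD7):  # RSTn stay in the scan
                    break
                pos += 1
    trailing = len(data) - eoi_at if eoi_at is not None else 0
    return {"segments": segments, "eoi_found": eoi_at is not None, "trailing_bytes": trailing}


def check_image(filename: str, data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing odd was seen."""
    findings = []
    if filename.lower().endswith((".jpg", ".jpeg")) and data[:2] != b"\xff\xd8":
        findings.append("extension says JPEG but content does not start with SOI")
        return findings
    try:
        info = inspect_jpeg(data)
    except ValueError as err:
        findings.append(f"malformed JPEG structure: {err}")
        return findings
    if not info["eoi_found"]:
        findings.append("no EOI marker: truncated file")
    if info["trailing_bytes"]:
        findings.append(f"{info['trailing_bytes']} bytes appended after EOI")
    return findings


def _seg(marker: int, payload: bytes) -> bytes:
    """Build one marker segment (constructed helper for the samples below)."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed samples: structurally valid marker layout, not a viewable picture.
APP0 = _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
SOS = _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
SCAN = b"\x12\x34\xff\x00\x56\x78"  # scan data containing one stuffed 0xFF00
CLEAN_JPEG = b"\xff\xd8" + APP0 + SOS + SCAN + b"\xff\xd9"
SUSPICIOUS_JPEG = CLEAN_JPEG + b"MZ\x90\x00 constructed payload appended after EOI"
NOT_A_JPEG = b"MZ\x90\x00" + b"\x00" * 12  # an executable header renamed to .jpg
BAD_LENGTH = b"\xff\xd8\xff\xe0\xff\xff"  # APP0 claiming 65535 bytes in a 6-byte file

if __name__ == "__main__":
    for name, blob in [("holiday.jpg", CLEAN_JPEG), ("invoice.jpg", SUSPICIOUS_JPEG),
                       ("photo.jpg", NOT_A_JPEG), ("thumb.jpg", BAD_LENGTH)]:
        print(name, "->", check_image(name, blob) or "looks structurally normal")
```

The check does not decode pixels and cannot say whether a file exploits a decoder bug; what it does is keep obviously broken or padded files away from the decoder in the first place, and flag the renamed-executable case that a click-happy user would otherwise open.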

walk, drive, fly and surf safe!


admin