When I was born, there was basically no such thing as computer security. There were no viruses, no worms, no malware. The vast majority of systems had no authentication and those that did often required little more than a name to allow access. Today, computer security is everywhere, everybody has dozens if not hundreds of accounts, two-factor authentication is becoming the norm and biometric authentication is available on an increasing number of devices.
But at the root of it all, from your smartphone to the largest IT networks, there are three basic security principles upon which information security is built. Given how vital these are, it is perhaps surprising that the analysis of breaches reveals that the vast majority are enabled by poor implementation of at least one of these fundamentals.
User Names and Passwords
We all hate passwords: they are hard to remember and we are supposed to have a different one for every website. System administrators force us to change them at too-frequent intervals and they are, just generally, a pain. But they are still the first, and often the only, mechanism to prevent unauthorised access to an account.
If, like me, you need to remember literally thousands of passwords, then you need a password keeper program. In my opinion, this is an essential piece of software and there are a number of different offerings. I have tried a few of them over the years (graduating from a Word document in 2001) and for the last decade, I have been using KeePass Password Safe. This totally free software has dozens of useful features, including auto-form filling, and is probably the most secure and easy to use of them all. It is Open Source and my thanks go to Dominik Reichl and the other contributors for this superb piece of software.
One of the benefits of software like KeePass is that not even I need to know what my passwords are. I simply tell KeePass to generate a password for a site, and it builds a long string of letters, numbers and symbols that automatically gets pasted wherever needed. You can’t get much more secure than that.
It was not until the mid-1980s that the first anti-virus software was created, and even then uptake was slow. One of the earliest anti-virus programs was developed for Atari systems and had the catchy name of Ultimate Virus Killer (UVK). This was followed by a series of anti-virus companies releasing software including: Doctor Solomon’s, NOD, Flushot Plus, Anti4us, Luke Filewalker, Norton and F-Prot.
Some of these companies still exist today, although the names may have changed, new ones have emerged, and others have been purchased or taken over.
A lot of this activity occurred during the 1990s and early 2000s when the anti-virus industry really started to emerge. It was also at this time that accusations started flying between companies over the practice of hiring former virus writers, as well as other, more nefarious practices.
Anti-virus software is still an absolute must, although now it often exists as part of a suite offering anti-malware and other protections. Whether you are happy to rely on Windows Defender or choose a more advanced, third-party offering to monitor servers and corporate networks, the emergence of zero-day attacks means that now, more than ever, effective anti-virus software is essential.
Patches, bug fixes and updates
Nearly every personal computer, tablet and smartphone gets updates whether we want them or not. We are all familiar with the nagging messages and the enforced ‘downtime’ as one device or another updates itself. Microsoft is so insistent that you receive the latest updates (a legacy from past accusations of being ‘insecure’) that Windows will quite happily apply everything itself including closing all your programs and forcing a restart in the middle of the night.
But there is a reason for all this, and it is not just to make sure you have the latest pretty icons. It really does help to keep your devices secure. However, and it is a big ‘however’, it is all too easy to ignore older systems when applying updates. When was the last time you updated the firmware in your router? Or what about that mission-critical server that has been happily doing its job for the last five years? These older systems are often overlooked. Sometimes they are simply forgotten about, but often there is a reluctance to touch older systems in case the latest patches cause problems.
Older systems need updating as regularly as newer systems, i.e. as soon as practically possible. Just look at the effect that ‘WannaCry’ had on the NHS back in 2017 to remind yourself of why keeping older systems up to date is vital.
The Human Element
Humans, staff, users, call them what you will, are probably the single most important security element. Obviously, it is humans that produce the threats (the virus authors, the ‘crackers’, the ‘phishers’), but ultimately it is the humans that are attacked by these that we should focus on.
This is sometimes called the ‘Human Firewall’ and can be your strongest, or weakest, line of defence. However, it is normally the cheapest and one of the most effective security aspects, and it can start with simple learning exercises to teach staff how to detect and respond to threats.
Obviously, some aspects can be enforced. For example, users can be made to choose complex passwords, but does this become self-defeating if the user then writes that on a sticky note in their top drawer? Therefore the voluntary implementation of this aspect is by far the most effective. An hour-long workshop on how to spot a phishing email, which staff can apply equally well at home as at work, can (and will) pay dividends. This is the point: make it relevant to your staff, teach them to spot a scam in everyday life and just watch how naturally it filters through at the workplace.
The three aspects above are bringing security back to basics. Complex AI capabilities, penetration testing and all the other tools available will matter little if the above are not effectively implemented as a foundation on which to base your organisational security.
Certification is a great way to get a good idea of the security fundamentals, for example ISO 27001, but this, and others, will all highlight that the fundamentals described here are all essential to an effective, and secure, organisation.