There are many mantras and claims floating around about cybersecurity. Some of them leave no room for doubt, like “defence in depth”, which suggests deploying protective means at every level of the hardware and software stack, or “KISS – keep it simple, stupid” to avoid over-complication and too many deviations from the “standard” cybersecurity system. Other, more unfortunate statements also hold true. For example, “convenient, cheap, secure – pick two” makes “secure” always the least attractive option, as it brings no immediate benefits. However, some other mantras and claims are simply not true. Plain wrong. Or, excuse my language, “bull****”.
Indeed, computer security is never straightforward. Often there is no single solution; instead, a series of complementary solutions is needed, like the way our xorlab ActiveGuard solution works together with the Microsoft SPAM filter. Often a holistic solution cannot be found either: for example, the quick fix of deploying two-factor authentication (2FA) for the new CERN SSO meant that the old SSO was left to die, and the solutions we are looking at for deploying 2FA to LXPLUS and Windows Terminal Servers in the future are equally non-holistic. Generally, computer security requires the aforementioned “defence in depth”: individually, each protective layer, with its defined (implementation) scope, its limited coverage and its holes, is insufficient. But together, they provide adequate overall protection to the Organization that is pragmatic, balanced and efficient. Combined, they keep the cybersecurity risks and threats to the Organization under control.
So, while we acknowledge that there is no single solution to “cybersecurity”, there are many wrong solutions. Wrong statements. Wrong mantras. Bull****. In order to give you an idea of what we mean, let’s play “Bull**** Bingo”. Below are 25 statements we have heard in the past about cybersecurity, best security practices and cybersecurity implementation, some even from esteemed colleagues. Can you spot where they went wrong?
| | A | B | C | D | E |
|---|---|---|---|---|---|
| 1 | There is no malware for Apple devices | Software from the Google Play Store is harmless | Security is everyone’s responsibility | SSH on port 2222/tcp is more secure | SPAM and malware filtering is 100% effective |
| 2 | 2FA is a big step forward for account protection | Emails from “@cern.ch” are legitimate | I'm personally not a target as I'm not interesting to attackers | Back-ups cannot be altered | I have nothing to hide |
| 3 | I would never fall for phishing | Only the link behind a text/QR code reveals its truth | CERN’s technical network is secure | A password written on a post-it is a good idea | QR codes always link to legit sites |
| 4 | A (free) VPN service protects me | Password protection on my laptop protects its data | My browser’s password manager is secure | CERN is not interesting to attackers | CERN’s anti-malware software is free for you to download |
| 5 | Using “https” means the website is secure | CERN’s outer perimeter firewall keeps all threats away | Cloud services cannot be hacked | Encryption is easy; key management is complicated | WiFi is always secure |
The first three people to send the five true statements to Computer.Security@cern.ch will win a bottle of Coca-Cola, as well as a “Hawaiian” pizza from CERN’s Restaurant 2.
Want to learn more about computer security incidents and issues at CERN? Read our monthly reports (https://cern.ch/security/reports/en/monthly_reports.shtml). For more information, questions or advice, check out our website (https://cern.ch/Computer.Security) or contact us at Computer.Security@cern.ch.