Consistent data protection starts with monitoring
…and not with general phrases in data protection texts in order to comply with laws
March 3, 2024
March 11, 2024
We also follow reports of cyber attacks and ransomware on authorities and companies every day. But what we don't understand: How can such incidents occur despite IT audits, external consultants and security concepts? Presumably because much of it was not implemented consistently and conscientiously due to time pressure or because it was not checked by an independent party.
Classic IT in micro and small companies usually has 3 problems, which can have a significant impact on ongoing operations and can subsequently become significantly more expensive than if handled proactively:
At the latest when an incident occurs, companies are susceptible to inflated prices and sparklers without knowing what service is actually being provided by the external service provider in question. They also like to relabel Open source solutions or the actual work is outsourced to low-wage countries without informing the customer in the interests of transparency.
Our recommendation: Define the scope of services precisely, check the general terms and conditions and pay particular attention to the issue of liability. If an external service provider takes care of your IT security, they should also be held liable for the respective scope - provided the incident can be proven to be attributable to them.
Independent - and ideally tamper-proof - monitoring makes sense, especially when it comes to the "liability issue". Monitoring also helps to demonstrate whether measures have been implemented and whether they actually made sense or not. As an example below you will find monitoring of SSH access without Crowdsec and with Crowdsec firewall bouncer.
Then just implement an interface.*
*Classic statement without IT background knowledge
As a consequence, in the chain of responsibility between the budget, actual implementation and review of the measures, if an incident occurs, the hot potato is passed on until there are no longer any consequences to fear. To the outside world, you are always a “victim of a cyber attack” because shifting responsibility to an intangible place is still the most elegant way from a PR and marketing perspective.
From our point of view, stereotypes and nationalities have no place in the media or when it comes to hacking. Hackers don't just come from Russia or China and generally wear dark hoodies. For better understanding and differentiation, we use different nationalities and real-world examples below.
If you have now become a victim of classic ransomware, you can at least check based on the address of the Bitcoin wallet whether a Russian group is “actually” behind the extortion. In the best case scenario, in the event of a classic break-in, there is the IP address - provided the log files have not been deleted.
However, an IP address is comparable to a vehicle license plate: just because your video surveillance captured a vehicle with Russian license plates does not mean that the occupants are also Russian. So if the thieves have a certain level of intelligence, they will try to disguise their true origins as best as possible.
This is applied to IT with VPN over several servers without logging, e.g. Wireguard/OpenVPN implemented. Alternatively, there are of course enough VPN providers where the respective country can be easily selected. In private environments it is also often used to circumvent censorship and geo-blocking or to maintain privacy.
Of course, "non-company" people have no place in the system and "decent" people also respect enclosures that are not equipped with barbed wire and the latest security technology. However, we live in an economically driven world and if there is (data) gold in plain view, why not grab it, especially if the hurdle is relatively low in relation to the profit?
As a result, affected companies should see themselves less as victims after an incident, but rather use the opportunity to critically question internal structures and processes - similar to the garden gate mentioned above: Did we fail to modernize (in time) or was there more talk than agile implementation?
The protection of your personal data is particularly important to us. We therefore process your data exclusively on the basis of the legal provisions (GDPR, TKG 2003).
Laws definitely have their place in the sense of fair “rules of the game” for everyone involved. Likewise, consulting services, structural analyses, concepts, standardization or coordination discussions - provided the framework conditions are right and concrete implementation measures are defined.
A bad example of the relationship between the individual sub-areas can be seen in the diagram according to the motto "The main thing is a lot of paper" paired with generic statements à la "state of the art" - the interpretation is therefore left to those involved.
However, technology does not interpret, technology does according to the specifications of parameters and algorithms.
A 9 therefore remains a 9 and does not become a 6 - depending on the perspective from which the person looks at the number. Blue is recognized as blue - within the specified limits and parameters - and does not turn purple.
AI is a little more tolerant of probability calculations based on models: if you photograph a tree, you will get a probability as a result: tree (74%), shrub (16%), flower (9%) and other (1%). It then depends on further processing whether the user is shown the probability or only the result with the highest probability.
Technology and IT therefore remain the most honest and incorruptible feedback providers of those mentioned above paperwork. A current example is the problem of the German Bundeswehr (Taurus wiretapping affair) name: Despite a lot of paper with regulations, simple basics were more or less "forgotten". More celebrities Examples are Mercedes with the Source Code Leak or the Storm-0558 Hack at Microsoft.
Meaningful Investments
Our three suggestions focus on the human factor with the aim of becoming more attractive as an employer again. Based on critical employer reviews (1 to 3 stars) from Kununu on the topics: 9 to 5, dusty software, fruit basket and “My manager has no idea what we’re actually doing.”
It is not for nothing that the first step involves the basic arithmetic operations of addition, subtraction, multiplication and division taught and equations follow based on this knowledge.
However, in addition to a fixed annual budget, agility also requires a variable budget for unforeseen events and sensible further developments.
The printer informs you about empty toner via email and you give the system permission to order from the "regular supplier" - or the cheapest provider.
SSH login monitoring
In our opinion, a basic for Linux servers includes a firewall with dynamic rules and SSH monitoring. The time required to implement Crowdsec with nftables is kept to a minimum thanks to Docker Compose and lots of free tutorials within limits.
In this case, vector.dev is used to prepare and further transfer the log files and sent to Loki handed over. The visualization is done by Grafana. Of course there are also other solutions such as: Fail2Ban (dynamic firewall rules based on log files) or ELK (Elasticsearch, Logstash and Kibana) for recording and evaluation - depending on personal preference and requirements.
In the jargon of a study: The difference in the comparison period of 3 hours (10:00 p.m. - 1:00 a.m.) is obvious and proves the usefulness of the measure. Interested readers can form their own opinion on the topic of “geo bashing”.
Of course, we are always happy to receive constructive criticism of the article.
New project or
dissatisfied with the current IT costs? Write
to us for a free 30 minute initial
consultation via telephone or Microsoft Teams.