
Computer Security: Bull**** Bingo

There are many mantras and claims floating around about cybersecurity. Some of them are beyond doubt, like “defence in depth”, which calls for deploying protective measures at every level of the hardware and software stack, or “KISS ─ keep it simple, stupid”, which warns against over-complication and against too many deviations from the “standard” setup. Other, more unfortunate statements also hold true. For example, “convenient, cheap, secure ─ pick two” makes “secure” always the least attractive option, as it brings no immediate benefits. But some other mantras and claims are simply not true. Plain wrong. Or, excuse my language, “bull****”.

Indeed, computer security is never straightforward. Often there is no single solution and a series of complementary solutions is needed, as when our xorlab ActiveGuard solution works alongside the Microsoft SPAM filter. Often a holistic solution cannot be found: two-factor authentication (2FA) was deployed as a quick fix for the new CERN SSO, which meant that the old SSO was left to die, and the solutions we are looking at for bringing 2FA to LXPLUS and the Windows Terminal Servers in the future are equally piecemeal. Generally, computer security requires the aforementioned “defence in depth”: individually, each protective layer has a defined (implementation) scope, limited coverage and holes, and is insufficient on its own. Together, however, they provide adequate overall protection to the Organization that is pragmatic, balanced and efficient, and they keep the cybersecurity risks and threats to the Organization under control.

So, while we acknowledge that there is no single solution to “cybersecurity”, there are many wrong solutions. Wrong statements. Wrong mantras. Bull****. In order to give you an idea of what we mean, let’s play “Bull**** Bingo”. Below are 25 statements we have heard in the past about cybersecurity, best security practices and cybersecurity implementation, some even from esteemed colleagues. Can you spot where they went wrong?  

Row 1
A: There is no malware for Apple devices
B: Software from the Google Play Store is harmless
C: Security is everyone’s responsibility
D: SSH on port 2222/tcp is more secure
E: SPAM and malware filtering is 100% effective

Row 2
A: 2FA is a big step forward for account protection
B: Emails from “@cern.ch” are legitimate
C: I'm personally not a target as I'm not interesting to attackers
D: Back-ups cannot be altered
E: I have nothing to hide

Row 3
A: I would never fall for phishing
B: Only the link behind a text/QR code reveals its truth
C: CERN’s technical network is secure
D: A password written on a post-it is a good idea
E: QR codes always link to legit sites

Row 4
A: A (free) VPN service protects me
B: Password protection on my laptop protects its data
C: My browser’s password manager is secure
D: CERN is not interesting to attackers
E: CERN’s anti-malware software is free for you to download

Row 5
A: Using “https” means the website is secure
B: CERN’s outer perimeter firewall keeps all threats away
C: Cloud services cannot be hacked
D: Encryption is easy; key management is complicated
E: WiFi is always secure

The first three people to send the five true statements to Computer.Security@cern.ch will win a bottle of Coca-Cola, as well as a “Hawaiian” pizza from CERN’s Restaurant 2.

Want to learn more about computer security incidents and issues at CERN? Read our monthly reports (https://cern.ch/security/reports/en/monthly_reports.shtml). For more information, questions or advice, check out our website (https://cern.ch/Computer.Security) or contact us at Computer.Security@cern.ch.