Hackers don’t care about compliance

Security compliance is about whether an IT solution meets the legal requirements and regulations that apply to it. But the fact that the solutions we use are compliant does not mean they are secure.

Hackers are constantly looking for specific technical vulnerabilities they can exploit to gain an initial foothold and work their way further in. Point 1 of NSM’s basic principles for ICT security is “Identify and map”, and this is often where things fail. You have to start by understanding which attack surface you actually expose to the outside world, and the characteristics and weaknesses of your own infrastructure.

Do you dare to admit that you are not in control?

It is easy to imagine a situation where the board of a company wants to understand the company’s cyber risk. Perhaps they engage an adviser who goes through everything with a process lens, interviewing the IT manager, operations providers, subcontractors and other relevant parties.

For such an approach to succeed, every party must either have a complete overview or be willing to admit that they do not. That is a risky and inadequate basis.

Many have outsourced operations and assume that the operations provider has reasonable control. Our experience is that many installations run with default settings that favour ease of use and simplicity over security. It is therefore a good idea to verify such deliveries against an objective baseline, for example the CIS Controls or the CIS Benchmarks for the platforms in question, to get an objective answer. Qualified guesswork is not enough. Objective answers also make it easier to prioritise measures.

Order is important

In day-to-day life, compliance is mostly about following good, documented processes and keeping things in order. The key words in the previous sentence are documentation and processes. Frameworks and regulations such as ISO 9001, ISO 27001, NIS2 and NSM’s approval scheme for incident handlers are mostly about documentation and processes.

Obtaining a correct picture of the situation is a prerequisite for getting good results from such work. Perhaps it is the old system you forgot to switch off that is the gateway the threat actor needs?

Nor can just anyone work out how things are connected, where the traffic goes and why. It requires experience, in-depth knowledge and a methodical approach. Often it also takes collaboration between different disciplines to get adequate answers.

Missing situational awareness

We cheer for companies that put security and compliance on the agenda. We also support those who assist companies in this work, whether it concerns the introduction or the revision of IT solutions. At the same time, threat actors are completely indifferent to whether you have documented and up-to-date processes for incident management and are ISO certified.

We have seen customers who carried out good compliance work, hired external auditors and received approved status, and who nevertheless had a technical security level so low that our consultants chose to press the big red button. The failure usually lies in the lack of a sound technical understanding of the situation on which the compliance work can be based. As so often elsewhere in our world: “Shit in = Shit out”.

It is therefore important to take a practical approach to compliance. What does each requirement in, say, NIS2 actually mean? What must be done in your systems and networks for it to be fulfilled? Which people in your company must be involved? It does not help, for example, to have an incident-handling process if there is no tooling that shows what actually happened, in the form of logs from all systems. All compliance work must therefore be anchored in technical reality.
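As an added illustration, not code from the article, the script below reconciles the three things the text keeps coming back to: what the asset register says exists, what an external scan actually sees, and which systems actually deliver logs. The asset register, the nmap grepable (-oG) scan output and the set of log sources are constructed sample data with hypothetical hosts and addresses; in practice they would come from the CMDB, the scanner and the log platform. It flags the forgotten system that still answers on the wire, hosts nobody has documented, and “active” systems that would be invisible in an incident because they send no logs.

```python
"""Reconcile the documented estate with what is observed on the wire.

Added example, not from the article. All data below is constructed:
the asset register, the nmap "-oG" (grepable) scan of the same address
range, and the set of hosts the log platform has heard from recently.
"""
import re
from collections import defaultdict

# Constructed asset register (hypothetical hosts and addresses).
INVENTORY = [
    {"ip": "10.0.0.10", "name": "web-prod-01", "status": "active"},
    {"ip": "10.0.0.11", "name": "erp-legacy", "status": "decommissioned"},
    {"ip": "10.0.0.12", "name": "mail-01", "status": "active"},
]

# Constructed nmap grepable output for the externally reachable range.
# Each port entry has the shape port/state/proto/owner/service/rpc/version/
SCAN_GREPABLE = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 10.0.0.10 ()\tPorts: 443/open/tcp//https//nginx/\tIgnored State: closed (999)\n"
    "Host: 10.0.0.11 ()\tPorts: 8080/open/tcp//http-proxy//Apache Tomcat/, "
    "22/open/tcp//ssh//OpenSSH 7.4/\tIgnored State: closed (998)\n"
    "Host: 10.0.0.50 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\n"
    "# Nmap done (constructed sample)\n"
)

# Constructed: hosts from which the SIEM received at least one event in 24h.
LOG_SOURCES = {"10.0.0.10"}

# Matches only open ports; owner and rpc fields are left empty by nmap here.
OPEN_PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)//([^/]*)/")


def parse_grepable(text):
    """Map each host with open ports to [(port, proto, service, version)]."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        ip = line.split()[1]
        for port, proto, service, version in OPEN_PORT_RE.findall(line):
            hosts[ip].append((int(port), proto, service, version))
    return dict(hosts)


def reconcile(inventory, scan, log_sources):
    """Return the three gaps a document-only review never sees."""
    by_ip = {asset["ip"]: asset for asset in inventory}
    unknown_exposed = {}          # answering on the wire, absent from the register
    decommissioned_but_live = {}  # register says switched off, scanner disagrees
    active_without_logs = []      # in scope on paper, invisible to incident response
    for ip, ports in scan.items():
        asset = by_ip.get(ip)
        if asset is None:
            unknown_exposed[ip] = ports
        elif asset["status"] == "decommissioned":
            decommissioned_but_live[ip] = ports
    for ip, asset in by_ip.items():
        if asset["status"] == "active" and ip not in log_sources:
            active_without_logs.append(ip)
    return {
        "unknown_exposed": unknown_exposed,
        "decommissioned_but_live": decommissioned_but_live,
        "active_without_logs": active_without_logs,
    }


def report(findings):
    """Render the findings as one line per host, most urgent first."""
    def fmt(ports):
        return ", ".join(f"{p}/{pr} {s} ({v})" for p, pr, s, v in ports)

    lines = []
    for ip, ports in findings["unknown_exposed"].items():
        lines.append(f"NOT IN REGISTER   {ip}: {fmt(ports)}")
    for ip, ports in findings["decommissioned_but_live"].items():
        lines.append(f"STILL ANSWERING   {ip}: {fmt(ports)}")
    for ip in findings["active_without_logs"]:
        lines.append(f"NO LOGS RECEIVED  {ip}")
    return lines


if __name__ == "__main__":
    scan = parse_grepable(SCAN_GREPABLE)
    for line in report(reconcile(INVENTORY, scan, LOG_SOURCES)):
        print(line)
```

Run against the constructed data it lists 10.0.0.50 (exposed RDP, never documented), 10.0.0.11 (the “decommissioned” ERP box still serving Tomcat and SSH) and 10.0.0.12 (active but silent in the SIEM). Each of those is an item an auditor reading process documents would have marked as fine.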

