In the beginning there was the internet. Well, not at the very beginning. First came the light (or was it the chicken?). But in any case the World Wide Web existed long before IT security. IT security continues to live a neglected existence in the minds of most users, but is becoming more and more important in times when information exists almost exclusively in digital form.
For us at eguana, safety has top priority. That is why we work closely with SBA Research, a center for information security, and have them carry out hacker attacks and penetration tests on our system on a regular basis in order to identify and close possible gaps in good time.
We have spoken to Thomas Konrad, senior consultant for information security at SBA Research, about the past, present and future of IT security.
*****
eguana: Let’s start at the beginning: IT security. How long has the topic existed? Was it relevant from the start, or has the topic gained importance historically?
Thomas Konrad: The topic of IT security is almost as old as digital information processing itself, but it has changed a lot over time. While in the beginning computer networks were reserved for the military sector, computers and their networking are ubiquitous today. IT security used to be synonymous with firewalls and the isolation of networks, but nowadays that is by no means sufficient to guarantee the secure processing of information. The complexity of these systems is overwhelmingly high and there is no prospect of a reversal of this trend – or in other words: There is no longer a single person who can understand an IT system in its entirety and thus conclusively assess its security.
Let’s compare that with the construction industry: There has been a comparatively small increase in productivity here in the last few decades, which is partly due to the fact that extensive safety and environmental regulations are driving up production costs. But this has already proven itself for the population! The safety level of buildings in our part of the world is extremely high, accidents and disasters in this area are extremely rare.
In the IT world it is completely different: The loss of sensitive data is so frequent that messages about it can only elicit a short, „Oh, now it happened again“. In any case: The topic is gaining importance due to the rapidly increasing extent of digital information processing. Also because every company these days is an IT company. Some are aware of this, others are not.
What are the most fundamental changes that have emerged in the area of IT security in recent years?
Politicians are slowly becoming aware that the legislation hast o demand certain minimum standards for the security of information in the public interest. This is exactly what the Datenschutzgrundverordnung (DSGVO) aims at. One can criticize details of this regulation, and rightly so – but by and large the direction is the right one: If organizations negligently handle sensitive information, they can be threatened with severe penalties. A positive consequence of this is that the issue of security is increasingly being considered right from the start. Until now, this was only looked at when IT systems had already been implemented and operational.
Imagine the construction industry: First you build a tunnel as quickly and cheaply as possible, let people use it, and only then you start to assess the statics. While writing these lines, I can literally feel the unease of my readers in the pit of my stomach.
What exactly is it SBA Research is doing?
On one hand, we conduct research in the area of information security. On the other hand we advise organizations on their way to greater information security. One of our classic activities is the so-called penetration test, where we basically simulate a hacking attack and try to penetrate IT systems. If we succeed, we make constructive suggestions on how to make the system more secure.
But as mentioned before: At this point it is often late and profound changes in the system are difficult and expensive. It’s a bit like trying to replace the masonry in an existing building with poor statics. That ranges somewhere between complex and impossible, with a tendency towards the latter.
This is precisely why we are increasingly supporting companies in changing organization and environment in such a way that the issue of security plays a major role in the development of IT systems early on. It is time-consuming at first, but in the long run, organizations usually save costs because security can become a driver for quality in general.
We once got called to an emergency where a company was attacked; A six-digit euro amount was previously spent on attack analysis alone. In the end, it turned out that someone intruded through an application that no one was using anymore and which was therefore no longer updated. Simply switching off the website would probably have cost less.
A tip for our readers?
You mean, what can you do to ensure the security of your own information? The basic rule is very simple: information that is not there cannot be stolen. Reduce to what is absolutely necessary. Find platforms that handle your information well by asking specialists or doing your own research. Enable multi-factor authentication wherever you are registered. The provider doesn’t support that? Change the provider. Regularly delete accounts and online information that you no longer need. Use a unique password on each platform, preferably one that has been generated by a password manager. Use means of communication that transmit messages with end-to-end encryption. Stay informed and actively demand that your personal information be handled properly.
Back to the future – what will the situation look like five years from now?
Considering the fast pace, it is very difficult to say what the future of IT security will look like. What I can say is how I would like the future to look. On the one hand, I think and hope that there will be greater awareness in society in general, and thus also in politics, that our personal information is becoming an increasingly important asset that must be handled with care. Careless handling should not be tolerated. I also think two key buzzwords will be „simplicity“ and „hygiene“. Simplicity because the simpler a system is, the more sustainable it can be operated safely. Hygiene in the sense that IT systems and the information processed in them have to be cleaned regularly. Because the simplest rule of IT security still applies: What is not there cannot be attacked.
*****
To anyone wondering what security looks like at eguana: Together with SBA Research we ensure IT security, and with our customers we ensure tunneling security. In order to be able to guarantee the optimal protection of all data, we have involved SBA Research into the development of our systems from the beginning. We are in regular exchange with the researchers and let them attack our servers in a controlled manner. Multi-factor authentication has therefore been standard for us for years. But even the most sophisticated security system does not help if the passwords are unsafe – which is why we dedicated a separate blog post to password security some time ago, which you can read here.
About guest author Thomas Konrad
Thomas Konrad has been working at SBA Research for more than ten years and is by now an authority in the field of IT security. Born in Gnas, he has been working with penetration tests as well as architectural and design tests ever since completing his master’s degree in information security at the St. Pölten University of Applied Sciences. He is among other things doing research on secure web and mobile applications, and is a lecturer at the FH Campus Wien. You can often find him on stage at various conferences, where the founder of the sec4dev security conference lectures on the subject of software security.