IT security is of essential importance – and yet those responsible constantly make mistakes because they fall for old fairy tales and false promises. It’s not necessarily difficult to do better. In an interview, security expert Frank Ully explains what administrators need to watch out for and what they can safely ignore.
Frank Ully is Head of Research at Oneconsult Deutschland AG in Munich. He deals with current topics of offensive IT security.
Installing updates, activating security software and enforcing policies – why isn’t that enough for administrators to feel secure?
Patches and the other measures mentioned do not stop attackers if the environment is configured insecurely or is generally poorly designed. Admins should not underestimate the danger of insecure default settings and self-inflicted misconfigurations. It is often easier for attackers to gain access or elevated privileges through inadequate configuration than to exploit a specific patchable vulnerability. All protective measures must also be implemented consistently.
A lot often helps a lot – and companies shouldn’t skimp on security, say security providers. Is that correct?
No. Many decision-makers believe the insinuations of the security industry that their latest product with artificial intelligence is absolutely unbeatable. In doing so, they create a zoo of expensive tools with colorful management-friendly graphics that no one can oversee and that don’t work together at all. Tools must be set up, maintained and connected to other measures. It would make more sense to use less software – such as the malware scanner that is already available – in a targeted manner. And to invest more in the further training of existing employees and in additional colleagues.
Nobody can do everything perfectly. But is it really that dramatic in small companies? Attackers are probably more interested in the big fish.
Those responsible and admins tend to ignore the danger to their own company. When they read about the recently paralyzed industrial companies, city administrations or universities on Heise Security, they think: “It won’t affect us anyway. We are not important and interesting enough.” But these attacks can hit anyone. Every organization uses IT, be it a website, a customer database or just a few networked computers where employees read e-mails. SMEs often fall victim to mass intrusion attempts via phishing or unsecured systems accessible from the Internet. They are more likely to fall victim to such attacks – because they have fewer staff and little budget for expensive security solutions.
Mr. Ully, thank you very much for the replies! Readers can find out which security myths too many companies fall for and how administrators nevertheless implement the right security measures in a targeted manner in the cover articles on heise+ and in the new iX 6/2023.
In the “Three Questions and Answers” series, iX wants to get to the heart of today’s IT challenges – whether it’s the user’s point of view in front of the PC, the manager’s point of view or the everyday life of an administrator. Do you have suggestions from your daily practice or that of your users? Whose tips on which topic would you like to read in a nutshell? Then please write to us or leave a comment in the forum.