Would the European NIS Directive have averted the TV5 Monde hack?

16 April 2015

‘Never one to miss a chance to push policy, Oettinger also suggested that the proposed Network and Information Security (NIS) Directive could have averted the hack in the first place.’ This excerpt from Jennifer Baker’s post ‘What would have stopped TV5Monde hack? Yup, MOAR LAWS’, published on 14 April 2015, shows once again the naïvety of top European leaders.

The implementation of an information security risk management will not raise the security level. It just manages the structural weaknesses of a security strategy. That’s much more than most of the companies have in place today, but it’s not enough to fight the current attacks and, to stay secure in future. This is best explained by an example.

One of the required controls for implementation of an Information Security Management System (ISMS) is a security standard or security baseline. The baseline lays down the security configuration of e.g. the servers in a company. It’s very important to define a security baseline because it allows you to find deviations of an individual server from the baseline. Each deviation is a vulnerability that could be exploited by an attacker and should be mitigated as soon as possible.

But a security baseline lays down the structural weaknesses of a security configuration as well. If your baseline was originated on the basis of Windows 2008 R2 Server, and if you use it for Windows 2012 R2 Server without changes, a Windows 2012 Server will show the same structural weaknesses as a Windows 2008 Server.

Thus, the baseline has to be continually improved to at least keep the security level because the threat level develops faster than vendors release new security features.

Would the European NIS Directive have averted the TV5 Monde hack?

The answer is: Definitely Not!

Information Security is more than implementing policies and the obligation to inform the authorities in the case of a cyber-attack.

Take care! And check the complexity of your passwords!

For details about the NIS directive please see the NIS platform.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s