16 April 2015
‘Never one to miss a chance to push policy, Oettinger also suggested that the proposed Network and Information Security (NIS) Directive could have averted the hack in the first place.’ This excerpt from Jennifer Baker’s post ‘What would have stopped TV5Monde hack? Yup, MOAR LAWS’, published on 14 April 2015, shows once again the naïvety of top European leaders.
The implementation of an information security risk management will not raise the security level. It just manages the structural weaknesses of a security strategy. That’s much more than most of the companies have in place today, but it’s not enough to fight the current attacks and, to stay secure in future. This is best explained by an example.
One of the required controls for implementation of an Information Security Management System (ISMS) is a security standard or security baseline. The baseline lays down the security configuration of e.g. the servers in a company. It’s very important to define a security baseline because it allows you to find deviations of an individual server from the baseline. Each deviation is a vulnerability that could be exploited by an attacker and should be mitigated as soon as possible.
But a security baseline lays down the structural weaknesses of a security configuration as well. If your baseline was originated on the basis of Windows 2008 R2 Server, and if you use it for Windows 2012 R2 Server without changes, a Windows 2012 Server will show the same structural weaknesses as a Windows 2008 Server.
Thus, the baseline has to be continually improved to at least keep the security level because the threat level develops faster than vendors release new security features.
Would the European NIS Directive have averted the TV5 Monde hack?
The answer is: Definitely Not!
Information Security is more than implementing policies and the obligation to inform the authorities in the case of a cyber-attack.
Take care! And check the complexity of your passwords!