6th commandment: Security is real, genuine work
Alongside automated e-mail alerts, there are now also reports from individual users. In security circles this situation is known as "alert fatigue": too many messages, which are then no longer investigated properly. In smaller organisations this is often a question of ownership: if security is assigned to staff who are already at capacity with IT/OT operations, the first alerts start slipping through the cracks within a few months. The assignment must therefore be meant seriously and not be just a formal entry on a list, which means creating resources in the form of time and, where necessary, tooling. The core of the sixth recommendation is that security is real work and a job in its own right.
7th commandment: Lack of orientation
Even so, the volume of information can be overwhelming. Although it only comes seventh in this article, the lack of orientation in the flood of information is tied to one of the first steps in any cyber security strategy: risk assessment. Anyone not starting from scratch has already carried one out for their own assets, or at least has a mental picture of which components must not fail. This list, which is hopefully documented anyway, belongs in the hands, or at least in the heads, of the people who process the reports. It supports the triage of events: when in doubt, deliberately setting aside reports that concern less critical assets. Without such a definition it is hopeless to keep an overview of the situation in the long run, even with suitable tools such as a SIEM.
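The triage step described above, as an added example that is not part of the original article: alerts from several sources are scored against a criticality list taken from the risk assessment, and low scores on known low-value assets are deliberately parked. The asset register, the hostnames and the alert texts are constructed sample data, and the scoring rule (criticality times source severity) is an assumption chosen for illustration, not a standard. One failure mode is handled explicitly: an asset that is missing from the register is never silently dropped, because the inventory gap is itself a finding.

```python
"""Asset-criticality-based alert triage.

Added example for this article, not part of the original text. The asset
register and the alerts are constructed sample data; in practice the register
comes from the risk assessment / CMDB and the alerts from a SIEM export.
"""
from dataclasses import dataclass

# Hypothetical asset register derived from the risk assessment.
# 3 = must not fail, 2 = important, 1 = replaceable.
ASSET_CRITICALITY = {
    "plc-line-1": 3,
    "hmi-line-1": 3,
    "erp-db": 3,
    "fileserver": 2,
    "printer-floor2": 1,
}

# Alerts scoring below this threshold are parked instead of investigated.
IGNORE_BELOW = 3


@dataclass(frozen=True)
class Alert:
    source: str      # detection source, e.g. "av", "ips", "siem"
    asset: str       # hostname as reported by the source
    severity: int    # 1 (low) .. 3 (high), as assigned by the source
    message: str


@dataclass(frozen=True)
class Triaged:
    alert: Alert
    score: int
    reason: str
    known_asset: bool


def score_alert(alert, criticality=ASSET_CRITICALITY):
    """Score = asset criticality x source severity (assumed rule).

    An asset missing from the register is not treated as unimportant: it gets
    medium criticality and is flagged, because the gap in the inventory is
    something the team has to fix.
    """
    crit = criticality.get(alert.asset)
    if crit is None:
        return Triaged(alert, 2 * alert.severity,
                       "asset not in register, verify inventory", False)
    return Triaged(alert, crit * alert.severity, f"criticality {crit}", True)


def triage(alerts, criticality=ASSET_CRITICALITY, ignore_below=IGNORE_BELOW):
    """Return (queue, parked).

    queue:  alerts to investigate, highest score first; alerts on unknown
            assets always land here regardless of score.
    parked: low-score alerts on known low-value assets, deliberately set
            aside, but kept so the decision remains auditable.
    """
    scored = [score_alert(a, criticality) for a in alerts]
    queue = [t for t in scored if t.score >= ignore_below or not t.known_asset]
    parked = [t for t in scored if t.score < ignore_below and t.known_asset]
    queue.sort(key=lambda t: t.score, reverse=True)
    return queue, parked


# Constructed sample alerts, not real log data.
SAMPLE_ALERTS = [
    Alert("av", "printer-floor2", 1, "potentially unwanted application quarantined"),
    Alert("ips", "plc-line-1", 2, "Modbus write from host outside engineering VLAN"),
    Alert("siem", "erp-db", 3, "20 failed logins followed by success for 'sa'"),
    Alert("av", "laptop-0042", 1, "potentially unwanted application quarantined"),
    Alert("ips", "fileserver", 1, "SMBv1 negotiation observed"),
]


if __name__ == "__main__":
    queue, parked = triage(SAMPLE_ALERTS)
    print("Work queue:")
    for t in queue:
        print(f"  {t.score:2d}  {t.alert.asset:15s} {t.alert.source:5s} "
              f"{t.alert.message}  [{t.reason}]")
    print("Parked:")
    for t in parked:
        print(f"  {t.score:2d}  {t.alert.asset:15s} {t.alert.message}  [{t.reason}]")
```

Run as a script it prints the ERP database and the PLC at the top of the queue, the unknown laptop behind them with an inventory flag, and the printer and file server parked. The parked list is kept rather than discarded so that "we chose not to look at this" is a recorded decision and can be revisited when the criticality list changes.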
8th commandment: Patch management
A somewhat separate topic that I unfortunately encounter time and again in real customer environments is patch management. Updates always carry risk, and in the absence of test processes, which ultimately means time, there is often a basic fear of update problems. Small updates are postponed, and after a year an update really is a risky business, because many individual changes land at once. If a comprehensive patch strategy is still a long way off, the 8th commandment is at least this: regular patch windows are far more manageable than the great unknown "someday". In a networked world, every patch is security-relevant, even one without its own CVE.
9th commandment: Use existing tools in a targeted manner
Just like patch management, a prompt response is part of a comprehensive security strategy. The BSI's "Guidance on attack detection" prescribes very short response times and mentions automation. Even though the temptation to reach for automation and even AI is great here, perhaps even the expensive Network Detection and Response (NDR) product that manufacturer X advertises, it is worth taking another look at the tools already in place. After all, even ordinary anti-virus software does exactly this job: an immediate response to a detected attack. An ad blocker in the web browser can also block known phishing sites on the spot, and many firewalls ship with an Intrusion Prevention System (IPS) that has never been switched on, even though it offers broad network-based response capabilities. As in the detection area, the 9th commandment is therefore to understand the existing tools and use them in a targeted manner.
10th commandment: Rehearse the emergency
This leaves one last commandment, which should be familiar in a similar form from backup strategy: only a tested backup is a real backup. The same applies to the response: a good response to a cyber security incident only comes from experience, and experience comes from incidents. Since waiting for a real disaster in order to gain that experience is not a sensible option, rehearsing the emergency is essential. Like a fire drill, this usually feels somewhat unreal and superfluous, but in a tabletop exercise that is taken seriously, many questions arise that were never considered in theoretical planning. And, of course, their answers.
If you have followed this far and played through the tabletop exercise with attack scenarios tailored to your own organisation, you will discover the gaps that go beyond the ten commandments. This is where investment really pays off, and not necessarily always in the places recommended by the paper tigers of standards and laws.