"Weak passwords are the number one cause and annoyance"
Protect yourself and be safe in the digital space. Photo: Fly d'Art/Unsplash
Try and make it harder for data thieves: October was marked by cybersecurity. On Twitter and Linkedin, the Leibniz Supercomputing Centre (LRZ) informed interested parties how they can protect notebooks, smartphones and, above all, their privacy from attacks. All recommendations were provided by the LRZ security team - Miran Mizani talks about the team's daily business in this interview. In his daily work, the computer scientist and his colleagues analyse security incidents, but also the tactics of attackers and optimise processes. In addition, he is currently working on his doctoral thesis on the question of how information security can be promoted when several organisations work together and network with each other via networks and the cloud. "Whoever is responsible for services as an admin at the LRZ also takes good care of their security, which helps us a lot," he says. "Weak passwords are certainly the number one cause and annoyance. Most of the time, attackers gain access to services and devices through compromised identifiers."
Have you personally experienced a cyberattack? Miran Mizani: Privately, I've been dealing with security issues since I was a student, so I've really trained myself to take protective measures. Here at the LRZ and in the Munich Scieentific Network or MWN, we have to deal with attacks, sometimes on a larger scale. Most of the time, however, the gateway is simple things like weak or easily guessable passwords, which attackers then use to gain access to the systems of institutions in the MWN.
Which security measures do you consider most important when surfing, chatting or sending e-mails? Mizani: It's not a single measure, but a whole bundle – the antivirus programme, the latest software versions, secure data connections via virtual private networks or VPN and a password manager are absolutely essential. I also check mail addresses and domains carefully, especially if I am supposed to open links or download files. Unusual spellings often indicate a phishing attempt. And I only enter general or personal access data via secure data connections, recognisable by the https:// at the beginning of a web address.
What causes of data loss do you observe at the LRZ and what mistakes by users annoy you? Mizani: Weak passwords are the number one cause and annoyance. Most of the time, attackers gain access to services and devices via compromised identifiers, which they then use to wreak their planned havoc. In the MWN, many institutes operate largely autonomously. As a data centre, we provide central technology and IT services. The respective administrators are responsible for the security of the systems that institutes operate themselves in the MWN. If they use outdated software versions or security protocols, it is easy for attackers to take over computers for cryptomining, for example, and then spread throughout the MWN. We contain such cases several times a month.
What can users do? Mizani: Think more about security aspects, keep yourself informed about them and generally be suspicious. In any case, use longer and different passwords. This applies to both private and professional life. Password managers are a good option here, there are good ones for free. Many IT and web services such as Github or ebay now offer two-factor authentication. It offers good protection against unwanted access to accounts. The IT admins at the institutes should regularly update their software. Instead of running everything themselves, we recommend outsourcing IT services (and their protection) to the LRZ – a good thing, especially if the people in charge can only take care of IT on the side and have little time.
How do you limit the technical risks of weak passwords? Mizani: We have now also established 2-factor authentication, 2FA, within the LRZ, and it is being planned for other LRZ services. In principle, 2FA requires another factor in addition to the password to prove that you are actually authorised to use the service. There are different procedures for this: The LRZ relies on additional hardware that is plugged into the notebook via USB and generates an additional one-time password if required. Smartphone apps or transaction numbers can also serve as a second factor. To limit weak passwords in the future, we have raised the requirements for their quality. We are also working on solutions to continuously check passwords and raise awareness among users.
Data exchange, transparency, open science - these are values that the LRZ stands for, but which you in the security team must see critically or as a risk. Mizani: That is indeed sometimes a conflict and a reason why we in the security team do not issue any bans, but rely on secure services. With the cloud service LRZ Sync+Share, for example, documents and files can be exchanged securely. Our colleagues from network operations also do a great job here by providing and operating the necessary security solutions such as firewalls, virtual private networks and monitoring in addition to the infrastructure for data traffic. If new services are created or integrated at the LRZ, we support this and immediately bring in our security perspective. After that, a continuous process of optimisation begins.
What does your typical work day look like - do you have to constantly react to attacks? Mizani: There is little routine in the security team, even though we have divided the tasks among ourselves and I pay special attention to processes and optimisation, how we react to security incidents internally and across organisations. Together we monitor what is happening in the MWN, for example, whether known or new types of viruses appear there, check the vulnerability of our systems and services and carry out system tests. For the latter, we confront our systems or networks with known methods of cyber criminals and analyse other possible attack tactics. Together with the IT admins and our specialist departments, we then develop strategies to secure these systems. And of course, we also receive technical questions about data protection and privacy. Students who want to gain insights into security techniques and support us are always welcome - we are currently looking for reinforcements. You can really learn a lot, the environment is exciting.
You are also working on your doctoral thesis – a security topic? Are security topics actually also researched at the LRZ? Mizani: I'm interested in how institutions can promote security aspects in their cross-organisational cooperation. I deal with this on a daily basis at the LRZ. It is relatively easier for companies to enforce security through rules and regulations. A data centre like the LRZ, on the other hand, cooperates with many different organisations; companies also often work together with external service providers and other organisations. In such a network, uniform security measures are complex and more difficult to introduce and establish. Unfortunately, because of the day-to-day issues, I'm only making slow progress at the moment.
In general, the LRZ is researching security issues in various research projects: Currently, for example, within the framework of GÉANT and CONCORDIA. For this purpose, European research institutions are building a cybersecurity ecosystem and an online platform around IT security and data protection. The LRZ supports CONCORDIA with services, virtual labs and cyberranges in the cloud, which are environments in which security experts can analyse attacks and test counterstrategies.
Do you also practise with them? Mizani: Most cyberranges are still being set up, but LRZ colleagues have already worked with the open cyberrange KYPO at Masaryk University in Brno on a trial basis. The Universität der Bundeswehr München (UniBW) and the CODE research institute are also building such an environment. It is planned that students and IT professionals will soon be able to practise on it. The CONCORDIA website provides information about this.
How do you protect resources - or does that have to remain a secret for security reasons? Mizani: Of course we don't publish detailed strategies and measures. But at the LRZ we can fully rely on our colleagues. Whoever is responsible for services at the LRZ as an admin obviously likes them a lot and therefore takes great care of their security. For example, the PC group informs itself intensively about security recommendations at the Federal Office for Information Security, BSI for short, and on other sites. It always suggests sensible innovations to us. Other groups do the same, which helps us a lot. LRZ admins think along with us, and that is probably one of the best security strategies. It also helps that we are constantly rethinking and optimising our processes through our ISO/IEC 27001 certification for information security. This keeps the topic of security on the agenda everywhere in the LRZ. (vs)
Miran Mizani, computer scientist and LRZ employee, who's specialised on cyber security and works
on his doctoral thesis now.