The virtual cyber world and the physical security of your home front door are barely linked… if you don’t have IoT or any connected door locks that is! Before buying my first property I knew nothing about security options for front doors. A random topic you may think but read on and you will see my point. The front door on your home is often UPVC and has many components, for now let’s focus just on the Euro Cylinder lock and the door handle. The Euro Cylinder, everyone argues, is the weakest part of the door since it is the most exposed item and you can try to: drill it, bump it, screw it, pick it or snap it.
Euro Cylinders range from £10-£60 and come in standard, high and maximum security. High is 1* and maximum is 3*, these are British kitemarked and often come with Secure by Design as well. Door handles are either rated 2* or have no rating. You can either buy a 1* lock and 2* door handle to achieve the maximum 3* rating for your door security or just buy a 3* lock. If you have spent hundreds of thousands on a home (London of course), surely you can afford tens of pounds on a good lock and/or handle? The Kitemark or Secure by Design means it has been physically inspected for build quality and an assortment of physical attack tests have been run against the product before it gets a stamp.
For ISO 27001 the auditor is often not vastly technical and often focuses on process documents & registers rather than looking “under the hood”. The Cyber Essentials badge is self-policing with the Plus version having a pen test run. Both do not actually review security controls in depth. People typically do certifiable security for three reasons: 1. Because they really want to. 2. To win new clients. 3. Because a new contract says so. Often companies fumble around to get all in order a few weeks before the external audit. It is a mark in time and one month after, the company may abandon all the hard work until renewal.
The problem with ISO 27001 or Cyber Essentials is the guidance is high level and not specific. I.e. you must have antivirus. So if I install free AVG on all my servers, is this good enough? Not really in my view. You can pick and exclude your own controls. Look under the hood of most companies and you will find servers & devices have not been hardened. Yes, your paperwork and registers maybe great but does anyone actually read them and could someone break in remotely, likely. Why? Because the person putting the ISMS together and the auditors are often good at either side. I.e. great in GRC and not technical security controls like my biased self!
What is missing is a mainstream certifiable technical security standard. Wouldn’t it be nice reading someone’s certification and knowing their policies, procedures, registers are in order and most importantly their technical security is actually strong and has been checked in depth?