Slow Travel, Fast Insights: Cyber Lessons on the Road to Athens
Athens: Women4Cyber conference. Either a two-hour flight away, or a 55-hour journey by train, bus and ferry. A couple of days full of learning about cyber security, people, fears and myself. As I opted for slow travel due to my aversion to flying, I had plenty of time to read, think, enjoy the views of the Albanian coast and the Balkans' mountains, as well as observe my surroundings and the people around me.
And during all that time, I did not forget about my passion: Cyber Security. So I had some interesting insights. The principles of cyber security can be found everywhere since every principle is just an idea of security with a small grain of bits and bytes. Travelling involves many techniques that we know in cyber security; city life and even hotels have them as well. If you understand these techniques, you will have a good grasp of fundamental cyber security concepts.
Athens is a city with a rich history. It gave birth to democracy, and many famous mathematicians, architects and philosophers have come from there. It is a city of many different neighbourhoods and contradictions, with many beautiful places, as well as some odd ones. Just like your IT infrastructure. There are ancient (legacy) systems that have been running for 20 years and haven't received updates since then. There are also new, state-of-the-art systems that fill the gaps that the legacy systems could not. Taxis are everywhere, keeping the city alive, just like your IT department. Police are everywhere, keeping the city secure, just like your security units. There are potholes, big streets without traffic lights and steep, slippery paths. The credo is: if it works, it works. Or, "never change a running system".
Fixing an ancient building in such a way that it doesn't lose its charm is really difficult. And so it is with fixing legacy systems. Chances are high it will break. However, you can secure an ancient building by putting up fences and restricting access, and that's what we do with legacy systems. We allow only the necessary connections to them, trying to keep them safe from malicious actors while they are still able to operate and serve the business.
Why repair small things that are still working? There's no time for it, no real need for it and maybe not enough money for it either. Holes in the street are like minor vulnerabilities that don't pose a significant risk, so they might get fixed one day when someone has time, but it's OK to leave them open in the meantime. And a street without streetlights for pedestrians is like a hardware security bug. Use it at your own risk. If you want to get rid of it, you have to replace it, which costs a lot of money and affects your work and the work of others for an unknown amount of time.
When you check in to a hotel, you prove who you are and, in return, you are given a keycard to access your room. It's a kind of login system, including role-based access. Only you and the staff can access your room. As a guest, you get access to a room, suite or whatever you have paid for; the staff are like admins or superusers.
Even the mentality of the people and the unspoken rules reminded me of the daily challenges we face in Cyber Security. Things that aren't changed, even though they're inefficient or inconvenient for customers, because they've always done it that way. Some extra olives? Not possible. Small salad? Order a large one; we don't do small.
On my way back, I travelled through Bulgaria, Serbia, Croatia, Slovenia and Austria. The EU countries trusted their colleagues at the border. There was just one control, where policemen walked quickly through the bus, checking our passports to see if we were all authorised to enter the country. It was kind of like logging in, where we proved that we were the user by providing information that only we have: our ID.
As a non-EU country, Serbia was a bit more cautious. There were two controls at the border with Bulgaria and two at the border with Croatia, including luggage checks. You could call it packet inspection as well. It's not just about checking if someone is authorised to enter a country; it's also about seeing if they're carrying something forbidden or dangerous. It's similar to checking a network packet or a file being downloaded to see if it's suspicious or carries harmful content, like a virus. The same applies to luggage being scanned at airports or ferry ports. Packet inspection. Is there anything that is not allowed by law to be carried? If so, access is denied. If you really dig into what happens during border control in terms of the information processed, the decisions made and the actions taken, you'll see that it incorporates many principles of a cyber security model called Zero Trust.
You see? Even if you think you know nothing about cyber security, you already know a lot. Security is often very logical and straightforward. Cyber is then the cherry on top. It's the technical implementation of what we're seeing daily in our non-digital life. Cybersecurity is by no means only a field for nerdy tech people in hoodies. There's so much more to it than that. Who defines security standards? Who communicates them? Who talks to employees about security awareness? Who informs customers about security features? Who informs management about the importance of security? Who makes these topics accessible to non-tech people? While understanding cyber security principles is essential if you work in this field, you don't need to be a forensic specialist or seasoned SOC professional to understand what's going on and have an impact in your role.
Keep your eyes open on your next trip and you’ll see real-world examples of security concepts everywhere. Once you have mapped them to their cyber equivalents, you will see that it is not as nerdy as you might have expected, since the basics are clear and simple to understand.