
@little-dude
Created June 7, 2023 09:56
questions

What are the biggest threats to your business/company?

Phishing

My biggest concern is phishing, i.e. being tricked into giving away sensitive information. As a foreigner, I am an easier target:

  • I don't speak German well enough to detect "weird" patterns in the documents I read that would normally make me suspicious.
  • I don't have a sense of what pieces of information are sensitive, and who I can safely share them with. For instance, can I freely share the company VAT ID, tax ID or registration number? What could an attacker do with these pieces of information?
  • I am not familiar with the various administrative procedures a company has to go through.

Some factors have nothing to do with being a foreigner:

  • There is a wide variety of official (Finanzamt, Amtsgericht, Chamber of Commerce) and non-official institutions (banks, accountants, insurers) we have to interact with, each with their own websites, communication channels and security procedures.
  • There is no straightforward way to identify an "official" email address or website. For instance, https://www.transparenzregister.de seems to belong to the federal government, but the domain name doesn't really reflect that. It would be easy enough for an attacker to create a bunch of clones of the website under similar-looking domain names, e.g. https://www.transparensregister.de.

Some ideas to reduce the risks of phishing (disclaimer: I have zero background in cyber-security, so some of them may well be terrible ones):

  • Have a reserved domain name for all official institutions. For instance, in France most (all?) official websites are under the .gouv.fr domain. This is very easy for anyone to check, and cannot easily be spoofed.
  • Have a single authentication scheme for all official procedures. I'm not sure how it works for companies, but for individuals we have France Connect in France.
  • Favor secure channels that require authentication for communication with official institutions rather than relying on postal mail or email. It is too easy to forge a letter or an email.
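The two points above (look-alike domain names such as transparensregister.de, and a reserved suffix such as .gouv.fr that anyone can check) can be turned into a small defensive check. The following is an added example, not code from the gist author: it keeps an allowlist of verified official hosts and trusted suffixes (both constructed here, as an assumption) and flags a URL whose host is within a couple of edits of an official one. Comparing the host in Unicode rather than in its punycode form means a single substituted homoglyph (a Cyrillic letter standing in for a Latin one) still counts as one edit.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example (assumption). In practice it would be
# maintained from lists published by the institutions themselves.
TRUSTED_SUFFIXES = ("gouv.fr",)                        # everything under this suffix is official
KNOWN_OFFICIAL_HOSTS = {"www.transparenzregister.de"}  # exact hosts verified once, out of band
MAX_DISTANCE = 2  # hosts within this many edits of an official one are reported as look-alikes


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Lower-cased host of a URL, kept as Unicode so that a homoglyph
    substitution is measured as one edit rather than hidden inside punycode."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def _strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def classify_url(url: str) -> str:
    """Return 'official', 'lookalike' or 'unknown' for the host of a URL."""
    host = hostname_of(url)
    if not host:
        return "unknown"

    # 1. Exact allowlist hit, or a host under a trusted reserved suffix.
    if host in KNOWN_OFFICIAL_HOSTS:
        return "official"
    for suffix in TRUSTED_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return "official"

    # 2. Not official: is the registrable tail a near miss of a trusted suffix?
    labels = host.split(".")
    for suffix in TRUSTED_SUFFIXES:
        n_labels = suffix.count(".") + 1
        tail = ".".join(labels[-n_labels:])
        if levenshtein(tail, suffix) <= MAX_DISTANCE:
            return "lookalike"

    # 3. Or a near miss of a host we have verified before (ignoring a leading www.)?
    for known in KNOWN_OFFICIAL_HOSTS:
        if levenshtein(_strip_www(host), _strip_www(known)) <= MAX_DISTANCE:
            return "lookalike"

    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, such as might be pasted out of incoming email.
    samples = [
        "https://www.transparenzregister.de/suche",
        "https://www.transparensregister.de/login",
        "https://www.transparenzreg\u0456ster.de/login",  # Cyrillic i (U+0456)
        "https://www.impots.gouv.fr/",
        "https://www.impots.g\u043euv.fr/",              # Cyrillic o (U+043E)
        "https://www.example.com/",
    ]
    for link in samples:
        print(f"{classify_url(link):10s} {link}")
```

A result of "lookalike" is the case worth surfacing to the person reading the email: it is a host that is deliberately or accidentally close to something trusted, which is exactly the pattern a non-native reader is least likely to notice by eye.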

Lax security measures from private stakeholders

We partnered with a company for payroll which doesn't provide two-factor authentication, and doesn't enforce any constraint on its clients' passwords. This shows how little care is given to security.

I wish private companies handling sensitive information were forced to implement basic security measures such as two-factor authentication.

Identity theft

We have been the victims of several identity theft attempts. These attempts were pretty basic and clearly made by amateurs.

What would you like the government to do more or less in that area?

Again, I am not a security person. Some of these ideas may be terrible ones, or may not be legally or technically possible to implement.

  • Have a unique domain name for all administrative procedures, whether it is for companies or individuals. Communicate a lot about it.
  • Implement a unique government-backed authentication procedure for all administrative procedures, whether it is for companies or individuals.
  • Force private companies handling sensitive information to delegate authentication to said government-backed authentication procedure via OAuth.
  • Reduce use of mail and emails, favor communication via secure channels.
  • Make official websites available in other languages.