Good enough cyber security – or do you want to be among the best?

A lot of people say they have good enough cyber security.
But in cyber security, good enough is often the first step toward not enough.

Is it an antivirus that scores average in tests, or one that ranks in the top three?
Is it using multi-factor authentication only for management, but not for the operations team?
Or a firewall that allows everything, just to make things work?

Many still believe that no one is interested in them.
But most attacks aren’t targeted – they’re automated.
They look for weak spots, and good enough is often exactly that.

We see it every week: an unpatched system, an old password, or an open rule that was never reviewed.
It works – until the day it doesn’t.

Think about it this way:
Would management say it’s fine to show up at work in swimwear twice a year,
while everyone else wears suits the rest of the time?
Probably not.
Dress code is 100% – not good enough.

Security should be treated the same way.
You either have control, or you don’t.
Good enough doesn’t protect you as well as it should – it only feels comfortable until something happens.

Threat actors don’t stop because you’re average,
but they might move on when you’re better than your neighbor.

The best organizations treat security as a competitive advantage.
They build trust, protect value, and show that quality doesn’t stop at minimum compliance.

Security isn’t about being perfect – it’s about getting a little better every week.
Attackers only need one weakness.
Your job is to close every one of them –
just like you lock every door when you leave the office, not nine out of ten.

So next time someone says good enough, ask:
Good enough for whom – you, or the attacker?

And remember: you don’t need big projects to improve.
Start small – update one system, tighten one firewall rule, remove one unnecessary access.
Do it every week.

Or take inspiration from a few simple CIS principles:

  • Know your assets. You can’t protect what you don’t know exists.

  • Keep systems updated. Most attacks exploit known vulnerabilities.

  • Limit access. Give only what’s needed – that’s how least privilege and Zero Trust start.

  • Log and monitor. What you don’t see, and don’t log, won’t be detected or stopped.

Real security isn’t built in a single project.
It’s built through small, consistent actions – logged, learned, and improved.
One step, one log, one improvement at a time.

And one more thing:
Don’t just choose the cheapest antivirus, firewall, or SOC provider.
Run your own tests and check the quality before you trust it –
unless you already know someone who has tested it thoroughly.

Good security isn’t about saving money; it’s about knowing what actually works.

Why IT departments should not sit in open-plan offices

Open-plan offices have become a trend in recent years. The idea is to promote collaboration, flexibility, and communication. And there is no doubt that this setup has benefits:

  • collaboration becomes easier, since you can quickly ask the colleague next to you

  • knowledge sharing happens naturally and informally

  • it builds team spirit and a sense of community

  • communication flows faster, and problems can often be solved on the spot

For many departments this can work well. But for an IT department, an open-plan office is a direct risk.

The risks of open spaces

IT staff handle information that is critical to the business: system configurations, logs, network diagrams, and security incidents. When these tasks are carried out in an open office environment, the risk of unauthorized access increases significantly.

This is particularly important for functions such as the CISO or the Security Operations Center (SOC), where staff may be dealing with ongoing incidents, threat intelligence, or forensic data. Such information should never be visible or overheard in an environment where guests, contractors, or even other employees without clearance can pass by.

The classic example is “shoulder surfing” – someone glancing at sensitive content on a screen. Equally problematic is the risk that confidential conversations are overheard. 

Another often overlooked risk is sound leakage: in open-plan offices, a customer on the phone may also hear conversations from nearby desks, unless very advanced headsets with strong noise isolation are used. This means sensitive discussions between colleagues can unintentionally be shared with external parties.

ISO 27001:2022 – why open-plan is a problem

ISO 27001:2022 highlights several controls that all point to the same issue: sensitive information must be protected from unauthorized access. Open-plan offices make this nearly impossible.

  • Physical security perimeters

  • Physical entry controls

  • Clear desk and clear screen

  • Information security in supplier relationships

Real-life scenarios show how quickly security can fail in relation to these controls:

  • a visitor waiting for a meeting can easily photograph notes, diagrams, or printouts left on a desk

  • a contractor or job candidate passing by may glimpse a screen just as someone opens an attachment, without realizing the first page contains confidential information

  • when an IT employee locks their computer to get a coffee or use the restroom, they may leave documents on their desk – one quick smartphone photo is enough to capture that information permanently

  • suppliers or service providers moving through the office may unintentionally gain visibility into data they should never have access to

It is also worth noting that other standards and frameworks – such as GDPR, NIS2, NIST, CIS Controls, and NSM grunnprinsipper (Norway) – point in the same direction, emphasizing the need for physical protection of sensitive information and controlled access to workplaces.

Other departments should also reconsider

It is not only IT that should think twice about open-plan setups. Departments handling sensitive information face similar risks, for example:

  • HR – managing personal data, employment contracts, and health-related information

  • Legal/Compliance – working with confidential documents and internal investigations

  • Finance – handling accounting, banking, and budget data

  • Executive/Strategy – discussing mergers, strategic plans, or other confidential information

  • Research & Development – working on products, designs, or innovations that may be patented or involve intellectual property

  • Customer support – handling customer records, tickets, and sometimes payment details

  • Project teams for mergers & acquisitions – where leaks can have major financial consequences

All these functions risk exposing information if their workspaces are too open and accessible.

Real-world observations

When walking the streets of Oslo or Bergen, I often see offices on the ground floor with large windows facing the street. It is surprising how easy it is to see what people are working on. With today’s smartphone cameras, it takes no effort to take pictures or record video from the sidewalk – or even from a hotel room across the street.

The question is: do these companies think about security at all? It is frighteningly easy for outsiders to gain insight into customer data, accounting systems, or even online banking screens.

Conclusion

Open-plan offices can bring real benefits such as collaboration, flexibility, and stronger team dynamics. But for departments dealing with sensitive information – especially IT – the risks outweigh the benefits.

An IT department should therefore never sit in an open-plan office if guests, contractors, or even passersby can gain visibility. The same applies to HR, Legal, Finance, R&D, Customer Support, and Executive functions.

Physical segregation is not only common sense – it is a requirement for ISO 27001 compliance and a cornerstone of a strong security culture.

When documentation becomes the breach

I love documentation—and I recommend documenting a lot. It creates memory, clarity, and resilience. But attackers love it too. Over time, spaces like Confluence and SharePoint collect shortcuts, “temporary” exceptions, and helpful screenshots. Alone they look harmless. Together, they can map how to step around controls.

👀 What attackers actually use

  • Notes that describe how to “temporarily” bypass checks

  • Mentions of shared or test accounts used “for convenience”

  • Hints about remote access, allow-lists, or quick openings “for support”

  • Screenshots that reveal settings, approval flows, or who to ask

  • Exported lists of users, systems, or internal locations

  • Attachments with no owner, no classification, and no review date

  • Links set to “anyone with the link,” often without an expiry

  • Scripts, runbooks, and “how-to” guides that include sensitive internal details

🧩 Why this keeps happening

  • Helpful people share broadly so others aren’t blocked

  • “Just for now” files never get cleaned up

  • MFA is not enforced

  • Shared users survive because they’re easy

πŸ” Simple habits that help (zero trust)

  • Put things where they belong: secrets in a password vault, code in source control, configs in the right system—not in the wiki

  • Use SSO and MFA for Confluence and similar tools; limit or disable local passwords where the platform supports it (especially for admins)

  • Grant access to named groups, not “anyone with the link,” and give links an expiry

  • Require an owner, purpose, and review date for sensitive pages and attachments

  • Avoid screenshots of sensitive settings; document outcomes instead

  • Review sharing regularly and close what’s no longer needed

Bottom line: Wikis should explain how we work—not how to work around controls. Keep them clean, and zero trust becomes a daily habit, not a slogan.

Without IT asset management, cyber security becomes guesswork

πŸ™ Begin your IT security journey at the beginning, not in the middle.
Too many organizations jump straight into firefighting—patching vulnerabilities, responding to incidents, and buying new tools—without ever laying the foundation. The foundation is always IT asset management (ITAM). Without it, everything else is largely built on assumptions.

💾 Think about it: you wouldn’t order a backup server without knowing how much or what data you need to protect. And you wouldn’t buy a firewall without knowing what it is supposed to defend, or how much traffic it must be able to handle. The same logic applies to cyber security as a whole—you must start with ITAM, or everything else becomes guesswork.

👀 You cannot protect what you cannot see.
Without updated and reliable ITAM, risk assessments quickly turn into theory detached from reality. Many organizations say they have X critical systems, and that sounds reassuring. The problem is the Y systems they don’t know about—the ones set up by someone years ago, without documentation, still running in the background, and still connected to the network. X represents the assets you know and track, while Y represents the shadow IT: the forgotten, hidden, or undocumented systems that pose just as much risk, if not more.

It is a bit like football: to build a strong team, the coach must know exactly which players are on the field, their positions, and their strengths. Only then can he create a winning strategy. ITAM works the same way—without a complete view of all systems, you cannot build a secure IT environment that functions as a well-organized team.

🌐 Whether the environment is on-premises or in the cloud makes little difference; the challenge is the same.
You must know what you have before you can assess whether it is secure or not.

⚠️ At minimum, every device with an IP address must be accounted for.
But the real goal must be to cover all assets—including OT equipment and sensors that may not have their own IP address yet still impact operations and security. Without this broader view, the inventory remains incomplete and the risk picture distorted.

🔑 Frameworks agree:

  • Norway’s NSM grunnprinsipper call for complete and updated asset overviews.

  • ISO 27001 requires organizations to identify, classify, and manage assets throughout their lifecycle.

  • The CIS framework starts with Inventory and Control of Enterprise Assets as Control 01—the very first step toward building a secure baseline.

🚒 Maritime regulations agree too:

  • IMO 2021 requires cyber risk management to be integrated into the ship’s Safety Management System (SMS). A key part of this is maintaining an up-to-date inventory of all systems and assets as the basis for risk assessment.

  • IACS UR E26 (mandatory for newbuilds contracted from July 2024) demands a complete inventory of hardware and software, along with network diagrams and lifecycle documentation, to ensure cyber resilience of ships.

The message is clear: without ITAM, cyber security is reactive and based on assumptions. With ITAM, zero trust becomes possible, measurable, and sustainable.

PANOS 12.1 ORION installation on PA-440 and Panorama

Bad start on the Panorama for me:
Failed to create required free space. Free space: 2778 MB, Required space: 3717 MB

Found a guide for cloning the Panorama disk to a new, larger disk. It only took 15 minutes to clone and remove the old disk.
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/set-up-panorama/set-up-the-panorama-virtual-appliance/increase-the-system-disk-on-the-panorama-virtual-appliance/increase-the-system-disk-for-panorama-on-an-esxi-server#id27229f7c-6701-4fef-9ad7-cb630ea5cbcb

The guide worked perfectly and I booted up Panorama with free space available.

PA-440:

Reboot takes about 15 minutes.
...and some more waiting time before login is up and running.

Welcome to PAN-OS 12.1!

With this release, Palo Alto Networks extends and improves your security posture with our innovative approach. PAN-OS 12.1 provides passwordless authentication capabilities, additional quantum protections, expanded Device-ID capabilities, decryption enhancements, and more. Highlights include:

Passwordless Authentication for Kerberos Protected Applications—Enables your Palo Alto Networks firewall to act as a Kerberos Constrained Delegation (KCD) agent. This feature allows seamless access to enterprise applications using Kerberos authentication, eliminating the need for users to repeatedly enter credentials. Enhances security by reducing password-related vulnerabilities and improves productivity by streamlining access to multiple Kerberos-protected applications.

Quantum Key Distribution (QKD)—Provides protection for VPN key exchanges by using the ETSI GS QKD 014 standard, QKD, to provide a set of standardized API calls that enable a PAN-OS firewall to communicate with and request symmetric encryption keys from a QKD Device. The PAN-OS firewall acts as the secure application entity (SAE) device and makes API calls to the QKD device, called the key management entity (KME). Depending on the QKD vendor’s implementation, you can use TLSv1.3 to secure the key generation process.

Advanced Device-ID—Enables more granular and precise device-based policy recommendations by enhancing the existing Device-ID functionality. Advanced Device-ID enables the creation of least-privilege access policies by creating device object groupings based on device attributes. With Advanced Device-ID, you can now create more complex Device-ID objects by matching grouping criteria using multiple asset categories and attributes (10x more than before) such as asset type, device profiles, operating systems, site, location, subnet, risk, internet access, and user tag to match assets and enforce security policies based on changing security posture.

Post-Quantum Cryptography (PQC) SSL Support for PAN-OS Management—Supports PQC in TLSv1.3 for administrative access to firewalls and Panorama and facilitates a smooth adoption of PQCs as a proactive defense against PQC threats. This feature prioritizes maximum interoperability and adaptability to future PQC updates. You can also generate self-signed certificates with the NIST-approved digital signatures, ML-DSA and SLH-DSA (based on SPHINCS+), for experimental use as the industry works toward a standard approach for PKI certificates.

Post-Quantum Cryptography (PQC) Cipher Support for TLSv1.3 Inline Decryption—Enables PQC cipher support in TLSv1.3 for SSL Forward Proxy and SSL Inbound Inspection, as well as the decryption mirror and Network Packet Broker features. You can now use PQC preferred ciphers in the decryption profile either for client session, server session, or both. This flexibility allows for post-quantum migration as either the client or server side could be first to adopt PQCs and this feature supports cipher translations across the client and server sessions of the decryption proxy. You can also elect to negotiate Standard (ML-KEM) and/or Experimental (BIKE, Frodo, HQC) ciphers to support NIST and EU requirements allowing for Crypto Agility of ciphers as required.

Decryption Simplification—New options have been added to decryption functionality to simplify certificate verification and log analysis. For example:
Use the new Bypass Server Certificate Verification option in decryption profiles to disable the verification of server certificates, so that the firewall can decrypt outbound SSL traffic from an internal client to the web. This ensures the availability of websites and applications without compromising deep packet inspection for threats during SSL Forward Proxy sessions when servers present incomplete or invalid SSL certificates.
More easily analyze log entries and troubleshoot decryption issues using the new columns provided. For example, Decryption Status lists the reason a session was or was not decrypted, whether by failure or design. In addition, new and existing columns that concern one side of a decrypted session are labeled with client or server if conditions apply to only one or the other.

Zero Touch Provisioning (ZTP) for Cellular—Enables automated deployment and configuration of NGFW in remote locations with limited connectivity or lacking traditional wired connections using cellular interfaces. With the expanded support for cellular connections, ZTP now supports multiple connectivity scenarios, including cellular-only, ethernet-only, or both to provide the flexibility to adapt to various network environments. The feature is designed to work with current and future 5G-enabled platforms, ensuring long-term value and adaptability as your network evolves.

For descriptions of the new features, associated software and content releases, changes in default behavior, and other release information, refer to the PAN-OS 12.1 Release Notes.

HA/failover with one NGFW on PAN-OS 12.1.2 and one NGFW on 11.1.10-h1 worked in my test.

I really like the new report, telling me what I need to fix, and how!

Certificates seem to have an update, great news, maybe SSL decrypt works better now.

New AI Security profile; this can be fun.

Was hoping for more SD-WAN updates; didn't find anything so far.