The 100% risk
Goto first pageSaturn Media Markt, Volvo, Colonial Pipeline, Solarwind, Microsoft – the list of cybercrime victims is illustrious. And there will be plenty more. Way more! Here, IT experts talk about what companies can do nevertheless.
100 percent. That is the probability of German companies being targeted by cybercriminals in coming years.That’s the sober assessment of Ramon Weil, CEO of Frankfurt security provider Secuinfra, which serves many victimized businesses. Weil sees only two exceptions to this rule: First, companies that have already experienced an attack. “Plus, those who have already been attacked and just haven’t noticed it yet. And there are a lot of those.”
For small and middle-sized companies, it becomes a matter of sheer survival as soon as criminals digitally handcuff them. That’s the bad news. The worse news is that there’s no reliable protection from IT attacks. Attacks can at most be slowed down, in the best cases stopped, but never prevented.
Why is that? And why shouldn’t this shattering realization give you an excuse to sit back and do nothing? What follows is a short security check, an update, a preventive action plan, and a surprisingly positive briefing on the future.
A brief security check
Goto first page Goto first page“The past year has been marked by a significant spread of cyberextortion methods,”warns the German Federal Office for Information Security (BSI). That was in October 2021 – before the widespread Log4 security leak, which opened incalculable opportunities for hacker attacks. “We’re in the midst of massive digitization – if we don’t think of information security ahead of time, we’re going to have huge challenges,” predicts BSI President Arne Schönbohm.
In the past several months, many companies have faced just such challenges. In June, MDax-listed chemical provider Brenntag AG was targeted by cyber racketeers, and in July, Wolfenbüttel clinic’s IT shut down after an extortion attempt. In August, international corporate law firm CMS Hasche Sigle cut its external network connections after their German sites were attacked. In November, 3,100 servers of the electronics chain Media Markt and Saturn were encrypted with Hive ransomware. Many Media Markt customers could then only pay in cash – invoices and cash register receipts couldn’t be issued.What the racketeers demanded: €240 million. In the first half of 2021 alone, IT security provider Sonicwall registered more than 300 million attempted ransomware attacks – more than in the whole previous year. The worst affected countries worldwide were the United States, the United Kingdom and Germany.
Security update
Goto first pageCybercrime is a business, and like any other business is subject to trends and changes. With current developments in the industry, however, the action defenders should take is also changing. So, what’s new on the IT security front?
Attacks by mobsInstead of attacking companies directly, criminals are increasingly using suppliers as Trojan horses. In spring 2021, suspected state hackers managed to smuggle infected updates of the SolarWinds’ Orion network management platform into as many as 18,000 customer systems, including those of Microsoft and several US authorities and federal departments. IT professionals call this phenomenon “supply chain compromise”. Thus, installing an update – which is supposed to be a security measure – directly causes an infection.
Expansion of the combat zoneIt used to be enough to secure company buildings and networks from attack. With the massive increase in work from home and on the road, almost every public WLAN and every home network is now an extension of the company network. “You need a lot less technical knowledge to get into an average home WLAN than into most company networks,” says David Bischoff of IT security provider Secuinfra. “And once an attacker has gotten into the home network, there are hardly any hurdles left.”
Humanoid attackClassic ransomware encrypts files automatically. Especially with high-profile victims, more and more human-operated ransomware is coming into use, and the attack is custom-directed by a person – after all, sometimes millions are at stake. According to the German business newspaper Handelsblatt, for example, every hacker group behind attacks on Software AG and Technische Werke Ludwigshafen operated in a way that gave away their origin: Observers noticed that the hackers didn’t work on Russian holidays.
Publication instead of encryptionSince classic ransomware attacks are carried out by encrypting data, many organizations made backups to reestablish their networks in an emergency. For that reason, instead of betting on encryption of sensitive data, hackers are now more often threatening to publish it. Before the attack is revealed, first large quantities of data are sucked off.
“A lot of attackers operate on the dark web, where they publish terrabytes of data from companies that don’t pay,” IT security expert Bischoff points out.Volvo is an example: In November 2021, after the ransomware gang Snatch captured data from the automaker’s research and development department, they published screenshots on the dark web that documented the depth of their attack. Even e-mails from a fall 2020 hack of European Medicines Agency EMA first emerged as screenshots on the dark web.
Präventionsoptionen
Goto first pageWhat are companies to do? How far attackers can get, and how much time they need to infiltrate a company network definitely has to do with technology, but above all with a company’s employees and culture.
Security-Briefing (Interview)
So, where is this all leading?Security briefingWith digitization progressing, the rise of the Internet of Things and artificial intelligence, the arms race between hackers and potential victims will go many more rounds. Andreas Fuchs, Head of Cyber-Physical Systems and Automotive Security at the Fraunhofer Institute for Secure Information Technology (SIT) in Darmstadt, Germany, is nonetheless optimistic.
You research secure IT solutions for management and industry. Do you share the fear that continued digitization will open ever-increasing opportunities for attack? Yes. After IT, now Operational Technology (OT) is being targeted by criminals. For years now, vehicles have been digitized to the tune of 100 microprocessors per car. What’s new is that they’re now hooked up to the Internet. With the Internet of Things (IoT), in coming years machine fleets, production lines and products will also be connected to the Internet. This makes every one of them a potential point of attack.
With artificial intelligence, hackers are wielding a new, much more powerful weapon. That’s right. For example, someone can manipulate a car’s AI to interpret a stop sign as a yield sign and run through intersections – a perfect scenario for extorting vehicle manufacturers. Security researchers from McAfee have recently demonstrated how to fool a Tesla’s AI with two pieces of duct tape on a traffic sign. Or criminals use AI to sharpen their attack weapons. Both are possible. The trouble with AI is that you don’t know what or why it does what it does. At the moment, there’s a lot of research into reverse engineering – processes for tracing AI processes in reverse to understand how they work and to prevent unnoticeable tampering.
Sooner or later, quantum computers will bring the next leap in technology. Will this make our current encryption technologies obsolete? Nobody knows when quantum computers are coming, but when we get there, they’ll crack a lot of the current cryptographic processes. We’re therefore currently working on post-quantum cryptography that will be resistant to the power of quantum computers. Naturally, the question is how fast we can change over when the first powerful entity owns and uses quantum computers. Besides that, we’re researching cyber-resilience systems.
What does cyber-resilience mean? Not only personal computers, but also embedded systems will have local security modules in the future. These will allow detection of whether their integrity is ensured or if they have been compromised. For example, the same goes for the German railway’s bazillion IT controlled switches and the millions of smart meters that will be built into German households in a few years. Behind all this is the idea of trusted computing, a technology with which a device’s software status can be detected remotely. Even routers will be able to notify each other of their integrity. The basic research in this field is already done – now it’s time to spread the idea. This requires open standards.
But certainly the enemy is also gearing up.That’s for sure. Right now we’re seeing more and more focus on high-value targets: oil pipelines, hospitals and vehicle manufacturers. Crooks always go for the low-hanging fruit. And with their growing technological capabilities, ever more lucrative targets come within their reach.
So are we on the verge of an endless arms race between hackers and IT security experts?No, because the problem has been identified. In July 2021, the Biden administration in the US passed the Cybersecurity Act to require operators of critical infrastructure to use only state-of-the-art security technology. That’s also relevant to us, because a good portion of our IT comes from the US. Moreover, here in Germany critical infrastructure is also being regulated. We’re in the middle of a trend reversal. Up to now there has been too little demand for IT security and therefore too little incentive to innovate. But the more companies see the enormous sums in potential damage their IT security poses, the more they’ll invest. That’s exactly the case right now.
That means that the more damage the hackers do, the tougher it will be for them in the future? I think we’re on the verge of a true leap in innovation for IT security technology. My hope is that in the next 5 to 10 years we’ll see a change for the better. Everybody knows it can’t keep going on like this.
Outro
Discover more:
Cyber-Security-Risk-Report 2021
Increasing digitization offers numerous new and unique opportunities for the majority of companies in Germany. But this also increases the risk of being exposed to cyber attacks.
Homo Digitalis
How digitalization will change our life, thinking and being.
A Mechanical Revolution
How digital technologies are the driving force behind the transformation of companies.
Text: Harald Willenbrock
Harald Willenbrock, a Hamburg-based copywriter and author, is a member of the brand eins editorial team, a co-founder and co-managing editor of outdoor magazine WALDEN, an author at GEO, A&W, NZZ-Folio, and others, as well as a corporate copywriter for brands such as BMW, Duravit, Porsche, and COR.
The time factor
Goto first page“Trying to concentrate only on preventing attacks doesn’t make much sense anymore,” says IT security consultant Weil.“Above all, it’s about crippling the attacker to slow down his infection of the network and to force him to act ever more ruthlessly. Then it’s easier to detect.” For every company, there are precautionary measures that at least allow them to gain time during an attack.
Segmenting the company network Only in very rare cases do accounting employees need access to data from the development or production department (and vice versa). Those who set up the company network in segments don’t open the whole company up to intruders with a single gateway.
Limiting accessEmployees should have access only to the data they actually need for daily work in their department. For example, their access options could be limited to defined data groups, computers or work times.
Two-factor authenticationIf two-factor authentication is demanded when logging into the company network (e.g. by text message or dongle), attackers with a stolen password can’t immediately open every route into the company.
Optimizing processesAccount access should be set up so that employees can log in only during their core work times. Nighttime login attempts are then more noticeable. This is how hacking of the European Medicines Agency EMA was discovered: A system manager noticed that a certain employee was regularly logging in outside of office hours. This “employee” turned out to be a Russian hacker.
Setting trapsThe earlier a break-in attempt is noticed, the better the damage can be limited. A simple cyberdeception tool is an easily accessible computer whose access accounts are monitored. It works as a sort of glue trap where unwanted visitors leave their tracks.
The human factor
Goto first pageEvery company has a crucial IT security factor already on board. The trick is to use it right. Four parameters people often struggle with:
Lack of personnel“Most middle-sized companies of 500 employees have at most one IT officer, plus a trainee. This department must then service not only the hardware and software, but usually also attend to the users,” says Hauke Gierow from security provider G Data in Bochum, Germany. “It’s highly likely that a department like this is overloaded. There is not much chance that they can quickly investigate irregularities and detect attacks.”
Technical failurePeople play a key role not only in preventing, but also in evaluating security problems. Ideally, all technical messages and logs are brought together in an SIEM system (Security Information & Event Management). It takes experts to decide whether an irregularity is actually an attack or a false positive, and what the right reaction is. “If you leave it to the software to decide whether production should shut down because a server is compromised, that will do more damage than the attack, in some circumstances,” says IT security expert Bischoff.
Lack of knowledge“There’s not just a shortage of IT security experts,” says Andreas Fuchs of the Fraunhofer Institute for Secure Information Technology (SIT), “but also a lack of IT security knowledge among managers and employees.” Even the best IT security structure is useless if employees don’t learn not to insert outside USB sticks into their computers and not to open phishing e-mails. Investing in employees’ IT security competence is therefore just as important as investing in security systems.
Lack of concentrationAnyone who wants to protect himself against hackers can pump all his revenue into IT security and still be a sitting duck. It makes more sense to model threats and ask yourself: Which assets should get priority protection? Against whom? And for how long? This allows sensible distribution of resources.
The corporate culture factor
Goto first pageWhat’s the best protection against hackers? An open corporate culture that sees IT security as the task of all employees. What does that require?
Provide resourcesSecurity expert Gierow recommends that corporate customers invest at least 0.5% of their annual revenue in IT security. And the important thing: The IT budget and the IT security budget should always be separate. Otherwise, in years of heavy investment in hardware or software, there’s no money left for protecting the network.
Establish an error culture Everyone makes mistakes, and the question is always how they deal with them. Companies should therefore maintain an error culture in which employees dare to notify IT security officers if they’ve just opened a suspicious e-mail. A survey by G Data shows this is exactly the problem: 68% of younger employees are afraid to admit an IT error openly.
Configure processesEven the most sophisticated technology can’t prevent scams like the “CEO fraud”. This is where only a culture of trust and openness can help. A culture where an accountant in doubt can call his CEO and ask, “Does this order to transfer a million euros to this Bulgarian subsidiary actually come from you?”
Abolish special privilegesIn many companies, for security reasons, only IT administrators can install software on company PCs – except for computers at the upper management level. “With privileges like that, upper management is not just a bad role model, but also a very juicy victim. This is because the C-level PCs also have the most interesting data,” explains Gierow. Therefore, upper managers should also “toe the line” and submit to the same precautionary measures as other employees, recommends Gierow.
Operate holisticallyFinally, a more comprehensive understanding of digital security is needed. “Companies need to recognize that IT security isn’t a purely technical issue but also involves a lot of psychology and social sciences – in short, it has to do with people,” says Gierow, the expert from G Data. “Software and technology are just the beginning. Only when you understand that, can you tackle the problem.”
Scroll down to continue
Swipe to continue
Swipe to continue
The 100% risk
100 percent. That is the probability of German companies being targeted by cybercriminals in coming years.
Why is that? And why shouldn’t this shattering realization give you an excuse to sit back and do nothing?
A brief security check
Do we have a problem, and if so, how many?
“The past year has been marked by a significant spread of cyberextortion methods,”
Scope of attack
Loss events
Cost factor
High risk
Security update
Attacks by mobs
Humanoid attack
Preventive options
What are companies to do?
Security briefing
You research secure IT solutions for management and industry. Do you share the fear that continued digitization will open ever-increasing opportunities for attack?
The time factor
Limiting access
Setting traps
The human factor
Lack of knowledge
The corporate culture factor
Establish an error culture