"Hackers don't sleep" – How can you protect yourself against cyber crime?

In this article you will read about,

• which malware will pose a particular threat to IT security in the future
• why enterprise applications are increasingly becoming the target of ransomware hacker attacks
• how bug bounty programs, honeypots, and vulnerability scanners support the fight against cyber crime

Emotet defeated – problem solved? It's not quite that simple. Hackers will continue to target companies and data centers with ransomware and other malware. How do you protect your data and applications proactively and effectively? What role does cloud computing play in this? A conversation on the state of data protection and IT security with Daniel Fussy, Security & Privacy Consultant at T-Systems.

What is it about enterprise applications that makes them such frequent targets?

I call this "user manual attacks." If a customer has worked through 80 percent of the manual when configuring their application and the system is running properly, the remaining 20 percent often falls by the wayside. This can lead, for example, to no or incorrect rights being assigned to users, passwords not being changed, and systems not being hardened. All this opens up opportunities for an attacker to find backdoors for ransomware and other malware behind the firewall and penetrate deeper and deeper into the system. Mistakes like this happen all the time – even secret documents from the NSA have been accessible due to user errors in the public cloud of a US hyperscaler.

What is the aim of the attackers?

The attackers are usually not interested in paralyzing or destroying a system, as in the classic DDOS attack – on an e-shop, for example. Rather, the aim is to remain undetected for as long as possible, to conduct industrial espionage undisturbed, and to tap information in order to turn it into money at the highest possible price.

What measures are best suited to protect applications?

Certifications are considered a good indicator of quality and protection. For the cloud, for example, certifications such as ISO 27018 and Trusted Cloud (TCDP) are particularly relevant. To ensure the availability of a customer's application, it is nowadays managed across multiple data center locations. This approach is also known as "pet versus cattle." It doesn’t matter if a beloved and preferred "pet" server at one site fails because a new server from the herd ("cattle") is already ready.

How is this implemented?

Failed servers and virtual machines can be rebuilt and made operational in the shortest possible time with the help of scripting languages and automation tools such as Ansible, Terraform, and SaltStack – this can also be described as the "self-healing powers" of servers. This corresponds to the principle of container solutions such as Docker and control tools such as Kubernetes. The cloud is thus enabled to repair itself, so to speak. Based on the last current backup, the entire environment is rebuilt within a few minutes at the push of a button. Meanwhile, more and more customers appreciate these advantages of cloud computing and infrastructure as a service (IaaS).

Data protection, compliance, GDPR – how do companies manage this triple jump? And how can cloud providers help them?

In the case of personal data in particular, legislators in Europe and Germany have made enormous improvements, especially with the renewal of the BSI C5:2020 criteria catalog, which provides companies with concrete criteria, for example, for cooperation with third parties and the implementation of the "right to be forgotten." Data is the crown jewel of every company. Therefore, personnel, financial, and research data as well as trade secrets should always be stored in the location that offers the highest level of security. If you are a company subject to the GDPR, you need a location in Europe or European cloud providers for your data processing in order to maintain compliance. At the same time, it is advisable to rely on a multi-cloud strategy with several providers in order to maximize availability and reliability. This is especially true for large corporations that can monitor the daily performance of their respective providers and then decide on which cloud to distribute their applications as containers.

The latest BSI security report records high levels in all areas of cyber crime and warns of newly emerging threats. What would a comprehensive overall concept look like to defend against them?

Regular internal controls are indispensable. At Telekom, the Privacy & Security Assessment has become established. As part of this process, all known vulnerabilities and the hardening of the systems are checked and pentests are carried out – it is basically the equivalent of internal certification. Bug bounty programs are also very useful. Here, companies and organizations invite hackers to break into their systems and pay them for doing so: Anyone who finds and reports a vulnerability receives a reward. Telekom also runs a bug bounty program. This creates incentives for hackers not to exploit points of attack in a criminal manner – in other words ransomware.

What else can companies do?

Another good way to look over the shoulder of hackers and study their preferences and methods is by using honeypots: You put a system in the cloud that looks like a real computer on a network, but is actually isolated, contains no critical data, and also uses special software to record all the hacker's activities – distracting them from the real systems. Our honeypot is called T-Pot, and it is always amazing to see how up to 20,000 attacks are carried out within 24 hours on a virgin IP address with a new honeypot system – all of which the respective system records, of course.

One final tip: Vulnerability scanners are also a proven resource. In addition to solutions such as Qualis and Nessus, we use the OpenVAS scanner from Greenbone. It should also be noted that the best procedures, measures, and software tools are of no use if they are not used regularly. So it's important to continue to run and evaluate vulnerability scans on a regular basis, even after a system has gone live. Because hackers don’t sleep, they continue to develop their malware and methods.