In this article you will read about:
- which malware will pose a particular threat to IT security in the future
- why enterprise applications are increasingly becoming the target of ransomware hacker attacks
- how bug bounty programs, honeypots, and vulnerability scanners support the fight against cyber crime
Emotet defeated – problem solved? It's not quite that simple. Hackers will continue to target companies and data centers with ransomware and other malware. How do you protect your data and applications proactively and effectively? What role does cloud computing play in this? A conversation on the state of data protection and IT security with Daniel Fussy, Security & Privacy Consultant at T-Systems.
Mr. Fussy, how do you assess the current security situation in information and communications technology – what threats do we have to be prepared for?
Ransomware will continue to be at the forefront of attack methods, even as the Emotet infrastructure is phased out. However, cyber criminals are now taking a more targeted approach: The classic attack on a data center via DDoS attacks is now increasingly being augmented by intrusion attempts on systems. I therefore see one of the biggest threats in 2021 being industrial espionage by breaking into customers' applications. This is where 90 percent of all attacks via the Internet are directed.
Spy, grab information, and sell it for a lot of money
What is it about enterprise applications that makes them such frequent targets?
I call this "user manual attacks." If a customer has worked through 80 percent of the manual when configuring their application and the system is running properly, the remaining 20 percent often falls by the wayside. This can lead, for example, to no or incorrect rights being assigned to users, passwords not being changed, and systems not being hardened. All this opens up opportunities for an attacker to find backdoors for ransomware and other malware behind the firewall and penetrate deeper and deeper into the system. Mistakes like this happen all the time – even secret documents from the NSA have been accessible due to user errors in the public cloud of a US hyperscaler.
What is the aim of the attackers?
The attackers are usually not interested in paralyzing or destroying a system, as in the classic DDoS attack – on an e-shop, for example. Rather, the aim is to remain undetected for as long as possible, to conduct industrial espionage undisturbed, and to tap information in order to turn it into money at the highest possible price.
Certifications and the right cloud strategy
What measures are best suited to protect applications?
Certifications are considered a good indicator of quality and protection. For the cloud, for example, certifications such as ISO 27018 and Trusted Cloud (TCDP) are particularly relevant. To ensure the availability of a customer's application, it is nowadays managed across multiple data center locations. This approach is also known as "pet versus cattle." It doesn’t matter if a beloved and preferred "pet" server at one site fails because a new server from the herd ("cattle") is already ready.
How is this implemented?
Failed servers and virtual machines can be rebuilt and made operational in the shortest possible time with the help of scripting languages and automation tools such as Ansible, Terraform, and SaltStack – this can also be described as the "self-healing powers" of servers. This corresponds to the principle of container solutions such as Docker and control tools such as Kubernetes. The cloud is thus enabled to repair itself, so to speak. Based on the last current backup, the entire environment is rebuilt within a few minutes at the push of a button. Meanwhile, more and more customers appreciate these advantages of cloud computing and infrastructure as a service (IaaS).
Data protection, compliance, GDPR – how do companies manage this triple jump? And how can cloud providers help them?
In the case of personal data in particular, legislators in Europe and Germany have made enormous improvements, especially with the renewal of the BSI C5:2020 criteria catalog, which provides companies with concrete criteria, for example, for cooperation with third parties and the implementation of the "right to be forgotten." Data is the crown jewel of every company. Therefore, personnel, financial, and research data as well as trade secrets should always be stored in the location that offers the highest level of security. If you are a company subject to the GDPR, you need a location in Europe or European cloud providers for your data processing in order to maintain compliance. At the same time, it is advisable to rely on a multi-cloud strategy with several providers in order to maximize availability and reliability. This is especially true for large corporations that can monitor the daily performance of their respective providers and then decide on which cloud to distribute their applications as containers.
More security through bug bounty programs, honeypots, and vulnerability scanners
The latest BSI security report records high levels in all areas of cyber crime and warns of newly emerging threats. What would a comprehensive overall concept look like to defend against them?
Regular internal controls are indispensable. At Telekom, the Privacy & Security Assessment has become established. As part of this process, all known vulnerabilities and the hardening of the systems are checked and pentests are carried out – it is basically the equivalent of internal certification. Bug bounty programs are also very useful. Here, companies and organizations invite hackers to break into their systems and pay them for doing so: Anyone who finds and reports a vulnerability receives a reward. Telekom also runs a bug bounty program. This creates incentives for hackers not to exploit points of attack in a criminal manner – in other words, ransomware.
What else can companies do?
Another good way to look over the shoulder of hackers and study their preferences and methods is by using honeypots: You put a system in the cloud that looks like a real computer on a network, but is actually isolated, contains no critical data, and also uses special software to record all the hacker's activities – distracting them from the real systems. Our honeypot is called T-Pot, and it is always amazing to see how up to 20,000 attacks are carried out within 24 hours on a virgin IP address with a new honeypot system – all of which the respective system records, of course.
One final tip: Vulnerability scanners are also a proven resource. In addition to solutions such as Qualys and Nessus, we use the OpenVAS scanner from Greenbone. It should also be noted that the best procedures, measures, and software tools are of no use if they are not used regularly. So it's important to continue to run and evaluate vulnerability scans on a regular basis, even after a system has gone live. Because hackers don’t sleep; they continue to develop their malware and methods.
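The honeypot passage above describes a sensor that records every hit on a fresh IP address. The following added example (not code from T-Pot or from the interviewee) shows the kind of first-pass evaluation a defender runs over such recordings: it parses constructed JSON-lines events in a simplified shape, counts hits in the first 24 hours after the sensor went live, and flags sources that probed more than one service. The event schema and all addresses are constructed for illustration.

```python
"""Summarise constructed honeypot events: who hit the sensor, how often, on which services."""
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (simplified JSON lines; not T-Pot's real schema).
SAMPLE_EVENTS = """
{"ts": "2021-03-01T00:05:12Z", "src_ip": "198.51.100.7", "dst_port": 22, "sensor": "ssh"}
{"ts": "2021-03-01T00:05:13Z", "src_ip": "198.51.100.7", "dst_port": 22, "sensor": "ssh"}
{"ts": "2021-03-01T03:41:00Z", "src_ip": "203.0.113.9", "dst_port": 445, "sensor": "smb"}
{"ts": "2021-03-01T09:12:44Z", "src_ip": "198.51.100.7", "dst_port": 3389, "sensor": "rdp"}
{"ts": "2021-03-01T18:30:01Z", "src_ip": "192.0.2.33", "dst_port": 80, "sensor": "http"}
{"ts": "2021-03-02T01:00:00Z", "src_ip": "192.0.2.33", "dst_port": 80, "sensor": "http"}
""".strip().splitlines()


def parse_events(lines):
    """Parse JSON-lines records, converting the UTC timestamp to a datetime."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def summarise(events, window=timedelta(hours=24)):
    """Return hit statistics for the first `window` after the sensor's first observed hit."""
    events = sorted(events, key=lambda e: e["ts"])
    start = events[0]["ts"]
    in_window = [e for e in events if e["ts"] < start + window]
    by_src = Counter(e["src_ip"] for e in in_window)
    by_port = Counter(e["dst_port"] for e in in_window)
    # A source touching several services on a brand-new address looks like a scanner,
    # not a mistyped connection; those are the ones worth blocking or watching first.
    multi_service = sorted(
        ip for ip in by_src
        if len({e["dst_port"] for e in in_window if e["src_ip"] == ip}) > 1
    )
    return {
        "total": len(events),
        "first_window": len(in_window),
        "top_sources": by_src.most_common(3),
        "top_ports": by_port.most_common(3),
        "multi_service_sources": multi_service,
    }


if __name__ == "__main__":
    for key, value in summarise(parse_events(SAMPLE_EVENTS)).items():
        print(f"{key}: {value}")
```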
Cyber(in)security in figures
The German Federal Office for Information Security (BSI) has summarized the most important figures in its annual Report on the State of IT Security in Germany 2020. Here is a selection:
- 117.4 million new malware variants were counted in 2020 (2019: 114 million)
- That is an average of 322,000 new malware variants per day, 470,000 on peak days
- Almost 7 million reports of malware infections sent by the BSI to German network operators
- Up to 20,000 bot infections of German systems were registered every day
- 24.3 million patient records were estimated to be freely accessible internationally on the Internet
- 76 percent is the share of unsolicited spam mails in all mails received in the federal government’s networks (2019: 69 percent)
- There were 419 CRITIS notifications, up from 252 in 2019, and only 145 in 2018
- 52,000 websites were blocked by government network web filters because they contained malware
- 35,000 mails containing malware were intercepted on average per month in German government networks