Cybersecurity: “Hackers Constantly Challenge Us”
Bernd and Marcel Steinkühler from Correct Power Institute, an IT specialist, discuss attacks from the Internet and potential defenses
Should a company simply expect that cyber criminals will attack it?
Bernd Steinkühler: When a location like a computing center goes online, then hackers attack, statistically speaking, after two minutes at the latest. If the criminals succeed in interrupting the power supply, they can incapacitate the company. However, it often happens that the hackers call using a disposable cell phone and say “You will pay X amount or you will be finished in five minutes.” As a rule, companies generally pay.
What drives hackers? Does Bank A hire them and pay them to attack Bank B?
Bernd Steinkühler: Most often, Chinese or Russian corporations hire hackers to damage their competitors. This is quite professionally organized, which is why the extorted companies generally pay without thinking too long or too hard. They know that their electricity can actually be cut off after ten minutes.
Is it really that simple?
Marcel Steinkühler: It’s even easier: A head manager leaves his mobile phone in a taxi; the driver finds it and sells it to a criminal, who uses it as a gateway past the corporate firewall. This happens faster than you think: The entire company network can be crashed within a few minutes. Mobile phones are currently the main access point. This scam is currently affecting London’s banking sector.
Do companies handle their data carelessly?
Bernd Steinkühler: They don’t always know what can happen. The greatest threat is casually connecting devices to the Internet. If there is sensitive architecture behind that device, like, for example, a water treatment plant, then this carelessness can have severe consequences. If hackers shut off the pumps, then several thousand people suddenly have no water. This is why penetration tests are important in order to find the gaps in the architecture. Yet until recently, these tests have not always been consistently carried out. Reconsideration of this casual practice is gradually being established at more companies, and IT security is gaining importance. For banks, it has become the most important topic. The entire architecture being developed there is IT-secure. As service providers, we secure the transport paths for the data by rigorously applying encryption. This means there are no attack vectors in the open Internet.
If someone wanted to, could they protect themselves 100% from cyber attacks?
Bernd Steinkühler: We have to be honest here: Hackers challenge us every day, and there is no 100% level of security. Every system has a weakness, regardless of how well it is constructed. However, if a company emphasizes cybersecurity and employs one hundred people to ensure it, then hackers will only succeed with a great deal of effort. One person, on the other hand, has no chance against them at all. We have incorporated numerous obstacles into our system for monitoring server farms: We rely on encryption and intrusion detection, which means that we also watch the traffic in our protected network. If we detect suspicious patterns, then the data packets are rejected and not transported any farther. This also helps us learn whether there are security gaps and where they are. In addition, our architecture is designed so that only certain servers, not all of them, can access the infrastructure to be monitored. Employees have to log in using two-factor identification, and they only see things virtually. They are never physically in the same room as the computers. This is essential: Everything must be concealed so that it cannot be attacked.
How long does it take to establish a security concept?
Bernd Steinkühler: It took two years for Ernst & Young to certify our architecture, and the optimization process is ongoing. We had 51 findings in the first attack during an Ernst & Young penetration test. Of course, we then attempted to remedy them, but after the 13th finding, there was no solution possible, because there were simply too many gaps and they could not be closed. We had to accept that there were too many systems in use that were not secured against penetration. Therefore, we completely overhauled the architecture; the simple explanation is that we built a high wall around it with encryption and a netscaler that also functions as a firewall and checkpoint: All websites that can link outward are screened again and protected. Our security architecture resembles a fort: Only a few gates lead outward – and those are monitored very carefully.
You have companies from different sectors as customers. Is there one security solution that can be used as a blueprint for everything?
Bernd Steinkühler: It always has to be individually checked. The correct concept is ultimately based on how the data is supposed to emerge from the computing center. The various possibilities must be incorporated together with the customer’s security department. In addition, several standards and norms apply. BSI baseline protection is considered the bible of cybersecurity. When it is taken into consideration, then at least a basic protection level has been achieved. The rest has to be adapted to the individual requirements.