Blind Spot in cyber security
During the past 3 months, I (Rüdiger Henrici, founder and owner of [j]karef GmbH) have had innumerable conversations with CEOs and IT managers from all kinds of companies. The occasion was usually the discovery of security vulnerabilities in the web infrastructure of these companies.
Apart from the fact that it is never pleasant to be surprised with news of insecurities in one's company network, at the end of most of these conversations I had the feeling that I had been talking about processes that, unfortunately, were completely beyond my counterpart's understanding.
What was particularly astonishing for me in these conversations was the fact that the topic of IT security is addressed quite naturally only within the companies' IT departments.
Depending on the size of the company, the IT departments also invest a considerable amount of time and effort to protect the internal IT infrastructure.
The situation is completely different, however, when it comes to the security of web-based ("external") applications.
I call this the blind spot of companies. There are many reasons for it. One of the main reasons for the massive security gaps we see is the fragmentation of services, which are often provided by third-party web agencies or specialized eCommerce agencies.
Furthermore, the strong focus of these third-party service providers on open source software has led to a concentration on a few well-known products. However, these products are not only well known to users, but also to attackers. Open source software has a reputation for being inexpensive and secure. The fact that it is maintained by a large community, which can also react quickly to security vulnerabilities, is one of the main arguments for its use, in addition to the price.
It is true that open source products are of high quality and low in price. That assumption does not hold, however, for the ongoing operating costs.
In my view, one reason for the poor security record is the lack of budgeting for the applications. Poorly maintained servers and applications indicate a misunderstanding in the business consideration of a web application.
However, the biggest mistake a company can make in assessing the security risks it faces from web applications is to assume that, because there is often no technical connection between the web application and internal IT, there is no danger.
That may be true for small businesses without a digital business model - though I would also include mail servers under web-based applications.
However, this is not true for companies that offer databases and digital services on the web!
For simplicity, I divide the dangers of running insecure web applications into two scenarios.
Scenario 1: Dangers to customers and operators of the web applications that result directly from their use.
This includes malware distribution, data and identity theft, illegal distribution of criminal or pornographic content, risk of data corruption, rendering servers and data connections unusable, just to mention a few.
Additional tactics and scenarios can be found at https://attack.mitre.org/ .
MITRE ATT&CK® is a globally accessible knowledge base of attacker tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as the basis for developing specific threat models and methodologies in the private sector, government, and cybersecurity products and services community.
Scenario 2: Threats that arise to an organization's internal IT security.
These include scenarios such as ransomware extortion and the associated data loss, theft of company secrets, and rendering the entire IT infrastructure unusable, with all the known consequences.
For both scenarios, I would distinguish two further subgroups:
- Short-term and quickly damaging attacks
- Long- and medium-term attack scenarios
The scenarios in the first subgroup usually serve to generate a quick profit for the attackers. Ransomware attacks, for example, can be expensive for victims, but are usually over once a ransom is paid (which is not advisable) or the data is recovered.
In my view, among the most dangerous attacks we will see in the next 3 years are the scenarios in the second subgroup. These perpetrators pursue long-term goals. Their motivation is not necessarily greed for profit, but can have various other reasons.
One of the main reasons is betrayal of secrets, by which I mean the continuous tapping of information that can be used for the development and/or replication of products. This also includes the theft of financial information belonging to customers or to the company concerned.
Another scenario is the theft of cryptographic keys or certificates that are used for further communication with other victims in the environment of the hacked website. The manipulation of, for example, the source code of a software application can also fall into this category.
This area also includes attacks on companies that are not the actual targets of the attack, but are intended to serve as a starting point for further criminal activities by the attackers. Servers can become zombie computers that are used remotely for attacks on third parties or, depending on their performance, serve as the home base for complex and coordinated attacks on other companies.
Collaboration with companies that operate servers with potential security vulnerabilities represents a high risk for all parties involved.
This is also the reason why even small and medium sized companies have to make prevention an important part of their daily IT routine.