Everyone talks about hacks and data leaks. But who is in charge oft he security of companies? Visit the secret heroes of the German economy.
Jürgen Pfister knows, that IT-Security has long since become the CEO’s business.
Photo: Luise Aedtner
When Sascha Herzog and Jürgen Pfister talk about their work, the stories often sound like episodes from a detective novel. Like the time they were working in Switzerland. The target was a computer belonging to the CFO of a well-known private bank. Herzog and his team contacted his assistant, posing as the head of IT using a falsified text message and set an appointment to allegedly install new software on the laptop containing the valuable data. A colleague was already on site and used a falsified visiting card to identify himself as a representative of the antivirus producer. Within an hour, he was seated at the computer. Since the trojan horse could not be loaded on a USB stick, they just quickly sent it by email. Then, they had full access to all of the contact data. All of this happened while the woman trustingly made a coffee in the next room.
Today, hardly a week goes by without news of a spectacular hacker attack. Customer data and company secrets are sometimes not at all, or only poorly, secured on the Internet, while email addresses and passwords are leaked millions of times. According to a study from the IT-security company McAfee, the worldwide economic damages from cybercrime amount to 600 billion USD every year. Nearly 70 percent of companies and institutions in Germany have been the victims of cyberattacks in recent years, as a survey from the Federal Office for Information Security (BSI) has shown. In nearly half of the cases, for example, the attackers were successful and could gain access to IT systems, influence their functionality, or manipulate the companies’ websites. Every second successful attack led to loss of production or business breakdowns.
Firms like Nside Attack Logic are here to prevent this. Companies hire them to break into their networks. They are supposed to find out where the weak spots are. “We simulate complex attacks with a clear target,” Herzog explains. Every hacker has a motive: To enrich themselves, sabotage the competition, or strategically control critical infrastructures.
The company is headquartered in a modern office complex in the north of Munich. There is a lot of glass and steel, with open coffee kitchens and a foosball table in the foyer; a visitor can see into most of the offices. Herzog sits in a conference room and tells about successful attacks and companies that went bankrupt thanks to ransomware.
A few rays of filtered sunlight fall into the room through a not-quite-closed shade. With closely cropped hair, neatly trimmed beard, and broad shoulders, he does not exactly look like the popular stereotype of a hacker found in the media.
“Of course we cannot name names,” says Jürgen Pfister, Herzog’s co-CEO. Cybersecurity is a confidential business. The firm, which has barely more than 20 employees, counts as many as nine Dax-listed companies among its customers. These include banks and insurance companies, energy suppliers or companies from the pharma and chemical industries. All sectors that are highly vulnerable. “Our work consists of going through attacks on the critical business processes of our customers, using nearly all of the means that are also used by cybercriminals and other actors in this field,” says Pfister.
The questions are: Which attacks are possible? How do those accountable respond? Do they even notice the attack at all and what actions are in place to block an attack already in progress? The watchword is cyber resilience. Using a coordinated strategy, critical business operations are maintained, IT is restored quickly after an attack, and the effects on business are minimized. “We help our customers to maximally improve their ability to resist,” says Pfister. “Besides technology, this also involves organizational measures and the awareness of employees and partners.”
Sascha Herzog has been working in IT-Security for 15 years, looking for security holes on behalf of companies.
Photo: NSIDE ATTACK LOGIC
At the beginning of each hack is what Sascha Herzog and his team call “tactical information gathering”: “We observe a company through the lens of a hacker on the Internet, do research in databanks, and correlate information that would go into a potential attack.” In this phase, not even a single network packet is sent against their customer’s servers yet. How else would you carry out an attack yourself, when the companies themselves often open the doors for the hackers?
One favorite method consists of so-called social engineering and spearphishing. Herzog’s employees go for the target. They inform themselves about the current procedures in the company and create psychological profiles of the target persons. Sometimes, they present themselves as a hopeful applicant sending in their portfolio as an attachment, then again as a student working on their bachelor’s thesis who is just quickly asking the experts if they can verify test results.
The industry is full of stories like these, and almost every time, there is a trusting employee at the company who falls into the trap. Usually, the contact is made with employees far from the IT department who believe that the complex material doesn’t have anything to do with them anyway, such as salespeople and marketing experts; not even the janitor’s computer is safe. Cybersecurity is not only the task of the specialists, but applies to the decision-makers in the company as well. For reasons such as these, Messe München held Command Control for the first time in the fall of 2018 (see box), which is a summit rather than a fair.
In the worst case, you might as well close the shop.Sascha Herzog, Founder of Nside Attack Logic
Of course, it is not just humans who are prone to errors. Technology is, too. More and more devices are connected to the Internet. For example, in their work, the experts from Munich make use of the search engine shodan.io, which lists the IP addresses of countless networked devices: Printers, routers, and even control systems for power plants or water treatment plants. What this means is: Once you have tapped the relevant address, you can manipulate the corresponding hardware with the necessary know-how.
“Imagine the typical mid-size company,” says Herzog, “say in the manufacturing industry. What happens when a competitor takes over its system controls and drills heads into the workpieces, so that the devices no longer function and production comes to a standstill? In the worst case, it can take up to half a year until spare parts can be delivered. You might as well close the shop.”
Good hackers, of course, do not break anything. Instead, they try to reach the place where they can launch such an attack. In their own hardware laboratory, they analyze devices to find their weak spots. They recently found a critical error in the routers of a major German telecommunications provider. A potential point of entry into millions of households. The bug was fixed in collaboration with the company.
Both tiny webcams and powerful industrial drills are affected to the same degree. “When you look under the hood, what you find is often insanely trivial,” says Herzog. Industry 4.0 teems with unsecured systems and standard passwords that are freely accessible on the Internet. Many weak spots that you find in the area of networked devices are perhaps no longer valuable to a hacker,” says Herzog. But he could already be strategically positioned and waiting for the right moment—then the attack begins.
Command Control addresses all decision-makers who participate in the digitalization of a company or an organization. Therefore, the event has an international focus and is designed to be a dialog platform for all of Europe. Command Control is distinguished by its interactive character, offering participants numerous continuing-education and networking opportunities.
Key leaders from commerce, science, and politics deliver the necessary know-how and the right contacts to manage the digital transformation of a company through best-practices workshops, peer-to-peer sessions, panel discussions, and keynote addresses. The theme of the event in March 2020 is Cyber Resilience.
By Michael Moorstedt. The article was first published in our Messe München Magazine 01/2019.