Six common misconceptions about cybersecurity in the enterprise


Cybersecurity costs money. As long as the IT systems and infrastructure are functioning, it is often difficult to invest the resources that would be needed to reduce risks and ensure smooth operation in the future as well, in other words: to establish cyber resilience. When organizations systematically underestimate their cyber risk, it has to do with several misconceptions. In the following, we look at six of the most common misconceptions.

Assumption 1: It only affects the others anyway

"Our company is not interesting enough for a cyberattack." This assessment is anything but rare. Unfortunately, the reality is completely different. Statistics show that as many as 99% of all cases of cyber damage are the result of attacks that were not targeted at all. In other words, the vast majority of attacks are spray-and-pray. Cyber criminals launch a general attack attempt without a specific target. Then they simply wait to see at which companies or organizations the email with the phishing link, for example, leads to success. Unfortunately, for many companies, the hurdle for an initial compromise of their IT is not high enough to withstand these attacks in the long term. This plays into the attackers' hands, especially if they have primarily financial interests and want to blackmail the company, for example by encrypting its data using crypto Trojans or ransomware. This is where the spray-and-pray approach is usually the most profitable for cyber criminals. This in turn means that every company is a potential victim. Politically motivated attacks are clearly distinct from this: here, success is ultimately just a question of available manpower, as monetary cost-benefit considerations play a completely subordinate role in an ideologically motivated attack. In such cases, zero-day attacks that exploit security vulnerabilities in software that are not yet publicly known are also used more frequently. With a zero-day exploit, the attacker plays a joker, so to speak. This is because if the new attack method becomes public as a result of its use, this attack vector is ultimately used up, because software manufacturers then roll out the corresponding security updates.

Assumption 2: Attacks from the supply chain do not play a major role

In fact, the number of supply chain attacks is increasing. In this class of cyber attacks, software solutions, devices or machines that are supplied to a company and that it uses for its business activities act as the attack vectors. For example, the Log4j vulnerability disclosed in December 2021 was a zero-day vulnerability in a Java logging library. Log4j is used to create and store logging information from software, applications and hardware appliances. However, because Log4j is sometimes deeply embedded in many different solutions, in thousands of instances, a simple vulnerability scan is hardly sufficient to identify all vulnerable instances. In general, even open source software is not immune to security vulnerabilities. For example, a professor at the University of Minnesota managed to introduce vulnerabilities into the Linux kernel as part of a study. He and one of his students pretended to provide bug fixes for the Linux community. The aim of the controversial action was to demonstrate how vulnerable open source projects can be. A security gap in the Linux kernel is potentially so serious because Linux is very widespread. Today, it can be found in servers and smartphones as well as in a wide variety of embedded devices - from cars to smart homes and machines. With the increasing digitalization of our economy and our living environment, networked devices can now also become a gateway for cyber criminals. For example, a supermarket chain was hacked when the attackers chose the intelligent refrigerated shelves in the stores as an attack vector. The same risk exists for networked devices in the smart home sector. They also represent potential points of attack - a serious reputational risk for the device manufacturer or distributor. In both the private and commercial sectors, a much more conscious approach to installed software and purchased devices is therefore required. 
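To make the point about deeply embedded Log4j instances concrete, here is an added example (not from the article or its authors) of an inventory check that walks a Java archive and every archive nested inside it, locating log4j-core by the Maven metadata it ships and noting whether the JndiLookup class is present. The sample application archive is constructed in memory; its file names and nesting are assumptions for illustration.

```python
import io
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # ships the JNDI lookup
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # Maven metadata

def parse_version(pom_properties):
    """Return the version from pom.properties as a tuple such as (2, 14, 1)."""
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            raw = line.split("=", 1)[1].strip()
            try:
                return tuple(int(p) for p in raw.split("."))
            except ValueError:
                return raw  # pre-release strings such as 2.0-beta9 stay as text
    return None

def scan_archive(data, path="app.jar"):
    """Walk an archive and every archive nested inside it, however deep.
    Returns (nested_path, version, has_jndi_lookup) per log4j-core found;
    nested_path uses '!/' to show the chain of containers."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # an entry with an archive suffix that is not a zip
    with zf:
        names = zf.namelist()
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode())
            findings.append((path, version, JNDI_CLASS in names))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{path}!/{name}"))
    return findings

def make_zip(entries):
    """Build an in-memory zip from a {name: content} dict (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_app():
    """Constructed sample: app.jar -> lib/vendor-bundle.jar -> log4j-core jar."""
    log4j = make_zip({JNDI_CLASS: b"\xca\xfe\xba\xbe", POM_PROPS: "version=2.14.1\n"})
    bundle = make_zip({"lib/log4j-core-2.14.1.jar": log4j, "Vendor.class": b""})
    return make_zip({"lib/vendor-bundle.jar": bundle, "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
```

A file-system scanner that only matches jar names on disk would miss the log4j-core copy here, because it sits two archive levels down inside a vendor bundle.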
In the manufacturing industry, for example, where a machine can have a life cycle of several decades, sooner or later only mitigating measures will be available to reduce security risks. This is because the manufacturer may no longer exist, or may stop supplying security patches after a few years. So sometimes the only option left is to seal off the machine from the rest of the network at great expense and accept the residual risk. As a general rule, it would be negligent for a company to shift the responsibility for its cyber security entirely onto its suppliers. Threats from the supply chain are real and commonplace today. Companies therefore not only need appropriate risk awareness, but also experts who can help them establish effective cyber resilience.

Assumption 3: Our employees already have sufficient security awareness

All too often, careless behavior on the part of employees still provides cyber criminals with a convenient gateway into the company. Creating and maintaining an appropriate level of risk awareness is a building block for cyber security whose importance a company should never underestimate. Only if they are aware of the danger will employees consistently avoid giving out passwords over the phone, for example, or carelessly clicking on a dubious link in an email. Sometimes the potential danger is also a direct consequence of daily work. Employees in the HR department, for example, open job applications almost every day without knowing whether the digital CV contains malicious code or not. The same applies to invoice PDFs in the accounting department's inbox. This is why companies naturally need to take technical measures against such attacks. But it is equally important to reduce the likelihood of successful phishing attempts by raising awareness of the dangers of social engineering attacks in general. Social engineering means that the attackers use deception to gain unauthorized data or access. Methods of human psychology are misused to manipulate employees and persuade them to hand over information or take certain actions - such as the fatal click on the link in the phishing email, or giving their password to supposed support staff on the phone.

Assumption 4: The scope of this security check is surely sufficient

Putting a company's cyber security to the test with penetration tests is an important building block in the development of cyber resilience. However, if the scope of the pentest is too small, little is gained. This creates a false sense of security. A typical example is the exclusion of certain systems, such as those that are at the end of their life cycle because they will soon be shut down or replaced anyway. However, as long as they have not yet been switched off, these old systems often offer the most tempting attack vector. Another example: the server hosting the web application to be tested also runs an FTP service that would allow the server to be completely compromised, but all services apart from the web application are excluded from the test. It also happens that a financial institution, for example, chooses the scope of its audit to be only as large as regulation prescribes and officially requires. Here too, the result would be a deceptive false sense of security. If pentests are to be truly meaningful, they must not focus on just one section of the company's IT. Instead, they must be designed holistically. After all, the aim of a penetration test is not just to give management a positive feeling about cyber security - it should identify real security gaps and potential attack vectors so that these can be rectified before they are exploited by criminal attackers.

Assumption 5: Penetration testing can be done by the IT department on the side

In most companies, pentesting cannot be an in-house task at all. After all, IT administrators have one thing above all else to do: they have to ensure that the company's systems run reliably. As a rule, the administration team is already working at 100, if not 120, percent capacity with its operational tasks. In addition, penetration testing requires highly specialized and cutting-edge expertise. This is something that the IT department usually does not have at its disposal. It is important that management understands that a pentest is not something that can simply be done on the side. At the same time, internal IT staff must realize that a security audit is never about discrediting their own cybersecurity work, but about strengthening it. A meaningful penetration test would not even be feasible with in-house resources because know-how and time are lacking. This is only different if the company is large enough to afford its own dedicated Red Team - the attackers - for more or less continuous pentesting. This Red Team is then countered by a dedicated Blue Team of defenders. But even a dedicated Red Team can sometimes benefit greatly from external support from ethical hackers.

Assumption 6: Our backups save us in case of emergency

Just over five years ago, this statement may have been true. Today it is no longer true in every case. It is important to remember that the quality of malware has increased significantly. Crypto Trojans that encrypt company data for blackmail purposes no longer do so immediately. There is now ransomware that first settles in a company's backups and gradually destroys them. Only months later, when the backup has become unusable, does the crypto Trojan set about encrypting the company's data - and the actual blackmail begins. That is why it is important today, firstly, to secure backups against malware with suitable protection concepts and, secondly, to check them regularly. Only a backup that can actually be restored can be relied on in an emergency. Companies should therefore regularly test, practice and rehearse their disaster recovery. And if a company encrypts its backup for security reasons: this backup key itself is also a potential point of attack, because cyber criminals can of course also encrypt the company's backup key. The backup would then, in turn, be unusable, and the extortion attempt through the encryption of the company's data could begin. That is why it is important that companies keep their backup crypto keys offline and also document their disaster recovery procedures offline.

Conclusion: From cybersecurity to cyber resilience

The threat of cyberattacks has not diminished; on the contrary. If a company were to conclude from an incident-free past that it will continue to be safe from cybercrime in the future, this would perhaps be the most serious misconception of all. Operational reliability can only be established in IT if a company establishes, maintains and further develops its cyber resilience with suitable, holistic concepts and measures. In any case, the effort is worthwhile, because the financial damage in the event of an emergency weighs many times more heavily than the foresighted investment in cyber security. As in medicine, prevention is better than cure when it comes to cybersecurity.

Authors: Michael Niewöhner and Daniel Querzola are both managers and penetration testers at Ventum Consulting, Munich.

This article originally appeared on m-q.ch - https://www.m-q.ch/de/sechs-gaengige-fehlannahmen-zur-cybersecurity-im-unternehmen/
