Thanks to the internet, someone seeking to harm a company stands a good chance of success
Cyber attacks are a growing threat to companies. Florian Seitner from the Bavarian Office for the Protection of the Constitution and Michael Hochenrieder from HvS-Consulting, a provider of IT security services, talked with Munich Re about costly losses and complex risks.
Michael Lardschneider (Munich Re): Cyber attacks causing costly losses are becoming more frequent in many branches of industry. Companies are investing more and more in technical infrastructure. Does this deter hackers?
Florian Seitner: Hackers are becoming more and more professional – something that is also reflected in the growing division of labour. As in the world of business, more complex programming tasks are outsourced, with some groups of hackers even working for both intelligence agencies and criminal clients.
Lardschneider: Mr. Hochenrieder, as a provider of IT security services, you endeavour to find out how effective your clients’ security measures are. As part of your vulnerability analysis and penetration tests, your job is to try and steal the digital “crown jewels”. How do you go about this?
Michael Hochenrieder: We specifically launch our attack at a carefully selected point in the network and look to see how IT security staff and systems respond: Do they raise the alarm? Or can we move around freely in the network for two or three weeks, continuously skimming off company data?
Lardschneider: What has been your experience to date? Are the attacks detected more quickly than in the past?
Hochenrieder: No, on the contrary. It takes longer now because the tools used for genuine attacks have become exceedingly sophisticated. And that makes it very difficult to detect an attacker who has the relevant technical knowledge.
Seitner: Our adversaries have the advantage that they can learn from their mistakes, as there is a chance they may notice why their attack failed. Next time around, they’ll have better software and target a different network.
Hochenrieder: In the end, we must admit that, in this game of cat and mouse, we usually come off second best. We can only learn from an attack after the event. Analysing the attack is a lengthy process, during which other companies may find themselves under attack from a similar technology.
Lardschneider: Companies are becoming more aware that they are all in the same boat. However, a great deal of mutual trust is needed in order to understand which attacks have been launched and which measures have been implemented. Trust-based intercorporate bodies are slow to emerge. This is also true of collaborations with providers of IT security services and product manufacturers. An extremely close and trusting business relationship is imperative if it is possible that the service provider might also be working for the competition, for example. Close cooperation with domestic intelligence authorities is also important.
Seitner: Firms can work with us on a confidential basis and receive support from the authorities in the event of electronic attacks, without this necessarily leading to criminal prosecution. Many firms, however, are reluctant to call in the police. The police are obliged to report such cases to the public prosecutor on account of the legality principle. As a domestic intelligence authority, we are not governed by this principle. We guarantee the firms complete confidentiality.
Lardschneider: Last year, US security authorities informed 3,000 firms that they may have been the target of cyber attacks. Will such close cooperation also become more common in Europe and other regions in the future?
Seitner: We issue a security warning if we detect an attack or hear of an attack which, judging by its nature, could affect more than one company. Though the details are always anonymised, our warnings describe the attack in such a way that every potential victim can take specific action. Many firms have performed tests on the basis of our warnings, several of them uncovering attacks in the process. Such cases are then included in our assessment of the current situation.
Hochenrieder: In the case of specific attacks, several different methods are employed simultaneously. On average, it takes 260 days before an attack is actually discovered by the company targeted. In some cases, the hackers can lurk undetected in the corporate network for several years.
Lardschneider: This can only be prevented if technology and human intelligence operate in synch. A great deal can be stopped through technical measures, although this can occasionally interfere with the employees’ workflow. But they tend to accept this if they understand why certain functions have been deactivated. We also invest a great deal in improving our employees’ know-how and heightening their awareness of the entire subject.
Hochenrieder: At the moment, we are experiencing numerous spear phishing attacks, targeted at specific individuals. However, instead of drawing blood, such attacks seek to extract confidential data. Spear phishing occurs, for example, through e-mails referring to specific job offers. Although the job offer appears professional, the attachment containing the CV or the linked website is actually infected. Hackers can waltz in as soon as the attachment is opened by a member of the personnel department.
Lardschneider: Can you describe any other loss scenarios?
Hochenrieder: If someone really wanted to harm a competitor, he could simply shut down all the competitor’s systems. That, however, is usually detected and remedied fairly quickly. Attacks are much more difficult to detect when, for example, they involve the manipulation of financial data or the marginal alteration of a car maker’s dimensions for a milling machine. Moving the decimal point in a few figures or changing the date in a few places is all that needs to be done. The changes initially remain undetected, with fatal consequences for the end product. Once the intrusion has been detected, however, the targeted company must attempt to ascertain which data are still intact. After all, it is impossible to know how long the intruder has already been inside the network, which areas have been manipulated and when. Checking the integrity of all data can be a very complex and costly process in the case of large companies.
Seitner: I would even go one step further. What happens when processes in a production facility are modified by hackers so that something is changed in a product – a drug for example – unbeknownst to the manufacturer? The automotive industry is another vulnerable sector: major product recalls entailing complex liability issues would cause considerable losses.
Lardschneider: There is also an increasing number of attacks which are best described as cyber terrorism.
Seitner: Attacks of this nature are primarily directed at critical infrastructure. For instance, if a single CHP plant for a new development area were hacked into, this could possibly still be offset by the utility company. However, if several CHP plants with the same control system were hacked into and then failed, this could impact the entire system.
Lardschneider: Companies tend to see attacks on their own systems as an all-out declaration of war. For them, there is more than just their reputation at stake. Particularly in the finance industry, customers are paying more and more attention to how companies handle their data and whether they have already become the target of an attack. For companies dealing with confidential data, however, this is also an excellent opportunity to gain an edge over other firms in the market by introducing specific measures and suitable insurance cover.
Hochenrieder: Companies must realize that they cannot protect everything, particularly as targets and methods are changing all the time. What they need is a multi-tiered approach to security, aimed at effectively protecting essential assets. Costs, benefits and risks must be carefully weighed up. This also includes made-to-measure insurance cover for cyber risks.
Lardschneider: How will cyber risks develop in the coming years?
Seitner: Military conflicts will increasingly extend into cyber space and this is a process which must be monitored very closely. Firms and public authorities must also prepare themselves and establish a strong, broad alliance based on trust and confidence. That is the only way to detect electronic attacks more quickly, and successfully avert them.
Hochenrieder: Companies need to be flexible in dealing with the new situation. They can still protect themselves, but a new way of thinking is needed. The strategy so far has been to seek protection behind high walls. But as we now know that’s no longer enough, our new strategy is based on the “onion peeling” principle, i.e. a multi-layered approach. Raising awareness among staff and administrators involved in information security and cyber risks, and putting early-warning systems in place, can be achieved relatively quickly. On the other hand, measures such as a precise segmentation of the networks, safeguarding privileged accounts and identifying, classifying and protecting the “crown jewels” take longer, sometimes several years. It is therefore important that companies start today and at the same time invest in appropriate cyber covers if they want to be ready for the challenges of the future.