Fundamentally Preventing Attacks - In & Out of the Cloud
Considering the steadily rising number and growing scope of cyber attacks, companies' IT security needs a significant upgrade. A talk with Daniel Heck, Head of Marketing at Rohde & Schwarz Cybersecurity, about long-term defensive strategies, and data protection in the cloud.
DOTMAGAZINE: Mr. Heck, are companies adequately equipped to counter attacks against their IT?
DANIEL HECK: No. Not at all, unfortunately. A recent study by the digital publishing house Bitkom reported that only four in ten companies are prepared for cyber attacks. Small companies in particular don’t even have an emergency plan to fall back on in the event of security incidents. The consequences are serious; more than half of all companies in Germany have been the victim of corporate espionage, sabotage, or data theft in the last two years. The damage costs the companies about 55 million Euro each year.
DOT: What are the biggest threats for companies?
HECK: The scope of attacks is growing more and more diverse. Trends like “bring your own device” (or BYOD for short), migration to the cloud, web-based business applications, and the use of social media as an instrument of communication offer hackers more and more new paths to spy on employees, to access data, and to cripple systems. Given the steadily growing threat level, companies have to upgrade significantly to protect themselves effectively. Aside from spying, mostly extortion by hackers is one of the greatest threats for companies at present. The hacker attacks with the malware systems WannaCry and Petya demonstrated how difficult it is to fend off this type of attack.
DOT: What makes cyber attacks like WannaCry and Petya so dangerous?
HECK: What’s new about these attacks is that they camouflage themselves. They appear like ransomware attacks, which normally block data until a ransom is paid. However, Petya deletes entire sections of the infected hard drives instead of just blocking them. Critical infrastructures like hospitals, and power and water utilities make a profitable target for such sabotage attacks. However, any other company whatsoever may be affected, as we saw.
DOT: The attacks keep coming despite stronger cyber security. Why is that?
HECK: Technically, it’s getting harder and harder to fend off such attacks. The German Federal Office for Information Security (BSI) came to the sobering conclusion that Petya even impaired systems whose anti-virus software was state-of-the-art. Petya uses a “zero-day exploit” to spread through internal systems, a method that exploits targeted holes in a system’s security before they can be detected and closed. Conventional anti-virus software can’t defend against such attacks. That’s what makes the attacks so dangerous.
DOT: What are your top 3 security tips for companies?
HECK: First: Protect the browsers on the workstation PCs. Most attacks, namely 70 percent, get into the company through the browser. To stop this, you need security solutions that make an attack completely impossible. One example is the “Browser in the Box”, which creates a virtual PC on the workstation PC instead of using a separate PC for web access. Operating systems and browsers then have no direct access to the hardware, but only to virtual hardware, which acts as a sort of defensive wall. Invading viruses, trojans and the like remain in this sealed environment and cannot spread to the computer or the local network.
Second, companies should secure their mobile devices. Smartphones and tablets are becoming even greater risks. Their pre-installed security mechanisms are inadequate. Mobile devices are also best protected through separation. That means dividing the smartphone into two separate security areas: a private area and a business area. Apps installed by the user could then not be used to access sensitive data.
And finally, companies – especially those in the industrial sectors – need modern firewalls. Conventional firewall technologies still work with so-called “blacklisting”, which blocks data packages with recognized attack patterns but lets all other data through. However, such mechanisms are completely ineffective against new and unknown attacks. Here you must have next-generation firewalls, which review data packages proactively. They can only pass once they’ve been identified as benevolent. Everything else, including unknown ones, are rejected. This method is called “whitelisting”.
DOT: What role does securing web applications play in the security strategy of companies?
HECK: A much too small one! It wasn’t until the start of the year that the Federal Office for Information Security issued a warning that 1,000 German online shops were not secure against skimming attacks. This shows how great the risk of cyber attacks against web services is. The consequences can be major; if hackers manage to feed harmful program codes onto a website, they can steal customer data and manipulate page content. Digital transformation, which nearly every business sector has embraced, therefore relies on secure and reliable web applications. Web applications play a central role here for companies and their protection is becoming critical to the existence of more and more business segments. Without effective security solutions for web applications, digital transformation is accompanied by great risk.
DOT: At the it-sa IT security trade fair you will present a new concept for securing cloud services. What’s new about your solution and what are its strengths?
HECK: Governments and companies are placing more and more sensitive data in the cloud so that it can be processed worldwide. However, conventional access controls for a public cloud are too weak to protect the data from third-party access. While encryption protects the data, it eliminates the option of using certain search functions, which greatly complicates work. With our TrustedGate solution, we merge security and transparency for the first time. Here’s the concept: When you upload a document, a virtual version of the original is created. This virtual document only contains the meta-data like key words and certain rules for accessing the document. However, it holds no content itself. The original document is in turn encrypted and stored on different, freely selectable storage systems in fragments. The documents are therefore not necessarily with the cloud provider but may be on the user’s server. For companies, this is a prerequisite for meeting data protection standards. With the new EU General Data Protection Regulation (EU-GDPR), sensitive data may not leave the German legal sphere. However, most cloud services do not have servers in Germany and cannot guarantee the corresponding data security. Our solution allows them to work in the cloud while complying with the data protection regulation.
DOT: The Rohde & Schwarz Cybersecurity GmbH recently launched in 2016. What is its background?
HECK: We’re a unification of the former Rohde & Schwarz subsidiaries gateprotect, SIRRIX, ipoque, and SIT. That makes us one of the largest manufacturers of security solutions Made in Germany. Our broad range of products protect endpoints and networks for companies of all sizes. In December 2016, we acquired the French company DenyAll. With DenyAll we managed to expand our comprehensive portfolio of innovative cyber security solutions even further. Although France accounts for the main business of DenyAll, one third of revenues today come from the EU and international markets. This puts us one meaningful step closer to our goal of becoming the leading European provider for cyber security solutions. In the future, we’re going to equip even more customers around the world with innovative and trusted cyber security solutions.
Visit Rohde & Schwarz Cybersecurity at the IT-Security trade fair it-sa from 10th to 12th October in Nuremberg.
Daniel Heck calls on many years of experience in international marketing for IT security and topics such as customer relationship management, enterprise content management, search technologies, and eBusiness. Prior to Rohde & Schwarz Cybersecurity, he was Senior Director of Marketing EMEA for SugarCRM, a provider of CRM software. In the cyber security industry, he held senior marketing positions at Eleven (CYREN), LogLogoc (TIBCO), and Surfcontrol (Websense).
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.