The path of least resistance when it comes to cyber threats
In many organizations, IT is now more technically protected than ever before. A network scan of any infrastructure will identify far fewer attack surfaces today than 20 years ago. What hasn't changed in the same time is that attackers don't like struggling with professionally locked vault doors. They would much rather use the back entrance that was left open and forgotten. The saying that security is a chain that is only as strong as its weakest link continues to apply.
Automated attack tools
The search for insufficiently secured network services remains popular; after all, the OWASP Top 10 list alone shows that there are generally enough vulnerabilities to try out. Easy-to-use attack tools are also available to laypeople (called “script kiddies” in jargon).
This enables poorly trained script kiddies to vandalize systems found largely by chance and, in doing so, to shore up their otherwise damaged self-confidence. Anyone who would like to brag about a heist story, or perhaps even earn a footnote in media reports with the event, is almost there. Well over 90% of attackers are likely to fall into this category.
Lack of overview and technical overload
With well-implemented basic IT protection, you should generally be able to deal with such less sophisticated threats. As in the joke about the two hikers who meet a bear, where one says to the other: “I don't have to be able to run faster than the bear, it's enough if I'm faster than you.” Transferred to IT, this means that if the indiscriminate attacking troll does not immediately succeed and find an open door, he will usually lose interest and look for the next victim that is easier prey.
But, for example, at the time this article is written, there are still tens of thousands of Exchange servers that are not protected against two vulnerabilities which have been actively exploited for attacks on the Internet for 4 months. And as for the Confluence systems affected by CVE-2022-26134, with a severity rating of 9.8 out of 10.0 possible points, there are still unpatched systems after more than 9 months, some of which are now said to be working as cryptominers for hackers. Anyone who flees from a bear at this pace shouldn't be surprised if that is not quite enough.
Many organizations today see themselves as very well organized. This includes, for example, the window manufacturer Swisswindows, formerly with 170 employees, which had to shut down operations following a cyber attack. Anyone who believes that they can run their IT entirely by themselves with a handful of internal employees is likely to have misconceptions about the breadth of threats and the number and diversity of applications, services and technologies to be controlled. Even very competent IT specialists can maintain a sufficient overview of only a very small portion of all the necessary systems and constantly protect them against new threats. The fact that the job market has dried up and experienced employees are difficult to find only makes this more difficult.
Implement basic IT protection correctly
Most organizations today also commission professional IT service providers to operate many systems. And these IT service providers are less and less willing to deal with a barely comprehensible jungle of diverse systems; instead they are increasingly specializing in very specific components and services for which they have extensive in-house expertise. The remaining services are purchased from specialized as-a-service providers and sub-suppliers and combined into the product range.
As a result, the average technical resistance of the systems has increased significantly. Even in SMEs, the hardware components are now located in large data centers and are well protected against damage from natural hazards and against unauthorized access. In case of an emergency, there are alternative locations with redundant hardware. If a software service fails, cloud orchestration software such as Kubernetes performs a fully automated failover without manual intervention and simply restarts the service on other servers.
Find technical weak points
Where are there still technical security gaps in such a professionalized IT landscape with specialized providers? Systems and processes that are only on the periphery of the core business of IT departments can be notoriously problematic. There is often a lower level of maturity in the operating processes and the existing components are not centrally inventoried. There, it is therefore more likely that technical precautionary measures will be forgotten. These include, for example:
- So-called shadow IT systems, i.e. systems that are operated by the business itself on its own because IT does not offer suitable solutions or does not feel responsible. The problem here is not that they are not also operated by the IT department. On the contrary, the current trends towards microservices and product development teams are moving precisely in the direction of business becoming more responsible. The problem is that they are operated in the shadows, which means that some of them are not included in company-wide inventories and are not integrated into standard processes such as security management.
- Servers and network devices that are located outside a data center and are therefore less likely to be protected by access controls, an uninterruptible power supply or safeguards against natural hazards, and that are perhaps only partially included in otherwise standardized security processes such as updates/patching. This also includes network-capable peripherals such as printers, scanners, etc.
- Unsafe disposal of confidential documents and of hardware such as removable media and hard drives, as in the data theft from Zurich's judicial authorities.
- Remote and home workplaces for employees
- Mobile devices such as smartphones, tablets, etc., which are only secured by weak PINs or predictable gestures and on which new, seemingly legitimate apps are constantly being installed. For example, one of the 8,000 apps such as “Notruf Graubünden Nord”, “Adoption Helper” or the app from the “Criminal Law Firm”, which use the Pushwoosh components to transmit part of their data, apparently to a Russian company in Novosibirsk disguised as an American company, without the users, the clients of the apps or the app developers having realized this.
In short, almost everything that meets one of two criteria: a) due to a lack of clear responsibility, no one takes care of the system and the associated processes holistically, or b) someone is commissioned to take care of it, but it is a side task for which those responsible do not invest sufficient resources.
What does a company management have to ensure?
- The inventory of assets worth protecting, i.e. information, resources, devices, systems, etc., must be regularly checked for completeness. What is not generally known cannot be professionally managed.
- For each asset category and asset, a (security) owner is appointed who is responsible for providing appropriate protection. To determine what appropriate means in individual cases, a protection needs assessment should be carried out for each asset and reviewed regularly.
- The resources required for appropriate risk-based protection must be approved and their implementation monitored. It should be particularly noted here that the graveyard of ineffective strategies has rarely grown due to a lack of good concepts, but rather due to a lack of implementation. Effective implementation must therefore be measurably monitored. Agreed measures are assigned, scheduled and checked off. Recurring tasks such as software updates and security patches can be logged and checked.
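As an added example (not part of the original article), the following Python check turns the three management duties above into something measurable on constructed data: it reconciles a CMDB export against the hosts seen by an authorised internal discovery scan to surface inventory gaps (shadow IT candidates), flags inventoried assets that have no responsible owner, and compares a patch log against a maximum allowed patch age. The host names, inventory, scan output, patch log and the 30-day policy are all constructed sample values and not taken from any real organization.

```python
"""Inventory completeness and patch-compliance check (added example, constructed data)."""
from datetime import date, timedelta

# Constructed CMDB export: one record per known asset.
INVENTORY = [
    {"host": "mail01", "owner": "ops-team", "category": "server", "location": "dc1"},
    {"host": "wiki01", "owner": "", "category": "server", "location": "dc1"},
    {"host": "print-floor2", "owner": "facilities", "category": "peripheral", "location": "office"},
]

# Constructed result of an authorised internal discovery scan (host names only).
DISCOVERED = ["mail01", "wiki01", "print-floor2", "nas-marketing", "tv-lobby"]

# Constructed patch log: one entry per completed patch run.
PATCH_LOG = [
    {"host": "mail01", "applied": date(2023, 1, 15), "by": "ops-team"},
    {"host": "mail01", "applied": date(2022, 12, 10), "by": "ops-team"},
    {"host": "wiki01", "applied": date(2022, 5, 2), "by": "ops-team"},
]

MAX_PATCH_AGE_DAYS = 30  # constructed policy value


def find_unknown_assets(inventory, discovered):
    """Hosts seen on the network but absent from the inventory (shadow IT candidates)."""
    known = {asset["host"] for asset in inventory}
    return sorted(host for host in discovered if host not in known)


def find_unowned_assets(inventory):
    """Inventoried assets with no responsible owner assigned."""
    return sorted(asset["host"] for asset in inventory if not asset["owner"].strip())


def find_stale_patches(inventory, patch_log, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Map each non-compliant inventoried host to days since its last patch run.

    A host with no patch record at all maps to None; compliant hosts are omitted.
    """
    latest = {}
    for entry in patch_log:
        host = entry["host"]
        if host not in latest or entry["applied"] > latest[host]:
            latest[host] = entry["applied"]

    cutoff = today - timedelta(days=max_age_days)
    findings = {}
    for asset in inventory:
        host = asset["host"]
        if host not in latest:
            findings[host] = None
        elif latest[host] < cutoff:
            findings[host] = (today - latest[host]).days
    return findings


def run_checks(inventory, discovered, patch_log, today):
    """Bundle the three checks into one report suitable for periodic review."""
    return {
        "unknown_assets": find_unknown_assets(inventory, discovered),
        "unowned_assets": find_unowned_assets(inventory),
        "stale_patches": find_stale_patches(inventory, patch_log, today),
    }


if __name__ == "__main__":
    report = run_checks(INVENTORY, DISCOVERED, PATCH_LOG, date(2023, 2, 1))
    for check, result in report.items():
        print(f"{check}: {result}")
```

Each finding maps directly onto one of the duties above: an unknown host needs to be inventoried, an unowned asset needs an owner, and a stale or missing patch record needs a scheduled, checked-off task. Running the report on a fixed cadence and tracking whether the lists shrink is what makes implementation measurable.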