Since March 2020, we have all witnessed a significant shift of face-to-face work from the office into the privacy of our own homes. This has not only advantages: cyber criminals also exploit it for their activities...
Although the pandemic seems to be slowly losing momentum, working from home remains very present for many and will stay that way for a long time to come. This involves not only setting up the infrastructure at home or positive effects such as the elimination of commuting time, but also video and telephone conferences and the exchange of data and information over the Internet. A large part of office communication currently takes place digitally. This digital data source is very attractive to a group of people with malicious intentions: cyber criminals. The Bundesamt für Sicherheit in der Informationstechnik (BSI) likewise notes: "The extensive, sudden increase in the use of digitized products opens up a greatly increased attack surface for attackers to use in their criminal activities." While many companies have been slow to adapt to digitization, it has been a welcome opportunity for hackers, who have responded quickly to the changed situation. Their advantage is precisely the digital space: here an attack can be carried out from a physically very remote location, even from another continent, so the risk for the attacker is very low.
Of course, the types of attack that were already popular in the past are still strongly represented, but they have been registered significantly more often recently. In 2020, for example, DDoS attacks were up 81% year-over-year, and the number has kept rising steadily since.
DDoS attacks usually aim to cripple a website or network by flooding it with a very large number of requests. This requires relatively little knowledge on the attacker's side but can cause a great deal of damage to the target. Just imagine one or another online portal being unavailable for some time and what this would mean in lost profits.
Other attacks also increased significantly, specifically driven by Corona. There were large waves of phishing campaigns, for example. Here the aim is to use an e-mail to persuade the user to click on a link in order to harvest further data or information. In particular, Corona grants or vaccination appointments were used as a lure to persuade unsuspecting people to provide personal data. For many who depend on such funding, the increasingly professional e-mails and websites made it hard to see that the bank details they entered were falling into the wrong hands.
A more recent danger lies in the fact that many meetings now take place in the digital space. While it might be amusing if someone manages to hack into a top-secret meeting of EU defense ministers, it can also be very dangerous, especially if this happens unnoticed and people eavesdrop on conferences or get hold of the ever-increasing number of recordings, thereby learning company secrets, for example.
However, not only companies are affected by these attacks, but also private individuals. Since many things now happen within one's own four walls, i.e. in the home network, home networks have become much more attractive to cyber criminals. A home network often contains not only a long list of devices that are usually inadequately protected once someone has access to the network, but also, for example, business laptops that can be used to reach the company network. So if an attacker succeeds in gaining access to the home network, he can tap both private information and possibly company details as well, and profit twice. To counter attacks on companies in particular, there are often additional security measures such as a VPN with several authentication factors (keyword: multi-factor authentication), so that access to the private network alone is not sufficient.
Which brings us back to one of the main problems of the topic: security vs. usability. There is always a trade-off between the two. The easier access is for the user, the easier it is for a hacker to get in. If, for example, you add a TAN on the smartphone to the login process in addition to the password, the attacker must also get hold of this in order to break in, so security increases considerably. On the other hand, this comes at the expense of user convenience, because the user now has to have his smartphone with him every time he logs in. The fact that the password, which you don't want to or can't remember, is now stuck to your computer at home instead of in the office does little to change the fact that this is generally bad practice.
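The "TAN on the smartphone" described above is a second authentication factor. As an added example that is not part of the original post, the following Python code shows a minimal login check that requires both a matching password hash and a valid time-based one-time code (TOTP, RFC 6238, the mechanism behind common authenticator apps). The user record, salt and the shared secret are constructed for the demonstration (the secret is the RFC 6238 test key), and the code tolerates one time step of clock drift in either direction.

```python
"""Added example: password + TOTP login check.
Not code from the original post; user record, salt and secret are constructed."""
import hashlib
import hmac
import struct
import time

PBKDF2_ROUNDS = 200_000  # assumption for the demo; tune to your hardware


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code of the current step or of +/- `window` adjacent steps
    (clock drift between phone and server). All candidates are compared in
    constant time so the response time does not reveal a partial match."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits)
        ok |= hmac.compare_digest(expected, submitted)
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(record: dict, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])


def login(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated and both must hold: a stolen or
    sticky-noted password alone does not get an attacker in."""
    pw_ok = verify_password(record, password)
    code_ok = verify_totp(record["totp_secret"], code, unix_time)
    return pw_ok and code_ok


# Constructed user record. In practice: os.urandom(16) salt per user and a
# randomly generated TOTP secret enrolled via QR code on the user's phone.
SALT = b"constructed-salt"
USER = {
    "salt": SALT,
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": b"12345678901234567890",  # RFC 6238 test vector key, demo only
}

if __name__ == "__main__":
    now = int(time.time())
    code = totp(USER["totp_secret"], now)  # what the authenticator app would display
    print("password only:    ", login(USER, "correct horse battery staple", "000000", now))
    print("password + code:  ", login(USER, "correct horse battery staple", code, now))
    print("code only:        ", login(USER, "wrong password", code, now))
```

The `window` parameter is the usability knob from the paragraph above: a wider window tolerates more drift and fewer rejected logins, at the price of more codes being valid at any moment.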
After this outline of various security topics, let us turn to ourselves. What does this have to do with our daily work? On the one hand, we are personally affected by entering passwords for the VPN, the token, etc. On the other hand, we develop and operate software for our customers. This software is also used by users, whether internal users or, for example, websites that can be accessed worldwide. The assumption that no or less security is necessary for "internal" systems must be explicitly rejected here. More than 40% of data losses are still caused by internal users. And as the old saying goes: "A chain is only as strong as its weakest link", in other words, a single user is enough to gain access to the system. It is enough for a website to be attacked successfully once, allowing users' data to be read. Any attack that results in the loss of data can lead to serious problems. On the one hand, there are direct monetary costs, such as restoring a failed system. On the other hand, there is the damage to the company's image that can result from the loss of customer data. On average, we are talking about 4.45 million US dollars for a single data loss in Germany. So this is nothing to be careless about.
Security in general will be a familiar term to most people, and some of what is written here may already be known. The real question is: what can we do to ensure sufficient security in our developments and customer projects? Unfortunately, this cannot be summarized so simply, but first of all it is important to allow enough time for this topic. Security is not something that can be "added on top" at the end of a project; it must be taken into account from the very beginning, for example in role concepts, infrastructure, interfaces or database connections. A PenTest, i.e. a security check of the application, is definitely recommended and is already demanded by many customers. However, this alone is not enough; much more attention must be paid to this topic during development itself to ensure that no security gaps arise.