by Dirk Arendt, Head of Government & Public at Trend Micro Germany
The hafnium cyberattacks on vulnerabilities in Microsoft Exchange have further exacerbated the IT security situation in Germany. The situation is so serious that computer science professor Hartmut Pohl told ZDF television that it is “disastrous.” According to the BSI, several federal authorities were also victims of the attack. While the vulnerabilities are now slowly being closed and security experts are setting about removing the backdoors installed by cybercriminals as well, it is time to learn lessons from the wave of attacks:
Just because you’re not “in the cloud” doesn’t mean you’re safe.
Particularly in public authorities, but also in many companies, there is still a great deal of skepticism about cloud-based or hybrid infrastructures. This often leads to a blanket rejection of all cloud solutions because of their supposedly poorer security. This may be understandable in principle, but unfortunately it often leads to a deceptive feeling of security with onpremise systems. True to the motto “in my own data center, my data belongs to me”, basic security measures such as regular and rapid patching of vulnerabilities are then neglected. The consequences can be fatal. This applies all the more to particularly popular and widespread systems such as Exchange. These “de facto monocultures” are a particularly popular target for attackers and therefore require special attention on the part of those responsible for security.
Relieve the Admins!
Many IT administrators are chronically overworked – not only, but especially in the public sector. In addition to a wide range of administrative and support tasks, which have increased significantly due to the Corona pandemic and home office, they often have little time for security. Patching, for example, is regularly neglected, even if technical solutions can provide partial relief. The basic problem remains: IT security is apparently not important enough for many organizations. This must change and administrators should be given more time and capacity to improve security.
There can be no such thing as complete security.
Companies and government agencies must be prepared at all times for successful attacks to occur and be able to take appropriate countermeasures. Unfortunately, even the best security solution and the most efficient patch management cannot guarantee 100 percent security. If, for example, previously unknown vulnerabilities (zero days) are used in an attack, even patch management reaches its limits. In addition, sophisticated attacks, for example using ransomware, are becoming increasingly easy for criminals. In some cases, they can even be purchased as a service underground. It is therefore all the more important that companies and public authorities remain capable of acting even after an attack has taken place. This includes not only the ability to quickly detect and combat attacks and repair any damage caused, but also secure backups and tried-and-tested crisis response plans.
We need a different way of dealing with vulnerabilities.
The current cyberattacks are attributed to a hacker force with ties to the Chinese state, whose tactics were then adopted by (other) cybercriminals. This is far from the first situation in which presumably state actors (whether Chinese, Russian, or U.S.) have caused massive damage by keeping security vulnerabilities secret and using them for their own purposes. After all, no one is preventing cybercriminals from discovering and abusing these vulnerabilities themselves. Moreover, the cyber weapons of the intelligence agencies are by no means safe from theft, as shown by previous cases in which they themselves became victims of cyberattacks. The only right course is therefore to consistently report security vulnerabilities to the affected manufacturers and close them as quickly as possible. This is the only way to prevent further damage. In this context, the draft for the IT Security Act 2.0 also urgently needs to be revised, which in its current form allows the BSI to maintain precisely this secrecy about vulnerabilities with reference to “overriding security interests.”
The attacks on Exchange servers show once again how quickly supposedly secure systems can become the target of attackers. At the same time, however, the topic of “IT security” goes far beyond individual e-mail servers: more and more functions of our daily lives are being digitized, and with our smartphones we carry powerful little computers around with us at all times. Security therefore concerns us all, and it is high time we finally gave it an appropriate status.
Above all, IT security is not a state that can be achieved once and then maintained forever. Rather, it is a process that requires constant learning. We should now live up to this claim.