The threat situation for companies is greater than ever before. Because security vulnerabilities can be hidden anywhere in the IT system, all of them are hardly ever found. According to a study by Kaspersky, not only is the number of cyber attacks on companies increasing, but also their severity. According to this study, 14% of attacks were classified as serious in 2021. This figure was 9% in 2020. The most common causes of critical incidents were targeted attacks (40.7%), critical impact malware (14%), exploitation of publicly accessible critical vulnerabilities (13%) and social engineering (5.5%) “One hundred per cent protection against such attacks is not possible, but with the right measures many can be prevented”, says Markus Burri, Software Architect Embedded at bbv.
Undetected vulnerabilities – serious consequences
There can be many different reasons for an active threat. A warning message may have ended up in the spam folder, responsibilities are not correctly defined or – and this is where bbv expert Markus Burri points the finger – an in-depth security analysis was not carried out. The analyses are often not done because of the costs. “In the end, it usually turns out to be much more expensive if damage has to be repaired afterwards”, says Markus Burri. He quotes an example of an inconspicuous vulnerability that had not been considered by anyone in a company: “To find out whether a meeting room was currently free or occupied, someone in the particular company came up with the idea of installing a practical sensor, which indicates the availability of the room. The sensor was connected directly to Outlook so that all employees knew whether the room was available. Because the sensor was not properly secure, it acted as an open gateway, allowing hackers to infiltrate the system.” Similar, often overlooked vulnerabilities include forgotten computers or servers that hardly anyone uses, a networked coffee machine or forgotten updates.
How to find hidden vulnerabilities and risks
“It’s about performing a security analysis to find as many potential gateways as possible”, says Markus Burri. It is precisely the non-obvious vulnerabilities that often pose significant risks. “It is important to know the whole system well and be clear about what you want to protect – i.e. what are the relevant data and infrastructures and what hazards you want to avoid.” Microsoft developed the STRIDE method in order to find as many vulnerabilities in the IT system as possible. It allows as many potential hazards as possible to be listed and classified based on systematic risk analysis. The STRIDE security model includes the following six categories:
- Spoofing identity: Faking a false identity, unauthorised access.
- Tampering with data: Manipulation of data.
- Repudiation: Failure to recognise an illegal action. You cannot prove what an attacker has done.
- Information disclosure: Unauthorised disclosure of information. An attacker sees data they are not supposed to see.
- Denial of Service (DoS): Disruption of the availability of an application
- Elevation of privileges: Increasing rights, for example, if an attacker can increase their privileges.
Markus Burri explains the most important steps in using STRIDE: “The aim is to name all possible threats and enter them in the special and comprehensive STRIDE table. Each hazard is then classified so that the extent of potential damage and the possible costs can be defined.” The next step is to weigh up how high the risk is that an individual case will occur: Which cases can be disregarded? Which cases must be prevented at all costs? Which cases cause the most damage? Such vulnerabilities must be preventively blocked as a matter of urgency.
It is more effective here if not only one person looks for and lists possible dangers, but if a team takes care of this so that as many potential cases as possible can be intercepted according to the principle of multiple-party verification. “These analyses must be carried out iteratively during development so that the necessary countermeasures can be taken instantly. This is because if you want to implement the security precautions on the finished product, the effort is often many times greater.” Besides this, Markus Burri identifies two potential strategies and approaches for maintaining a high level of IT security in the company in general: Multiline of defence and Zero Trust.
Multiline of defence
It is not a good idea to merely build the most secure wall possible around a system in order to network all servers, computers and applications behind it without restrictions. “A staggered defence is much better. This means not relying on a single firewall, rather also building in protective mechanisms behind it to create different zones or subnets and to protect these with different security levels”, says Markus Burri. Important business data can be protected in this way even if cybercriminals succeed in overcoming the first barrier and partially infiltrate the system. This gives the defence time to detect the attack and respond to it. In addition, it can also be assumed with multi-level security that the entire company will not be affected in the event of an attack, rather only an individual area.
According to Markus Burri, basically not trusting anyone is another good way to protect your systems: “Only allow access that is absolutely necessary. And this access should be checked as effectively as possible.” The Zero Trust architectural approach, for example, envisages only assigning users as many rights as they really need. Even the CEO does not have access to all areas in this case. “A common problem in companies is that administrators use their admin login for tasks that have nothing to do with administration. If such a person inadvertently opens a phishing mail, for example, the damage can be disproportionately greater than if they had done this as a normally logged-in user.
High level of protection with industry standard IEC 62443
The security certifications of the IEC 62443 series of standards are another instrument. This originates from Industrial Automation and Control Systems (IACS) and takes a holistic approach for operators, integrators and manufacturers. Both hardware and software components were originally analysed for reliable and safe operation of automated production facilities. But they also support security in systems. Specific requirements regarding the system, components and processes must be fulfilled in various areas in order to achieve a certain level of protection with IEC 62443 . According to Markus Burri , the industrial standard is a useful instrument for improving cybersecurity.
Conclusion: Stringent analyses and development-based action
Compliance with the methods outlined above can improve cybersecurity and help to identify and resolve vulnerabilities. This can reduce the risk of compromised information or production downtimes considerably. “These methods and processes offer an effective toolbox for identifying as many vulnerabilities as possible in a structured manner”, says Markus Burri. “Many companies shy away from spending money preventively to ward off possible dangers. But one thing is certain: Preventing vulnerabilities is definitely less costly than repairing damage afterwards.”
Markus Burri is a Senior Software Engineer Embedded at bbv. He focuses on the topic of security – especially in relation to application development in C++ for embedded systems and networks. Markus Burri also heads bbv’s security community.