Episode 24
Cyber security part 2 – how hackers operate
"In real life, unfortunately, it's not like a Hollywood movie, but usually a bit duller."
Note: This podcast is available in German only.
Hello and welcome back to our "Technik über dem Tellerrand" podcast. We are back with part two of our three-part series on cyber security. In this series, we explore the central question of how to protect yourself and your company from cyberattacks. To answer this question, we have a computer security expert on site today. Host and consistec CEO Dr Thomas Sinnwell has invited Prof. Dr Thorsten Holz, tenured faculty at the CISPA Helmholtz Center for Information Security, for a conversation. The tables are turned today and we are talking about hackers. What types of hackers are there and how do they differ in their approach? What tools and malware do they use and how do they get hold of them? Cybercrime - how do hackers operate?
Enjoy listening!
Transcription
Thomas Sinnwell: Welcome to the second episode in our three-part series on cybersecurity. In episode one, the focus was on the human factor. We talked about what it's like to be a victim of a cyberattack. We talked about the emotions of the people involved. And yes, no matter how you prepare, you can always be a victim. But it is also very clearly worked out that it is insanely important to be prepared. Today we are doing a very stark change of perspective. We're going to the dark side of this issue and as part of our current episode, we're also going to explore the question: Are all hackers criminals? In order to be able to discuss the topic as competently as possible, I was able to get a fantastic guest. With me today is Professor Dr Thorsten Holz from the CISPA Helmholtz Centre. And if you don't know it yet, the CISPA Helmholtz Centre is one of the world's leading research centres for cybersecurity and privacy. Welcome, Professor Holz.
Thorsten Holz: Thank you very much.
Thomas Sinnwell: Yes, I am very pleased that we can speak on this topic today, so that our listeners can get a better sense of who I am talking to and how it is possible that a proper German professor is also familiar with the dark side of the subject. I would ask you to introduce yourself briefly.
Thorsten Holz: Yes, hello, my name is Thorsten Holz. I am a trained computer scientist and have already dealt with the topic of IT security as part of my diploma thesis, on so-called honeypots. I think we will certainly come back to this later. I work at CISPA and mainly deal with the area of software security. So it's about either finding vulnerabilities in the system or looking at how we can implement defensive mechanisms to make our systems more robust.
Thomas Sinnwell: Yes, thank you very much for the brief insight. I have admittedly thought of a somewhat coloured question to start with. Would you describe yourself as a hacker?
Thorsten Holz: I think it depends. Maybe more or less, yes.
Thomas Sinnwell: So that means you are a criminal?
Thorsten Holz: Of course not, but rather we look at how an attacker can act and put ourselves in the attacker's shoes.
Thomas Sinnwell: The issue of who is a hacker? We still have to define that.
Thorsten Holz: Exactly. For me, hacking is a positive term. It's all about creatively dealing with technology, solving problems and thus advancing technological progress. So I think 'hacker' is sometimes misused in the media. I still think it's a very positive term, and we tend to talk about attackers when we talk about the dark side of the Force.
Thomas Sinnwell: Yes, I agree with you there. That is definitely the more accurate formulation. I have to admit, I hadn't really questioned it for myself. I mean, such a classification. And it was already clear to me that there are also people who do good things when hacking. But I did a bit of research and came across a definition from the BSI (Germany's Federal Office for Information Security). And then found the following, I have to read it off. I can't remember it by heart. The BSI says: Who is a hacker? They are technology enthusiasts who break down products and software developed by other people into their component parts in order to understand how they work. So this is definitely also this positive view.
Thorsten Holz: That's exactly what I want to support. Or perhaps also the historical view. The term also comes a bit from MIT, the hackers there, where the creative use of technology plays a role, or also from the CCC environment, where of course attacks on systems always play a role. But I think it's above all this creative use of technology that fascinates me about this whole subject area.
Thomas Sinnwell: During my research, I came across a very interesting story. I didn't know it, the 'hacker ethics'. And then I came across the author Steven Levy. In his book, he describes the mindset of American hackers, which probably existed from the 1950s to the beginning of the 1980s. From my point of view, the topics listed are also very, very exciting. I'll pick out a few things. The first thing I found there: Access to computers and everything that can show you how the world works should be unlimited and complete. And then, second point: all information must be free. If I remember correctly, that was also an issue when Apple was founded or when Microsoft was founded. Microsoft brought the first commercial computer system onto the market and you had to pay for it. That was not free at first. And then the first discussions probably arose in the scene. Or also something like: Judge a hacker by what he does and not by his origin, his gender or his social position. It all read to me now that the topic of hacking is indeed very broad. So the question for me is, can we classify hackers?
Thorsten Holz: These key points were also largely adopted by the Chaos Computer Club, the CCC in Germany. Points like using public data, protecting private data. That is something that I believe still plays a very important role here. And there, too, the main issue is how to deal with computers or technology in general. And in the classification there is, I would say, this one big part. And then, of course, on the attacker side, there is a broad spectrum of so-called 'script kiddies' who simply use tools and perhaps don't have much technical understanding. Then, of course, there are all the cyber criminals who have financial incentives, so ransomware in particular is a very, very big issue in practice, and perhaps at the end of the spectrum there are the intelligence services or state-controlled agencies that try to steal information in a targeted manner and then use it for political purposes. So the spectrum is very broad, from people who deal with the technology more out of curiosity to the attacker side. From financial incentives to really politically motivated people.
Thomas Sinnwell: Yes, and what you typically find are these groups, the white hats, the black hats and the grey hats, and white hats would ultimately be the technology enthusiasts you mentioned, who deal with the issues. Vulnerabilities in software, in systems. That's not just software, it can also be hardware-based systems, and they then use this information to inform the manufacturer so that he has a chance to close the holes that have been found.
Thorsten Holz: That is exactly the typical application. Of course, this can also be used in a commercial environment, so-called "penetration tests", as a company I can also commission such a company, i.e. a penetration testing company, to try to examine my network for possible vulnerabilities. Or to simply look at certain systems from an attacker's point of view and to see what the points of attack are, where am I vulnerable, what do I still have to do in my security concept and how can I react to such incidents and where do I still have to improve? So this is also a whole industry that has developed around this whole topic in recent years. So it's more a case of simply looking at the company network to see where I am vulnerable to attacks, where do I still need to make improvements?
Thomas Sinnwell: I would like to take up this topic at this point and contrast it with what people often perceive about hacking. When you see it in films, there are people sitting in dark rooms, armed with pizza boxes and hacking away madly on the keyboard, wild characters on the screen and now they're breaking in somewhere. On the other side, someone notices and hacks away at the keys almost as fast to ward it all off. That's not the classic scenario.
Thorsten Holz: In practice, unfortunately, it's not like in Hollywood, it's usually a bit duller. In the sense that the penetration testers then sit in the company and first try to identify on the network level which systems are accessible at all, which so-called ports are open, i.e. which services are offered to the outside. And then, step by step, they first try to get an overview of the company network: which servers are accessible in some way, which services are running on them, which vulnerabilities are perhaps known, and then try to understand the systems step by step, perhaps also by analysing the source code. And that's a process that doesn't necessarily take hours, but rather days, maybe weeks, depending on how complex the order is. And then the main thing is to first get an overview, identify weaknesses or find the points of attack. And that is also an interactive process, often in consultation with the client: what exactly should the focus be now? And then at the end a report is written and the whole thing is presented, so it is also formalised, so that the company can also take something away with it, so that the admins then also know, okay, what do I have to do? How can I improve security in my system? So in this respect it's not like in the movies. Whereas some series are also really well done, from a technical point of view, but often this: yes, cracking a password within five seconds and then you're directly an administrator on the system, is usually not that easy in practice.
Thomas Sinnwell: Not quite so. Yes, now one could get the idea that when such pentesters do that, they have such a special tool or that you might even have to get something on the darknet, that's not the case either. Can you perhaps say a bit more about which tools are actually used and how one gets hold of these tools?
Thorsten Holz: Well, in practice there is a whole arsenal of different tools, either commercial tools that try to automate the whole thing as well as possible, that also have reporting functionality, that also provide clear support for the whole work. There are also many in the open source area, for example Nmap as a network scanner, which has been developed as a tool for 25 years now. You can perhaps use it as a first step to see which services are available. Then there are also open source tools like Nessus and others that try to identify vulnerabilities. So there is a very broad spectrum, from open source, i.e. tools that are available free of charge, to tools that easily cost a five or six-figure sum, which of course tend to be used only in a commercial environment. And many companies also develop their own tools internally in order to have a bit of a distinction from the other companies. So it's a bit like separating the wheat from the chaff, depending on how good the people in the company are.
Thomas Sinnwell: Yes, what makes a good hacker?
Thorsten Holz: I think above all a very good understanding of the system, that he has a good understanding of the different levels of the system, i.e. hardware, operating system, software, how the individual components interact with each other, where there are potential weak points and above all this attacker mindset. In other words, thinking like an attacker, so to speak, where are the entry points that can be exploited? Where can you somehow exploit a vulnerability for your personal advantage?
Thomas Sinnwell: That is, I can imagine that, based on this experience, the good hacker then also proceeds in a very targeted manner and, with the initially acquired information, can then simply stab in at the right place many times.
Thorsten Holz: Exactly.
Thomas Sinnwell: And in contrast to the inexperienced hacker, who then painstakingly tries out everything until he perhaps eventually finds the spot.
Thorsten Holz: Exactly. So in the first phase it's mainly about gathering information and quickly developing a feeling for where it's actually worth drilling deeper to find potential weak points and then to get an entry point into the network.
Thomas Sinnwell: I'd like to talk very briefly about the tooling used by hackers. But then this is the information gathering, then the primary place where the tools are used, or does it continue here. When I have completed this phase, then the aspect that either I have implemented malicious code somewhere that helps me or that I simply make further progress on the basis of my experiential knowledge really hits home.
Thorsten Holz: Exactly in the first phase, I think you can rely a lot on standard tools to simply gather information. And then in the second step, when you know where which systems are running or perhaps when you have access to the source code from the customer, to look at the systems in detail. Tools can also help here. There are also static or dynamic analysis tools that can provide a lot of support. But there is also a lot of manual analysis of the source code to find potential weaknesses or programming errors. And I have to say that the very good people have a very good intuition. Where do you have to look, where is the point where something often goes wrong, during authentication or when checking inputs or during internal processing? And I think that's the point where you get better over time.
Thomas Sinnwell: Yes, that's where the wheat is separated from the chaff. Then I would like to talk about how cyber criminals actually act. In my discussions with security officers in companies, I have heard from time to time: Well, who is interested in us as a company? We are not an interesting candidate. Which, conversely, would mean that the hacker is specifically looking for a company, which of course is also possible. But can you perhaps give our listeners a bit more of an overview of which groupings there are? The targeted one is a case and often it is rather broad and you become a victim by chance.
Thorsten Holz: Exactly. So in practice there are actually more facets. On the one hand, of course, there are targeted attacks on companies, because maybe it's a medium-sized company that only has 50 or 100 people, but if it's the world market leader in its small sector, it's of course also interesting because it might develop interesting series or pre-series developments. Or perhaps they have customer data or other intellectual property. It's interesting for the attackers to steal recipes or construction plans or something. Because especially if the company is successful, then it is definitely somehow on the target of targeted attackers. Of course, the bigger the company is. So if you talk about DAX companies and the like, they are of course an interesting target simply because of their size and their technical knowledge. Most of the time, it's more likely to be targeted attackers who want to gain access to the research department, for example, or perhaps also the customer department or even the production parts of the company, in order to spy on information there or perhaps also to manipulate something.
Thomas Sinnwell: That means that at this point you could say that when it comes to acquiring knowledge from a company, it is usually the more targeted attacks.
Thorsten Holz: Exactly, classic industrial espionage, simply to steal information and then use it. The other facet is this very broad attack, where the attackers simply look to see which potential victims they can find. This is currently a big topic, so-called ransomware. The basic idea is that the attackers gain access to the victim's network. Typically, they first have an entry point, i.e. some PC is infected, then within the network they try to take over other systems step by step until they finally have access to the so-called domain controller, i.e. the central control unit within the network. And then they start encrypting files. Then there is a ransom demand, i.e. ransom money, which you can demand in order to simply release the key to decrypt all the files again. Of course, you're in a better position there because the company suddenly doesn't have access to the data anymore. And I think every kind of company has potentially important data, be it about customers, be it about orders, be it about payroll, be it about its own staff etc. And if the company suddenly no longer has access to it, it is of course forced into a bit of a corner. Ideally, it still has access to the backup, so that it can still import backups. In practice, unfortunately, this doesn't work as well as one would think.
Thomas Sinnwell: If the backup is not done well, even the backup server is encrypted again. That's a real disaster.
Thorsten Holz: That's the worst case scenario. Yes, exactly. And especially now with ransomware, the criminals in this area are very, very flexible in inverted commas in their choice of victims. For example, many small and medium-sized businesses were affected, some of them even larger companies. Now in Germany, for example, the TU Berlin or the Ruhr University Bochum or the university in Maastricht were also affected, so also universities, sometimes also hospitals or medical institutions. So they are simply trying to get as many victims as possible and then ransom them, because the companies simply can't do anything else. And this is not a targeted attack, but rather a random victim, in inverted commas, because you simply fall for this kind of attack because an employee clicks on an attachment or you have unpatched servers in your network. And they simply exploit whatever they find. It's rather aimless and you can always become a victim somehow.
Thomas Sinnwell: So if I go to such a high altitude, do you then go with the statement that there are basically two types of attacks? One is about the expansion of data, about data exfiltration. And the second is a type of sabotage, however deliberate, for example by encrypting and then blackmailing the company.
Thorsten Holz: Of course, sabotage goes one step further. So now, for example, attacks on industrial plants and the like are also about really sabotaging the processes that take place afterwards and thus really causing damage in practice. In other words, stealing data or manipulating data in an unauthorised way. These are probably the two main criticisms or main points of attack in practice.
Thomas Sinnwell: What can I do to recognise such attacks?
Thorsten Holz: Exactly. At the attack detection level, there are various types of anomaly detection, where you try to analyse either at the network level, i.e. all packets that enter or leave the company network, to see if you can find any anomalies, i.e. any aspects that typically do not occur. For example, observing at the network border what kind of objects are being sent into the company right now, i.e. by any users from the company network, downloaded from the Internet, and then looking to see if any malicious code is discovered there. Or any Office files that contain malicious content. The same can of course be done on the end devices, be it on the desktop. Of course, it is becoming more and more complicated nowadays, because many people have their mobile device with them, a laptop or perhaps a tablet, so that you have many different types of operating systems that you cannot necessarily monitor so easily, because they do not communicate via the company network, but perhaps via an LTE connection or 5G connections, so that you also have to monitor different types of communication channels, either at the network level or at the end device level. So mostly anomaly detection to see if you can detect something that shouldn't be there.
Thomas Sinnwell: It is not a trivial issue in large IT infrastructures, which can be very dynamic, to be able to determine normal behaviour as reliably as possible in order to indicate deviations with low error rates. These are also very current research topics at the moment. What is CISPA doing in these areas?
Thorsten Holz: On the research level, it is mainly about understanding better what the current state of the network is or what kind of objects are being downloaded or uploaded somewhere, so that one can then also determine through the analysis of these objects, is this legitimate? So it's simply a new website that users go to, where maybe a bit of JavaScript code is downloaded or maybe some PDF file is downloaded from somewhere or a Word file is uploaded somewhere. The next step is to identify potential malicious code, which is becoming increasingly difficult at the moment. Because the cloud is simply gaining in importance everywhere. The data is not always necessarily in the company network, i.e. not in the classic castle, but is now located somewhere outside, not on the company's own servers, where you also have to look at how do I get an overview at all? Who has access to these files? What is there in the first place? Are there perhaps any other types of access that I have overlooked? Or have I maybe left the access passwords somewhere unintentionally? Or have they been compromised somewhere, so that now not only the castle has to be monitored, but also the cloud. So these are all challenges that we are dealing with. And an important point is how can we use current developments in the field of machine learning to simply identify potential anomalies more efficiently with the help of algorithms and, above all, to make the whole thing scalable?
Thomas Sinnwell: At this point, I would like to move on to the topic we discussed at the beginning of our conversation. How does a proper German professor come to have to deal with this dark side of the issue? When you say to yourself, yes, especially machine learning, that this is of course a very legitimate approach to being able to recognise such anomalies, especially in large infrastructures, where a certain automation aspect simply plays a role. I can't look at each system individually and think about what could be abnormal there. Then I won't be able to finish. The machine has to go there and look over this huge amount of data. And when it comes to machine learning, it is still very important that I know the right features, the right scanners, in order to enable the best possible learning. As a security researcher, how do you come up with these features that you have to look at for learning?
Thorsten Holz: Exactly. So perhaps a good turn towards my background itself. As part of my doctorate, I was primarily concerned with how attackers actually proceed. And different aspects of it. On the one hand, so-called honeypots, you can imagine a honeypot as a kind of electronic bait. You have a computer system, so to speak, which you then specially prepare by installing even more tools on it in order to get a very detailed overview of how people interact with this system. So it's a kind of bait that you put out in your network and then you just wait. How do people interact with this system? Because by definition, nobody should interact with this honeypot. It doesn't offer any normal services. However, if an attacker simply scans the network in this information gathering phase, sooner or later he will stumble across this honeypot. In this way, the bait has fulfilled its task, so to speak. The attacker has found the honeypot, perhaps tries to trigger a vulnerability there and thus gain control over the honeypot. And then we can observe what happens on the system. From where is further malware loaded, which commands are executed, how is communication with each other, so that we can learn more step by step about how attackers actually proceed. Nowadays, there are also companies that offer such honeypots directly as solutions, typically quite well automated, so that you can distribute these electronic decoys in your network. The whole information evaluation is also automated, so that you also get an overview of it. What is actually happening in my network? How are these honeypots being interacted with, so that you have a kind of early warning system in your network, which potentially identifies attacks that have not been detected by the intrusion detection system and thus learns at an early stage, so to speak, when something interesting has happened in the network.
Thomas Sinnwell: And that is perhaps a very exciting point, the keyword malware. How do you get hold of malware? Or how do cybercriminals get hold of malware?
Thorsten Holz: Again, there is a relatively broad spectrum. Either they implement it themselves, if they have the skills, or if it's a larger group. Most of the time, there is a lot of specialisation, so that the various aspects of an attack also include information gathering. So, as the pentesters did before, the cyber criminals also collect information first. Then they look at what kind of vulnerability they can exploit, typically also specialists who then carry out exactly these steps. And then there is typically also a team that implements the actual malware. This can now also be purchased as a service. So you don't have to do it yourself, but you have the option of simply buying it as a service for a certain amount. Or that you say, here, I have a certain malware, I would like to install it on 1,000 or 10,000 machines; you can now also buy this as a service. Or the sending of spam emails or phishing emails is also a service that can be purchased on such underground forums. So in this respect, there is a lot of specialisation, own developments or even that one falls back on services. Or sometimes the source code of some of the popular tools is also publicly available, so that the attackers can simply adapt it to their needs.
Thomas Sinnwell: Special needs.
Thorsten Holz: Yes, special needs.
Thomas Sinnwell: This is perhaps a good opportunity to talk about the darknet, because you hear that very often and I think few people really know what the darknet is. Could you perhaps briefly say something for our listeners?
Thorsten Holz: Exactly, Darknet sounds evil and all, but actually, from a technical point of view, perhaps briefly summarised. Tor is the best-known software in this area and was actually developed to enable anonymous access to the Internet.
Thomas Sinnwell: So the very positive story first of all.
Thorsten Holz: Exactly, and the basic idea is that I don't connect directly to a web server with my web browser, but I have three nodes in the middle and you can imagine that you first connect to the first node, from there to the second, then to a third and only then to the web server at the end. And through these intermediate nodes, I then disguise so that no one knows who the browser is that is accessing the website, so that even a very strong attacker who observes the entire network, even for him it is disguised, so that it is not clear who is actually using it? Interestingly, Tor was also financed by the DOD, the Department of Defense in the USA, but also by the EFF. This is the equivalent of the Chaos Computer Club in the USA. So there is a very, very broad spectrum of people who have supported the whole thing. The use cases of Tor in practice are very broad. So on the one hand, whistleblowers who can simply get information out there without their identity being established, so to speak, so that they can also use the circumvention of censorship that way. So another big use case is that you can also access websites that are perhaps blocked by the political party in a certain country, so that you can also circumvent censorship mechanisms. At the other end of the spectrum, there is of course also a lot of abuse, be it for cybercrime, but also for child pornography and so on. So this technology, that you can use the net anonymously, can be used very widely. Without wanting to go into all the ethical aspects of it now. And an interesting application of this technology is that you can also offer websites without it being clear where the server is located. So you have a web service. But it is not clear under which IP address it is now offered? Where is it physically located in the world?
Thomas Sinnwell: Yes.
Thorsten Holz: And that is the basic idea behind the Dark Web. That is, web servers, i.e. certain services that can be accessed, where it is not entirely clear where they are actually located, in order to prevent potential censorship or downtimes, i.e. that the servers can be taken down; we have this concealment mechanism. And in practice, it is used for various types of services and, especially in the press, mostly in the rather abusive way that there are also forums where you can buy drugs or perhaps weapons or fake credit cards or various types of malware.
Thomas Sinnwell: Of course, the obvious question is: How do I find these systems of these offers?
Thorsten Holz: There are also search engines on the dark web or, above all, there are mostly link collections where there are certain links to forums where you can exchange information. So via the Tor browser you can get access to such websites and then you can look at what kind of forums are there, what is offered there? But in principle it works just like normal web browsing. You have Firefox as a browser, which then also has a certain plug-in, the Tor Browser. But from the look and feel it's very similar. It's just much slower because of this obfuscation in the middle, because of these middle stations. But otherwise it just feels like surfing. Maybe in the 90s, because it's slower.
Thomas Sinnwell: Nice image. That means it is a very suitable way for cyber criminals to access the tools, the information, the groups.
Thorsten Holz: Yes, but the criminals don't necessarily have to be in dark web forums, they also have other types of exchange mechanisms, via various chat platforms or other messenger formats. So they already have the possibility, let's say among like-minded people in inverted commas, to exchange information in order to get access to such services. They have to have payment processing behind them. There has to be a certain amount of trust, because there, too, yes, of course, there is trust when you buy things and that has a certain quality in the software and so on.
Thomas Sinnwell: Yes, we have now addressed many exciting topics in our conversation, including the topic of machine learning. AI, artificial intelligence. We talked about how it can be used to recognise such anomalies. What is the situation now on the dark side of the issue? Is artificial intelligence being used there as well?
Thorsten Holz: I think, in general, machine learning will significantly change our interaction with computers in the next few years or decades. And of course we also see the potential on the attacker side. For example, a few years ago DARPA held a competition in the USA in which machines played against each other, in inverted commas. The setup was as follows. There were various types of programmes that offered some kind of service and then the task was to automatically find vulnerabilities in these programmes, to develop an exploit, so to speak, a mechanism to exploit this vulnerability and execute malicious code. And in the third step, of course, the patching of these gaps. And in this competition, it was really only the machines that played against each other. So of course humans developed these systems, but then the actual competition phase. It was really only the algorithms that played against each other and then in many rounds they simply attacked each other, developed exploits, developed patches and I think that is a step into the future, because these systems were still a bit simple in the sense that they were not a complete Linux or Windows system, the services were also a bit simpler. But it has already shown that you can actually automate all the steps from finding vulnerabilities, from exploiting vulnerabilities to patching. And that, I think, is the first step, and I think that will occupy us much more in the future. So how can we use algorithms to automate more and more some of the tasks that people are currently still doing?
Thomas Sinnwell: That means the competition between defenders and attackers will continue, but on a different level. The attacker's machines against the defender's machines.
Thorsten Holz: Exactly. It's definitely getting faster and faster.
Thomas Sinnwell: Sounds threatening or frightening at first.
Thorsten Holz: Exactly. I also think that in the future it will probably go in that direction. How can we achieve more and more automation? How can we manage to react effectively and, above all, very efficiently to new threats when, of course, the attacker side is moving more and more in the direction of automation. And perhaps another aspect of machine learning, which I think will become increasingly important in the future, is the whole area of deep fakes and the like. In the meantime, algorithms can simply create images where we as humans can no longer distinguish. Is that an authentic image or just generated by a computer? Similar to other media, that you can generate texts or audio.
Thomas Sinnwell: You can reproduce voices. Of course, that's a great instrument for making phone calls, because it sounds like the boss or the head of the department.
Thorsten Holz: Exactly, and it is precisely in this context that there have already been the first attacks, because the boss may have given lectures somewhere. So the attacker has access to audio material and can use it to synthesise new audio. To create any sentences in the pitch or in the voice of the boss and can then use that to carry out social engineering attacks. So I think that's a first step. And the other big threat that I also see are all the misinformation campaigns. That simply in order to destabilise a democracy, another country can try to start disinformation campaigns in a certain country in order to spread insecurity or false information. And fake pictures or fake profiles are used a lot to create a certain mood. And I believe that this is something that will occupy us a great deal in the next few years, because machine learning methods are becoming much better. It is becoming increasingly difficult to distinguish whether something is legitimate or not. And then this human knowledge, is it authentic at all or is it legitimate at all, what is being said there? It will become more and more of a challenge in the coming years.
Thomas Sinnwell: Yes, exciting times are coming. Thank you very much, Professor Holz. I enjoyed the conversation very much, and yes, to our listeners until the next episode. Bye!
Thorsten Holz: Thank you very much for this invitation and see you soon. Bye.
So, that's it from us again. We hope you enjoyed today's episode and that we were able to teach you a little bit about the topic of cybersecurity. You can find further links to the current episode in the show notes. And if you are interested in the wonderful world of technology and software development, we would of course be happy if you subscribed to us. In the next episode we are back with the third and final part of our series on cybersecurity. Host Dr. Thomas Sinnwell is back and has another expert in store. See you next time. We look forward to seeing you.
Transcription.
Thomas Sinnwell: Welcome to our new podcast in the "Technology Outside the Box" section. Today we are talking about cybersecurity and producing the first episode of a three-part series. I have Prof. Dr. Mana Mojadadr as our guest today. In addition to her professorship at the Saarland University of Applied Sciences, Mana Mojadadr is an innovation advisor, entrepreneur and supervisory board member. And she holds the title of "Professor of the Year 2021", where she came in second in Germany. A warm welcome to you.
Mana Mojadadr: Thank you Thomas.
Thomas Sinnwell: Nice to have you here. Please be so kind and introduce yourself, so that our listeners can get a better picture.
Mana Mojadadr: Yes. With pleasure. As you already described, my main job is as a professor. I take incredible pleasure in teaching young people not only business management topics, but also current practical themes, from the corporate landscape, current problems and finding solutions together.
Thomas Sinnwell: I would like to take up the keyword from the real world and give our listeners the chance to listen to a person concerned and thanks to your mediation, it was possible for us to talk to Mr. Storb from LEG-Services GmbH. And he told us what happened to him when his company was hacked.
Andreas Storb: For me, this attack was a terrible experience. I don't want to experience something like that again. We were hacked even though we had introduced an information security management system and maintained it for several years. In the event of a hack, it becomes clear to what extent an organisation is dependent on the availability of IT systems. If telephony, e-mail communication and access to data or booking systems are impossible, the organisation is virtually incapable of acting. In addition, forensic investigations also take place after a hack with regard to criminal prosecution, which also take a certain amount of time. You can prepare for a lot of emergencies, but the creation of redundancies also has economic limits.
Thomas Sinnwell: Mana. I would now like to address the very obvious question: Are cyber or hacker attacks inevitable or can we prepare for them?
Mana Mojadadr: I think one can definitely prepare. I don't think there is one hundred percent security. And that is also a saying that has become established by now. I admit managers, board members and supervisory board members can't hear it any more. Why? Because they often say, "We are preparing ourselves". And I am very happy that we can talk a little bit about this today. Often people get confused: cybersecurity doesn't mean I have to be a techie. It also doesn't mean I necessarily need an IT licence. Rather, it means how can I, as a company, also work with my employees, no matter what job they do on a daily basis, prepare and deal with the subject more consciously in order to minimise the risks.
Thomas Sinnwell: Yes. You raise very important issues that I would like to discuss in more detail. But first I would like to give my curiosity free rein and I think that is also in the interest of our listeners. How do you get to cybersecurity so purposefully when you start with business studies?
Mana Mojadadr: I don't know how it really came about. Maybe it has something to do with a helper syndrome. From a professional point of view, it was clear to me that I wanted to get out into the world after my doctorate. Also that it is incredibly important not just to be able to live out what you have learned as an expert, but rather to look at where the market is moving at the moment. How can I learn from other business models, other sectors? And that's when it was clear to me that I would really want to work in the software industry. At that time I was allowed to work for the Executive Board and Supervisory Board as an executive assistant at SAP in Walldorf. And it was incredibly exciting to see what all comes together there. And not just to sell software, IT or innovation, but to actually think about, how can I help? How can I support processes, people and organise their day-to-day processes?
Thomas Sinnwell: Yes. I think that was also a very exciting phase in your career. But you then also moved on a bit. What are you doing in these areas now?
Mana Mojadadr: Yes. So after that I was also a managing director in Italy at the subsidiary of SAP and was able to help small and medium-sized businesses there. So I was allowed to change from focusing on, let's say, very large international companies as customers to small and medium-sized businesses. Italy was a very difficult market and that means that a lot of things that don't work in the economy have to be compensated for with software. And rather to work together with each other under certain circumstances. How can we do things differently? More innovative? Make them better? Make them safer? And...
Thomas Sinnwell: For curiosity's sake, was there a difference in mentality on these issues? In dealing with these issues?
Mana Mojadadr: Somehow I think so. It has something to do with the cultures. Some Germans might say that the Italians are a bit slower than us with regards to innovation. I was surprised to see in some places that the Italian industry is a front runner in a lot of things. Milan has a large banking sector, and there the banks are also very strongly regulated, be it on the financial market side, but also with regard to the digital topic. But also in terms of security issues, because it was just as strongly and strictly regulated.
Thomas Sinnwell: Yes, now I would like to talk about what it is like to be hacked. To get in the mood, let's listen to our recording of the conversation with Mr Storb.
Andreas Storb: Early in the morning of the 3rd of November 2020, I received a call from a system administrator informing me that an encryption trojan had successfully unpacked and encrypted large amounts of data. The criminal attacker left a six-figure ransom demand. This demand automatically doubled after 10 days. I then immediately informed the management. An emergency meeting was then convened in which it was decided that, firstly, LEG Service would not respond to the ransom demand, that a criminal complaint would be filed, that the independent data protection centre would be informed first by telephone and later in writing, that a team would be put together which, under my leadership, would implement the secure reconstruction of the destroyed systems and that external expertise would also be involved.
Thomas Sinnwell: Mana you also have clients who have been victims of a cyber attack and you have had conversations with them. What is your perception of what it feels like for them when they find out that their company has been hacked? Can you tell us a little bit more about that?
Mana Mojadadr: Yes. I'd be happy to. I mean, of course, some of my clients don't like to talk about it. I think there needs to be more of these events and discussions to learn more from the experience. And often, when you look in the press, you read that something has been hacked again. Somehow the place is at a standstill. Something doesn't seem to be working. Then there is talk of blackmail money, most of the time. And then there's also a lot of playing on fear, which I think plays into the hands of hackers or organisations that are out to do just that. On the other side, i.e. an IT manager, an administrator, the executive board members, but also the employees are often really traumatised when something like this happens to them. Because we often think that things like that couldn't happen to us. This is a cyber war somewhere, some kind of a topic you read about in papers. What does that have to do with us? When it happens and the child has fallen into the well, it is often incredibly difficult to look at how can we get back to normality? That means technically, but also in terms of togetherness and so that the company doesn't come to a standstill.
Thomas Sinnwell: I am now in the fortunate position of not being affected myself, thank God. I have had little opportunity to really talk to those affected. My perception from the few conversations I have had is that the subject is shamed. And that is perhaps even a strong term, but it also has the connotation of abuse. Something is really being done by force and the people have no chance to resist it in any way.
Mana Mojadadr: Absolutely. It also has something to do with the big feeling, have I caused the mistake that led to this? Am I the weak point in this whole construct? And that is usually the problem when it comes to correcting the error. Or when you want to quickly compensate for the weak spot. Hackers will be able to hack in a matter of seconds, or if it's automatically executed malware, it's also a matter of seconds. And when it comes to that we have to ask: Where was the vulnerability? Of course, the human factor comes up at this point, somewhat uncomfortably, as you say, shamefully. Because it's really only about that, please let us work on it. And it may be that staff members can't or don't really want to help at this point because they think, maybe it was me. Maybe it's my fault that my company is in a really bad shape right now.
Thomas Sinnwell: Yes. Depending on the culture in a company, people don't need to say to themselves, I think I've done something wrong, I think I clicked on the wrong link. And that would actually be from my point of view, from this technical point of view, a very good time to say, hello, people, maybe I've just clicked on the wrong button. Then IT still has a chance or it can still have a chance to limit the whole attack. And if you wait six weeks then it becomes really difficult. In this respect, I think it has a lot to do with mindset. I think it is enormously important to talk about it. And I asked this question deliberately at the beginning, is it unavoidable? We can go a bit deeper. I think you can prepare, but on the other hand, this is a very real threat nowadays. It doesn't only affect the others, you can quickly get caught in the crosshairs or simply become the victim of a random attack. Not all of what is going on is targeted.
Mana Mojadadr: Yes, absolutely. And we see it in the statistics. You brought the nation's situation report on the IT situation in Germany. Germany was also shown the red card as far as the status at the economic level, i.e. in companies, is concerned. What the preparations for such attacks are and the dark figure of unreported cases that is always hovering somewhere above is that probably everyone has been hacked, but not everyone has actually understood that they have been hacked.
Thomas Sinnwell: Or noticed it. Or it will happen soon. Or the code is already lying dormant in their own networks. Yes, I have indeed brought the Nations Report regarding IT security in Germany in 2021 with me and there are an incredible number of exciting and frightening aspects in it. And it would be completely out of place to go through every number in here in this podcast. But I have simply brought along a number for the listeners that I find exciting or that really makes you realise that this is a real risk. And that is in the category of new malware variants. That is the big challenge. They are generated quite frequently and on the defence side you have to look at whether I can somehow recognise this new malicious code, somehow ward it off? Do I have a chance? And the BSI has now chosen an observation period from June 2020 to May 2021. In this time, in this reporting period, there were 144 million new malicious code variants. You really have to let that roll off your tongue. And I think a number like that makes it clear that yes, this is a very real risk. In principle, it can affect anyone. But I also found a second thing, in the Mix magazine at Heise. While reading through it, the whole thing jumped out at me and they refer to the SonicWall Cyber Report 2022, which is also very up to date. And it deals specifically with ransomware attacks, and in 2021, in comparison with 2020 these ransomware attacks have increased by 105 percent. That's a real number.
Mana Mojadadr: But in terms of perception, that's going to be counterproductive again now. I'll put it this way, employees who now work in accounting... I'll say a classic job in the back office are more likely to say, ok, malware, any variants, what do I have to do with it? What does that have to do with my daily work? And how can I actually support and minimise the risks? And as you said, it is a lot of training, preparation, a lot of communication, a lot of working on the culture, in order to draw attention to it. It can happen every day and there are certain rules when you have digital access somewhere, whether you log on to the computer or not. Whether you go into the booking system. Whether you use any other system. Then there are rules ranging from password security to how and where am I allowed to log in and how? And also where do I keep certain things that need to be protected. Backups are also a very important topic. But I can't expect that either. This is not an IT or techy topic.
Andreas Storb: LEG Service has taken over the task of the central IT service provider for several national companies. After a phase of consolidation and standardisation of infrastructure and processes, risks had to be assessed. We have done this consistently, had ourselves audited and certified and have now been successfully recertified in spring 2022. Awareness played a very important role in the auditing process. We drew up a concept that provided for a series of interviews with employees from various companies with different areas of responsibility as a first step. Based on the results, the following measures were derived, the implementation of which is continuously monitored by our cyber security task force. The online training courses on information security and data protection have now been launched across the board, starting with the managers. Here, employees learn more about secure passwords, working in a home office and data protection while travelling, among other things.
Thomas Sinnwell: So Mana let's talk about that for a moment. How do you support your clients in these areas?
Mana Mojadadr: So in a variety of ways. I originally come from consulting, restructuring consulting, so my contact persons are often board members, managing directors, but also IT managers. And from there I often get the order to support them. Coach them. Support them in communication as well. And it can go in the direction of training. But it can also go in the direction of raising awareness. I like to work with experts who can support me in saying that there are very complex legal regulations that we have to comply with. And then I'm always happy when someone else is there to say, Mana, in simple language please. The employees must have it explained to them in simple language. And that can be trained. But you also have to raise awareness regularly. Of course, when an emergency occurs, it's also a matter of reacting quickly and repairing the damage quickly. Sometimes also a bit of support, what steps do we have to take and how? According to the GDPR you have to follow a certain catalogue. Many companies don't know that.
Thomas Sinnwell: But I would like to come back to that separately. Let's please stay with, before it happens. What you should do then. I have now taken with me: Awareness training. A big topic. What is awareness? In the context of cybersecurity.
Mana Mojadadr: Awareness means that I, as an organisation, have to think holistically about where I stand. Prepare not only from a technical point of view, but also at a human level, in order to practise these types of attacks. Can I recognise an attack? Do I know that there is malware or something similar on the way? Is it the case that maybe someone is trying to grab my access data in order to get hold of golden data or similar systems? And how can I prepare myself? And if I notice something, of course I should also report it to the IT department or the relevant experts.
Thomas Sinnwell: How do you do that? What are your focal points? Your approach?
Mana Mojadadr: There are a lot of awareness-raising campaigns or you advertise on the Internet or try to make contact, how shall I put it, with the employees at the various levels. We have had very good experience with individual talks. Often in connection with, let's take stock. Where are you at the moment in your day-to-day doings with the topic? And let's talk about the topic with different employees from different departments with different responsibilities. And there we use a kind of four-eye conversation, interviews, where we want to talk authentically about: do you know what is worth protecting? And how do you protect it? Where do you need help? Do you still have ideas? So of course it also has something to do with innovation, but also with vulnerability assessment. But to approach it in such a trusting way. And that's where it often reflects a picture of the organisation, which you then know, ok, you have to work on some areas. It often has to do with the fact that some medium-sized companies now prepare themselves. There are guidelines on security. Information security. Data protection. And then there is often this distorted picture, but why doesn't it get through to the organisation? I've done everything, even bureaucratically, to prepare myself. Maybe I am even certified. But then we try to find out on the other side, has all this actually been achieved? Be it in terms of training, whether it's communicative, whether it's that it's not just a theoretical techy-topic or something that people say I don't want to have anything to do with, but that I can contribute to making us safer.
Thomas Sinnwell: Yes. How do you see this approach, which I have come across several times now, that awareness training is carried out? And then comes the review. Has it worked? What is your view of this approach?
Mana Mojadadr: So not doing any training at all is a no-go. Now there are, I guess that's what you mean, e-learning that you roll through maybe once a year.
Thomas Sinnwell: Yes. Or service providers who then import harmless malicious code and then you get a wonderful evaluation of who fell for it again.
Mana Mojadadr: Yes. But that would be the next step. Some organisations are not yet so far advanced that they have really trained on the minimum level. I would also, before I start to simulate emergencies at the same time, prepare an emergency plan. My employees would not be prepared for it. Or maybe even the IT department. Maybe I'd like to test them a bit. But then that's counterproductive and is more likely to damage trust than to rebuild trust. That's why it's very important to first lay a foundation again. To sensitise again. Prepare a minimum of training but also to announce that at unknown intervals we might even become technical. But also in the social engineering area. Someone from the outside may try to get in or trick you a little. To get hold of your access data, for example. That can happen. We just don't announce it directly any more. But I'll prepare you for emergencies. Just to test how quickly we can react if the blood pressure rises a bit.
Thomas Sinnwell: Yes. What I particularly liked about one approach was that it was done in a playful way. That it was actually the person who had recognised it best was singled out. So it wasn't like this, like in school, but you did it wrong. But the other way round, you did it very well. From my point of view, I think that is an important aspect of this review, so that we don't lose this acceptance of the subject.
Mana Mojadadr: It also has an effect that has to be considered very carefully. It can also backfire. In the meantime, there are also studies that say that too many simulations can have a rather numbing effect on an organisation, because people then say, well, that's the hundredth fire drill. And at the end of the day, I don't care. I just don't feel like playing along. And there are now statistics and studies on this, that show that simulations don't necessarily help. I think the most important thing for organisations is simply to build their own recipe. How are we? Do we find our culture again? How can we work on trust? But of course let us also put ourselves to the test every now and then, but please, together and constructively and not just by making games out of it. Or it actually comes to that, that we want to show certain members of staff that they are not yet really able to protect themselves or the company.
Thomas Sinnwell: Yes. Well, now I would like to talk about other activities that companies can carry out, which are also of an organisational nature but also partly of a technical nature. We had to create awareness as the first step. I would sign that. Absolutely a top issue. We should definitely start with that. Everything else is downstream. You have already touched on a second point. Taking stock. What do I actually have? What is worth protecting? What would really hurt if it no longer worked? Or what could I still live with if necessary? Because, in my experience, the budgets for IT security measures are also limited. They are not inexhaustible. And then I have to think about what am I going to do with the money? And maybe I should also do it in a sensible order.
Mana Mojadadr: Absolutely. And that reminds me of a funny saying that was thrown at me a few years ago: We don't even know where our data is. So that's the best protection against hackers, because they don't know where to find it either. But a lot has happened in the meantime. And I also notice that some really want to work on it. Even board members and managers want to prepare themselves. They have also understood that I don't necessarily have to be at the high end of technology. But I have to prove to my partners and my customers and my employees that I want to deal carefully with these relevant issues. And I find that some of those who do this cleverly see it or treat it very similarly to a compliance management system. They say that there are also clear rules in our industry or in the way we do things, there are clear governance rules. Be it externally prescribed by the legislator or simply because we have certain guidelines for ourselves. And we want to approach this topic in a very similar way. And it is also clear that we have to look again very clearly, where are the processes and data that need to be protected. And that is a lot of work. So we also need workshops for this. You often can't answer that off the cuff and it is often an issue, especially for small and medium-sized businesses, because they are often growing and then of course things simply develop themselves. And if you have the process itself, if you have defined it at all. And then it is a bit of work to find where the golden treasure is that needs to be protected at this point.
Thomas Sinnwell: Okay. If you have done your homework in this area and you know your crown jewels that need to be protected, then I am at the next stage. Now I build my protection. The thing that immediately comes to people's minds, which is also absolutely right and valid, is the firewall. What I often come across are statements that we have now bought a super next-generation firewall, everything is fine. Have you already had this experience?
Mana Mojadadr: Yes. Also the saying: We have an anti-virus system, don't we? My IT manager has just got budget for it. A firewall. Yes. And then terms get mixed up and then you don't know whether it's the spam filter, the firewall or whatever. But maybe that's not what matters. And that's not enough, why? Because I often compare it to a house where a burglar could somehow get hold of a key in order to gain access through the main entrance in the normal way, without setting off the alarm, because he had the key. In principle, he pretended to be the landlady or the master of the house and was allowed in. So the alarm wouldn't go off at that point. And what we are actually talking about, what now proves the greatest damage in the statistics of the BSI, are precisely these very professional types of attacks that apparently access data, passwords of accounts of employees or managers or admins over a period of months. And then start moving from system to system. I'll scout the landscape first. I'm going to look at what's on the backup server. What's in the database? Who is accessing, how, what exactly, how often? To create an early warning system you have to have a baseline of normal behaviour so that if someone from outside has the password and the corresponding access, the key, these early warning systems notice unusual behaviour. So, for example, someone suddenly copied something at an unusual time at night or unusual masses of data? The worst thing is, if it is already overwritten, then it is already the emergency most of the time. Then we also talk about the encryption of data. But it's much more exciting to be able to use technological systems that can detect abnormal behaviour at an early stage and then say, please take a closer look. Maybe the person is actually allowed to do this, but he is doing it in a very unusual way and please look again. And these are professional early warning systems. I think you are also working on such an early warning system. Which will be needed more and more, but which also has to learn with the corresponding types of attacks.
Thomas Sinnwell: You mentioned the topic of anomaly detection. That is our thing. It is a very exciting topic and basically it's like you said with this break-in into the house. Attackers leave traces behind. And they have to be discovered. It's not always easy. Given the complexity of the networks. With the high data rates. And that's where you need good approaches, but there again the human factor comes into play. The systems must be controllable, which means that the IT colleagues, who sit in front of them, should be able to deal with them. Or another variant, which not everyone wants to do, but you have a service provider who takes over this job. In this respect, the product selection is also an important question from my point of view. Good. Yes. If you've done all that now. The crown jewels are protected. They may even have an anomaly detection system in place. It can still happen. And now it comes to a successful attack and the child, as you just said, is now in the well. What is your perception of how companies perceive this?
Mana Mojadadr: As I said, it's best to have a certain contingency plan in place. And an emergency plan sounds similar to a fire drill. So I clearly wrote down step one, step two and so on. Who is allowed to do what? Who can I reach via different telephone numbers? So it also starts with quite normal organisational issues. If, for example, the IT manager cannot be reached on the private number and the system is now destroyed or paralysed by voice-over-IP or whatever, I already have the problem of who to reach. And here, in addition to the technical solutions, it must be quite clear, how to separate systems? When am I allowed to start up which system again, because it may still be contaminated? I need a very clear plan and that has to do with organisation and we have just mentioned where do I have to report what? Often it is clear that I have to call the LKA. There is now a cybercrime division and if you are lucky enough to have made a note of it beforehand, you know which direct number to dial. And you also have to contact data protection. And that is also shameful and incredibly unpleasant, because you actually have to prove there was a hack here, and actually you should also know what happened. What data might have been affected? Because then it's also about protecting customer data, partner data or employee data. But that usually works well if I have an emergency plan. And I've practised it a bit. Nevertheless, there is excitement. Nevertheless, there is a certain trauma associated with it. But that alone helps, having a plan. It won't be security, but it means I can work on it, even if we are stressed as an organisation on how we can deal with it.
Thomas Sinnwell: Yes. What you are talking about is, from my point of view, a very important issue. At that moment, when the malware strikes, sometimes dramatic things happen. And you mentioned the phone. It can be gone. Suddenly I can't call my IT manager at all. He may still be in the building. Locking systems can be affected. I can't get into the workshop. I'll have to find a door on the outside that has a mechanical locking system to get in. Employees start to panic. There are suddenly a thousand questions that come up and in an atmosphere like that it helps to have a checklist that I can work through. My emergency plan. I think that's what you called it. It's very helpful, of course. And it's the same as in any aeroplane, if there's a catastrophe, the co-pilot flips to the manual. And there's the checklist, and they go through it one by one. That's assuming you've drawn up such a checklist.
Mana Mojadadr: Exactly. That only works if it is there.
Thomas Sinnwell: Yes. And that's another area in which you also provide support.
Mana Mojadadr: Yes. Of course I'm happy when it doesn't come to an emergency. I'd much rather work in prevention, i.e. preparing for emergencies. But if it does, of course. Then I am also available. The BSI has launched a similar concept. It is called digital rescue chain. But there too. I think it only works if you have a direct connection to this person, whether in an advisory capacity, externally or internally. And can also be part of this reaction and communication at that moment. So more importantly, I have clearly defined the steps with my people, from IT to the secretariat to the management. Who has to do what? And how can we meet? And then it's more likely to be physical. As you say, then accesses are missing, digital accesses in all directions. I won't be able to access a calendar either. I won't know which client I have to meet and when. So these are often such incidents that I am first of all busy with after the attack. I am busy with the trauma. But at the same time the company really does come to a standstill for organisational reasons alone, because I don't know where I might have to go to the authorities. Who do I still have to talk to and how? It's all gone for now.
Thomas Sinnwell: Yes. At this point I also have a tip for our listeners about what you should definitely do. You need your emergency plan, this documentation of the processes, what is to happen then, and you will also need a hard copy at some point. If they are on the drive that is encrypted and I can't get to it because my computer is locked, I have no chance. Then I can't use all these things at all. In this respect, I really need to have it in writing or it's in a completely different place. But then I have to be a bit clever so that the malware doesn't realise that there's still something there. There are many things you can do, but that's a bit more advanced, I'd say. Then there's the issue of communication. You mentioned it. For data protection reasons, if customer data is affected, I ultimately have to report it. What is your experience?
Mana Mojadadr: That is a contradiction in terms. Why? According to the language of the authorities, the LKA has to report to the public prosecutor's office. That also means in investigative work. Where did which hacker come from? You mentioned the footprints. I might find something. But I'm not allowed to talk to the head of IT or the relevant executive at that point. If I'm lucky, there are still a few clues or I pick up hints, but actually it's strictly reporting, IT forensics, LKA, public prosecutor's office. And at the same time, as the managing director, I am obliged to report to data protection what actually happened. And there lies the crux. We also tried to talk to the data protection authority, because I was also keen on the data. Because I was thinking, what statistics do you have? Do you have any experience? Are there perhaps certain types of attacks that occur more frequently in certain regions? How were they dealt with? And at the end of the day, the database is not particularly helpful, because then the data protection authority rightly says that either not everyone necessarily reports it, although they have to. Those who do report it don't really know what happened. Most of the time, the footprints are also only partially there. Or because investigations have already been carried out relatively quickly, the organisations have no added value from their experience. And that is the crux of the matter. And that's why it's so important to talk openly about the issue, because through the press, something happened. Or it's unbelievably bad. That only stirs up fears. It doesn't prepare people. And somehow you don't really learn from each other.
Thomas Sinnwell: Learning from each other is certainly an absolutely important aspect. And I also believe, as you do, that talking openly with each other is important. And I find a report like the one we received from Mr. Storb immensely helpful in this context. And I found it very exciting that the LEG services dealt with the experience in a very constructive way. Let's listen to the recording of our conversation again.
Andreas Storb: We have learned from this bad experience - we were able to reposition ourselves and our infrastructure and have taken organisational and technical measures to protect our information. Others can also benefit from our experience. At the beginning of 2022, the Saarland founded a new company, LEG Kommunal, together with municipalities. This company offers the municipalities involved not only services in the area of project management for municipal development and construction measures, but also support in the introduction of information security management systems so that municipalities can provide their services to the economy, citizens and authorities reliably and securely and thus minimise the risk of falling victim to a cyber attack.
Thomas Sinnwell: Yes. As we have just heard, something really good has come out of the cyberattack at LEG-Services. LEG-Kommunal. So, in my opinion, it's a great example of knowledge exchange and communication.
Mana Mojadadr: Absolutely. And above all, I think, there is communication. Talking to each other. Also, please don't just leave communication to the IT department alone. I'll train you in that direction. But when the time comes, or even in the course of day-to-day work, who has to report certain things and how to report anomalies. And who can help?
Thomas Sinnwell: Yes. I would like to end our podcast with some advice. What is your top advice for listeners? What they should do when they approach the topic of increasing security?
Mana Mojadadr: Well, if they haven't done anything yet, just have an educational talk. Inform yourself a little bit. If it is the case that the IT management itself has to do a bit of propaganda, please help. Please provide them with a budget. Then also the management as well. Don't tackle the issue alone. And vice versa. Ideally, the managing directors and IT managers should approach the appropriate advisors or experts. And first try to have an informative talk. And then it will certainly quickly come to fruition, along with the steps you have just described.
Thomas Sinnwell: Now you've already taken away my top advice. But this aspect of really involving all units of the company is a very important story for me. It's not just an IT issue and it can't be driven by IT alone. There are important tasks to be done. In any case, it has to be started by management. There must also be an awareness. And an understanding of what is going on and what can happen in your own company and what you should do. And from my point of view it is helpful to look for professional service providers, who can point out the issues in a targeted manner. And draw your attention to these areas. And perhaps they can give you the steps that you just have to go through. Well, thank you very much for this very interesting conversation. I think we talked about a very complex subject matter. I had a lot of fun. Thank you very much for being there.
Mana Mojadadr: Thank you Thomas.
Thomas Sinnwell: And to the listeners, I'm looking forward to the second episode on the topic of Cybersecurity and that will ultimately be about the attacker's perspective. How do they actually work? What do they do? How does an attack work from a hackers view? And from this you can then also derive a little on what you should do, if you are affected. Where do I invest first? Thank you very much. See you then. Bye.
Mana Mojadadr: See you soon. Bye.
So. That's it from us again. We hope you enjoyed today's episode and that we were able to give you an understanding of cybersecurity. Further links to the current episode can be found in the show notes. And if you are interested in the wonderful world of technology and software development, we would of course be happy if you subscribed to our newsletter. In the next episode we are back with part two on cybersecurity. Host Dr. Thomas Sinnwell is back and has another expert in store for you. See you next time. We look forward to it.