Interview with Thomas Brox

Andreas Mühlbauer

"Cybercrime has become a business"

With increasing digitalization, cyber attacks on industrial companies are on the rise. In an interview with Andreas Mühlbauer, Thomas Brox, Managing Director of IT service provider and security specialist Allgeier Core, explains what this means for companies and which, sometimes unconventional, means can be used to counter them.

Mr. Brox, you have been involved in IT security for many years. What has changed in your business since the beginning of the digitalization wave in the industry?

Thomas Brox, Managing Director Allgeier Core. © Allgeier Core

For us, the digitalization of industry means another sector that absolutely needs to be secured. For companies, the business opportunities naturally grow with increasing networking, but at the same time so do the IT risks. We believe that it is no longer a question of whether a company will be attacked, but when - and how prepared it is for this situation. Many companies - both in industry and in other sectors - are still not aware of this. In recent years, we have noticed that the terms IT and information security can no longer be separated. In industry in particular, we are increasingly building awareness in these areas.

Have the number and intensity of cyber attacks and the criminal energy of the attackers increased or have more gaps in IT security simply arisen primarily due to the networking of so many components?

The number of cyber attacks has increased many times over across all industries. While in the beginning they were often a "prank" by so-called script kiddies, the economic aspect has changed significantly. The whole thing has developed into a business that is becoming more and more professionalized. The most striking aspect of this is that attacks are becoming increasingly targeted. No company or organization is now spared - not production facilities, energy suppliers or hospitals.

Of course, the growing number of "intelligent" devices also offers a much broader field of attack. This means that in addition to the increased number of attacks - and I'm not talking about automated attacks using artificial intelligence - there are also increasing opportunities to penetrate internal networks. Let's take the example of "intelligent" coffee machines: if the manufacturer does not supply appropriate security updates that are also installed, they can be accessed from outside. Sooner or later, there will certainly be a gap in this area. For example, a well-secured casino in the USA was hacked when an aquarium control system installed there was cracked using remote maintenance, giving the attackers access to the internal network.

Do cyberattacks tend to be targeted or are they widespread and random?

Both are the case. As already mentioned, the first attacks were rather broad-based. However, there is an increasing trend towards targeted cyberattacks. However, targeted attacks are rarely publicized, so unless the effects are publicly visible, they tend to remain hidden. However, AI-supported attacks can again be very wide-ranging and affect the entire population.

Is it possible to say approximately what percentage of attacks are successful?

Assuming that "successful" also includes the payment of a ransom, this cannot be quantified precisely. The situations depend heavily on the victim's prevention. If functioning back-ups are available, payment can usually be avoided. In our practice, around 30 percent result in a ransom payment. However, operational and production losses are recorded in the majority of cases.

Allgeier Core specializes in information security awareness and IT forensics, among other things. What does the latter mean and how do you go about it?

IT forensics is a sub-discipline of incident response, which deals with the response to IT security incidents. Incident response provides techniques to contain the attacker or stop data outflow. Incident response can also help to restore production readiness.

IT forensics can clarify where the attacker came from, how they penetrated the system and how the data left the company. In addition, evidence can be recorded and preserved in a legally compliant manner, possibly leading to the conviction of the perpetrators. The procedure is professional, analytical and systematic; every step is documented to ensure traceability.

You sometimes use unconventional methods to open your customers' eyes to security gaps and the need to take action. Were there any spectacular examples?

Especially when our Red Team goes into a company in disguise as part of pentests, it is often exciting to see how far we get there. Of course, this only ever happens after the order has been placed and in close coordination with the project managers. In one case, two of our employees disguised themselves as a service team to service the air conditioning system in the server room. The service technicians announced their arrival in advance by sending a fake email officially announcing the maintenance work. So there was no suspicion when our employees demanded access to the server room with their equipment. As the equipment used was so loud, our team was able to quickly "get rid of" the company employee and now had free access to the servers - and therefore to all important company information.

In addition to such tests, we also organize awareness training sessions where we like to distribute test objects to document the success of the campaigns (including phishing mails, USB sticks, mice, keyboards, fake WLANs, etc.). This shows that awareness increases with the number of training sessions. In general, you can always use people's curiosity and willingness to help to get into the system.
