• Industry News
  • Management, Awareness and Compliance

A limited ability to defend

Hacking and cyber crime in 2021

Sebastian Artz
Sebastian Artz
Bereichsleiter Cyber- & Informationssicherheit Bitkom e.V.

This content is available to the it-sa 365 community. Please register or log in with your login data.

Sebastian Artz, Bitkom | Hacking and Cybercrime
A key US oil pipeline, the Irish healthcare system, and the world's largest meat producer have something in common. They have all recently fallen victim to cyber attacks and are thus just the tip of an iceberg in a series of attacks that have been attracting media attention for months. Experts and industry professionals have been worried about this problem for decades and continuously issued warnings, and its effects are now being felt throughout society with tremendous force, and with security policy consequences. Hacking in 2021 poses a significant threat to supply security and keeping the citizenry safe.

What’s true for all technological progress is also true for hacking: Technology is not good or bad but always only a means to an end. And hacking does not necessarily have to be a criminal act. Basically, hackers are people who use their expertise to overcome obstacles in innovative ways. With this nuanced view in mind, however, the focus is naturally on developments in the criminal area of hacking and their impact on the economy, politics, and society.

In this context, it is essential to understand what motivates the attackers. Abstracting from state espionage activities, the lion's share of what we observe in cyberspace is business-driven. The criminals are clearly interested in monetisation and are often out to make a quick buck. For years, we have observed a clear trend of cybercrime becoming more professional, international, and industrialised. The greater the potential damage to those affected or the broader the impact of the attack, the greater the potential profit for the criminals. So it is hardly surprising that organised crime is becoming increasingly active in cyberspace and not shying away from attacks on our critical infrastructure. The leverage is simply greater.

In addition, "cybercrime-as-a-service" is becoming increasingly popular, and the criminal value chain is becoming segmented. While individual hacker groups specialise in the "extraction" of access data, other groups provide their "customer-friendly" ransomware service. Because the to the associated elimination of technical competence hurdles, criminal energy can be discharged much more easily in cyberspace. Criminals have long since no longer needed in-depth programming knowledge or many years of IT expertise for a long time now. To put it bluntly, any petty criminal can simply use drag and drop to put together his attack vector.

The gateways are as diverse as they are expedient. While the majority of attacks start with phishing and social engineering, unpatched systems naturally also open the door to criminals. However, many companies and authorities only became aware of this with a bang. As the vulnerabilities in local exchange servers became known, criminals scanned large areas across countries and industries for vulnerable systems and put web shells in place. While many systems still remain unpatched, we can only guess how many systems have received security updates without, however, forensically checking whether attackers had already infiltrated them. The fear remains that the next few months will have nasty surprises in store.

In the final analysis, at first glance it is irrelevant whether the attackers reach their target via phishing, supply chain attacks or via zero/n-day vulnerabilities, misconfigured cloud environments, shadow IT, or internal perpetrators. Criminal energy will find its path. The flexibility and adaptability of cybercriminals is also where the greatest difficulty lies for the victims when it comes to prevention and response. As soon as one gateway closes, a new one opens. This means that there is no single panacea for defence. What’s needed is a proactive, structural, and continuous approach to security, which is often given short shrift everyday life.

What remains is the need to raise awareness to the dangers and the importance of IT and cyber security across all sectors, company of all sizes, and government institutions. As long as a sufficiently large number of key players fail to master the basics of cyber security, the number of attacks and the damage they cause will continue to rise in the future. This cannot and must not be allowed to continue. Companies and authorities must therefore immediately take specific steps. In addition to efficient law enforcement in the digital space, security-enhancing technical and organisational measures are needed, as well as the appropriate use of IT security technologies in their own infrastructures.

Both in terms of visibility for IT and cyber security and as a showcase for the relevant technologies and solutions, it-sa offers clear added value for proactively dealing with the threats at the cutting edge. The knowledge gathered here and the wide range of ideas must be taken up and brought to the companies and institutions.