An article by Dirk Backofen, from December 2016 to May 2020 Head of Telekom Security.
When the WannaCry ransomware began to spread around the world on May 12, 2017, it set a new high-water mark in the history of cyber crime. No previous attack had had as great an impact. The result: 230,000 infected computers in 150 countries, affecting many global corporations, government agencies, and healthcare facilities. The truly insidious thing about this encryption Trojan: WannaCry spread worm-like from computer to computer, exploiting a flaw in the Windows SMBv1 service for which a patch (MS17-010) had already been available for two months, and virtually ate its way through IT systems worldwide.
WannaCry exposed the global vulnerability of IT infrastructure as never before. The Trojan showed that the world is still light years away from effective resilience against such attacks. Or to put it another way: globally connected IT structures are only as strong and robust as their weakest links.
What lessons should we draw from this? We need a "broad-spectrum vaccine" against cyber attacks. We need "cyber-immunity". There is no getting around it: companies around the world must step up their cybersecurity activities and maintain them permanently at a sensible level.
There will still be successful attacks, of course, but better "vaccination coverage" will reduce their number, and the right "vaccines" will make sure that number keeps dropping.
Cyber-resilient companies are built on three pillars: prevention, detection, and reaction. To achieve comprehensive cyber-immunity on these pillars, every company has to implement at least the following eight measures:
1. Security by Design
Security isn't a feature that can simply be added to a finished product after the fact. Security has to be considered from the start for every new development and enhancement; it must be part of the product's virtual DNA. This applies to companies that develop products, as well as to the business customers that buy them: they have to demand security by design in their tender documents.
2. Compulsory vulnerability scans
It isn't enough to merely test IT systems, products, and solutions once before their launch; they have to be tested for vulnerabilities regularly. These tests must be compulsory and their results must be verifiable.
3. APT protection for every business mailbox and the web
Companies must guarantee protection against advanced persistent threats (APTs) for every mailbox and web access, to ensure that complex, effective, targeted attacks can be prevented reliably.
4. DDoS protection in the terabit range
Companies have to review their protection against DDoS (distributed denial of service) attacks from the Internet and, if necessary, upgrade it to withstand the increasing power of these attacks, which now reach the terabit range.
5. Mobile security for companies
Mobile devices need a kind of permanent radar as a protective shield: one that protects each individual smartphone and tablet, identifies threats promptly, and, when a threat is detected, takes the device off the network and blocks its access to enterprise systems.
6. Compulsory (managed) cyber defense for enterprise networks
The days when companies could rely on preventive measures alone are long past. Modern attackers can gain access to enterprise networks and crucial data unnoticed, through smuggled malware or infected USB sticks. Zero-day exploits and advanced persistent threats can only be controlled through sophisticated detection methods and targeted countermeasures. Security information and event management (SIEM) systems should therefore be compulsory for companies that want to fight off cyberattacks. Besides threat intelligence, a key element here is knowledge of the attack vectors and of how to counter them effectively.
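As an added illustration of the kind of correlation a SIEM performs (example code written for this edit, not code from the article or from Telekom Security): a rule that pairs a removable-media mount on a host with a process launched from that drive shortly afterwards, the "infected USB stick" scenario mentioned above. The log format, field names, host names and events are constructed for the example and do not correspond to any real product's schema.

```python
"""Minimal SIEM-style correlation rule (added example, not from the article).

Flags a process started from a removable drive within a time window after
that drive was mounted on the same host. The pipe-separated log format and
the field names are invented for illustration; a real SIEM normalises
vendor-specific events (e.g. Windows event IDs) into fields like these.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, assumed to be in chronological order.
# Format: timestamp|host|event|key=value ...
SAMPLE_LOG = """\
2017-05-12T08:01:10|WS-0042|usb_mount|device=E: serial=4C530001
2017-05-12T08:03:44|WS-0042|proc_start|image=E:\\invoice.pdf.exe user=alice
2017-05-12T08:10:00|WS-0017|usb_mount|device=F: serial=4C530099
2017-05-12T09:30:00|WS-0017|proc_start|image=C:\\Windows\\System32\\notepad.exe user=bob
2017-05-12T10:15:00|WS-0099|proc_start|image=D:\\setup.exe user=carol
"""


def parse(line):
    """Turn one log line into a dict with ts, host, event and the key=value fields."""
    ts, host, event, details = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in details.split())
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def correlate(log_text, window_minutes=15):
    """Return alerts as (host, drive, image, seconds_after_mount) tuples.

    A process start is flagged when its image lives on a drive letter that
    was mounted as removable media on the same host within the window.
    """
    window = timedelta(minutes=window_minutes)
    mounts = defaultdict(dict)  # host -> drive letter -> mount time
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev["event"] == "usb_mount":
            mounts[ev["host"]][ev["device"]] = ev["ts"]
        elif ev["event"] == "proc_start":
            drive = ev["image"][:2]  # e.g. "E:"
            mounted_at = mounts[ev["host"]].get(drive)
            if mounted_at is not None and timedelta(0) <= ev["ts"] - mounted_at <= window:
                delay = int((ev["ts"] - mounted_at).total_seconds())
                alerts.append((ev["host"], drive, ev["image"], delay))
    return alerts


if __name__ == "__main__":
    for host, drive, image, delay in correlate(SAMPLE_LOG):
        print(f"ALERT {host}: {image} started {delay}s after {drive} was mounted")
```

Only WS-0042 is flagged: the executable on E: ran 154 seconds after the mount. WS-0017 ran a system binary from C:, so nothing fires. WS-0099 shows execution from D: but no mount record at all, so the rule is blind there; that is the point about telemetry coverage: a correlation rule is only as good as the events that actually reach the SIEM.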
7. Treat industrial networks like critical infrastructures
Industrial networks still do not have sufficient protection, despite the sensitive data they handle. They have to be protected just as extensively as any other critical infrastructure.
8. Improve reaction times
On average, it takes 180 days for a company to realize that an attacker has stolen sensitive information from its IT systems, or is still searching for it. A lot of damage can be done in those 180 days. That's why we need a new maxim: time is security! The ever-increasing pace of attacks must be countered with fast-acting detection and defense mechanisms.
This is what a modern digital vaccine looks like – with eight measures for cyber-immunity.