Identity & Access Management Archive

How well is your company protected against hacking?

30. June 2021/in Identity & Access Management, IT Security/by Michaela Senft

Missing access policies, poor password hygiene, and lack of awareness of social engineering: humans are the biggest risk factor for your IT security. It doesn’t have to be. A comprehensive identity protection solution like DoubleClue protects your employee identities and access from misuse – and improves internal workflow in a compliant manner for smooth operations.

Social Engineering: Humans at the Heart of Hackers

Digitization brings with it a major challenge: ensuring that only authorized individuals have access to certain devices, applications, and data. In addition to safeguarding against technical attacks (firewall, VPN clients, and anti-virus software), this also includes a social component.

Because modern hacking attacks have long relied on the biggest weak point in your IT landscape: the human factor. And their negligence in dealing with basic security requirements: passwords that are too short or used multiple times, a lack of awareness of social engineering, or simply too lax settings in the area of identity and access management form the gateway for criminal machinations.

DoubleClue: IT Security for the Human Factor

Granular distribution of access rights to employees as well as external resources using comprehensive Identity and Access Management (IAM) including Privileged Access Management (PAM)
Multifactor Authentication (MFA) protects employee identities from misuse
Centralized password management increases enterprise password security while enabling a pleasant user experience
Centralized password and data storage encrypted from both external and internal access

Automate approval processes using digital signatures

DoubleClue offers companies many options for user self-service via the system: autonomous addition of devices and applications, automated password reset without administrator involvement, as well as digital approval of document access and granting of approvals via push messages. This saves time and resources on day-to-day operations.

At the same time, these approval processes are tamper-proof thanks to Public Key Infrastructure (PKI). Thus, push messages generated by DoubleClue comply with the standards of the Digital Signature Act and PSD 2 regulation.

Encrypted data storage

The integrated DoubleClue CloudSafe enables centralized encrypted storage of highly sensitive files on your own servers (on-premises) or in the cloud. This allows device-independent access, which can also be shared with internal and external parties. Furthermore, this advanced type of storage rules out decryption by third parties. Thus, passwords and confidential documents can be stored in DoubleClue without hesitation.

Uninterrupted workflows through reduced password entry

Software that combines IAM, MFA, and password management enables single sign-on (SSO). This means that your employees* only need to log into DoubleClue once to gain uninterrupted access to their applications. This leads to higher employee productivity and satisfaction in your organization.
The innovative DoubleClue Single Sign-On additionally embeds automated log-in to applications that rely on common third-party MFA.

Invest in the passwordless future today

IT security is the foundation of your modern enterprise. At the same time, a future-proof solution must map the future needs of innovative companies today.
Predictions from business experts* indicate that passwords will be replaced by more secure authentication options – today, they remain a reality for the vast majority of applications.

With DoubleClue, which brings the integrated PasswordSafe, you have a state-of-the-art software solution while being prepared for the passwordless future. The innovative range of functions forms the basis for smooth workflows and efficient collaboration in your company. This makes DoubleClue the optimal and secure solution for identity protection.

Learn more about DoubleClue here.

Deepfake – what is real?

7. May 2021/in Identity & Access Management, IT Security/by Michaela Senft

The digital and analog worlds are becoming increasingly blurred. With the rapid development of artificial intelligence and machine learning, the information we receive is becoming increasingly complex. Nevertheless, we are finding that what we humans find very easy – such as facial recognition – first has to be taught to artificial intelligence. This so-called deep learning is a very complex process. Put simply, the algorithm breaks down the complex structures of the object into individual hierarchically structured concepts. This is how the machine “learns” to recognize and interpret complex structures. And even – to manipulate them. This makes the transition between real and fake news fluid. For example, today we encounter image manipulation in the form of deepfake. This term is borrowed from Deep Learning denotes a deep identity fraud: with the help of state-of-the-art AI-supported software, it is possible to fake images, soundtracks, and even entire videos. Deceptively real.

Media manipulation through deepfake

At first, using AI-based systems to create new identities and stories sounds quite exciting and entertaining. A bit like Sims back then, only much more real and with better graphics. On the Internet, you can find some sites where you can create freely invented faces. Why not give them a story as well? At the same time, the boundaries between reality and lies are blurred here.

At the same time, this form of artificial intelligence shows us how easily our media can be manipulated. And how difficult it is for us to distinguish manipulated recordings from real ones. This has an impact on how we deal with media. Because if we can’t be sure that the image we’re shown is real, what are we supposed to believe? Which part of the information offered is genuine, which possibly cleverly faked?

Depending on how we evaluate a piece of information, this can influence our decisions. This starts with credibility in our private lives, but can ultimately change our political landscape as well.

Especially in the area of cyberstalking against private individuals and celebrities, deepfake has already made inroads. Through clever video manipulation, an alternative story can be attributed to anyone, a private person or a public figure. In the form of Revenge Porn, fake content is found that imputes an apparent past to people – even if in reality a video has been manipulated or even reinvented using Deepfake. In the end, this not only damages reputations, but also the mental health of those affected.

Social Engineering 2.0

Deepfake is also finding new dangerous methods in the area of white-collar crime. Social engineering attacks that have a personal connection to the victim are already particularly successful. Time pressure, pressure to perform, or hierarchical constraints often lead to the successful disclosure of identification features or internal information. But how much more successful is a CEO fraud in which voice swapping (=imitation of voices using deepfake) is used? In other words, when the supposed CEO on the phone actually sounds like the CEO or even appears in a video conference. It is then no longer possible for people to distinguish between a fake and a real telephone call.

The end of biometric credentials?

Ultimately, the development that any image, video, or voice recording can be manipulated also has an impact on the possibilities of logging in with biometric data. After all, how secure are biometric logins via FaceID if really anyone can forge an image? The answer is nevertheless reassuring: Compared to passwords or other character-based login methods, biometric authentication is comparatively secure. However, there is still a residual risk, which is why you should never rely on just one authentication method. Only the interaction of at least two authentication methods makes a login secure – both privately and professionally.

3 reasons to invest in digital identity security

12. March 2021/in Data Protection, Identity & Access Management, IT Security/by Michaela Senft

Our world is increasingly digitized and in many areas only takes place online. This also increasingly applies to our everyday working lives; companies are networked in the cloud thanks to communication and collaboration tools. Our systems such as CRM or ERP have also been outsourced to the cloud for better data availability. At the same time, questions are now increasingly being asked about the best possible protection for this outsourced infrastructure. It has become clear that VPN and virus protection alone are no longer sufficient to reliably protect your company’s IT from unauthorized access.

For this reason, you should definitely consider—if you haven’t already done so—meaningful identity management and deeper protection of your employee identities. This includes the question of how your employees can digitally identify themselves. So they can protect themselves from misuse of their own identity and its consequences. We’ve rounded up 3 key reasons why you should invest in digital identity security in your organization now, at the latest.

Secure tomorrow’s workplace today

The future is digital—that also means remote! True, remote work has existed before 2020. But 2020 was a booster for faster digitization in office applications. “Digital-only” therefore already applies to collaboration and communication. Despite the misgivings of many companies, employees have coped surprisingly well with this. They have quickly learned to anticipate these new ways of working and reap the benefits for themselves. But this is only part of the story. Although the introduction of communication and collaboration tools has been well received, network security and, in particular, the safeguarding of employee identities have often been neglected. The priority was to get operationally up and running quickly; thinking about IT security was a second step if it was thought about at all.

Yet the shift of (working) life to the digital world has created the perfect conditions for cybercrime. Phishing and social engineering attacks on companies have increased as a result of the crisis. By introducing a second factor to secure applications, they prevent identity misuse. After all, only those who can identify themselves twice—with a 2nd factor known only to them—will ultimately gain access to a file or system. Sensible and restrained access management also ensures that only those employees who really need access to sensitive areas of your corporate IT have it.

Improved usability increases employee satisfaction

Today, we expect a high level of usability and a consistent user experience with our applications. No longer just in our private lives, but also in the applications we use at work. Passwordless login increases the productivity and acceptance of your employees: because they don’t have to remember a multitude of complex passwords and can log on to their PC and applications with a single click. The combination of a multifactor authentication solution with single sign-on functionality allows fast, convenient, and uninterrupted switching between different applications. Without compromising on security.

Simplify your compliance processes

Centralized management of user identities and simplified login via single sign-on increase the productivity and effectiveness of your employees in the long term. Lengthy processes for (repeated) logins to individual applications and mandatory password changes in specific cycles are eliminated. Life is also easier for your administrators, who can dispense with complex password policies and the need to control them. Even a simple, insecure password has become a secure login with the highest security requirements through MFA.

At the same time, with a sensible Identity and Access Management and a secure multifactor authentication method, you introduce an important milestone to protect your corporate compliance. After all, the theft of (employee) identities poses a profound threat to your company; the compromise of your IT landscape and the possible associated data loss can be followed by data protection lawsuits and corporate compliance investigations. These are often more expensive than the actual damage caused by lost productivity.

Digital Collaboration—IT security while working from home

4. February 2021/in Digital Transformation, Identity & Access Management, IT Security/by Michaela Senft

The past year was a catalyst for the digitization of German companies. This relates in particular to how and especially where we worked. Many companies suddenly and mostly abruptly started to work from home.

According to Bitkom, almost every 2nd employee was affected by this development in the spring. However, this accelerator of many digitization projects also has downsides. Since the attack surface for cyberattacks has increased as a result of the decentralized IT infrastructure. We should therefore take a look at how well IT security has been ensured in this time. And especially ask ourselves the question: What could we learn from this for the current “home office”-wave?

IT security or smooth operations while working from home?

This should not be a matter of decision! Even if reality has shown that this was certainly the case. And unfortunately, it is again the case today. Because many companies have reacted to the crisis: Due to the decentralized way of working, new cloud and collaboration tools had to be introduced, such as MS Teams or Zoom. Often, however, the question of the security of these applications, which were operated almost exclusively via private Internet lines, has fallen by the wayside.

Virtually overnight, employees—and with them, the IT they use—have started to work from home. Since many companies were not prepared for such a situation, this also meant that their IT structures were not designed for remote work at all. Therefore, the priority here was to create structures that kept the daily business alive despite the home office—which often meant that questions about security took a back seat.

Lack of security standards while working from home

Both companies and employees had to consider so many things: How do I deal with the fact that my company laptop is running on the same network as my in-house network printer, the private laptop as well as my children’s smartphones? How can I ensure that the private network printer does not allow intrusion into the company network?

Responsibility for the security of in-house networks and the devices used are often passed on to employees. Often, however, the basics of IT security are lacking, such as training in IT security-related actions, for example, in the case of phishing emails or about fraudulent websites, or the necessary infrastructure for working from home.

A survey by Computerbild makes it clear that basic security measures were not being used: Only just under two-thirds of respondents said they had password protection for their computers and installed virus protection programs. And only just under half mentioned the (necessary!) separation of devices used for private and business purposes. VPN connections and multifactor authentication (MFA) were ultimately affirmed by only about one-third of respondents. This clearly shows that only just under a third of all home workplaces meet these IT security standards.

Whose IT security is affected while their employees are working from home?

In short, everyones.

However, small and medium-sized companies, in particular, lull themselves into a false sense of security; in fact, size is no guarantee that they will not be affected by ransomware attacks or similar attacks. According to a recent Bitkom study, it is small and medium-sized companies that are particularly lucrative for extortionists; unlike large companies, they often have no way of bridging economic downtime and the associated costs. A “small” ransom of a few 100,000 to a single-digit million figure often seems to be paid more quickly here than waiting for lengthy decryption processes with an uncertain outcome. Multinational players have completely different (financial) options here.

The human factor as the greatest target

Yet it is almost always the human factor that poses the greatest risk to your company’s security. Our algorithms and the AI that underlie today’s virus scanners and threat protection are so good and sophisticated that they can detect malware well. Unfortunately, humans often don’t: In the morning, we want to briefly skim through the mails over a cup of coffee. We are still tired, perhaps also under time pressure; especially in such situations, we are inclined to open an attachment or follow a link without closer examination. Especially in the environment of our own places, such carelessness is fatal: the infrastructure is less protected, the virus programs may not be up to date. A single infected PC can then paralyze your entire IT infrastructure.

In addition to carelessness, attackers also rely on emotions. Data and personal (identification) information are thus often willingly revealed. It is true that malware spam inherently uses social engineering methods to play on people’s fears and concerns. Central themes in recent months have been the new insecurities associated with the Corona crisis. Supposed instructions from superiors, authorities, or colleagues—today, well-crafted malware spam can hardly be distinguished from genuine requests and is also not intercepted by Mail Protection. This also becomes clear when you consider how well hackers have succeeded in tapping personal data via fake Corona help pages. Currently, the LKA in North Rhine-Westphalia, for example, is warning against such offers.

The consequences of a ransomware attack

Ransomware is malware that prevents access to local data or a network by encrypting and/or stealing data. The aim is usually to extort ransom money to unlock the data. Another extortion method is also the threat of successive publication or sale of sensitive data on the Internet if payment is not made.

Ransomware is usually spread via links or attachments in emails, with the spreaders relying on advanced social engineering methods and also exploiting professional constraints or emergencies in particular. After all, without human assistance, infecting the PC is almost impossible, or at least unrealistic. The human factor is the biggest vulnerability in your system. This is because, despite bugs and loopholes in programs, an attack via humans themselves is less time-consuming and resource-intensive.

The damage of such attacks—both financially and in terms of reputation—is enormous. Only very few companies are adequately secured against ransomware attacks, although around three-quarters of German companies are affected by data attacks. The damage is often in the millions, as ransomware encrypts systems and data, making it impossible to continue working. If backups are also encrypted, which are often just as vulnerable to attack as the original data due to their location on the servers, companies must reckon with definitive data losses. Since most ransomware attacks rely not only on encryption but also data extraction, even after successful decryption, further data protection lawsuits by those affected are to be expected.

These measures secure your IT

So you see: In addition to the technical component, the human factor, in particular, must be included when securing your IT systems. After all, the human factor is THE weak point in your IT system.

Short-term measures such as the strict separation of private and professional devices are a good start for the current situation. In the long term, however, you need a holistic strategy that starts with the choice of technical solutions used. This includes VPN clients, cloud applications, firewalls, and anti-virus programs. Ideally, these building blocks go hand in hand, so that the maintenance effort for your IT infrastructure is reduced.

It is also essential that you become even more aware of the importance of the human security risk—and take active measures. This starts with training courses on social engineering and manipulation. This training should not only focus on the basic problems but also explain the technical aspects. Only then can a basic understanding of the dangers of such attacks emerge.

Become aware of the importance of identity protection! Today, this can be secured with simple means such as multifactor authentication. This also kills two birds with one stone: modern multifactor authentication relies on passwordless login methods and single sign-on. This not only protects your IT but also offers your employees a simpler and more effective work experience.

DoubleClue – Your protection for the human factor

Therefore, we advise you to implement an improved identification policy in your company. Using multi-factor authentication, users must identify themselves through a second component when logging on to different applications or devices. This ensures security against unauthorized use by third parties. Multifactor authentication is especially important for all those employees who have administrative rights or remote access rights to third-party servers and devices. No matter how well you train your employees, a technical barrier that prevents unauthorized access without exception is mandatory. As a single human error by a single user is enough to cause maximum damage.

Your advantages when implementing DoubleClue

Short roll-out time: In total, you need about one day to secure your corporate network against external attacks with multifactor authentication
We accompany you completely during implementation and roll-out and offer you full support afterward

Request your 30-day free trial here.

How secure is the Electronic Patient Record?

12. January 2021/in Data Protection, Identity & Access Management, IT Security/by Michaela Senft

Since the beginning of the month, the Electronic Patient Record has been available in Germany, in which insured persons can store and manage their data in a central location. The central storage of their health data is intended to facilitate communication between patients and doctors. In the initial phase, however, patients will have to take care of filling their digital files themselves. There are also still data protection concerns: Patients will not be able to select which doctor has access to which parts of the medical record until 2022. For the time being, anyone who wants to use the Electronic Patient Record provides their doctor with all the information it contains – or none at all.

What is an Electronic Patient Record?

The Electronic Patient Record allows patients to voluntarily store their health and diagnostic data centrally in one place. The information it contains can be shared with doctors, pharmacies, and hospitals to shorten treatments. Or prevent duplicate examinations. In the future, patients will also be able to use the app to manage the information it contains. They can then decide which doctor can see which information. The digitization of bonus books, vaccination cards, and maternity records is also planned for the future.

When does the Electronic Patient Record come into effect?

Patients will be able to have their health insurers issue the Electronic Patient Record from the beginning of 2021. For the time being, however, they will have to fill it out themselves. Until July, it will only be available to around 200 practices and hospitals on a trial basis; only then will its use be extended to the whole of Germany. The health insurers, on the other hand, have no insight into the stored data, even though the Electronic Patient Record is intended to provide communication channels to their own health insurer. This prevents the insured person from suffering any disadvantages as a result of diagnoses or findings.

How secure is my data?

The Electronic Patient Record stores patient data in encrypted form. Data is exchanged with doctors and other healthcare facilities via the so-called telematics infrastructure network. However, critics have still identified security deficiencies here: For example, the TI’s virus protection is said to be insufficient to actually protect sensitive health data reliably. Also, too lax IT security measures in medical practices can be a security risk. Easy-to-guess passwords or shared admin and access rights are unfortunately still commonplace in many medical practices. You can also read a comprehensive review of the current data security in healthcare as well as the criticism of the telematics infrastructure in our blog post here.

Cases from abroad, such as a successful hacker attack in Finland, have also shown how weakly protected our sensitive healthcare data still is. Experts, therefore, advise being selective about what information you want to include in the Record. The inclusion of psychotherapeutic documents is currently not advisable. This is because such data could have negative consequences for those affected when looking for new insurance companies or employers, should this data fall into the hands of third parties without authorization.

Unfortunately, the risks and benefits of the Electronic Patient Record must be weighed up here as well. On the one hand, centrally stored data enables faster and more favorable treatment success. This saves time, costs, and nerves on both sides. However, if this sensitive data falls victim to a cyberattack, the insured person may suffer disadvantages, the consequences of which cannot yet be assessed.

Will you use the Electronic Patient Record? Join the discussion here.

DDoS attack on vaccination portal

8. January 2021/in Identity & Access Management, IT Security, Malware/by Michaela Senft

At the end of December, vaccination against the COVID-19 virus began in the European Union; it has now become known that a cyberattack on the vaccination portal of the Association of Statutory Health Insurance Physicians in Thuringia and the Thuringian Ministry of Health had already occurred in December. This was probably a so-called DDoS (Distributed Denial of Service) attack. As the vaccination center announced, the servers were overloaded by a high number of requests and collapsed as a result. Booking vaccination appointments via the site was therefore initially not possible.

What is a DDoS attack?

This form of cyberattack is an attempt to paralyze a server, a website, or even just parts of a website. For this purpose, countless (and pointless) requests are sent to the respective server within a very short time. How many requests are necessary depends on the server’s capacity. In Thuringia, about 158,000 requests were necessary.

The requests are usually sent by a mixture of botnets and reflectors. Botnets are infected devices that can be directly controlled by the hacker by means of malware. These “zombie” computers then send misleading connection requests to other computers, which are then called reflectors. These reflectors do not necessarily have to be infected themselves. Because here, hackers exploit the characteristics of our modern devices to also want to “answer” queries. In this way, they manage to build up a comparatively small botnet and also cover their tracks, since devices that are not involved in themselves now also support the attack.

Who is the target of DDoS attacks?

The good news, if you will, upfront: the target of such attacks is not private individuals. Such attacks usually target large websites and opinion leaders – but also, as the current case shows, the healthcare sector, governments, or banks. In other words, important and critical infrastructure. This is why some security experts classify DDoS attacks in the realm of digital warfare, as they can paralyze critical civilian networks and thus harm society.

It is important to note, however, that a DDoS attack does not primarily have monetary goals. It is often about protesting against a site that does not correspond to one’s own political opinion. Or even just to prove that one has the skills to carry out such hacks. These attacks become really critical when the primary goal is not to cripple the site, but other actions are running in the background. The superficial distraction facilitates the cover-up of a more serious hack in the background. If critical infrastructures are affected, a ransom demand can also follow in order to release the server as quickly as possible and get it up and running again.

For the current case, however, the background of the act is not further known.

How can you protect yourself from a DDoS attack?

Since you as a private individual are not the primary target of such an attack, the sobering answer here is: very little to nothing. However, your primary goal should always be to protect your PC as best as possible against malware being installed. After all, this is how you can at least prevent yourself from becoming part of the botnet. Therefore, always update your virus software on the devices you use in a timely manner. The router also plays an important role in protecting your network and should therefore always be up to date. The same applies to your passwords. Wherever possible, set up modern password protection with multifactor authentication. A password manager can help you keep track of your passwords.

As a web administrator, you basically have options available to defend against such attacks. For example, if you notice an unusual data stream in time, you can redirect it to a “black hole” (= a non-existent server). A bandwidth management tool as well as good virus software will help you in advance to fend off simple DDoS attacks if necessary. The last option is to rent a higher bandwidth to ensure availability despite high traffic. For your users, unfortunately, the only option is to wait until your service is available again.

Mimikatz – a cute name, but a dangerous Offensive Security Tool

27. November 2020/in Identity & Access Management, IT Security/by Michaela Senft

The Windows security tool Mimikatz may have a cute name – but it also has a great potential for damage. It was originally developed to demonstrate the security vulnerabilities of Windows systems, as there is a gap in the authentication process. It quickly evolved from a tool for white-hat hackers to one for black-hat hackers. Nevertheless, even today, admins still use the tool to detect and then close security holes in their own systems. Therefore, Mimikatz is one of the best known Offensive Security Tools (OST), which is freely available as open-source.

How does Mimikatz work?

With the help of Mimikatz, it is possible to read passwords, PINs, and Kerberos tickets from Windows systems, which is why it is often used by malware attackers. For this purpose, Mimikatz uses the Windows Single-Sign-On function, which has the so-called “WDigest” feature. This feature is used to load encrypted passwords and their keys into memory. Especially companies or other organizations use this feature to authenticate user groups. Although WDigest is disabled by default in Windows 10, anyone with administrative rights can enable it. And thus read out the passwords of the user groups using Mimikatz.

This makes the software a powerful tool for hackers

Root Access is required to successfully introduce Mimikatz into a system. Once the software is in the system, there are different ways how Mimikatz can work:

Pass-the-hash – In earlier versions, Windows saved passwords in a so-called NTLM hash when logging in. Attackers can therefore use Mimikatz to copy this exact hash string and use it on the target computer to log in. The password does not even have to be known for this, since this character string is sufficient for authentication.

Pass-the-Ticket – Newer versions of Windows no longer use an NTLM hash for authentication, but so-called Kerberos tickets. Mimikatz is now able to read this ticket and pass it on to another computer so that you can log in there as this user.

Over-Pass the Hash (Pass-the-Key) – With the help of the key obtained in this way, hackers can pretend to be users who can be accessed via a domain controller.

Kerberos Golden Ticket – A golden ticket gives you domain administration rights for each computer on the network. Perfidious: Golden tickets do not expire.

Kerberos Silver Ticket – Kerberos gives a user a TGS ticket that is used to log on to all services on the network. This is possible because Windows does not check TGS tickets at every login.

Pass-the-Cache– In general, this is the same tactic as a pass-the-ticket attack. However, no Windows system is compromised here, but the stored and entered login data is used on a Mac, UNIX, or Linux system.

To protect your system

Ideally, Mimikatz should not be able to access your system at all. A prerequisite for an initially secure Windows system is an upgrade to Windows 10 (or at least 8.1). If this is not possible, it is at least advisable to disable WDigest manually, although this should probably only be a small hurdle for a skilled attacker. Regardless of the Windows version used, a configuration of the Local Security Authority (LSA) is necessary.

Unfortunately, an overriding admin password is still common practice in companies today, although this is a well-known security hole. Every Windows machine needs its own unique administrator password. The combination of LSASS and safe mode makes Mimikatz ineffective under the newer Windows versions.

You should also educate your employees about the dangers of phishing emails and limit the use of macros,

Discover mimic cat

Detecting facial expressions is a difficult task since most detection solutions do not work with the software. The only real solution to reliably identify Mimikatz is to specifically examine your own system for it. The use of a manual network monitoring component is therefore highly recommended.

So what to do?

In the end, Mimikatz remains a highly dangerous and efficient tool for hackers that can easily slip past automated security checks. It is therefore the human being’s duty to remain vigilant. Simple security installations like unique admin passwords for each machine. Only necessary admin and remote access and multi-factor authentication, which does not work with the logic of Windows systems, form a strong hurdle.

Black Friday – How Cybercriminals are hunting for your data

24. November 2020/in Data Protection, Identity & Access Management, IT Security/by Michaela Senft

It’s the end of November and thus bargains time for most of us: Under names like Black Friday, Black Week, Cyber Week, Cyber Friday – or other creative names – companies are now luring us bargain hunters in the fight for pre-Christmas business. But the bargains not only attract us as consumers but also cybercriminals. And these in turn lure us with “offers” via e-mail or online ads, to elicit our data unnoticed. The British National Cyber Security Centre (NCSC) has now renewed its warning on the occasion of the Shopping Week to be careful when shopping online. Consumers should be particularly careful where they store and what data they disclose when they do so, especially in the rush to buy and find bargains.

Black Friday offers via phishing e-mails

However, this mindfulness begins even before the actual shopping experience. Because under the flood of actual offer e-mails from various providers, one or the other phishing e-mail can also be hidden. Of course, everyone wants to participate in the pre-Christmas business, but these phishing emails are out to get usernames, passwords, or credit card information – for nothing in return, of course. You’d better be wary of receiving offers from merchants you don’t know. Or when direct links to bargain items are offered. In any case, it’s better to manually enter the merchant’s site into the search box to make sure you end up on the right homepage. The offer will be there already if it is a real offer from the dealer. Because often enough the rule is: If the offer is too good to be true, then it probably is!

More information?! – Then better no information

There is nothing to be said against trying out smaller and unknown retailers and not always buying from the same well-known multinational supplier. But there are a few clues that help to distinguish serious websites from dubious ones. For example, the payment process should be clearly arranged and no personal information should be requested that is not necessary. Additional security details such as a codeword or a secret question may sound trustworthy at first – but they are not at all. During the payment process, you should really not be asked for your mother’s maiden name, your first pet, or your brother’s place of residence. At this point at the latest, you should cancel the purchase process. Ideally, before you have given your bank details.

Check the security of the payment process

Completely different from an unnecessary security query, the question of multi-factor authentication is to be evaluated. Multi-factor authentication serves to identify you as the buyer. Without entering a second factor in addition to the password – usually, a code sent to you by e-mail or SMS – nobody can place an order. This ensures that only those who have access to your e-mail address or your smartphone can carry out this process. However, not all serious online stores offer this: If you want at least a little security, check the address bar of your browser before entering your data. If there is a padlock symbol there, it means that the connection to the merchant is secure. Of course, this does not mean that the dealer is legitimate, but at least the connection is secure.

And if the store asks you to save your payment data, do so only if you are really sure that you want to order there again. Otherwise, this information is absolutely unnecessary. And creates another factor of low security.

Black(out) Friday and Amazon Phishing Day

A similar phenomenon as around Black Friday can also be found on Amazon Prime Day: Here, too, cybercriminals take advantage of an event and the bargaining mood of the customers around it to obtain passwords, credit card data, and the like. In their phishing campaigns, cybercriminals use a similar structure to their fake Amazon site and often use similar actions as the “real” Amazon. These actions are especially perfidious because the URLs also want to come as close as possible to the original and have at least “amazon” in their name. Often the URL is unnecessarily long so that it is not obvious at first glance that this is a completely different page, which seems to belong to Amazon, but is ultimately hosted somewhere else.

You should always be suspicious if you are not supposed to enter a password at Amazon – but other personal information, including your credit or debit card number. Security experts therefore strongly recommend that you always start on the actual page and never from an email link, even for special promotions such as Amazon Prime Day or Black Friday. Also, if you enter your information differently than usual, you may be dealing with a fraudulent fake site. And pay attention to details: Does the page look the way you are used to? Is the shopping cart icon in the same place as usual? Are all pictures in focus? Can you get to the store’s homepage by clicking on the store’s logo? Is continuous navigation in the store possible? Is the URL complete and logical? Only when all these things are correct should you start the payment process.

Data protection and cybersecurity in the healthcare system

18. November 2020/in Data Protection, Identity & Access Management, IT Security/by Michaela Senft

The digitalization of our healthcare system is progressing massively: The German federal government is promoting the networking of medical facilities through the so-called telematics infrastructure Telematik Infrastruktur, TI). As a result of the corona crisis, the need for online communication between doctors and patients has increased. In addition to these developments, the electronic patient file will be introduced in January 2021.

With such networking of our healthcare system, it is time to take a critical look at the security of the systems and thus of our data. The importance of cybersecurity for the protection of patient records is unfortunately demonstrated by those cases in which attackers have succeeded in penetrating an institution’s system, paralyzing it, or – in the worst case – even stealing data records.

There have also been many reports of major attacks on hospital IT worldwide in recent times. However, it should not be forgotten that cyberattacks can affect not only large medical institutions. It also affects small, independent doctor’s offices – such a singular attack can threaten their existence for various reasons. And it also involves risks for us consumers.

Securing IT structures in the healthcare system properly

Basics of secure IT systems

First of all, medical institutions, more than any other, must carefully select and maintain their IT infrastructure. An up-to-date operating system with all relevant security updates, a functioning hardware firewall, and an up-to-date and intelligent anti-virus program should be standard. Besides, there should be regular security updates and, ideally, daily backups that cannot be processed from the system. In this way, facilities can be up and running again quickly in the event of a ransomware attack. And the loss of data in your own systems is at least limited.

But password security is also an important point that all too often gets lost in everyday professional life: For many physicians in private doctor’s office, it is necessary to find a compromise between security and practicability. Especially because computers at reception or in laboratories may be used by several people. Nevertheless, even these shared passwords should comply with security standards and be renewed regularly. We also recommend the introduction of a practicable multi-factor authentication.

Since this is a sensitive infrastructure, clear rules for IT use in the workplace should also be established: May private mails be checked? Are online purchases or other surfing behavior allowed? May own storage media be brought and used? Are there special devices that are not connected to the doctor’s office network? It is important here to increase awareness of possible security gaps that could arise from this behavior. Employee training courses on cybersecurity, phishing, or social engineering should therefore be held regularly.

Cyber insurance can also minimize the (financial) risks that arise after an attack has taken place. Often good security concepts ensure that the contribution is minimized, and only the compulsion to deal with this topic creates good conditions for the actual implementation of plans.

Increased security thanks to telematics infrastructure (TI)?

With the large-scale introduction of the telematics infrastructure (TI) in German medical doctor’s offices since 2018, the security of the systems was to be further increased. Patient information was to be made available quickly and securely via this secure channel to reduce treatment costs through repeated examinations. However, reports are accumulating that the connection to the network is not as secure as announced.

Which security gaps in TI are described?

Although the TI has been forced to connect to the network, liability in the event of cyber-attacks in particular – and thus for data protection issues – has not been sufficiently clarified. Last year, the IT-expert Jens Ernst from happycomputer already revealed considerable data protection deficiencies when connecting to the telematics infrastructure.

This starts with the way the TI connector is integrated into the network of doctor’s offices. This is where you have the option of choosing between serial and parallel integration. Although serial integration initially requires more installation effort, it offers the advantage that all devices in the doctor’s offices are included in the federal security network. Extra protection on the part of the doctor’s office owners is not necessary according to information of the Gematik. Parallel integration, on the other hand, requires that the physicians make their own efforts to secure their existing systems and devices. This actually only makes sense for larger units that have already integrated many devices into their system before.

Nevertheless, it seems that most units were connected in parallel operation. In this case, the doctor’s office owners themselves would now have to ensure that their own systems were secured. However, many claims that they have not been sufficiently informed about this by their IT provider. Ernst describes that even with the few facilities that have been connected serially, security systems do not function correctly. This is because the firewall of the TI connector in use would not be sufficient to detect an anti-virus test file that he had installed. This means that even in this case there is no security against access by third parties without further security measures. In the vast majority of doctor’s offices, there is therefore no hardware firewall, regardless of how they are integrated. Besides, the virus protection on the computer and the software firewall, which every computer has today, was often switched off.

How can the healthcare system guarantee cybersecurity?

Ernst calls for an open approach to the topic of cybersecurity, which basically rests on three pillars:

A doctor’s office needs a higher security level than just a router, as is often the case today.
Sensitive data should not be sent via a WIFI network. The connector’s LAN network sends data unencrypted; by intruding into the WIFI, it is possible to “listen in”.
Devices that cannot be sufficiently protected due to their design should not be used or operated in a DMZ (Demilitarized Zone).

He also proposes the development of a DMZ in which all TI systems are included. This is currently not even the case for the telematics infrastructure itself. He also criticizes the fact that IT specialists do not need a separate certificate from Gematik to connect the TI. This would ensure that only trained personnel are allowed to carry out the installation and that sufficient educational work is done with the liable physicians.

In summary, Ernst states that the security of all systems can only be guaranteed if the vast majority of surgeries completely remove their computers and devices from the network. Neither the TI connectors nor their own systems would offer any protection whatsoever to safely store consumer data.

As security experts, we too say that security should clearly be the most important starting point for digitization. The security of the systems must be guaranteed before any equipment is connected.

What do you think? Discuss with us.

Viruses in hospitals – Cybersecurity in the Corona pandemic

13. November 2020/in Data Protection, Identity & Access Management, IT Security/by Michaela Senft

The corona pandemic is pushing hospitals and care facilities to their limits. And this also affects the cybersecurity of many facilities. According to Interpol, an increasing number of attacks on the IT network of hospitals has been reported in recent months.

Particularly in the USA, the FBI has been warning since October about increasing cyber attacks on hospitals and the service providers connected to them. At the end of October, various facilities were successfully infected with so-called ransomware. Due to data encryption, the normal operation of the hospitals was no longer possible. Read more here.

But why do hospitals in particular offer such good targets for cyberattacks?

IoT implementation despite low security standards

Hospital IT is one thing in particular: historically grown. And that is exactly problem, in two respects. Historical means that sometimes not all operating systems and application structures are state-of-the-art. Often important security updates or patches are missing to protect the systems. At the same time, the technical infrastructure in the healthcare sector is growing rapidly due to the digitalization of various processes.

This affects medical devices that can communicate via IoT, but often also with the office network. The latter is potentially high-risk since an attack on office computers also affects the IoT devices in the background. Portable medical devices that remotely monitor patients’ vital signs could fail under certain circumstances. A cyber attack would therefore be life-threatening for patients.

Also, hospitals are using opportunities for further digital expansion in the area of office IT: new PCs, tablets, or other smart devices are being purchased that can be used to communicate patient data internally. However, these devices may not even be designed for use in a highly sensitive environment such as a hospital and do not comply with data protection laws or cybersecurity standards. Weak points in their security systems are therefore also ideal starting points for compromising the technical infrastructure.

Besides, some institutions are forced to cut costs and often lack the budget for adequate security of their IT systems. Although they invest in the latest technology, they lack the money and know-how for the corresponding security. And sometimes the clinics themselves are not in control of security installations. Whenever they are connected to third-party providers and their systems. Because even if their own IT has very good security standards, this is not necessarily right for external providers.

Cybersecurity – not just a matter of time

Lack of personnel and thus lack of time are unfortunately everyday life in the medical and nursing professions. Often there is not enough time for the actual work – so where do they get the time to deal with cybersecurity? Most people are probably familiar with simple rules such as switching on a lock screen as soon as you leave your desk or checking the sender of an e-mail. But often the necessary time and/or awareness of the dangers involved is lacking in everyday business life. Employee training courses on cybersecurity could help here – if only time and budget were available.

However, increased attention would make sense. Hospitals are public institutions and therefore easily accessible. Even if the measures in the corona period make access more difficult, it should at least be noted that reception in particular poses a potential cybersecurity risk. In an unattended moment, a potential attacker could enter the hospital’s IT system and could unnoticed install malware on the reception PC via a USB stick.

Also, modern hospitals themselves act as IT service providers. WIFI access is provided for patients and visitors. If the systems are not detached from the actual company network, a potential gateway for hackers is left open.

Increasing the endpoint security of the diverse hospital IT landscape

As you can see, hospitals and other medical facilities already have a diverse IT landscape as a unit. These interwoven areas make the entire IT system vulnerable as soon as a weakness becomes apparent. Due to the sensitivity and criticality of the data and the associated devices and procedures, they require very high security standards. Increasing the endpoint security of KRITIS facilities should therefore be a concern.

A mantra that not only we repeat again and again is the active training of employees, which as an organizational unit belongs to endpoint security: Education creates an awareness of possible sources of danger and how to prevent them. A well set up mail protection is also mandatory for a KRITIS institution.

Besides, Internet access should only be available on those devices that need it. RDP ports (Remote Desktop Protocol) should be secured in such a way that access from outside is not possible. And above all: business-critical areas and the visitor and patient WIFI should not be connected under any circumstances!

And – we can’t repeat this often enough – activate Multi-Factor Authentication (MFA) for all applications connected to business-critical networks. This provides a high hurdle against intrusion by unauthorized third parties and above all against compromising the systems by them.