Hacking

How well is your company protected against hacking?

Missing access policies, poor password hygiene, and lack of awareness of social engineering: humans are the biggest risk factor for your IT security. It doesn’t have to be. A comprehensive identity protection solution like DoubleClue protects your employee identities and access from misuse – and improves internal workflow in a compliant manner for smooth operations.

Social Engineering: Humans at the Heart of Hackers

Digitization brings with it a major challenge: ensuring that only authorized individuals have access to certain devices, applications, and data. In addition to safeguarding against technical attacks (firewall, VPN clients, and anti-virus software), this also includes a social component.

Modern hacking attacks have long relied on the biggest weak point in your IT landscape: the human factor, and people’s negligence in dealing with basic security requirements. Passwords that are too short or reused, a lack of awareness of social engineering, or simply lax settings in identity and access management form the gateway for criminal machinations.

DoubleClue: IT Security for the Human Factor

  • Granular distribution of access rights to employees as well as external resources using comprehensive Identity and Access Management (IAM) including Privileged Access Management (PAM)
  • Multifactor Authentication (MFA) protects employee identities from misuse
  • Centralized password management increases enterprise password security while enabling a pleasant user experience
  • Centralized password and data storage encrypted from both external and internal access

Automate approval processes using digital signatures

DoubleClue offers companies many options for user self-service via the system: autonomous addition of devices and applications, automated password reset without administrator involvement, as well as digital approval of document access and granting of approvals via push messages. This saves time and resources on day-to-day operations.

At the same time, these approval processes are tamper-proof thanks to Public Key Infrastructure (PKI). Thus, push messages generated by DoubleClue comply with the standards of the Digital Signature Act and PSD 2 regulation.

Encrypted data storage

The integrated DoubleClue CloudSafe enables centralized encrypted storage of highly sensitive files on your own servers (on-premises) or in the cloud. This allows device-independent access, which can also be shared with internal and external parties. Furthermore, this advanced type of storage rules out decryption by third parties. Thus, passwords and confidential documents can be stored in DoubleClue without hesitation.

Uninterrupted workflows through reduced password entry

Software that combines IAM, MFA, and password management enables single sign-on (SSO). This means that your employees only need to log into DoubleClue once to gain uninterrupted access to their applications. This leads to higher employee productivity and satisfaction in your organization.
The innovative DoubleClue Single Sign-On additionally embeds automated log-in to applications that rely on common third-party MFA.

Invest in the passwordless future today

IT security is the foundation of your modern enterprise. At the same time, a future-proof solution must map the future needs of innovative companies today.
Predictions from business experts indicate that passwords will be replaced by more secure authentication options – today, they remain a reality for the vast majority of applications.

With DoubleClue, which brings the integrated PasswordSafe, you have a state-of-the-art software solution while being prepared for the passwordless future. The innovative range of functions forms the basis for smooth workflows and efficient collaboration in your company. This makes DoubleClue the optimal and secure solution for identity protection.

Learn more about DoubleClue here.

Multifactor Authentication

You should know these forms of multifactor authentication

The purely password-based log-in has had its day. At least it should have. Regardless of whether you want to protect a private or professional account, you should reach for multifactor authentication (MFA).

But what is MFA actually? In short, multifactor authentication is an authentication method that asks for the main factor (usually a password) and another factor to verify the user’s identity. Only those who can enter both pieces of the information correctly are granted access to the requested resource. For the second factor, a distinction is also made as to whether it is a factor that the person physically possesses (a hardware component) or something that the person brings with him or her (biometric data). After all, not all MFA is the same.

We show you what forms of authentication there are – and how they differ.

Password as the first factor

The most basic form of verifying one’s identity with online services or with local applications is the password. Usually, this is requested in combination with a user name or an e-mail address. However, as mentioned at the beginning, this form of authentication is susceptible to security incidents. If the combination of these simple access data falls into the hands of another person, this person can gain unhindered access to the account and even lock out the actual “owner” – for example by changing the password and/or the stored e-mail address. In the worst case, an attacker not only gains access to the account but can even take it over completely. Therefore, you should avoid authentication with passwords and usernames alone. Whenever a service offers another form of authentication, you should use it as well.

Security questions do not provide security

Security questions are not really a form of multifactor authentication. Nevertheless, most of us have certainly used them more than once. Basically, these queries serve a similar purpose as multifactor authentication; they are used when a user has been “locked out” of their mail account and now wants to reset the password, or to verify identity when changes are made to the account. This is also meant to prevent the case described above, where someone could simply take over the account.

Unfortunately, the answers are often even easier to guess than the password itself. Your pet’s name? Can definitely be found on Facebook or Instagram! Your mother’s maiden name? Via Facebook or Instagram. Your favorite color? You guessed it – exactly, on Facebook or Instagram. Therefore, it is not very advisable to consider this method as a 2nd factor. If used at all, you can of course “trick” the system here and, for example, enter your mother’s maiden name instead of the color. But be honest: Would you still know that after a year?

SMS or voice code as the most common second factor

A very common form of multifactor authentication is the so-called SMS or voice code. With this form of authentication, you store a mobile or landline phone number to which you are sent a code via SMS or voice message for authentication purposes. You then use this code to verify your identity with the application. The hurdles to using this MFA method are low: most of us carry our smartphones with us at all times, so authentication is possible at any time. Even entering a four- to six-digit code from the SMS is as easy as can be.

Although very common, this is a comparatively weak form of multifactor authentication. This is due to several things:

  • The delivery of SMS is not error-free: delivery can fail, for example, due to reception problems. Sometimes an SMS is “lost” during sending, or it arrives later than the time-out of the application allows.
  • At the same time, SMS and phone calls are just as vulnerable to phishing and social engineering as passwords themselves. This concerns, for example, the possibility of having a replacement SIM card issued based on data obtained through manipulation.
  • Further, SMS could be read by a Trojan already installed on your smartphone.
  • A smartphone can be stolen or lost; if no screen lock is set up, a third party could gain access to your codes.

Don’t get us wrong: this form of MFA is more secure than not having MFA at all. An installed Trojan is the most likely scenario. But ultimately, your account data (password/username) would have to be stolen together with your phone data or smartphone, and at a time when a code is valid. Taken together, this is quite unlikely after all, or requires a lot of groundwork on the part of the hackers to get all the information about you, your passwords, and your devices bundled together.

Trusted device for easy verification

You can also use a device that cannot be duplicated for authentication. This “trusted device” can be, for example, a smartphone that is unique due to its composition of individual hardware and software components. In most cases, the lock code of the home screen is also used to verify identity and prevent misuse of the device. Using this form of authentication is also very simple. We carry our smartphones with us all the time, and we are used to entering our lock codes in everyday life. However, losing the hardware can result in you no longer being able to access your MFA-protected services and applications. Therefore, it is advisable to set up an alternative authentication method.

All-purpose Authenticator Apps

Various manufacturers offer so-called Authenticator Apps. These are suitable for the popular iOS and Android versions and can be used on the vast majority of smartphones. To add a service or an application to the Authenticator, compatible services usually offer scanning via a QR code. This is generated once for the user. After linking the Authenticator and the application, further authentication on a specific device using the 2nd factor can be skipped for a certain period of time. This significantly improves the user experience.

Basically, there are three possible applications for Authenticator apps:

  • Push approvals.
    These are a convenient way to confirm a login attempt to a connected service. Users can confirm their own login attempt with one click – or reject suspicious events. Access is only granted after confirmation. For increased security, these push approvals are only valid for a set time.
  • Creation of one-time codes.
    At the same time, Authenticator apps create verification codes. Code generation is usually based on the OATH TOTP (Time-based One-Time Password) method; this uses a key known to you and the server, as well as the current time, to generate a new unique code every 30 seconds. Due to the short-lived nature of these codes, even an intercepted code quickly becomes worthless.
  • Biometric login.
    A frequently used option is logging in with biometric features such as fingerprint or face scan. These are stored once in the app so that no more login information has to be entered in the future. The biometric login is considered particularly secure, as it is extremely difficult to fake. But not all biometric scans are the same; depending on the manufacturer, the security of the systems can vary due to the method.

The Authenticator apps combine several advantages for the user. They run on ordinary (mobile) devices that each of us carries around all the time. At the same time, they automate the login to various services or applications and are very user-friendly thanks to their setting options. And they are particularly secure at the same time. Some authenticator apps also offer encrypted storage in the cloud – or at least an encrypted backup token via it. This makes them resistant to loss and failure, since they are not tied to a single device.

Hardware tokens

Another option is to use so-called hardware tokens. These are small chips with different appearance and functionality depending on the manufacturer. Like Authenticator apps, they are used to generate one-time passwords, which is why they are also known as OTP (one-time-password) tokens. The generated one-time codes work similarly to the codes generated in an Authenticator App. In addition to OTP tokens, there is also the option to rely on FIDO U2F tokens. These are based on public-key cryptography and thus rely on a completely different mechanism, in which the user must also confirm on the hardware itself.

The advantage of hardware tokens is clearly that even employees who do not own a company smartphone can be equipped cost-effectively. At the same time, hardware tokens offer less convenience in use than, say, a smartphone. This is because the latter is an integral part of our everyday lives, whereas a hardware token is often perceived as a nuisance.

Which form of authentication with a second factor you ultimately rely on is up to your preferences. Each form has advantages and disadvantages, especially in the area of handling and user-friendliness.

And yet it remains to be noted: Any form of multifactor authentication is better than no multifactor authentication.

Deepfake

Deepfake – what is real?

The digital and analog worlds are becoming increasingly blurred. With the rapid development of artificial intelligence and machine learning, the information we receive is becoming increasingly complex. Nevertheless, we are finding that what we humans find very easy – such as facial recognition – first has to be taught to artificial intelligence. This so-called deep learning is a very complex process. Put simply, the algorithm breaks down the complex structures of the object into individual hierarchically structured concepts. This is how the machine “learns” to recognize and interpret complex structures. And even – to manipulate them. This makes the transition between real and fake news fluid. For example, today we encounter image manipulation in the form of deepfake. This term, borrowed from deep learning, denotes a deep identity fraud: with the help of state-of-the-art AI-supported software, it is possible to fake images, soundtracks, and even entire videos. Deceptively real.

Media manipulation through deepfake

At first, using AI-based systems to create new identities and stories sounds quite exciting and entertaining. A bit like The Sims back then, only much more real and with better graphics. On the Internet, you can find some sites where you can create freely invented faces. Why not give them a story as well? At the same time, the boundaries between reality and lies are blurred here.

At the same time, this form of artificial intelligence shows us how easily our media can be manipulated. And how difficult it is for us to distinguish manipulated recordings from real ones. This has an impact on how we deal with media. Because if we can’t be sure that the image we’re shown is real, what are we supposed to believe? Which part of the information offered is genuine, which possibly cleverly faked?

Depending on how we evaluate a piece of information, this can influence our decisions. This starts with credibility in our private lives, but can ultimately change our political landscape as well.

Especially in the area of cyberstalking against private individuals and celebrities, deepfake has already made inroads. Through clever video manipulation, an alternative story can be attributed to anyone, a private person or a public figure. In the form of Revenge Porn, fake content is found that imputes an apparent past to people – even if in reality a video has been manipulated or even reinvented using Deepfake. In the end, this not only damages reputations, but also the mental health of those affected.

Social Engineering 2.0

Deepfake is also finding new dangerous uses in the area of white-collar crime. Social engineering attacks that have a personal connection to the victim are already particularly successful. Time pressure, pressure to perform, or hierarchical constraints often lead to the disclosure of identification features or internal information. But how much more successful is a CEO fraud in which voice swapping (imitation of voices using deepfake) is used? In other words, when the supposed CEO on the phone actually sounds like the CEO or even appears in a video conference. It is then no longer possible for people to distinguish between a fake and a real telephone call.

The end of biometric credentials?

Ultimately, the development that any image, video, or voice recording can be manipulated also has an impact on the possibilities of logging in with biometric data. After all, how secure are biometric logins via Face ID if really anyone can forge an image? The answer is nevertheless reassuring: Compared to passwords or other character-based login methods, biometric authentication is comparatively secure. However, there is still a residual risk, which is why you should never rely on just one authentication method. Only the interaction of at least two authentication methods makes a login secure – both privately and professionally.

Identity Security

3 reasons to invest in digital identity security

Our world is increasingly digitized and in many areas only takes place online. This also increasingly applies to our everyday working lives; companies are networked in the cloud thanks to communication and collaboration tools. Our systems such as CRM or ERP have also been outsourced to the cloud for better data availability. At the same time, questions are now increasingly being asked about the best possible protection for this outsourced infrastructure. It has become clear that VPN and virus protection alone are no longer sufficient to reliably protect your company’s IT from unauthorized access.

For this reason, you should definitely consider—if you haven’t already done so—meaningful identity management and deeper protection of your employee identities. This includes the question of how your employees can digitally identify themselves, so that they can protect themselves from misuse of their own identity and its consequences. We’ve rounded up 3 key reasons why you should invest in digital identity security in your organization now, at the latest.

Secure tomorrow’s workplace today

The future is digital—that also means remote! True, remote work existed before 2020. But 2020 was a booster for faster digitization in office applications. “Digital-only” therefore already applies to collaboration and communication. Despite the misgivings of many companies, employees have coped surprisingly well with this. They have quickly learned to adapt to these new ways of working and reap the benefits for themselves. But this is only part of the story. Although the introduction of communication and collaboration tools has been well received, network security and, in particular, the safeguarding of employee identities have often been neglected. The priority was to get operationally up and running quickly; thinking about IT security was a second step, if it was thought about at all.

Yet the shift of (working) life to the digital world has created the perfect conditions for cybercrime. Phishing and social engineering attacks on companies have increased as a result of the crisis. By introducing a second factor to secure applications, companies prevent identity misuse. After all, only those who can identify themselves twice—with a 2nd factor known only to them—will ultimately gain access to a file or system. Sensible and restrained access management also ensures that only those employees who really need access to sensitive areas of your corporate IT have it.

Improved usability increases employee satisfaction

Today, we expect a high level of usability and a consistent user experience with our applications. No longer just in our private lives, but also in the applications we use at work. Passwordless login increases the productivity and acceptance of your employees: because they don’t have to remember a multitude of complex passwords and can log on to their PC and applications with a single click. The combination of a multifactor authentication solution with single sign-on functionality allows fast, convenient, and uninterrupted switching between different applications. Without compromising on security.

Simplify your compliance processes

Centralized management of user identities and simplified login via single sign-on increase the productivity and effectiveness of your employees in the long term. Lengthy processes for (repeated) logins to individual applications and mandatory password changes in specific cycles are eliminated. Life is also easier for your administrators, who can dispense with complex password policies and the need to enforce them. Through MFA, even a simple, insecure password becomes part of a secure login that meets the highest security requirements.

At the same time, with a sensible Identity and Access Management and a secure multifactor authentication method, you introduce an important milestone to protect your corporate compliance. After all, the theft of (employee) identities poses a profound threat to your company; the compromise of your IT landscape and the possible associated data loss can be followed by data protection lawsuits and corporate compliance investigations. These are often more expensive than the actual damage caused by lost productivity.

Phishing

The consequences of phishing attacks for companies

Phishing attacks on companies are on the rise. You would think that everyone would be familiar with the term. In fact, a recent report from Proofpoint showed that many employees are unaware of what phishing actually is. And they are therefore unable to assess how they could be affected by it. And, ultimately, how they can protect themselves from such attacks.

That’s why we’d like to start by defining the term before going into what consequences this has for companies. And we show you what simple tools can help with prevention.

Where do we face phishing?

Phishing describes the process by which fraudsters attempt to obtain personal data using forged e-mails, instant messages, or websites. A special form is so-called vishing, in which this fraudulent process is carried out via the telephone.

In the case of private individuals, the aim is usually to obtain payment and identity data or passwords directly. A variation is the (surreptitious) download of malware, whether in the form of ransomware to extort a ransom after data encryption, or to form a so-called botnet. The latter makes the PC remotely controllable, so that it can become the starting point of another wave of infections, for example.

In the business environment, phishing attacks do not necessarily primarily target the individual concerned. Often, the entire company is at the center of such attacks. Even if companies still have weaknesses in their technical security, the phishing phenomenon shows that people are the most fragile link in the security chain. This is because people are targeted using mailings or telephone campaigns to elicit relevant information from them. Employee awareness training repeatedly shows how carelessly employees pass on information or follow (dubious) links during good social engineering campaigns.

For a large-scale social engineering campaign against a specific company, tapping user and access data can certainly be the first step. Often, however, the actual attack is preceded by espionage attempts. Perpetrators use fictitious e-mails and/or phone calls to specifically identify people responsible for the finance or IT departments, for example. This enables them to launch the actual attack on the company at the right point. These targeted attacks on the upper management level are often more successful than an untargeted attack on individual employees since a broad information base is available here; built up via external as well as internal sources.

Possible campaigns on companies

Companies that promise lucrative profits are the focus of phishing attacks. Small and medium-sized companies and large hidden champions are particularly often targeted by fraudsters. Because of their low profile, they often lull themselves into a false sense of security and neglect the protection of their networks and systems. This is a fatal mistake, since weak security systems and access restrictions, as well as a lack of investment in employee awareness and training, can be very costly.

One form of social engineering campaign that has become increasingly common is CEO fraud, also known as business email compromise. In this case, e-mails are sent to employees in the name of superiors up to the top management level to obtain their data. At the same time, however, executives, in particular, are also targeted by cybercriminals.

In addition to such targeted campaigns, attackers also continue to use classic methods, such as fake links or attachments to supposedly download business-relevant documents. Especially in the business environment, where there is a compulsion to open files or follow up on information, attackers have an easy time if they target relevant topics.

The consequences for companies

A successful phishing attack can cause several major problems for businesses. We have summarized the most common consequences and causes in the graphic.

Infographic Phishing

Well protected thanks to MFA and IAM

When dealing with phishing, it is essential to particularly safeguard the human factor. Even the best firewall or the latest anti-virus program is of no use if an employee – on the phone or via a fake e-mail link – reveals company information or access data. At least you can protect yourself and your company against the latter using sensible identity and access management and MFA (multifactor authentication).

One example of such software is DoubleClue, which combines both. Find out more about all the benefits of using DoubleClue here.

Digitization Remote

Digital Collaboration—IT security while working from home

The past year was a catalyst for the digitization of German companies. This relates in particular to how and especially where we worked. Many companies suddenly, and often abruptly, started to work from home.

According to Bitkom, almost every second employee was affected by this development in the spring. However, this accelerator of many digitization projects also has downsides, since the attack surface for cyberattacks has increased as a result of the decentralized IT infrastructure. We should therefore take a look at how well IT security has been ensured in this time, and especially ask ourselves: What can we learn from this for the current wave of working from home?

IT security or smooth operations while working from home?

Danger from cyber attacks while working from home

This should not be an either-or decision! Even if reality has shown that it often was. And unfortunately, it is again the case today. Many companies reacted to the crisis: due to the decentralized way of working, new cloud and collaboration tools had to be introduced, such as MS Teams or Zoom. Often, however, the question of the security of these applications, which were operated almost exclusively via private Internet lines, fell by the wayside.

Virtually overnight, employees—and with them, the IT they use—have started to work from home. Since many companies were not prepared for such a situation, this also meant that their IT structures were not designed for remote work at all. Therefore, the priority here was to create structures that kept the daily business alive despite the home office—which often meant that questions about security took a back seat.

Lack of security standards while working from home

Security gaps

Both companies and employees had to consider so many things: How do I deal with the fact that my company laptop is running on the same network as my in-house network printer, the private laptop as well as my children’s smartphones? How can I ensure that the private network printer does not allow intrusion into the company network?

Responsibility for the security of home networks and the devices used is often passed on to employees. Often, however, the basics of IT security are lacking, such as training in security-relevant behavior, for example with phishing emails or fraudulent websites, or the necessary infrastructure for working from home.

A survey by Computerbild makes it clear that basic security measures were not being used: Only just under two-thirds of respondents said they had password protection for their computers and installed virus protection programs. And only just under half mentioned the (necessary!) separation of devices used for private and business purposes. VPN connections and multifactor authentication (MFA) were ultimately affirmed by only about one-third of respondents. This clearly shows that only just under a third of all home workplaces meet these IT security standards.

Whose IT security is affected while their employees are working from home?

Working from home affects everyone

In short, everyone’s.

However, small and medium-sized companies, in particular, lull themselves into a false sense of security; in fact, size is no guarantee that they will not be affected by ransomware or similar attacks. According to a recent Bitkom study, it is small and medium-sized companies that are particularly lucrative for extortionists; unlike large companies, they often have no way of bridging economic downtime and the associated costs. A “small” ransom of a few hundred thousand to a single-digit million figure often seems to be paid more quickly here than waiting for lengthy decryption processes with an uncertain outcome. Multinational players have completely different (financial) options here.

The human factor as the greatest target

Risk due to the human factor

Yet it is almost always the human factor that poses the greatest risk to your company’s security. The algorithms and AI that underlie today’s virus scanners and threat protection are so good and sophisticated that they can detect malware well. Unfortunately, humans often don’t: In the morning, we want to briefly skim through the mails over a cup of coffee. We are still tired, perhaps also under time pressure; especially in such situations, we are inclined to open an attachment or follow a link without closer examination. Especially in our home environment, such carelessness is fatal: the infrastructure is less protected, the virus programs may not be up to date. A single infected PC can then paralyze your entire IT infrastructure.

In addition to carelessness, attackers also rely on emotions. Data and personal (identification) information are thus often willingly revealed. It is true that malware spam inherently uses social engineering methods to play on people’s fears and concerns. Central themes in recent months have been the new insecurities associated with the Corona crisis. Supposed instructions from superiors, authorities, or colleagues—today, well-crafted malware spam can hardly be distinguished from genuine requests and is also not intercepted by Mail Protection. This also becomes clear when you consider how well hackers have succeeded in tapping personal data via fake Corona help pages. Currently, the LKA in North Rhine-Westphalia, for example, is warning against such offers.

The consequences of a ransomware attack

Consequences Ransomware

Ransomware is malware that prevents access to local data or a network by encrypting and/or stealing data. The aim is usually to extort ransom money to unlock the data. Another extortion method is also the threat of successive publication or sale of sensitive data on the Internet if payment is not made.

Ransomware is usually spread via links or attachments in emails, with the attackers relying on advanced social engineering methods and also exploiting professional constraints or emergencies in particular. After all, without human assistance, infecting the PC is almost impossible, or at least unrealistic. The human factor is the biggest vulnerability in your system. This is because, despite bugs and loopholes in programs, an attack via humans themselves is less time-consuming and resource-intensive.

The damage from such attacks, both financial and reputational, is enormous. Only very few companies are adequately protected against ransomware, even though around three-quarters of German companies report having been hit by attacks on their data. Losses often run into the millions because encrypted systems bring work to a standstill. If the backups are encrypted too, which happens whenever they sit on servers reachable from the compromised network rather than offline or on write-protected storage, companies must expect permanent data loss. And since most ransomware attacks now combine encryption with data theft, regulatory consequences and claims under data protection law by those affected can follow even after a successful decryption.

These measures secure your IT


So you see: In addition to the technical component, the human factor, in particular, must be included when securing your IT systems. After all, the human factor is THE weak point in your IT system.

Short-term measures such as the strict separation of private and professional devices are a good start for the current situation. In the long term, however, you need a holistic strategy that starts with the choice of technical solutions used. This includes VPN clients, cloud applications, firewalls, and anti-virus programs. Ideally, these building blocks go hand in hand, so that the maintenance effort for your IT infrastructure is reduced.

It is also essential that you become even more aware of the importance of the human security risk—and take active measures. This starts with training courses on social engineering and manipulation. This training should not only focus on the basic problems but also explain the technical aspects. Only then can a basic understanding of the dangers of such attacks emerge.

Become aware of the importance of identity protection! Today it can be secured with simple means such as multifactor authentication. This also kills two birds with one stone: modern multifactor authentication can be combined with passwordless login methods and single sign-on. This not only protects your IT but also offers your employees a simpler and more effective work experience.

DoubleClue – Your protection for the human factor


We therefore advise you to implement a stronger authentication policy in your company. With multi-factor authentication, users must prove their identity with a second factor when logging on to applications or devices, so that a phished, guessed or reused password alone is no longer enough for an attacker. Multifactor authentication is especially important for all employees who hold administrative rights or remote access to servers and devices, including those of third parties. No matter how well you train your employees, a technical barrier that prevents unauthorized access without exception is mandatory, because a single mistake by a single user is enough to cause maximum damage.
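To make concrete what “a second factor” does, here is an added example of a server-side verifier for time-based one-time passwords (TOTP, RFC 6238), the kind of code generated by an authenticator app. It is illustrative code written for this article, not DoubleClue’s product code and not a description of how the DoubleClue app works internally. The shared secret is the published RFC 4226/6238 test key so that the expected codes are known; the user name, the one-step clock-drift window and the rule that a time step may be accepted only once are assumptions made here.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

# Shared secret for the demo user. This is the published RFC 4226/6238 test
# key, used here so the expected codes are known; a real enrollment generates
# a random secret per user (usually handed over base32-encoded in a QR code)
# and stores it encrypted on the server.
DEMO_SECRET = b"12345678901234567890"

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # RFC 6238 default code length
DRIFT_STEPS = 1     # also accept the previous and next step (clock skew)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class SecondFactorVerifier:
    """Server-side check of the second factor after the password has passed.

    Besides comparing the code, it remembers the last time step each user
    authenticated with, so a code that was phished or read off a screen a few
    seconds earlier cannot be replayed while it is still within the window.
    """

    def __init__(self, user_secrets: Dict[str, bytes]):
        self._secrets = user_secrets                 # username -> shared secret
        self._last_used_step: Dict[str, int] = {}    # username -> last accepted step

    def verify(self, user: str, code: str, now: Optional[int] = None) -> bool:
        secret = self._secrets.get(user)
        if secret is None or len(code) != DIGITS or not code.isdigit():
            return False
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            # One-time use: never accept a step at or before the last accepted one.
            if step <= self._last_used_step.get(user, -1):
                continue
            # Constant-time comparison so the check leaks nothing via timing.
            if hmac.compare_digest(hotp(secret, step), code):
                self._last_used_step[user] = step
                return True
        return False


if __name__ == "__main__":
    verifier = SecondFactorVerifier({"alice": DEMO_SECRET})
    t = 59                                   # RFC 6238 test time, i.e. step 1
    code = totp(DEMO_SECRET, t)
    print("code at t=59:", code)             # 287082
    print("first use:", verifier.verify("alice", code, now=t))       # True
    print("replay:   ", verifier.verify("alice", code, now=t + 5))   # False
```

The point a practitioner should take from the replay rule: a six-digit code that an attacker talks a user into reading out over the phone is still valid for up to 90 seconds with the drift window above, so accepting each time step only once is what turns “one-time” from a name into a property. Push-based or FIDO2 factors avoid the read-out problem altogether, which is why they are preferable where they can be deployed.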

Your advantages when implementing DoubleClue

  • Short roll-out time: In total, you need about one day to secure your corporate network against external attacks with multifactor authentication
  • We accompany you completely during implementation and roll-out and offer you full support afterward

Request your 30-day free trial here.


How secure is the Electronic Patient Record?

Since the beginning of the month, the Electronic Patient Record has been available in Germany, in which insured persons can store and manage their data in a central location. The central storage of their health data is intended to facilitate communication between patients and doctors. In the initial phase, however, patients will have to take care of filling their digital files themselves. There are also still data protection concerns: Patients will not be able to select which doctor has access to which parts of the medical record until 2022. For the time being, anyone who wants to use the Electronic Patient Record provides their doctor with all the information it contains – or none at all.

What is an Electronic Patient Record?

The Electronic Patient Record allows patients to voluntarily store their health and diagnostic data centrally in one place. The information it contains can be shared with doctors, pharmacies and hospitals to shorten treatments and prevent duplicate examinations. In the future, patients will also be able to manage the information via an app and decide which doctor sees which information. The digitization of bonus books, vaccination cards and maternity records is also planned.

When does the Electronic Patient Record come into effect?

Patients can have their health insurer issue the Electronic Patient Record from the beginning of 2021, but for the time being they have to fill it themselves. Until July it is available only to around 200 practices and hospitals on a trial basis; only then will its use be extended to the whole of Germany. The health insurers themselves have no insight into the stored data, even though the Record is meant to provide a communication channel to the insured person’s own insurer. This prevents the insured person from suffering any disadvantage as a result of diagnoses or findings.

How secure is my data?

The Electronic Patient Record stores patient data in encrypted form. Data is exchanged with doctors and other healthcare facilities via the so-called telematics infrastructure (TI) network. Critics have nevertheless identified security deficiencies: the TI’s malware protection, for example, is said to be insufficient to protect sensitive health data reliably. Lax IT security in medical practices is a further risk: easy-to-guess passwords and shared administrator accounts or access credentials are unfortunately still commonplace there. You can also read a comprehensive review of the current state of data security in healthcare and the criticism of the telematics infrastructure in our blog post here.

Cases from abroad, such as the successful attack on a psychotherapy provider in Finland, have also shown how weakly protected sensitive healthcare data still is. Experts therefore advise being selective about what you include in the Record; including psychotherapeutic documents is currently not advisable, because such data could have negative consequences for those affected when looking for a new insurer or employer if it falls into the hands of unauthorized third parties.

Here, too, the risks and benefits must be weighed. Centrally stored data enables faster and better-informed treatment, which saves time, costs and nerves on both sides. But if this sensitive data falls victim to a cyberattack, the insured person may suffer disadvantages whose consequences cannot yet be assessed.

Will you use the Electronic Patient Record? Join the discussion here.


DDoS attack on vaccination portal

At the end of December, vaccination against COVID-19 began in the European Union; it has now become known that a cyberattack on the vaccination portal of the Association of Statutory Health Insurance Physicians in Thuringia and the Thuringian Ministry of Health had already taken place in December. It was probably a so-called DDoS (Distributed Denial of Service) attack: as the vaccination center announced, the servers were overloaded by a high number of requests and became unavailable, so that booking vaccination appointments via the site was initially impossible.

What is a DDoS attack?

This form of cyberattack is an attempt to paralyze a server, a website or even just parts of a website by sending it a huge number of (pointless) requests within a very short time. How many requests are necessary depends on the capacity of the server; in Thuringia, about 158,000 requests were enough.

The requests usually come from a mixture of botnets and reflectors. Botnets are devices infected with malware that the attacker controls directly. These “zombie” computers send requests with a forged sender address, namely the victim’s, to other systems on the Internet, the so-called reflectors. The reflectors do not have to be infected themselves: the attacker simply exploits the fact that network services are built to answer whoever appears to have asked, so the replies land on the victim. With services such as DNS or NTP the answer is many times larger than the request, which multiplies the attack volume. In this way the attacker gets by with a comparatively small botnet and also covers their tracks, because uninvolved systems now appear to be the source of the attack.

Who is the target of DDoS attacks?

The good news, if you will, upfront: the target of such attacks is not private individuals. Such attacks usually target large websites and opinion leaders – but also, as the current case shows, the healthcare sector, governments, or banks. In other words, important and critical infrastructure. This is why some security experts classify DDoS attacks in the realm of digital warfare, as they can paralyze critical civilian networks and thus harm society.

However, a DDoS attack often has no monetary goal. It is frequently a protest against a site that does not match one’s own political opinion, or simply a demonstration that one has the skills to carry out such an attack. The attacks become really critical when crippling the site is not the primary goal but a distraction: while attention is on the outage, a more serious intrusion runs in the background. If critical infrastructure is affected, a ransom demand may also follow, to have the server released and running again as quickly as possible.

For the current case, however, the background of the act is not further known.

How can you protect yourself from a DDoS attack?

Since you as a private individual are not the primary target, the sobering answer is: very little. What you can do is protect your own devices against malware so that they do not become part of a botnet. Keep the operating system, applications and anti-virus software on all your devices up to date, and the same goes for your router’s firmware, which protects your whole home network. The same applies to your passwords: use unique passwords, set up multifactor authentication wherever possible, and let a password manager keep track of them.

As a web administrator you do have options. If you notice an unusual traffic stream in time, you can divert it to a “black hole” (a null route that simply discards the packets); note that this also makes the attacked address unreachable for legitimate users, so it buys time rather than restoring service. Rate limiting per source at the web server or firewall and a bandwidth management tool can fend off simple attacks, but they do not help against a distributed flood in which each source stays below the limit; that requires filtering upstream, for example by your hosting or Internet provider or a DDoS mitigation service, before the traffic reaches your line. Over-provisioning bandwidth raises the bar but cannot outscale a large botnet. Anti-virus software does not protect a server against DDoS; it only prevents your own machines from becoming part of a botnet. For your users, unfortunately, the only option is to wait until your service is available again.
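What “noticing an unusual traffic stream in time” looks like in practice is shown by the following added example: a sliding-window request counter run over web server access logs. It is illustrative code written for this article, not software from the Thuringian portal or from DoubleClue. The log lines are constructed (documentation IP ranges, a compressed timeline), and the thresholds of 20 requests per source and 100 requests in total per 10 seconds are assumptions; real values depend on the server’s capacity. Beyond the single case in the text, the example contrasts a small botnet, which per-source limits catch, with a widely distributed flood, which they do not.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Common Log Format as written by Apache or nginx; only the fields the
# detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed timeline for the example. Addresses come from the RFC 5737
# documentation ranges and do not belong to real clients.
BASE = datetime(2020, 12, 28, 9, 0, 0, tzinfo=timezone(timedelta(hours=1)))
LEGIT_CLIENTS = ["203.0.113.5", "203.0.113.9", "198.51.100.7", "198.51.100.20", "192.0.2.14"]
ZOMBIES = ["192.0.2.100", "192.0.2.101", "198.51.100.200"]


def _line(ip: str, second: int, path: str = "/termin") -> str:
    """One constructed access-log line `second` seconds after BASE."""
    ts = (BASE + timedelta(seconds=second)).strftime(TS_FORMAT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120'


def build_sample_log(scenario: str) -> List[str]:
    """Constructed, time-ordered access log for three situations."""
    events: List[Tuple[int, str]] = [(s, ip) for ip, s in zip(LEGIT_CLIENTS, (0, 12, 25, 40, 55))]
    if scenario == "small_botnet":
        # three infected machines, 4 requests per second each, for 10 seconds
        events += [(30 + i // 4, ip) for ip in ZOMBIES for i in range(40)]
    elif scenario == "distributed":
        # 150 distinct sources, one request each, 15 per second for 10 seconds
        events += [(30 + i // 15, f"203.0.113.{i + 100}") for i in range(150)]
    elif scenario != "normal":
        raise ValueError(scenario)
    events.sort()
    return [_line(ip, s) for s, ip in events]


def parse_line(line: str) -> Optional[Tuple[str, float]]:
    """Return (source ip, unix timestamp), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FORMAT).timestamp()


def detect_flood(lines: Iterable[str], window_s: int = 10,
                 per_ip_limit: int = 20, global_limit: int = 100) -> Tuple[List[str], bool]:
    """Sliding-window request counting over a time-ordered access log.

    Returns the sources that exceeded `per_ip_limit` requests within any
    `window_s` seconds (candidates for per-source rate limiting or blocking)
    and whether the total rate exceeded `global_limit`, the volumetric
    condition that per-source limits alone cannot catch.
    """
    per_ip: Dict[str, Deque[float]] = defaultdict(deque)
    total: Deque[float] = deque()
    flagged = set()
    volumetric = False
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip malformed lines instead of crashing
        ip, ts = parsed
        for q in (per_ip[ip], total):
            q.append(ts)
            while q[0] < ts - window_s:   # drop requests that left the window
                q.popleft()
        if len(per_ip[ip]) > per_ip_limit:
            flagged.add(ip)
        if len(total) > global_limit:
            volumetric = True
    return sorted(flagged), volumetric


if __name__ == "__main__":
    for scenario in ("normal", "small_botnet", "distributed"):
        ips, vol = detect_flood(build_sample_log(scenario))
        print(f"{scenario:13} flagged sources={ips} volumetric={vol}")
```

Two caveats for anyone turning this into an alert: in a reflection attack the flagged addresses are the reflectors, not the attacker, so blocking them is the right reflex but attributing the attack to them is not; and the “distributed” scenario is exactly the case where the only effective response sits upstream, because by the time the flood is visible in your own logs it has already consumed your line.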


Digital Transformation and Cybersecurity

Digital transformation and the associated (IT) change management have evolved from buzzwords to important drivers in companies. German SMEs are catching up with these developments, albeit still hesitantly: many entrepreneurs shy away from major upheavals in their IT landscapes, and many ask how they can drive these fields forward without the equally important topic of cybersecurity falling behind.

The increasing networking of all machines, as well as business processes, means that entire IT landscapes are at risk from external influences. Therefore, in addition to a digital strategy, a security strategy based on it should also be introduced in the company. This also means that the budgets for corporate IT must be adjusted. After all, a technical upgrade without security measures in the background is on shaky ground.

Here are some important tips

Dismantle isolated solutions

IT structures are usually evolved solutions that have been expanded and supplemented whenever necessary for the respective business model. These isolated solutions are sometimes better, sometimes worse connected via different interfaces – but sometimes they exist side by side so that each branch or subsidiary has its solution. It is obvious that not only the application structure is confusing, but also the security of the systems is often rather nebulous in such a landscape. Each system must be protected separately, and if – for example when an employee leaves – the network and security plans have not been properly documented and passed on, it is also possible that important protection and security measures may not have been properly checked and adapted.

In addition to economic reasons, the security aspect should also be reason enough for most companies to dismantle these heterogeneous, poorly networked IT landscapes and replace them with an end-to-end application and network landscape. This saves costs and resources in setting up and maintaining company networks and ensures uniformly high-security standards in your company.

Do not rely on top-down communication

When describing the approach of German companies to digitization, one often encounters the terms “hesitant,” “slow” and “risk-averse.” Something is clearly happening nevertheless, but SMEs in particular are having a hard time, especially when introducing new systems that also entail new processes. At management level in particular, people are too attached to the old, which they then want to carry over into the new. This does not work, above all because the employees are not included in the process. Digital transformation and change management thrive on dialog, and especially on bottom-up communication. Yes, you read that correctly: your employees are the key to the success of your digital transformation.

Therefore: Take your employees with you

This means two things. First, learn from your employees: the younger, tech- and IT-savvy generation in particular wants to get involved, and can. They contribute ideas and, more importantly, bring in knowledge and put it into practice. At the same time, take along those employees who are critical of new technology and the associated change. Take their concerns seriously and address them in your IT and security concept.

But it also means investing in your employees’ knowledge of cybersecurity. This concerns every employee who works in your network and accesses at least one of your systems or applications. Because no matter how well your company is technically positioned, the biggest weak point in your security is the human factor, and phishing and social engineering attacks are becoming increasingly sophisticated. Prepare your employees for such an emergency through training and testing, for example with simulated phishing e-mails, and you proactively close the gaps attackers are looking for.

Be proactive

Many companies, but also private individuals, still underestimate how important it is to invest in preventive security measures. As a result, the budget for digital transformation in companies is often large, while the budget for the associated security mechanisms is incomparably smaller. This “it won’t happen to us” mentality can quickly become very expensive. Even if it doesn’t seem so at first: investing in security upfront is much cheaper than reacting to damage that has already occurred.

Have you been hacked? That means downtime and possible data loss, but even worse: loss of reputation and, in the worst case, declining orders because of late deliveries or because customers no longer trust you and your compliance.

You see: prevention pays off. Reaction can only be the last resort.

Your benefits from a digital transformation based on Cybersecurity

Application and data security and availability

High security standards ensure that your employees always have access to the applications they need; this is the only way to keep business processes running smoothly. At the same time you protect your company’s data and that of your customers, which, beyond operational needs, is also what legal regulations require.

Best user experience, first-class compliance management, and cost-efficiency

Networked systems allow your employees to quickly and easily switch between applications with similar user interfaces. This saves a lot of time when learning new programs, but also in the daily workflow. At the same time, with such networking, these systems must be adequately protected so that they cannot be compromised. This sounds costly at first, but imagine the effort if you had to install and maintain security mechanisms at the same high level on every single application. This way, you make things easier for your IT, as well as for the end-user at the workstation. And you can deliver a higher security standard for a lower budget.


Corona vaccine data targeted by hackers

On Wednesday evening, unknown hackers penetrated the systems of the European Medicines Agency (EMA) and accessed individual documents relating to a Corona vaccine currently in the approval process. The authority is reviewing the approval of the vaccine developed by the Mainz-based company Biontech and the US pharmaceutical company Pfizer. EMA has not yet disclosed exactly how many and which data are involved.

Who has an interest in data on the Corona vaccine?

Who is responsible is also still unclear. Experts suspect intelligence services, from Russia or China for example, but this has not been proven. There are nevertheless indications of a state-initiated attack: the initial approval of an effective, low-risk Corona vaccine is more than a prestige project for a nation, it is of great economic value. Patent revenues have a direct impact on the national economy, and an effective vaccine allows lockdown rules to be eased, which lets the economy recover more quickly.

Biontech and Pfizer emphasize that no data was stolen that would allow conclusions about individual trial participants. EMA also states that the incident has no impact on the further approval process.

Can such attacks be prevented in the future?

Nevertheless, the attack shows how important high IT security standards are for every organization in a chain. According to experts, Biontech’s and Pfizer’s own IT systems are very well secured, and the companies state that they detected no unauthorized activity on them. The attackers therefore did not go after the well-secured private-sector systems, but after the less well-secured ones of the EU authority.

Data protection experts have long complained, particularly in the healthcare sector, that data is often only as secure as the weakest system it passes through: it is not advisable to assume that upstream and downstream systems meet the same security requirements as your own. The current incident proves this once again. A uniformly high security standard in public institutions as well would therefore be beneficial.

You can read more about data protection problems in IT in the German healthcare sector here.

In this blog article, we have summarized why the healthcare sector is coming under the scrutiny of hackers, especially in times of a pandemic.