Image source: Pexels/Sora Shimazaki
Article • IT security
Cyberattacks on critical infrastructures on the rise
Some ten years ago, it was unthinkable that virtually all company data was stored in the cloud. Now it’s what almost every company does. However, the increasing complexity of corporate IT infrastructures also comes at a price.
Report: Madeleine van de Wouw
The sheer size and complexity of the systems makes it difficult to keep track of everything that is going on digitally. And this leads to more and more successful cyberattacks. With all the consequences this entails.
All companies and institutions in Europe have to deal with European regulations such as AVG and GDPR, which must guarantee privacy. Each country may decide for itself what falls under critical infrastructure, but for most that includes healthcare, financial institutions and government. And what counts as critical must comply with all European standards, which are constantly being tightened along the way. The fines for non-compliance are very high and the consequences of a cyberattack can be huge. That is why companies and institutions need to take a preventive approach to secure their IT in order to avoid getting into trouble afterwards. But how do you know exactly what is going on in your company? How can you gain insight into all the systems you have running and what the weak spots are?
Recommended article
Article • Cybersecurity in hospitals
Ransomware: The race between attackers and defenders
Since 2015, the number of known ransomware attacks has not only increased substantially across many industries. Hospitals, and the healthcare industry in general, have also become favorite targets of ransomware attackers, leading to very real incidents in which patient care and patients’ lives have been put at risk.
Identify and manage
Seamless management of your IT’s digital "attack surfaces" is an important step towards cyber resilience. This attack surface refers to all the possibilities that an unauthorised user can have to bring in or steal information. To manage and control that, Dutch cybersecurity company Cybersprint B.V. developed the Cybersprint Attack Surface Management platform: a SaaS solution with continuous monitoring of all possible attack surfaces. For example, by entering a brand or company name, the system searches for anything related to that brand name and the vulnerabilities and misconfigurations associated with it.
How does the platform work?
Sebastiaan Bosman, Product Marketing Manager at Cybersprint, explains: 'Our platform maps the individual digital components of an organisation. Let me explain the three major developments which make control of the digital attack surface necessary.
- Digital transformation:
Certainly during Covid, online and cloud working has accelerated and systems have become larger and more complex. And so companies are increasingly outsourcing digitally. You must therefore take stock of what is housed with third parties. Remember, your company is always responsible for your own data, even if you hire a supplier who makes a mistake, has a leak or whether there has been a successful hacking attempt. - Increasing threat:
Threats are becoming more frequent and more sophisticated. Ransomware attacks and phishing are a big problem, and they are increasingly starting in the supply chain. A while back this happened, for example, with the Microsoft mail exchange. Criminals were able to get into a large software company and send their own piece of malicious software along with its updates. This gave them access to many more companies at once. In addition to securing your own infrastructure, it is therefore also necessary to know exactly where and which third-party software is running so that you can act immediately in the event of an incident. - Rules and laws:
Various authorities such as governments and umbrella bodies within sectors are increasingly prescribing how organisations should run their business, for example in the field of data privacy. Organisations must have control over their own attack surfaces and be able to prove that they know what is going on. If they can not, heavy fines can be issued.
At the end of last year, an ambulance with a patient had to be diverted because of ransomware. The hackers had gotten in by abusing a Citrix environment (at the end of 2019, a major vulnerability had been discovered in this Citrix product). We were on top of this at the time and advised several customers.
Also, the U.S. Department of Homeland Security has issued advisories to highlight the importance of cybersecurity in healthcare. It might even be so that people die because of ransomware. For instance, in Alabama, USA, a baby might be the first-ever death caused by a ransomware attack. According to Pandasecurity.com, there is a lawsuit against a hospital where a newborn baby ended up with severe brain injury. The mother did not receive all necessary tests when admitted to a hospital to deliver her baby because of an ongoing cyberattack. The tests she missed would have shown that the baby’s umbilical cord was wrapped around the fetus’ neck, which eventually caused brain damage. The baby died nine months later.
Recommended article
Article • Cyberattacks and countermeasures
Healthcare cybersecurity in the EU and US: a technical, regulatory or political issue?
The pandemic has put a spotlight on the increasing role of cyberattacks and weaknesses in healthcare. In healthcare as in other industries, cybercrime does not stop at national borders. With this idea in mind, the US consulate general in Düsseldorf and the US embassy in Vienna recently invited interested parties to their Cybersecurity in Healthcare Briefing.
What if, for example, created subdomains haven’t all been neatly passed on to the IT security team? This creates blind spots which you cannot secure
Sebastiaan Bosman
What we think is important is the way in which all this information is collected. When you, from within your organisation, start making an inventory of the digital assets you have, you only see what you already knew you had. But what if, for example, created subdomains haven’t all been neatly passed on to the IT security team? This creates blind spots which you cannot secure.
That is why our platform works from the outside in, without special access or an imposed IP range in advance – just as an advanced hacker would see it. This way, an organisation always has the most up-to-date information, fully automated and continuous. Also, the assets found are at once scanned for any risks, allowing a security professional to know what is wrong and to prioritise.'
Shadow IT is a big problem
A major and often unrecognised problem in many companies is shadow IT. Not only specialists and the IT department can build websites and platforms. A marketing department, for example, can set up a web page for a campaign and link it for instance to a page on Facebook without telling it. Bosman: 'Our platform identifies between 30 and 50 percent of assets that companies and institutions did not even know they had. Take for instance a hospital.
- Step 1: we start searching on brand name and everything related, such as hosting etc. An overview of all domains and underlying infrastructure automatically follows. Especially in larger organisations, there are tens of thousands of assets, also from suppliers. This means an enormous attack surface.
- Step 2 is the rating of the risks in categories. For example, a certificate is not up-to-date, or a patch is required. In our system you can see the software you are using and whether you need to protect it. We indicate the risks on a scale from A to F. While an "A" rating is okay, "F" means that the issue urgently needs to be addressed by the company's IT department.
- Step 3 is the management of all data. What should be tackled first? If there is a problem, the system can help assign ownership to solve it.
- Finally, step 4 is reporting. How can you track risks, measure performance, and perhaps adjust processes?'
According to Pieter Jansen, founder of Cybersprint, there is a difference with other companies in working methods. 'Our system maps everything continuously. You can hire a company to draw up a report, but these are snapshots and the next day it can all be different. We have automated the process and you only have to log in to see all the information you need. We don't change anything ourselves, we only signal what is wrong, we don't go "deeper" in search. The data from our platform serves as a starting point for other security methods, such as red teaming and penetration tests.
Knowing your critical points is also an advantage if you are audited for NEN certification, for example. Regulations and the need to comply with standards (NEN 7510 for information security) are particularly important in the healthcare sector. Our platform also ensures that, within that framework, both the loose ends and the overall processes and security governance can be examined. What about our own security? Good question! Yes, we also comply with the highest requirements and standards, and of course we monitor ourselves!'
About Cybersprint B.V.
Cybersprint is a European IT security company based in The Hague, Netherlands with a team for the DACH region. Cybersprint was founded in 2015 by ethical hacker Pieter Jansen. His goal was to provide organisations with an overview of their IT infrastructure and the associated risks. Clients include government organisations and municipalities, banks, financial institutions and insurance companies, trading companies and critical infrastructure organisations. The service is provided in the form of a subscription with prices that depend on, among other things, the size of the attack surface and the number of brand names. Cybersprint is a member of the European Cyber Security Organisation.
Tech Against Corona
In Tech Against Corona, a Dutch initiative, Cybersprint worked together with other companies to help organisations and healthcare institutions to detect and resolve vulnerabilities. https://techtegencorona.nl/
Profiles:
Passionate cybersecurity specialist Pieter Jansen is CEO & founder of Cybersprint. With his experience as an ethical hacker and security manager, Pieter has worked on both the ‘offense’ and ‘defense’ side of cybersecurity. Pieter saw new possibilities in developing a platform to automatically map the attack surface of organisations. He started his own company, driven by his ambition ‘to make the digital world more secure’. His motto "Defense is hard, offense is easy" forms the base of the Cybersprint platform.
Sebastiaan Bosman is Product Marketing Manager at Cybersprint. With a background in Communications and Linguistics, he is responsible for most internal and external communication. He creates content based on Cybersprint’s own research data and product positioning. Previously, Sebastiaan worked as Content & Communications Advisor at ING Global.
18.11.2021