
Review 2021: Uncertainty in IT security


Many companies and organizations had significant problems in 2021, not only due to the coronavirus pandemic but also in terms of IT security. 2021 was not a good year for IT security: it revealed significant security gaps, and cyber attacks on companies rose sharply. Our 2021 review:

Development of cybercrime

In 2021, there was a significant increase in cyberattacks on companies and organizations, continuing a trend that has accelerated since 2020. According to a study published by Check Point Research, the number of cyberattacks on organizations of all kinds increased by 40%.

The pandemic put IT service providers under enormous time pressure, as working arrangements had to be made more flexible. In addition, hacker attacks occurred much more frequently and became increasingly sophisticated; the attackers were often faster than the defenses against them. One massive problem in IT security was the so-called zero day.

Zero-day gap as a major threat

IT systems are constantly evolving, so software quickly becomes outdated. New patches bring devices up to date and close old security gaps.

However, this so-called zero-day consisted of four security flaws in Microsoft Exchange servers, introduced unintentionally by the developers through faulty program code. This gave the hacker group Hafnium the opportunity to infiltrate and scan thousands of Exchange servers. As it has not yet been possible to clarify whether a backdoor was installed, the consequences for the future cannot yet be determined.

What can we learn from this?

You cannot prepare for a zero day, as one can occur anywhere and go undetected. What you can do, however, is comply with the data protection rules of the GDPR. There are two variants of this: privacy by design and privacy by default. The latter describes settings that are data protection-friendly by default. Privacy by design describes data protection processes that are best complied with when they have already been technically integrated during development. A double-locked door, so to speak.

However, this requires a reliable IT security policy, which relies not only on advanced technology but also on an appropriate firewall. IT security is defined by continuous updates and the systematic closing of security gaps.

Review 2021: IT security is a dominant topic in the IT industry and goes hand in hand with a constant striving for quality. In addition to process digitization, increasing the speed of data management and developing digital products are also challenges for the IT of the future.

IT services and IT security - the right partners at hand

In an increasingly digital world, modern IT services are more in demand than ever, as is a commitment to solid IT security. Alongside the fast, high-quality handling of upcoming tasks by effective service providers, the area of data and network security, or IT security for short, is still an often underestimated sub-area.


As our expert partner Sonicwall states in its latest annual report, cyber attacks using ransomware and encrypted threats are increasing significantly. Ransomware attacks in particular have risen by 105% compared to the previous year and by as much as 232% compared to 2019.

In addition to our data protection resources through Harald Rossol and Thorsten Brendel, we also have extensive expertise in IT security and GDPR. Together with our partners, we have the concepts to keep your security up to date.

Ransomware - money or computer?

Extorting a 'ransom' by blocking a computer has increased considerably in recent years. The user then sees only the attackers' 'ransom note' on the monitor. The particularly perfidious thing is that even if the victim agrees to the demand, the computer usually remains blocked anyway. It is therefore very rare to be able to 'buy your way out'.

Ransomware no longer affects just one operating system: whether Linux, Mac OS or Windows, all users are exposed to this digital form of highway robbery. There have also long been instructions for building ransomware, known as 'crimeware kits', on the DarkNet. Ransomware usually does not encrypt the entire computer, but rather the data that is important to the user, such as the 'My Documents' folder under Windows.

Protection against ransomware is similar to protection against other viruses or Trojans. A typical case: a user receives an email with an attachment purporting to be an unpaid invoice, a threat of punishment from the Federal Criminal Police Office (BKA), or alleged usage violations reported by GEMA. Anyone who opens such an attachment has handed the blackmailers the 'house key' themselves.

You should therefore NEVER open an e-mail attachment that does not come from an absolutely trustworthy source. GEMA and the BKA still use the good old letter post. It is also important to regularly back up all relevant data on external data carriers, as this keeps it out of the blackmailers' reach. Browsers can be protected against the execution of Java commands by installing extensions such as 'NoScript', and ad blockers also offer additional protection.

Firewall: Overcoming walls

A program must always open a 'port' - or at least a porthole - if the content it generates is to be visible on other monitors around the world, as in the case of a homepage. Where something can leave through such a 'port' or 'harbor' into the virtual world, something can of course also enter. This is why 'firewalls' were created to protect a computer from unwanted access from the network. These security programs ensure that only the desired guests enter the home port, according to defined rules. As a rule, every access must overcome two such protective walls: the first at the provider, the second at the client on the network computer.

Privacy by design - IT security as a holistic concept

The two terms 'privacy by design' and 'privacy by default' are older than the new General Data Protection Regulation (GDPR). However, the law has given them a whole new meaning (Art. 25 GDPR).

'Privacy by design' means that the technical structure of a data processing system must be designed so that data protection is automatically built into the system. In other words, data protection and IT security must be a system property. This is achieved through the 'Technical and Organizational Measures' (TOM) when installing the computers and implementing their programs. This is where the manufacturer comes in.

'As quickly as possible', 'create transparency', 'minimize', 'enable' - all phrases that have so far created little more than wide scope for interpretation. In short, the rule of 'privacy by design' does not allow for a standardized answer; it depends on the respective data protection requirements. However, it is clear that the possible requirements of the GDPR must be taken into account when setting up a data processing system and when selecting and implementing the technology and software used.

Interested readers can find the complete Cyber Threat Report 2022 from our partner Sonicwall here.


Certified EcoStep 5.1 management system at b.r.m.


Certified EcoStep management system: b.r.m. has once again been certified in accordance with the EcoStep 5.1 management system for small and medium-sized enterprises. Starting in 2008, this is now the 15th and 16th year in a row that b.r.m. has had its operating procedures and processes certified. For all management systems, the focus is on ensuring that tasks and activities are in line with the objectives and that operational processes run smoothly.

EcoStep is a practice-oriented alternative to the conventional ISO standards. Combined in one system, it uses the most important standard requirements of the following standards from an SME perspective:

  • DIN EN ISO 9001:2015 Quality management
  • DIN EN ISO 14001:2015 Environmental management
  • DIN ISO 45001:2018 Occupational health and safety

With the help of the three aspects (quality, environmental protection and occupational health and safety), various process descriptions are possible, ranging from value creation processes to management processes. Development processes and other supporting processes are also recorded.

The EcoStep management system uncovers potential for reducing costs, implements controlling and key performance indicator systems to support management and increases legal certainty. Continuous improvement is one of the top priorities here. Not only the certification audit for the award of certification is important here, but also the continuous chain of internal adaptations and adjustment of existing processes to the new, changing circumstances of day-to-day business.

Our thanks go to the certification body GUTcert for the excellent cooperation. Mr. Markus Rossol from b.r.m. carried out the audit together with Mr. Hauke Kreutzfeld from GUTcert.

The resulting potential for improvement is continuously exploited, and we are already looking forward to the next 2 years, after which it will once again be time for: certified management system according to EcoStep.

You can view our complete certificate here.


IT review 2021: IT security, zero-day and hafnium


In our series "IT Review 2021", we look at the most interesting and dangerous IT security vulnerabilities of the past year; today: zero-day and Hafnium. 2021 was not a good year for IT security and shows once again that IT security must be seen as a continuous process. Defenses against attackers must be constantly renewed, otherwise they will crumble like an old unmanned castle wall.

The nightmare par excellence: zero-day and IT security

Software manufacturers usually act very quickly against known security vulnerabilities, or have already identified the problem themselves. A corresponding patch closes the security gap and the program can continue to be used for the time being. For this very reason, it is important to have modern IT systems and keep them up to date. Continuous improvement is the key to stable and secure operation of IT systems.

However, a massive problem arises from a so-called "zero day". The term refers to the fact that the exploited vulnerability has been known for zero days, at least to the manufacturer and the public. Therefore, there is no patch or workaround to close the gap; it was simply not known. The most sensational case of a zero-day exploit worldwide is certainly Stuxnet, in which several zero-day vulnerabilities were used to disrupt production systems and execute unexpected commands.

Zero Day and hafnium, what happened?

At the beginning of March, a total of 4 relevant security flaws, i.e. "zero-days", were discovered in Microsoft Exchange servers. These were presumably used by the hacker group Hafnium to systematically scan and infiltrate thousands of Exchange servers. According to research, the aim was to install a "backdoor" in the systems, so it cannot be conclusively determined to what extent this vulnerability will have an impact in the future.

According to some estimates, Microsoft reacted more slowly than desired, but the exploited security gaps have been closed. Several security patches have ensured that the zero-day exploit is no longer usable.

Proper IT security means continuity

Proper, i.e. reliable, IT security is the wish and promise of everyone entrusted with IT systems. In addition to standard technology such as a firewall, there are a number of conceptual points to consider. The magic triangle of cost, time and quality naturally applies to this area of professional activity as well. With regard to the time factor in particular, it is immediately apparent that there can be no absolute state of security in a dynamic system. In the case of a zero-day exploit, the time component is distorted to such an extent that a correct (high-quality) response immediately consumes a large amount of resources. A good IT security policy therefore relies on continuous improvement and adaptation to a dynamic threat environment. Systems must not be operated unattended; only taking action when something no longer works inevitably leads to disaster. Effective and efficient action is characterized by continuity. Please also read the statement by Dirk Arendt from Trend Micro.

Malware: Trojan displaces virus

In Latin, 'malus' means bad, evil or vile, and this is how malware programs behave: they nest in computers or servers in order to execute unwanted functions. Although 'computer viruses' also count as malware, simply infecting or destroying a computer is on the decline. Today, malware typically appears in the form of Trojans, which secretly come on board, usually unnoticed by the user.

Trojans are a problem for an external IT service because the fault usually lies with the person operating the customer's mouse or keyboard: it is this person who opens the gates to the intruder. In most cases, Trojans get onto the computer through the careless downloading of email attachments or programs from obscure sources, or through overly simple passwords.

Our IT service therefore focuses primarily on user training. After all, being alert and informed is the best protection against intruders. Our service also includes analyzing obscure attachments. Our customers can forward suspicious cases to us before they carelessly press the mouse button.

IT service: What are services?

Any support that is not based on an exchange of goods or merchandise is referred to as a service. Users do not buy 'things' from service providers that they can unpack and touch, they primarily buy expertise and experience. Services are always 'immaterial' at their core, even if concepts or carrier media are handed over at the end.

Our IT service includes, for example, 'consulting', 'planning' and 'implementation'. These services are remunerated via a work or service contract, which obliges the contractor to provide precisely defined services on either a one-off or a permanent basis.

With our services, we primarily provide our customers with security and data protection for the problem-free and reliable setup and operation of their electronic data processing. This is the core of our IT services.

E pluribus unum: Blade servers in IT service

Many pages make a book: the word 'blade' in 'blade server' does not refer to a knife blade or cutting edge. In such a computer, circuit boards are combined like 'blades' in a housing under a 'cover'. The idea is to operate several computers on a single power supply, a single shared storage medium and a single ventilation system. This saves space and energy and simplifies the system architecture.

Our IT service uses such 'blade servers' wherever it makes sense to do so. These circuit boards - 'blades' - carrying the microprocessors and main memory are slotted side by side into a server. Today, a standard rack accommodates more than 80 such blades, i.e. far more than 5,000 processors. The main advantages are the compact design, high power density, scalability, simple cabling, and quick and easy maintenance.

However, the energy design and ventilation of this 'high-density computing power' requires a good deal of technical expertise, which is why small and medium-sized enterprises (SMEs) in particular are increasingly outsourcing such tasks to a competent IT service provider.

Facebook: Return to Sugar Mountain

Since Facebook founder Mark Zuckerberg began to thoroughly 'clean out' his network, the platform has been getting closer to reality again. Not only the American election campaign showed everyone how easily Facebook could be misused as a 'fake news slingshot' under the old rules. The loss of advertising revenue and the increasing exodus of the younger generation probably also contributed to the major rethink.

We at b.r.m. acknowledge these efforts on the social media platform and are returning to Facebook with our account and the range of IT services we offer. Interested parties can find our presence there at www.facebook.com/brmbremen/.

Bremen, February 28, 2018

Green visit to Grüner IT

The fact that energy efficiency and climate protection also play an outstanding role in IT is demonstrated not only by the server farms of large digital companies, which are all located close to the Arctic Circle for cooling reasons. b.r.m. took a different approach and now uses the waste heat from its servers to air-condition the offices.

We will be able to show our visitors these and many other measures in practical sustainability when the Bremen Greens' state working group on economic and financial policy visits us on March 13, 2018 at 6:30 pm. We look forward to lively discussions about contemporary IT service.

Bremen, March 7, 18

The letter carrier is called 'Domain' ...

Without a clear address, no message reaches its recipient on the Internet; in this respect, 'virtual life' and 'real life' are similar. This address, called a 'domain', is a coherent sub-area within the Internet hierarchy that allows exact addressing. Network customers can freely choose the names of their domains, provided they are not already assigned. They register the name with the responsible registry, the NIC (Network Information Center) of the respective top-level domain, to which the endings on the far right of the Internet address refer (e.g. .de, .com or .org). In Germany, 'DENIC eG' registers all Internet addresses ending in .de.

The domain system resembles a widely ramified root system. At the top of the hierarchy is the root level, followed by the top-level domains and then the subordinate second- and third-level domains. In the address www.brm.de, for example, the 'www' is the root level that refers to the 'World Wide Web', the '.de' determines the German top-level domain, 'brm' refers to our own domain at the second level, and possible further additions at the third and fourth levels allow precisely defined pages on our homepage to be accessed. The selection and registration of domains is a standard task, also for our IT service.