Cyber-attacks
February 3, 2013
"Hello Paul - we met a few weeks ago at your party at the Cebit trade show. The caipirinhas at your stand were great! I took a couple of pictures of you and your nice colleague Suzanne that I thought you guys might want to take a look at. All the best and see you next year in Hanover, Rob."
Paul works for a large German telecommunications company and although he doesn't remember meeting "Rob," Paul and his colleague Suzanne did indeed have Brazilian cocktails at the end of the trade show. So, Paul doesn't think twice before clicking on the photos attached to Rob's e-mail. Except the pictures must have been broken somehow, no matter how many times Paul tries to open them nothing happens.
Social engineering attacks
By opening the seemingly defect file, Paul infects his company's computer network with tailor-made spy software that generally cannot be traced by regular anti-virus programs and which will allow "Rob" access to the company's IT systems. "Rob" was never even at the trade fair sipping drinks with Paul and Suzanne - he just found the personal details in a few public posts on social networking sites.
Experts call such attacks "social engineering," and the method is proving to be effective for cyber-criminals. Recent cyber-attacks at the US newspapers The New York Times, The Wall Street Journal and The Washington Post were the result of social engineering via infected e-mails thought to have been sent from China.
China, followed by Russia and then the rest of Eastern Europe are regarded as German companies' main danger points for electronic attacks by unknown parties, according to a survey of 500 industry leaders on e-crime conducted by the consultancy KPMG.
No 100 percent protection
There is hardly ever a way to be completely sure who or what is responsible for a cyber-attack, the study's head Alexander Geschonnek said. He added that many German managers may not have realized the danger social engineering and other types of cyber-attacks pose to their businesses.
He said corporate leaders are aware cyber-attacks take place but are convinced they will not happen at their own businesses. "This view is very surprising and stems from companies feeling safer than they actually are," he added.
Companies often do not even realized they have been hacked. The data, Geschonnek said, is not generally abused or removed but copied and no one is aware of the attack until the data turns up somewhere it shouldn't be - including in the hands of blackmailers or in a competing company's boardroom. Geschonnek said even after companies realized their data has been hacked, they avoid reporting the crime to police out of fear of what the digital break-in would have on their reputations.
Been attacked? The state wants to know
But the secrecy will have to end if German Interior Minister Hans-Peter Friedrich gets his way. He wants at least some industries to be required to register all cyber-attacks.
"It has to do with having to protect all the so-called critical infrastructure - power supply, communications, and logistics - all the things that make our daily activities possible," the minister told public broadcaster WDR. "If there are serious attacks on a system, then our cyber-defenses are also in a position to get a picture of the situation as quickly as possible and take defensive measures."
The German minister received backing this weekend at a security conference in Munich from the European Commission. The commission also wants companies in critical industries to be required to report "large incidents" of cyber-attacks.
Germany's Federal Office for Information Security has, so far, stuck to the voluntary exchange of information about cyber-attacks with initiatives that allow companies to warn each other of the schemes they have caught or fallen prey to.
There's no way to prevent all attacks, according to Dirk Häger, the office's head of operative network defenses. "We all want to use IT. We want to communicate and we want to communicate easily," he said. "That means that we get e-mails from the Internet and do not really check where it's coming from."
But if attacks cannot always be prevented, Häger said, companies should do their utmost to minimize the consequences.
Internal security leaks
Geschonnek of the KPMG said he recommends companies focus on protecting the data "crown jewels," as no company can completely lock down every piece of data.
That includes taking a close look at employees. In one case from the United States, a company conducted a security review and saw its internal network was regularly being accessed from China. But this time it wasn't a hacker. Instead, it was an employee who had outsourced his job to a Chinese programmer for months - and for just a fraction of his paycheck. He had simply sent the password generator his company required to access the secure network to his personal Chinese employee.