Not all success is the same. Some people talk about success when they have climbed an eight-thousand-metre peak for the first time, for others it is a success to be allowed to fly the helicopter on their own, for others it is a success when their product follows the principles of the circular economy and for others it is a success when the profit has been increased.

What makes all examples comparable, they don’t happen overnight. All successes come only after previous work, decisions made, and the necessary time. Failures and setbacks are also part of the journey.

Before the ascent of the eight-thousander, many other peaks were conquered and a meticulous preparation for the ascent of the eight-thousander was planned and implemented. Before the helicopter may be controlled, it requires knowledge in thermals, meteorology, radio basics, of course flying hours and passing the exam. In order to comply with the principles of the circular economy, it requires a transparent knowledge of the materials used, which companies in the entire supply chain meet the requirements and how this can be maintained. In order for a company to increase its profits, it needs to make changes. Whether it is new services, increased efficiency, new sales channels, minimization of expenses, new products, etc., the company needs to make the right decisions. In order to be able to make decisions, it is necessary to understand the existing and how an added value can be realized with targeted optimizations.

Different Angles

Tackling demanding challenges again and again, establishing new things or treading unknown paths is fun. In order to be able to implement this in a business framework, more is needed in addition to the fact-based craft, such as the analysis of data sets and the interpretation of the findings obtained and their impact on future development. It also always requires personal exchange with sparring partners, regardless of the industry they are in. Additional networking beyond one’s own known boundaries is an important building block.

One of the vessels to be recommended is the Swiss Economic Forum (SEF). A business conference with decision-makers from the entire economic landscape. Where is the economy heading, what trends are being followed, what challenges have to be tackled, to continue the networking and cultivating existing acquaintances. Year after year exciting and expanding horizons. It is not about the in-depth technical discussion on a special field, but about the exchange with like-minded people in other companies about to be solved and upcoming challenges. How do they correct this or that and which stumbling blocks do they already know which we can tackle directly. Conversely, the topic of cybersecurity is on everyone’s lips and we are exceptionally qualified to talk about stumbling blocks in this regard.

Internal Change

The handover of the CEO position over to Mr. Tomaso Vasella in October 2021 was preceded by months of preparations, clarifications and discussions. Change always has something frightening and at the same time something liberating. In the new capacity as Chairman of the Board of Directors, the daily routine is a new one. It is surprising how the change has altered the perspective on some business areas and areas of tension. Discussions within the company, on current topics, are very invigorating and purposeful due to the new and additional perspective. So it was also very interesting to experience how the discussions with new contacts but also old acquaintances at this year’s SEF in Interlaken developed differently due to the new perspective. Once again it has been shown that a holistic view from various different points of view is needed in order to better recognize and understand challenges and possible solutions.

Contemplation and Time Travel

There will always be criminal actors in our society, that cannot be changed. The understanding of the use case and the processes and steps that an attacker has to implement in order to be successful enables the defenders to prevent, slow down or track down the culprits.

A bank robber in the Wild West had the problem of putting himself personally in danger, of only being able to take as much gold, valuables, etc. as he could fit in the saddlebags of his horse by weight and volume, and of only taking as much time as he needed until the lawmen were within shooting distance. In return, he had his prey when the job was done. Accordingly, a possible and simple countermeasure for thwarting a bank robbery in the Wild West was to position the police station as close as possible to the bank in order to reduce the time between the burglary and the arrival of the police officers.

Today’s attacker who wants to steal lucrative company data has just as many problems. The big change, compared to the Wild West, is the decoupling of personal exposure when attacking and the possibility to do the same at different companies worldwide at the same time. To do this, he must first figure out which of the companies’ vast amounts of data are valuable and how to get that amount of data past network surveillance without being seen. Even after exfiltrating the coveted data, he still has no financial return. The stolen goods must then be sold and the proceeds obtained converted into real, available money. Accordingly, one of the targeted countermeasures to thwart data theft is to restrict and monitor access to the data sets. Automated detection of data sets and user interactions, versus benchmarks, can prevent data leakage.

The attackers, both in the Wild West and today and in the future, immediately adapt their approach, tools and processes to new countermeasures and circumstances. The prey is too tempting. Likewise, defenders will tweak and adapt their measures. A well-known game: cat and mouse. More knowledge about the respective other side and the inclusion of different elements as well as angles of view gives an advantage.

Fundamentals are Not Adhered to

The networking of the world is in full swing and can deliver significant direct cost savings and real efficiency gains in many areas. The buzzword is digitalization. If companies, institutions or government processes can realize long-lasting cost savings through targeted investments, this is very lucrative and should be prioritized. This rightly brings many new products, service providers and initiatives. The word cybersecurity is very often used in this context to cast the corresponding solution in a golden light. Rightly so, digitization goes hand in hand with cybersecurity, because an insecure networked solution holds an immense potential for damage.

Hence a little train of thought. There are many questions to be answered when developing a solution. In terms of secure implementation, likewise. Let’s ask rudimentary questions about a new system:

• how is user management implemented
• how are credentials stored
• what data is stored
• is this data given different attributes
• is data stored locally
• is data signed
• is local data retrieved externally
• data is transmitted to an external destination
• specific data is processed differently
• plausibility checks are performed for data correctness
• etc.

As trivial as this small selection of questions sounds, they often cannot be defined and answered from the beginning. We don’t even go into the non-trivial questions if there are already ambiguities at the base. Time to market above all. So shortcuts are taken in the development, which have no influence on the actual functionality of the product, but do have an influence on the vulnerability. A treasure box for an attacker. If the solution is also integrated into a large network of systems, the impact of a compromise becomes even more significant. This can have far-reaching consequences for areas other than the actual solution. We have not even mentioned existing solutions that were not developed with global networking in mind or with the cybersecurity buzzword dragged around.

Hardly a day goes by without an announcement in the global press about the lack of security or the vulnerability of interconnected systems. In simpler terms, about cyber security and successful cyber attacks. Or even more simply, and in the context of this article, it is about today’s successful Wild West bank robbers. Currently very prominent, the cyberwar with reference to the Ukraine war. The information situation is confusing and can easily be misused for propaganda purposes. On the other hand, information about ransomware attacks or other successful cyberattacks on companies, institutions, authorities, etc. fades into the background and is not prominently reported.

Conclusion

The attack areas and vulnerabilities will not decrease, but will clearly increase in the future. Our society must adapt to this.

A myriad of possibilities and opportunities. We can learn from known shortcomings and drive improvements. This gives us the time to deal adequately with currently unknown sources of error once they have been identified. It makes no sense to try to solve everything at once. The resulting overload will inevitably lead to failure. Focusing on existing important areas and critical infrastructures such as power, water, medical, food, etc. is a first step to ensuring the continuation of our very carefree lives. This gives humanity the opportunity to address the challenges step by step.

A little thought insertion. An instance of a successful Redteam customer project comes to mind. We accomplished data exfiltration from the customer’s network, which was defined as highly secure, over using a monitored, restrictive and legitimate connection, by transposing the data into music. There’s always a way.

The upcoming networking of all things requires an iterative process of development and will be paved with many setbacks as well as mistakes. The interdisciplinary approach is the successful path for the future.

About the Author

Simon Zumstein has been working in IT since the 1990s as an engineer, project lead, security consultant and CIO. Integral risk management while taking managerial-economic factors and the presentability to decision makers are his area of expertise.

Links

• https://vuldb.com/
• https://www.swisseconomic.ch/