A secure web

Expert Opinion
With hackers constantly on the lookout for vulnerabilities, developers of devices, networks, and applications may unwittingly be creating previously unknown vulnerabilities every time they seek to enhance functionality.

Despite huge advances in technology over recent years, the proportion of business and government networks that undertake proper cybersecurity, including a vulnerability assessment that involves automatically checking the authorizations of new devices and applications, is surprisingly small.

“Asset discovery software regularly finds companies ‘hosting’ up to 25% more devices on their networks than they think they are, even in manufacturing situations,” says Peter Rost, Director of Business Development at secunet. Most of the web’s systematic vulnerabilities are due to its “100% trust” origins. This is true for all aspects of the broader web, including endpoint devices, applications, networks, and even identities. So where are the weak points and what can be done to enhance security?

OS cyberthreats

Endpoint devices, including PCs, smartphones, tablets and smartwatches, all run on operating systems (OS), such as Windows, macOS, Linux, Android, or iOS. It’s comparatively easy to secure macOS and iOS devices, because they are closed systems owned by a single manufacturer. Other devices can be more challenging because they are based on open source software, which affords widespread access to the source code. Procuring devices supported by vendors with a clear commitment to timely and regular security updates is an important first step.

At the level of government, military and critical infrastructure, an exceptionally high level of protection is required. Here, an intermediate virtualization layer between the PC hardware and the OS, such as secunet’s SINA Workstation line, provides full control of incoming network connections while a crypto file system allows several operating systems to be run safely in parallel on the same PC. The SINA Workstation establishes a VPN tunnel via any internet connection, so data transmission is encrypted and tap-proof. Also, the login to the computer takes place via two-factor authentication with a smart card.

Which sites are ‘safe’?

Browsers, too, represent a major weak point as new features designed to permit faster browsing and add functionality also inevitably create opportunities for hackers to install malware on PCs and smartphones.

There’s a lot of misinformation about the types of websites most likely to present a malware threat or ransomware infection to users. The risk of infection to a network by individual users accessing dubious websites operated by criminals, for example, is quite high.

Equally, the risk posed by very well-known sites, such as Amazon or Google, is extremely low. But between these two extremes lie many millions of sites which may be infected without their (often IT-agnostic) owners even knowing it. Furthermore, while “bad” sites can often be identified, supposedly “good” sites may not actually be “good” all the time.

So the only safe assumption any corporate or large network manager can make is that, at some point, individual users will ignore instructions to restrict access to known and approved sites.

The optimum solution in this situation may be the creation of a “demilitarized zone” between the individual user and the internet. The browser in this case is not running on the individual PC but provided on a well-protected internet-facing server within the company, with end users simply seeing the pixels being forwarded to their screens.

Network protection in the cloud

The ubiquitous “cloud,” consisting of networks, endpoints, and software applications, provides huge advantages today in terms of cost, scalability and data sharing. The challenge, however, is to ensure that only the right people have access to that data. In this respect, it’s worth remembering the saying much loved by computer engineers: “The cloud is just other people’s computers.”

That makes security even more complicated because the user’s data and applications are often running at data centers in unknown locations. Data encryption and a cloud workload protection platform, such as secunet’s SecuStack, which constantly monitors workflows while they are running in the cloud and encrypts data either in transit or residing in the cloud, address these security challenges.

360° protection against vulnerabilities

Security is a never-ending journey, not a destination. While hackers are constantly looking for vulnerabilities, developers of devices, networks, and applications may unwittingly create previously unknown vulnerabilities every time they seek to enhance functionality.

“The defense side needs to discover these vulnerabilities first in order to address them with security patches. Using independent ‘white hat’ hackers, such as those we employ on behalf of our clients, has been proven to be very effective,” says Rost.

Above all, it’s important to recognize that cyberthreats require a holistic response. A chain is only as strong as its weakest link and attackers are increasingly automating their activities.

“This is why it’s far better to secure everything, even to a minimum extent, at modest cost, rather than merely providing an expensive ‘belt and braces’ solution to only one or two aspects,” says Rost. “Investing in a fully secure browser while doing nothing about identities or the cloud only means that the attack, when it comes, is less likely to do so through the browser.”

Regrettably, he adds, cybersecurity measures are too often seen as a cost, in much the same way as insurance. “Few enterprises that have not suffered a severe ransomware attack are proactive in employing cybersecurity technology. Those that have, are – and they now regard cybersecurity as a true business enabler.”

Zero trust architecture

The perfect protection for every organization is a holistic, 360° combination of solutions that increase resilience through security gateways, network encryption devices, hardened endpoints, virtualized browsers and OS, and security-tested applications, supported by professional identity and access management solutions.

This approach results in a “zero trust” architecture which identifies, integrity-checks, and properly authorizes every component of the internet. A managed security service provider using threat intelligence feeds to access information on the latest cyberthreats and risks in real time is an invaluable support to this.

Published: 10/05/2020
