Self-Attack is the Best Defense

Autonomous pentests from the cloud can be used to identify vulnerabilities.

“When it comes to cybersecurity, the German economy relies too one-sidedly on mere defense measures and neglects the self-attack to check cyber resilience,” says Rainer M. Richter from the security company Horizon3.ai. He points out that the European Central Bank (ECB) has been carrying out stress tests in the financial sector for years. During the pentest, white hat hackers attempt to crack company computer networks in order to uncover vulnerabilities. “White hat hackers are no longer needed because there are autonomous stress test platforms that are readily available from the cloud for a reasonable price,” says Richter.

Increasing requirements for cyber resilience

In addition to specific security requirements for the financial sector, other sectors of the economy must strengthen their cyber resilience due to stricter EU legislation. These include the new NIS2 Directive or the German law implementing the EU requirements (NIS2UmsuCG), which is due to come into force in October 2024 and will affect at least 30,000 companies in Germany.

One way to identify your own vulnerabilities is to use autonomous pentests from the cloud, which, according to Richter, are “affordable for every medium-sized company”. A cloud-based pentest platform also includes connected machines and devices in the test. The costs scale with the number of workstations and the size of the computer network. The pentest costs must also be set in relation to potential damage from cyber attacks. The IT industry association Bitkom puts the total annual damage to the German economy at over 223 billion euros.

Overview of vulnerabilities

“If hackers take control of the security cameras on the factory premises, it jeopardises the security of the entire company,” says the Head of Europe and Asia at Horizon3.ai, giving a concrete example of how the call for greater cyber resilience extends far beyond companies’ computer systems. Most IT departments have long since lost track of all the potential vulnerabilities in their computer networks, says Richter. This is understandable, “because computer and network constellations are becoming increasingly complex and attacks are becoming more sophisticated and faster.”

As Horizon3.ai has discovered with its own AI-based pentesting platform NodeZero in company-commissioned attack scenarios, it is usually possible to overcome companies’ defense systems within a few minutes. NodeZero also uses social engineering skills to exploit human weaknesses, for example when an employee reveals the name of their dog on social networks and simultaneously uses it as a password for the company network.

70 new vulnerabilities per day

“Many companies have 20 to 40 separate security systems running simultaneously to defend against cyber attacks, but hardly know how well they work together,” says Richter. He refers to research by the BSI, according to which an average of more than 2,000 vulnerabilities are recorded in software products every month, 15 percent of which the BSI classifies as “critical”. Richter: “Given that there are almost 70 new potential gateways for hackers every day, a stress or penetration test is basically recommended every day, but definitely once a week.”