
When cyber insurers and penetration testers work together, the result is great added value for everyone involved. Why this is so and how these synergy effects can be used even better in the future is explained by our co-founder Immanuel in this interview with AssCompact, the trade magazine for risk and capital management.
At the beginning of the interview, Immanuel makes it clear why dealing with cyber security and corresponding cyber insurance is important for every company: Even if "only" systems are attacked in a hacking attack, the consequences ultimately affect people.
For example, a successful cyber attack can cause people to lose their jobs. It can also cause severe restrictions for customers or users. This was demonstrated by the attack on the Chambers of Commerce and Industry (CCI) in September 2022. Immanuel clarifies that not only the internal systems of the CCI were affected by this attack: "The training system within the CCI member companies as well as citizen-oriented CCI services were also completely knocked out."
It is irrelevant whether it is a predominantly digitally active company or a corporate group. Even a carpenter's workshop with a web store can fall victim to hackers, Immanuel makes clear. After all, cybercrime is a lucrative business that thrives on broad distribution: "Cybercrime is by far the most effective way to make money. There is no industry that scales so rapidly and has such a high turnover." The current global wave of cyber attacks is a case in point.
For Immanuel, it's clear that "hacker attacks are deeply embedded in our society in 2022." But he also has good news in store: "In 2023, however, cyberattacks with fatal consequences are preventable." And, "There is an antidote to all cyberattacks."
One example: Approximately 75 percent of all cyber attacks start with malicious e-mail attachments, i.e. via the human factor. This danger can be drastically reduced by so-called sandboxing technology: an isolated environment in which potentially unsafe software code can be executed on a trial basis. If it does turn out to be malicious code, it can be blocked within this environment without infecting the rest of the network.
By now at the latest, every company and government agency should be proactively addressing the issue of cyber security. In the following sections, we explain how professional hackers like Immanuel can help and what role cyber insurance plays.
If companies want to protect themselves comprehensively against damage from hacking attacks, penetration tests and cyber insurance should go hand in hand. On the one hand, even with supposedly secure systems, there is always a residual risk that can be covered by insurance policies. On the other hand, a company can significantly increase its insurability in the event of cyber attacks if it undergoes a thorough check by professional pentesters, explains Immanuel.
The truth is: questionnaires say nothing about the actual IT security of a company.
Immanuel (Co-Founder and CEO, ProSec)
Ultimately, all sides benefit from this "synergy effect". Only a genuine penetration test can provide a realistic picture of a company's cyber security and be the cornerstone for its optimization. Alternatives such as questionnaires are not sufficient for this, as Immanuel clearly explains in the interview:
Immanuel reports on the case of a client he is friends with: An insurer's rating via questionnaire had indicated that the client was "safe" enough for cyber risk protection.
But then the penetration testers from ProSec came along and had no trouble gaining access to highly sensitive data. Both the insurer and the customer benefit from this reality check: the company can fix the vulnerabilities found, and the insurer's risk of having to pay out in the event of a claim is minimized.
So it's a win-win.
It is therefore not surprising that insurers "above a certain protection requirement class" call on the expertise of cyber security specialists like ProSec. In certain cases, insurers even cover the entire cost of our services for the customer when underwriting the policy, Immanuel adds. The "bonus section" at the end of this article goes into this in more detail.
Insurers themselves would also do well to check their own security with comprehensive penetration tests. After all, there is a lot of sensitive data on their systems, which makes them a very attractive target for ransomware attacks by hackers. Immanuel explains the logic behind it:
Most cyber attacks are about achieving the highest possible level of monetization. They usually achieve this through ransomware attacks, in which hackers encrypt data and blackmail the attacked company by threatening to publish it. In the case of cyber insurers, this leverage works particularly well for data protection reasons, which is why they are a popular target for hackers.
Another "bonus" for the attackers is the content of the captured data itself: Here they learn which other companies have taken out a cyber policy with ransom payment. These companies, in turn, represent suitable follow-up targets, since ransom demands are very likely to be fulfilled.
From his practice as a professional hacker, Immanuel currently sees these three points as concrete tasks for cyber insurance companies:
Let's assume the damage has already been done and a company has been successfully hacked. This is a very stressful situation for all those responsible. The good news is that this very situation can be the starting point for a strengthened and sustainably secure IT landscape at this company. What is needed for this is an incident-related pentest.
The difference between a proactive pentest and a pentest in the specific context of a hacking incident lies mainly in scoping: Before each pentest, service providers such as ProSec work with the company to determine the scope and framework conditions for the test. Without a concrete incident, those responsible must assess which components should be tested particularly thoroughly and which paths attackers would most likely choose.
If there is a real attack, the available information about this attack can be used for scoping. However, this does not mean that the pentest is reduced to the exact kill chain of precisely this attack: Here, too, testing is carried out across the board to include other attack scenarios.
To date, the usual procedure on the part of cyber insurers following a hacking incident has been a forensic investigation. Its aim is to identify possible perpetrators by investigating the methods and attack paths used.
In connection with an attack that has taken place, a pentest also investigates how it was probably carried out. However, the goal is different: It is less about identifying the perpetrators and more about identifying the vulnerabilities. A good penetration test provider does not stop at the identification, but also supports the subsequent remediation of these vulnerabilities.
Figuratively, you can imagine the difference as follows: After a burglary, investigators look for fingerprints in order to subsequently search a database for matching entries and thus possibly identify the perpetrator. Pentesters also search for fingerprints. However, they are not concerned with matching them to a specific person. Rather, they are concerned with whether the perpetrators broke in through the front door or a window and how they subsequently moved through the house. Overall, pentesters put on "attacker's glasses" in their work and also include other possible burglary routes in their investigation.
Why does this focus make sense? In the case of hacking attacks, the probability of being able to identify individual perpetrators is unfortunately vanishingly small compared to crimes "in the real world". However, the risk of being hacked again after a hacking incident is relatively high. That is why it makes more sense to focus on protection against future attacks. ProSec ensures this by means of a technical workshop that is conducted after the actual pentest. Here, the pentesters transfer their expertise to the company's IT specialists and support them in remediating the findings.
Cyber insurance companies often rely on questionnaires (already discussed above) and automated vulnerability scans. The great advantage of such tools is obvious: they are highly scalable and deliver results quickly. That is why they have their place and are an important tool on the way to greater cyber resilience.
The limitations of such scans are equally clear: they are exclusively external and remain non-invasive. This ignores the gateway par excellence: The human factor and its susceptibility to social engineering. In addition, it remains unclear how attackers spread throughout systems after exploiting a vulnerability and what damage they can cause there. These questions can only be answered by a comprehensive pentest that includes social engineering and also the physical security of a company.
The following example shows how all parties can benefit from an incident-based pentest: A medium-sized logistics company had been hacked a few months ago. When handling the incident, the IT service provider recommended that the company call in ProSec as a "specialist". This is because, contrary to what is often assumed, not every IT company is automatically an expert in IT security. This is understandable if you consider the analogy to "general practitioners" and "specialists".
In the example given, we took a close look at the customer's cyber policy. In doing so, we found that measures to harden IT security were covered after a hacking incident. This is exactly what our penetration tests with the subsequent technical workshop are aimed at. Therefore, in this case, our service could be covered by the customer's insurance.