The one where we stole some cars – Cybersecurity Insights by Immanuel Bär

“I gave them a get-out-of-jail-free card,” says Schneider. “They were supposed to take everything that was possible – nobody knew about it except me, not even the management.” The penetration testers at ProSec take their assignments very seriously – and sometimes literally. During this penetration test, they even ended up stealing several company cars without anyone noticing. How little was needed for this, and how our co-founder Immanuel Bär and his team colleagues gained full control over the IT of an apparently well-secured production company over the course of the operation, is described in detail in an article on heise online.

Read the full story in the article on heise online:

Missing Link: How a company lost control in a cyberattack

Here we have compiled the article's most important lessons for those responsible for security in companies, so that your company cars, data and infrastructure are protected against malicious hackers in the future.

10 lessons from a realistic cyber attack for your security

Could our penetration testers (or, the real problem, malicious hackers) simply walk into your company and gain access unhindered? Here are 10 lessons that will help you confidently answer this question with “No!” in the future:

  • Secure physical access and always be vigilant:
    "Companies often underestimate how easily physical access points can be overlooked," says Immanuel Bär. The test reveals how crucial it is to consciously secure entrances - including side doors and extensions - and to check them regularly.
Ethical Hacker on a Mission: ProSec co-founder Immanuel Bär checks the IT security of a company, including physical access. (Photo: Jan P. Wall)
  • Don’t give away trust blindly, but build a culture of security:
    "The strategy is to become one with the company and show people: We belong here," says Bär, explaining the approach. Companies should convey to employees that security always comes with a healthy dose of mistrust - but without overreacting.
  • Establish clear reporting channels and contact persons in case of emergency:
    "It is not advisable to confront a stranger directly if you sense danger," warns Bär. It is much more important that employees know exactly where they can ask whether technical maintenance or similar actions are actually taking place.
  • Minimize social engineering risks from garbage, social media and unsecured areas:
    "Show me your trash and I'll show you your identity," explains Bär, whose team draws on social media information in addition to material found on site. Regular awareness training against social engineering - whether via unattended documents or social media - can have a preventive effect here.
"Show me your garbage and I'll show you your identity." Immanuel Bär on dumpster diving as an attack vector for hackers. (Photo: Jan P. Wall)
  • Use weaknesses as growth opportunities:
    "I didn't think it would be such a big project, but we were able to gain some very good insights," reflects IT manager Schneider. For companies, a penetration test is an opportunity to realistically assess their own security strategy and make improvements in the right areas.
  • Regularly train employees in all departments:
    "IT security does not only affect IT - it also includes the human resources department, facility management because of open doors, but also production, because the employees ultimately have to implement it," emphasizes Bär. In order to close security gaps, regular training is necessary so that all employees - not just those in IT - are aware of potential threats.
  • Strong security measures and a well-thought-out architecture in the digital and physical areas:
    "Eight years ago, we invested 35,000 euros in anti-virus protection and that was security," recalls Schneider. The company has learned that today's threats require much greater and more comprehensive investment in security solutions.
  • Targeted attack simulations to identify undiscovered vulnerabilities:
    The test simulations that Bär and his team conduct show how important it is to play through real scenarios. From unsecured company premises to social manipulation techniques, the test reveals where companies can specifically improve their defense mechanisms.

IT security does not only affect IT – it is a task for the entire company.

ProSec co-founder Immanuel Bär