White Hat Against Cyber Attacks Podcast

White hat podcast

In June 2022, our founders Tim and Immanuel were guests on "Update available", the BSI's podcast for digital security in everyday life. In the episode "Hacking against cyber attacks? Talking to white hats" from June 30, 2022, they talk to hosts Ute Lange and Michael Münz about their personal motivation, about possible paths into a career as a white hat (an ethical, legally operating hacker), about the human factor and social engineering, and they give insights into the current state of the IT security industry.

IT security concerns us all

Digital security is becoming increasingly important for companies, but also for private consumers. The podcast cites the initiative "Germany safe online" (DsiN), according to whose index consumers are currently less well protected than in the past. The BSI's second report on digital consumer protection shows the same picture: private individuals are increasingly affected by cyber attacks without being attacked directly. This is the case, for example, when hospitals, payment systems or public authorities are hacked.

Tim once hacked a hospital's WiFi to put a message in the manager's inbox.

In the podcast, Tim reports on a very personal experience: when he was at the hospital with his wife, who had cancer, for a treatment, it could not be carried out because the hospital was being hacked at that very moment. Up to that point, the hospital management had apparently been convinced that one cannot protect oneself against such incidents anyway and simply has to live with them. Tim then hacked the hospital's WLAN in order to put a message in the managing director's inbox: he should please contact ProSec, because with the right know-how one can very well protect oneself against such incidents. This ultimately resulted in free testing and advice from our "white hats" to better protect the hospital and its patients against cyber attacks in the future.


ProSec founders: "Not only ethical hackers on paper"

The personal motivation that led Immanuel and Tim to pursue careers as ethical hackers and to found ProSec echoes in the story of the hospital incident. Immanuel reports on his own key experience: at a hacker congress, a proof-of-concept document was circulated that described how pacemakers can be hacked. For Immanuel, that was a decisive moment in his biography, the point at which he made a clear decision in favor of the "good" side of hacking.

"Can we manage to save lives with hacking?"

Tim, too, could never reconcile the way illegal hackers work with his own "moral compass", as he explains in the podcast. In order to earn money through illegal hacking, attacks have to be distributed widely, and so it is impossible to foresee who will be hit and what the consequences will be for human lives, Tim continues. At the beginning of their careers as founders, this raised the question for Tim and Immanuel of whether hacking could save human lives instead of endangering them. Our founders have therefore made it their task to explain the methods of the "bad hackers", to uncover them and to develop appropriate protective mechanisms.

In summary, Tim makes it clear: "We also want to make money because we are a company and have to pay salaries, but we don't do that at the expense of others!"

Hacker by trade

How does one actually become a white hat?

We all know the cliché that Immanuel sketches in the podcast: someone slips into a dark hoodie, pulls the hood down over his face, sits down in front of a computer and thereby mutates into a "hacker". But what does it look like in reality? How does one become a security analyst or penetration tester, as the official job titles on the legal side are called?

One question that occupies the hosts is the professional path to becoming a "professional hacker". There are courses that cover relevant topics, but "hacker" is definitely not a classic apprenticeship. For this reason, the employees at ProSec often found their current job in a roundabout way, for example through their hobby or through overlaps with completely different professional fields. Tim reports on an employee from our marketing department who helps develop social engineering scenarios, and Immanuel mentions a philosophy graduate in the solutions area of our team.

The problem when finding new employees: small time window

However, Tim emphasizes that he would not hire people who have already committed criminal offenses through illegal hacking, whether they were caught or not. The time window for finding new talent is therefore very small. At exactly that crossroads, however, he would like to offer young hackers the perspective that hacking can also be done legally and in the service of a good cause.

Employees wanted!

ProSec is actually always looking for new employees because the market is booming and the demand from companies for testing their IT security is huge. This is not least due to the Ukraine war.

How does the Ukraine war affect our digital security?

On the subject of the Ukraine war, Tim mentions the keyword "bloody trade": companies that have a direct or indirect business relationship with Russia or Ukraine are quickly targeted by the other side. This can also affect companies where hacker groups such as Killnet wrongly assume a relationship with one of the two countries. In order to warn companies of possible attacks, ProSec has developed a scanner that searches hacker forums for announced targets. The results are freely available on our website:

Live attack parser.

For example, memes are shared on social media under the hashtag #bloodytrade, which are intended to call for attacks on certain targets. This shows that marketing departments must increasingly be included in the identification of threat situations.

How did Tim and Immanuel get into hacking?

Our founders also report on their own entry into the world of hacking. Tim's journey began in third grade: after the switch from modem to ISDN, there were CDs with vouchers containing codes for 3 free hours of ISDN. Tim learned to program in order to test such codes automatically, and that is how he got his first "Internet flat rate".

Immanuel, on the other hand, got into hacking through his private biography: after fleeing his country of origin, he wanted to obtain information about family connections. As a teenager, he became interested in methods of gathering information and the human factor.

What does everyday work at ProSec look like?

Companies commission us with the questions "Am I safe?" or "Where are my security gaps?" and want their IT security checked by tests. In contrast to illegal or private hackers, companies like ProSec have project management and appropriate insurance in place to handle and safeguard such tests professionally.

After the engagement has been commissioned and the general conditions clarified, different teams take care of planning and carrying out the tests: from physical access to buildings, to network attacks, to social engineering targeting the human factor, all access routes that illegal hackers would also use are included. At the end, the tested company receives a detailed overview of the security gaps found and of possible improvements to its security management.

A company's security management already starts with detection: are attacks noticed at all? Another important factor is the separation of the network into individual subnets, so that an attacker who has penetrated one area does not immediately have access to all other network areas. Update and patch management are also very important for reliable protection.
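The segmentation point above is easy to state and easy to get wrong in practice, because what matters is not a single firewall rule but the chain of permitted flows an attacker can follow. The following is an added illustration, not code from the podcast or from ProSec: a small attack-path model in which a policy lists, for each network segment, the segments it may initiate connections to, and a breadth-first search computes everything reachable from one compromised segment. The segment names and rules are constructed, loosely modeled on a hospital network.

```python
"""Added example (not from the podcast or ProSec): a tiny attack-path model that shows
why segmentation limits what a single foothold gives an attacker.

Segments and rules below are constructed for illustration (hospital-like names only)."""
from collections import deque
from typing import Dict, Set

# A policy maps each segment to the set of segments it is ALLOWED to initiate
# connections to (the direction a firewall rule permits). Lateral movement follows
# these edges; replies to permitted flows are implied and not modeled separately.
Policy = Dict[str, Set[str]]

SEGMENTS = {"guest-wifi", "office", "server", "dmz", "medical-devices", "management"}

# Flat network: one broadcast domain, no internal filtering. Everything sees everything.
FLAT: Policy = {seg: SEGMENTS - {seg} for seg in SEGMENTS}

# Segmented network (constructed): each zone may only initiate what its role needs.
SEGMENTED: Policy = {
    "guest-wifi": set(),                      # internet breakout only, nothing internal
    "office": {"dmz", "server"},              # users reach published apps and file/AD servers
    "server": {"medical-devices"},            # e.g. PACS/HIS servers talk to the modalities
    "dmz": set(),                             # must not initiate connections inward
    "medical-devices": set(),                 # devices never initiate into other zones
    "management": {"office", "server", "dmz", "medical-devices"},  # admin jump zone
}


def reachable(policy: Policy, foothold: str) -> Set[str]:
    """Segments an attacker can reach from `foothold` by chaining permitted flows
    (transitive closure via breadth-first search). The foothold itself is included."""
    if foothold not in policy:
        raise KeyError(f"unknown segment: {foothold}")
    seen = {foothold}
    queue = deque([foothold])
    while queue:
        current = queue.popleft()
        for nxt in policy.get(current, set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(policy: Policy, foothold: str) -> float:
    """Fraction of all segments reachable from one compromised segment."""
    return len(reachable(policy, foothold)) / len(policy)


def exposed_to(policy: Policy, low_trust: str) -> Set[str]:
    """Segments (other than itself) that a low-trust zone can ultimately reach.
    Useful as a policy check: for guest Wi-Fi this set should be empty."""
    return reachable(policy, low_trust) - {low_trust}


if __name__ == "__main__":
    for name, pol in (("flat", FLAT), ("segmented", SEGMENTED)):
        for foothold in ("guest-wifi", "office"):
            print(f"{name:9} foothold={foothold:11} "
                  f"reach={sorted(reachable(pol, foothold))} "
                  f"blast radius={blast_radius(pol, foothold):.2f}")
```

In the flat policy a foothold anywhere, including the guest Wi-Fi, reaches every segment. In the segmented policy the guest Wi-Fi reaches nothing internal, but an office foothold still reaches the medical devices transitively via the server zone even though no office-to-devices rule exists. That chain is exactly what a rule-by-rule review misses and what a reachability check like this makes visible.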

Given all these factors, Immanuel believes it makes almost no difference how big a company is or how many people work there. Digitization always means interfaces, and interfaces always offer attack vectors. This ranges from a robot vacuum cleaner, to a new telephone system that may not yet have been fully set up, to the production plant of a machine manufacturer.

Founders Tim and Immanuel (from left to right)

The human factor

Social Engineering

In their attacks, hackers often exploit the weakest link in the chain of defense: the human factor. Tim explains that people fall for the same weaknesses over and over again, emotions such as curiosity and fear. If a hacker cannot get into a network by technical means, they can usually get in through the users.

"Don't think of yourself as safer than everyone else!"

Immanuel and Tim give an example of how the human factor can be cracked using social engineering: if attackers gain physical access to an office building (for example because a door has been propped open with a simple wooden wedge), they can deliberately leave manipulated USB sticks lying around. For employees with a weakness for beautiful things, these might be golden USB sticks; in the IT department, sticks labeled "My Bitcoin Wallet" are more likely to work.

Tim admits that in a weak moment even he could be tempted enough by such a stick to plug it into his laptop. His message is therefore, despite all caution, not to consider oneself infallible and to be aware of one's own weaknesses. Immanuel adds that such a social engineering attack does not necessarily have to target the person themselves, but can also target family members, for example in order to gain access to the home network.

In this context, moderator Michael Münz reports on an experience during a conference: someone asked him for a USB stick and he carelessly handed it over. Later he asked himself whether he could still use this stick safely at all.

His colleague Ute Lange adds incidents from the Bundestag: criminals contacted several members of parliament via SMS, pretending to be politicians. In the SMS they ask for a confidential conversation on a secure channel, for which the addressee is supposed to create a new account on that channel. The scammers' aim is to intercept the authentication code in order to register another account in the name of the member of parliament. According to the host, the exact motives behind this procedure are still unclear.

The hosts and our founders agree: the best technical security does not protect against human manipulation, so a certain skepticism is generally appropriate. Despite all its know-how, ProSec is not exempt from attacks either. Tim admits that our company has been attacked in the past, albeit without success. From his own experience he knows the queasy feeling between recognizing an attack and being certain that the perpetrators have been successfully repelled.


What can consumers do?

The BSI sees the primary responsibility for protecting user data as lying with the manufacturers and providers of digital products. But Michael Münz makes it clear that consumers can, on the one hand, make sure they select particularly suitable products and, on the other hand, take action themselves when it comes to protecting their data online. His colleague Ute Lange, for example, recommends the Identity Leak Checker from the Hasso Plattner Institute to check whether one's own identity is part of a data leak. Tim adds the similar service "Have I been pwned?".

Is my identity part of a known data leak? This can be checked here:

HPI Identity Leak Checker

Have I been pwned?

What happens if you are affected by such a data leak? The hosts explain that this can lead to spoofing calls (in which the caller fakes their identity or caller ID) or spam emails. Ute Lange warns the audience that even the BSI's own telephone number is currently being misused for spoofing calls. Those affected should change the passwords of the affected accounts immediately.

Tim and Immanuel also recommend using a password manager. Such a "safe" makes it possible to use a separate, as complex as possible password for every login without having to remember them all. Not exactly a new tip, Tim laughs, but still relevant for many people. It is also important to be aware of one's own human weaknesses and, in critical situations, to reflect on whether one is able to make a rational decision. If an email puts you in an anxious mood, for example, you should get that emotion under control before clicking a link.
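The "Have I been pwned?" service recommended above also exposes a Pwned Passwords API that can tell whether a given password has already appeared in a breach, which fits naturally with the advice to use a unique password per login. The privacy-relevant detail is how the lookup is done: the client sends only the first five hex characters of the password's SHA-1 and matches the rest locally against the returned range (k-anonymity), so the service never learns the password or its full hash. The following is an added example, not code from the podcast, from ProSec or from the HIBP project; the endpoint URL and the `Add-Padding` header are the real ones, while the response body used for the offline demo is constructed and its counts are illustrative.

```python
"""Added example (not from the podcast, not ProSec's or HIBP's code): checking a
password against Have I Been Pwned's Pwned Passwords range API with k-anonymity.
Only the first five hex characters of the SHA-1 leave the client; the suffix is
matched locally. The response body below is constructed for the offline demo."""
import hashlib
import urllib.request
from typing import Callable, Tuple

# Real endpoint of the Pwned Passwords range API (no API key needed).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hibp_range_prefix(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): the upper-case SHA-1 hex split after 5 characters.
    Only `prefix` is ever sent to the service; `suffix` (35 chars) stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the breach count
    for `suffix`, or 0 if it is absent (padding entries also carry count 0)."""
    target = suffix.upper()
    for line in body.splitlines():
        cand, sep, count = line.strip().partition(":")
        if not sep or cand.upper() != target:
            continue
        try:
            return int(count)
        except ValueError:
            return 0
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup of one hash-prefix range (network; not used by the offline demo).
    Add-Padding asks the service to pad the response so its size leaks nothing."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Full check: send only the prefix, match the suffix locally, return the count."""
    prefix, suffix = hibp_range_prefix(password)
    return count_in_range_response(suffix, fetch(prefix))


# Constructed stand-in for the body returned for prefix 5BAA6 (SHA-1 of "password").
# Suffixes other than the third and all counts are made up for this demo.
CONSTRUCTED_5BAA6_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4F7CE4A7B4E9D0F2A0A2B5C9C3D1E2F3A:0
"""


def demo_offline(password: str = "password") -> int:
    """Run the check against the constructed body instead of the network."""
    return pwned_count(password, fetch=lambda prefix: CONSTRUCTED_5BAA6_RESPONSE)


if __name__ == "__main__":
    prefix, _ = hibp_range_prefix("password")
    print(f"prefix sent to service: {prefix}")
    print(f"'password' seen in breaches (constructed data): {demo_offline('password')}")
```

To run it against the live service, call `pwned_count("...")` without the `fetch` argument; the only thing that crosses the wire is the five-character prefix. A count of 0 means the suffix was not in the range, and padding entries with a count of 0 are treated the same way as absent ones.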

Motto: "Head and context"

Finally, Immanuel condenses the tips on the "human factor" into a mnemonic that host Ute Lange still has very much in mind during the wrap-up of the next episode: "Head and context". Immanuel explains the two keywords as follows: in borderline situations, one should always ask whether the details fit the overall context, and whether one's own head is clear enough at that moment to make a rational decision. For example, Immanuel's mother once received a smishing message (smishing = phishing via text message) on her senior cell phone saying that a parcel was waiting to be picked up. She immediately noticed that the context could not be right: she had not ordered a parcel at all.

Better an hour at the dentist without injections than an hour without protection on the internet!

Ute Lange closes the podcast episode with the firm intention of integrating the ProSec founders' tips into her everyday life: just as we do not leave our keys in the front door in the analogue world, we should also take care of the security of our data in the digital world. Because Immanuel and Tim immediately agree on an either/or question at the beginning of the podcast: better an hour at the dentist without injections than an hour without protection on the internet!
