Hackers in the Service of Security

Hardly any other sector offers as lucrative job opportunities as cybersecurity. Employees from the most varied of companies and industries provide astonishing insights into this intriguing sector.

The defense center of Deutsche Telekom takes care of cyber attacks. Photo: Norbert Ittermann/Deutsche Telekom AG

Networked vehicles, smart homes, e-health and online shopping – just a few examples of how Internet-enabled communication and data exchange are having ever more pronounced effects on our daily lives. Increasing connectivity also increases the potential for risk. A string of successful and well-publicized cyberattacks goes to show: digital threats are not just theory. They hit Internet users and consumers where it hurts, and through channels taken for granted on a daily basis. For this reason, the cybersecurity sector has experienced a veritable boom in recent years, with hardly any other sector so desperate in its search for experts. Job prospects could hardly be better for recent graduates, those switching professions and experts in this area.

Hackers ensure security of future Volkswagen vehicles

Even businesses from more traditional industries are developing their future-critical cybersecurity competencies. For example, two years ago, Volkswagen founded Tel-Aviv-based subsidiary Cymotive in collaboration with a collective of Israeli IT specialists. The company develops security solutions for the next generation of networked vehicles, and in doing so employs a highly qualified team of hackers. The hackers identify potential security flaws in the data interfaces of the minuscule computer chips found in various electronic components, as well as in the associated software.

Both the automotive giant and Cymotive keep the names of their hackers confidential, but are able to provide insights into their work. For example, a so-called Red Team employs the same methods and tools as criminal hackers in order to attack and manipulate the systems being tested. If a security flaw is discovered, the Blue Team – located next door – develops concrete defensive measures to address it. Even though these experts are located in Israel, they work closely with their German colleagues at the Volkswagen headquarters in Wolfsburg. The Director of Information Security, Beate Hofer, explains: “Cybersecurity is more than just the technological safeguarding of infrastructure and systems.” It also comprises IT security procedures, risk management and a great deal else. “In order to effectively tackle cybersecurity, we need new perspectives – and that includes the perspective of the hacker,” continues Beate Hofer.

Ethical hacking for product security

DEKRA shares this belief. At DEKRA Testing & Certification in Málaga, the staff also includes a team of so-called Ethical Hackers. Manuel Mancera explains what their daily workload looks like: “We use the same methods as criminal hackers – but with a positive objective. Namely, to expose weaknesses in the security concepts of products tested by DEKRA.” There is a wide spectrum of products investigated by the highly specialized team, including systems such as smart home devices, e-health products, and of course networked vehicles. For this reason, Manuel Mancera works in close collaboration with his colleagues from the Product Safety and Connected Car departments. In this cooperation, everybody involved brings their own perspective on what is required for a comprehensive customer solution. That the team in Málaga is counted among the most learned experts in its field is demonstrated by its representation in all preeminent standardization committees across the cybersecurity and networked vehicle sectors, to which its members contribute their experiences.

Comprehensive cybersecurity is essential for autonomy. Photo: Science Photo Library/Getty Images, Viaframe/Getty Images

Honeypots protect industrial clients

In addition to protection for products destined for the end consumer, cybersecurity also plays a decisive role in industrial applications. After all, parallel to the Internet of Things, an Internet of Machines is also in development. Under the auspices of Industry 4.0, production facilities are being networked and linked with cloud services. However, this raises the potential risk of industrial espionage and sabotage.

Countering such hazards is just one of the responsibilities of security specialists, such as those employed by Deutsche Telekom’s Bonn-based ‘Cyber Defense and Security Operations Center’ which was founded at the end of 2017. “We analyze all activities across our international network,” reports René Reutter, Senior Security Specialist. “On any given day, we identify around a billion security-relevant incidents.” Among this astonishingly high number of incidents are attacks on both private clients and the systems of Telekom’s corporate clients. It is self-evident that such analyses must be automated. Employees such as René Reutter only intervene when the software-based security and filter systems hit the limits of their capabilities. But this is not all that the specialists do – in order to identify and analyze new attack methods, they place so-called honeypots in the network. These are specially prepared systems that – to cybercriminals – appear like industrial facilities with open security vulnerabilities. They attract hackers as an open pot of honey attracts bees. Experts such as René Reutter can then observe and investigate how the criminals go about their attempts to penetrate the system.

Humans remain the most important factor

“Even with all the technological solutions available for IT security, one must never lose sight of the human factor,” asserts Mei-Li Lin from DEKRA Insight. She and her colleagues in the Organizational Safety and Reliability Department concern themselves with the relatively new field of Behavioral Cybersecurity. She continues: “It is all about giving employees practical and effective cybersecurity procedures to follow. Even the most effective protection concepts will fail if the rules that users must adhere to are not fit for purpose.” It is therefore critical that security regulations are laid out in such a manner that they can be implemented even in the most stressful of situations. “For example, we examine which IT security-relevant decisions employees make when under pressure.” With special coaching, it is possible to train people to employ healthy cyber habits. And this, according to Mei-Li Lin, is more important and expedient in critical situations than any theoretical approach, which may be cast aside in the heat of the moment.

3 Questions for Manuel Mancera

Manuel Mancera, Ethical Hacker, DEKRA Testing & Certification in Málaga. Photo: Manuel Mancera

Mr. Mancera, how does one become a hacker for the ‘good side’?

Mancera: I studied information technology at university and specialized in the discipline of cybersecurity. When DEKRA began assembling this group of specialists two years ago, I immediately applied and was thus one of the first members in our department.

How does a day’s work for your department look?

Mancera: We work on a project basis, and normally with a specific product. There are, in principle, two testing approaches – black box and white box. In black box testing, we have no idea of any product details, and try to ‘crack’ the products in question with known exploits – that is publicly accessible safety flaws. This is the more common approach. With white box testing, the manufacturer provides us with specific documentation and insider information. This allows for more penetrating tests in specific areas but may also mean that we pay less attention to attack methods outside of the more obvious ones.

How do you proceed, once you identify a concrete security weakness?

Mancera: As a rule, the manufacturer takes over at this point and implements concrete improvements to address the identified weakness. Following this, the product comes back to us for further analysis. This may go back and forth a couple of times until we all decide that a sufficient level of security has been established.
