
Ten tips and tricks to tackle a cyber attack

The content on this page has been translated automatically.

It is no longer a question of if, but when you will have to deal with a hack. So it is not surprising that the Association organized the webinar "How easy is an insurer to hack?". Jordi van den Breekel (KPMG) and Ben Brücker (Secura) shared plenty of tips and tricks.

1. The basics

"It's stating the obvious, but just start at the beginning," Jordi says. "Get the basics in order and you make it difficult for attackers. Speaking of attackers, which attackers are in your threat landscape? Where do they come from? What techniques and methods do they use?"
"Having the basics in order also means that you have to be aware of the information you have in-house," adds Ben. "What are your crown jewels?"

2. The right mix

Prevention is important, but the chance of a Red Team (or a hacker) getting in is even greater. "We get in (almost) anytime, anywhere," Ben says. His advice? "Put together the right mix of security measures. Think one step further. What if someone is inside? What then? Are our crisis exercises in order? Have we taken the right detection measures? And don't forget the outside guard. Recruiters, for example, are a sought-after target for getting in. We sometimes send a CV. If it is opened, we can enter the organization through a back door."

Ben Brücker: "Put together the right mix of security measures. What if someone is inside? What then?"

3. Application Whitelisting

Jordi: "There are a lot of resources available. Implementing whitelisting is a good measure, because it makes it more difficult to execute uncontrolled code on a workstation. In other words, you can only run an application if it has been approved in advance by the IT team."

4. One horse

"Agree," Ben responds. "The same applies to the use of multifactor authentication. This also makes the life of a hacker more difficult, because he will have to look for another method to get in. But, no matter how good applications are, never bet on one horse. That is not enough. A hacker has hundreds of methods at his disposal."

5. The time

"And, not unimportantly, a hacker has the time. Just like us in Red Teaming," Jordi emphasizes. "We always manage to get in, and that mainly has to do with the fact that we only need one employee who falls for the phishing mail. Sometimes we need days or even weeks, but if you give us enough time, we'll find that one employee. A standard attack lasts at least twelve weeks, and what applies to us applies even more to a hacker. He doesn't have a deadline. In fact, he has months to attack."

Jordi van den Breekel: "A hacker has no deadline. He has months to attack."

6. ChatGPT

Ben: "Technology stops at nothing. Developments are moving fast. ChatGPT can create beautiful texts, but ChatGPT can also help a hacker. When creating that one specific phishing email. Or when setting up a phishing website. So it's a matter of staying sharp!"

7. Strange people

"Also, be alert to strange people in your building. In Red Teaming we use different methods. One of them is to simply break in, for example by supposedly applying for a job and walking into a department. After knocking over a cup of coffee, we leave a device behind. It is very enlightening to show the photos of all the rooms we have been in and all the documents we got hold of."

Ben Brücker: "Very enlightening to show after a test all the rooms we have been in"

8. Raise awareness

Ben says it almost casually: about thirty percent of people still fall for phishing. "So we need to do more to influence people's behavior. How? That can sometimes be very simple. What can employees do if they suspect phishing? Do they know who to turn to? Is that person accessible? And do they know what to do if they spot a suspicious person? These are small things, but make it easy for people to behave safely."

9. Crisis

"People are important and certainly not always the weakest link in the defense," says Jordi. "Yet we often do social engineering, for example in a workshop for a small group. Then we show the entire organization how and what happened. A lot of people think it never happens to them and they don't fall for a phishing email until you show them how it happens."
Ben: "That's why you not only have to test the technical and detection measures, but also test a real crisis situation. Only then is the MT prepared. If the day ever comes and you fall victim to a cyberattack, you've practiced at least once. In a safe environment."

Jordi van den Breekel: "Many people think that they never fall for a phishing email until they see how it happens"

10. Red Teaming

Just over fifty percent of the participants in the webinar indicate that they have no experience with Red Teaming. Almost a quarter know that their organization has no experience with it either. Meanwhile, about three-quarters consider it "possible" or "likely" that hackers can get in. Both Ben and Jordi emphasize that Red Teaming is a realistic simulation of a cyber attack. The aim is to test the detection, response and mitigation capabilities of the defenders. "Red Teaming is for learning. You can't pass or fail a test."

Want to read more about testing? Then take a look at our longread, in which Rob Wassink (DNB) goes deeper into DNB's TIBER tests, among other things.

