Cybersecurity basics: Everything you should know

The more connected the digital world grows, the more important the issue of security becomes. As cyberattacks steadily increase, cybersecurity has to keep pace or, even better, be at least one step ahead. New solutions enhance security. But what do they look like and what threats actually come from the Internet?

Cybersecurity and cyberattacks

When the Internet was invented more than thirty years ago, little attention was paid to security for private users to begin with – no one assumed there would be such a thing as online crime. That changed in the following years and terms like cybersecurity and cyberattacks were coined.

What is cybersecurity?

Cybersecurity deals with all aspects of security in information and communications technology and embraces a wide range of different measures, concepts and guidelines. These aim to protect computers, servers, mobile devices and networks connected to the Internet against unauthorized access, data theft, attacks and manipulation from the whole of cyberspace.

What is a cyberattack?

A cyberattack is a hostile attack on another party’s computer network or system, in which an attacker spies on the network or system, cripples it or even manipulates it to their own advantage. Cybercriminals target individual citizens, companies, political institutions, public authorities and even an entire country’s infrastructure.

More connected devices – more attacks

The reality is that cybersecurity is growing in importance: The IT network of Volkswagen, the world’s largest car manufacturer, is attacked 6,000 times a day, according to the German Federal Office for Information Security (BSI). High-tech companies like Infineon are also the target of many cyberattacks. Infineon’s Business Continuity (BC) department organizes its defenses.

According to the BSI, there are 20 highly specialized and serious attacks on the German government’s network itself every day. And the experts from Kaspersky Lab detect around 360,000 new malicious files a day worldwide. Companies with a lot of customer data, such as online shops or e-mail providers, are affected in particular. The objective: To steal personal data, such as account details and passwords.

Connected devices deliver a great deal of convenience, for example, by allowing you to turn up the heating by smartphone while you’re out, so that you come home to a warm living room. Yet they also offer attack surfaces and a doorway to cyberattacks. According to Statista, there will be about 75 billion connected devices worldwide by 2025.

What types of attacker and targets are there?

Cybercrime may have different aspects:

  • Internal versus external perpetrators
  • "Lone wolves" versus organized crime
  • Criminals with a financial motive
  • Government-sponsored attackers
  • Hidden attackers versus attackers aiming to attract public attention

The targets

Devices connected over the Internet offer useful functions, such as being able to reach one another remotely. Yet that also makes them potential targets for attackers:

  • Cybercriminals attack an individual user’s privacy, steal passwords, empty bank accounts or shop at the expense of the victim.
  • The many connected devices used by individuals, such as routers, tablets, cameras or PCs, if not appropriately secured, can be hijacked by attackers and joined together in botnets. These can then conduct denial-of-service (DoS) attacks and so cause telecommunications outages, for example.
  • Attackers try to steal business secrets through espionage or sabotage machinery at companies. The damage this causes in Germany is put at around 50 billion euros a year by the country’s Federal Office for the Protection of the Constitution.
  • In the case of attacking a state’s infrastructure, power grids (such as in Ukraine in 2015) and even the entire Internet of another country (as was the case in Estonia in 2007) are crippled.

The changing face of cyber threats

The world of cyber threats is changing rapidly. Clever attackers are constantly inventing new attack techniques. For example, ransomware encrypts data and locks computers, demanding a ransom to decrypt it. Even while an attack is ongoing, the malware grows more specialized, takes on a life of its own and becomes smarter.

Ransomware: Definition

If attackers use ransomware, they can manipulate the victim’s computer so that it can no longer be used – the PC or server and its data are hijacked virtually, as it were. The attacker only frees the computer and data once the victim – a person or a company – has paid a ransom.

“Stealing data by phishing was a top issue two years ago. Now it’s ransomware that’s a major focus of security experts, as well as law enforcement authorities,” says Dr. Detlef Houdeau, an expert for the cybersecurity market at Infineon.

As the number of devices that communicate with each other grows, so too does the complexity of potential attack scenarios. Houdeau illustrates that with a specific example: “The images from a CT (computed tomography) scanner at a hospital are sent automatically to the person’s doctor. The scanner is connected to the hospital’s IT (information technology) system, but comes from a manufacturer of medical products. If the scanner is not protected, someone can penetrate it and then manipulate the IT system. So it’s not enough to protect the hospital IT system. Connected devices must also be protected against cyberattacks.”

Quantum computers: A new threat

Technologies are advancing. Artificial intelligence can help defenders, yet also make cyberattacks more efficient; high-performance systems for quantum computing are also a new threat for the digital world.

Confidential data is encrypted to protect it in cyberspace. Many of the encryption algorithms used today can be cracked by a quantum computer. Experts expect the first quantum computers to be in use in 10 to 15 years’ time. New algorithms termed “post-quantum-resistant” will be standardized as a possible countermeasure in the coming months and years.

What are the most frequent and biggest cyber risks?

Attacks can exploit various weak points: in the home networks of private users, as well as the networks of companies and public authorities – even in government networks. The risks this entails are wide and diverse.

  • Users themselves can be the weak point: They might introduce malware by using an infected USB stick, use a password that’s easy to guess, such as their own birthday, or not (adequately) encrypt sensitive data.
  • Network equipment, such as broadband routers, may also have security vulnerabilities. In the fall of 2016, a million Germans were without digital TV, phone and Internet for two days because a widely used router had been attacked.
  • Attacks on a country’s critical infrastructure are even more dangerous. Adversaries may try to injure or kill people and severely hit the economy with a digital attack on hospitals, airports, trains, pipelines, banks or power grids. Defenders may not know when, where and how the attack will come.

 

Overview of major cyberattacks from the past:

  • 2007: A DoS attack cripples the entire Internet in Estonia.
  • 2010: The computer worm Stuxnet shuts down the uranium enrichment plant in Iran.
  • 2011: The data of 77 million subscribers was stolen from Sony in Japan.
  • 2012: The data of 24 million customer accounts was stolen from Amazon’s subsidiary Zappos.
  • 2013: Around 38 million customer data records were stolen from Adobe in the U.S.
  • 2014: The data of around 1 billion customer accounts was hacked at Yahoo in the U.S. That exposed the phone number, date of birth, encrypted passwords and unencrypted security questions used to recover passwords. The data of a total of 145 million customers was stolen at eBay in the same year.
  • 2015: The cyberattacks on the German parliament, the Bundestag, meant the computers had to be replaced.
  • 2016: As a result of the Mirai attacks, for example, on routers of Deutsche Telekom, around 1 million households were without TV, Internet and phone services for 24 hours. Fake information and news was sent to Democrats by social bots during the U.S. election campaign.
  • 2017: The malware WannaCry exploited a security vulnerability in Windows worldwide. The ransomware NotPetya encrypted the file table on hard drives on hundreds of thousands of computers.
  • 2018: The health data of 1.5 million citizens in Singapore was stolen.
  • 2019: Fraudulent transfers in the triple-digit range were initiated by phishing attacks on the Ärzte- und Apothekerbank in Germany.

Greater cybersecurity with new security concepts

Conventional methods, such as firewalls and anti-virus scanners, are no longer enough to ward off the different ways of being attacked. The attacks are simply too sophisticated. To use the Internet, connected vehicle, smart home, smart grid and industrial internet securely, we need new security concepts. They are based on a technological approach known as “security by design” and are built into the product or system when it is developed. Security standards are now being created in more and more IoT sectors and finding their way into new products.

Cybersecurity through encryption and authentication

The objective is to protect information so that only authorized persons, computers, machines or general network nodes can access it. That requires two steps: secured identification and authorization of the entities. The example of connected cars illustrates what that might look like. The cars of the future will have far more electronic equipment on board – and hence more external interfaces that may be vulnerable.

The software in the car needs regular updates to protect these interfaces. For that to work, it is necessary to ensure that the computer supplying the updates and the gateway in front of the car’s control system authenticate themselves to each other. That means only these two devices are allowed to exchange data. Moreover, communication between the interfaces must be encrypted to prevent eavesdropping and integrity-protected to prevent undetected interference. To avoid the need to go to a workshop for updates, they will increasingly be sent over-the-air (OTA), just like for a smartphone.

That requires appropriate hardware, which is why Infineon is equipping control units with chips that are responsible for authentication and encryption. Such secured identification processes are crucial in machine-to-machine communication.
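The exchange described above, sketched as an added example (not Infineon's or any vendor's implementation): the update server and the gateway prove themselves to each other, and the gateway installs an update only if its integrity tag verifies. Assumptions: both sides hold the same provisioned secret key, HMAC-SHA-256 stands in for whatever the security chip actually runs, and channel encryption is left out; all names and sample data are constructed.

```python
import hashlib
import hmac
import secrets

def _mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix every field so different field splits cannot collide.
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Party:
    """One end of the update link: update server or vehicle gateway."""
    def __init__(self, role: bytes, key: bytes):
        self.role, self.key = role, key
        self.nonce = secrets.token_bytes(16)  # fresh per session, defeats replay

    def proof(self, peer_nonce: bytes) -> bytes:
        # Shows key possession, bound to our role and to both nonces.
        return _mac(self.key, b"auth", self.role, self.nonce, peer_nonce)

    def accepts(self, peer_role: bytes, peer_nonce: bytes, peer_proof: bytes) -> bool:
        if peer_role == self.role:
            return False  # our own proof reflected back is never valid
        expected = _mac(self.key, b"auth", peer_role, peer_nonce, self.nonce)
        return hmac.compare_digest(expected, peer_proof)

    def session_key(self, server_nonce: bytes, gateway_nonce: bytes) -> bytes:
        # Per-session key, so a tag from an old session cannot be reused.
        return _mac(self.key, b"session", server_nonce, gateway_nonce)

def mutually_authenticated(server: Party, gateway: Party) -> bool:
    # Flow: both sides exchange nonces, then each sends its proof.
    return (gateway.accepts(server.role, server.nonce, server.proof(gateway.nonce))
            and server.accepts(gateway.role, gateway.nonce, gateway.proof(server.nonce)))

def tag_update(skey: bytes, firmware: bytes) -> bytes:
    return _mac(skey, b"update", firmware)

def gateway_installs(skey: bytes, firmware: bytes, tag: bytes) -> bool:
    # Integrity check: any change to the image invalidates the tag.
    return hmac.compare_digest(tag_update(skey, firmware), tag)

def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed shared key
    server, gateway = Party(b"server", key), Party(b"gateway", key)
    impostor = Party(b"server", secrets.token_bytes(32))  # lacks the real key
    firmware = b"constructed firmware image v2"
    tag = tag_update(server.session_key(server.nonce, gateway.nonce), firmware)
    gw_key = gateway.session_key(server.nonce, gateway.nonce)
    return {
        "honest": mutually_authenticated(server, gateway),
        "impostor": mutually_authenticated(impostor, gateway),
        "intact": gateway_installs(gw_key, firmware, tag),
        "tampered": gateway_installs(gw_key, firmware + b"!", tag),
    }

if __name__ == "__main__":
    print(demo())
```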

Connectivity: The future and past

Market analysts expect, for example, that around 100 million vehicles will be connected with the Internet by 2025, making the car a sort of “computer on four wheels.” On top of that, they will be connected to the infrastructure (V2I) and with each other (V2V), while autonomous vehicles will use new standards like 5G and ITS-G5.

Older products and systems, such as production machinery, railway signaling systems, medical products, cars and aircraft, pose a real challenge. The manufacturers have discontinued maintenance of the products and upgrading them would involve excessive cost and effort. One frequently tried approach is to separate these old devices from other systems using security gateways and firewalls. But this approach has failed when attackers found a way to breach these protections, as in the Ukrainian power grid attacks.

Internet security checklist

You should always observe these tips if you want to use the Internet securely:  

  1. Always keep software up-to-date.
  2. Use an anti-virus scanner and a firewall.
  3. Use strong passwords and protected password managers. Use at least 10, or even better 12, characters containing numbers, upper-case and lower-case letters and special characters, and use a different password for each service. Best of all, make up nonsense passwords: One expedient way is to take the initial letters in a sentence and add numbers and special characters. “I go to New York every May 31 and visit the Statue of Liberty!” then gives the password IgtNYeM31&vtSoL!

    One more piece of advice: For important accounts such as your bank, enable multi-factor authentication (MFA). When you log in to such an account, an extra code will be sent to you to confirm that you want to log in. An attacker who has your password won’t have that extra code, so they will be stymied. Among MFA methods, an authentication app is typically more secure than a text message sent to your phone because attackers have figured out how to intercept such text messages.
  4. Work on your computer as a normal user and not as an administrator, since the latter has wider access to the system. If your computer has been infected by malware and you are logged on as the administrator, any infected software that you run likewise has extended rights and can cause greater damage.
  5. Do not click on links in e-mails, and be careful when opening attachments, especially if you don’t know the sender. Check all attachments with an anti-virus scanner before opening them.
  6. Save all your important data regularly on another hard drive or in the cloud. (Note that this will not prevent ransomware from encrypting this data. To stop ransomware, you must burn your data to a DVD or store it on a drive that you then make read-only.)
  7. Encrypt sensitive data and e-mails.
  8. Be careful about what information you divulge on the Internet.
  9. Do not connect to an unprotected WLAN (wireless local area network). If you need a network urgently, use your smartphone with a cellular data connection.
  10. Be attentive and critical when you surf the web, write e-mails or work on the computer. Don’t believe everything you read, even if it seems to come from a trusted party. They may be accidentally passing on incorrect information or even a virus. Do not click on links or download files without great caution. If an e-mail seems odd or requests a special favor, call the sender to verify it really came from them.
  11. Do not use the same passwords for different systems.
  12. When you purchase a new smart home device, change the standard password it comes with right away.
  13. Do not download any apps and/or computer programs from websites that are not trustworthy.

Measures by public authorities to provide greater cybersecurity

Power, healthcare, finance and transportation are examples of sectors in a country that constitute critical infrastructures. Citizens in Europe have a right to the basic services they provide. If those infrastructures were attacked, that would entail massive outages and chaos, also causing harm to people. That is why public authorities have taken measures to increase cybersecurity for these sectors:

  • Germany’s IT Security Act, which came into effect in 2015, obligates operators of around 2,500 facilities in Germany to ensure their IT systems are especially protected. For example, they have to meet more stringent security requirements and furnish proof of that in audits. They are also obliged to warn customers if they discover any data abuse. Moreover, they have to report incidents to the authorities. The counterpart EU law is called the NIS Directive and applies simultaneously in all EU Member States.
  • In the USA, Presidential Policy Directive 21 identifies 16 critical infrastructure sectors and the agencies responsible for overseeing security in each sector. Although some sectors are regulated, most operate on a voluntary model. The NIST Cybersecurity Framework is widely used to ensure that risks are considered and best practices followed.
  • At the same time, public authorities also support private users in defending against cyberattacks and, as part of that, rely on the initiative of online service providers and hardware manufacturers. Under the Cybersecurity Act adopted by the EU, consistent regulations on certification of consumer devices are to be developed. The aim of that is to help raise the security level for consumer electronics (CE) in the business-to-consumer (B2C) market in the EU. Moreover, products, solutions and services in the business-to-business (B2B) market are also to embody certified IT security to a greater extent. In the public sector (business-to-government or B2G), the goal is to maximize and harmonize the standard of IT security across all EU Member States moving ahead.
  • In the USA, cybersecurity for consumers, non-profits, and small businesses is promoted through the National Cyber Security Awareness Month and throughout the year by resources available from the Federal Trade Commission and other agencies.
  • The EU Commission plans to establish a new agency called the EU Cybersecurity Competence Center (ECCC) at the end of 2019. Know-how on new threats and suitable means of countering them will be pooled there in the future. An EU-wide network of more than 600 test and inspection labs is to be created.

 

A bot is software running on a device (e.g. computer) that connects to the Internet, has been infected with malware and can be controlled remotely. Attackers combine bots to create a huge “botnet” that they can use without the device owners suspecting a thing. Botnets are often used for DDoS attacks.

In a distributed denial-of-service (DDoS) attack, a service such as a web site is flooded with requests and hence works only with great restrictions, if at all. Such attacks are often conducted using botnets by directing all the bots in the botnet to send requests.

A forcible attack on a cryptographic algorithm. All possible combinations are tried out automatically and systematically in order to crack the algorithm.

The abuse of someone else’s personal data. It is also termed identity misuse.

In this type of attack, attackers use fraudulent emails or other messages to trick victims into taking an action such as revealing personal data or passwords.

A phishing attack that is targeted at one person or a small group. Because the attack is targeted, a spear phishing message may be created specifically for the recipient thus making it much harder to identify as fraudulent.

Attackers claim in an e-mail to be high-ranking employees or other trusted parties in order to induce others to transfer money or perform some other transaction.

This term denotes malware that infects and blocks a computer system, often encrypting valuable data. The attacker then demands money to free the system and decrypt the data.

These files conceal themselves in apparently harmless programs and so enter the computer without being noticed. They then cause damage there directly or by downloading other malware from the Internet.

Malware that spreads from one computer to another, for example, in the form of an e-mail attachment.

This type of malware copies itself automatically and therefore spreads as quickly as possible, for example, via the address book in an e-mail program.

An attack that exploits security weaknesses before they are discovered and can be eliminated.

The compilation and publication of personal data on the Internet.

A computer program with unwanted or harmful features.

An attack technique that exploits security vulnerabilities by injecting code written in the SQL language.

An attack technique where one web site inserts untrustworthy information into a context that has been classified as trustworthy.

The future of cybersecurity

However, it is also in the electrical and electronics industry’s own interest to boost cybersecurity moving ahead. As the German Electrical and Electronic Manufacturers’ Association (ZVEI) states: “The advantages of digitalization cannot be leveraged if personal and technical data is not protected. We feel sure that cybersecurity will grow in importance when it comes to protecting consumers, ensuring the quality of products and enhancing customer loyalty.”

It should come as no surprise that router manufacturers are making the first move. After all, routers are the core piece of equipment in every home network. They are the interface between the home network and the Internet – and that makes them a popular target for attacks.

 

Last update: October 2019