
Partners in the virtual battle against hackers

Organized data theft is becoming a central issue in our digital society. TÜV SÜD shows businesses how they can better protect themselves.

Computer problems: TÜV SÜD helps keep hackers out of computer systems.

Data krakens, the NSA affair, WikiLeaks, phishing – the crisis catchwords are displacing one another in increasingly rapid succession. But the general issue remains: How safe is our data? TÜV SÜD develops new approaches in this area.

A few cryptic commands on the keyboard, a few clicks of the mouse and he’s in: Only a few seconds pass and the young man in front of the computer screen has cracked the password-protected area of the network. His access point: a programming error on the company’s Web site – security on a database that customers can access was inadequate. The latest strategy, design plans for a newly developed machine, and all sorts of customer and employee data can be quickly copied from the company network.

A horror scenario for any business. Spiegel magazine reported that SAP alone repels around 3,000 attacks every month. Across Germany, the daily attacks number in the hundreds of thousands. One prominent example in recent history: the activities of the NSA, the US foreign intelligence service, which is being accused of explicit corporate espionage by countries including Germany.  

In his office on Munich’s Ridlerstraße, Marcel Mangel is trying his hand at this type of spying. He wants to bypass the security system of a garden equipment company. Using a port scan, he tests where the company Web site’s external interfaces are – and how they are secured. “These ports are like the windows in a house,” explains Mangel. “Most of them are barred or locked. But sometimes, the owner forgets to close a window.”

Marcel Mangel earns his money as a hacker – but it’s completely legal. He’s an IT expert with TÜV SÜD. His customers: Businesses – ranging from tiny Web shops to global corporations – that want to know if they can trust their Web sites, databases, or even their entire IT infrastructure.

Penetrating another system from outside is sometimes easier than many people think. Mangel clicks in the search field on the Web site he is checking. This is actually where customers should research products. Instead, Mangel enters a code: an order to the database to allow him full access. His misfortune for today: The page blocks it. Attack repelled!

TÜV SÜD has been taking the attacker’s perspective for around 15 years: In the midst of the first wave of the New Economy in 1999, when a growing volume of business was being processed online, TÜV SÜD started focusing on the subject. A team under Rainer Seidlitz developed the first testing programs back then. “Data security was clearly in the foreground early on, for example, the question of whether Web shops are always available or whether the entered data was processed correctly,” recounts Seidlitz. But data protection – meaning the issue of how secure customer data or payment processes were – was already part of the certification at that time. The result: The tests associated with the s@fershopping internet seal.

“Small pen tests were always included with s@fershopping,” explains Seidlitz. They have existed as an independent product since 2007. Since then, the small team, consisting of two employees and a network of third parties, has performed around 300 tests per year, each lasting three to five days on average. The trend is on the rise. Businesses with up to 1,000 employees, which often do not have a highly specialized IT department, are the primary customers. Firms from the broadest variety of industries – from pharmaceutical companies to retailers to banks – order pen tests.

The customer determines what these tests look like. Usually, the job order comes directly from the IT department, which wants information about specific systems after an incident. “However, it sometimes happens that we are contracted directly by the executive board – without the knowledge of the IT department,” says Seidlitz.

In the end, the customer receives something that is not at all typical of TÜV SÜD: No certificate with a quality seal, no certification, “and certainly not a certificate of assurance,” according to Seidlitz. But it does provide a detailed overview of possible weak points in programming, entire IT systems or processes – and tips on how to rectify them.

Marcel Mangel claps his hands together in his office in Munich. It worked! The outdated version of a standard software program that runs the contract form yielded to an exploit in the attack. Mangel could now trawl through the database with thousands of customer names and contact addresses. But he limits himself to documenting his success with screenshots for the customer, and to notifying him that he urgently needs to close a few windows in his house.