The National Security Office of the Slovak Republic warns companies every month: increase your cyber security! Small and medium-sized businesses are the target of more than 70 percent of all cyberattacks. They are the ones that are most likely to meet customer demands. Where does their vulnerability lie, and what can be done about it?
First and foremost: the vulnerability of any company lies in underestimating its importance to cyber criminals. Secondly: this is exactly where it pays to invest in effective protection and to rely on specialists. The result is: investment = profit. I protect myself, I am protected, and in the event of a destructive attack I protect my long-standing work and my employees.
TUBAPACK, a.s., the largest manufacturer of aluminium and laminate tubes in the Central European region, supplying products and services to customers in the cosmetic, chemical, food and pharmaceutical industries, conducts its business in exactly this responsible and exemplary manner. Congratulations! The company's representatives are aware of the importance of gradually increasing IT security, of preventive measures, and of addressing vulnerabilities in advance from the perspective of cyber resilience. We talked to Peter Truben, IT Administrator at TUBAPACK, a.s., about the good decisions they made.
Responsibility and vulnerability appear to be opposites, but in your case they go hand in hand. How did your company's journey towards cyber accountability and eliminating vulnerability begin?
With vulnerability analysis and tests. That is, by thoroughly verifying the state of our cyber resilience. Step by step? An initial analysis mapped the status, and vulnerability tests identified several vulnerabilities. After obtaining the results from the analysis, we went through each point, explained the vulnerabilities and security risks, and consulted recommendations to remedy the current state. In parallel, we ran a Proof of Concept of security monitoring on Security Onion technology. The results from the monitoring, log collection and evaluation complemented the outputs from the analysis and vulnerability tests.
Security monitoring should be part of cyber and information security management in every organisation, regardless of its size and legislative obligations. Without such a system, an organisation has zero or significantly reduced visibility, i.e. insight into the security of its own infrastructure.
This gave us a summary of the security resilience of our infrastructure and allowed us to gradually eliminate and remediate the possible points of entry for attacks: we replaced the firewall, upgraded the ESET licenses, and carried out the necessary network settings and segmentation.
With the first measures alone we increased the security level of our company by several tens of percent. The result is improved standards for business continuity and the avoidance of breaches of data confidentiality, integrity and availability.
The first phase of investigating infrastructure security is monitoring. What was it like for a successful company to learn the first results?
Good, we know where to go. From the very first moment we had discussions with the security consultant from GAMO about how to cover the next level of security. The result was an offer to deploy the Security Onion security solution as a Proof of Concept, which we welcomed.
The analysis, i.e. centralized data collection and monitoring, was carried out in real operation and on a pre-agreed part of the infrastructure. The month-long deployment of the security monitoring tool allowed us to gain insight into the overall data flow and the number of logs and data sources that our enterprise network is exposed to. The pilot phase served to uncover the specifics of our environment as well as several instances of potentially malicious activity within our network. We were able to see the functionality of the security monitoring 'first hand' and gained parameters for decision-making and for the right choice of a production hardware solution for the future. Today, we can scale this according to real results from the PoC alone.
A PoC is sometimes an unnecessary bogeyman; weren't you worried about an infrastructure failure, for example?
Certainly not. It was enough that we provided basic assistance to the provider in installing the physical server in the rack in the server room and in connecting it to the network and the selected segments. We then went through the setup of the monitoring interface on the server and the selected network elements, as well as the setup of logging to the external server. The provider assured us that the entire process did not pose any increased risk to our infrastructure, and that even in the event of a complete system failure the security of the infrastructure or the operation of the information systems could not be compromised, and so it proved. And as for the bogeyman: we were assured that in the event of an outage we would only temporarily lose visibility of the environment, i.e. it would be a return to the pre-launch state. There was nothing to hesitate over.
Security Onion is actually a kind of probe inside the company. What did you find from its pilot deployment?
The report summarized the findings on the state of the network and vulnerable assets, presenting potential attack paths or network problems. For example, we were alerted to a client on the local network accessing inappropriate adult sites – while, sure, it could have been malware sending such DNS queries – and the recommendation thanks to Security Onion was: quickly check the device and block the activity. So we did.
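The finding above came from DNS logs: a monitoring sensor records every query, matches the queried name against a category list, and reports which internal host made it, so the administrator knows which device to check. The following is an added illustration of that logic, not code from the interview, from GAMO or from Security Onion. The log lines are constructed in a Zeek-style tab-separated dns.log layout, and the denylisted domain names are invented for the example.

```python
"""Flag internal hosts whose DNS queries hit a category denylist.

Constructed example of the detection behind the DNS alert described in
the interview; not Security Onion's own code. Input mimics a few fields
of a Zeek dns.log (tab separated): ts, id.orig_h, id.resp_h, query,
qtype_name, rcode_name.
"""
from collections import defaultdict

# Constructed sample log lines (assumption: internal resolver is 10.20.0.2).
SAMPLE_DNS_LOG = """\
1700000000.101\t10.20.1.57\t10.20.0.2\twww.example-adult.test\tA\tNOERROR
1700000000.250\t10.20.1.57\t10.20.0.2\tcdn.example-adult.test\tA\tNOERROR
1700000001.000\t10.20.1.12\t10.20.0.2\tupdates.eset.com\tA\tNOERROR
1700000002.300\t10.20.1.57\t10.20.0.2\tupdates.eset.com\tA\tNOERROR
1700000003.700\t10.20.1.88\t10.20.0.2\tanother-adult.test\tAAAA\tNXDOMAIN
1700000004.000\t10.20.1.57\t10.20.0.2\tlogin.microsoftonline.com\tA\tNOERROR
"""

# Hypothetical category denylist of apex domains. A real deployment would
# load a maintained category feed; these names are invented.
ADULT_DENYLIST = {"example-adult.test", "another-adult.test"}


def parse_dns_log(text):
    """Parse tab-separated dns.log lines into a list of dicts.

    Comment lines (Zeek writes '#fields' headers) and blank lines are skipped.
    Query names are normalised to lowercase without a trailing dot so that
    'WWW.Example.TEST.' and 'www.example.test' compare equal.
    """
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, resp_h, query, qtype, rcode = line.split("\t")
        records.append({
            "ts": float(ts),
            "src": orig_h,
            "resolver": resp_h,
            "query": query.rstrip(".").lower(),
            "qtype": qtype,
            "rcode": rcode,
        })
    return records


def matches_denylist(query, denylist):
    """True if the query is a listed domain or any subdomain of one.

    Walking the label suffixes ('cdn.example-adult.test', 'example-adult.test',
    'test') catches subdomains without needing every hostname in the list.
    """
    labels = query.split(".")
    return any(".".join(labels[i:]) in denylist for i in range(len(labels)))


def flag_clients(records, denylist):
    """Return {source_ip: [matching queries in log order]} per offending host.

    Grouping by source host is what turns a log match into an actionable
    recommendation: the host to inspect and the activity to block.
    """
    hits = defaultdict(list)
    for record in records:
        if matches_denylist(record["query"], denylist):
            hits[record["src"]].append(record["query"])
    return dict(hits)


if __name__ == "__main__":
    findings = flag_clients(parse_dns_log(SAMPLE_DNS_LOG), ADULT_DENYLIST)
    for src, queries in sorted(findings.items()):
        print(f"{src}: {len(queries)} denylisted DNS query/queries -> "
              f"{sorted(set(queries))}")
```

Run as a script it lists the two offending hosts and the names they resolved; the name match alone does not say whether a person or malware sent the queries, which is why the next step in the interview is a check of the device itself rather than just a block rule.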
Vulnerability testing is also part of the Starter Security Services package. Did you appreciate its benefit?
Of course. Its task is to find computer and network systems and devices with existing technical vulnerabilities that affect the stability and security of information systems and data. The first vulnerability test at our company was carried out to identify risks and detect weaknesses. After the corrective measures are applied, a control test will also be carried out, but this is still pending. And the vulnerability tests carried out made it clear that a large number of the identified vulnerabilities can be remedied quite simply: by regularly updating the systems.
On average, it takes an attacker 1 hour and 42 minutes to reach the rest of a company's network after 'hacking' one of the company's devices. The interesting thing is that the attacked user, or the entire attacked company, does not even know that they have an intruder on their system. It is by no means exceptional for the attacker to simply 'walk' around the system in secret without doing anything overt. For weeks or months to come, the hacked company may not even notice that it has been hacked. Source: Microsoft Digital Defense Report 2023
Protecting against cyber threats is crucial for any organisation. According to statistics cited by Microsoft, up to 95% of successful attacks are caused by the human factor. Have you come across this statement?
Yeah. And we quickly understood that deploying a security solution would be ineffective and not fit for purpose if our employees were not informed about the issue. That’s why we focused on increasing employee awareness of cybersecurity through training, taking into account different job roles.
Did the training fulfil its purpose, and the company-wide responsibility?
We've had them in multiple cycles. The training for ordinary IT users among the staff was aimed at learning the concepts and basic rules of cyber security and the procedures for preventing incidents. In their case, we focused mainly on the security risks associated with protecting corporate know-how and sensitive data, as well as on presenting real-life examples from the field of cybercrime. Our goal was to make employees aware of the rules of safe behaviour in cyberspace, to recognize the elements of phishing campaigns, and to follow the principles of identity protection (passwords, MFA, e-mail, social networks, etc.).
The training for team leaders and IT specialists was extended to include the implementation of security measures and the monitoring, evaluation and management of security incidents. We appreciated the training provider's approach of applying cybersecurity risks to employees' private lives as well. After all, websites and social networks are full of dangerous content.
Every day, our work email inboxes are flooded with a lot of information. Phishing campaigns do not stop at the borders of Slovakia; they also attack our companies and email accounts. In fact, it is precisely in Slovakia that attack groups often train their tactics, learn and improve. That is why it is important to be informed and to know how to protect ourselves in the online world. It is essential to be prepared for all possible scenarios and to know how to defend against different types of attacks. For example, learning how to spot fraudulent emails and websites, securing access accounts and files, and being cautious when opening unknown attachments are all very basic.
Clicking on a seemingly favourable offer can trigger malware, which then spreads to related devices. It's true: people are being tricked by scammers and losing their money. They regularly find fraudulent messages in their inboxes about court or police summonses, fake delivery information, financial windfalls or urgent requests for support.
The training therefore fulfilled its purpose doubly: in responsible corporate behaviour in the IT space, but also privately for our employees. Moreover, if you point out attack campaigns and warn them about malicious content that could deprive them of their own money, privacy and identity, they are then more vigilant and follow the rules in the corporate environment as well.
Hearing a responsible manager talk about the company's setup is rewarding not only for employees. What are your next plans for development?
TUBAPACK, a.s. invests in the development of IT infrastructure in the long term according to the needs of the company. In the near future, we want to continue to keep pace with the increasing demands: whether of legislation regarding cyber security or developments in IT technologies for more efficient production processing. We therefore have several solutions in the pipeline.
Of course, the modernization of computer technology, which in recent years has been becoming obsolete ever faster (the pace of development in IT is increasing and gives us new possibilities that we can apply in the production of aluminium or laminate tubes). We have completed the goal of virtualizing outdated servers and improving data backup. After all, a company's data is its most valuable commodity. In the future, we are considering using some cloud solutions for storing company data outside the company, as well as the possibility of communicating with our customers through our own secure storage for data exchange and graphic templates.
At the moment, due to insufficient space, we have to expand the company with additional production premises, which need to incorporate IT infrastructure (to ensure automation of entrances, camera system monitoring, and connection to the existing network and wireless elements). Last year we commissioned aluminium tube production line number 10, and we are currently working on the completion and commissioning of line number 11. The intention is to meet the market demand for aluminium tubes and to expand our production range with new tube diameters and sizes.
Last but not least, we strive to automate production. We are completing the automation of tube packaging and continuously introducing new elements into production (tablets, PDA readers for QR codes, portable printers with Bluetooth connection, camera systems to check the quality of tubes directly on the production lines), leading to more efficient production.