Hackers now working towards IT security

Series (2): Philipp Kalweit, white hat hacker, confronts cyber criminals deploying viruses during pandemic
23 June 2021

Remote working has become the norm for many employees in the wake of the pandemic as the number of such work places has more than doubled, according to a survey by the German Federal Office for Information Security (BSI). Some 64 per cent of employees work fully or partially from home which is proving a headache in terms of IT security. Robust IT solutions are needed in companies and now remote workers' IT systems and their connections have to be protected as well. A lack of protection means more and more cybercriminals are making forays. The Federal Criminal Police Office of Germany (BKA) has noted a corona-related increase in such attacks. Around 108,000 cybercrime offences were committed in 2020 alone and experts say the number of unreported cases is far higher.

Achieving holistic cybersecurity

"Many entrepreneurs believe their IT security is sufficient." However, belief alone is not enough, according to Philipp Kalweit, 20. "If you buy bulletproof glass, you want to have been tested it beforehand." Enter Kalweit ITS GmbH! "Basically, we are a consulting company specialising in IT security." Kalweit's clients pay him to hack their IT systems. Yet, Kalweit is not merely a hacker. Forbes magazine recently ranked him among the 30 most important young talents in the German-speaking countries. At the tender age of 17, Kalweit was allowed set up his own company after previously hacking companies on their behalf with a goal of holistic cybersecurity.

Understanding the mindset of attackers

"Our clients pay us to identify security weak points and to puncture their system as far as possible," Kalaweit noted. This requires an authentic cyber incident. "It's about understanding the mindset of the attackers to protect effectively." As hackers know no borders, different cultural mindsets and patterns have to be accounted for. Thus Kalweit ITS has branches in Vienna, Kiev and Singapore, in addition to its headquarters in Hamburg's Esplanade.

Easy targets for cybercriminals 

The attackers are by no means professionals only, according to Kalweit. Simple phishing emails with information on corona emergency aid have proven typical targets during the pandemic. Recipients of the fraudulent emails are asked to enter their personal data including PINs or TANs. "Organised gangs that launch automated mass attacks are frequently behind those emails. Even if most of the addressees do not react, the rest are worth the attack," he pointed out. No mastermind is needed for a successful attack in most cases.

Programming errors, outdated software and the human factor are the three main gateways for hackers. "Companies frequently do not have go to a tremendous IT security effort. But minimum security is essential. It's about knowledge and motivation. Employees including managers, of course need to know why they should use secure passwords and change them regularly and why being wary of 'foreign' emails is sensible."

Cybersecurity - one wrong click...
© Yvonne Scheller
One wrong click and everything goes awry!

Hacker colour theory

Kalweit's world is based on a colour theory. "We are the law-abiding white hat hackers. Then there are grey hat hackers, who abide by the law to a certain extent, but operate more on the dark side, sometimes more on the light side. And then there are black hat hackers, i.e., cybercriminals," Kalweit explained. Others like politically motivated "hacktivists" e.g., are members of the Chaos Computer Club and keen on helping society through their hacks.

Cybersecurity -  not a trend

Cybersecurity is not yet a trend, but Kalweit hopes to raise awareness of the issue. Although great entrepreneurial responsibility among owner-managed SMEs in the north of the Hanseatic region is noticeable, an aversion to alleged trends is also tangible there. "Cybersecurity is not a trend, but a business mandate," said Kalweit, as the damage can have far more devastating consequences and go beyond purely financial losses. "Many companies shy away from publicly admitting 'yes, we have been hacked', as such news is always associated with a loss of reputation."

The Office for the Protection of the Constitution, for instance, guarantees confidentiality. "Unlike the police and the public prosecutor's office, the Federal Office for the Protection of the Constitution is not obliged to prosecute. Companies can seek advice there without having to fear the consequences of prosecution. On the other hand, anyone who reports an attack contributes to overall economic security as the more detailed the knowledge of cybercriminal tactics becomes, the more proficient Kalweit and his employees become at developing protective mechanisms.