Client
The "Versorgungswerk der Zahnärztekammer Berlin (VZB)" is the professional pension fund of dentists for the chamber areas of Berlin, Brandenburg and Bremen. The VZB ensures the financial security of its members and grants all members of the Chamber and their families a legal entitlement to pension benefits in old age, in the event of death and in the event of occupational disability. Managed as a corporation under public law, the organization has a committee structure. A total of 19 employees work at the institution's location in Berlin.
Challenge
What is the overall level of IT security? What IT security measures are required in the short and medium term to ensure the protection of the pension fund against attacks by cyber criminals? Are employees and committee members sufficiently sensitized to recognize and defend against potential cyberattacks via social engineering? Do IT security gaps exist that need to be closed immediately? In order to gain a complete picture of the status quo of IT security, the company consulted the Hamburg-based IT security specialist Allgeier secion. Based on recommendations from employees at one of the pension fund's Hamburg affiliates, those responsible decided quickly and without bureaucratic delay to commission Allgeier secion with a comprehensive security audit.
Solution
The project was characterized by the selection of optimal audit methods and by the determination of a suitable sequence for their execution. In the first step, Allgeier secion's IT security consultants decided on a black box audit to first obtain an attacker's view of the organization from the outside. Internal network and server systems are frequently chosen targets of cybercriminals. The unique feature of this process: The pentesters did not have any insider knowledge; existing security vulnerabilities in the IT infrastructure had to be uncovered by them independently. To do this, they took on the role of a "real attacker" and identified potential IT security gaps and vulnerabilities, then checked the systems using individual attack scenarios. The IT security consultants then classified the findings according to risk levels and provided IT managers with prioritized recommendations for action.
In addition to technical resilience, the security awareness of VZB employees and committee members was also reviewed in a social engineering audit. In this test, the IT security experts attempted to exploit the "human vulnerability" through social manipulation and, for example, to obtain security-relevant information (such as passwords) by telephone or e-mail. The findings of the social engineering audit formed the starting point for the subsequent awareness training.
But technical and human vulnerabilities are not the only potential threats to IT security. Inadequately defined organizational processes for emergencies are partly responsible for the majority of operational failures. Therefore, a comprehensive "Incident Response Readiness Strategy" is of utmost importance. The pension fund concluded the project series with an organizational audit. Its existing process and behavioral plans were analyzed, optimized and laid down in a dedicated emergency plan.
Result
Thanks to the critical external view of the measures and the three comprehensive audits as well as accompanying training measures, the "Versorgungswerk der Zahnärztekammer Berlin" was able to significantly improve the security of its IT infrastructure. The vulnerabilities identified in the black box audit were recorded in a detailed result report according to risk levels. The report also includes vulnerability remediation measures prioritized by urgency. The Social Engineering Audit and the security training based on it have raised the awareness of employees and committee members for security risks that actually exist. The recovery or emergency plan, which was developed individually for VZB by the IT security experts as part of the organizational audit, was implemented step by step in the organization.
"The IT security audits performed by Allgeier secion as well as the training measures have contributed to a significant improvement of IT security in our organization. Due to the very good experience with the Allgeier secion experts during the initial Black Box Audit project, we gradually expanded the originally planned project scope. The Allgeier secion consultants convincingly guided us through all projects with individual consulting and their incisive knowledge. The cooperation was very constructive and pleasant. We recommend Allgeier secion without reservation."