Service Navigation

Interview with cyber security expert Frank Fischer: “Cyber criminals have a business case of their own.”

04 Oct 2017

Interview with cyber security expert Frank Fischer: “Cyber criminals have a business case of their own.”

The latest sweeping cyberattacks by trojans WannaCry and Petya/NotPetya were a testament to the crucial importance of cyber security. According to Europol, more than 200,000 computers in 150 countries were affected within a short period of time. What do companies have to do to protect themselves against attacks? Since October is European Cyber Security Month we spoke with Frank Fischer, Chief Security Officer of Deutsche Börse Group.

Frank Fischer, Chief Security Officer of Deutsche Börse Group

What are the motives driving cyber criminals?

We have been detecting three motives. First, there are financial interests, which means cyber criminals are out to make easy money. The second motive is a desire to disrupt a company’s operations or damage its reputation by interfering with key services it provides. The third motive is to gain access to information of interest about the company. That last one is basically a pre-requisite for the first two motives.

How was the WannaCry cyberattack able to have such a big and widespread impact?

Firstly, due to the method of attack used – and secondly, due to weaknesses that were easily exploited. In terms of methods, it is true that any weapons that are created will be used at some point. In the case of WannaCry, the NSA had one of its own malware programmes, Eternal Blue, stolen. It was used to exploit weak spots in the Microsoft code.

So, who is at fault then: the user or the software provider?

Probably both. In the case of WannaCry, the weak spots were known for a long time and were published by Microsoft early on – together with a patch to fix them. However, not all companies or individuals updated their systems accordingly. Furthermore, the trojan uses the common SMB protocol to spread very quickly. Often, the problem is that patches are not implemented fast enough to avoid lateral spreading because processes are too slow and too cumbersome.

What did you learn from the WannaCry attack?

It is crucial to understand where new threats may materialise – before they actually reach a critical stage, i.e. before the attacks have been industrialised to such a degree that they can be used as a weapon against us. Whenever a weak spot has been exploited once, there are quick attempts to launch a large-scale attack. This means, cyber criminals basically create their own business case.

Analysing large attacks forensically, we noticed that, typically, there were initial stages where attackers tried out a few things here and there: basically small pinpricks, which do not do a lot of damage in and of themselves. However, this is how attackers can build capabilities step by step until they have all the ammunition they need for the planned attack.

How do you realise that an attack is in the making?

It is important to identify any deviation from the norm. This means we have to evaluate huge amounts of data to ultimately find the needle in the haystack. In this respect, networking is key as there may be other companies that have developed the necessary capabilities and are able to detect said pre-stages earlier – e.g. in other time zones or regions.

To which do you assign more weight: to industry networks or to collaboration with policymakers?

To industry networks, as they provide more flexibility and agility. Unlike with public authorities, you do not have to wait for them to decide who is responsible. Usually, it is not one, but two or three authorities who say they are in charge. That can have a lot of consequences. In any case, it slows things down and can prevent issues from being solved in a timely manner.

And are these industry networks national, pan-European or global?

If you keep within national borders, you are at a disadvantage, as cyber criminals do not care about borders. This means you have to build international networks early on in order to be able to detect attack patterns early.

We regularly meet in various networks – from our DAX® peers and sub-groups of the World Federation of Exchanges (WFE) to the Financial Services Information Sharing and Analytics Center (FS-ISAC). The latter is a worldwide association of all types of financial firms ranging from small regional banks to global groups such as J.P. Morgan.

These are measures directed outward. How do you ensure an increased level of security within the company?

Our employees are our first line of defence. Why? Because a high number of attacks are conducted via social engineering, meaning that personal trust relationships are abused.

Attackers try to put their victims under intense pressure and thus try to get them to deviate from standard processes. That can be done either by dangling the proverbial carrot to lure the user into performing certain activities or by forcing them into a predicament as a way of circumventing  standard processes and thereby triggering the intended actions or obtaining vital information.

One example is spear-phishing, i.e. an attack in which employees are lured by customised bait, such as VIP tickets for concerts. I assure you that a certain percentage of our employees would in fact fall for that sort of scheme. Simply put: attractive incentives tend to overpower common sense.
This is how cyber criminals deviously gain access, opening the path for the first wave of attacks and enabling them to gain vital information. This might not be sufficient, but it offers them enough insight to allow them to take the next step more easily. An attack is not a single event but a chain of measures. Spear-phishing works by confronting someone with information or opportunities so appealing that the targeted person is forced to take interest. Thus, attackers have already reached their first goal when a potential victim falls for their scam.

Does this mean that employees need training?

Exactly. It is vital to increase awareness of suspicious e-mails, which pose a major threat in terms of being a gateway. In other words, e-mails are like watering cans in that they are designed to get as many people as possible to click on them. Here is an example: you contact 50 million people via e-mail. If just 1 per cent of them clicks, you have 500,000 replies. And if just 10 per cent of those people fall for your malware, then that amounts to around 50,000 victims, from whom you may be able to extort x amount of bitcoins, say. That’s how these cyber criminals quickly build their business case.

Can you describe the concrete measures you undertake to avoid these scenarios?

We provide both motivation and information. E-mail phishing is a topic that needs special and repeated attention, as do general rules of conduct. How do I protect my personal data? And how do I handle this data in public? Am I aware at all times of who I am sharing this information with and which websites I should not be visiting?

We are currently in the process of rolling out a solution to achieve exactly that. This includes regular phishing tests as well as possibly a department ranking. We will have to remain alert and continuously think of new ways to counteract cybercrime because it is quite clear that employees tend to numb again quite quickly.

Considering e-mails pose one of the greatest threats as gateways … how many e-mails does Deutsche Börse receive in a week?

The figure varies between 11 and 13 million per week. A maximum of several hundred thousand of these e-mails contain valid information which are based on real business relationships or are exchanged within the Group. You can basically subtract well over 99 per cent as being of no value whatsoever, and these 99 per cent contain a certain share of objectionable attachments.

As a result of your analyses you collect a large amount of strictly confidential data. What are your safety precautions?

We keep this data in a virtual safe, which means it is encrypted and protected from access, and not stored at its source. The chances for an attacker wanting to cover his tracks are low because we store the log data in a different place. In addition, access to this data is strictly regulated. We only allow a very small team to evaluate subsets of this data, and only under a special obligation of confidentiality.

What does all of this teach us for the future? How are we going to handle security issues and what are the risks and opportunities that arise from cloud computing?

The cloud provides improved possibilities for us to incorporate security issues into the infrastructure. This opens up lots of opportunities to implement certain safety measures both centrally and, at the same time, in an agile way. But, of course, we are under an obligation to find a balance between usability and security, and we must do so in collaboration with regulatory authorities. I am happy to say that the path ahead looks promising.  

Interview: Irmgard Thiessen

European Cyber Security Month is celebrating its fifth anniversary this October. The EU’s annual campaign aims to raise awareness of cyber security threats in the digital domain and provides users with resources on how to protect themselves and sensible data online. From 1 October  to 31 October, hosts will offer over 250 activities in 24 countries across Europe, highlighting the importance of cyber security through education and sharing of good practices. ECSM is coordinated by the European Union Agency for Network and Information Security (ENISA) and partners. Promoting the motto “STOP.THINK.CONNECT.”, the European Union does its part to support a secure and stable cyberspace.


IT-specific terms

Drive-by infectionUnwitting and unintended download of malware to a computer, e.g. triggered by simply visiting a website
ExploitMalware that uses weak spots of computer systems
MalwareGeneral term for programmes developed for the sole purpose of causing damage to software users
PatchPiece of software designed to repair security flaws
RansomwareMalware used to infect and lock a computer – with the intention of asking for money to unlock it again
SMB (Server Message Block)A network protocol used by Windows-based computers that allows systems within the same network to share files
Social engineeringMethod used to seek unauthorised access to information or IT systems by “spying” on the user
Spear-phishingFraudulent e-mail scheme used to seek unauthorised access to confidential data

Additional Information


Internet hotline

Service times: Mon-Fri, 9 a.m. – 6 p.m. CET

+49-(0) 69-2 11-1 16 70