Created on 15.11.2024

Ethical hacking in the context of vulnerability management

When the red team is let loose on the blue team at the “yellow bank”, it’s all in the name of security. IT security specialist Philipp Rohrbach explains what’s behind it.

At a glance

  • Ethical hacking enables companies to identify and eliminate security gaps in IT systems at an early stage.
  • Vulnerability management involves the continuous assessment, prioritization and elimination of security gaps in networks, software and security-critical technologies.
  • In this interview, PostFinance expert Philipp Rohrbach explains how his red team uses targeted attack simulations to uncover security vulnerabilities to make IT systems more resilient.

What does vulnerability management mean?

Vulnerability management involves the continuous monitoring and evaluation of all IT components such as servers, networks, computers and cloud technologies. Identified vulnerabilities are evaluated, prioritized, rectified and documented.

Clearly defined responsibilities are crucial in order to organize the process effectively. In this way, companies minimize the risk of security incidents, increase cyber security and ensure compliance with legal provisions, especially when handling sensitive data. Growing regulatory pressure is forcing companies to take these threats seriously in order to avoid data breaches and reputational damage.

What is ethical hacking?

Ethical hacking enables companies to proactively assess their IT systems for security vulnerabilities. Professional hackers employed for this purpose, known as ethical hackers, carry out penetration tests to uncover vulnerabilities in networks, applications and systems before they can be exploited by cyber criminals. This boosts the company’s resilience against cyber attacks and minimizes the risk of costly security incidents that could damage the company’s reputation. In this way, ethical hacking ensures that measures can be planned and implemented to meet security standards and compliance regulations.

Identifying vulnerabilities in the infrastructure

Network and system administration is the backbone of a company’s IT infrastructure and plays a central role in vulnerability management. Beyond optimizing performance, regular scans and analyses identify vulnerabilities in the systems that must be rectified to keep the IT environment stable and secure.

Uncovering vulnerabilities in the software

In software development and IT implementation, it is crucial that security vulnerabilities are identified and addressed during the development process. Vulnerabilities in newly developed or implemented IT systems can pose serious security risks. Meticulous security testing during development and before go-live therefore plays an important role, uncovering vulnerabilities in the software before it reaches production. This ensures that new applications and systems are robust and secure, improving the efficiency and security of IT systems.

Uncovering vulnerabilities in security-critical technologies

Technologies such as encryption systems and authentication methods secure digital business processes and support seamless data processing. However, vulnerabilities in these systems pose significant security risks, especially when it comes to protecting sensitive information. This means it is all the more important to expose vulnerabilities in security-critical technologies such as encryption systems. These security audits are an integral part of vulnerability management and ensure that companies can operate their systems securely.

Training and building awareness among IT employees

Practical training and simulated cyberattacks can demonstrate to employees how system vulnerabilities emerge and how they can be intentionally exploited. This fosters a deep understanding of the importance of following security protocols and proactively responding to potential threats. Employees should also be trained regularly in applying effective security practices, such as secure password management or recognizing phishing attempts. This raises awareness of the need for robust protection of company data throughout the entire organization.

Ethical hacking in IT Security: hacking on the right side

They’re the good guys – ethical hackers work for companies to expose vulnerabilities in web applications, networks and systems before illegal hackers get the chance to do the same. One of these ethical hackers is Philipp Rohrbach, who leads the red team in IT Security at PostFinance. In the interview, he explains his work in detail and how he goes about it.

You work in the red team in IT Security at PostFinance. What does red as the team colour mean?

In the red team, we take on the role of the attacker within PostFinance’s IT security. We make use of the technologies or attack scenarios as they are applied in “real” attacks to specifically target our own systems. For example, we try to use our services and systems for a purpose for which they were not intended, with the aim of exposing vulnerabilities before anyone else can. When you operate a service in IT that’s accessible from the outside world, you have to assume that you will be attacked. It’s not a question of whether it will happen, but rather how often, and of how well the attacks can be detected, fended off and contained by our blue team. The colour designations are originally military terms: the red team is the offensive part of IT security, the blue team the defensive part.

How does the red team go about conducting a test?

Let’s say we’re testing an app. The first steps we take are to talk to the specialists who develop, operate or refine the app and to define the goals of our testing. One such goal can be to manipulate a financial transaction in a test environment, or to get our hands on information via an interface within the app. We then determine the approach we want to take – the black box, grey box or white box approach. With the black box approach, we’re given access to the application for testing with no further information about its internal structure. With the grey box approach – which is much more common – we get a little more support, by being able to work with a version in which some protective measures are switched off, for example. This gives us an edge over potential attackers, who generally have more time on their hands than we do, and the ability to use our valuable testing time for actual testing rather than for circumventing security measures. Or you can go one step further with the white box approach, where the source code is available to us, making it easier for us testers to circumvent the protective measures. We then arrange the test setup and get to work. We test aspects such as app authentication, the login procedure or the resetting of passwords for logical errors and deviations from standards. Or we observe how the app behaves when we feed it with information for which it was not actually intended. For example, if a payment from customer A to customer B runs through 10 steps in the background, we look to see what happens if we change the content or the order of the steps. Once we’ve tested enough starting points of this kind, we draw our conclusions and document them. Where necessary, measures are then taken to eliminate the identified vulnerabilities.
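A defender's counterpart to the multi-step payment test described in this answer, as an added example that is not PostFinance's code: a hypothetical server-side guard that accepts the steps of a transaction only in their defined order and only with the amount and recipient bound at the start, so reordered or altered steps are rejected and logged for the blue team. The step names, signing key and account values are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo values; a real deployment keeps the key in a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"
STEPS = ("init", "validate_recipient", "confirm_amount", "authorise", "execute")

def step_token(session_id, step, amount, recipient):
    """Server-issued token binding the session, the step and the transaction data."""
    msg = f"{session_id}|{step}|{amount}|{recipient}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

class PaymentFlow:
    """Guard for one payment session: steps are accepted only in the defined
    order and only with the amount/recipient fixed when the session started."""

    def __init__(self, session_id, amount, recipient):
        self.session_id, self.amount, self.recipient = session_id, amount, recipient
        self.next_index = 0
        self.alerts = []  # rejected submissions, what a blue team would want logged
        self.next_token = step_token(session_id, STEPS[0], amount, recipient)

    def submit(self, step, amount, recipient, token):
        """Return the token for the following step, 'done' when the flow
        completes, or None when the submission is rejected."""
        expected_step = STEPS[self.next_index] if self.next_index < len(STEPS) else None
        if step != expected_step:
            self.alerts.append(("out_of_order", step, expected_step))
            return None
        expected_token = step_token(self.session_id, step, self.amount, self.recipient)
        if (amount, recipient) != (self.amount, self.recipient) or \
                not isinstance(token, str) or not hmac.compare_digest(token, expected_token):
            # Changed content, or a token the server never issued for this step.
            self.alerts.append(("tampered", step, amount, recipient))
            return None
        self.next_index += 1
        if self.next_index == len(STEPS):
            self.next_token = None
            return "done"
        self.next_token = step_token(self.session_id, STEPS[self.next_index], amount, recipient)
        return self.next_token

if __name__ == "__main__":
    flow = PaymentFlow("sess-1", "100.00", "ACCT-B")  # constructed session
    tok = flow.next_token
    for step in STEPS[:2]:
        tok = flow.submit(step, "100.00", "ACCT-B", tok)
    print(flow.submit("execute", "100.00", "ACCT-B", tok))  # skipped steps: None
    print(flow.alerts)
```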

How is the red team put together?

It’s always different, depending on the scope of the test and the effort involved. For small tests, one person is sufficient, whereas several testers are required for larger ones. We make use of internal staff, but we also use external people. It’s especially important to ensure that the same people don’t always examine the same test objects, because security testing in particular also often calls for out-of-the-box thinking, with individual experience and personal expertise playing a major role.

What do you need to bring to the table to work in a red team?

Requirements include a solid knowledge of networks, a sound understanding of how web applications work and how computers and servers interact and are structured (see also box). But one of the most important things is a sense of curiosity: ethical hackers want to understand cyberspace and see it time and again with different eyes. They want to look behind the scenes. And they possess the qualities of tenacity and perseverance: they try to keep feeding the object being tested until something unexpected happens. And then to understand why what happened came about. Our goal is to find vulnerabilities that have not been seen before, either by other people or by automated quality assurance tools.

These are the skills needed by red team specialists

Knowledge of

  • Networks: setup, technologies, logs
  • Operating systems such as Windows, Linux, etc.
  • Programming: understanding and being able to adapt/modify code
  • Hacking tools and techniques
  • Vulnerabilities in software and their characteristics

Are there any official training courses for this?

There are different test types. However, there are no courses of study on offer that cover and focus on our entire area of responsibility. If you want to become an ethical hacker, a great deal of what you learn can and must be self-taught, with support from a community that is very happy to share its knowledge. Good ways to practice your skills are platforms like TryHackMe or Hack The Box, which offer challenges or public bug bounty programmes.

What fascinates you about your role as an ethical hacker?

The enormous variety. On the one hand, I get many opportunities to grapple with various technologies – such as different programming languages, applications or frameworks – while on the other I’m constantly coming into contact with different people. We are not specialists in every field, but we do have many very good people at PostFinance. When we’re preparing for a test, we can tap into their knowledge and experience. That’s very, very exciting. There’s also the fact that while we do indeed use a consistent methodology for testing, we apply it again and again to different test objects, which range from voice authentication using a normal web application to very complex systems that process financial transactions. And all else aside, this job is not just work, it’s also an attitude: I want to do my bit to keep making cyberspace a little safer all the time.

What is your personal career path leading to the red team at PostFinance?

I originally trained as an electronics technician before getting into the area of project management in plant engineering. Because I then found myself missing the technical aspect somewhat, I studied IT and systems engineering at a higher technical school, after which I was responsible for the area of new media at an agency, where I acquired a sound understanding of web applications and mobile apps in numerous projects. I then completed a degree in IT with a focus on IT security. The subject of ethical hacking has always been with me on my journey. Out of personal interest, I taught myself a great deal about it. After my studies, I ultimately switched to IT at Swiss Post as an operations specialist in the area of e-voting, where I came into contact with security screening. So when PostFinance started looking for an IT security specialist in the area of ethical hacking, I said to myself: this is my opportunity. Since taking on a managerial role this year, I’ve had the opportunity to work with a dedicated team to continuously improve the security of PostFinance’s IT systems and processes for its customers.

About

Philipp Rohrbach

Philipp Rohrbach has been working in IT Security at PostFinance since 2019.
