The global and independent platform for the SAP community.

Overwhelming circumstantial evidence is nevertheless not proof

When it comes to IT attacks, the first question on outsiders' minds is who is to blame. People want to assign an attack to a perpetrator, at least in their minds.
Raimund Genes, Trend Micro
May 4, 2017
Security
avatar
This text has been automatically translated from German to English.

In many cases, however, this supposedly simple question cannot be answered so easily. Especially not if one bases oneself exclusively on the objective facts and leaves out the subjective formation of opinion through the local/temporal perception of the victim or through the press.

What happens when there is too much subjectivity is easily illustrated by the recent example of EyePyramid - an "information stealer" that has stolen around 87 GB of data in recent weeks. This includes that of private companies, but also government offices and other public organizations.

EyePyramid targeted more than 100 mail domains with more than 18,000 mail accounts. The victims, some of them high-ranking, came from Italy and other European countries, but also from the USA and Japan.

With this overwhelming evidence, the conclusion was clear to many: this is a state-driven or sponsored attack!

This conclusion was then gratefully taken up by the media and the general public. Unfortunately, there was only one problem - it was not true!

As it turned out in retrospect, the people behind EyePyramid are a brother and sister with purely monetary interests. It is not a state-sponsored organization that is going to fight the next cyber war.

This incident clearly shows what happens when facts are interpreted only in the context of one's own "convenient" context or are oversimplified. Serious security researchers limit themselves to technically verifiable information when it comes to "attribution," i.e., assigning attacks to actors.

Of course, there are also "clues" that point in a certain direction or whose combination is reinforced. But the metaphorical "smoking gun" in the attacker's hand is rarely found.

To stay with EyePyramid: Factually, (also) government-related organizations were compromised. These are objective facts. The simplification that a state actor must therefore be behind this is subjective and overly simplistic.

Unfortunately, the factual reporting is far less spectacular than the (incorrect) simplification...

Even though the unjustified simplification of facts annoys me as a technically interested person, the topic could be over at this point. If there were not quite other side effects:

When reporting turns every mosquito into a bull and every cybercriminal action into a cyberwar by state actors, this also has an impact on the security perception or the security behavior of all of us.

When everywhere there is only talk of cyber war and state actors, resignation sets in for many companies and private individuals:

"How am I as a person/company already supposed to be able to protect myself against a state?"

Alternatively:

"Why would a state target me already?"

The "success" of such market-shouting communication is that many do not even perceive the real danger - namely ordinary cybercriminals - and accordingly do not take appropriate protective measures.

To put it bluntly: Yes, there are state actors out there who operate with big budgets. But for normal companies and private individuals, these actors are negligible from a risk assessment perspective! The "normal", monetarily driven cybercriminal poses the far greater risk!

Therefore, my request at this point: Do not let yourself be unsettled by sensational reports on cyberattacks by state actors! Conduct a risk assessment of your business processes, verify which actors pose a real risk there, and set up your security strategy accordingly.

Last but not least, I have a request to the press, bloggers, etc.: Some things cannot be simplified any further! This also applies to circumstantial evidence in IT attacks. Even if the omission/simplification of circumstantial evidence may lead wonderfully to "evidence" that can then be placed as a big sensation.

https://e3magpmp.greatsolution.dev/partners/trend-micro-deutschland-gmbh/

Raimund Genes died unexpectedly at his home on Friday, March 24, as a result of a heart attack.

Trend Micro's longtime Chief Technology Officer turned 54. He built up the Japanese IT security provider in Germany and Europe and gave it an important voice in public.

Starting in 2014, Genes enriched E-3 Magazine with his timely and astute commentary as part of the monthly IT Security column. Here, too, he provided valuable educational work for the SAP community.

We publish his last comment on this page posthumously. Our sympathy goes to his family and friends.

avatar
Raimund Genes, Trend Micro

Raimund Genes was CTO at Trend Micro.


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 20, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.