Compliance Policies are used by companies, organizations, or authorities to check whether all products, applications, operating systems and other components used meet certain specifications. The Center for Internet Security (CIS) provides so-called CIS benchmarks for this purpose. Since March 2021, the Greenbone solutions also offer the possibility to check the fulfillment of CIS Benchmarks – with the help of new compliance policies.

But what do we actually mean by a compliance policy?

In addition to legal requirements, companies, organizations and authorities often have their own requirements that must be met for the secure configuration of a system. Such requirements can be formulated, for example, by a software or application vendor for its own products, but also by IT security organizations.

The aim is to ensure the information and data security of a company or an authority by guaranteeing the confidentiality, integrity, availability and authenticity of information.

All specifications and guidelines, but also recommendations to be fulfilled for this purpose, are bundled in a policy in written form.

These guidelines form the basis for compliance policies developed by Greenbone, i.e., for the collection of tests that a Greenbone solution runs on a target system. A vulnerability test is developed for each individual requirement or recommendation to check compliance with that requirement or recommendation. All tests are combined to scan configurations by Greenbone and added to the Greenbone Security Feed.

Since the scan configurations in this case map company or authority guidelines, they are referred to as “compliance policies”.

Example: A company issues a policy with the following requirements:

  • Version 2 of software A is installed on the target system
  • SSH is enabled on the target system
  • Software B is not installed on the target system

For each of the requirements, Greenbone develops a vulnerability test that queries whether the respective condition is met.

The three tests are then combined into a compliance policy that a user of Greenbone solutions can select for running a vulnerability scan. During the scan, it is then checked whether the conditions listed above are met on the target system.

 CIS Benchmarks as decisive security guidelines

The Center for Internet Security (CIS) also publishes such security guidelines: the so-called CIS Benchmarks. CIS is a non-profit organization founded in 2000 to provide best practices for IT security that are used by governments, industry and academia.

One of the largest fields of activity of the organization is the so-called CIS Benchmarks. These are recommendations for handling and configuring numerous products from a wide range of product families. For example, there are CIS benchmarks for web browsers such as Mozilla Firefox or Google Chrome, for operating systems like Microsoft Windows or different Linux distributions, but also for the Microsoft Office products.

In contrast to many other security standards, which only make basic specifications regarding IT security – for example, that there must be vulnerability management – the CIS benchmarks are very detailed. They provide requirements that must be met in order to harden a system, i.e. make it more secure and protect it against attacks. Among other things, this can include criteria for passwords, but also the specification for a certain installed software version.

The CIS Benchmarks are provided by CIS free of charge as a PDF and are constantly being expanded. For CIS SecureSuite Members – just like Greenbone is since 2021 – the CIS Benchmarks are also available via the CIS Workbench in other formats, for example for Microsoft Word or Excel.

CIS-certified Compliance Policies at Greenbone

As with the security policies of other companies, organizations or authorities, Greenbone has now developed own compliance policies based on the CIS benchmarks. These enable users of a Greenbone solution to check their networks, systems and applications against the requirements from the CIS benchmarks. Since March 2021, several compliance policies that map CIS benchmarks are included in the Greenbone Security Feed.

And the special thing about it: the compliance policies developed by Greenbone are certified by CIS! This means that users can be sure that their system is tested according to the hardening recommendations of CIS.

Users can now check their systems to see whether the CIS requirements are met. This also simplifies the preparation of audits. Important criteria can already be checked in advance with a scan by a greenbone solution and any weaknesses found can be eliminated.

But these CIS certified compliance policies will not be the end of the story. Many more policies that map CIS Benchmarks are in the planning or even already in development at Greenbone.

The water sector is one of the critical infrastructures (CRITIS). A successful attack on the sector can lead to significant hygiene and health problems and, in the worst case, threaten human lives. At the 6th VDI conference on “Optimizing Industrial Wastewater Treatment Plants”, Greenbone will provide information on vulnerability management in the water sector and how the attack surface of IT infrastructures can be reduced by early detection and elimination of vulnerabilities.

Everything Fine Thanks to Digitization?

Digitization is seen as the savior of the hour. Even if this may be viewed critically at times, this development cannot be stopped. There are simply too many reasons in favor of digitization. But there are also many reasons that we need to take a critical look at, especially where our security is concerned. The more information technology we put in place, the more digitized attack surfaces we offer.
Malicious users of these attack surfaces can operate globally, and likewise digitized currencies like Bitcoin allow them to profit from vulnerabilities globally as well.

Unlike a bank robbery, an attack on an industrial wastewater facility is more of a a means to an end. The attacker does not want the contents of a safe, but rather targets the vulnerability as such in order to gain advantages, usually through blackmail. Not only technical systems themselves are attacked, but often also the technical and organizational environment from networks to administration. These attackers are not hackers with hoodies and matrix screen savers who just happen to have emergency on their account, but criminal organizations that are industrially and professionally organized. We must arm ourselves against them with resilient organizations, processes and solutions. This brings the topic of cyber resilience more and more to our attention.

Cyber resilience is the ability of a company or organization to maintain its business processes despite adverse cyber circumstances. These can be cyber attacks, but also unintentional obstacles such as a failed software update or human error. Cyber resilience is a comprehensive concept that goes beyond IT security. It combines the areas of information security, business continuity, and organizational resilience. To achieve a state of cyber resilience, it is important to identify vulnerabilities early, prioritize them economically, and eliminate them.

Why Cyber Resilience Is Particularly Important for Critical Infrastructures

Sustainable cyber resilience is important for companies in all industries. But it is indispensable in the area of critical infrastructure (CRITIS). As defined by the German government, this includes “organizations or facilities of critical importance to the state community, the failure or impairment of which would result in sustained supply shortages, significant disruptions to public safety, or other dramatic consequences.”

CRITIS organizations must therefore protect themselves particularly well against cyber attacks – this is required by law. The EU launched the European Programme for Critical Infrastructure Protection (EPCIP) back in 2006 and expanded and supplemented it in subsequent years. Member states are implementing the EU NIS directive in national law, Germany for instance with the IT Security Act (IT-SIG). Large economic nations have already developed regulatory bodies. In the U.S., for example, this is the National Institute of Standards and Technology (NIST) and in Germany the Federal Office for Information Security (BSI).

In Germany, the critical infrastructures are divided into 9 sectors. One of these is the water sector with the divisions of public water supply and wastewater disposal. It includes, for example, waterworks, pumping stations, water pipelines and networks, wastewater treatment plants, the sewerage system, and dam and flood protection facilities. They all play a critical role in our society.

Attacks on the water supply could therefore hit a society to the core and, in the worst case, threaten human lives. Attacks on the wastewater disposal system are just as dangerous. If it no longer functions, the result would be considerable hygienic and health problems. Since the water infrastructure uses many IT systems and electronic control systems (ICS) nowadays, it becomes an attractive target for hackers.

Incidents Show the Vulnerability of the Water Sector

In recent years, there have been numerous attacks on water infrastructures worldwide. Fortunately, there have been no serious consequences so far. However, the attacks show that hackers are exploring how to take control of control systems and prepare further attacks. In 2013, for example, Iranian hackers attempted to penetrate the systems of the Bowman Avenue Dam near the town of Rye Brooke, near New York. The dam is used to control the flow of water after heavy rains and prevent flooding of the town. The hackers managed to gain control over the flood gates’ control system. However, as these were currently offline due to maintenance, the cyber criminals were fortunately unable to cause any damage.

In March 2016, security specialist Verizon reported a cyber attack on a U.S. water utility known by the pseudonym Kemuri Water Company in its monthly Security Breach Report. Hackers had penetrated the SCADA platform. This allowed them to manipulate programmable logic controllers. They changed settings on the water flow and the amount of chemicals added for water treatment. Fortunately, the water utility quickly discovered the incident and was able to correct the settings without causing any major damage. For their attack, the hackers exploited an unpatched vulnerability in the customer payment portal.

Between November 2016 and January 2017, cyber criminals hacked several wireless routers at a U.S. water agency. The routers were used to provide secure wireless access for pump station monitoring. Fortunately, however, the attackers were not looking to sabotage, but were targeting the agency’s Internet resources. Their bill rose from an average of $ 300 per month to a whopping $ 45,000 in December and $ 53,000 in January. For their attack, the hackers exploited a vulnerability in the routers of the manufacturer Sixnet. According to its own information, Sixnet had already made a patch available in May, but the authority had not installed it.

Over the past year, Israel has been the victim of multiple cyber attacks on water supply and treatment facilities. In April, hackers undertook a major cyber attack on control and monitoring systems at wastewater treatment plants, pumping stations and sewers, the Israeli National Cyber Directorate (INCD) said in a statement. The INCD then demanded companies in the water sector to change passwords for all systems connected to the Internet-connected systems and to ensure that control system software is up-to-date. The hackers attempted to change the chlorine content of water at a water treatment plant. The attack was not successful. Had it been, it could have resulted in mild intoxication of the population served by the treatment plant. Back in June, there were two more attacks on Israel’s water facilities. This time, agricultural water pumps were affected.

Although there has not yet been a comparable incident in Germany, the Federal Office for Information Security (BSI) reports about the implementation of the necessary organizational and technical precautions to prevent disruptions in its current report on the state of IT security in Germany. In the water sector, this reveals deficiencies in the areas of network separation, emergency management and physical security. In the reporting period from June 2019 to May 2020, there were several incidents in the water sector in Germany that were due to faults in control components. Remediation of the malfunctions was very lengthy and costly. Damage was avoided by operators acting prudently and having redundancies in place.

Attack Points in the Water Sector

IT and OT systems support the water cycle. In water production (1), quality control systems and digital pump control are used to manage water inflow from various sources towards water distribution (2). Digital metering and control methods monitor water pressure and quality in the water network and are thus part of the overall IT attack surface. In sewage systems (3), wastewater pumps and pre-treatments by filters, which are monitored at central points, are used. Water treatment (4) is a critical component due to the necessary digitalized control of physical, chemical and biological processes.

Many networked IT systems and industrial control systems are therefore used in drinking water supply and wastewater disposal, enabling largely automated processes. Examples include sensors for temperature, flow rate, or chlorine content, remotely readable meters, and web portals and mobile apps for customers.

Challenges for Cyber Resilience in the Water Sector

To reduce their attack surface for cyber criminals, water sector organizations must consider the full range of networked systems, devices and applications.

But this is not always easy. One problem is that the ICSs used in the water infrastructure come from different generations. Many of the older control systems were developed at a time when little or no consideration was given to cyber security. This leads to a heterogeneous, vulnerable IT landscape. Additionally, the high degree of automation and dependence on industrial controls makes water infrastructure particularly vulnerable to attack. Furthermore, the IT systems in use are becoming increasingly complex. This makes it difficult for companies to achieve a sufficient level of protection. The increasing networking of components within the field and control level as well as the control and process control technology increases the complexity even further.  At the same time, this increases the attack surface for hackers. They have more and more opportunities to penetrate networks, steal data or manipulate industrial controls.

Even Previously Unexploited Vulnerabilities Should Not Be Underestimated

A recent study by Kenna Security found that the total number of vulnerabilities discovered per year has increased from 4,100 in 2011 to 17,500 in 2021. On the other hand, the percentage of vulnerabilities exploited by hackers has not grown at the same rate. What is the reason for this?

Cyber crime follows the same economic rules as any other business model: least investment for maximum result. But cyber crime also suffers from the same problem as the IT industry in general: experts are a limited resource.

Companies cannot change this initial situation, but they can ensure that their attack surface is reduced. Tolerating a large attack surface, even if the vulnerabilities are not yet weaponized, is replacing control with gambling. As soon as it seems cheaper for cyber criminals or the outcome is promising, cyber crime will focus on vulnerabilities that are not yet weaponized, and the conversion of vulnerabilities into weapons will happen quickly.

Even worse is the motivation of cyber terrorists, who have so far been fortunately unsuccessful due to a lack of expertise. It is unclear whether they will gain the necessary skills and if so, when. But they do not follow the rules of economics, which makes them less predictable in selecting targets and suitable weaponized vulnerabilities.

In essence, there are two good general reasons why organizations should establish a process to manage and minimize their entire attack surface and not just focus on current (or likely) weaponizable vulnerabilities:

  • Pandemic risk: while it may not be attractive for a single criminal organization to invest in turning a more expensive vulnerability into a weapon, the more organizations choose not to do anything about that vulnerability, the more interesting it becomes. The fewer that are vaccinated, the better the pandemic spreads.
  • Automation risk: automating exploits is not only an attractive, cost-effective way to go. It significantly reduces the window of opportunity to respond with countermeasures.

Reduced Attack Surface with Vulnerability Management

Regardless of how many vulnerabilities exist, managing damage and actively countering ongoing attacks becomes exponentially expensive for organizations if not accompanied by an ongoing process that identifies, manages and reduces the attack surface.

Cyber resilience is a continuous process. It strengthens an organization’s ability to withstand an attack and enables it to continue to function during an attack. To achieve this, it is important to reduce the attack surface and thus stabilize the base. This means identifying vulnerabilities that could be exploited by an attacker and thus staying one step ahead of the attacker.

999 out of 1,000 vulnerabilities have been known for over a year. With vulnerability management, this means that these vulnerabilities can be identified and eliminated before they are exploited by an attacker. This greatly reduces the attack surface of the IT infrastructure.

Vulnerability management systems are fully automated and, thanks to features such as schedules and custom scan configurations, offer users the ability to create complete vulnerability management processes that constantly scan for vulnerabilities. As a result, vulnerability management ensures more resilient systems in the long term.

Contact Free Trial Buy Here Back to Overview

It was one of the most spectacular cyber attacks of all time: hackers attacked SolarWinds in the fall of 2019 and injected malware into an update of SolarWinds’ Orion platform in the spring of 2020. Customers who installed the compromised version of the network management software got the “SUNBURST” backdoor right out of the box – including numerous U.S. government agencies and large corporations. Well camouflaged, the hackers were able to spy on data unnoticed for a long time. Here you can learn if you are affected by the SolarWinds attack and how you can protect yourself using Greenbone’ solutions.

The cyber criminals have thus pulled off an almost perfect coup. There is an element of irony to the attack since SolarWinds’ customers use the Orion platform to monitor their IT environment for suspicious behavior. The hackers were hiding in plain sight, as it were, and proceeded in a very targeted and extremely sophisticated manner. They first attacked SolarWinds with the specially developed “SUNSPOT” malware. This injected the malicious “SUNBURST” backdoor, also called “Solorigate”, into the “SolarWinds Orion Platform” update product line. The malware was embedded directly into the code where it obtained valid software signatures, making it perfectly camouflaged. With the update compromised, the backdoor could then be distributed to customers undetected.

Undetected for a Long Time

On 12th December 2020, SolarWinds was informed about the incident and launched an investigation. Security firm FireEye, which itself had been infected with the malware, published additional information about the intrusion into its network. According to its research, the cyber criminals had stolen various attack tools from FireEye, which the company use for testing its own customers’ security. Other SolarWinds customers also reported security breaches. In addition, during the investigation of the incident, security researchers found another backdoor that had apparently originated from a second, independent hacker group. The attackers had exploited the previously unknown vulnerability CVE-2020-10148 in the Orion platform to install a malicious web shell called “SUPERNOVA” on targets running the Orion platform. More recently, multiple new vulnerabilities have also been discovered, vulnerabilities that could allow full remote code execution if left unpatched.

In the Greenbone Security Manager, the Appropriate Vulnerability Tests Are Already Integrated

Around 18,000 customers have received the compromised SolarWinds update, making them particularly vulnerable to an attack. However, not all of them have been hacked by cyber criminals through the back door and have tapped into data. The hackers have so far concentrated on particularly attractive, lucrative targets. Are your networks also at risk? As a Greenbone customer, you can find out right away as we integrated corresponding vulnerability tests into the Greenbone Security Manager (GSM) as soon as the incident became known. Our vulnerability scanning will show you whether your IT environment is at risk via “SUNBURST”/”Solorigate” or CVE-2020-10148, making you one of the potential attack targets. In addition, the GSM can check whether you have already fallen victim to “SUPERNOVA”, or the additional malware tools used by the hackers “TEARDROP” or “Raindrop”.

The Situation Is Serious, but There Are Solutions out There

Anyone affected by the vulnerabilities mentioned above should work to close them immediately using the hotfixes and patches SolarWinds has published for them as the unknown hacker group is still active and at large. Only recently, the security firm Malwarebytes announced that it was the victim of a cyber attack. Obviously, the same actors are behind this as in the SolarWinds hack, although Malwarebytes itself does not use SolarWinds software at all. In this instance, the cyber criminals misused applications with privileged access to Office 365 and Azure environments as an attack vector. Fortunately, the damage was reported to be minor and Malwarebytes software was not compromised.

All these incidents have shown that we have reached a new dimension of cyber crime. Actors are carrying out perfectly planned, complex and multi-stage attacks, first hijacking trusted software to then gain access to other more lucrative victims. To ensure such attacks have as few chances as possible to succeed, it is important to identify and close vulnerabilities as soon as possible.

Are there actually independent reviews of Greenbone solutions?
Of course – we are proud to present the latest report from a leading industry magazine: “IT-Administrator tried the system [solution from Greenbone] and was thrilled with its functionality”. (IT Administrator 01/2021)

In September 2020, the magazine IT-Administrator – a German professional journal for system and network administration – asked Greenbone if they could write a test report about a Greenbone appliance.

The report is currently published in the January issue of the magazine. Here you can read the detailed report.

In the test, IT-Administrator took a closer look at the GSM 150. The GSM 150 is a physical appliance designed for vulnerability management in small to medium-sized businesses, or organizations with medium-sized branch offices. It scans up to 500 IP addresses within 24 hours and can also be used as a sensor for larger appliances.

Everything that must be done in a standard deployment of a Greenbone Security Manager was tested: from the initial setup via the console, to configuring scans on the web interface, to evaluating a scan report.

For testing the vulnerability scans, IT-Administrator had prepared different target systems with different security status to examine the differences in the results. Authenticated scans were also part of the test.

Read the full article here (German only).

With the help of compliance policies, a company can check whether all components integrated in the system meet the required specifications. The increasing digitalization and the associated growth of new technologies create opportunities, but also risks. For this reason, the demands on compliance are increasing as well. With GOS 20.08, all compliance policies were made available via the Greenbone Security Feed and four new compliance policies were added: TLS-Map, BSI TR-03116: Part 4, Huawei Datacom Product Security Configuration Audit Guide and Windows 10 Security Hardening.

Compliance policies for different industries

What is a compliance policy anyway?

In addition to legal requirements, companies and public authorities often have their own guidelines that must be met for the secure configuration of a system. The aim is to ensure the information security of the company or authority by guaranteeing the confidentiality, integrity, availability and authenticity of information.

All specifications and guidelines that are necessary for this are summarized in one document to form a policy.

Based on the individual criteria of the guidelines, Greenbone develops vulnerability tests – roughly speaking: one criterion results in one vulnerability test. Greenbone combines these tests into a scan configuration.

Such scan configurations, which reflect policies of companies or authorities, are called Compliance Policies.

Example: a company releases a security policy with the following requirements:

  • Version 2 of software A is installed on the target system
  • SSH is activated on the target system
  • Software B is not installed on the target system

Greenbone develops a vulnerability test for each of the requirements, which checks whether the respective condition is fulfilled.

The three tests are then combined into a compliance policy that a user of the Greenbone solutions can choose when performing a vulnerability test. During the scan, it is checked whether the conditions mentioned above are met on the target system.

New: distribution of compliance policies via the Greenbone Security Feed

Starting with GOS 20.08, all standard scan configurations, reports formats, port lists, and compliance policies of Greenbone are distributed via the Greenbone Security Feed.

Among other things, this allows the publication and distribution of scan configurations for current, hot vulnerability tests. In the past, these were published as XML files for manual download on the Greenbone download website and had to be imported by the users themselves – which was very tedious and left room for mistakes, making a quick application hardly possible.

But this is not the only advantage. It also makes troubleshooting much easier and faster for the customer: objects can be updated and, if necessary, fixed for all setups with a single feed update.

In addition to this innovation, the Greenbone Security Feed has been extended by some important compliance policies.

More Compliance Policies in the Greenbone Security Feed

Four new compliance policies were added to the Greenbone Security Feed in the 4th quarter 2020:

  • TLS-Map
  • BSI TR-03116: Part 4
  • Huawei Datacom Product Security Configuration Audit Guide
  • Windows 10 Security Hardening

About the Special Scan Configuration TLS-Map

Note: TLS-Map is a scan configuration for special scans that are different from vulnerability scans. For reasons of simplicity, this special scan configuration is listed in this article along with the compliance policies.

The special scan configuration TLS-Map is helpful wherever secure communication over the Internet is required. TLS – short for Transport Layer Security – is a protocol for the secure transmission of data on the Internet. It is the successor of SSL – Secure Sockets Layer – which is why both protocols are still often used synonymously today. However, all SSL versions and TLS versions prior to version 1.2 have been outdated since 2020 at the latest and are therefore insecure.

The largest area of application for TLS is data transfer via the World Wide Web (WWW), for example between a web browser as the client and a server such as Other areas of application are in e-mail traffic and in the transfer of files via File Transport Protocol (FTP).

The special scan configuration TLS-Map checks whether the required TLS version is available on the target system and whether the required encryption algorithms – so-called ciphers – are offered.

About the Compliance Policy BSI TR-03116: Part 4

The Technical Guideline BSI TR-03116 Cryptographic Requirements for Federal Projects from the Federal Office for Information Security (BSI) is used for Federal Government projects. This means that if a federal project should be implemented, this guideline must be fulfilled. It consists of 5 parts in total:

  • Part 1: Telematic infrastructure
  • Part 2: Sovereign identification documents
  • Part 3: Intelligent measuring systems
  • Part 4: Communications procedures in applications
  • Part 5: Applications of the Secure Element API

The compliance policy, which Greenbone Network has developed accordingly, checks whether the contents of the fourth part of the policy are fulfilled. This part contains requirements for communication procedures.

The compliance policy BSI TR-03116: Part 4 in the Greenbone Security Feed tests the three main requirements – minimum TLS version as well as necessary and not legitimate ciphers – of the technical guideline.

About the Compliance Policy Huawei Datacom Product Security Configuration Audit Guide

Compliance policies for Huawei solutions have been part of the Greenbone Security Feed for quite some time.

Greenbone had already developed compliance policies for the following two solutions:

  • EulerOS: Linux operating system, based on CentOS
    Related compliance Policy: EulerOS Linux Security Configuration
  • GaussDB: database management system (DBMS)
    Related compliance policy: GaussDB 100 V300R001C00 Security Hardening Guide

With a compliance policy for Huawei Datacom, a product category that also includes routers and switches with their own operating system, a third compliance policy for solutions developed by Huawei is added now.

For all three products – Huawei Datacom, EulerOS and GaussDB – there are security configurations that were specified by Huawei. Based on these configurations, Greenbone has developed compliance policies which check the compliance with those security configurations. The different compliance policies are always applied if the corresponding solution is available on the target system.

For the Huawei Datacom operating system, Huawei distributes the Huawei Datacom Product Security Configuration Audit Guide. The associated, newly developed compliance policy tests, for example, whether the correct versions of SSH and SNMP are available on the target system.

About the Compliance Policy Windows 10 Security Hardening

The compliance policy Windows 10 Security Hardening includes vulnerability tests to evaluate the hardening of Windows 10 according to industry standards.

Among other things, the compliance policy checks different password specifications such as age, length and complexity of the password, specifications for the assignments of user rights, and requirements for different system devices.

Even faster integration of compliance policies with GOS 20.08

As digitalization continues, compliance requirements are growing in companies of all sizes and in all industries.

Through the direct integration of compliance policies via the Greenbone Security Feed and the inclusion of new compliance policies, the testing of target systems is even more efficient, easier and quicker, thus increasing the protection of the IT infrastructure without the need for special compliance know-how. Of course, we continue to work on new compliance policies on an ongoing basis. So be curious!

Since we published our summarized findings about the data leaks related to unsecured PACS servers across the globe, one question remained when looking at the situation and the continued access we have to the majority of the systems we found and measured more than 3 months ago.

What else can we do to get as much systems as possible off the public Internet?

Within the software space, we have used responsible disclosures for some time (for example with D-Link earlier this year), so the idea was to apply the same logic.

Still, following that idea wasn’t easy and straight forward, as a couple of concerns had to be addressed.

  • What data shall we use to substantiate the fact that there is a data leak within the organization we address?
  • How do we identify the organization, the right contacts there?
  • What format and method of disclosure shall we use? And finally..
  • What should we say in the disclosure so that it is seen as an information and not as a threat?

We worked along the questions, with the help of friends, partners and valuable insights of security professionals across the globe (thanks to Troy Hunt for the presentation about the topic:

What data to use?

Simple answer: as little as possible, a single data set should be enough, and even this one needs to obscured as we are likely to transmit the information via unsecured channels.

We decided to use a single, current date set from each system for each provider and note it down. No, nothing was downloaded & stored or copied and pasted from these PACS. We don’t want that. Pencil and Paper are our tools here.

How to identify the system owners?

No question, we were not supposed to contact any person within the data to find out about their healthcare provider: “Hey, we got your data from an unsecured system on the Internet can you name me your radiologist?” wouldn’t work well. As the information contained in the PACS also indicates the name of healthcare providers and of physicians, this was our starting point.

We used a list of sites, Google of course, but also:

So, all the work was done using OSINT.

What should be the format?

Letters, Faxes, Emails? We discussed about the pros and cons, and we decided to use Email as the format and method to transmit the responsible disclosure. Email is fast but it is also the main inroad for attack attempts like phishing, so we had to scale down from fancy HTML to plain text. Having the RFC style & format in mind, we drafted some initial versions and circulated them among capable advisers.

What should we say?

Emails talking about data leaks are very often received as threats, “do this, pay that or we will release ..:”. Formulating this email to avoid that specific effect was a bit of a challenge. We kept it as simple and short as possible, suggested actions instead of demanding them (which is anyway nothing we could possibly do). That one took us a bit of work.

Finalization and Concerns

Our full notes were then transferred into a consolidated list of details (already obscured), becoming the source for our little email campaign. As security researchers, we know that some recipients will totally misunderstand our intentions and “shoot the messenger”. That reaction happened in the past, too often.

We will keep you posted…

Below is the final text which we sent out the afternoon on DEC 10th, 2019.

Sent to: email address

Personal Health Information Data Leak – Responsible Disclosure

Attention to



With this email, we want to inform you about an identified data leak likely affecting your organization. A server storing medical information of patients affiliated with your organization, a PACS server (Picture Archiving and Communication System), is connected to the public Internet without any protection. We believe this server is affiliated with your organization, and is configured in a way that allows free access to Personal Health Information of patients being treated in your facilities. We work for a team of computer security researchers, and are bringing this matter to your attention through the principles of RESPONSIBLE DISCLOSURE so you may address the exposure and protect your organization and patients.

To substantiate the fact, please see the obscured details of one single data set of a patient below.

Exam date & hour: __________ (exact timing shortened, but available on the system)

Patient name: __________ (obscured for privacy concerns and clear text transmission)

Patient DoB: __________ (shortened to year, if in the system)

Patient ID: __________ (as it appears on the system)

Exam ID: __________ (if and as it appears on the system)

Physician’s name: __________ (obscured, if and as it appears on the system)

Organization’s name: __________ (as identified during our research)

The network address of this system is the following IP address (and tcp-port): __________

In September 2019, we have informed Government authorities across the globe about the systems we identified. You receive this email as part of our efforts to alert more than one hundred organizations in the US affected by that type of data leak. We would like to suggest to you to take the necessary measures to secure the named PACS system. Potential measures can be, among others:

  • Implement access control to the system
  • Verify unnecessary port forwards
  • Deploy VPN access

Please consult with your information security staff, your IT service provider and/or the relevant Government authorities in the US about the range and scope of measures possible in your specific setup.

Please note also:

  • We recently conducted and published a research about this type of data leak, which lead to this disclosure. More information can be found here [1] and here [2].
  • Our research paper describes ways how to verify this data leak for yourself [3].
  • This email is written in plain text and contains no attachments.
  • Should you require further information, please feel free to contact us. Within limits imposed by the situation, we will try to help. There is no demand for compensation related to this.
  • This is a responsible disclosure; again, there is no demand of compensation for it or any intent to publish the data or details of your organization.
  • This is not a cyber-attack, it is about systems connected to the public Internet without any protection at all, allowing uncontrolled access to personal health data.

With best regards

Greenbone AG
Dirk Schrader
(CISSP, CISM, ISO/IEC 27001 Practitioner)
Mobile: +49-
Office: +49-541-760278-0
Greenbone AG
Neumarkt 12
49074 Osnabrück, Germany
AG Osnabrück, HR B 202460
Managing Director: Dr. Jan-Oliver Wagner





Companies from the IT and telecommunications sector, which are operating critical infrastructures, are top targets for hackers. They therefore need to be as secure as possible. This is where sustainable cyber resilience comes in.

Sustainable cyber resilience is a vital defence against cyberattacks. But what exactly does that mean?

It’s become clear that companies can no longer afford to take reactive measures to protect themselves from hackers. They must minimise their attack surface from the outset and, at the same time, ensure that their systems remain operational even in the event of a cyberattack. The sustainable cyber resilience concept goes one step further than IT security and includes both technological and strategic measures. On the technical side, it is necessary to identify and assess risks and close weak points. On the strategic side, business and IT departments must work closely together to make the resilience processes a top priority.

Here are Greenbone’ top five reasons why sustainable cyber resilience is essential for telecoms providers today:

1. Cyberattacks on telecoms companies are on the rise
Ponemon Institute estimates that nine out of ten critical infrastructures have suffered an attack over the past two years. The telecoms sector is particularly at risk, with attacks coming from all sides, including government agencies establishing covert surveillance and cyber criminals in search of highly valuable personal customer data. Indeed, especially with the introduction of 5G and suspicions (rightly or wrongly) surrounding the use of Huawei equipment, UK telecoms providers have been urged to strengthen their cyber security defences by the NCSC to fend off the growing number of attacks.

2. Telecommunications connect all critical infrastructure sectors
If the telecoms infrastructure fails, other critical sectors will also be affected. Many control systems in energy and water utilities can’t function if they can’t transmit or exchange data. The financial system would come to a standstill; so too would the healthcare system. A telecoms sector that is resistant to cyberattacks is absolutely vital to every walk of society.

3. The target area of telecoms infrastructures is becoming larger
As a result of digitisation, more and more telecoms services have shifted to IP networks. The classic fixed network has become obsolete. Telephony, internet, TV and video streaming are now all IP-based. As a result, communication networks and server systems are becoming increasingly unified. But this also means that hackers can cause massive damage by attacking the IP network. Furthermore, mobile is becoming increasingly important. Many IoT devices use mobile networks and, as a result, cybercriminals have more and more points of attack. The new 5G mobile communications standard will bring even more technical complexity and, with it, the need for new IT security requirements.

4. Nested responsibilities make security more difficult
Many different companies and subcontractors are often involved in telecoms infrastructures. Some of them are located in different countries. Whilst this makes it difficult to provide security it also means that it is all the more important to establish a uniform, consistent level of protection with a resilience concept.

5. The EU NIS Directive makes resilience building blocks mandatory
Since May 2018, critical infrastructure companies in the telecoms sector have been obliged to provide evidence of suitable technical and organisational measures to protect against cybercrime. This is prescribed by the EU NIS Directive. ISO 27001 certification provides a good blueprint for resilience. Among other items, it mandates vulnerability management, an important cornerstone of sustainable cyber resilience.

Minimising risks with sustainable resilience
It’s not for nothing that attacks on telecoms infrastructures are so popular with hackers. Here they find a growing, complex attack surface on which they can cause great damage. ICT companies should therefore do everything they can to make their systems sustainably resilient. For a comprehensive concept of Sustainable Cyber Resilience, ICT companies must take the appropriate technical and organisational measures.

This includes vulnerability management.