2019/06/13 16:30:09

Why did B2B-Center order a cyber attack on itself? Technical director Artem Lomakin on approaches to protection against hackers

B2B-Center, the largest Russian platform in the corporate B2B procurement segment, regularly commissions cyber security audits, but sooner or later the eye of any auditor, internal or external, becomes jaded. In June 2019, B2B-Center technical director Artem Lomakin spoke to TAdviser about his experience of conducting a pentest, commissioned for the platform from Group-IB as an alternative to a classical audit, and about its results.

Artem Lomakin: "The pentest confirmed the high level of security of B2B-Center. We really are well prepared."

B2B-Center handles corporate procurement and sales online. What volume of tenders, on average, passes through you?

Artem Lomakin: The trading volume of Russian companies on the platform is growing constantly. In 2018 it increased by 29% and reached 2 trillion rubles. In total, our clients conducted 184 thousand electronic procurements.

In the first four months of 2019, purchases worth 856 billion rubles took place on B2B-Center. That is 53% more than in January-April 2018.

Today B2B-Center is the largest Russian platform in the corporate procurement segment.

What are the advantages of your platform? Do you provide additional services to your clients? Do they concern cyber security, given the rather impressive sums involved?

Artem Lomakin: Our main advantage is flexibility. We are focused on working with business, so we can configure the service for the tasks of clients from any industry: energy, manufacturing, construction, agriculture, retail, telecommunications and IT.

B2B-Center is not just a platform on which any type of bidding can be held. Our clients can fully automate the procurement process and tender sales: planning, managing work with suppliers and customers, selecting suitable purchases and potential partners, managing reference (master) data, raising financing and much more.

Our service must meet high requirements in the field of cyber security. First, they are imposed by legislation and state regulators. Second, by our clients, the customers. Among them are the largest corporations in the country: Rosatom, AVTOVAZ, RUSAL, MegaFon and many others. So for us cyber security is not an additional service for clients but a mandatory element of the infrastructure.

In short, we must ensure the confidentiality of information about procurement participants and their bids, which contains personal data and trade secrets, as well as the stability of the platform. The service must work 24/7, since purchases take place across the whole country, from Kaliningrad to Vladivostok.

Besides, there are also formal requirements. We must back up the required level of security with documents: certificates, attestations and audit reports.

Not long ago you carried out a security analysis of the platform. What were the reasons for this? Was it an initiative of the security team or of the business?

Artem Lomakin: We use the most modern practices in software development and we regularly conduct audits. But that is not a panacea against vulnerabilities, so once a year we engage external contractors, experts in the field of cyber security. This helps us assess the platform's protection through the eyes of professionals who can recommend new techniques and approaches.

Besides, an external audit is a requirement of some of our clients. They need authoritative confirmation of the security level.

How did you select the contractor? What was the decisive factor?

Artem Lomakin: We have commissioned external audits for many years, but the eye becomes jaded not only for us but for any contractor. So in 2019 we decided to bring in a different partner. The eyes of a team of professionals always light up when there is a new large target to check. And we simply needed a fresh look at the infrastructure.

Group-IB has a reputation as professionals in the fight against cyber crime. They have studied its methods of work for many years, so they know how it attacks and what schemes it uses. They are, so to speak, not "paper auditors". That is an important factor, since during the pentest of the internal perimeter we really let the contractor into the most protected part of the service, and we want to know for certain that this protection works.

At our request, Group-IB provided an example of an anonymized report on a similar security audit. We liked it very much: clear structure, methodology, detailed justification of conclusions and practical recommendations.

We also decided to carry out a simulated social engineering attack on the company's staff together with the pentest. We had no such experience before.

In general, we liked Group-IB's approach to working with clients. Everything was quick and convenient, from the first call to the drawing up of the offer. We quickly agreed on all the conditions, including the timeline, the scope of work and a reasonable price, and started the pentest of the platform.

What scope of work was included in the contract with Group-IB? Did you set tight deadlines?

Artem Lomakin: A pentest of the external and internal perimeter, plus a phishing mailing to employees by e-mail. We did not set tight deadlines for the audit, but we wanted to start as soon as possible. We managed it: the check began within two to three weeks and took two months.

What was revealed during the pentest of the external perimeter? Were any of the partner's findings unexpected for you?

Artem Lomakin: The pentest confirmed the high level of security of B2B-Center. We really are well prepared.

At the same time, specialists from Group-IB's Audit and Consulting division identified points for further growth, including improvements to our internal development and control processes. In addition, we received an assessment of the information security tools we use.

As far as one can judge, an internal pentest should reveal whether there is, in principle, a technical possibility of gaining unauthorized access to systems. Can you tell us more about the tasks of the internal pentest?

Artem Lomakin: We seriously rebuilt the architecture after the last audit, so we wanted to make sure that everything works correctly.

The internal pentest simulated a threat model in which the attacker's equipment somehow ended up on our internal network. For example, it connected to the public Wi-Fi, someone plugged in a flash drive, or an employee's computer was infected through e-mail.

Within the internal audit we assessed what damage the attacker could do, whether he could gain access to confidential information or disrupt the operation of the service.

How do you assess the work as a whole? What were the most important findings for your business in the report on the results of the project?

Artem Lomakin: We are happy with the quality, timing and effectiveness of the audit. We liked the reports very much: no "padding", a clearly described methodology, detailed justification of all findings and recommendations on how to improve protection.

The social engineering attack was the most impressive. Group-IB experts sent a phishing mailing to employees' e-mail with a subject relevant to everyone.

We had no such experience, but we understood that the person is the weakest link in a security system. Even the strongest protection cannot exclude this factor. It is not at all about malicious intent, but about absent-mindedness or excessive curiosity. This makes social engineering the most powerful weapon of attackers.

We were pleased that the company reacted very quickly. Employees realized it was an attack 12 minutes after the mailing. Though, of course, we had warned nobody.

But the main effect was something else. Some colleagues believed the letter and saw for themselves that cyber threats are real. It worked much better than any briefings and talks, which turn into a routine over time. The phishing attack showed all the sceptics how cybercriminals operate and what danger they pose not only to B2B-Center's business but to every employee.

What further steps will you take after the work carried out by Group-IB?

Artem Lomakin: We have already implemented the recommendations and resolved all the comments we received based on the audit.

One of the main results of the check is an increase in staff awareness. Cyber security is always associated with unpopular decisions: you have to remember long passwords, change them more often, go through two-factor authentication, and so on.

But real experience and the conclusions of professionals help to convince everyone that the threats are real. And we must do everything possible to protect the company and our clients.

How often are you going to commission audits in the future?

Artem Lomakin: We commission external audits annually or after serious changes to the architecture. But you should not rely only on audits by external specialists, since new vulnerabilities in equipment and software products are discovered much more often. So we regularly check our protection ourselves.

Could you give advice on choosing an auditor for companies in your sector?

Artem Lomakin: Often, under the guise of a pentest, people offer to scan the perimeter with a single software product, making minimal effort to analyze the results. In reality such an approach is used only by hooligan schoolkids. Run the scanner, something responded, tried it, it worked! That is the most primitive attack.

To conduct a proper pentest, you have to think and work like a real attacker who genuinely needs to break through the protection. It can be a multi-step, unconventional sequence of actions. Such an approach is rarely found on the market.

So, first, look for a creative team. Auditors should use many different tools and skills. You need security professionals who can find vulnerabilities in a well-protected perimeter.

Second, choose an auditor with a reputation on the market and considerable experience. You must be able to trust them, since you will be giving them access to sensitive data.

Third, familiarize yourself in advance with the results of similar work. An anonymized report on a completed pentest is enough to assess the contractor's level.

Finally, change the auditor once every 2-3 years. A stable long-term partnership relaxes both the customer and the contractor. In the field of cyber security a fresh look is especially relevant.