The announcement that some 500 Microsoft Exchange servers “need immediate attention”, issued by Luxembourg’s cybersecurity agencies last week, was echoed by financial regulator the CSSF just before last weekend. The head of Luxembourg’s agency covering the private sector said the financial sector has already faced cyber-attacks and computer criminals target weaknesses in such servers.
A noted international cybersecurity expert linked this to the difficulty in finding top cybersecurity talents in Luxembourg. “The struggle that people in Luxembourg have, certainly clients that we’re talking to, that want to work with us, but don’t yet, is that they can’t find the skill sets,” said George Ralph (photo) of Richard Fleishmann and Associates (RFA).
Friday’s CSSF press release cited announcements from the Luxembourg House of Cybersecurity and CIRCL, the Computer Incident Center Luxembourg, that 553 MS-Exchange servers needed updating, including a mid-February critical software patch for Microsoft Exchange servers concerning “remote code authorisation vulnerabilities.” Some servers have been awaiting an update since 2021, which is an “alarming situation,” according to CIRCL.
“There's a huge gap between the servers that are being fixed in a timely manner and the rapidity of new vulnerabilities being discovered, being exploited,” said Pascal Steichen, CEO of the Luxembourg House of Cybersecurity on Tuesday.
No shame
The action of the CSSF in broadcasting the alert was welcome, he said. “And we are rather happy that an entity like the CSSF is also communicating this to I would say help little us in raising awareness about these topics.” He noted that the size of the financial sector in Luxembourg means it shares these cybersecurity concerns. “Previously we have been in contact with entities from the financial sector having cybersecurity intrusions,” he said, quickly adding that there was “no shame”.
There are troubling indications of a structural basis to these problems.
“When we take over technology for new clients in Luxembourg, they don't seem to have proper risk management processes,” said Ralph, the global managing director and chief revenue officer at internationally active RFA, who’s a certified cyber assessor, auditor and architect and widely experienced cybersecurity professional. “They have an idea of what their risk is from a very high level like, ‘we have a server and the backups are nightly’.”
Very high level
He continued: “they don't have a proper risk management process. They don't have a director in the organisation who's responsible for checking the mitigating actions. They don't have a CVSS scoring system for risk. They tend to use major brands for antivirus and things rather than looking at endpoint security holistically.”
The headline number of 500 unpatched servers is a historical accumulation and does not indicate how many firms have failed to install the latest Microsoft software update.
“What is really relevant is the acceleration of the situation which we have seen in the last few months,” Steichen explained. “Because there is the accumulation of all the different vulnerabilities that have been detected.”
Steichen acknowledged the report was alarming. “But the positive thing is that there is nowadays information out, and… there is knowledge about what needs to be done, how it needs to be done.” Steichen described CIRCL, which is part of his organisation, as having the mission “to help support and be the contact point for companies in Luxembourg when there are cyber security attacks, threats, incidents, these kinds of things.”
Skills shortage even here
While communicating and raising awareness about the threat, Steichen was quick to acknowledge that Luxembourg has an issue attracting staff with the right skills.
RFA’s Ralph said the state of Luxembourg’s cybersecurity is linked to the early days of IT. “Historically, a lot of cybersecurity has been delivered by people who have grown into roles in the Luxembourg market.” But with the rise of public cloud usage in the world, “there are different skill sets coming to light.” He explained that in his experience it’s “very hard to keep up with the latest technology.”
Part of the problem is that many legislative texts have the effect of requiring that there’s a Luxembourg-based team or a Luxembourg-based server rack, which raises the burden for what may be a small part of an international firm’s operation. There are also limits on how long external experts can spend in Luxembourg.
Ralph praised the EU’s Digital Operational Resilience Act (Dora) process. “The Dora process opens it up a little bit more, it makes it slightly less locked down.”
Steichen acknowledges there is a shortage of skills in Luxembourg. “We definitely see that there is a huge gap in skills in the global sense in cybersecurity … in the cybersecurity experts that they need in companies but also in the individual competences … that operational people have, that also managers nowadays need to have when it comes to the cybersecurity topic.”