At the beginning of October 2024, we announced the launch of the CYREN^ZH Cybersecurity Clinic . In this clinic, students from ZHAW School of Engineering, ZHAW School of Management and Law, and the University of Zurich offer selected organizations, such as SMEs, start-ups, municipalities, schools, non-profit organizations, and associations, pro bono cybersecurity services. The services cover a broad spectrum of cybersecurity, from technical security aspects to security risk assessments and human factors.

With the clinic, we aim to improve the cybersecurity situation, knowledge, and awareness of these organizations while deepening the education of the next generation of cybersecurity experts by allowing students to apply the knowledge acquired in class to real-world scenarios.

The first four clinic projects were initiated in the fall semester of 2024 and have now all been completed. A total of 10 students worked on the projects and were able to gain valuable practical experience. In the following sections, we will discuss all four projects and report on the results achieved.

If you are also interested in conducting such a project, please do not hesitate to contact us. You can find all relevant information on the website of the CYREN^ZH Cybersecurity Clinic.

The First Project: Penetration Test of a Web Application from TrueYouOmics

Due to the integration of personal and therefore very security-critical data, it is important for TrueYouOmics that the web application has a high level of security. For this reason, a strong focus has been placed on security during the development process. In addition, security was to be analysed by a third party as part of a penetration test, which resulted in this clinic project.

The project was supervised by Prof Dr Marc Rennhard and Thomas Sutter. The work proved to be very challenging as the web application is based on several modern technologies and also integrates third party services. Accordingly, the students had to familiarise themselves with these technologies and attack techniques such as prompt injection as part of their work. However, as the students already had extensive basic knowledge from their studies, including attack techniques on web applications, they were able to acquire the missing knowledge efficiently as part of the project.

The penetration test showed that the web application has an overall good level of security. However, several relevant vulnerabilities were identified, both in the basic web application functionality and in the chatbot integration. For all these vulnerabilities, effective and efficient solutions were proposed and described in such a way that they could be implemented independently by TrueYouOmics.

Statements

The second project: cybersecurity on farms

The Agricultural Engineering Department of the Agricultural Centre of the Canton of St. Gallen (LZSG) deals with the topics of digitalization in agriculture and smart farming. In this context, a pilot event to promote security awareness on farms was offered by the LZSG together with the cantonal police in spring 2024. It turned out that general information did not have the desired effect. On the other hand, neither the exact dangers nor the potentially risky behavior of female farmers are available for specific information, and the necessary knowledge about suitable technical and behavioral change measures is also lacking.

The interdisciplinary clinic project was initiated by the LZSG together with the ZHAW School of Management and Law and the ZHAW School of Engineering with the aim of identifying technical and behavioural vulnerabilities related to cybersecurity on farms in the Canton of St. Gallen.

At the ZHAW School of Management and Law, the research project was carried out by three students as part of a Bachelor of Business Informatics project. The students were supervised by Dr Benjamin Ambühl. The systematic investigation of the different security-relevant behaviours and their influencing factors led to the following results:

• On a day-to-day basis, high-risk behaviour with regard to farm cybersecurity can be found in all areas of the surveyed farms, but particularly in the protection of the IT infrastructure and in the authorisation, control and handling of access rights. As only one of the companies has been affected by a cybersecurity incident so far, it was not possible to make a comprehensive assessment of behaviour in the event of incidents or suspicious occurrences.
• With regard to the factors examined that influence behaviour, there are clear indications of where training or awareness campaigns could be used to specifically change farmers’ behaviour. In particular, the perception of vulnerability and the consequences of cyber-attacks is very low on the farms surveyed. Cyber security measures are consistently perceived as having a poor cost-benefit ratio. Although cybersecurity is described with negative feelings, knowledge of how to act and perceived commitment are very low.

Overall, these results lay the foundation for a subsequent representative survey to identify the most relevant topics for specific future cybersecurity training for farms.

The research project was carried out at the ZHAW School of Engineering as part of the project work of a Bachelor of Science in Computer Science student. The student visited various livestock farms and analysed their existing infrastructure in terms of cybersecurity risks. He found many internet-connected devices and machines. They ranged from advanced milking robots in the barn to smart mixers in the kitchen. Following this inventory, he reviewed each device and the entire IT architecture for technical aspects of cybersecurity and was able to identify specific risks. Based on these findings, he developed practical recommendations for farmers.

The student will continue the work as part of his bachelor’s thesis, in which he will produce safety awareness materials to train farmers. This will include a flyer that can be distributed at agricultural fairs and a website with more information. The aim is not only to raise farmers’ awareness of cyber risks, but also to provide them with concrete and practical suggestions on how to better protect their farms.

Statements

The third project: Cybersecurity hardening for an SME in the canton of Zurich

Many companies face the daily challenge of exchanging sensitive information securely and efficiently between their employees – including both permanent staff and freelancers. For the corporate partner of this Clinic project, an SME from the canton of Zurich, this is also a central task in its daily work.

Since the protection of personal data is essential to ensure the confidentiality of customer, employee and company information, regular cybersecurity health checks with appropriate hardening are essential. Between September and December 2024, Luca Bosin, Phil Frei, and Luca Streiff carried out this clinic project as part of a project assignment at the ZHAW School of Management and Law. The project was supervised by Tibor Dudas (ZHAW SML), while Melanie Knieps (UZH Digital Society Initiative) accompanied the entire process. The project started with a comprehensive inventory of existing IT systems, tools and cloud services. This was complemented by a threat analysis to identify specific risks and attack vectors. This was used to determine the focus of the security audit. Particular attention was paid to password and access management, encryption and data backup, as well as the development of an awareness concept for employees. By the end of the project, the students had identified specific measures to improve security, implemented them where possible and produced a prioritised list of actionable recommendations.

Through the Clinic project, the corporate partner not only gained a deeper understanding of its security risks, but also hardened its systems and received concrete recommendations on how to further improve IT security. This solid foundation enables the SME to take the next steps in its security journey, with the support of a service provider if required.

Statements

The fourth project: Toolbox for penetration testing of web applications

Part of the company Secuteer‘s mission is to make cybersecurity accessible and easy to understand for everyone. This includes web application penetration testing. This involves testing the security of an executable web application through external interaction. It usually makes sense to perform a full penetration test on a web application from time to time, especially when major enhancements or adjustments (major releases) have been made. Such tests are often performed by external experts from specialised companies.

For minor releases or for re-tests after the elimination of previously found vulnerabilities and also generally for empowerment and sensitization in the area of cybersecurity, it would be desirable that the most important tests can also be carried out by the internal developers themselves, which fits in perfectly with Secuteer’s mission. In order to achieve this, the foundations for a toolbox for penetration testing of web applications were laid in this clinic project.

As part of a project in the Computer Science Bachelor’s program at the ZHAW School of Engineering, the project was worked on by Jacobo Schwitter and supervised by Prof. Dr. Marc Rennhard. The main objectives were to define the requirements for the toolbox, select suitable underlying technologies and implement an initial prototype. With the developed prototype, a:e user:in contains concrete and easy-to-understand instructions on how to detect some of the most common types of vulnerabilities in web applications.

The Clinic project has laid a very good foundation for the toolbox. A future Clinic project will build on this, with the aim of making the toolbox available to the general public as open source software.