Successful Implementation of the First Four Cybersecurity Clinic Projects

At the beginning of October 2024, we announced the launch of the CYRENZH Cybersecurity Clinic. In this clinic, students from the ZHAW School of Engineering, the ZHAW School of Management and Law, and the University of Zurich offer selected organizations, such as SMEs, start-ups, municipalities, schools, non-profit organizations, and associations, pro bono cybersecurity services. The services cover a broad spectrum of cybersecurity, from technical security aspects to security risk assessments and human factors.

With the clinic, we aim to improve the cybersecurity situation, knowledge, and awareness of these organizations while deepening the education of the next generation of cybersecurity experts by allowing students to apply the knowledge acquired in class to real-world scenarios.

The first four clinic projects were initiated in the fall semester of 2024 and have now all been completed. A total of 10 students worked on the projects and were able to gain valuable practical experience. In the following sections, we will discuss all four projects and report on the results achieved.

If you are also interested in conducting such a project, please do not hesitate to contact us. You can find all relevant information on the website of the CYRENZH Cybersecurity Clinic.

The First Project: Penetration Test of a Web Application from TrueYouOmics

TrueYouOmics is a start-up based in Winterthur that offers health risk assessments by integrating DNA, RNA, and protein data from blood tests. The approach used combines biomedical knowledge graphs and AI. The results of the analysis are provided to clients via a web application, which also features an AI-based chatbot for real-time support and consultation. The following image shows a screenshot of the web application.

Due to the integration of personal and therefore very security-critical data, it is important for TrueYouOmics that the web application has a high level of security. For this reason, a strong focus has been placed on security during the development process. In addition, security was to be analysed by a third party as part of a penetration test, which resulted in this clinic project.

The project was supervised by Prof. Dr. Marc Rennhard and Thomas Sutter. The work proved to be very challenging, as the web application is based on several modern technologies and also integrates third-party services. Accordingly, the students had to familiarise themselves with these technologies, and with attack techniques such as prompt injection, as part of their work. However, as the students already had extensive basic knowledge from their studies, including attack techniques on web applications, they were able to acquire the missing knowledge efficiently during the project.

The penetration test showed that the web application has an overall good level of security. However, several relevant vulnerabilities were identified, both in the basic web application functionality and in the chatbot integration. For all these vulnerabilities, effective and efficient solutions were proposed and described in such a way that they could be implemented independently by TrueYouOmics.

Statements

Kevin Yar, CEO TrueYouOmics:
«The clinic project gave us valuable insight into our safety situation and clearly showed us where there was room for improvement. The students’ detailed analysis and practical corrective actions are of great value to us and will help us to further improve our safety standards.»

Tobias Leu and James Leadbeater, Computer science students at the ZHAW School of Engineering:
«We have already learnt a lot about penetration testing during our computer science studies. However, by applying it to a real web application of an innovative company, we were able to significantly deepen our knowledge and learn a lot of new things. The regular dialogue with TrueYouOmics and the ZHAW supervisors also made a decisive contribution, and we are very satisfied with the results.»

The second project: cybersecurity on farms

The Agricultural Engineering Department of the Agricultural Centre of the Canton of St. Gallen (LZSG) deals with the topics of digitalisation in agriculture and smart farming. In this context, the LZSG, together with the cantonal police, offered a pilot event in spring 2024 to promote security awareness on farms. It turned out that general information did not have the desired effect. At the same time, neither the specific threats nor the potentially risky behaviour of farmers were known well enough to provide targeted information, and knowledge of suitable technical and behavioural measures was also lacking.

The interdisciplinary clinic project was initiated by the LZSG together with the ZHAW School of Management and Law and the ZHAW School of Engineering with the aim of identifying technical and behavioural vulnerabilities related to cybersecurity on farms in the Canton of St. Gallen.

At the ZHAW School of Management and Law, the research project was carried out by three students as part of a Bachelor of Business Informatics project. The students were supervised by Dr Benjamin Ambühl. The systematic investigation of the different security-relevant behaviours and their influencing factors led to the following results:

  • On a day-to-day basis, high-risk behaviour with regard to farm cybersecurity can be found in all areas of the surveyed farms, but particularly in the protection of the IT infrastructure and in the authorisation, control and handling of access rights. As only one of the farms has been affected by a cybersecurity incident so far, it was not possible to make a comprehensive assessment of behaviour in the event of incidents or suspicious occurrences.
  • With regard to the examined factors that influence behaviour, there are clear indications of where training or awareness campaigns could be used to specifically change farmers’ behaviour. In particular, the perceived vulnerability to cyber-attacks and the perceived severity of their consequences are very low on the farms surveyed. Cybersecurity measures are consistently perceived as having a poor cost-benefit ratio. Cybersecurity is associated with negative feelings, while knowledge of how to act and perceived commitment are very low.

Overall, these results lay the foundation for a subsequent representative survey to identify the most relevant topics for specific future cybersecurity training for farms.

The research project was carried out at the ZHAW School of Engineering as part of the project work of a Bachelor of Science in Computer Science student. The student visited various livestock farms and analysed their existing infrastructure in terms of cybersecurity risks. He found many internet-connected devices and machines. They ranged from advanced milking robots in the barn to smart mixers in the kitchen. Following this inventory, he reviewed each device and the entire IT architecture for technical aspects of cybersecurity and was able to identify specific risks. Based on these findings, he developed practical recommendations for farmers.

The student will continue the work as part of his bachelor’s thesis, in which he will produce safety awareness materials to train farmers. This will include a flyer that can be distributed at agricultural fairs and a website with more information. The aim is not only to raise farmers’ awareness of cyber risks, but also to provide them with concrete and practical suggestions on how to better protect their farms.

Statements


Benjamin Ambühl, lecturer at ZHAW School of Management and Law and supervisor of the project:
«An innovative research project like this, which breaks new ground, is a challenge for everyone involved. It is all the more rewarding when the results are useful in practice and stimulate further research questions – as in this project. The results of this pioneering work are of direct benefit to farms, as the LZSG is currently considering the creation of a new cybersecurity consultancy service.»

Elias Csomor, computer science student at the ZHAW School of Engineering:
«Our agriculture is part of the critical infrastructure, which is why it absolutely must be protected. We need a heightened awareness of the problem, then even simple measures can have a big impact.»

The third project: Cybersecurity hardening for an SME in the canton of Zurich

Many companies face the daily challenge of exchanging sensitive information securely and efficiently between their employees – including both permanent staff and freelancers. For the corporate partner of this Clinic project, an SME from the canton of Zurich, this is also a central task in its daily work.

Since the protection of personal data is fundamental to ensuring the confidentiality of customer, employee and company information, regular cybersecurity health checks with appropriate hardening are essential. Between September and December 2024, Luca Bosin, Phil Frei, and Luca Streiff carried out this clinic project as part of a project assignment at the ZHAW School of Management and Law. The project was supervised by Tibor Dudas (ZHAW SML), while Melanie Knieps (UZH Digital Society Initiative) accompanied the entire process. The project started with a comprehensive inventory of existing IT systems, tools and cloud services. This was complemented by a threat analysis to identify specific risks and attack vectors, which was then used to determine the focus of the security audit. Particular attention was paid to password and access management, encryption and data backup, as well as the development of an awareness concept for employees. By the end of the project, the students had identified specific measures to improve security, implemented them where possible, and produced a prioritised list of actionable recommendations.

Through the Clinic project, the corporate partner not only gained a deeper understanding of its security risks, but also hardened its systems and received concrete recommendations on how to further improve IT security. This solid foundation enables the SME to take the next steps in its security journey, with the support of a service provider if required.

Statements

Tibor Dudas, Research associate at the ZHAW School of Management and Law and head of the project:
«Every week, Swiss SMEs fall victim to cyber attacks. For some, this means the end of their business. The number of reported attacks has increased by around 20% compared to 2023. With the CYRENZH Cybersecurity Clinic, SMEs on a tight budget have the opportunity to receive an assessment of their threat situation, measures to harden their systems and a catalogue of further recommendations for action. For the students, some of whom are already working in the security sector alongside their studies, it is an excellent opportunity to specialise further in the field and gain additional practical experience. All in all, it’s a win-win situation for everyone involved: strengthening the Swiss economy and optimising the education of our students.»


Dr. Melanie Knieps, Senior Researcher at the Digital Society Initiative at the University of Zurich and head of CYRENZH:
«The Cybersecurity Clinic benefits everyone involved: students gain valuable practical experience, SMEs strengthen their cybersecurity expertise, and university staff help to train the next generation of specialists in the best possible way. In addition, increased risk awareness can lead to a higher demand for security services – a benefit for the Swiss economy and society.»

The fourth project: Toolbox for penetration testing of web applications

Part of the company Secuteer's mission is to make cybersecurity accessible and easy to understand for everyone. This includes web application penetration testing, which means testing the security of a running web application by interacting with it from the outside. It usually makes sense to perform a full penetration test on a web application from time to time, especially when major enhancements or adjustments (major releases) have been made. Such tests are often performed by external experts from specialised companies.

For minor releases, for re-tests after previously found vulnerabilities have been fixed, and generally to empower and sensitise developers in the area of cybersecurity, it would be desirable for the most important tests to be carried out by the internal developers themselves. This fits in perfectly with Secuteer's mission. To achieve this, the foundations for a toolbox for penetration testing of web applications were laid in this clinic project.

As part of a project in the Computer Science Bachelor's programme at the ZHAW School of Engineering, the project was worked on by Jacobo Schwitter and supervised by Prof. Dr. Marc Rennhard. The main objectives were to define the requirements for the toolbox, select suitable underlying technologies and implement an initial prototype. With the prototype developed, a user receives concrete and easy-to-understand instructions on how to detect some of the most common types of vulnerabilities in web applications.

The Clinic project has laid a very good foundation for the toolbox. A future Clinic project will build on this, with the aim of making the toolbox available to the general public as open source software.

Valentin Zahnd, Founder Secuteer GmbH:
«The basis for the Penetration Testing Toolbox created in the Clinic project is ideal for enabling developers to test web applications independently in the future, thus simplifying access to cybersecurity knowledge.»


Prof. Dr. Marc Rennhard, Head of Department at the ZHAW School of Engineering and supervisor of the project:
«The development of a penetration testing toolbox allowed the student to deepen his knowledge of cybersecurity through a practical problem, which is one of the main goals of the CYRENZH Cybersecurity Clinic.»