365 days a year: solutions, knowledge and networking.
Find and offer innovative IT security solutions, take part in our diverse action program and make and maintain contacts.
Become part of the it-sa 365 community!
So that you can make an appointment, the calendar will open in a new tab on the personal profile of your contact person.
So that you can make an onsite appointment, the appointment request will open in a new tab.
I was especially delighted by this award, in which students in Germany vote for their favourite professors in four fields of science based on various assessment criteria. In my case they highlighted in particular the way I looked after them during their studies and the support I provided to help them enter the work environment. Both these aspects are very important to me in my work as a professor.
Our research institute has a staff of around 50, so we cover a lot of different topics. One of the areas we are currently focusing on is risk-based adaptive authentication, where we are investigating which modern IT security technology could replace passwords in future. The project is attracting a lot of positive attention. Artificial intelligence and block chain are also major areas of research for us. One very exciting project is currently looking at the security of IoT components. Here in the Ruhr area, some abandoned coal mines are being flooded with water for use as heat stores. But there are various risks associated with this. If, for example, an attacker were to manage to raise the water temperature to boiling point, the Ruhr region could collapse. This means that sensors or control components have to be designed to be particularly reliable.
Normally they perform a risk analysis. Cyber-attacks generally focus on digital assets that are stored in bits and bytes. The associated risks can be subdivided into different categories e.g. unauthorised reading of electronic assets like customer or development data. But it could also involve the manipulation of data, like changing inventory levels so that perhaps nobody would know which articles are available. This could result in a supplier or online shop barely being able to operate. Sabotage can also be a reason, e.g. where attackers attempt to influence the availability of IT systems or shut down interconnected production facilities or cause them to manufacture products that are not usable. IT security managers need to evaluate what risks there are in their companies and figure out what attackers are likely to target.
The IT Baseline protection Manual from the BSI (German Federal Office for Information Security) is a good starting point for determining a company’s protection needs. The reason for doing this is to clarify which electronic assets need what kind of protection and therefore to manage the selection of appropriate IT security measures for these individual assets. In this context, the protection goals are confidentiality, integrity and availability.
The need to protect electronic assets is based on the extent of the damage that could occur if their functioning is impaired. With this in mind, protection need categories are defined depending on the effects of a damaging event.
Companies are almost always out of their depth in this situation. Over time, the BSI’s IT Baseline protection Manual has become increasingly extensive and complex. It’s often difficult to even determine the scale of the risk and decide how valuable certain information is. Take the example of an innovative young company that performs design work for a major automobile manufacturer. If the company specifies the value of its data to be EUR 20,000 but the order volume is around EUR 1 million, then something isn’t right. Because naturally, the calculation needs to be based on the order volume and the value would then be around a million, which is on a very different scale.
That can definitely be helpful, especially when dealing with certifications like ISO-27001, which often require you to answer hundreds of questions. Sometimes small companies cannot manage this on their own because they lack the manpower and experience. However, increasingly there are moves to help SMEs in particular by offering brief consultation packages so that they too can protect themselves adequately.
I often recommend that companies take a different perspective and look at cybersecurity strategies that concern the strategic impact of cybersecurity mechanisms. These strategies include preventing attacks, minimising data volumes or reducing the attack surface. In this context, the focus is on prevention. Sometimes quite simple strategies can help, e.g. using a second browser. So if one browser is vulnerable you simply use the other one. This already helps to ward off attacks. It also makes sense to discuss whether your “crown jewels” need to be distributed over several servers. Often, data that needs protecting can be collected on a specially secured server for much better protection. This reduces the attack surface available.
Another strategy is to counteract the attacks. If I know which data are at risk I can encrypt them, for example, and in this way defend against any attacks. The point is to use lots of suitable IT security approaches to make it hard for the attackers.
If an attack cannot be countered, the third strategy needs to be implemented, i.e. identifying attacks. To do this I use identification tools like SIEM (Security Information and Event Management), to recognise attacks as quickly as possible and be able to ward them off. This at least allows you to minimise the damage. This strategy shouldn’t be underestimated. Many more things will be digitised in future and this will result in additional attack surfaces that are still completely unknown and for which there are not yet any IT security solutions available to combat attacks on them.
Author: Uwe Sievers
_____________
You will also find news about all aspects of it-sa and the IT security environment in the it-sa Security Newsletter.
