TIBER-DE

TIBER-DE | Increasing the cyber resilience of the financial system

Digiti­sation of the financial sector — Chances & cyber risks

The increasing digital­i­sation of the financial sector not only provides new oppor­tu­nities, but also leads to increased cyber risks. In particular, attacks on the financial system can have serious conse­quences not only for the affected company, but also for the entire public. For this reason, the central banks of the European System of Central Banks have already launched the TIBER-EU (Threat Intel­li­gence-based Ethical Red Teaming) programme in 2018. TIBER-EU serves as a framework for threat-based penetration tests.

In the summer of 2019, the Deutsche Bundesbank and the German Federal Ministry of Finance (BMF) decided to implement TIBER-DE as a national framework for financial companies to test their own resis­tance to cyber attacks. This imple­mention has now taken place.

To whom is TIBER-DE addressed?

TIBER-DE partic­u­larly addresses critical companies in the financial sector, such as large banks and insurance companies and their IT service providers and payment service providers. In its TIBER imple­men­tation, the Deutsche Bundesbank empha­sises that the purpose of conducting TIBER-DE tests is to “establish a network of national companies belonging to the target group in order to improve the cyber-resis­tance of the financial sector in a sustainable and cooper­ative way, together and by conducting TIBER-DE tests.

What happens in a TIBER-DE test?

In a TIBER-DE test, commis­sioned hackers (“Red Team”) use infor­mation from a threat intel­li­gence provider (“spy”) to test the cyber resis­tance of a company. The primary goal is to identify security gaps in the production systems (“critical functions”) within the framework of an attack scenario that is as real as possible. The TIBER-DE test consists of three phases, which are presented here in a shortened form:

  • In the prepa­ration phase the initi­ation, the kick-off, the deter­mi­nation of the test scope and the procurement takes place. In particular, the corre­sponding contracts with all parties involved are concluded, the test scope is deter­mined and the financial super­visory authority is informed about the intended TIBER-DE test.
  • In the test phase, infor­mation on the threat situation is collected and the Red Team penetration test is conducted on the basis of the previ­ously defined test scope.
  • Finally, the final phase includes the prepa­ration of the test reports, a replay and feedback, a remedi­ation plan for found vulner­a­bil­ities as well as a final report and the attes­tation including the transfer of results.

Risks of the TIBER-DE Test

The TIBER-DE test targets the productive systems with the “critical functions” of an institute in order to realis­ti­cally evaluate their cyber-resis­tance. However, this is also accom­panied by risks, e.g. regarding the confi­den­tiality, integrity or avail­ability of the data or systems. In any case, the institute has to perform a detailed risk analysis and take appro­priate measures to minimise the risks before a TIBER-DE test is performed.

Furthermore, companies are confronted with organ­i­sa­tional, technical and data protection challenges. Critical business processes have to be identified, defensive measures have to be estab­lished and documented. In addition, TIBER-DE tests must be coordi­nated with the various stake­holders concerned, e.g. service providers. Furthermore, a confi­den­tiality oblig­ation must be observed by all parties.

Currently the partic­i­pation in TIBER-DE tests is based on a voluntary basis. Along with the not incon­sid­erable risks this seems to be the reason for the hesitation to perform a TIBER-DE test.

Team up for a successful TIBER-DE test

The experts of SRC can prepare a TIBER test together with you. This includes the company-wide scoping of the critical business processes to be tested and support in estab­lishing compliant reporting channels and processes to control and execute TIBER tests. This means that the internal prepa­ra­tions are now in place to have a TIBER-compliant penetration test performed by a service provider. With the experience gained from countless penetration tests, bank compliance and infor­mation security management projects, we are happy to support you through the entire process of a TIBER test.

IT compliance through the intro­duction of an ISMS

Increasing compliance requirements

The depen­dency of core and value-added processes on the IT infra­structure and the IT systems operated there is constantly increasing at credit insti­tu­tions. This means that the associated compliance require­ments are also increasing almost to the same extent”. In an article that has just been published on the specialist platform “Security Insider”, SRC expert Dagmar Schoppe explains the different regulatory and legal require­ments that determine the daily business of credit insti­tu­tions and how IT compliance is improved by the intro­duction of an ISMS.

Value creation processes are threatened

The protection of these value-added processes through compliance with regulatory and legal require­ments, e.g. from BAIT, MaRisk or the IT Security Act, is a very topical issue. After all, the danger of hacker attacks is a real and current threat. This is one of the reasons why IT security is one of the central audit focuses of the BaFin. The TIBER-EU programme, which is intended to strengthen the resilience of the financial world against cyber attacks, also aims in this direction.

Holistic infor­mation security management system creates security

For a holistic approach to the protection of corporate values, the various organ­i­sa­tional and technical aspects must be combined into a holistic concept. This leads to the intro­duction of an infor­mation security management system, e.g. on the basis of ISO 27001.

The experts of the SRC division Banking Compliance will gladly advise you on regulatory and legal require­ments and their imple­men­tation, e.g. by intro­ducing an infor­mation security management system (ISMS) or by carrying out TIBER tests. SRC is a member of the Cyber-Alliance.

NextGenPSD2 certification

New BSI guidance on evidence according to § 8a paragraph 3 BSIG

The IT Security Act (IT-Sig) in conjunction with the KRITIS regulation has been in use for over five years. The main objective is the regulation of KRITIS operators according to the BSI Act. The Federal Office for Infor­mation Security (BSI) accom­panies law and regulation with the so-called BSI Orien­tation Guide to Evidence.

IT-Sig 2.0 — Is it coming or not?

Unfor­tu­nately, the topic “IT security law 2.0” has become very quiet lately. Therefore no amendment of the KRITIS regulation is to be expected in the short term. However, the current draft of the IT-Sig 2.0 can be taken from the present speaker draft. For example, the inclusion of waste management in the existing sectors is being considered. In addition, an expansion of the target group beyond the KRITIS operators to include companies in the special public interest (e.g. due to their economic impor­tance) is also being considered. For these companies, the prepa­ration of safety concepts, the oblig­ation to report incidents, the regis­tration and management of a reporting office and the trust­wor­thiness of the employees in the area are important. The planned tight­ening of the framework for fines from the previous maximum of EUR 100,000 to a maximum of EUR 20,000,000 (or 4% of the total annual company turnover worldwide in the previous business year) is partic­u­larly striking.

New guidance on evidence

While IT-Sig 2.0 is still a long way off, in the second half of August the BSI published its new “Guidance on evidence pursuant to Section 8a (3) BSIG”. Version number 1.1 already suggests it: the changes include many concreti­sa­tions and clari­fi­ca­tions of the facts and require­ments. In addition, there are further signif­icant changes. For example, the new Form P combines the infor­mation contained in the previ­ously used forms PD (test perfor­mance), PE (test results) and PS (testing body). In addition to the written submission, a digital/­ma­chine-readable copy is now also required. The list of safety deficiencies and the imple­men­tation plan are now combined in one document, while existing test results (maximum 12 months old) must be explicitly checked for topicality and stock. A clear innovation is the well-founded assessment of the maturity levels of the management systems for infor­mation security (ISMS) and business conti­nuity (BCMS). The strong focus on the aspect of trace­ability is also very noticeable. This becomes visible at various points:

  • Detailed description of the scope (with its inter­faces, depen­dencies and parts of the critical service operated by third parties) and
  • the instal­lation (including associated parts of the critical service and all essential features) as well as
  • Provision of a compre­hen­sible network structure plan.
  • In addition, a list of deficiencies must also be compre­hen­sible without the need for further documents.

Even without IT-Sig 2.0, the new BSI orien­tation guide requires attention. SRC experts will be pleased to discuss the innova­tions and their effects with you and support you in the imple­men­tation of the extended requirements.

Amendment of BAIT 2021

Amendment of BAIT 2021- The new require­ments for financial institutions

The amendment of BAIT for 2021 means new require­ments for credit insti­tu­tions. In contrast, BaFin faces the challenge of imple­menting the Guide­lines on security measures for opera­tional and security risks under the PSD2 and the Guide­lines on ICT and security risk management of the EBA in Germany. This is to be completed by 31 December 2020 with an amendment to the BAIT (banking super­visory require­ments for IT). First drafts have already been discussed and commented on in the insti­tutes and associations.

BAIT 2021 focuses on IT security

With a separate and new chapter, opera­tional IT security is moving further into focus. The require­ments formu­lated there can only be fulfilled with a Security Infor­mation and Event Management System (SIEM). This also includes the estab­lishment and operation of a Security Opera­tions Centre (SOC). Regular opera­tional checks are required. These include:

  • internal deviation analyses
  • Vulner­a­bility scans
  • Penetration tests
  • the simulation of attacks (“Red Teaming”)

The new require­ments of BAIT 2021 lead to the estab­lishment of a profes­sional cyber security infra­structure. This means extensive and independent internal infor­mation security structures.

The management assumes overall responsibility

It is noticeable that the draft already refers not only to the respon­si­bility of the management. The management is even required to explicitly acknowledge the overall respon­si­bility for infor­mation security. This also includes regular infor­mation about their concerns and the decision to deal with security risks appropriately.

Require­ments for IT emergency management are consolidated

We expect further changes in the area of IT emergency management. The require­ments from BAIT will be consol­i­dated with those from section AT7.3 of MaRisk. This creates uniform national require­ments. In addition, we expect to tighten and specify the require­ments with regard to emergency planning and prevention, BCM, disaster recovery and backup strategies. In our view, outsourcing to service providers will also be covered by the revised version.

Financial insti­tu­tions face major challenges

According to the assessment of the SRC experts for bank compliance, the expected changes will pose great challenges for the affected insti­tu­tions. This concerns especially the required know-how and the limited resources on the labour market.

SRC-Expertin Ehlers: Standards of the Payment Card Industry (PCI)

SRC-Expert Ehlers: Standards of the Payment Card Industry (PCI)

PCI compliance requires know-how and resources.” SRC expert Jana Ehlers explains the different PCI security standards in an article which has just been published on the profes­sional platform “All About Security”.

In view of the increasing number of card payments in pandemic times, the protection of payment card data is a very current topic.

All PCI standards aim at protecting payment card data of inter­na­tional payment systems. The most well-known standard alone, PCI DSS, has around 250 individual require­ments. If these are already taken into account when setting up networks and struc­tures, there is often no need for complex and expensive retrofits. But also the permanent mainte­nance of PCI DSS conformity poses challenges for companies.

SRC examines and advises on PCI standards since their emergence in 2006. This experience can be used to correctly under­stand and consider the inten­tions of the PCI standards. SRC accom­panies through the whole process. Thus, not only PCI-conformity can be achieved in an under­standable way, but also a great deal more security for the customers’ payment card data worthy of protection.

Corona

Despite Corona — the support of SRC is certain!

The corona virus has reached our everyday life. The pandemic is directing our focus on what is now the most important thing: the protection of the health, safety and well-being of our employees, our partners, customers and families.

The vast majority of our employees use the oppor­tunity to work from home; some are available at the locations to sign, receive mail and much more.

In the relatively short period of time it has already become apparent that the staff of SRC is very committed to ensure the conti­nuity of the opera­tional processes.

Especially in these difficult times, we pay special attention to the concerns of our customers. We are still in a position to support our customers, some of whom operate urgently needed critical infra­struc­tures, compre­hen­sively and with a maximum of flexi­bility. We will continue to meet our great respon­si­bility and oblig­ation towards our customers in these times.

Even if many of us are not at the SRC locations: We are still available for you via the usual commu­ni­cation channels.

We continue to do what we are good at.

As an alter­native to on-site appoint­ments we have, for example, developed proce­dures for remote support. We can …

  • conduct consul­ta­tions and inter­views in the form of telephone conferences,
  • Check system settings using web conferences,
  • Carry out on-site inspec­tions using video transmissions.

Please contact your contact person at SRC in order to coordinate the concrete procedure.

We at SRC are convinced that we will learn from the experi­ences of this situation for our future. We will emerge strengthened from this crisis.

Please pay attention to the health of your fellow men and families.

SRC recognized as SPoC/CPoC Lab by the PCI SSC

SRC recog­nized by PCI SSC as SPoC and CPoC Security Lab

Today, the worldwide operating PCI Security Standards Council has recog­nized SRC as the fourth laboratory for the perfor­mance of security tests for SPoC and CPoC solutions.

With SPoC solutions (Secure PIN Entry on Commercial-off-the-Shelf devices) a merchant can accept payments with commer­cially available mobile devices.

While the SPoC program describes solutions with PIN entry, the CPoC program is aimed exclu­sively at contactless solutions that do not require PIN entry.

A SPoC solution consists of four core components

  • a Secure Card Reader for PIN (SCRP), an external and PCI PTS approved card reader,
  • a tested PIN CVM App for secure PIN entry on the merchant’s standard mobile device,
  • the retailer’s mobile device (COTS device) such as a smart­phone or tablet, and
  • a background system that contributes signif­i­cantly to the security of the overall system by means of attes­tation, monitoring and processing.

With CPoC, the PCI SSC has developed require­ments for solutions for processing contactless payments without PIN entry (“Tap and Go”) on commer­cially available mobile devices (commercial off-the-shelf, COTS), such as smart­phones or other mobile commercial off-the-shelf (COTS) devices with NFC interface.

With the SPoC and CPoC programs, the PCI SSC meets the increasing demand for new and secure accep­tance solutions and ensures security in the accep­tance of payments via mobile phones and tablets. The corre­sponding tests are now also carried out by SRC.

The recog­nition of SRC as a lab for the programmes SPoC and CPoC is an important signal to the market. Customers from this innov­ative environment can now also make use of SRC’s expertise for the devel­opment of secure payment solutions.

PCI DSS guidance for Large Organizations

PCI DSS best practices guidance for large organi­za­tions published

SRC Security Research & Consulting GmbH contributed to the most recent PCI (Payment Card Industry) Security Standards Council Special Interest Group (SIG). The resulting guidance on PCI DSS for Large Organi­za­tions is now published.

Complex organi­za­tions, corpo­ra­tions and companies often face specific challenges when imple­menting PCI DSS (Payment Card Industry Data Security Standard) require­ments: the hetero­geneity of their infra­struc­tures and processes, the constant change of corporate struc­tures, and dealing with diverse require­ments, respon­si­bil­ities and management tasks.
The new guidance on PCI DSS for Large Organi­za­tions helps large and/or complex organi­za­tions coordinate and manage their PCI DSS activ­ities across multiple environments.

  • PCI DSS guidance for Large Organi­za­tions //document.
OMNISECURE 2020

SRC is partner of OMNISECURE 2020

As experts for IT security, we at SRC know that levels of protection are essential in the digital­ization of industry and society. The experts from the industry will present the security concepts required for this at the annual OMNISECURE. As a partner of OMNISECURE, SRC tradi­tionally enriches the discourse on these topics with the knowledge we have gathered in many projects. The OMNISECURE will take place in Berlin from 20 — 22 January 2020.

Electronic identi­fi­cation and the security required for it are one of the overar­ching topics at SRC and at the same time the core topic of the event. For SRC, the OMNISECURE provides an important platform for the cross-industry exchange of knowledge and experience with experts, specialists and execu­tives from business, politics, public admin­is­tration and science.

As a partner of OMNISECURE, SRC makes its contri­bution to provide partic­i­pants with a compre­hensive overview of new appli­ca­tions, hazards and solutions, technology trends, progress or delays in well-known, trend-setting projects. Ideas and relevant legislative projects are discussed in the same way as failures, from which one can always learn. The OMNISECURE offers a wealth of food for thought and encounters with renowned experts. It is not unusual for the foundation stones for future projects and decisions to be laid here.

We at SRC are looking forward to two rich days and to the varied and rich discus­sions with experts and customers.

EMVCo

SRC recog­nised as SBMP Evalu­ation Laboratory by EMVCo

Mobile Payments: From chip card to mobile device

Mobile Payment is an electronic form of payment using mobile devices such as mobile phones, tablets or smart­watches. Electro­mag­netic, i.e. contactless, techniques are used to initiate, authorise and realise the payment. This makes the security of this form of payment a challenge.

EMVCo and Software-Based Mobile Payment (SBMP) Programme

EMVCo, which defines and further develops the EMV standard and checks its imple­men­tation, addresses these challenges with its new SBPM approval process. SBPM stands for Software-Based Mobile Payment Evalu­ation Process. This evalu­ation examines whether the security mecha­nisms and protective measures of a component or solution have the minimum security level defined by EMVCo. Manufac­turers are certified with a security assessment certificate that their products can withstand known attacks.

With the SBPM approval process, EMVCo supports the global security and inter­op­er­ability of mobile payment trans­ac­tions. The range of security assessment processes has so far included products for integrated circuits (IC), platforms and integrated circuits (ICC). For the first time, EMVCo has extended the scope of its approval processes to include software compo­nents and solutions for mobile payments.

EMVCo recog­nises SRC as SBPM Evalu­ation Laboratory

SRC is recog­nized by EMVCo as a security lab/assessor for the security assessment of software-based mobile payment solutions and compo­nents, in addition to the existing Mastercard and Visa recognitions.

SRC performs compre­hensive checks of the security mecha­nisms of a Mobile Payment App or its compo­nents. The imple­mented measures are examined using state-of-the-art methods, such as reverse engineering, side channel and runtime analyses, and their resilience/resistance to attackers and protection against misuse is evaluated.

If you are inter­ested in further infor­mation on the subject or the evalu­ation of your payment solution, please contact us.