Smart Energy

SRC Smart Energy Expert at Roundtable in Cologne

On Wednesday, 22 August 2018, an expert roundtable will take place in Cologne. Organised by eco — Verband der Internetwirtschaft (the Association of the Internet Industry), the expert roundtables are characterised above all by deep expertise, multidisciplinary perspectives and intense discussion.

This time the event runs under the motto “Smart Energy: Not without my ‘Smart Meter’?” and, among other things, builds on the previous roundtable on “Smart Home”. Smart metering has been talked about for many years, but actual deployment appears to lag far behind the plans and forecasts of that time. New framework conditions, new approaches and new success factors will be discussed by the expert panel on 22 August 2018.

Dr. Jens Oberender, Senior Consultant at SRC, will address in his talk in the thematic field “Security and perspectives of the Smart Meter” whether Smart Meters and their environment can be considered secure. Dr. Oberender draws on many years of experience in consulting projects relating to the certification of Smart Meter Gateways.

Cloud Security

SRC expands competencies in Cloud Security

Cloud computing sets high standards for IT security

Cloud computing has long since become the norm, and more and more companies are outsourcing parts of their infrastructure and services to the cloud in order to act more flexibly.

However, the security challenges in the cloud go beyond traditional IT security requirements. For example, it must be technically enforced, not merely contractually promised, that only authorised persons can access sensitive data. Special care must be taken to secure the cloud management interface (the provider's console and APIs), since whoever controls it controls every resource behind it. The biggest organisational challenge is the division of security responsibilities between the cloud provider and its customers, the shared responsibility model, which must also be reflected in contracts and in how compliance requirements are met.

Incorrect configuration of cloud accounts: billions of files freely accessible on the web

A recent incident shows how sensitive this issue is. Due to faulty configurations of Amazon Simple Storage Service (Amazon S3) buckets and web servers, a large number of confidential documents ended up freely accessible to everyone on the internet. These included payrolls, confidential patent applications and secret construction plans for products under development. According to a report by the security company Digital Shadows, about 1.5 billion files were exposed in this way. Confidential material such as internal reports, photos of department stores or data centres, or lists of security holes in internal company software can be misused by attackers to prepare attacks on the company or for theft.
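The two classic configuration mistakes behind exposures like the one above are an S3 bucket ACL that grants access to the AllUsers or AuthenticatedUsers group, and a bucket policy that allows a read action to Principal "*". The following checker is an added example written for this page (it is neither SRC's nor Digital Shadows' code): it evaluates the JSON documents the AWS API returns for a bucket's ACL, policy and Block Public Access settings entirely offline. All sample documents and the bucket name are constructed for the example.

```python
"""Offline checker for the two classic ways an S3 bucket ends up world-readable:
an ACL grant to AllUsers/AuthenticatedUsers, or a bucket policy that allows a
read action to Principal "*" without a restricting Condition. Inputs are the
JSON documents returned by get-bucket-acl, get-bucket-policy and (optionally)
get-public-access-block. Every sample below is constructed; the bucket is made up."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Actions which, when granted to everyone, let anyone download objects.
PUBLIC_READ_ACTIONS = {"s3:GetObject", "s3:GetObject*", "s3:Get*", "s3:*", "*"}


def _as_list(value):
    """The policy grammar allows a single string or a list in most places."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" appears in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def acl_findings(acl):
    """(group, permission) for every grant to a public group."""
    out = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            out.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return out


def policy_findings(policy):
    """(sid, actions, has_condition) for each Allow statement granting a read action to anyone."""
    out = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = set(_as_list(stmt.get("Action")))
        if actions & PUBLIC_READ_ACTIONS:
            out.append((stmt.get("Sid", "<no Sid>"), sorted(actions), bool(stmt.get("Condition"))))
    return out


def assess_bucket(acl, policy=None, public_access_block=None):
    """Combine ACL, policy and Block Public Access into (verdict, findings).

    verdict: "PUBLIC"      an unconditional public grant is in effect,
             "CONDITIONAL" the only public grants carry a Condition (e.g. aws:SourceVpce)
                           and need manual review,
             "PRIVATE"     no effective public grant.
    Block Public Access overrides both mechanisms: IgnorePublicAcls neutralises
    public ACL grants, RestrictPublicBuckets neutralises public policy statements.
    """
    pab = public_access_block or {}
    findings, public, conditional = [], False, False
    for group, perm in acl_findings(acl):
        if pab.get("IgnorePublicAcls"):
            findings.append(f"ACL grants {perm} to {group} (neutralised by IgnorePublicAcls)")
        else:
            findings.append(f"ACL grants {perm} to {group}")
            public = True
    for sid, actions, has_condition in policy_findings(policy or {}):
        if pab.get("RestrictPublicBuckets"):
            findings.append(f"policy {sid} allows {actions} to * (neutralised by RestrictPublicBuckets)")
        elif has_condition:
            findings.append(f"policy {sid} allows {actions} to * under a Condition")
            conditional = True
        else:
            findings.append(f"policy {sid} allows {actions} to * unconditionally")
            public = True
    verdict = "PUBLIC" if public else "CONDITIONAL" if conditional else "PRIVATE"
    return verdict, findings


# Constructed sample documents in the shape the AWS API returns (not real buckets).
PUBLIC_ACL = json.loads("""{"Owner": {"ID": "owner-id"}, "Grants": [
  {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
  {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
   "Permission": "READ"}]}""")
PRIVATE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-hr-bucket/*"}]}
VPCE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-hr-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}

if __name__ == "__main__":
    for label, args in [("public ACL", (PUBLIC_ACL,)),
                        ("public policy", (PRIVATE_ACL, PUBLIC_POLICY)),
                        ("VPC-endpoint policy", (PRIVATE_ACL, VPCE_POLICY)),
                        ("blocked", (PUBLIC_ACL, PUBLIC_POLICY,
                                     {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}))]:
        verdict, findings = assess_bucket(*args)
        print(f"{label}: {verdict} {findings}")
```

In practice the three documents are fetched per bucket with the AWS CLI (`aws s3api get-bucket-acl`, `get-bucket-policy`, `get-public-access-block`) and fed to `assess_bucket`; the conditional verdict exists because a `Principal: "*"` statement restricted to a VPC endpoint or a referrer header is not world-readable, but is weak enough to deserve a second look.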

SRC employees acquire Certificate of Cloud Security Knowledge

SRC supports its customers in meeting these challenges. To this end, several employees have acquired the Certificate of Cloud Security Knowledge (CCSK) from the Cloud Security Alliance.

The CCSK is the first cloud security certificate offered by the Cloud Security Alliance, the world's leading organisation dedicated to cloud security. The Cloud Security Alliance is a non-profit organisation and develops, in cooperation with ENISA, the vendor-neutral body of knowledge for cloud security on which the certificate is based. By acquiring the certificate, SRC employees have gained the breadth and depth of knowledge needed to implement holistic cloud security programmes that protect sensitive information according to globally recognised standards.

International Common Criteria Conference

SRC gives lecture on JTEMS at the International Common Criteria Conference in Amsterdam

From 30 October to 1 November 2018, the 17th International Common Criteria Conference will take place in Amsterdam. The International Common Criteria Conference is presented with the support of the Common Criteria User Forum (CCUF). The CCUF provides a voice and communication channel between the CC community and the organising committees of the Common Criteria, CCRA member organisations (national schemes) and policy makers.

SRC will also actively participate in this year's conference. In a presentation entitled “JTEMS — a Payment Scheme Independent Framework for POI Terminal specific Security Evaluations based on Common Criteria”, our expert Sven-Martin Hühne will present the JTEMS framework and explain the current state of affairs. The presentation deals with the advantages of a CC-based, payment-scheme-independent evaluation and certification procedure for POI (point of interaction) terminals. The framework is a living example of the active use of the CC methodology by interested parties from the private sector (the German banking industry and UK Finance, or Common.SECC). The possibility of embedding the JTEMS framework in the EU Commission's current discussions on a “European Security Certification Scheme” will also be discussed.

In the panel discussion “The Why and How of Using CC in Private Schemes”, Regine Quentmeier will discuss these aspects from the point of view of users in the European banking industry, in an exchange with representatives of other economic sectors.

CSCUBS 2018

SRC provides students with insight into exciting projects as part of CSCUBS 2018

Review of the 5th Computer Science Conference for University of Bonn Students

CSCUBS 2018 took place on 16 May 2018 on the premises of the University of Bonn and was organised by PhD and MSc students with the aim of promoting research in computer science and scientific exchange among students. Researchers and practitioners were also encouraged to participate. Students had the opportunity to submit their own contributions describing new research or development work related to computer science, including university projects, theses and results of other professional or leisure activities. In addition to the sponsoring companies, the students themselves gave talks.

SRC staff provides students with insight into exciting projects

Max Hettrich of SRC also reported on the company's fields of activity in a talk. The focus was on the evolution of payments: the aim is to put the Girocard onto the mobile phone. Of particular interest is what the security evaluation of payment cards has looked like so far and what new challenges mobile payment will bring. Reverse engineering of the applications in use will play a central role in the security evaluation of smartphone-based solutions: the evaluator takes on the role of an attacker and tries to find ways to compromise the payment application, which is a central building block for assessing the effectiveness of the implemented protection mechanisms. Where in the past it was mainly the SRC evaluation facility that evaluated the security of payment cards, in future the penetration testing department will also contribute its expertise to the evaluation of mobile solutions.

The talk also covered more general topics, such as SRC's fields of activity and working atmosphere. Over the many years of SRC's existence, its core business of payment card security has grown into a multitude of other business areas. What makes SRC special as an employer and what it offers were also discussed.

Conclusion and impressions from SRC's point of view

“The high proportion of international students, the active participation in the event and the consistently independent organisation of the CSCUBS made a lasting impression on us,” said Jochen Schumacher of SRC. The BSI, BC Technologies and SRC accompanied CSCUBS 2018 with presentations. We were particularly pleased that SRC's practical contribution provided material for a productive discussion. The security of modern payment transactions is a topic that engages students too, as the many substantive discussions in the plenum and the personal exchange at SRC's specially set up stand showed. CSCUBS 2018 was an extremely successful and informative event, and SRC is looking forward to the next edition in 2019.

Image credit: https://twitter.com/CSCUBS_Bonn

Employee Interview

From Quantum Physicist to Security Analyst at SRC — An Employee Interview

The following employee interview with Dr. Max Hettrich offers a look behind the scenes at SRC. We at SRC always have an open ear for our employees and are glad that we were able to ask Max about his career and his work at SRC.

Hey, Max, let’s just start right away. What education do you have?

I’m a physicist. After my studies I first worked in academic research, namely in experimental quantum optics. It was all about lasers, vacuum chambers and quantum physics, but also computer simulations and digital measurement technology. IT has always been part of it, even if not in the first place.

How did you become aware of SRC and the job advertisement, and why did you apply to SRC?

I became aware of SRC through a colleague at the time, who in turn knew an employee at SRC. After I learned that physicists are very welcome at SRC, and since I have always been interested in IT security topics, my curiosity was aroused.

How long have you been with SRC?

I joined SRC in July 2017, less than a year ago.

How did your training go?

Very carefully considered and structured. Those responsible really thought carefully about which projects to consider. I always had enough freedom to find out which topics I liked most.

Which topics are you currently working on?

On the one hand, I deal with many compliance issues in the IT security environment, and on the other hand with reverse engineering of software for mobile devices in order to assess its security against various attack scenarios. These are two quite different subject areas, but they complement each other perfectly.

What are your main tasks and activities in your daily work routine?

Compliance projects are always about analysing a customer’s system and assessing whether it meets regulatory requirements. Since no two systems are alike, it never gets boring.

The goal of reverse engineering is to understand the function of software and to extract any hidden assets without having access to the source code. This requires, for example, reading and analysing native code, or debugging and instrumenting running programs.

What does your typical working day look like? Do you travel a lot?

Mostly I work in my office at the SRC office in Wiesbaden. Atypically for a consulting firm, I travel rather little, since most of the work is simply best done when I am in direct contact with my colleagues on site.

What do you particularly like about SRC?

I find the rather flat hierarchy particularly positive, as well as the great freedom in choosing fields of activity.

And how do you feel about the working atmosphere at SRC?

I find the atmosphere here extremely pleasant. The fact that SRC is a rather small company with about 120 employees allows rather informal and direct communication with each other. I believe many conflicts do not arise as a result.

Keyword work-life balance: how can work at SRC be reconciled with your private life?

This really works out great! Our working hours at SRC are flexible, and overtime hours are always logged and can be compensated later.

What do you think applicants need to bring with them in order to be successful at SRC?

I think the most important things are pronounced analytical thinking and strong initiative. If you already have experience in one of SRC’s fields of activity, so much the better. But my impression is that generalists are also welcome at SRC. You then have the opportunity to acquire the necessary specialist knowledge on more narrowly defined topics as required.

One last question: What would you suggest to potential applicants?

Don’t be shy! You can easily find out whether you like SRC’s fields of activity by having a look at our website and our career portal. If you do: just send us your application!

Image IT Security

SRC actively supports long-term partnership with the Alliance for Cyber Security

Conducting a free Web Application Security Scan

SRC has been a partner of the Alliance for Cyber Security for many years. As active support for this partnership, SRC offered a free Web Application Security Scan to up to five members of the Alliance in 2018.

Worth knowing about the Web Application Security Scans

Web application security scans aim to identify flaws in the architecture and configuration of the examined web application. Such vulnerabilities could be exploited, for example, to inject content or script into the page shown to other users (cross-site scripting, XSS), to read out the contents of the database, or to obtain administrative rights. A system compromised in this way can then be used as a foothold for further attacks against the operator's internal infrastructure.

Unlike fully automated web application security scans, SRC also checks pages that are only displayed to the user after registration or login. Fully automated scans that do not take the authentication process into account cannot uncover vulnerabilities on those pages, and a large part of an application's attack surface usually lies behind the login. This is exactly what the Web Application Security Scan covers, and it therefore delivers a more comprehensive result.

The scans are performed in a “non-destructive” and “non-intrusive” manner: vulnerabilities are identified, but unlike in a penetration test, no attempt is made to exploit them. Scanning is carried out in close consultation with the participant.
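The two points above, coverage of pages behind a login and probing without exploitation, can be shown in a few dozen lines. The example below is added for this page and is not SRC's scanner: it starts a small local web application constructed for the purpose (a `/login` that issues a session cookie, a `/profile` page that exists only behind that login and echoes the `name` parameter without HTML encoding, and a correctly encoding `/search` page), then scans it once anonymously and once after logging in. The probe never sends a script payload; it sends a canary string containing the characters an HTML context must encode and reports where they come back unchanged. Credentials, cookie value and canary are all made up.

```python
"""Authenticated, non-destructive probe for unencoded reflection of user input
(the precondition for reflected XSS) against a constructed stand-in web app.
Only the Python standard library is used, so this runs offline on 127.0.0.1."""
import html
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SESSION_COOKIE = "session=deadbeef"  # constructed fixed token, one user only
CANARY = "srcscan7f3a"               # unusual string so the echo is unambiguous
PROBE = CANARY + "<\">'"             # characters an HTML context must encode
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies


class DemoApp(BaseHTTPRequestHandler):
    """Stand-in scan target; deliberately vulnerable on /profile, not production code."""

    def log_message(self, *args):  # keep the console quiet
        pass

    def _send(self, status, body, headers=()):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        for name, value in headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        if self.path == "/login" and form.get("user") == ["alice"] and form.get("pw") == ["secret"]:
            self._send(200, "<p>logged in</p>", [("Set-Cookie", SESSION_COOKIE)])
        else:
            self._send(403, "<p>forbidden</p>")

    def do_GET(self):
        url = urllib.parse.urlsplit(self.path)
        qs = urllib.parse.parse_qs(url.query)
        if url.path == "/profile":
            if self.headers.get("Cookie") != SESSION_COOKIE:
                self._send(401, "<p>login required</p>")
            else:  # vulnerable: raw interpolation of user input into HTML
                self._send(200, f"<h1>Hello {qs.get('name', ['guest'])[0]}</h1>")
        elif url.path == "/search":  # hardened: HTML-encoded before interpolation
            self._send(200, f"<p>Results for {html.escape(qs.get('q', [''])[0], quote=True)}</p>")
        else:
            self._send(404, "<p>not found</p>")


class Client:
    """Minimal HTTP client that carries the session cookie set by /login."""

    def __init__(self, base):
        self.base, self.cookie = base, None

    def request(self, path, data=None):
        req = urllib.request.Request(self.base + path, data=data)  # data != None makes it a POST
        if self.cookie:
            req.add_header("Cookie", self.cookie)
        try:
            with OPENER.open(req, timeout=5) as resp:
                return resp.status, resp.read().decode(), resp.headers
        except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body
            return err.code, err.read().decode(), err.headers

    def login(self, user, pw):
        status, _, headers = self.request("/login", urllib.parse.urlencode({"user": user, "pw": pw}).encode())
        self.cookie = headers.get("Set-Cookie")
        return status == 200 and self.cookie is not None


def scan(base, targets, credentials=None):
    """Probe each (path, param) with the canary; returns {(path, param): classification}."""
    client = Client(base)
    if credentials and not client.login(*credentials):
        raise RuntimeError("login failed")
    results = {}
    for path, param in targets:
        status, body, _ = client.request(f"{path}?{urllib.parse.urlencode({param: PROBE})}")
        if status != 200:
            results[(path, param)] = f"unreachable ({status})"   # what an anonymous scan sees
        elif PROBE in body:
            results[(path, param)] = "reflected unencoded"       # XSS candidate, verify by hand
        elif CANARY in body:
            results[(path, param)] = "reflected encoded"
        else:
            results[(path, param)] = "not reflected"
    return results


def run_demo():
    """Start the stand-in app, scan it anonymously and authenticated, return both result sets."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    targets = [("/profile", "name"), ("/search", "q")]
    try:
        return scan(base, targets), scan(base, targets, ("alice", "secret"))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    anonymous, authenticated = run_demo()
    print("anonymous:    ", anonymous)
    print("authenticated:", authenticated)
```

The anonymous pass reports `/profile` only as "unreachable (401)", which is the blind spot of an unauthenticated scan; the authenticated pass classifies it as "reflected unencoded" while `/search` comes back "reflected encoded". Classifying a page as a candidate rather than firing a `<script>` payload is what keeps the check non-intrusive; confirming exploitability, including the encoding required by the exact HTML or JavaScript context, is left to a manual follow-up.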

Great demand from members of the Alliance

The Web Application Security Scans offered by SRC met with great demand among the members of the Alliance, and the five scans offered have already been allocated. A report on the execution of the scans will soon appear in our blog. Further details can also be found on the Alliance for Cyber Security website.

KRITIS 2018

Critical Day 2018 | Knowledge and experience in a lively exchange

The Critical Day

On 25 April 2018 the first Critical Day took place at the SRC Conference Centre. This was the premiere of a series of events that offers a top-class platform for exchange, aimed primarily at representatives of companies that operate critical infrastructures (KRITIS). The Critical Day serves above all to establish personal contacts and to exchange experiences and best practices on the IT and physical security of critical infrastructures.

The Schedule

After the arrival of the first participants, a lively exchange on the topics began. From the start of the Critical Day, the fully booked hall documented the participants' need for information.

Top-class speakers gave an overview of the KRITIS topic. Isabel Münch, Head of CK 3 and representative of the Federal Office for Information Security (BSI), explained the procedures and processes within the supervisory authority. Randolf Skerka, head of division at SRC and responsible for audits according to §8a (3) BSIG, described the first experiences from the perspective of an auditing body. Klinikum Lünen was the first operator to submit evidence of an audit according to §8a (3) BSIG; Ralf Plomann, Head of IT at Klinikum Lünen, gave impressive insights into how the hospital organisation was developed in preparation for the audit. Prof. Dr. med. Andreas Becker rounded off the morning by making clear that sound industry expertise is an essential and indispensable cornerstone of a meaningful audit.

The expert presentations gave participants a 360° view of the requirements of the BSI audits, which are, largely and with good reason, formulated in general terms.

At the end of the morning the visual artist Frank Rogge presented his view of questions of criticality in the field of artistic creation.

The afternoon was dedicated entirely to the participants' main interests. Moderated by Jochen Schumacher, co-organiser at SRC, it was arranged as an open format in which the participants themselves set the content of nine sessions.

The most significant results of the afternoon

From the session “Submitting certification findings to the BSI” it became clear that the BSI does not expect, for example, “classical” findings or deviations formulated down to the last technical detail. A roughly described framework of deviations and a description of the course of action in the audit report is useful. Nevertheless, an appropriate measure must be in place for each risk within a critical infrastructure; this is of enormous importance to the BSI.

The BSI wishes to cooperate closely with the various KRITIS companies. The aim is to strengthen the security of IT in Germany.

In the session “IT Security Awareness in the company”, Ralf Plomann presented the method and implementation of measures at Klinikum Lünen. The individual approach is very important here: every individual in the company is responsible for IT security, and each employee has to be met where he or she currently stands. According to Plomann, this is necessary especially because almost no one reads guidelines any more, so more creative approaches should be chosen. Ralf Plomann's wish for the future: “Awareness for IT security should start at school from upper secondary level”. In the course of the following session, a clear trend towards e-learning platforms for improving awareness emerged.

In another session, the participants focused on a reliable and simple definition of the scope. The pyramid model was particularly favoured in the discussion: the service classified as critical is the best starting point for defining the scope. For the critical infrastructure of a sewage treatment plant, for example, defining the scope requires identifying which systems purify the water, what effects their failure would have and how such a failure could be compensated by other means in order to maintain the critical service.

With this method you move systematically outwards to the perimeter. Once you reach systems that are no longer critical to the service, the limit of the scope is reached.

Conclusion of the first “Critical Day” from SRC’s point of view

One sign of the engaging atmosphere was that participants carried on their one-to-one conversations between the individual sessions. The feedback showed that participants made many new contacts and gained insights from other KRITIS projects.

The overall positive response of the participants shows us at SRC that the Critical Day is a useful hub for the exchange of information on KRITIS projects between participants. Our thanks go to all participants who contributed fundamentally to the success of the Critical Day with their open-mindedness and commitment.

We regard the Critical Day as a successful experiment, and this motivates us to start preparing a follow-up event.

Transakt complies with the EBA RTS

Transakt complies with the EBA RTS

SRC confirms that the mobile banking solution Transakt by Entersekt meets the PSD2 requirements

Information Security Officer for Credit Institutions

Certificate Course “Information Security Officer for Credit Institutions”, 6 to 9 November 2018

The German Banking Act (KWG) and the Minimum Requirements for Risk Management (MaRisk) require banks to ensure the integrity, availability, authenticity and confidentiality of the data in their IT systems and processes. Secure and efficient IT is, however, also essential for the economic success of a credit institution.

The “Banking Supervisory Requirements for IT” (BAIT), issued by the Federal Financial Supervisory Authority (BaFin), formulate concrete expectations. Among other things, they call for the function of an “Information Security Officer” to be established, who steers the information security process and reports directly to management.

In cooperation with Bank-Verlag, SRC has already successfully run three certificate courses for the “Information Security Officer (ISB) for credit institutions”. After the great response and the continuing demand, we are pleased that Bank-Verlag has made another date for this four-day certificate course possible.

From 6 to 9 November 2018, you will again have the opportunity to train in Cologne to become an “Information Security Officer (ISB) for credit institutions”.

Together with Heinrich Lottmann (TARGOBANK AG & Co. KGaA) and Alexandros Manakos (HSBC Trinkaus & Burkhardt AG), the SRC experts Sandro Amendola, Florian Schumann and Randolf Skerka will lecture on the relevant ISO standards and IT-Grundschutz, as well as on all legal and regulatory requirements relevant to you as an ISB. IT risks, emergency planning and business continuity management will also be covered.

After passing the final examination, you will receive the certificate “Information Security Officer for Banks”.

Optionally, you can acquire the basic IT knowledge required for the course in a one-day intensive seminar in Cologne on 5 November 2018, prior to the event. This seminar covers the basics and terminology of information technology, encryption and IT security techniques.

CSCUBS 2018

SRC supports the 5th Computer Science Conference for University of Bonn Students — CSCUBS 2018

SRC is pleased to support the 5th Computer Science Conference for University of Bonn Students — CSCUBS 2018, which will take place on May 16, 2018.

Promotion of research and scientific exchange

CSCUBS 2018 is organised by PhD and Master's students. Its goal is the promotion of research in computer science, as well as scientific exchange between students, researchers and practitioners. “CSCUBS is an initiative from among the students that SRC gladly supports,” says Detlef Kraus, authorised signatory at SRC. “And the professional exchange between research, practice and teaching in particular is urgently needed if our society wants to meet the challenges of IT security with confidence,” Kraus continues.

Starting point for personal and professional exchange

The 5th Computer Science Conference for Students of the University of Bonn (CSCUBS 2018) provides a platform for university projects, theses and results from research, development and practice in the field of computer science. The conference will take place on 16 May 2018 at the University of Bonn. SRC supports the event not only as a sponsor: we will also be present with a booth to offer a point of contact for personal and professional exchange.

Presentation of a project result at CSCUBS 2018 included

SRC will also present one of its many projects at CSCUBS. Practice often yields surprising research approaches and exciting insights. CSCUBS is a welcome platform for SRC to present our work to an interested, young and competent circle of experts and to exchange ideas. Perhaps the many discussions will also provide qualified starting points for using the expertise gathered at CSCUBS 2018 in joint project work.