
Lancom 1900EF VPN Router receives first Accelerated Security Certification (BSZ)

The BSI has granted LANCOM Systems GmbH the first certificate under the new BSI scheme “Accelerated Security Certification” (BSZ for short). In this pilot procedure, SRC evaluated the security features of the Lancom 1900EF VPN Router and finally recommended certification to the BSI.

LANCOM has already had the security of its solutions tested and confirmed or certified by SRC in many procedures, using Common Criteria evaluations or penetration tests. With the pilot evaluation for the BSZ, the BSI, LANCOM and SRC have jointly set a further standard for the certification of IT security solutions, with the aim of achieving time-to-market certification.

The Accelerated Security Certification (BSZ) allows manufacturers to have their products evaluated and certified by the BSI within a specified period of time. The evaluation must be carried out by a test centre recognised by the BSI. With the BSZ, the total effort of the evaluation, in comparison to e.g. Common Criteria evaluations, is predetermined from the beginning (fixed time). This allows manufacturers to estimate the expected effort well.

When designing the attack scenarios, the BSZ gives the evaluators relatively large leeway. The resulting test catalogue must be presented to the BSI extensively and in detail. This design leeway demands an above-average degree of expertise, care and creativity from both the evaluation facility and each individual evaluator. The test catalogue and the final assessment in the test report draw on broad know-how in cryptography, penetration testing and protocol attacks. The manufacturer's implementation is evaluated by the test centre, and the responsible persons at SRC have to defend this evaluation against the critical view of the BSI.

“Accelerated security certification will certainly play a major role, especially in the field of IoT devices,” says Gerd Cimiotti, Managing Director of SRC Security Research & Consulting GmbH. Like Lancom and the BSI, he expresses his thanks for the professionalism on all sides with which this pilot procedure was ultimately brought to a successful conclusion.

Ralf Koenzen, founder and managing director of LANCOM Systems GmbH, gives the manufacturer’s perspective: “When you do something for the first time, the effort is always greater. It is precisely then that you feel the experience and expertise of a partner like SRC as orientation and noticeable relief.”

As a long-standing partner of the BSI, SRC has already carried out a large number of projects in the most diverse approval schemes. SRC is currently in the process of being recognised as a test centre for accelerated security certification.

We would also be happy to accompany your accelerated security certification. If you have any questions about the BSZ, please do not hesitate to contact us.

AI security: The right measure for regulating AI


Precisely because of their enormous potential, their diverse areas of application and their ability to learn, artificial intelligence (AI) systems must be and remain safe and controllable at the same time. Here, it is important to find the right balance in regulation.

Voice assistants, translations at the push of a button, predictive maintenance, applicant management systems: despite the diverse areas of application, artificial intelligence (AI) is only at the beginning of its development. Many of the future areas of application are not even foreseeable yet. This opens up great opportunities for developers and manufacturers to achieve competitive advantages with improvements based on the use of artificial intelligence.

In addition to further coordination, a great deal of detailed work will now have to be done: the corresponding norms and standards will have to be worked out or adapted, and procedures for conformity assessment will have to be developed. In doing so, the organisational and technical effort for manufacturers should be kept within reasonable limits so as not to hinder the development of AI systems. At the same time, it is also important to gain economic and social trust in this promising technology.

Under the German title “KI-Sicherheit: Das richtige Maß zur Regulierung von KI finden”, the magazine “it-daily” gave Randolf-Heiko Skerka, Division Manager IS Management at SRC Security Research & Consulting GmbH, the opportunity to comment comprehensively.

If you are interested, we look forward to hearing from you.


Certificate Course “Information Security Officer for Credit Institutions” — November 16 to 19, 2021

The German Banking Act (KWG) and MaRisk require banks to ensure the integrity, availability, authenticity and confidentiality of data in their IT systems and processes. But secure and efficient IT is also absolutely essential for the economic success of a credit institution.

The new “Banking Supervisory Requirements for IT” (BAIT) formulate concrete expectations. Among other things, the Federal Financial Supervisory Authority calls in its directive for the newly established function of “information security officer”. This officer controls the information security process and reports directly to the management.

In cooperation with the publishing house Bank-Verlag, SRC has successfully completed multiple certificate courses to become an “Information Security Officer (ISB) for credit institutions” since 2016. After the great response and the continuing demand, we are pleased that the Bank-Verlag has made another date for this four-day certificate course possible.

From 16th to 19th November 2021, you will again have the opportunity to train as an “Information Security Officer (ISB) for Credit Institutions” on the premises of Bank-Verlag GmbH in Cologne.

Attention: online course

Taking into account the current Covid-19 situation, we offer both the certificate course Information Security Officer (ISB) for credit institutions and the optional basic IT seminar as an online course.

In a team with Heinrich Lottmann (TARGOBANK AG & Co. KGaA) and Alexandros Manakos (HSBC Germany), the SRC experts Dagmar Schoppe, Florian Schumann and Dr. Deniz Ulucay will lecture and provide you with comprehensive information on the norms and standards according to ISO and IT-Grundschutz, as well as on all legal and regulatory requirements relevant for you as an ISB. In addition, the topics of IT risks and emergency precautions as well as business continuity management will be addressed.

After passing the final examination, you will receive the certificate “Information Security Officer for Credit Institutions”.

Optionally, you have the opportunity to acquire the basic IT knowledge required for the course in a one-day intensive seminar on 15 November 2021 in Cologne prior to the event. This seminar deals with the basics, terms, encryption and IT security techniques in information technology.

IT Security Act 2.0 approved by the Bundesrat (Upper House)


On Friday, 7 May 2021, the Bundesrat finally approved the controversial IT Security Act 2.0. The Bundestag had already approved it at the end of April 2021. In this regard, Federal Minister of the Interior Horst Seehofer spoke of a “good day for cyber security in Germany”. He commented: “Digitalisation permeates all areas of life, and the pandemic has once again accelerated this process enormously. Our protection mechanisms & defence strategies must keep pace — this is what the IT Security Act 2.0 is for”. As early as November 2020, the discussion about the IT Security Act was reignited with a third draft bill. In terms of content, many aspects that were already the subject of the government draft from 2020 have been retained. However, they have been modified in detail. Thus, the continuing industry-wide criticism of the IT Security Act 2.0 seems hardly surprising.

Expanded powers for the BSI, inventory data disclosure and the so-called “Huawei clause”

A central aspect of the new IT Security Act is the expanded powers for the Federal Office for Information Security (BSI). The draft law brings improvements at least in the concretisation of overriding protection goals and of the work of the BSI geared to them. In addition, the handling of vulnerabilities and security gaps is to become more transparent. The new law is intended to make the BSI a key player in the fight against botnets and the spread of malware. To this end, 799 new positions will be created.

Detection of security vulnerabilities

The BSI will be empowered to detect security vulnerabilities at the interfaces of IT systems to public telecommunications networks by means of port scans. In addition, it will be allowed to use honeypots and sinkholes to analyse malware and attack methods.

Storage and collection of inventory and log data

A particularly critical aspect from a data protection perspective is that in future the BSI will be allowed to store and evaluate “log data” and personal user information (such as IP addresses) generated during online communication between citizens and federal administrative institutions for a period of 12 to 18 months. This also includes internal “logging data” from the authorities. Furthermore, the BSI may obtain inventory data information from providers of telecommunications services. This is intended to protect those affected and to detect attacks, e.g. by Trojans such as Emotet.

The so-called “Huawei clause” — hurdle for the exclusion of equipment suppliers

The so-called “Huawei clause”, which is also part of the amendment, sets the hurdle for the exclusion of individual equipment suppliers from network expansion, for example for 5G, quite high. The federal government is to be able to prohibit the use of “critical components” in the event of “probable impairment of public safety and order”. To this end, there will be a certification obligation and manufacturers will have to issue a guarantee declaration.

In this regard, the BSI tweets, in the sense of a “self-image”, that security vulnerabilities will be communicated transparently and remedied quickly, that consumers will be provided with even more neutral, up-to-date information on digital topics, and that critical infrastructures will be supported with close-meshed advice and supervision.

Strengthening consumer protection and more security for businesses

In addition, the new IT Security Act contains regulations to strengthen consumer protection and increase security for companies. To this end, consumer protection is included in the BSI’s catalogue of tasks. Furthermore, a uniform IT security label will in future make it clear to consumers which products already comply with certain IT security standards.

In order to increase corporate security, operators of critical infrastructures and, in the future, other companies in the special public interest (e.g. arms manufacturers or companies of particularly great economic importance) must implement certain IT security measures and will be included in the trustful exchange of information with the BSI.

Draft of a second ordinance amending the BSI Criticality Ordinance (BSI-KritisV) published

The IT-SiG 2.0 not only refers to the Critis Ordinance, it also expands the existing obligations of the CRITIS operators. For this reason, it is not surprising that on 26 April 2021, the Federal Ministry of the Interior published the draft of a second ordinance amending the BSI Critis Ordinance as part of the consultation of associations, specialist groups and academia. Corresponding comments are to be submitted by 17 May 2021.

The draft bill contains considerable changes and adjustments to the content as well as new additions in the individual annexes to determine the categories of installations and concrete threshold values, in particular in part also the individual numerical assessment criteria. In addition, software and IT services that are necessary for the provision of a critical service are now also identified as investments within the meaning of the regulation. Furthermore, trading in securities and derivatives is included as a new critical service.

Support from SRC experts

The SRC experts will be happy to exchange views with you on the innovations as well as their effects and support you in the implementation of the requirements from IT-SiG and BSIG as well as in the provision of evidence within the scope of § 8a BSIG (“Critical Service Examination”).

IT security in the health sector: Regulation is necessary and overdue


Open interfaces, outdated technology and different interests: IT security in the health sector is a complex topic, after all it is about the needs and safety of the patient. A major problem is the lack of regulation on the part of authorities such as the Federal Institute for Drugs and Medical Devices and the Federal Office for Information Security — currently there are only recommendations but no binding guidelines.

The Federal Office for Information Security (BSI), the Federal Institute for Drugs and Medical Devices (BfArM) and gematik are the competent authorities for IT security of medical devices in Germany. It must be ensured that unauthorised persons cannot use the IT in medical devices and systems against the patient and that components and systems are only open to authorised persons. Companies specialising in IT security, such as SRC Security Research & Consulting GmbH from Bonn, can help here. Regulation is necessary to create security standards, although a sense of proportion is needed here, because over-regulation can also cause damage.

Under the title “IT Security in the Healthcare Sector: Regulation is necessary and overdue” (German), the magazine “all about security” gave Randolf-Heiko Skerka, Head of IS Management at SRC Security Research & Consulting GmbH, the opportunity to comment comprehensively.

If you are interested, we would be pleased to hear from you.

BSI publishes CC certificates of connectors in the healthcare sector

Within the framework of the gematik telematics infrastructure, a connector coordinates and encrypts the communication between the client system, eGK, HBA/SMC and the central telematics infrastructure. It thus represents the link between these components on the decentralised service provider side and the central telematics infrastructure.

A connector fulfils security requirements that have been laid down in corresponding protection profiles.

The connector in product type version 3 comprises the following components:

  • the network connector,
  • the application connector including a signature application,
  • the specialised modules “Versichertenstammdatenmanagement” (VSDM), “Notfalldatenmanagement” (NFDM) and “Arzneimitteltherapiesicherheit/elektr. Medikationsplan” (AMTS/eMP).

SRC has successfully evaluated the network and application connector in product type version 3 of the company Research Industrial Systems Engineering (RISE) Forschungs-, Entwicklungs- und Großprojektberatung GmbH. The certificates BSI-DSZ-CC-1052-V3-2021 and BSI-DSZ-CC-1132-2021 have been published by the BSI.

In addition, SRC has successfully evaluated the network and application connector in product type version 3 of the company secunet Security Networks AG. The certificates BSI-DSZ-CC-1044-V3-2020 and BSI-DSZ-CC-1135-2020 have been published by the BSI.

For questions about Common Criteria or other evaluations, please contact us.

Certification of fiskaly Cloud Crypto Service Provider


Among other things, the Tax Code provides for a combination of technical and organisational measures to effectively prevent manipulation of digital basic records. At the core of these measures is a certified technical security device (TSE for short). The TSE is the central technical component for securing the basic records against subsequent manipulation. The certification aims to ensure a uniform minimum level of trust and security in the TSE as well as compliance with necessary interoperability requirements.

Cash register systems keep digital basic records in the above sense. Therefore, the cash register security ordinance of the Federal Ministry of Finance specifies requirements for the certification of TSEs, which have been implemented accordingly by the BSI. These include detailed requirements for the security module, the storage medium, the digital interface and the electronic storage, which have been published in the form of several technical guidelines and protection profiles.

The central security component of a TSE is a so-called Cryptographic Service Provider (CSP). This is the component that performs the cryptographic signature operations and securely manages essential components such as cryptographic keys and other parameters.

The BSI has certified fiskaly’s CSP Light based on the evaluation results of SRC. This CSP Light is implemented as a cloud service to enable integration into networks.

In contrast, CSPs can also be created in the form of smart cards for stand-alone systems. Such products have also already been evaluated by SRC.

PCI DSS v4.0 release delayed


The publication of a new, fundamentally revised version of the payment transaction standard PCI DSS has been expected since it was announced in 2019. We are eagerly awaiting the changes that the new version will bring.

After PCI DSS v4.0 had already undergone two RFC phases in 2019 and 2020, the PCI Security Standards Council has now decided to also initiate an RFC phase in June 2021 for supporting documents, in particular for

  • the template for the Report on Compliance (ROC),
  • the template for the Attestation of Compliance (AOC), and
  • the self-assessment questionnaires (SAQs).

However, this will also delay the publication of PCI DSS v4.0.

Instead of the announced release period in Q2 2021, the targeted period of finalisation is now Q4 2021. The actual release date has not yet been specified.

We must therefore be patient a little longer before we can properly plan the migration. With the shift of the publication date, the planned transition periods from PCI DSS v3.2.1 to v4.0 have also been postponed. We are therefore also postponing our PCI DSS v4.0 webinars to 2022.

How cryptocurrencies create new market opportunities for banks and financial services providers


“The importance of cryptocurrencies is growing ever faster. Banks can use their expertise in implementing regulatory issues to gain a good starting position in the market for cryptocurrency services such as key custody. Through their existing competences in dealing with cryptographic procedures, e.g. in authorisation, online banking or PIN protection, banks already bring along a large part of the technical prerequisites for entering this business field.” SRC expert Dagmar Schoppe explains the opportunities for banks and financial service providers with regard to the development of cryptocurrencies in an article just published on the specialist platform “it-daily.net”.

Are there dependencies on the digital euro?

The increasing interest in cryptocurrencies — in addition to the rapid rise in the euro equivalent of a bitcoin observed in recent days — should also be seen in connection with the discussion about the introduction of a digital euro. The digital euro — according to the perception in the German banking industry (DK) — is assessed as a forward-looking means of payment in a digital economy that coherently complements the existing and proven systems and structures. In this context, the greatest possible synergies should be sought with existing payment transaction solutions so that access to digital central bank money can be secured for end consumers.

New opportunities in the digitalisation of business processes

Institutions face the challenge of increasing their visibility in this new market segment in order to then be able to respond to requests from customers, retailers as well as service providers. In the medium term, the generally growing interest in cryptocurrencies can also result in opportunities for institutions that, for example, offer their corporate customers self-issued cryptocurrencies to support them in the digitalisation of their business processes.

The SRC experts follow the exciting developments in the field of cryptocurrencies and the digital euro for you and support you in the realisation of your crypto custody service. We will be happy to inform you about the opportunities to get involved in this innovative sector.


SRC joins the German IT Security Association (TeleTrusT)

SRC joined the German IT Security Association (TeleTrusT) at the beginning of the year.

The Bundesverband IT-Sicherheit e.V. (TeleTrusT) is a competence network comprising domestic and foreign members from industry, administration, consulting and science as well as thematically related partner organisations.

Due to the permanently changing requirements in the field of IT security, it is important for SRC that its experts regularly inform themselves about and exchange information on new necessities, techniques, processes and regulations.

TeleTrusT offers particularly good conditions for this, since in addition to the exchange among experts from the business world, contact is also established with politics and science.

SRC will contribute its wide-ranging expertise to the various working groups of TeleTrusT and thus give further significance to the status of IT security in Germany and Europe.