Critical Day 2018 | Knowledge and experience in a lively exchange
The Critical Day
On 25 April 2018 the first Critical Day took place at the SRC Conference Centre. This was the premiere of a series of events that offers a top-class platform for exchange. This is primarily aimed at representatives of companies that operate a critical infrastructure (KRITIS). The Critical Day serves above all to establish personal contacts and to exchange experiences and best practices on IT and physical security of critical infrastructures.
The Schedule
After the arrival of the first participants, a lively exchange on the topics began. At the start of the Critical Day, the fully booked hall documented the participants’ need for information.
Top-class speakers gave an overview of the topic KRITIS. Isabel Münch, Head of CK3 and representative of the Federal Office for Information Security (BSI), explained the procedures and processes in the supervisory authority. Randolf Skerka, Head of SRC and responsible for the topic of auditing according to §8a (3) BSIG, described the first experiences from the perspective of the auditing body. The Klinikum Lünen was the first to provide proof of the audit according to §8a (3) BSIG. Ralf Plomann, Head of IT at Klinikum Lünen, gave impressive insights into the development of hospital organisation in preparation for the audit. Prof. Dr. med. Andreas Becker, who made it clear that sound industry expertise is an essential and indispensable cornerstone of a meaningful examination, rounded off the morning.
The expert presentations gave the participants a 360° view of the requirements of the BSI audits, which are, largely and for good reason, formulated in general terms.
At the end of the morning the visual artist Frank Rogge described his view on the questions of criticality in the field of artistic creation.
The afternoon was dedicated entirely to the main interests of the participants and was moderated by Jochen Schumacher, co-organiser at SRC.
The participants independently organized the various contents for nine sessions.
The most significant results of the afternoon
From the session “Submitting certification findings to the BSI” it became clear that the BSI does not expect, for example, “classical” findings or deviations formulated down to the last technical detail. A roughly outlined framework of deviations and a description of the course of action in the test report is useful. Nevertheless, an appropriate measure must be in place for each risk within a critical infrastructure; this is of enormous importance to the BSI.
The BSI wishes to cooperate closely with the various KRITIS companies. The aim is to strengthen the security of IT in Germany.
In the session “IT Security Awareness in the company”, Ralf Plomann presented the method and the implementation of measures at the Lünen Hospital. In his view the individual approach is crucial: every person in the company is responsible for IT security, and when addressing them individually, each employee has to be picked up where he or she currently stands. According to Plomann this is necessary above all because almost nobody reads guidelines any more, so more creative approaches should be chosen. Ralf Plomann’s wish for the future: “Awareness for IT security should start at school from upper secondary level”. In the course of the next session, a clear trend towards e‑learning platforms for improving awareness emerged.
In another session, the participants focused on a reliable and simple definition of the scope. The pyramid model was particularly favoured in the discussion: the service classified as critical is the best starting point for defining the scope. For example, for the critical infrastructure of a sewage treatment plant, defining the scope requires identifying which systems clarify the water, what effects a failure of each of them would have, and how such a failure could be compensated by other means so that the critical service is maintained.
With this method you work systematically outwards towards the perimeter: once you reach systems that are no longer critical, the boundary of the scope has been found.
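The scope walk described above can be carried out mechanically once the dependency inventory exists. The following Python script is an added example and not material from the Critical Day or from SRC; the plant inventory, the system names and the decision rule for “still critical” are constructed assumptions. It starts from the systems that deliver the critical service, follows their dependencies outwards, records the compensating measure that must be in place for every system in scope, and stops expanding at the first non-critical system on each path, which marks the perimeter.

```python
from collections import deque

# Constructed inventory for a hypothetical sewage treatment plant.  Names and
# values are illustrative assumptions, not data from the original page.
# impact:       effect of this system's failure on the critical service
#               (clarifying the water): "outage", "degraded" or "none".
# compensation: how the failure could be bridged by other means, or None.
INVENTORY = {
    "clarification-plc": {"depends_on": ["scada-server", "plant-network"],
                          "impact": "outage", "compensation": None},
    "scada-server":      {"depends_on": ["plant-network", "historian-db", "ntp-server"],
                          "impact": "outage", "compensation": "manual operation for 2 h"},
    "plant-network":     {"depends_on": ["core-switch"],
                          "impact": "outage", "compensation": None},
    "core-switch":       {"depends_on": ["ups"],
                          "impact": "outage", "compensation": "cold spare switch"},
    "ups":               {"depends_on": [],
                          "impact": "degraded", "compensation": "mains power remains available"},
    "historian-db":      {"depends_on": ["office-network"],
                          "impact": "degraded", "compensation": "reports produced later"},
    "ntp-server":        {"depends_on": ["office-network"],
                          "impact": "none", "compensation": None},
    "office-network":    {"depends_on": [], "impact": "none", "compensation": None},
}


def is_critical(system):
    """Assumed decision rule: a system is critical if its failure interrupts the
    service, or degrades it with no way to compensate."""
    if system["impact"] == "outage":
        return True
    return system["impact"] == "degraded" and system["compensation"] is None


def define_scope(inventory, service_systems):
    """Pyramid model: start at the systems delivering the critical service and
    follow dependencies outwards.  Critical systems join the scope and are
    expanded further; the first non-critical system on each path is the
    perimeter and is not expanded.  Returns (scope, perimeter) where scope maps
    each in-scope system to the measure that must be in place for its risk."""
    in_scope, perimeter = {}, set()
    queue = deque(service_systems)
    while queue:
        name = queue.popleft()
        if name in in_scope or name in perimeter:
            continue
        system = inventory[name]
        if not is_critical(system):
            perimeter.add(name)
            continue
        in_scope[name] = system["compensation"] or "no compensation: redundancy or hardening required"
        queue.extend(system["depends_on"])
    return in_scope, perimeter


if __name__ == "__main__":
    scope, edge = define_scope(INVENTORY, ["clarification-plc"])
    for name, measure in sorted(scope.items()):
        print(f"in scope : {name:20} measure: {measure}")
    for name in sorted(edge):
        print(f"perimeter: {name}")
```

Run as a script, the example lists the four systems that end up in scope together with the measure recorded for each, and the three systems at the perimeter; the office network is never reached because every path to it passes a non-critical system first. Systems that are in scope only thanks to a compensating measure still appear in the scope, because that measure is exactly what the audit has to confirm.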
Conclusion of the first “Critical Day” from SRC’s point of view
One sign of the engaging atmosphere was that participants continued their one-to-one conversations between the individual sessions. The feedback showed that the participants were able to make many new contacts and gain insights from other KRITIS projects.
The overall positive response of the participants shows us at SRC that the Critical Day is a useful hub for the exchange of information on KRITIS projects between the participants. Our thanks go to all participants who contributed fundamentally to the success of the Critical Day with their open-mindedness and commitment.
We regard the Critical Day as a successful experiment. This motivates us to start preparing for a follow-up event.
SRC actively supports long-term partnership with the Alliance for Cyber Security
Conducting a free Web Application Security Scan
SRC has been a partner of the Alliance for Cyber Security for many years. As active support for this partnership, SRC offered a free Web Application Security Scan to a maximum of five members of the alliance in 2018.
Worth knowing about the Web Application Security Scans
Web application security scans aim to identify errors in the architecture and configuration of the examined web application. Such vulnerabilities could be exploited, for example to alter the content of the page (cross-site scripting, XSS). Contents of the database could also be downloaded or administrative rights acquired. A system compromised in this way could then serve as a starting point for further attacks on the operator’s own internal infrastructure.
Unlike fully automated web application security scans, SRC also checks pages that are only displayed to the user after registration or login. Fully automated scans that do not take the authentication process into account cannot uncover vulnerabilities on such pages. This is exactly what the Web Application Security Scan allows, and it therefore delivers a more comprehensive scan result.
The scans are performed “non-destructive” and “non-intrusive”. This means that vulnerabilities are identified but, as in penetration tests, for example, no attempt is made to exploit the vulnerabilities that have been discovered. Scanning is carried out in close consultation with the participant.
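The coverage difference between an anonymous automated crawl and an authenticated one can be made visible with a small crawler. The following Python script is an added illustration and is not SRC’s scanning tool; the demo application, its paths and the session cookie value are constructed assumptions. The crawler takes a `fetch` function so that the same logic runs against the in-memory demo application (`demo_fetch`) or, via `http_fetch`, against a real site; it records the HTTP status of every same-host URL it finds and then reports the pages that only the logged-in crawl could reach.

```python
import re
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse
from urllib.request import Request, urlopen

# Constructed demo application (an assumption, not a real site): two public
# pages and two pages that are served only with a valid session cookie.
# Each entry: (login required?, HTML body).
SESSION_COOKIE = "session=demo-token"
DEMO_PAGES = {
    "/":               (False, '<a href="/about">About</a> <a href="/account">Account</a>'),
    "/about":          (False, '<a href="/">Home</a>'),
    "/account":        (True,  '<a href="/account/export">Export</a>'),
    "/account/export": (True,  'export of account data'),
}


def demo_fetch(url, cookie=None):
    """In-memory stand-in for an HTTP request: returns (status, body)."""
    path = urlparse(url).path or "/"
    if path not in DEMO_PAGES:
        return 404, ""
    needs_login, body = DEMO_PAGES[path]
    if needs_login and cookie != SESSION_COOKIE:
        return 401, ""          # refused without a session, as a login wall would
    return 200, body


def http_fetch(url, cookie=None):
    """Real HTTP fetch with the same signature, for a live scan target."""
    req = Request(url, headers={"Cookie": cookie} if cookie else {})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except HTTPError as err:
        return err.code, ""


HREF = re.compile(r'href="([^"]+)"')


def crawl(base_url, fetch, cookie=None):
    """Breadth-first crawl: follow same-host links from the start page and
    record the status of every URL, optionally as a logged-in session."""
    host = urlparse(base_url).netloc
    results, queue = {}, [urljoin(base_url, "/")]
    while queue:
        url = queue.pop(0)
        if url in results:
            continue
        status, html = fetch(url, cookie)
        results[url] = status
        if status != 200:
            continue            # nothing to follow on refused or missing pages
        for link in HREF.findall(html):
            target = urljoin(url, link)
            if urlparse(target).netloc == host:
                queue.append(target)
    return results


def coverage_gap(base_url, fetch, cookie):
    """Paths that only an authenticated crawl reaches, i.e. the part of the
    application an anonymous automated scan would never examine."""
    reached = lambda res: {urlparse(u).path for u, s in res.items() if s == 200}
    return reached(crawl(base_url, fetch, cookie)) - reached(crawl(base_url, fetch))


if __name__ == "__main__":
    gap = coverage_gap("http://demo.example", demo_fetch, SESSION_COOKIE)
    print("pages seen only when logged in:", sorted(gap))
```

Against the demo application the anonymous crawl stops at the 401 returned for `/account`, so it never even learns that `/account/export` exists; the authenticated crawl reaches both. The gap reported by `coverage_gap` is the set of pages a scan without login would leave unexamined.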
Great demand from members of the Alliance
The Web Application Security Scans offered by SRC met with great demand among the members of the Alliance; for this reason, all five scans offered have already been taken up. A report on how the scans were carried out will appear on our blog shortly. Further details can also be found on the Alliance for Cyber Security website.
Transakt complies with the EBA RTS
SRC confirms that the mobile banking solution Transakt by Entersekt meets the PSD2 requirements
Certificate Course “Information Security Officer for Credit Institutions” — November 6 to 9, 2018
The German Banking Act (KWG) and MaRisk require banks to ensure the integrity, availability, authenticity and confidentiality of data in their IT systems and processes. However, secure and efficient IT is also absolutely essential for the economic success of a credit institution.
The new “Banking Supervisory Requirements for IT” (BAIT) formulate concrete expectations. Among other things, the Federal Financial Supervisory Authority (BaFin) has issued a guideline calling for the new function of the “Information Security Officer” to be set up. This person steers the information security process and reports directly to management.
In cooperation with Bank-Verlag, SRC has already successfully offered three certificate courses to become an “Information Security Officer (ISB) for credit institutions”. After the great response and the continuing demand, we are pleased that the Bank-Verlag has made another date for this four-day certificate course possible.
From 6 to 9 November 2018, you will again have the opportunity to receive further training in Cologne to become an “Information Security Officer (ISB) for credit institutions”.
Together with Heinrich Lottmann (TARGOBANK AG & Co. KGaA) and Alexandros Manakos (HSBC Trinkaus & Burkhardt AG), the SRC experts Sandro Amendola, Florian Schumann and Randolf Skerka will teach the norms and standards according to ISO and IT-Grundschutz, as well as all legal and regulatory requirements relevant to you as an ISB. In addition, the topics of IT risks and emergency precautions as well as business continuity management will be covered.
After passing the final examination, you will receive the certificate “Information Security Officer for Banks”.
Optionally, you will have the opportunity to acquire the basic IT knowledge required for the course in a one-day intensive seminar in Cologne on 5 November 2018, prior to the event. This seminar covers IT fundamentals and terminology, encryption and IT security techniques.
SRC supports the 5th Computer Science Conference for University of Bonn Students — CSCUBS 2018
SRC is pleased to support the 5th Computer Science Conference for University of Bonn Students — CSCUBS 2018, which will take place on May 16, 2018.
Promotion of research and scientific exchange
CSCUBS 2018 is organised by PhD and Masters students. Its goal is the promotion of research in computer science, as well as the scientific exchange between students, researchers and practitioners. “The CSCUBS is an initiative from among the students that SRC gladly supports,” says Detlef Kraus, authorized signatory at SRC. “And especially the professional exchange between research, practice and teaching is urgently needed if our society wants to meet the challenges of IT security with confidence,” Kraus continues.
Starting point for personal and professional exchange
The 5th Computer Science Conference for Students of the University of Bonn (CSCUBS 2018) provides a platform for university projects, dissertations and results from research, development and practice in the field of computer science. The conference will take place on 16 May 2018 at the University of Bonn. SRC supports the event not only as a sponsor. We will also be present with a booth to offer a point of contact for personal and professional exchange.
Presentation of a project result at CSCUBS 2018 included
SRC will also present one of its many projects at the CSCUBS. Practice often provides surprising research approaches and exciting insights. The CSCUBS is a welcome platform for SRC to present our work to an interested, young and competent circle of experts and to exchange ideas. Perhaps the many discussions will also provide qualified starting points for using the expertise gathered at CSCUBS 2018 in joint project work.
Critical Day 2018 | on April 25, 2018, critical infrastructure operators meet at SRC
Critical infrastructures and their significance | Critical Day 2018 makes an exchange possible
Critical infrastructures (KRITIS) are organisations and facilities of major importance to the public, the failure or impairment of which would result in lasting supply shortages, major public security disruptions or other dramatic consequences. These critical infrastructures are exposed to various dangers, among them a number of scenarios in which the security of the information technology systems of critical infrastructures takes centre stage. This is the starting point for the conference “Critical Day 2018” with its accompanying barcamp.
Professional “networking” with each other
With the aim of establishing personal contacts and stimulating professional exchange, the Critical Day offers a regular meeting place for people responsible for the protection of critical infrastructures. The target group of the Critical Day are those who work in a company or institution that supplies the population with essential goods and services. Furthermore, the Critical Day addresses people who deal with the topic of critical infrastructures in a practical, advisory, regulatory or scientific capacity. The first Critical Day will take place on 25 April 2018 at the SRC Conference Centre with an accompanying barcamp. Tickets are now available.
The aim of the Critical Day
The Critical Day aims to provide a world-class platform for representatives of affected companies, the public sector, science and research to network and to exchange experiences on developments and best practices in IT and physical security of critical infrastructures. Participants are also encouraged to shape the second part of the Critical Day as a barcamp. A barcamp is an open conference with open workshops, whose contents are developed by the participants themselves at the beginning of the conference and shaped as it proceeds. Barcamps therefore serve the exchange of content and discussion.
SmartCard Workshop on 21 and 22 February 2018 in Darmstadt
Focus of the SmartCard Workshop
The SmartCard Workshop will take place on 21 and 22 February 2018 in Darmstadt. It is one of the most important events for smart cards in Germany. The participants come from all areas of industry, science and politics, and particularly appreciate the technical orientation of the workshop and its broad neutrality. The workshop offers participants and experts a forum to present new operating system concepts and conceivable new features and applications, as well as to discuss the current state of development, cryptography, information security and standardisation.
SRC expert explains authentication procedures
This year, SRC expert Sandro Amendola will give a presentation on security-related and regulatory issues in the “Registration of App-based authentication procedures”. Such authentication methods play an important role in many digital applications and have become very important for all users of online banking systems, especially due to the regulation of the banking market by the PSD2.
Evening event with award ceremony
A special highlight is the evening event. Each year, one expert is honored with the SmartCard prize for special achievements. The prize is donated by Fraunhofer SIT.
SRC actively participates in SmartCard Workshop
SRC supports the workshop as sponsor and through active participation in the Programme Advisory Board.
Image source: Fraunhofer SIT
SRC expert Sandro Amendola contributes to the PSD2 conference meeting
Second EU Payment Services Directive PSD2 comes into force
“Banken+Partner” expert panel on PSD2
The second EU Payment Services Directive PSD2 comes into force in January. The business, technical and regulatory need for action on the part of credit institutions is diverse and at the same time specific to each bank. Among other things, the institutions will have to observe and implement stricter security requirements for the authentication of their customers and prove these to the national supervisory authority. For banks and Sparkassen as service providers and for customers as users, there is a risk that login and payment release will become more inconvenient. At the same time, an interface must be implemented for access by authorised third parties.
SRC expert discusses complex challenges and evaluates solution approaches
SRC expert Sandro Amendola
Sandro Amendola, Division Manager at SRC Security Research & Consulting GmbH, was one of the experts at the table talk of “Banken+Partner”. Mr. Amendola discussed the opportunities and challenges of the PSD2 and outlined possible solutions for banks and Sparkassen.
The challenges for banks and Sparkassen
An example of these challenges are the interfaces for authorised third-party providers, which PSD2 requires banks to make available. Another example is two-factor authentication, which further enhances the security of account access. Increased security on the one hand is often not possible without too great a sacrifice in terms of convenience and customer friendliness on the other. The experts present also explained how this security can be achieved without losing comfort or customers. Finally, the opportunities that can be exploited through cooperation with agile FinTechs were discussed.
Possible solutions for banks and Sparkassen
The entire expert discussion, as well as the topics and solutions, can be read in the free e‑paper from “Banken+Partner”. In addition, Sandro Amendola is available for individual workshops and consultations on PSD2 and its implications.
Image source: Banken+Partner/Fotografie Schepp
SRC’s ITSEF laboratory receives extended EMVCo certification
SRC’s certified Common Criteria security laboratory has recently been extended by a further EMVCo certification. The SRC laboratory has long been approved by the German Federal Office for Information Security (BSI) for hardware and software evaluations of smart cards and similar devices. SRC has now successfully evaluated chip hardware from a well-known manufacturer that is itself EMVCo certified. Following a review of the findings delivered within that IC security evaluation project, EMVCo confirmed the certification of the SRC security laboratory as an EMVCo Security Evaluation IC laboratory, and the laboratory is now listed as such on the EMVCo website.
Further information on the certifications for SRC by EMVCo can be found here.
SRC GmbH hosts the NextGenPSD2 Conference 2017 in Berlin
The NextGenPSD2 standard of the Berlin Group
The Berlin Group is currently holding a six-week public market consultation on its NextGenPSD2 standard for account access (“Access to Accounts”, XS2A), which enables third parties to access payment accounts within the framework of the revised EU Payment Services Directive (PSD2). In this context, SRC GmbH is hosting a NextGenPSD2 conference, which will take place on October 25, 2017 in Deutsche Bank’s Atrium in Berlin. The conference offers a detailed programme that shows how NextGenPSD2 builds a bridge into the banking system and reduces the complexity of PSD2 and of the requirements for access to accounts (XS2A). It also highlights how Third Party Payment Service Providers (TPPs) can provide innovative solutions for customers using modern application programming interfaces (APIs) for secure access to bank accounts.
Change in payment transactions
The conference offers experienced specialists, developers, FinTechs, banks, processors and other experts involved in the PSD2 standard an excellent opportunity to learn in detail how NextGenPSD2 will change daily payment transactions in the coming years. A variety of policy insiders, experts and stakeholders will provide information on the background, goals and details of the open and collaborative NextGenPSD2 XS2A API standard. Accordingly, the meeting offers a great opportunity for a comprehensive explanation of the topic and to clarify open questions. The conference will also be honoured with an insightful keynote opening speech by the European Central Bank and offers several panel discussions with banks, regulators, FinTechs and consumer organisations.
Networking in Microsoft Lounge and Digital Eatery
The conference also offers exceptional networking opportunities: On the evening of 24 October 2017 (from 6 p.m.), the Microsoft Lounge and Digital Eatery will open their doors to the participants and provide access to a get-together event with delicious cuisine and refreshing drinks at no extra cost.