Tag Archive for: BSI

BSZ Certificate

SRC recognized as test center for Accelerated Security Certification (BSZ)

On 1 October the “Accelerated Security Certification (BSZ)”, the new certification procedure of the German Federal Office for Information Security (BSI), started. Already on 28 September, SRC was recognized by the BSI as a testing body for this new procedure. Sandro Amendola, head of the department Standardization, Certification and Security of Telecommunication Networks at the BSI, handed over the certificate of recognition on behalf of the BSI to Peter Jung, who is responsible for the BSZ at SRC.

Accelerated Security Certification is the BSI’s new lightweight procedure for certifying the security of IT products. Compared with a Common Criteria (CC) certification, a certification according to BSZ has several advantages: considerably less documentation effort, a significantly shorter procedure and therefore lower cost.

The certification scheme follows a risk-based approach: a recognized testing body such as SRC tests the IT product within a fixed timeframe using conformance and penetration tests to determine its security performance and its resistance to attacks.

The user also benefits: they receive comprehensible documentation of the product’s security performance and the assurance that any vulnerabilities that arise are remedied within the certificate’s validity period.
“After SRC has already carried out the first successful evaluation according to BSZ, we are very pleased about the recognition as a test center for this innovative certification scheme that has now taken place,” says Peter Jung, representative of the test center and responsible for the Accelerated Security Certification (BSZ) topic at SRC.

SRC was one of the first test centers to be recognized for BSZ. SRC performed the evaluation of the LANCOM 1900EF, the first product ever certified according to BSZ.

LANCOM 1900EF

LANCOM 1900EF VPN Router receives first Accelerated Security Certification (BSZ)

The BSI has granted LANCOM Systems GmbH the first certificate according to the new BSI scheme “Accelerated Security Certification” (BSZ for short). In this pilot procedure, SRC evaluated the security features of the LANCOM 1900EF VPN Router and finally recommended approval to the BSI.

LANCOM has already had the security of its solutions tested and confirmed or certified by SRC in many procedures, using Common Criteria evaluations or penetration tests. With the pilot evaluation for the BSZ, the BSI, LANCOM and SRC have jointly set a further standard for the certification of IT security solutions, with the aim of achieving certification in line with time-to-market requirements.

The Accelerated Security Certification (BSZ) allows manufacturers to have their products evaluated and certified by the BSI within a specified period of time. The evaluation must be carried out by a test centre recognised by the BSI. With the BSZ, the total effort of the evaluation is predetermined from the beginning (fixed time), in contrast to, for example, Common Criteria evaluations. This allows manufacturers to estimate the expected effort well.

When designing the attack scenarios, the BSZ gives the evaluators relatively wide latitude. The resulting test catalogue must be presented to the BSI extensively and in detail. This design latitude demands an above-average degree of expertise, care and creativity from both the evaluation facility and each individual evaluator. The test catalogue and the final assessment in the test report draw on broad expertise in cryptography, penetration testing and protocol attacks. The manufacturer’s implementation is evaluated by the test centre, and the responsible persons at SRC have to defend their findings against the critical scrutiny of the BSI.

“Accelerated security certification will certainly play a major role, especially in the field of IoT devices,” says Gerd Cimiotti, Managing Director of SRC Security Research & Consulting GmbH. Like LANCOM and the BSI, he expresses his thanks for the professionalism on all sides with which this pilot procedure was ultimately brought to a successful conclusion.

Ralf Koenzen, founder and managing director of LANCOM Systems GmbH, gives the manufacturer’s perspective: “When you do something for the first time, the effort is always greater. It is precisely then that you feel the experience and expertise of a partner like SRC as orientation and noticeable relief.”

As a long-standing partner of the BSI, SRC has already carried out a large number of projects under the most diverse approval schemes. SRC is currently in the process of being recognised as a test centre for Accelerated Security Certification.

We would also be happy to support your Accelerated Security Certification. If you have any questions about the BSZ, please do not hesitate to contact us.

IT Security Congress 2019

IT-Security Congress 2019 — Arne Schönbohm welcomes SRC

The IT-Security Congress 2019 again offered SRC a platform for dialogue with manufacturers, partners and representatives of public authorities. The motto of the event was “IT security as a prerequisite for successful digitization”. The topics were as varied as the visitors: artificial intelligence and its fields of application, Common Criteria certifications of microkernel operating systems, and professional perspectives for scientists and computer scientists at SRC. Almost all SRC services were in demand at the stand, whether penetration tests, consulting on and certification of information security management systems, or support for product manufacturers in evaluations according to Common Criteria.

Sandro Amendola’s lecture at the IT-Security Congress 2019, entitled “Legal Security Requirements for Payment Procedures for Customer Authentication Using Mobile Devices”, was widely discussed. The high pace of innovation on the one hand and the parallel development of regulatory requirements on the other provide continuous material for discussion and forecasts of future trends.

The host of the IT-Security Congress 2019, the Federal Office for Information Security (BSI), also stopped by our stand (see photo). Thilo Pannen is responsible for Business Development at SRC. “We at SRC are delighted that we have been able to support the BSI for many years with a range of experts,” said Thilo Pannen in his welcoming address. The extensive discussion with BSI President Arne Schönbohm touched on all aspects of the wide-ranging cooperation with the BSI, be it the preparation of studies, support in the various BSI projects or the work of SRC as a BSI-recognized testing laboratory. In its function as a testing laboratory, SRC does not only assess according to Common Criteria; it also fulfils the requirements for the technical domains “Smartcards and similar Devices” and “Hardware Devices with Security Boxes”.
Such extensive and complex cooperation in such a dynamic environment requires constant adaptation of the processes. “If we at BSI can contribute to further good cooperation, please let me know,” said the BSI President at the end of his visit to the SRC stand.

SRC contributes to the German IT Security Congress 2019

IT security as a prerequisite for successful digitalisation

This is the motto of this year’s German IT Security Congress, which is held every two years by the Federal Office for Information Security (BSI). The congress will take place from 21 to 23 May 2019 at the Stadthalle Bonn — Bad Godesberg. The aim of this year’s congress is to examine the topic of IT security from different perspectives and to present and further develop possible solutions.

SRC is at the German IT Security Congress

As a BSI-approved evaluation body for evaluations according to Common Criteria (CC) and various other technical guidelines, SRC will again be present with a booth at the German IT Security Congress 2019. We thus once again offer the experts of customers, partners and the BSI the well-established contact point at the German IT Security Congress. This concept has proven itself over many years. The stable personal network between the participants offers the optimal platform for the exchange of complex technical and regulatory aspects.

SRC expert Sandro Amendola talks about compliance, mobile payment procedures and customer authentication

The triumphal march of mobile payment procedures seems unstoppable. The legislator has also considered the security of these procedures and the necessary customer authentication in depth. Sandro Amendola will talk about “Legal security requirements for payment procedures for customer authentication using mobile devices” on Thursday, 23 May 2019 at 11:00 a.m. in the main hall.

Aspects of Common Criteria Certifications

Aspects of Common Criteria Certifications — Guest lecture at the Vienna University of Technology

Aspects of Common Criteria Certifications is the topic of the lecture that the experts of the SRC evaluation body for Common Criteria will give at the Vienna University of Technology. The lecture will take place on 10 May 2019 as part of the course IT Security in Large IT Infrastructures at the Institute of Information Systems Engineering.

Common Criteria in science

With the help of the Common Criteria for Information Technology Security Evaluation (CC), IT products can be evaluated regarding their security according to general criteria. As an internationally recognised standard, Common Criteria is of interest to the scientific world. First, an evaluation is carried out by an evaluation body accredited by the German Federal Office for Information Security (BSI); SRC is accredited as such a CC evaluation body. The BSI then carries out the certification.

Guest lecture for students

The SRC experts will discuss the aspects of Common Criteria certifications at first hand. The lecture informs the students about the basic approach to product certifications according to Common Criteria. Infrastructures in the European Union that rely on Common Criteria certification will be highlighted. The formal side, including the responsible certification and recognition bodies, will also be considered. A comparison of Common Criteria with other concepts concludes the lecture: certifications according to technical guidelines of the BSI, ISO 27001 or the criteria of the Payment Card Industry (PCI) will be considered.

CSCUBS 2018

SRC provides students with insight into exciting projects as part of CSCUBS 2018

Review of the 5th Computer Science Conference for University of Bonn Students

CSCUBS 2018 took place on 16 May on the premises of the University of Bonn and was organised by PhD and MSc students with the aim of promoting research in computer science and scientific exchange among students. The participation of researchers and practitioners was also encouraged. The students also had the opportunity to submit their own contributions describing new research or development work in connection with computer science. This included university projects, dissertations and results of other professional or leisure activities. In addition to the sponsoring companies, the students themselves gave lectures.

SRC staff provide students with insight into exciting projects

Max Hettrich of SRC also reported on the company’s fields of activity in a lecture. The focus was on the evolution of payment, with the aim of putting the “Girocard into the mobile phone”. Of particular interest is what the security evaluation of payment cards has looked like so far and what new challenges mobile payment will bring in the future. Reverse engineering of the applications used will play a central role in the security evaluation of smartphone-based solutions. The examiner takes on the role of an attacker and tries to find ways to compromise the payment application. This is a central building block for evaluating the effectiveness of the implemented protection mechanisms. Where in the past the SRC evaluation facility in particular evaluated the security of payment cards, in future the department for penetration testing will also contribute its expertise to the evaluation of mobile solutions.

In addition, the lecture also covered more general topics, such as SRC’s fields of activity and working atmosphere. Over the many years of SRC’s existence, the core business of payment cards has developed into a multitude of other business areas. It was also discussed what makes SRC special as an employer and what qualities SRC offers.

Conclusion and impressions from SRC’s point of view

“The high proportion of international students, the active participation in the event and the consistently independent organisation of the CSCUBS made a lasting impression on us,” said Jochen Schumacher of SRC. The BSI, BC Technologies and SRC accompanied CSCUBS 2018 with presentations. We were particularly pleased that SRC’s practical contribution provided material for a productive discussion. The security of modern payment transactions is a topic that also moves students. This was demonstrated by the many meaningful discussions in the plenum and the personal exchange at SRC’s specially set up stand. CSCUBS 2018 was an extremely successful and informative event. SRC is looking forward to the new edition in 2019.

Image credit: https://twitter.com/CSCUBS_Bonn

KRITIS 2018

Critical Day 2018 | Knowledge and experience in a lively exchange

The Critical Day

On 25 April 2018 the first Critical Day took place at the SRC Conference Centre. This was the premiere of a series of events that offers a top-class platform for exchange, aimed primarily at representatives of companies that operate a critical infrastructure (KRITIS). The Critical Day serves above all to establish personal contacts and to exchange experiences and best practices on the IT and physical security of critical infrastructures.

The Schedule

After the arrival of the first participants, a lively exchange on the topics began. At the start of the Critical Day, the fully booked hall documented the participants’ need for information.

Top-class speakers gave an overview of the topic KRITIS. Isabel Münch, Head of CK3 and representative of the Federal Office for Information Security (BSI), explained the procedures and processes in the supervisory authority. Randolf Skerka, Head of SRC and responsible for the topic of auditing according to §8a (3) BSIG, described the first experiences from the perspective of the auditing body. The Klinikum Lünen was the first to provide proof of an audit according to §8a (3) BSIG. Ralf Plomann, Head of IT at Klinikum Lünen, gave impressive insights into the development of the hospital’s organisation in preparation for the audit. Prof. Dr. med. Andreas Becker, who made it clear that sound industry expertise is an essential and indispensable cornerstone of a meaningful examination, rounded off the morning.

The expert presentations gave the participants a 360° view of the requirements of the BSI audits, which are largely, and for good reason, formulated in general terms.

At the end of the morning the visual artist Frank Rogge described his view on the questions of criticality in the field of artistic creation.

The afternoon was completely dedicated to the main interests of the participants and was arranged under the moderation of Jochen Schumacher, co-organiser at SRC. The participants independently organized the content of nine sessions.

The most significant results of the afternoon

From the session “Submitting certification findings to the BSI” it became clear that the BSI does not expect, for example, “classical” findings or deviations formulated down to the last technical detail. A roughly described framework of deviations and a description of a course of action in the test report is useful. Nevertheless, an appropriate measure must be in place for each risk within a critical infrastructure. This is of enormous importance to the BSI.

The BSI wishes to cooperate closely with the various KRITIS companies. The aim is to strengthen the security of IT in Germany.

In the session “IT Security Awareness in the company” Ralf Plomann presented the method and implementation of measures at the Lünen Hospital. According to Plomann, the individual approach is very important here: every individual in the company is responsible for IT security, and in the individual address every employee has to be picked up where he is at the moment, especially because almost no one reads guidelines any more. Therefore, more creative approaches should be chosen. Ralf Plomann’s wish for the future: “Awareness for IT security should start at school from upper secondary level”. In the course of the next session, a clear trend towards e-learning platforms for improving awareness emerged.

In another session, the participants focused on a reliable and simple definition of the scope. The pyramid model was particularly favoured in the discussion. The service classified as critical is the best starting point for defining the scope. For example, when it comes to the critical infrastructure of a sewage treatment plant, defining the scope requires identifying which systems treat the water, what effects a failure would have and how this failure can be compensated by other means to maintain the critical service.

With this method one systematically moves outwards to the perimeter. When systems are reached that are no longer critical, the limit of the scope is reached.

Conclusion of the first “Critical Day” from SRC’s point of view

An example of the fascinating atmosphere was the continuation of bilateral communication between the participants between the individual sessions. The feedback showed that the participants were able to make many new contacts and gain insights from other KRITIS projects.

The overall positive response of the participants shows us at SRC that the Critical Day is a useful hub for the exchange of information on KRITIS projects between the participants. Our thanks go to all participants who contributed fundamentally to the success of the Critical Day with their open-mindedness and commitment.

We regard the Critical Day as a successful experiment. This motivates us to start preparing for a follow-up event.

EMVCo certification

SRC’s ITSEF laboratory receives extended EMVCo certification

SRC’s certified Common Criteria security laboratory has recently gained a further EMVCo certification. The SRC laboratory has long been approved by the German Federal Office for Information Security (BSI) for hardware and software evaluations of smart cards and similar devices. After SRC successfully evaluated chip hardware of a well-known and also EMVCo-certified manufacturer, EMVCo reviewed the findings provided within the scope of this IC security evaluation project and confirmed the certification of the SRC security laboratory as an EMVCo Security Evaluation IC laboratory. The laboratory is now also listed as such on the EMVCo website.

Further information on SRC’s EMVCo certifications can be found here.
