Tag Archive for: IT Security

SRC and DAkkS accred­i­tation according to ISO/IEC EN 17025: An important step towards EUCC

SRC Security Research & Consulting GmbH kann einen weiteren bedeu­tenden Erfolg verze­ichnen: Die erfol­greiche Akkred­i­tierung durch die Deutsche Akkred­i­tierungsstelle (DAkkS) nach DIN EN ISO/IEC 17025. Dieser Schritt unter­streicht nicht nur die Kompetenz und Zuver­läs­sigkeit unseres Prüflabors für Common Criteria (CC), sondern bereitet uns auch auf die Einführung der EUCC (European Common Criteria) vor, eine wichtige Entwicklung in der europäischen Cybersicherheitslandschaft.

Bedeutung der DAkkS-Akkreditierung

Die Akkred­i­tierung nach DIN EN ISO/IEC 17025 ist ein klares Zeichen für die Profes­sion­alität und den Anspruch von SRC, erstk­lassige Prüfdi­en­stleis­tungen anzubieten. Sie bestätigt, dass unser CC-Prüflabors den inter­na­tional anerkannten Standards entspricht und vertrauenswürdige, konsis­tente Ergeb­nisse liefert.

Vorbere­itung auf die EUCC

Die EUCC stellt das auf den Common Criteria basierende europäische Zerti­fizierungss­chema dar, soll die Sicher­heit­sz­er­ti­fizierung von IKT-Produkten in Europa verbessern. Mit unserer DAkkS-Akkred­i­tierung ist SRC nun bestens gerüstet, um die Heraus­forderungen der EUCC zu meistern und eine führende Rolle in der IT-Sicher­heit­sz­er­ti­fizierung in Europa zu übernehmen. Die EUCC erweitert die Anforderungen der bisherigen Common Criteria und wird künftige Zerti­fizierungen in der EU grundlegend prägen.

Unser Engagement für Qualität und Genauigkeit

Mit dieser Akkred­i­tierung demon­striert SRC sein Engagement für höchste Qualitäts­stan­dards und Unparteilichkeit in unseren Labortätigkeiten. Wir sind stolz darauf, diesen Meilen­stein erreicht zu haben und freuen uns darauf, unseren Kunden weiterhin Dienstleis­tungen auf höchstem Niveau anzubieten.

Bei weiteren Fragen stehen unser Sales-Team Ihnen jederzeit zur Verfügung!

BSI Lagebericht 2023

The BSI Situation Report 2023: Secure Your Business – Discover Our Solutions.”

The latest Situation Report from the Federal Office for Infor­mation Security (BSI) for the year 2023 paints a picture of the German cyber­se­curity landscape that reveals both challenges and calls to action. As digital­ization progresses in all areas of life, the complexity and number of cyber threats are increasing.

Specific IT security threats in 2023

Partic­u­larly, ransomware attacks aimed at encrypting company data and demanding ransoms are becoming more sophis­ti­cated and are affecting not only large corpo­ra­tions but also increas­ingly smaller and medium-sized businesses as well as public institutions.

Another prominent topic of the report is the potential misuse of Artificial Intel­li­gence (AI). With the rapid devel­opment of AI technologies and their appli­ca­tions, new possi­bil­ities for attacks emerge. AI-powered attacks, including deep fakes and manip­u­lated chatbots, represent a serious threat that can undermine not only infor­mation security but also societal stability.

Geopo­litical tensions, especially the conflict in Ukraine, further demon­strate that cyber­at­tacks are increas­ingly being used as a means of warfare and political influence. These devel­op­ments are not limited to state actors but also affect the economy and civil society. The BSI empha­sizes that security in cyber­space is no longer just a matter of technical defense but requires a collective societal effort.

The BSI’s recom­men­dation to strengthen “cyber resilience” reinforces the necessity of being proactive and preventive. This means that companies and author­ities must not only react to attacks but also improve the resilience of their systems in advance.

This is where the expertise of SRC GmbH comes in, a company that specializes in security needs in the digital age.

How SRC can help establish cyber resilience

  • Risk analysis and prevention: SRC offers individual risk analyses to help companies identify and address vulner­a­bil­ities before they can be exploited.
  • Security archi­tecture and design: By designing robust security archi­tec­tures, SRC helps ensure that their clients’ systems can withstand advanced threats.
  • Training and awareness: SRC organizes training for employees to increase awareness of cyber­se­curity and ensure that security policies are under­stood and followed.
  • Regulatory compliance and standards: SRC advises on regulatory require­ments and helps companies meet legal and normative standards.
  • Innovation and technology consulting: With expertise in modern technologies such as blockchain and AI, SRC develops innov­ative solutions that are not only secure but also forward-looking.
  • Emergency planning and response: In the event of a cyber­attack, SRC assists with rapid response and deployment of emergency plans to minimize damage and maintain business operations.

Use the insights from the BSI Situation Report 2023 as a decisive impulse to specif­i­cally review and optimize your cyber­se­curity measures – SRC GmbH is ready to work with you to strengthen critical security areas and build resilience against current and future cyber threats.

20 years SRC

20 years SRC

20 years ago, on 27 November 2000, the founding meeting of the share­holders of SRC took place. That is a long time, but in retro­spect it does not seem to be the case for the acting persons. This perception is of course subjective, but a decisive factor will certainly be the rapid devel­opment in the field of infor­mation technology.
The complexity of digital­i­sation and the constantly growing need to create trust in new solutions is the business basis of SRC, the essential reason why SRC exists. At the same time this is also a big oblig­ation — namely to ensure that new digital solutions are really trustworthy.
SRC’s work on such things that many people experience in their daily life can be explained vividly. These are, above all, contactless payment by card and mobile phone, secure access to bank accounts by third parties, electronic patient files, secure commu­ni­cation in connection with the Galileo system and in the Bundeswehr, or even quite “mundane” things such as bottle deposit machines or tamper-proof cash registers — all topics of digiti­sation with which millions of people come into contact in one way or another every day. The devel­opment does not end there, with Open Finance, IoT and the increased use of AI methods there are still many exciting topics to be addressed.
None of these solutions has been produced or is operated by SRC itself, but we have made a decisive contri­bution to all of them: We provide confi­dence in these digital solutions — for relia­bility, security and future-proofness. We create “a good feeling” in dealing with digitalisation:
— Standards for new technologies create investment security,
— Reliable function­ality of new solutions through testing,
— Technical safety of new solutions through safety concepts and tests.
In fact, this “good feeling”, the trust, is something like the lubricant of digital­i­sation. For many people, the digiti­sation and mecha­ni­sation of everyday life means that processes are no longer manageable and the truth content of infor­mation is sometimes unclear. Trust makes it possible to reduce this complexity and often opens the door to accep­tance of the new ways of experi­encing and acting that digiti­sation aims to create.
The complexity of digital­i­sation and the constantly growing need to create trust in new solutions is the business basis of SRC, the essential reason why SRC exists. At the same time this is also a big oblig­ation — namely to ensure that new digital solutions are really trustworthy.
In the 20 years of SRC’s existence we have carried out more than 20,000 projects. Every year there have been more and also SRC has grown year by year — not only in terms of the number of employees, but especially in terms of the expansion of expertise, partly in areas that did not exist at the time of the foundation of SRC.
The current pandemic situation does not allow us to adequately celebrate our 20th anniversary, which we would have liked to do together with our customers. We are thinking about making up for this at a suitable time. But even without a party, we would be pleased if you, our customers, continue to place your trust in us.


TIBER-DE | Increasing the cyber resilience of the financial system

Digiti­sation of the financial sector — Chances & cyber risks

The increasing digital­i­sation of the financial sector not only provides new oppor­tu­nities, but also leads to increased cyber risks. In particular, attacks on the financial system can have serious conse­quences not only for the affected company, but also for the entire public. For this reason, the central banks of the European System of Central Banks have already launched the TIBER-EU (Threat Intel­li­gence-based Ethical Red Teaming) programme in 2018. TIBER-EU serves as a framework for threat-based penetration tests.

In the summer of 2019, the Deutsche Bundesbank and the German Federal Ministry of Finance (BMF) decided to implement TIBER-DE as a national framework for financial companies to test their own resis­tance to cyber attacks. This imple­mention has now taken place.

To whom is TIBER-DE addressed?

TIBER-DE partic­u­larly addresses critical companies in the financial sector, such as large banks and insurance companies and their IT service providers and payment service providers. In its TIBER imple­men­tation, the Deutsche Bundesbank empha­sises that the purpose of conducting TIBER-DE tests is to “establish a network of national companies belonging to the target group in order to improve the cyber-resis­tance of the financial sector in a sustainable and cooper­ative way, together and by conducting TIBER-DE tests.

What happens in a TIBER-DE test?

In a TIBER-DE test, commis­sioned hackers (“Red Team”) use infor­mation from a threat intel­li­gence provider (“spy”) to test the cyber resis­tance of a company. The primary goal is to identify security gaps in the production systems (“critical functions”) within the framework of an attack scenario that is as real as possible. The TIBER-DE test consists of three phases, which are presented here in a shortened form:

  • In the prepa­ration phase the initi­ation, the kick-off, the deter­mi­nation of the test scope and the procurement takes place. In particular, the corre­sponding contracts with all parties involved are concluded, the test scope is deter­mined and the financial super­visory authority is informed about the intended TIBER-DE test.
  • In the test phase, infor­mation on the threat situation is collected and the Red Team penetration test is conducted on the basis of the previ­ously defined test scope.
  • Finally, the final phase includes the prepa­ration of the test reports, a replay and feedback, a remedi­ation plan for found vulner­a­bil­ities as well as a final report and the attes­tation including the transfer of results.

Risks of the TIBER-DE Test

The TIBER-DE test targets the productive systems with the “critical functions” of an institute in order to realis­ti­cally evaluate their cyber-resis­tance. However, this is also accom­panied by risks, e.g. regarding the confi­den­tiality, integrity or avail­ability of the data or systems. In any case, the institute has to perform a detailed risk analysis and take appro­priate measures to minimise the risks before a TIBER-DE test is performed.

Furthermore, companies are confronted with organ­i­sa­tional, technical and data protection challenges. Critical business processes have to be identified, defensive measures have to be estab­lished and documented. In addition, TIBER-DE tests must be coordi­nated with the various stake­holders concerned, e.g. service providers. Furthermore, a confi­den­tiality oblig­ation must be observed by all parties.

Currently the partic­i­pation in TIBER-DE tests is based on a voluntary basis. Along with the not incon­sid­erable risks this seems to be the reason for the hesitation to perform a TIBER-DE test.

Team up for a successful TIBER-DE test

The experts of SRC can prepare a TIBER test together with you. This includes the company-wide scoping of the critical business processes to be tested and support in estab­lishing compliant reporting channels and processes to control and execute TIBER tests. This means that the internal prepa­ra­tions are now in place to have a TIBER-compliant penetration test performed by a service provider. With the experience gained from countless penetration tests, bank compliance and infor­mation security management projects, we are happy to support you through the entire process of a TIBER test.

Amendment of BAIT 2021

Amendment of BAIT 2021- The new require­ments for financial institutions

The amendment of BAIT for 2021 means new require­ments for credit insti­tu­tions. In contrast, BaFin faces the challenge of imple­menting the Guide­lines on security measures for opera­tional and security risks under the PSD2 and the Guide­lines on ICT and security risk management of the EBA in Germany. This is to be completed by 31 December 2020 with an amendment to the BAIT (banking super­visory require­ments for IT). First drafts have already been discussed and commented on in the insti­tutes and associations.

BAIT 2021 focuses on IT security

With a separate and new chapter, opera­tional IT security is moving further into focus. The require­ments formu­lated there can only be fulfilled with a Security Infor­mation and Event Management System (SIEM). This also includes the estab­lishment and operation of a Security Opera­tions Centre (SOC). Regular opera­tional checks are required. These include:

  • internal deviation analyses
  • Vulner­a­bility scans
  • Penetration tests
  • the simulation of attacks (“Red Teaming”)

The new require­ments of BAIT 2021 lead to the estab­lishment of a profes­sional cyber security infra­structure. This means extensive and independent internal infor­mation security structures.

The management assumes overall responsibility

It is noticeable that the draft already refers not only to the respon­si­bility of the management. The management is even required to explicitly acknowledge the overall respon­si­bility for infor­mation security. This also includes regular infor­mation about their concerns and the decision to deal with security risks appropriately.

Require­ments for IT emergency management are consolidated

We expect further changes in the area of IT emergency management. The require­ments from BAIT will be consol­i­dated with those from section AT7.3 of MaRisk. This creates uniform national require­ments. In addition, we expect to tighten and specify the require­ments with regard to emergency planning and prevention, BCM, disaster recovery and backup strategies. In our view, outsourcing to service providers will also be covered by the revised version.

Financial insti­tu­tions face major challenges

According to the assessment of the SRC experts for bank compliance, the expected changes will pose great challenges for the affected insti­tu­tions. This concerns especially the required know-how and the limited resources on the labour market.

Unternehmenstag 2019

Unternehmenstag 2019 — SRC partic­i­pates again!

Unternehmenstag 2019 — The Career Fair for Students and Career Starters

The end of the studies is in sight. The degree is within reach. At the latest now, students and graduates need contact to their future employer. SRC is looking forward to this contact. Two days at the University of Applied Sciences Bonn Rhein-Sieg on the campus in Sankt Augustin. This is where the Unternehmenstag 2019 takes place on 13 and 14 November.

The job fair will be rounded off with a wide range of offers relating to careers and career planning. These include lectures, appli­cation photos, job boards and much more.

Career in IT — SRC provides an insight into exciting areas of responsibility

SRC will also be happy to give students and graduates the oppor­tunity to gain an insight into and exchange views on the diverse topics of IT security at the Unternehmenstag 2019. The SRC experts will explain everyday life and the challenges in the assessment of security-relevant IT technologies. A selection of current topics are, for example, mobile payment methods, artificial intel­li­gence and critical infra­struc­tures. We expect our new colleagues to have a strong instinct for potential sources of error in complex technologies, the compe­tence to find solutions and the assertiveness to represent the results of their work to clients.

Current job offers on our career portal

Whether as a working student in our customer management or as a scanworker in the pentest team — completing diverse and exciting tasks while studying is no problem for us. But also graduates will get what they are looking for — we are looking for pentesters, consul­tants and analysts for different areas in our company.

Students and graduates are welcome to inform themselves in advance on our career portal about vacancies at our company. We will be happy to answer any questions you may have at the Unternehmenstag! You also have the option of submitting your appli­cation documents directly to us on site.

ICPS 2019

SRC at ICPS 2019 in dialogue with physics students

SRC attends the ICPS 2019 Jobfair

Physics students will meet for the 34th time at ICPS 2019 in Cologne. The “Jobfair” taking place on Tuesday, August 13, 2019, will provide the setting.

SRC uses the ICPS 2019 to provide physi­cists with insights into and an exchange on the diverse topics of IT security. The SRC experts explain the challenges of technology assessment using examples such as mobile payment methods, artificial intel­li­gence and similar topics. This requires a strong instinct for potential sources of error in complex environ­ments, the compe­tence to find solutions and the will to implement them. Especially students with a physical background bring these valuable qualities with them. Dr. Max Hettrich already reported in the interview “From quantum physicist to security analyst at SRC” on how a career can develop from these qualities.

By students for students — The ICPS 2019

The ICPS finds a new home every year. More than 500 physics students and doctoral candi­dates from more than 50 nations not only have the oppor­tunity to exchange their knowledge; they also get to know the culture and mentality of the host country. The ICPS is organised by the respective student associ­a­tions of the host country. This year, the organ­i­sation team consisting of members of the young German Physical Society, the Institute for Theoretical Physics of the University of Cologne and the Bonn-Cologne Graduate School of Physics and Astronomy who have prepared a programme that will last 8 days.

Matthias Dahlmanns is the project coordi­nator of ICPS 2019 and a working student at SRC. “Coordi­nating the organ­i­sation of the ICPS 2019 is a great experience. The partic­i­pation of SRC makes me personally very happy”, says Matthias Dahlmanns. Dr. Benjamin Botermann, Senior Consultant Test & Quality Assurance, is also looking forward to the exchange with the many inter­ested physics students: “I am very excited about the ICPS Jobfair. As a physicist, I find myself absolutely at home working at SRC. I am looking forward to the exchange with the prospective physi­cists. In a personal conver­sation, I would like to talk about the various fields of activity at SRC and answer the numerous and detailed questions”.

IT Sicherheit in Krankenhäusern

How secure is IT in our hospitals?

Digiti­sation poses IT security challenges for hospitals

Cloud computing, networked commu­ni­cation, virtual teamwork — digiti­sation offers hospitals and other healthcare facil­ities enormous potential for optimi­sation. The effects on the profitability of medical facil­ities and on patient care are sustainably positive. If it weren’t for IT security. How well protected are healthcare networks? Can sensitive data be lost during trans­mission or in the course of collab­o­ration? Or even worse: be inter­cepted? Can IT security in hospitals keep pace with the tempo of digitalisation?

Protection of sensitive patient infor­mation is required

If one thinks about the most sensitive data of a society, then patient infor­mation certainly belongs to it. The need for protection is therefore partic­u­larly high. In the meantime, the legis­lator has also recog­nised this and created a clear legal situation. At the latest, IT security in the healthcare sector will become a playing field for liability risks and claims for damages. This is why IT security is a top priority in hospitals. Several hospitals have already painfully discovered that absolute security can hardly be achieved. In particular, the attack with the ransomware “Wannacry” in 2017 had an enormous impact on hospital IT worldwide. Exami­na­tions had to be postponed, opera­tions had to be cancelled and the financial damage was immense.

The electronic patient file, telemed­icine and cross-sector infor­mation logistics make it extremely demanding to manage data securely. But IT security is no longer just a technical issue. It also concerns the awareness of the employees, the inten­sified data protection and the growing require­ments of the legis­lator. Examples are the Medical Devices Ordinance (MDR) and the audits according to § 8a of the BSI Act.

SRC expert Dr. Deniz Ulucay talks to the KU Gesund­heits­man­agement Magazine

In an interview with Birgit Sander, editor of KU Gesund­heits­man­agement Magazine, Dr. Deniz Ulucay, SRC expert for IT security in healthcare, gives detailed insights into potential threat scenarios and adequate defense strategies. The title of the article asks: “How secure is IT in our hospitals? It can be downloaded here (German).

IT Security Congress 2019

IT-Security Congress 2019 — Arne Schönbohm welcomes SRC

The IT-Security Congress 2019 again offered SRC the platform for dialogues with manufac­turers, partners and repre­sen­ta­tives of public author­ities. The motto of the event was “IT security as a prereq­uisite for successful digiti­zation”. The topics are as varied as the visitors: artificial intel­li­gence and its fields of appli­cation, Common Criteria certi­fi­ca­tions of micro-kernel operating systems and profes­sional perspec­tives for scien­tists and computer scien­tists at SRC. Almost all SRC services were in demand at the stand, whether penetration tests, consulting and certi­fi­cation of infor­mation security management systems or support for product manufac­turers in evalu­a­tions according to Common Criteria.

Sandro Amendola’s lecture at the IT-Security Congress 2019, entitled “Legal Security Require­ments for Payment Proce­dures for Customer Authen­ti­cation Using Mobile Devices”, was widely discussed. The high pace of innovation on the one hand and the parallel devel­opment of regulatory require­ments on the other hand provide continuous material for discus­sions and forecasts of future trends.

The host of the IT-Security Congress 2019, the Federal Office for Infor­mation Security (BSI) (see photo), also stopped by our stand. Thilo Pannen is respon­sible for Business Devel­opment at SRC. “We at SRC are delighted that we have been able to support the BSI for many years with a range of experts,” said Thilo Pannen in his welcoming address. The extensive discussion with BSI President Arne Schönbohm touched all aspects of the extensive cooper­ation with the BSI. Be it the prepa­ration of studies, the support in the various BSI projects or the work of SRC as a BSI-recog­nized testing laboratory. In its function as a testing laboratory, SRC does not only assess according to Common Criteria. The require­ments for the technical domains “Smart­cards and similar Devices” and “Hardware Devices with Security Boxes” are also fulfilled by SRC.
Such extensive and complex cooper­ation in such a dynamic environment requires constant adaptation of the processes. “If we at BSI can contribute to further good cooper­ation, please let me know,” said the BSI President at the end of his visit to the SRC stand.

SRC contributes to the German IT Security Congress 2019

IT security as a prereq­uisite for successful digitalisation

This is the motto of this year’s German IT Security Congress, which is held every two years by the Federal Office for Infor­mation Security (BSI). The congress will take place from 21 to 23 May 2019 at the Stadthalle Bonn — Bad Godesberg. The aim of this year’s congress is to examine the topic of IT security from different perspec­tives, to present and further develop possible solutions.

SRC is at the German IT Security Congress

As a BSI-approved evalu­ation body for evalu­a­tions according to Common Criteria (CC) and various other technical guide­lines, SRC will also be present with a booth at the German IT Security Congress in 2019. Thus we offer the experts of customers, partners and those of the BSI once again the well-estab­lished contact point at the German IT Security Congress. This concept has proven itself over many years. The stable personal network between the partic­i­pants offers the optimal platform for the transfer of complex technical and regulatory aspects.

SRC expert Sandro Amendola talks about compliance, mobile payment proce­dures and customer authentication

The triumphal march of mobile payment proce­dures seems unstop­pable. The legis­lator has also inten­sively considered the security of these proce­dures and the necessary customer authen­ti­cation. Sandro Amendola will talk about “Legal security require­ments for payment proce­dures for customer authen­ti­cation using mobile devices” on Thursday, 23 May 2019 at 11:00 a.m. in the main hall.