Posts

Unternehmenstag 2019

Unternehmenstag 2019 — SRC partic­i­pates again!

Unternehmenstag 2019 — The Career Fair for Students and Career Starters

The end of the studies is in sight. The degree is within reach. At the latest now, students and graduates need contact to their future employer. SRC is looking forward to this contact. Two days at the University of Applied Sciences Bonn Rhein-Sieg on the campus in Sankt Augustin. This is where the Unternehmenstag 2019 takes place on 13 and 14 November.

The job fair will be rounded off with a wide range of offers relating to careers and career planning. These include lectures, appli­cation photos, job boards and much more.

Career in ITSRC provides an insight into exciting areas of respon­si­bility

SRC will also be happy to give students and graduates the oppor­tunity to gain an insight into and exchange views on the diverse topics of IT security at the Unternehmenstag 2019. The SRC experts will explain everyday life and the challenges in the assessment of security-relevant IT technologies. A selection of current topics are, for example, mobile payment methods, artificial intel­li­gence and critical infra­struc­tures. We expect our new colleagues to have a strong instinct for potential sources of error in complex technologies, the compe­tence to find solutions and the assertiveness to represent the results of their work to clients.

Current job offers on our career portal

Whether as a working student in our customer management or as a scanworker in the pentest team — completing diverse and exciting tasks while studying is no problem for us. But also graduates will get what they are looking for — we are looking for pentesters, consul­tants and analysts for different areas in our company.

Students and graduates are welcome to inform themselves in advance on our career portal about vacancies at our company. We will be happy to answer any questions you may have at the Unternehmenstag! You also have the option of submitting your appli­cation documents directly to us on site.

ICPS 2019

SRC at ICPS 2019 in dialogue with physics students

SRC attends the ICPS 2019 Jobfair

Physics students will meet for the 34th time at ICPS 2019 in Cologne. The “Jobfair” taking place on Tuesday, August 13, 2019, will provide the setting.

SRC uses the ICPS 2019 to provide physi­cists with insights into and an exchange on the diverse topics of IT security. The SRC experts explain the challenges of technology assessment using examples such as mobile payment methods, artificial intel­li­gence and similar topics. This requires a strong instinct for potential sources of error in complex environ­ments, the compe­tence to find solutions and the will to implement them. Especially students with a physical background bring these valuable qualities with them. Dr. Max Hettrich already reported in the interview “From quantum physicist to security analyst at SRC on how a career can develop from these qualities.

By students for students — The ICPS 2019

The ICPS finds a new home every year. More than 500 physics students and doctoral candi­dates from more than 50 nations not only have the oppor­tunity to exchange their knowledge; they also get to know the culture and mentality of the host country. The ICPS is organised by the respective student associ­a­tions of the host country. This year, the organ­i­sation team consisting of members of the young German Physical Society, the Institute for Theoretical Physics of the University of Cologne and the Bonn-Cologne Graduate School of Physics and Astronomy who have prepared a programme that will last 8 days.

Matthias Dahlmanns is the project coordi­nator of ICPS 2019 and a working student at SRC. “Coordi­nating the organ­i­sation of the ICPS 2019 is a great experience. The partic­i­pation of SRC makes me personally very happy”, says Matthias Dahlmanns. Dr. Benjamin Botermann, Senior Consultant Test & Quality Assurance, is also looking forward to the exchange with the many inter­ested physics students: “I am very excited about the ICPS Jobfair. As a physicist, I find myself absolutely at home working at SRC. I am looking forward to the exchange with the prospective physi­cists. In a personal conver­sation, I would like to talk about the various fields of activity at SRC and answer the numerous and detailed questions”.

IT Sicherheit in Krankenhäusern

How secure is IT in our hospitals?

Digiti­sation poses IT security challenges for hospitals

Cloud computing, networked commu­ni­cation, virtual teamwork — digiti­sation offers hospitals and other healthcare facil­ities enormous potential for optimi­sation. The effects on the profitability of medical facil­ities and on patient care are sustainably positive. If it weren’t for IT security. How well protected are healthcare networks? Can sensitive data be lost during trans­mission or in the course of collab­o­ration? Or even worse: be inter­cepted? Can IT security in hospitals keep pace with the tempo of digital­i­sation?

Protection of sensitive patient infor­mation is required

If one thinks about the most sensitive data of a society, then patient infor­mation certainly belongs to it. The need for protection is therefore partic­u­larly high. In the meantime, the legis­lator has also recog­nised this and created a clear legal situation. At the latest, IT security in the healthcare sector will become a playing field for liability risks and claims for damages. This is why IT security is a top priority in hospitals. Several hospitals have already painfully discovered that absolute security can hardly be achieved. In particular, the attack with the ransomware “Wannacry” in 2017 had an enormous impact on hospital IT worldwide. Exami­na­tions had to be postponed, opera­tions had to be cancelled and the financial damage was immense.

The electronic patient file, telemed­icine and cross-sector infor­mation logistics make it extremely demanding to manage data securely. But IT security is no longer just a technical issue. It also concerns the awareness of the employees, the inten­sified data protection and the growing require­ments of the legis­lator. Examples are the Medical Devices Ordinance (MDR) and the audits according to § 8a of the BSI Act.

SRC expert Dr. Deniz Ulucay talks to the KU Gesund­heits­man­agement Magazine

In an interview with Birgit Sander, editor of KU Gesund­heits­man­agement Magazine, Dr. Deniz Ulucay, SRC expert for IT security in healthcare, gives detailed insights into potential threat scenarios and adequate defense strategies. The title of the article asks: “How secure is IT in our hospitals? It can be downloaded here (German).

IT Security Congress 2019

IT-Security Congress 2019 — Arne Schönbohm welcomes SRC

The IT-Security Congress 2019 again offered SRC the platform for dialogues with manufac­turers, partners and repre­sen­ta­tives of public author­ities. The motto of the event was “IT security as a prereq­uisite for successful digiti­zation”. The topics are as varied as the visitors: artificial intel­li­gence and its fields of appli­cation, Common Criteria certi­fi­ca­tions of micro-kernel operating systems and profes­sional perspec­tives for scien­tists and computer scien­tists at SRC. Almost all SRC services were in demand at the stand, whether penetration tests, consulting and certi­fi­cation of infor­mation security management systems or support for product manufac­turers in evalu­a­tions according to Common Criteria.

Sandro Amendola’s lecture at the IT-Security Congress 2019, entitled “Legal Security Require­ments for Payment Proce­dures for Customer Authen­ti­cation Using Mobile Devices”, was widely discussed. The high pace of innovation on the one hand and the parallel devel­opment of regulatory require­ments on the other hand provide continuous material for discus­sions and forecasts of future trends.

The host of the IT-Security Congress 2019, the Federal Office for Infor­mation Security (BSI) (see photo), also stopped by our stand. Thilo Pannen is respon­sible for Business Devel­opment at SRC. “We at SRC are delighted that we have been able to support the BSI for many years with a range of experts,” said Thilo Pannen in his welcoming address. The extensive discussion with BSI President Arne Schönbohm touched all aspects of the extensive cooper­ation with the BSI. Be it the prepa­ration of studies, the support in the various BSI projects or the work of SRC as a BSI-recog­nized testing laboratory. In its function as a testing laboratory, SRC does not only assess according to Common Criteria. The require­ments for the technical domains “Smart­cards and similar Devices” and “Hardware Devices with Security Boxes” are also fulfilled by SRC.
Such extensive and complex cooper­ation in such a dynamic environment requires constant adaptation of the processes. “If we at BSI can contribute to further good cooper­ation, please let me know,” said the BSI President at the end of his visit to the SRC stand.

IT Security Congress

SRC contributes to the German IT Security Congress 2019

IT security as a prereq­uisite for successful digital­i­sation

This is the motto of this year’s German IT Security Congress, which is held every two years by the Federal Office for Infor­mation Security (BSI). The congress will take place from 21 to 23 May 2019 at the Stadthalle Bonn — Bad Godesberg. The aim of this year’s congress is to examine the topic of IT security from different perspec­tives, to present and further develop possible solutions.

SRC is at the German IT Security Congress

As a BSI-approved evalu­ation body for evalu­a­tions according to Common Criteria (CC) and various other technical guide­lines, SRC will also be present with a booth at the German IT Security Congress in 2019. Thus we offer the experts of customers, partners and those of the BSI once again the well-estab­lished contact point at the German IT Security Congress. This concept has proven itself over many years. The stable personal network between the partic­i­pants offers the optimal platform for the transfer of complex technical and regulatory aspects.

SRC expert Sandro Amendola talks about compliance, mobile payment proce­dures and customer authen­ti­cation

The triumphal march of mobile payment proce­dures seems unstop­pable. The legis­lator has also inten­sively considered the security of these proce­dures and the necessary customer authen­ti­cation. Sandro Amendola will talk about “Legal security require­ments for payment proce­dures for customer authen­ti­cation using mobile devices” on Thursday, 23 May 2019 at 11:00 a.m. in the main hall.

International Common Criteria Conference

SRC gives lecture on JTEMS at the Inter­na­tional Common Criteria Conference in Amsterdam

From 30 October to 1 November, the 17th Inter­na­tional Common Criteria Conference will take place in Amsterdam. The Inter­na­tional Common Criteria Conference is presented with the support of the Common Criteria User Forum (CCUF). The CCUF provides a voice and commu­ni­cation channel between the CC community and the organ­ising committees of the Common Criteria, CCRA member organ­i­sa­tions (national programmes) and policy makers.

SRC will also actively partic­ipate in this year’s conference. In a presen­tation by our expert Sven-Martin Hühne on the topic “JTEMS — a Payment Scheme Independent Framework for POI Terminal specific Security Evalu­a­tions based on Common Criteria” the JTEMS Framework is presented and the current “state of affairs” is explained. The presen­tation deals with the advan­tages of a CC-based and Payment Scheme independent evalu­ation and certi­fi­cation procedure for POI terminals. The framework is a living example of the active use of the CC method by inter­ested parties from the private sector (German banking industry and UK Finance or Common.SECC). The possi­bility of embedding the JTEMS framework in current discus­sions of the EU Commission for a “European Security Certi­fi­cation Scheme” will also be discussed.

In the panel discussion “The Why and How of Using CC in Private Schemes”, Regine Quent­meier discusses these aspects from the point of view of users from the European banking industry in an exchange with repre­sen­ta­tives of other economic sectors.

Employee Interview

From Quantum Physicist to Security Analyst at SRC — An Employee Interview

The following employee interview with Dr. Max Hettrich allows a look behind the scenes of SRC. We at SRC always have an open ear for our employees and are happy that we were able to ask Max about his career and his work at SRC.

Hey, Max, let’s just start right away. What education do you have?

I’m a physicist. After my studies I first worked in academic research, namely in exper­i­mental quantum optics. It was all about lasers, vacuum chambers, and quantum physics. But also computer simula­tions and digital measurement technology. The IT topic has always been there, even if not in the first place.

How did you become aware of SRC and the job adver­tisement and why did you apply to SRC?

I became aware of SRC through a colleague at that time, who again knew an employee at SRC. After I learned that physi­cists are very welcome at SRC and that I have always been inter­ested in IT security topics, my curiosity was aroused.

How long have you been with SRC?

I joined SRC in July 2017, less than a year ago.

How did your training go?

Very carefully considered and struc­tured. Those respon­sible have really thought carefully about the projects to be considered. I always had enough freedom to find out which topics I liked most.

Which topics are you currently working on?

On the one hand, I deal with many compliance issues in the IT security environment, and on the other hand with reverse engineering of software for mobile devices in order to assess their security against various attack scenarios. These are two quite different subject areas, but they complement each other perfectly.

What are your main tasks and activ­ities in your daily work routine?

Compliance projects are always about analysing a customer’s system and assessing if it meets regulatory require­ments. Since no two systems are alike, it never gets boring.

The goal of reverse engineering is to under­stand the function of software and to extract any hidden assets without having access to the source code. This requires, for example, reading and analysing native code or debugging and instru­menting running programmes.

What does your typical working day look like? Do you travel a lot?

Mostly I work in my office in the SRC office in Wiesbaden. I am, atypical for a consulting firm, rather little on travel, since most work can be done simply best if I am in direct contact with my colleagues on site.

What do you partic­u­larly like about SRC?

I find the rather flat hierarchy partic­u­larly positive, and great freedom with regard to the selection of fields of activity.

And how do you feel about the working atmos­phere at SRC?

I find the atmos­phere here extremely pleasant. The fact that SRC is a rather small company with about 120 employees allows a rather informal and direct commu­ni­cation among each other. I believe that many conflicts do not arise as a result.

Keyword Work-Life-Balance: How can work at SRC be recon­ciled with your private life?

This really works out great! Our working hours at SRC are flexible, overtime hours are always logged and can be compen­sated later.

What do you think appli­cants need to bring with them in order to be successful at SRC?

I think the most important thing is a pronounced analytical thinking, and strong self-initiative. If you already have experience in one of SRC’s fields of activity, the better. But my impression is that gener­alists are also welcome at the SRC. You then have the oppor­tunity to acquire the necessary specialist knowledge on more closely defined topics as required.

One last question: What would you suggest to potential appli­cants?

Don’t be shy! You can easily find out whether you like SRC’s fields of activity if you have a look at our website and our career portal. If this is the case: Just send us your appli­cation!

KRITIS 2018

Critical Day 2018 | Knowledge and experience in a lively exchange

The Critical Day

On 25 April 2018 the first Critical Day took place at the SRC Conference Centre. This was the premiere of a series of events that offers a top-class platform for exchange. This is primarily aimed at repre­sen­ta­tives of companies that operate a critical infra­structure (KRITIS). The Critical Day serves above all to establish personal contacts and to exchange experi­ences and best practices on IT and physical security of critical infra­struc­tures.

The Schedule

After the arrival of the first partic­i­pants, a lively exchange on the topics began. At the start of the Critical Day, the fully booked hall documented the partic­i­pants’ need for infor­mation.

Top-class speakers gave an overview of the topic KRITIS. Isabel Münch, Head of CK3 and repre­sen­tative of the Federal Office for Infor­mation Security (BSI), explained the proce­dures and processes in the super­visory authority. Randolf Skerka, Head of SRC and respon­sible for the topic of auditing according to §8a (3) BSIG, described the first experi­ences from the perspective of the auditing body. The Klinikum Lünen was the first to provide proof of the audit according to §8a (3) BSIG. Ralf Plomann, Head of IT at Klinikum Lünen, gave impressive insights into the devel­opment of hospital organ­i­sation in prepa­ration for the audit. Prof. Dr. med. Andreas Becker, who made it clear that sound industry expertise is an essential and indis­pensable corner­stone of a meaningful exami­nation, rounded off the morning.

The expert presen­ta­tions gave the partic­i­pants a 360° view of the require­ments of the BSI audits, which were largely and with good reason vaguely formu­lated.

At the end of the morning the visual artist Frank Rogge described his view on the questions of criti­cality in the field of artistic creation.

The afternoon was completely dedicated to the main interests of the partic­i­pants. Under the moder­ation of Jochen Schumacher, co-organiser at SRC, the afternoon was arranged.

The partic­i­pants indepen­dently organized the various contents for nine sessions.

The most signif­icant results of the afternoon

From the session ” Submitting certi­fi­cation findings to the BSI ” it became clear that the BSI does not expect, for example, any “classical” findings or devia­tions formu­lated down to the last technical detail. A roughly described framework of devia­tions and a description of a course of action in the test report is useful. Never­theless, an appro­priate measure must be in place for each risk within a critical infra­structure. This is of enormous impor­tance for the BSI.

The BSI wishes to cooperate closely with the various Kritis companies. The aim is to strengthen the security of IT in Germany.

In the session ” IT Security Awareness in the company ” Ralf Plomann presented the method and imple­men­tation of measures at the Lünen Hospital. The individual approach would be very important here. Every individual in the company would be respon­sible for IT security. In the individual address, every employee would have to be picked up where he is at the moment. According to Plomann, this is especially the case because almost no one would read guide­lines any more. Therefore, more creative approaches should be chosen. Ralf Plomann’s wish for the future: “Awareness for IT security should start at school from upper secondary level”. In the course of the next session, a clear trend towards e‑learning platforms for improving awareness emerged.

In another session, the partic­i­pants focused on the safe and simple defin­ition of the scope. The pyramid model was partic­u­larly favoured in the discussion. The service classified as critical is the best starting point for defining the scope. For example, when it comes to the critical infra­structure of a sewage treatment plant, the defin­ition of the scope requires identi­fying and deter­mining which systems clarify the water, what effects a failure would have and how this failure can be compen­sated by other methods to maintain the critical service.

With this method you system­at­i­cally move to the outer perimeter. If you get to systems that are no longer critical, the limit of the scope is reached.

Conclusion of the first “Critical Day” from SRC’s point of view

An example of the fasci­nating atmos­phere was the contin­u­ation of the bilateral commu­ni­cation of the partic­i­pants between the individual sessions. The feedback proved that the partic­i­pants were able to make many new contacts and gain insights from other KRITIS projects.

The overall positive response of the partic­i­pants shows us as SRC that the Critical Day is a useful hub for the exchange of infor­mation on KRITIS projects between the partic­i­pants. Our thanks goes to all partic­i­pants who contributed funda­men­tally to the success of the Critical Day with their open-mindedness and commitment.

We regard the Critical Day as a successful exper­iment. This motivates us to start preparing for a follow-up event.

SmartCard Workshop

SmartCard Workshop on 21 and 22 February 2018 in Darmstadt

Focus of the SmartCard Workshop

The SmartCard Workshop will take place on 21 and 22 February 2018 in Darmstadt. It is one of the most important events for smart cards in Germany. The partic­i­pants come from all areas of industry, science and politics. They partic­u­larly appre­ciate the technical orien­tation of the workshop and its extensive neutrality. The workshop offers partic­i­pants and experts a forum to present new operating system concepts and conceivable new features and appli­ca­tions, as well as to discuss the current state of devel­opment, cryptog­raphy, infor­mation security and standard­ization.

SRC expert explains authen­ti­cation proce­dures

This year, SRC expert Sandro Amendola will give a presen­tation on security-related and regulatory issues in the “Regis­tration of App-based authen­ti­cation proce­dures”. Such authen­ti­cation methods play an important role in many digital appli­ca­tions and have become very important for all users of online banking systems, especially due to the regulation of the banking market by the PSD2.

Evening event with award ceremony

A special highlight is the evening event. Each year, one expert is honored with the SmartCard prize for special achieve­ments. The prize is donated by Fraun­hofer SIT.

SRC actively partic­i­pates in SmartCard Workshop

SRC supports the workshop as sponsor and through active partic­i­pation in the Programme Advisory Board.

Image source: Fraun­hofer SIT

Portfolio Items