Event takeaway: 2. IT-Grundschutz-Tag 2021

My key takeaways

• Digitalization and cyber secuirty goes hand in hand
• Hafnium
  • BSI: about 10k Exchange server affected in DE by Hafnium
  • Remediation advices
    • almost everybody who exposed OWA
    • Save personalized settings before starting!
    • patch = Exchange admin rights required)
    • look in IIS for Github fragments in Inetpub folder
• #DEVSECOPS is the mandatory development system, facing more and more severe security implications in software development
• Minimalism as important quality factor for software development in the future: “do we really need this feature?“
• code not written can’t be attacked
• automation in agile software development is mandatory. So it has to become for security testing during the development, not just after shipping the final product.
• Observerability means: “how well internal states of a system can be inferred from knowledge of its external outputs” and might be become a thing for InfoSec as well
• The “Cyber-Sicherheitsnetzwerk (CSN)” is a german initiatve for a decentralized network of incident responders. First training will be available from April 2021.
• Crime-as-a-Service has 9 subcategories and cybercriminal are well organized
• The security level depends on organization, people and technology. A balanced harmony of all three maximizes the security level.
• A maturity model like OpenSAMM might help to identify most urgent aspects to improve software secruity
• To avoid suply chain attacks like “Sunburst/Solarwinds” hashing signatures in a decentralized blockchain might be an idea
• There are already a lot of “IT-Grundschutzbausteine” available to make development of individual software more secure, like CON.8, APP.7 and OPS.1.1.3
• A lot of “Grundschutzbausteine” are requested right now, eg for Videoconferencing Systems and the BSI tries to come up with draft asap. But they are also very open to send drafts in from the community to boost up the development speed as well.

Env

• Provided by BREDEX GmbH
• Presenter:
  • Holger Schildt, BSI
  • Daniel Gilles, BSI
  • Joachim Weber, BSI
  • Florian Göhler, BSI
  • Alexandra Schladebeck, BREDEX GmbH
  • Donald Ortmann, Berater für Informationssicherheit
  • Rainer Siebert, Berater für Informationssicherheit
  • Stefan Muhle, Staatssekretär im Niedersächsischen Ministerium für Wirtschaft, Arbeit, Verkehr und Digitalisierung
• Moderator: Ron Kneffel, BREDEX GmbH

additional links

• Initiative Cyber-Sicherheitsnetzwerk
• Mindeststandard des BSI für Videokonferenzdienste
• Slides: www.bsi.bund.de/dok/393218
• Video: