March 17

Event takeaway: 2. IT-Grundschutz-Tag 2021


My key takeaways

  • Digitalization and cyber security go hand in hand
  • Hafnium
    • BSI: about 10k Exchange servers affected in DE by Hafnium
    • Remediation advice
      • almost everybody who exposed OWA
      • Save personalized settings before starting!
      • patching requires Exchange admin rights
      • look in IIS for GitHub fragments in the Inetpub folder
  • #DevSecOps is the mandatory development model, as software development faces more and more severe security implications
  • Minimalism as an important quality factor for software development in the future: "do we really need this feature?"
  • Code not written can't be attacked
  • Automation in agile software development is mandatory, so it also has to become mandatory for security testing during development, not just after shipping the final product.
  • Observability means "how well internal states of a system can be inferred from knowledge of its external outputs" and might become a thing for InfoSec as well
  • The "Cyber-Sicherheitsnetzwerk (CSN)" is a German initiative for a decentralized network of incident responders. The first training will be available from April 2021.
  • Crime-as-a-Service has 9 subcategories and cybercriminals are well organized
  • The security level depends on organization, people and technology. A balanced harmony of all three maximizes the security level.
  • A maturity model like OpenSAMM might help to identify the most urgent aspects to improve software security
  • To avoid supply chain attacks like "Sunburst/SolarWinds", hashing signatures in a decentralized blockchain might be an idea
  • There are already a lot of "IT-Grundschutz-Bausteine" available to make development of individual software more secure, like CON.8, APP.7 and OPS.1.1.3
  • A lot of "Grundschutz-Bausteine" are requested right now, e.g. for videoconferencing systems, and the BSI tries to come up with drafts asap. They are also very open to drafts sent in from the community to speed up development.
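Two of the takeaways above come down to the same defensive check: spotting files that appeared or changed under an IIS Inetpub folder after an Exchange compromise, and comparing shipped artifacts against recorded hashes to catch supply chain tampering. The following is an added example written for this post, not code from the event, the BSI or any project mentioned here. It builds a SHA-256 manifest of a directory tree, stores it as JSON, and reports added, removed and modified files against that baseline; the web root layout, file names and contents in `demo()` are constructed for illustration.

```python
"""Integrity manifest for a directory tree (e.g. an IIS web root or a release
folder): record SHA-256 per file, then report what appeared, changed or vanished
since the baseline was taken. Added example; all paths below are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a link pointing outside the tree is not hashed."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences between a trusted baseline and a fresh scan."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def save_manifest(manifest: dict, out_path: Path) -> None:
    """Persist the baseline; keep this copy off the host being monitored."""
    Path(out_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_path: Path) -> dict:
    return json.loads(Path(in_path).read_text())


def demo() -> dict:
    """Constructed scenario: baseline a fake web root, then plant two changes
    a later scan should catch (one new file, one changed file)."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp) / "wwwroot"
        (web_root / "scripts").mkdir(parents=True)
        (web_root / "owa.aspx").write_text("<%-- constructed placeholder page --%>")
        (web_root / "scripts" / "site.js").write_text("// constructed placeholder")

        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(web_root), baseline_path)

        # Simulated drift after the baseline was recorded.
        (web_root / "scripts" / "unexpected.aspx").write_text("<%-- constructed --%>")
        (web_root / "owa.aspx").write_text("<%-- constructed, modified --%>")

        return diff_manifests(load_manifest(baseline_path), build_manifest(web_root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it once on a known-good state to produce the baseline, then rerun the scan on a schedule or after an incident; any entry under "added" or "modified" in a folder that should only change during deployments deserves a look. The same manifest format works for release artifacts: publish the baseline alongside the build and let consumers diff what they downloaded against it.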

Tags

BSI IT-Grundschutz, event, webinar takeaway

