Event takeaway: Deutscher IT-Security Kongress

My key takeaways

• hardening backup systems is key
  • disconnected from the AD
  • designed in a way, that it may continue functioning even if all other systems are shut down
• due to testing and verification of software patches in most B2B environments before rollout, the time a system remains unpatched is prolonged
  • more time for the black hats to pop a system
  • alternative: some manufacturers are pretesting the patches for their clients in a client-specific sandbox
• Incident response is key
  • be prepared with business continuity plans
• Remmers Logistik is part of a supply chain
  • A company may also be affected if another company in the supply chain is held hostage: no delivery, no production, no sales
• How do you document transactions in an emergency situation so that the data can be transfered in a new ERP afterwards? <- think ahead
• It not hit&run anymore: ransomware criminals are using exfiltrated data to contact customers or business partners with these information, so that the shame builds up pressure for the victim to pay
• If the emails get compromised, the contained information is used to create highly targeted spearfishing campaigns
  • the information in the emails may seem worthless, but for an attacker it might be valuable information to build a pretext
• There are not so much more attackes but they get much more sophisticated and targeted
• The State Commissioner of Data Protection for Niedersachsen recommends to not use Microsoft Office 365 due to issues regarding GDPR
• A successor for safe harbour is unlikely
  • Binding Corporate Rules may be a required
• Main security concerns with remote working employees
  • connectivity: no business contracts with Telcos, no SLAs
  • access: who can listen to conversations? Who can read the screen in a public environment?
  • access control: eg theft of hardware, what data is on the devices
• Printing is also an issue when working from home
  • more and more business try to become paperless
  • secure disposal or printed information otherwise also a major concern
• Awareness trainigs does not want to make every employee a security expert. It creates awareness. Best case is encouraging to question a situation, due to this awareness.
• Training must be attractive not just required
  • storytelling
  • short sequences of 20-60 min
  • multimedia
• Awareness training for employees is often required to get a cyber insurance

Env

• Provided by pco

• Presenter:

  • Céline Flores Willers

• Speaker (that I have attended):

  • Clemens Westerkamp, Hochschule Osnabrück
  • Barbara Thiel, State Commissioner of Data Protection for Niedersachsen
  • Heiko Dirks, Remmers
  • Mark Semmler, Mark Semmler Security Services
  • Stefan Köster, KÖSTER eConsulting
  • Christian T. Drieling, IGEL
  • Waldemar Stirtz, Polipol
  • Philipp von Bülow, lawpilots
  • Christian Gäbel, pco
  • Tim Gravemann, pco

additional links

• https://www.pco-online.de/kongress2021
• agenda