My key takeaways
- Hardening backup systems is key
  - disconnected from the AD
  - designed so that it keeps functioning even if all other systems are shut down
- Because most B2B environments test and verify software patches before rollout, the time a system remains unpatched is prolonged
  - more time for the black hats to pop a system
  - alternative: some manufacturers pre-test the patches for their clients in a client-specific sandbox
- Incident response is key
  - be prepared with business continuity plans
- Remmers Logistik is part of a supply chain
  - A company may also be affected if another company in the supply chain is held hostage: no delivery, no production, no sales
  - How do you document transactions in an emergency situation so that the data can be transferred into a new ERP afterwards? <- think ahead
- It is not hit & run anymore: ransomware criminals use exfiltrated data to contact customers or business partners with this information, so that the shame builds up pressure on the victim to pay
- If the emails get compromised, the contained information is used to create highly targeted spear-phishing campaigns
  - the information in the emails may seem worthless, but for an attacker it might be valuable for building a pretext
- There are not many more attacks, but they are getting much more sophisticated and targeted
- The State Commissioner of Data Protection for Niedersachsen recommends not using Microsoft Office 365 due to GDPR issues
  - A successor to Safe Harbour is unlikely
  - Binding Corporate Rules may be required
- Main security concerns with remote-working employees
  - connectivity: no business contracts with telcos, no SLAs
  - access: who can listen to conversations? Who can read the screen in a public environment?
  - access control: e.g. theft of hardware, what data is on the devices
- Printing is also an issue when working from home
  - more and more businesses try to become paperless
  - secure disposal of printed information is otherwise also a major concern
- Awareness training does not aim to make every employee a security expert. It creates awareness. Best case is that this awareness encourages employees to question a situation.
  - Training must be attractive, not just required
    - storytelling
    - short sequences of 20-60 min
    - multimedia
- Awareness training for employees is often required to get a cyber insurance
Env
-
Provided by pco
-
Presenter:
-
Speakers (whose talks I attended):
- Clemens Westerkamp, Hochschule Osnabrück
- Barbara Thiel, State Commissioner of Data Protection for Niedersachsen
- Heiko Dirks, Remmers
- Mark Semmler, Mark Semmler Security Services
- Stefan Köster, KÖSTER eConsulting
- Christian T. Drieling, IGEL
- Waldemar Stirtz, Polipol
- Philipp von Bülow, lawpilots
- Christian Gäbel, pco
- Tim Gravemann, pco