October 7

Event takeaway: Deutscher IT-Security Kongress

My key takeaways

  • Hardening backup systems is key
    • disconnected from the AD
    • designed so that the backup system can continue functioning even if all other systems are shut down
  • Because most B2B environments test and verify software patches before rollout, the time a system remains unpatched is prolonged
    • more time for the black hats to pop a system
    • alternative: some manufacturers pre-test the patches for their clients in a client-specific sandbox
  • Incident response is key
    • be prepared with business continuity plans
  • Remmers Logistik is part of a supply chain
    • A company may also be affected if another company in the supply chain is held hostage: no delivery, no production, no sales
  • How do you document transactions in an emergency situation so that the data can be transferred into a new ERP system afterwards? <- think ahead
  • It is not hit-and-run anymore: ransomware criminals use exfiltrated data to contact customers or business partners with this information, so that the shame builds up pressure on the victim to pay
  • If emails are compromised, the information they contain is used to create highly targeted spear-phishing campaigns
    • the information in the emails may seem worthless, but for an attacker it might be valuable material for building a pretext
  • There are not many more attacks, but they are getting much more sophisticated and targeted
  • The State Commissioner for Data Protection of Niedersachsen recommends not using Microsoft Office 365 due to issues regarding GDPR
  • A successor for Safe Harbour is unlikely
    • Binding Corporate Rules may be required
  • Main security concerns with remote working employees
    • connectivity: no business contracts with telcos, no SLAs
    • access: who can listen to conversations? Who can read the screen in a public environment?
    • access control: e.g. theft of hardware; what data is on the devices?
  • Printing is also an issue when working from home
    • more and more businesses try to become paperless
    • otherwise, secure disposal of printed information is also a major concern
  • Awareness training does not aim to make every employee a security expert. It creates awareness; in the best case, that awareness encourages employees to question a situation.
  • Training must be attractive, not just mandatory
    • storytelling
    • short sequences of 20-60 min
    • multimedia
  • Awareness training for employees is often required to get cyber insurance

Tags

awareness training, GDPR, MS365, privacy, ransomware
