"IT has many advantages, no question about that. But there are also disadvantages: By using IT, we increase the complexity of our lives and thus also our vulnerability."
Wolfram Geier, Bundesamt für Bevölkerungsschutz ( German Federal Office for Civil Protection) at a symposium of the German Red Cross in Berlin in November 2017.

Nahaufnahme eines reissenden Seils

Eine Steckdose als Symbol für Strom, ein Wasserhahn als Symbol für Wasserversorgung und ein Mann in Doktorkittel als Symbol für MedizinCritical infrastructures

For us, it goes without saying that electricity and water are always available. That we receive medical care around the clock. And that we can conduct financial transactions at any time. We only realise how much we rely on them, when these critical infrastructures are disrupted or fail completely.
This can cause supply bottlenecks that lead to price increases or even endanger public safety. Critical infrastructures (CRITIS) include the areas of energy, water, food, IT / telecommunications, health, transport / traffic and finance / insurance.
Operators of critical infrastructures must therefore take effective measures to protect the systems. They must regularly demonstrate these to the Bundesamt für Sicherheit in der Informationstechnik (BSI) ( German Federal Office for Information Security).
Such a supervisory authority does not exist for companies under private law. However, there are standards and norms that provide a framework for cyber security measures. For example

  • the ISO/IEC 27001
  • the IT-Grundschutz (“basic IT protection”) of the BSI and
  • the NIST Standard (National Institute of Standards and Technology) from the USA.

 

Ambulanz fährt bei Regen in der NachtWorst-case scenarios

A lucrative target for criminals within critical infrastructures is currently the healthcare sector. Particularly sensitive data is stored and transmitted here. Therefore, according to the BSI, the potential for blackmail is particularly high. Affected institutions are very likely to comply with ransom demands in order to avoid destruction or publication of the data.
In the worst case, companies affected by malware have to cease operations. If companies in critical infrastructures are affected, the consequences are particularly catastrophic.
In such a case, a clinic can no longer admit patients or perform operations. Digital patient files with information on medication can also no longer be opened. Likewise, electricity and water supplies could be affected or display boards at railway stations or airports could be manipulated.

 

Schriftzug Data Breach auf BildschirmWorthwhile targets for hacker attacks

In the past, it was mainly large corporations that were worthwhile targets for hackers. Today, however, ransomware (extortion software) also makes small and medium-sized companies interesting. In order to avoid data protection violations such as the publication of sensitive data, the ransoms demanded are often paid.
The fact that hacking robots are increasingly doing the groundwork also contributes to smaller companies becoming attractive targets. These programmes automatically search for poorly secured systems and attack when they find them. If they are successful, the hackers take over and plan further strategic action.

 

Rotes Warnzeichen leuchtet auf BildschirmRed alert for the IT security situation in Germany

According to the BSI, the IT security situation in Germany is tense to critical. Due to the current political situation in Ukraine, there is even a red alert. At least in some areas of the digital space.
Overall, cyber extortion, system failures and business disruptions more than quadrupled in 2020/21 compared to the same period last year. Thus, 9 out of 10 companies became victims of cyber attacks. According to Bitkom, they caused total damage of 220 billion euros in Germany.
This means an average damage of 6.5 million euros per company. Businesses are often paralysed for six weeks or even longer. It is therefore not surprising that every tenth company sees its business existence threatened.
Comprehensive protection of one’s own IT systems and data is becoming a critical success factor. But how can this be achieved? Quite simply. With cryptography.

 

Aktenschrank Schublade Top Secret wird geöffnet

Cryptography is always used when only a specific recipient should be able to read a message (confidentiality / access protection). Furthermore, it also ensures the integrity of a message. The recipient can therefore trust that the message has not been changed after it has been sent (change protection).

Authenticity can also be checked and thus the originator or sender can be clearly identified (forgery protection). And last but not least, cryptography also ensures bindingness: it documents the originator of the data or message (non-repudiation).
Not only people can be recipients. Devices or applications also receive data for further processing. Examples are smart devices such as mobile phones or IoT devices (Internet of Things) such as webcams.
Digital certificates are therefore used in many places as cryptographic elements:

In the server environment for TLS/SSL transport encryption of

  • web servers (TLS/SSL)
  • SSL servers on the intranet

With e-mails for the

  • reliable and unambiguous identification of sender and recipient
  • encryption of the messages to prevent that contents can be read
    by unauthorised persons
  • signature against manipulation of the contents
  • securing the mail gateways
When securing communication from or via

  • VPN tunnel (Virtual Private Network): unique authentication of the endpoints and encryption of the data traffic (important e.g. when working from home)
  • cloud instances such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). Here, the encryption of files and database content is particularly important.
  • smart devices such as mobile phones, tablets and smart home devices
  • IoT devices like webcams, timetable displays and medical devices

 

Blockchain-Symbole leuchten über ComputertastaturSpecial case blockchain

A blockchain is a list of data records in which individual blocks are strung together and which can be continuously expanded. New data records are combined into another block, cryptographically signed and appended to the existing chain. This consensus mechanism confirms the validity of the new blocks.
The procedure prevents earlier blocks from being manipulated or removed. In that case, all later blocks would also have to be changed.
For this reason, blockchain technology is also called the internet of values. It is the technical basis for trading cryptocurrencies (e.g. Bitcoin).
There is only one way to prove that you are the owner of a Bitcoin amount. You have to know the matching private key (public key method).
This is why blockchain could also be used to securely prove identities and ownership in the IoT (Internet of Things).

 

Frau legt ihren Zeigefinger auf den MundImplement cryptographic measures in a compliant manner

If you want to make your own IT environment secure, it is often difficult to get started. It is therefore a good idea to consult guidelines such as the BSI Grundschutz or ISO 27001. The NIST Cybersecurity Framework and two special publications also provide a comprehensive basis. Both come from the American National Institute of Standards and Technology.
Similar to the BSI Basic Protection, the NIST Cybersecurity Framework was also developed for public authorities. In the meantime, many companies have adopted it as a standard guideline for cybersecurity.
At the European level, DIN EN ISO/IEC 27001 plays a particularly important role. It lists the requirements for an ISMS (Information Security Management System). An ISMS has a direct impact on the data security of companies.
They all have in common that cryptographic measures are established to protect the confidentiality, authenticity and integrity of information. Requirements for the administration and handling of digital certificates are also included. Furthermore, in order to comply with the standard, it must be ensured that the measures are implemented and further developed.
For example, under A.10.1.2 Key Management, the guideline recommends that cryptographic keys and digital certificates be monitored over their entire lifecycle. This includes their use, protection and lifetime.
Another section (A.18 Compliance) addresses compliance with legal, contractual or company-internal requirements for key material and certificates. It also prescribes their documentation as well as their regular further development.

 

Icon eines geschlossenen Schlosses leuchtet über TastaturCertificates – central building blocks of IT security

In addition to regular software updates, data encryption by means of digital certificates serves to minimise risks.
More and more devices are communicating within the company, across the group or with partner companies. Therefore, the number of certificates used in the network is increasing significantly. Some IoT devices introduce their own certificate into the network without being noticed.
At the same time, the validity of the certificates is limited for security reasons. They must be renewed in time, otherwise there is a risk of system failures. Expired certificates do not only cause system failures and loss of revenue. If they remain undiscovered, they also provide gateways for malware from cyber criminals.
It is easy to lose track of which certificates are in use and when they expire. That is why a certificate management tool like essendi xc is useful.

 

Comprehensive crypto management with essendi xc

Cyber risks must therefore always be kept in mind. We thus recommend including them in the company’s risk and precautionary management. essendi xc supports you in significantly increasing your company’s IT security:

Logo essendi xc auf Monitor

  • It documents the complete life cycle of all digital certificates in the company. In case of an audit, you can prove your procedure in an audit-proof manner at any time.
  • Compliance rules (ISO 27001, NIST, KRITIS, BSI Grundschutz) are automatically adhered to.
  • Standardised self-service processes automate the process handling from certificate application to installation in the target systems. You save costs for time spent and incorrectly applied for certificates.
  • All certificates in the system are listed in the clearly laid out dashboard. Automatic alerting ensures that no certificate can expire unnoticed. This increases the availability and operational security of your systems.

You can achieve even more security with optional add-on modules such as essendi cd (certificate scanning). The tool also detects certificates that have entered the network unnoticed. It includes these in the administration and alerting.
Want to know more? Please contact us!