Articles by our Consultants

CyberSecurity

Against the Procured Security Incident - Supply Chain Risk Management

By Bruno Blumenthal, 18.03.2024

Suppliers and service providers have a significant impact on a company’s security. No organisation operates in isolation. High-profile incidents such as SolarWinds (2020) or Xplain (2023) show how significant the impact of security incidents at suppliers can be. Supply Chain Risk Management (SCRM) or Third Party Risk Management (TPRM) is therefore increasingly...

CloudSecurity

The Special Requirements of an IoT PKI

By Michael Veser, 19.06.2023

A public key infrastructure (PKI) is an important aspect of modern information security. For years, it has been the standard that all sensitive connections are encrypted. Even if you may not be aware of it, you are constantly dealing with a wide variety of PKIs! The fact that you hardly notice this in everyday life is a quality feature of well-functioning PKIs....

SecurityArchitecture

How a Key Management System Can Help You With FADP Compliance

By Michael Veser, 19.06.2023

The new Federal Act on Data Protection (FADP) comes into force on September 1, 2023 and is the talk of the town, not least because of the personal criminal liability enshrined in the law in the event of violations. Even if the revision initially seems daunting for many companies, a closer look reveals numerous overlaps with existing security frameworks.

What is...

CloudSecurity

Network Services - Unattainably Good

By Daniel Brunner, 30.09.2022

Even in times of cloud services, complexity is increasing rather than decreasing. After years of customizing software solutions, a new abstraction was sought to simplify the lifecycle of products and the change of manufacturer. As a result, there was an increased focus on standard software components and manufacturers developed their own as-a-code solutions. The...

RiskManagement

Cyber Resilience with the ICT Minimum Standard

By Bruno Blumenthal, 03.06.2022

The Federal Office for National Economic Supply (FONES) published the ICT minimum standard in 2018. This is intended as a recommendation to help companies better protect themselves against cyberattacks. The target audience of the minimum standard is primarily operators of critical infrastructures, but the standard is intended to be applicable to all organizations....

CloudSecurity

The Challenges of Online Meetings: How To Make Your Meeting a Success

By Daniel Brunner, 02.06.2022

The world has rarely been more connected than it is today: people exchange more information and there is more information for everyone and about everything. So you would think that an online meeting would be easy to organize, especially if a company has years of experience with it. However, organizing an online meeting can sometimes be difficult. Let’s take a...

CyberSecurity

Basic Knowledge: DevSecOps

By Daniel Brunner, 01.06.2022

DevSecOps is an extension of the existing approach of placing development and operations in a single team. DevSecOps also places security in the same team, giving it a central role.

With DevSecOps, you generally move from a world in which most services are managed centrally to a world in which services are only made available. This also strengthens the principle of...

CyberSecurity

Identify and Protect before Detect and Response

By Bruno Blumenthal, 17.01.2022

In recent years, it has been recognized that it is no longer enough to simply take preventive protective measures against cyber attacks. The detection of cyberattacks and the rapid response to attacks have increasingly come into focus, not least due to standards such as the NIST Cybersecurity Framework or the ICT minimum standard of the federal government. While it...

IdentityFederation

The Dark Side of Collaboration Platforms

By Thomas Kessler, 01.12.2021

Anyone who works with several partner companies on different collaboration platforms will be familiar with them: platform-specific logins, increasingly with 2-factor authentication that is also platform-specific.

Anyone who is responsible for a company’s Identity and Access Management (IAM) fears them: collaboration accounts that persist after the collaboration...

PKI

The Elegance of Let's Encrypt in an Internal PKI

By André Clerc and Nishanthan Sithampary, 01.12.2021

Which administrator hasn’t experienced this? An expiring TLS certificate brings down an important application and, in the worst case, paralyzes important services across the board. Error analysis proves to be difficult and time-consuming, as error messages in logs such as “Unable to connect to server” or “Service unreachable” do not say...
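
The check that prevents the outage described above, as an added example that is not code from the original article: a Go program (standard library only) that builds a constructed self-signed certificate for the hypothetical host app.internal.example, computes the days left until NotAfter, classifies the result for a monitoring job, and runs the same chain validation a TLS client performs, so that the error text at least names the expiry, which an application's own "Unable to connect to server" never does. The hostname, the 90-day lifetime (the validity of a Let's Encrypt certificate) and the 14-day warning threshold are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSignedPEM builds a constructed self-signed certificate for cn, valid
// from notBefore for validFor. It stands in for the certificate a monitoring
// job would read from disk or fetch from a server (assumption for the example).
func selfSignedPEM(cn string, notBefore time.Time, validFor time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// daysUntilExpiry parses a PEM certificate and returns the whole days between
// now and its NotAfter; the value is negative once the certificate has expired.
func daysUntilExpiry(pemBytes []byte, now time.Time) (int, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, errors.New("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}

// expiryStatus maps the remaining days to the state a monitoring check reports.
// warnDays is the renewal lead time; it must leave enough room for a failed
// automatic renewal to be noticed and fixed before NotAfter.
func expiryStatus(days, warnDays int) string {
	switch {
	case days < 0:
		return "EXPIRED"
	case days <= warnDays:
		return "WARN"
	default:
		return "OK"
	}
}

// verifyAt performs the chain validation a TLS client does, at time at,
// trusting the certificate itself as root. It returns the validation error
// text, or "" when the certificate is valid at that time.
func verifyAt(pemBytes []byte, at time.Time) string {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "no CERTIFICATE block in input"
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err.Error()
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at, DNSName: cert.Subject.CommonName})
	if err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	// Constructed input: a 90-day certificate issued on 1 March 2024.
	issued := time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC)
	certPEM, err := selfSignedPEM("app.internal.example", issued, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, now := range []time.Time{issued.AddDate(0, 0, 60), issued.AddDate(0, 0, 85), issued.AddDate(0, 0, 95)} {
		days, _ := daysUntilExpiry(certPEM, now)
		fmt.Printf("%s: %3d days left -> %-7s verify: %q\n",
			now.Format("2006-01-02"), days, expiryStatus(days, 14), verifyAt(certPEM, now))
	}
}
```

Run against a real deployment, the same three functions would read the certificate from the server's PEM file or from a TLS connection's peer certificates; the point of the WARN state is that renewal is checked well before the day the handshake starts failing.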

StrongAuthentication

Modern Authentication - Token Exchange

By Thomas Bühler, 29.06.2021

Modern authentication protocols have become indispensable in the age of the cloud and increasing cross-site collaboration. After Kerberos had set the benchmark in the on-premise world for decades, OASIS adopted SAML V1.0 in 2002, enabling standardized SSO integration of web applications for the first time. In 2005, Brad Fitzpatrick and Johannes Ernst introduced the...

IAM

Summary of the SolarWinds Attack

By Thomas Bühler, 16.03.2021

Advanced persistent threat (APT) attacks, identity and access management (IAM) and authentication management are topics that most information security experts have dealt with at some point. But why do deficiencies in IAM and authentication management repeatedly lead to successful APT attacks? And why are they not detected even though existing...

CyberSecurity

SWIFT CSP: What Will Change for BIC Users in 2021

By Markus Günther, 16.03.2021

2021 brings two changes for SWIFT users: firstly, the requirement for an independent assessment in place of pure self-assessment, and secondly, a new version of the Customer Security Controls Framework (CSCF), version 2022. While the latter is a predictable evolution, the former is a significant tightening.

What will change for BIC users in 2021

The change from pure self-assessment to an independent,...

StrongAuthentication

2-factor Authentication of Healthcare Professionals

By Thomas Kessler, 09.03.2021

Two-factor authentication of users should become a matter of course when accessing cloud services in the healthcare sector. For this to succeed, hospitals and care homes need an electronic equivalent to an ID card.

Passwords are the Achilles heel of IT security

When logging in with a user name and password, users prove their identity by revealing a secret, namely...

CyberSecurity

Threat Analysis of the EKANS Ransomware - How Honda had to Stop Production

By Gregor Walter, 15.12.2020

In June of this year, Honda had to shut down parts of its production at various locations due to a cyberattack. The attackers exploited known security vulnerabilities to gain access to the internal network and programmed the information they obtained into the ransomware. The malware was then distributed internally and encrypted selected files on the infected PCs that...

SecurityArchitecture

Central Authentication and Authorization Management - An Opportunity for the Future

By Thomas Bühler, 12.10.2020

Nowadays, IT architects are faced with the challenge of having to meet the diverse requirements of the business department, security and regulators. The topics range from cloud integration and multi-factor login to app integration, and all of this in light of the constantly increasing need for protection, which in turn requires new approaches.

Let’s take the...

CyberSecurity

In Our SOC We Trust: On the Importance of Trust

By Bruno Blumenthal, 25.11.2019

The common blueprints for setting up a Security Operations Center (SOC) often lack an important element, namely the trust that the organization it is supposed to protect places in the SOC. When the inevitable critical incident occurs, this matters most, because management must be able to rely on the analyses and recommendations of its SOC.

Would you like to set up a...

ISMS

ISMS 2020 - A Tiger in Sheep's Clothing

By Daniel Felix Maurer, 02.09.2019

Some people just want to run away when they read what is listed in Wikipedia under the keywords Information Security Management System and ISO/IEC 27001 and 27002. It talks about procedures and rules that need to be permanently maintained and continuously improved. What a boring thing to say! It smacks of hard work, effort and diligence - definitely not the kind of...

CyberSecurity

How to Migrate Securely to the Cloud

By Bruno Blumenthal, 20.08.2019

Security and the cloud have an extremely ambivalent relationship. Many security specialists are still skeptical about the cloud and see it primarily as a risk. However, the cloud can also be an opportunity and even be beneficial to security. The risks change with the migration of a business application to the cloud. Whether this change is negative depends on various...

SecurityArchitecture

EPR HCP Administration: Vision Meets Reality

By Thomas Kessler, 04.07.2019

The management of healthcare professionals in the national Health Provider Directory of the electronic patient dossier follows a long-term vision of the legislator. This article shows how this vision can be linked to today’s reality.

Healthcare professionals (HCPs) who wish to use the electronic patient dossier must be listed in the national Health Provider...

StrongAuthentication

2-factor Authentication: Not Only Important for the EPR!

By Thomas Kessler, 01.03.2019

The EPDG requires two-factor authentication not only for patients, but also for healthcare professionals and their assistants. This article shows how this can be implemented using the resources available in the hospital or care home.

Identity theft is one of the major problems of information security: user accounts for online services that can be accessed from the...

PKI

Industry 4.0 (IIoT): The Advent of Cryptography

By André Clerc, 11.02.2019

Digitalization in industry (Industry 4.0, IIoT) is rapidly increasing the number of connected physical devices and systems on the Internet, and experts predict that the total number of connected sensors and devices will rise to more than 50 billion by 2022. Although this opens up interesting possibilities, it also raises major concerns. Major concerns because...

SecurityArchitecture

The Agony of Choice: Android and iOS in Corporate Use

By André Clerc, 18.12.2018

Mobile devices such as smartphones and tablets are playing an increasingly important role in both professional and private environments. In many companies, iOS devices from Apple are the standard - but why aren’t devices with the Android operating system also used? With over 88% market share, Android dominates the international market for mobile devices and the...

CyberSecurity

Sourcing a SOC / CDC requires Consideration

By Daniel Felix Maurer, 18.09.2018

Detecting and handling security incidents, whether described in terms of Security Information and Event Management (SIEM) tooling or as "Detect and Respond" in the NIST Cybersecurity Framework, is, unfortunately, becoming ever more important. The Security Operations Center (SOC) or Cyber Defense Center (CDC) plays a central role in the implementation of...

Compliance

Data Protection vs. Information Security?

By Michael Roth, 30.06.2018

The issue of data protection always plays a role in the design and operation of information security - not always to the delight of business managers.

Information security consulting usually deals with topics such as cybersecurity, identity and access management or information security management systems. These areas are usually located in the client’s IT or...

Compliance

Informational Self-Determination: How do we Deal with the Upcoming Upheaval?

By Thomas Kessler, 14.05.2018

The impact of the European General Data Protection Regulation (GDPR), which can be felt by everyone, has so far been limited to the laborious confirmation of cookie policies. Behind the scenes, however, a revolution is underway that could shake the very foundations of how security managers see themselves today. This revolution is already visible in various new...

StrongAuthentication

Death to the Password - Long Live the Password

By Adrian Bachmann, 29.03.2018

The password is still alive

A few years ago, the media (see e.g. [1]) but also experts announced the death of passwords. Biometrics in all its facets (e.g. fingerprint, iris, palm veins, heart rate, voice) is just one example that was supposed to bring about its imminent death. Years later, even in the age of blockchain and cryptocurrencies, we still handle passwords...

Compliance

Priceless: New SWIFT Rules for Financial Service Providers

By André Clerc, 21.11.2017

Last year, hackers almost managed to pull off one of the biggest fraud cases of all time and steal almost a billion US dollars. The SWIFT network is now exerting pressure to strengthen IT security in the banking network across the board.

It was an operation that had all the makings of a thriller. In February 2016, hackers who are still unknown managed to exploit the...

CloudSecurity

Information Security in Cloud Computing

By Thomas Kessler, 07.11.2017

Cloud computing in the (medical) practice

With cloud computing (or “computing in the cloud”), IT applications or data are no longer located locally with users, but centrally with a cloud service provider. This shift of IT to the cloud has also resulted in different use cases:

  • The most widespread is data exchange via the cloud. Strictly speaking, an...

Compliance

Information Security for the EPR Connection

By Thomas Kessler, 08.09.2017

When a healthcare facility joins an EPR master community and thus the national EPR trust organization, this does not remain without consequences for the internal processes and systems. This article highlights the need for action, particularly in the area of information security.

Hospitals and care homes must join an EPR community by 2020 and 2022 respectively. They...

CyberSecurity

SWIFT Arms Itself in the Fight against Cyber Attacks

By Alex Rhomberg, 08.07.2017

Dr. Rhomberg, it was a hacker attack the likes of which the banking world had never seen before: In February 2016, hackers managed to feed fake transfers of more than 950 million US dollars into the SWIFT network at Bangladesh Bank. How could this happen?

It turned out that, on the one hand, the bank concerned had considerable deficiencies in its IT security. Secondly,...

Compliance

The EPR as a Litmus Test for Informational Self-Determination

By Adrian Bachmann, 16.08.2016

The electronic patient record (EPR) and informational self-determination are two topics that we will be hearing, reading and thinking a lot about in the coming years. Let’s talk about why the EPR is becoming a touchstone for informational self-determination.

On June 19, 2015, Parliament passed the Federal Act on the Electronic Patient Record (EPDG). When the new...

CyberSecurity

Prevention, Detection and Response: Why Pure Prevention Is Not (or No Longer) Enough

By Adrian Bachmann, 25.09.2015

Viruses, worms, Trojans, phishing, drive-by attacks and social engineering are just a small selection of the possible means of attack used by criminals to carry out profitable attacks on information systems. The professionalization of the criminal side has taken on frightening proportions. It is no longer (just) bored computer nerds in dark basements who hack systems,...
