Security-Strategy

Guidelines, Activities & Processes

Organizational & technical activities to increase safety

In today's threat environment, monitoring your public services is particularly important. With the growing number of public products and services and new vulnerabilities appearing daily, a system that is scanned today can be critically threatened tomorrow.

Theory & Practice

Only a continuous checking process for your systems increases security. But how do you establish a security strategy that sustainably raises the security level? Some guidelines offer a good introduction to the topic, such as VdS 10000 or ISO 27001. Based on these guidelines, technical and organizational activities can be derived in practical steps. But which guideline is the right one for you?

Example: VdS 10000 & ISO 27001 as Security Framework

VdS 10000

VdS 10000 is a process model for establishing sustainable, organized information security, especially for small and medium-sized enterprises.

  • In addition to the basic procedure, concrete measures for the organizational and technical safeguarding of IT infrastructures are described. These are to be seen as minimum requirements for information security. They offer exactly the level of protection that small and medium-sized enterprises need without overtaxing them financially or organizationally.

ISO 27001

ISO 27001 certification confirms the effective application of an information security management system within the company.

  • ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

One component of both guidelines is a continuous security check, i.e. a vulnerability analysis.

Why a vulnerability analysis?

The number of externally exposed services is constantly increasing. An automatic vulnerability analysis continuously checks these services for security. A manual check is very time-consuming, even for a single service (web server, SMTP server, etc.): attention must be paid to the exact combination of service, product and version, and only then can you look up in databases such as CVE (Common Vulnerabilities and Exposures) whether vulnerabilities are known for your system. An automatic analysis shortens this process: it identifies the service, the product and the product version, compares this information with the databases and presents the results in a report. In addition, possible countermeasures are suggested directly (e.g. applying a patch or workaround). With established vulnerability management, resources are saved and the attack surface is greatly reduced at the same time.

How does an automatic vulnerability analysis work?

In the first step, the analysis recognizes the services provided and determines what kind of service it is (web service, SMTP server, etc.) and which version of the service is running. With this information, a comparison is carried out against several databases. A meaningful report is then generated and made available for download in encrypted form.

The password for access to AssetSec is stored securely according to the current state of the art. In addition, the account can be protected by two-factor authentication.

Examples of what the analysis reports:

e.g. web server misconfigurations: DDoS-related misconfigurations, unused websites, incorrectly configured HTTP headers and options, expired SSL/TLS certificates, cross-site scripting

e.g. security misconfigurations: default logon credentials, firewall misconfigurations, elevated permissions, open shares

e.g. security gaps: operating system vulnerabilities, third-party vulnerabilities, zero-day vulnerabilities, end-of-life software

PDCA cycle

The vulnerability management procedure can be mapped onto the PDCA cycle. Just as the cycle prescribes, vulnerability management is a continuous review and improvement of the systems.

Plan
Which IP addresses should be scanned? When and how often should I scan? How aggressive should scanning be?

Do
The IP addresses are scanned. The software installed on the targets and whether there are vulnerabilities in the software or its configuration are recorded.

Check
The results are recorded in a report. These are sorted by severity and contain proposals for resolving the issue.

Act
In the last step, the measures are implemented. Then the cycle starts again, so the corrections made are automatically checked in the next run.
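The matching step described above under "Why a vulnerability analysis?" and "How does an automatic vulnerability analysis work?" (service banner, then product and version, then comparison with a vulnerability database, then a report sorted by severity with a remedy per finding), together with the re-check that happens when the PDCA cycle starts again, as an added Python example. This is not AssetSec or SIEVERS-GROUP code: the hosts, banners, banner patterns and the advisory database are all constructed for illustration, and the advisory ids are placeholders rather than real CVE numbers.

```python
"""Added example, not code from AssetSec or the SIEVERS-GROUP: a minimal model of
the matching step of an automatic vulnerability analysis (service banner ->
product and version -> comparison with a vulnerability database -> report sorted
by severity) and of the re-check that happens when the PDCA cycle starts again.
All hosts, banners and database entries are constructed; the advisory ids are
placeholders, not real CVE numbers."""
import re
from typing import Optional

# Constructed banners as a scanner would record them: (host, port, banner).
BANNERS = [
    ("192.0.2.10", 80, "Server: Apache/2.4.7 (Ubuntu)"),
    ("192.0.2.10", 25, "220 mail.example.test ESMTP Postfix 3.1.0"),
    ("192.0.2.11", 443, "Server: nginx/1.18.0"),
    ("192.0.2.12", 22, "SSH-2.0-OpenSSH_7.2"),
    ("192.0.2.13", 8080, "Server: Jetty"),  # no version: cannot be matched
]

# Constructed advisory database (placeholder ids, not real advisories).
# A product is affected when min_version <= version < fixed_version.
VULN_DB = [
    {"id": "EXAMPLE-0001", "product": "apache", "min": "2.4.0", "fixed": "2.4.10",
     "severity": 9.8, "fix": "update Apache to 2.4.10 or later"},
    {"id": "EXAMPLE-0002", "product": "openssh", "min": "0", "fixed": "7.4",
     "severity": 7.5, "fix": "update OpenSSH to 7.4 or later"},
    {"id": "EXAMPLE-0003", "product": "postfix", "min": "3.0.0", "fixed": "3.1.4",
     "severity": 5.3, "fix": "update Postfix to 3.1.4 or later"},
]

# Banner patterns per product; the capture group is the version string.
PATTERNS = [
    ("apache", re.compile(r"Apache/(\d+(?:\.\d+)*)")),
    ("nginx", re.compile(r"nginx/(\d+(?:\.\d+)*)")),
    ("postfix", re.compile(r"Postfix (\d+(?:\.\d+)*)")),
    ("openssh", re.compile(r"OpenSSH_(\d+(?:\.\d+)*)")),
]


def identify(banner: str) -> Optional[tuple]:
    """Step 1: recognise product and version from a banner, or None if unknown."""
    for product, pattern in PATTERNS:
        match = pattern.search(banner)
        if match:
            return product, match.group(1)
    return None


def version_key(version: str) -> tuple:
    """Turn '2.4.7' into (2, 4, 7) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, entry: dict) -> bool:
    """True when the version lies in the affected range of a database entry."""
    return version_key(entry["min"]) <= version_key(version) < version_key(entry["fixed"])


def analyse(banners, db) -> list:
    """Steps 2 and 3: compare each identified service with the database and
    return findings sorted by severity (highest first), each with a remedy."""
    findings = []
    for host, port, banner in banners:
        ident = identify(banner)
        if ident is None:
            # Unidentified services are reported too, so nothing is silently skipped.
            findings.append({"host": host, "port": port, "id": "UNIDENTIFIED",
                             "severity": 0.0,
                             "fix": f"could not identify product/version from {banner!r}; check manually"})
            continue
        product, version = ident
        for entry in db:
            if entry["product"] == product and is_affected(version, entry):
                findings.append({"host": host, "port": port, "id": entry["id"],
                                 "severity": entry["severity"],
                                 "fix": f"{product} {version}: {entry['fix']}"})
    return sorted(findings, key=lambda f: f["severity"], reverse=True)


def render_report(findings) -> str:
    """Plain-text report: severity, host:port, advisory id, suggested measure."""
    return "\n".join(f"{f['severity']:>4}  {f['host']}:{f['port']:<5} {f['id']:<14} {f['fix']}"
                     for f in findings)


def compare_cycles(previous, current) -> dict:
    """'Act', then the cycle starts again: the next run shows which findings the
    implemented measures resolved, which are new, and which are still open."""
    key = lambda f: (f["host"], f["port"], f["id"])
    prev, cur = {key(f) for f in previous}, {key(f) for f in current}
    return {"resolved": sorted(prev - cur), "new": sorted(cur - prev), "open": sorted(prev & cur)}


if __name__ == "__main__":
    first = analyse(BANNERS, VULN_DB)
    print(render_report(first))
    # Constructed second cycle: Apache was updated after the report, nothing else changed.
    patched = [(h, p, b.replace("Apache/2.4.7", "Apache/2.4.10")) for h, p, b in BANNERS]
    print(compare_cycles(first, analyse(patched, VULN_DB)))
```

The version range check and the "unidentified" finding are the two places where a home-grown matcher usually goes wrong: comparing versions as strings puts "2.4.10" before "2.4.7", and a banner without a version is easy to drop from the report entirely. The second-cycle comparison is what makes the PDCA loop closed: a finding that disappears after the "Act" step is confirmed as resolved by the scanner itself rather than by assumption.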

Measures & Activities for a Security Strategy

Vulnerability management is only one (albeit significant) part of the security process in a company. Many processes as well as technical and organizational measures have to be considered. If you want an overview of your current status, please contact the IT architects of the SIEVERS-GROUP.

Technical

  • Network separation of the commercial and technical networks, possibly with further subdivision for critical systems
  • Evaluation of the individual systems for importance (e.g. required availability) and sensitivity of the data
  • Provision of only individual services on server systems
  • Central storage (e.g. SIEM system) of information / log entries / warnings and error messages from individual systems
  • Automatic analysis of internal and external vulnerabilities
  • Alerting system for critical vulnerabilities or critical messages
  • Comprehensive patch management for Windows and third-party systems

Organizational

  • Offer security awareness training for employees (e.g. online seminar)
  • Process for eliminating and addressing open and new vulnerabilities
  • Process for critical messages with regard to processing and control
  • Monitoring and regular audit of security systems (firewall, virus scanner, IPS, IDS, …)
  • Further training of employees in the area of security

The Cyber Security Check: Protect yourself against cyber attacks.

Many business partners, statutory compliance requirements, or the conditions for taking out a cyber insurance policy usually demand not only the implementation of cyber security measures, but also concrete proof of how cyber security is implemented in the company.

You can use the security check to determine whether you meet all the prerequisites for ISO 27001 or VdS 10000 and which measures you may still need to take.

As IT Architects, we see ourselves as partners on the road to your digital future. We see our role as supporting you, as independent IT strategy consultants, in consistently driving the rapid change towards digital business models, cloud technologies and new forms of cooperation.

Stefan Ohlmeyer IT Architect
SIEVERS-GROUP

Any further questions?

Contact us by e-mail or messenger; we will be happy to answer any questions you may have. You can test AssetSec free of charge for 7 days. We look forward to hearing from you!