One of the most distinguished IT security research scientists in Germany, Norbert Pohlmann has been working in IT security since 1984. Today he is Professor of Information Security at the Westphalian University of Applied Sciences, where he heads the Institute for Internet Security, which he founded in 2005. In this interview, Pohlmann explains how companies can identify their security risks and determine their protection needs.
- A good starting point for determining a company’s own security needs is the IT Baseline Protection Manual of the BSI (German Federal Office for Information Security).
- Another option is to implement IT security strategies based on three key elements – prevent, counter and identify.
- Increasingly, special consultation packages are available for SMEs.
Mr Pohlmann, in 2011 you were voted Professor of the Year – how did that come about?
I was especially delighted by this award, in which students in Germany vote for their favourite professors in four fields of science based on various assessment criteria. In my case they highlighted in particular the way I looked after them during their studies and the support I provided to help them enter the work environment. Both these aspects are very important to me in my work as a professor.
Which security topics are you currently investigating at your research establishment?
Our research institute has a staff of around 50, so we cover a lot of different topics. One of the areas we are currently focusing on is risk-based adaptive authentication, where we are investigating which modern IT security technology could replace passwords in future. The project is attracting a lot of positive attention. Artificial intelligence and blockchain are also major areas of research for us. One very exciting project is currently looking at the security of IoT components. Here in the Ruhr area, some abandoned coal mines are being flooded with water for use as heat stores. But there are various risks associated with this. If, for example, an attacker were to manage to raise the water temperature to boiling point, the Ruhr region could collapse. This means that sensors or control components have to be designed to be particularly reliable.
Talking of risks, how can companies identify which risk factors are hidden in their IT?
Normally they perform a risk analysis. Cyber-attacks generally focus on digital assets that are stored in bits and bytes. The associated risks can be subdivided into different categories, e.g. unauthorised reading of electronic assets like customer or development data. But it could also involve the manipulation of data, like changing inventory levels so that perhaps nobody would know which articles are available. This could result in a supplier or online shop barely being able to operate. Sabotage can also be a reason, e.g. where attackers attempt to influence the availability of IT systems or shut down interconnected production facilities or cause them to manufacture products that are not usable. IT security managers need to evaluate what risks there are in their companies and figure out what attackers are likely to target.
How can companies determine their special risks, i.e. their specific threat potential?
The IT Baseline Protection Manual from the BSI (German Federal Office for Information Security) is a good starting point for determining a company’s protection needs. The reason for doing this is to clarify which electronic assets need what kind of protection and therefore to manage the selection of appropriate IT security measures for these individual assets. In this context, the protection goals are confidentiality, integrity and availability.
The need to protect electronic assets is based on the extent of the damage that could occur if their functioning is impaired. With this in mind, protection need categories are defined depending on the effects of a damaging event.
That sounds pretty complicated; do companies sometimes struggle to deal with this?
Companies are almost always out of their depth in this situation. Over time, the BSI’s IT Baseline Protection Manual has become increasingly extensive and complex. It’s often difficult to even determine the scale of the risk and decide how valuable certain information is. Take the example of an innovative young company that performs design work for a major automobile manufacturer. If the company specifies the value of its data to be EUR 20,000 but the order volume is around EUR 1 million, then something isn’t right. Because naturally, the calculation needs to be based on the order volume and the value would then be around a million, which is on a very different scale.
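The two answers above describe the core of a protection-needs assessment: rate each electronic asset per protection goal (confidentiality, integrity, availability) by the damage its loss would cause, and sanity-check the valuation against the business that depends on the asset. The following is an added example written for this page, not code from the interview or from the BSI. The category names (normal, high, very high) and the maximum principle for systems that process several assets are BSI IT-Grundschutz concepts; every euro threshold and every asset figure is constructed for illustration.

```python
"""Protection-needs assessment in the spirit of BSI IT-Grundschutz.

Added example: the category names (normal / high / very high) and the
maximum principle are BSI concepts; every threshold and asset figure below
is constructed for illustration and is not a BSI or interview figure.
"""
from dataclasses import dataclass

# Protection-need categories, ordered from lowest to highest.
CATEGORIES = ("normal", "high", "very high")

# Damage thresholds in EUR (constructed; a real assessment sets these per company).
THRESHOLDS = {"high": 100_000, "very high": 1_000_000}

# The three protection goals named in the interview.
GOALS = ("confidentiality", "integrity", "availability")


def categorise(damage_eur: float) -> str:
    """Map the worst-case damage of a violated protection goal to a category."""
    if damage_eur >= THRESHOLDS["very high"]:
        return "very high"
    if damage_eur >= THRESHOLDS["high"]:
        return "high"
    return "normal"


@dataclass
class Asset:
    name: str
    damage: dict              # goal -> worst-case damage in EUR if that goal is violated
    declared_value: float     # value the company itself assigned to the asset
    dependent_revenue: float  # order volume that depends on this asset staying intact


def asset_needs(asset: Asset) -> dict:
    """Protection need of one asset, separately for each goal."""
    return {goal: categorise(asset.damage.get(goal, 0)) for goal in GOALS}


def system_needs(assets: list) -> dict:
    """Maximum principle: a system that processes several assets inherits,
    per goal, the highest protection need among them."""
    result = {goal: "normal" for goal in GOALS}
    for asset in assets:
        for goal, category in asset_needs(asset).items():
            if CATEGORIES.index(category) > CATEGORIES.index(result[goal]):
                result[goal] = category
    return result


def implausible_valuations(assets: list, ratio: float = 10.0) -> list:
    """Flag assets whose declared value is far below the revenue that depends on
    them: the mismatch the interview describes (EUR 20,000 vs. a EUR 1 million order)."""
    return [a.name for a in assets
            if a.dependent_revenue >= ratio * max(a.declared_value, 1.0)]


# Constructed sample assets for a small design firm working for a car manufacturer.
SAMPLE_ASSETS = [
    Asset("design data", {"confidentiality": 1_000_000, "integrity": 500_000,
                          "availability": 50_000}, declared_value=20_000,
          dependent_revenue=1_000_000),
    Asset("inventory levels", {"confidentiality": 10_000, "integrity": 200_000,
                               "availability": 150_000}, declared_value=200_000,
          dependent_revenue=300_000),
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(a.name, asset_needs(a))
    print("server hosting both:", system_needs(SAMPLE_ASSETS))
    print("check valuations of:", implausible_valuations(SAMPLE_ASSETS))
```

Run as a script, it rates the design data "very high" for confidentiality and "high" for integrity, rates the inventory "high" for integrity and availability, and shows that a server hosting both assets inherits the strictest need for each goal. The plausibility check flags the design data, whose declared EUR 20,000 is an order of magnitude below the EUR 1 million contract that depends on it.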
Given this complexity, is it not helpful to engage consultants?
That can definitely be helpful, especially when dealing with certifications like ISO 27001, which often require you to answer hundreds of questions. Sometimes small companies cannot manage this on their own because they lack the manpower and experience. However, increasingly there are moves to help SMEs in particular by offering brief consultation packages so that they too can protect themselves adequately.
Are there other approaches that work for smaller companies in particular?
I often recommend that companies take a different perspective and look at cybersecurity strategies that concern the strategic impact of cybersecurity mechanisms. These strategies include preventing attacks, minimising data volumes or reducing the attack surface. In this context, the focus is on prevention. Sometimes quite simple strategies can help, e.g. using a second browser. So if one browser is vulnerable you simply use the other one. This already helps to ward off attacks. It also makes sense to discuss whether your “crown jewels” need to be distributed over several servers. Often, data that needs protecting can be collected on a specially secured server for much better protection. This reduces the attack surface available.
Another strategy is to counteract the attacks. If I know which data are at risk I can encrypt them, for example, and in this way defend against any attacks. The point is to use lots of suitable IT security approaches to make it hard for the attackers.
What else should companies think about?
If an attack cannot be countered, the third strategy needs to be implemented, i.e. identifying attacks. To do this I use identification tools like SIEM (Security Information and Event Management) to recognise attacks as quickly as possible and be able to ward them off. This at least allows you to minimise the damage. This strategy shouldn’t be underestimated. Many more things will be digitised in future and this will result in additional attack surfaces that are still completely unknown and for which there are not yet any IT security solutions available to combat attacks on them.
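The third strategy, identifying attacks with a SIEM, comes down to correlation rules over event logs. The following is an added example written for this page, not code from the interview, from Pohlmann's institute or from any SIEM product. It implements one such rule in Python over constructed sshd log lines: repeated failed logins from one source inside a short window raise a medium alert, and a successful login from that same source shortly afterwards raises a high alert, because that is the case where a password guess may have succeeded and the account should be checked. The thresholds and the log lines are assumptions made for the example.

```python
"""SIEM-style correlation rule over SSH authentication logs.

Added example for this page (not code from the interview, from the institute
or from any SIEM product). Rule: N failed logins from one source inside a short
window raise a medium alert; a successful login from that source shortly
afterwards raises a high alert, because the guess may have succeeded.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
2024-05-02T10:00:01 host sshd[1201]: Failed password for admin from 203.0.113.7 port 51022
2024-05-02T10:00:02 host CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
2024-05-02T10:00:03 host sshd[1201]: Failed password for admin from 203.0.113.7 port 51023
2024-05-02T10:00:04 host sshd[1210]: Failed password for alice from 198.51.100.4 port 40210
2024-05-02T10:00:05 host sshd[1201]: Failed password for admin from 203.0.113.7 port 51024
2024-05-02T10:00:07 host sshd[1201]: Failed password for admin from 203.0.113.7 port 51025
2024-05-02T10:00:09 host sshd[1201]: Failed password for admin from 203.0.113.7 port 51026
2024-05-02T10:00:15 host sshd[1220]: Accepted password for bob from 192.0.2.10 port 33002
2024-05-02T10:00:30 host sshd[1201]: Accepted password for admin from 203.0.113.7 port 51027
"""

LINE_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+$"
)


def parse(lines: str) -> list:
    """Extract (timestamp, outcome, user, source) from sshd lines; skip everything else."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a SIEM parser must tolerate unrelated log lines
        ts, outcome, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), outcome, user, src))
    return sorted(events)  # tuples sort by timestamp first


def detect(lines: str, threshold: int = 5,
           window: timedelta = timedelta(seconds=60),
           follow: timedelta = timedelta(minutes=5)) -> list:
    """Return (severity, message) alerts for brute-force patterns in the log."""
    failures = defaultdict(list)  # source -> timestamps of recent failures
    brute_since = {}              # source -> time the failure threshold was crossed
    alerts = []
    for ts, outcome, user, src in parse(lines):
        if outcome == "Failed":
            # keep only failures inside the sliding window, then add this one
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
            if len(failures[src]) >= threshold and src not in brute_since:
                brute_since[src] = ts
                alerts.append(("medium",
                               f"{len(failures[src])} failed logins from {src} "
                               f"within {int(window.total_seconds())}s"))
        elif src in brute_since and ts - brute_since[src] <= follow:
            alerts.append(("high",
                           f"login for {user} from {src} succeeded shortly after "
                           f"the failed attempts: check this account"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect(SAMPLE_LOGS):
        print(f"[{severity}] {message}")
```

On the sample data the rule produces exactly two alerts, both for 203.0.113.7: the medium alert once the fifth failure lands inside the 60-second window, and the high alert when the later successful login for admin follows within five minutes. The lone failure from 198.51.100.4 and the ordinary login from 192.0.2.10 stay silent, and the CRON line is ignored by the parser, which is the kind of tolerance any real ingestion pipeline needs.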
You will also find news about all aspects of it-sa and the IT security environment in the it-sa Security Newsletter.