Cyber Security. Simply. Make it Happen. (eBook)

Dr. Ferri Abolhassan is a member of the T-Systems Board of Management, responsible for the IT Division and Telekom Security. From 1985 to 1988, Dr. Ferri Abolhassan completed a bachelor’s degree in computer science at Saarland University in Saarbrücken, Germany. After graduating, he worked at Siemens and IBM prior to completing his doctorate in 1992. He held various senior positions at SAP and IDS Scheer, before joining T-Systems in September 2008 as Head of Systems Integration and a member of the Board of Management. In late 2010, Abolhassan took on the role of Head of Production, before becoming Director of Delivery in 2013. In January 2015, Abolhassan was appointed Director of the T-Systems IT Division, with responsibility for approximately 30,000 employees and some 6,000 customers. Moreover, to address new IT imperatives, Deutsche Telekom has created an organizational unit for security solutions, to be headed up by Abolhassan. The new business will combine all of Deutsche Telekom’s security activities, and will market its cyber security offerings.

Foreword 6
Trust Is the Basis of Digitization 6
Digitization Offers Great Opportunities 6
Data Protection and Digital Business Models Are Not in Opposition 7
Security Has to Be Simple 7
Contents 10
1: Security: The Real Challenge for Digitalization 15
1.1 Introduction 15
1.2 Status Quo: The Cloud Is the Backbone of Digitalization 16
1.3 Data Security: Only a Secure Cloud Will Lead to Secure Digitalization 17
1.3.1 Risk Transformation: It Has to Be Easy to Get into the Cloud 18
1.3.2 Risk of an Incident: Making Sure the Cloud Doesn´t Crash 19
1.3.3 Risk of Technical/Physical Attack: A Castle Wall Alone Isn´t Enough 20
1.3.4 Risk of a Cyberattack: Ensuring Data and Devices Aren´t Casualties 21
1.4 Looking to the Future 23
1.5 Conclusion 23
References 24
2: Security Policy: Rules for Cyberspace 26
2.1 Taking Stock: Digital Warfare in the 21st Century 27
2.2 Challenges for the Political Sphere: Rules, Resources and Expertise 28
2.3 Outlook: A Strategy for the Digital Age 31
References 32
3: Data Protection Empowerment 34
3.1 Code Is Law 35
3.2 Empowerment 36
3.3 Information Technology and Social Values 39
References 39
4: Red Teaming and Wargaming: How Can Management and Supervisory Board Members Become More Involved in Cybersecurity? 40
4.1 Cybersecurity: A Management Board Issue 40
4.2 Integrating the Management Board into Existing Cybersecurity Strategies 41
4.3 Red Teaming and Wargaming 41
4.3.1 Red Teaming Defined 42
4.3.2 Wargaming Defined 42
4.3.3 Differences Compared with Methods Currently in Use 42
4.4 Use of Red Teaming in Combination with Wargaming at Companies 43
4.4.1 Classification 44
4.4.2 Definition of a Target 44
4.4.3 Composition of the Teams 45
4.4.4 Analysis: Data Collection and Evaluation 45
4.4.5 Wargaming 46
4.4.6 Report 47
4.5 Conclusion 47
References 47
5: The Law and Its Contribution to IT Security: Legal Framework, Requirements, Limits 49
5.1 Key Features of the Existing Legal Framework 50
5.1.1 IT Compliance: A Challenge for Management Boards and Executives 50
5.1.1.1 The Cornerstone of IT Compliance: IT Security 50
5.1.1.2 Liability of the Management Board and Executives 51
5.1.2 Who Is Responsible? 51
5.1.2.1 Requirements for Software Manufacturers 51
5.1.2.2 Requirements for Network and Platform Operators 52
5.1.2.3 Legal Framework for Providers of IT Services 52
5.1.3 Regulation on Determining Critical Infrastructure 53
5.1.4 Controversial: Changes Affecting Telemedia Services 54
5.2 International Issues: The European Union´s Directive on Security of Network and Information Systems (NIS Directive) 54
5.3 Data Protection and Data Security in the United States 55
5.4 Data Exchange Between EU and US Companies 55
5.4.1 Safe Harbor 56
5.4.2 Privacy Shield 56
5.5 Conclusion: Many Legal Issues to Consider 56
References 57
6: IT Security: Stronger Together 59
6.1 The Trinity of IT Security 60
6.2 CSSA - Security Through Collaboration 61
6.2.1 Targeted Interaction 62
6.2.2 Network of Trust 62
6.3 The Six Elements of an Integrated Defense Strategy 63
6.3.1 Prevention Is Better Than the Cure 64
6.3.2 Knowledge Is Power 65
6.3.3 IT Security Is Not an End in Itself 66
6.3.4 It´s Only a Matter of Time: Incident Management 67
6.3.5 Fitness Training: Prepare for Emergencies 68
6.3.6 Stronger Together 68
6.4 Conclusion 68
References 69
7: The German Security Market: Searching for the Complete Peace-of-Mind Service 70
7.1 Challenges for IT Security Managers 70
7.2 Choosing the Right Protection in a Fragmented Market 72
7.2.1 Data Leakage/Loss Prevention (DLP) 72
7.2.2 Security Information and Event Management (SIEM) 72
7.2.3 Email/Web/Collaboration Security 72
7.2.4 Endpoint Security 73
7.2.5 Identity and Access Management (IAM) 73
7.2.6 Mobile Security - Are Employees Really the Biggest Risk? 74
7.2.7 Network Security 75
7.2.8 Conclusion 76
7.3 Security from a Single Source: Managed Security Services 76
7.3.1 Managed Service or Cloud Solution? 77
7.3.2 Selection Criteria 78
7.3.3 Assessment of Deutsche Telekom/T-Systems as a Managed Security Services Provider 78
7.3.4 Specialized Managed Security Services 80
8: CSP, not 007: Integrated Cybersecurity Skills Training 82
8.1 The New Profession of Cybersecurity Specialist: From IT Worker to IT Security Expert 82
8.2 Hands-on Experience in All-Round Security 83
8.3 Cybersecurity Expertise for Managers, too 84
8.4 Conclusion 84
Reference 85
9: Human Factors in IT Security 86
9.1 IT Security Is Just Not Very People-Centric 86
9.1.1 The Thing with Passwords 87
9.1.2 The ``Security versus Productivity´´ Dilemma 88
9.2 Social Engineering 88
9.3 Human ``Weaknesses´´ Are Often Social Norms or Simple Instincts 90
9.3.1 Would You Mind Installing This Malware on Your Computer? 90
9.3.2 Excuse Me, What Exactly Is Your Password? 92
9.4 Would You Please Transfer Me a Few Million? 93
9.5 Defensive Measures 94
9.5.1 Recognizing Social Engineering 95
9.5.2 The Learning Objective: Reporting Suspicious Activity 95
9.5.3 Practice Makes Perfect 96
9.6 Conclusion: IT Must Work for and Not against Users 97
Reference 97
10: Secure and Simple: Plug-and-Play Security 98
10.1 Data Security in the Danger Zone 99
10.2 Digitalization Needs New Security Concepts 102
10.3 Digital Identity Is the New Currency 103
10.4 Does Absolute Protection Exist? 104
10.5 This Is What Attack Scenarios Look Like Today 105
10.6 In Need of Improvement: Security at SMEs 106
10.7 Expensive Does Not Necessarily Mean Secure: Gaps in Security at Large Companies 107
10.8 The ``Made in Germany´´ Stamp of Quality 107
10.9 Companies Want the Cloud - But Securely 108
References 109
11: Cybersecurity - What's Next? 111
11.1 The Motives of Attackers Are Becoming More Malicious with Each Passing Generation 111
11.2 Cybersecurity - The Sleeping Giant in the Company 116
11.3 What Will Protect Us? 118
11.4 Conclusion 121
References 121
12: Conclusion 123
12.1 The Internet Has Become Ubiquitous 123
12.2 Good Internet, Bad Internet 124
12.3 Cyberhare vs. Cybertortoise 124
12.4 Simple and Secure Is the Motto 126
References 127
Appendix 128
Eleven Rules for a Secure Internet of Things (IoT) 128
The Magenta Security Portfolio 129
Technical Literature 129
Practical Report from the Graduates 131
Practical Projects as the Focus of Instruction 131
Virtual Detective Work as Final Module Assignment 132
Cyber Security Professional Training for Jobs of the Future 132
Glossary 134