Direct Integration of Compliance Policies via the Greenbone Security Feed
With the help of compliance policies, a company can check whether all components integrated in the system meet the required specifications. The increasing digitalization and the associated growth of new technologies create opportunities, but also risks. For this reason, the demands on compliance are increasing as well. With GOS 20.08, all compliance policies were made available via the Greenbone Security Feed and four new compliance policies were added: TLS-Map, BSI TR-03116: Part 4, Huawei Datacom Product Security Configuration Audit Guide and Windows 10 Security Hardening.
What is a compliance policy anyway?
In addition to legal requirements, companies and public authorities often have their own guidelines that must be met for the secure configuration of a system. The aim is to ensure the information security of the company or authority by guaranteeing the confidentiality, integrity, availability and authenticity of information.
All specifications and guidelines that are necessary for this are summarized in one document to form a policy.
Based on the individual criteria of the guidelines, Greenbone Networks develops vulnerability tests – roughly speaking: one criterion results in one vulnerability test. Greenbone Networks combines these tests into a scan configuration.
Such scan configurations, which reflect policies of companies or authorities, are called Compliance Policies.
Example: a company releases a security policy with the following requirements:
Greenbone Networks develops a vulnerability test for each of the requirements, which checks whether the respective condition is fulfilled.
The three tests are then combined into a compliance policy that a user of the Greenbone solutions can choose when performing a vulnerability test. During the scan, it is checked whether the conditions mentioned above are met on the target system.
New: distribution of compliance policies via the Greenbone Security Feed
Starting with GOS 20.08, all standard scan configurations, reports formats, port lists, and compliance policies of Greenbone Networks are distributed via the Greenbone Security Feed.
Among other things, this allows scan configurations for current, high-priority vulnerability tests to be published and distributed immediately. In the past, these were published as XML files for manual download on the Greenbone download website and had to be imported by the users themselves – a tedious, error-prone process that made rapid deployment hardly possible.
But this is not the only advantage. It also makes troubleshooting much easier and faster for the customer: objects can be updated and, if necessary, fixed for all setups with a single feed update.
In addition to this innovation, the Greenbone Security Feed has been extended by some important compliance policies.
More Compliance Policies in the Greenbone Security Feed
Four new compliance policies were added to the Greenbone Security Feed in the 4th quarter 2020:
About the Special Scan Configuration TLS-Map
Note: TLS-Map is a scan configuration for special scans that are different from vulnerability scans. For reasons of simplicity, this special scan configuration is listed in this article along with the compliance policies.
The special scan configuration TLS-Map is helpful wherever secure communication over the Internet is required. TLS – short for Transport Layer Security – is a protocol for the secure transmission of data on the Internet. It is the successor of SSL – Secure Sockets Layer – which is why both protocols are still often used synonymously today. However, all SSL versions and TLS versions prior to version 1.2 have been outdated since 2020 at the latest and are therefore insecure.
The largest area of application for TLS is data transfer via the World Wide Web (WWW), for example between a web browser as the client and a server such as www.greenbone.net. Other areas of application are e-mail traffic and the transfer of files via the File Transfer Protocol (FTP).
The special scan configuration TLS-Map checks whether the required TLS version is available on the target system and whether the required encryption algorithms – so-called ciphers – are offered.
About the Compliance Policy BSI TR-03116: Part 4
The Technical Guideline BSI TR-03116 Cryptographic Requirements for Federal Projects from the Federal Office for Information Security (BSI) is used for Federal Government projects. This means that if a federal project should be implemented, this guideline must be fulfilled. It consists of 5 parts in total:
The compliance policy that Greenbone Networks has developed accordingly checks whether the contents of the fourth part of the guideline are fulfilled. This part contains requirements for communication procedures.
The compliance policy BSI TR-03116: Part 4 in the Greenbone Security Feed tests the three main requirements of the technical guideline – the minimum TLS version as well as the required and the prohibited ciphers.
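As an added illustration (example code written for this article, not part of Greenbone's scan configurations or vulnerability tests), the script below models what both TLS-Map and the BSI TR-03116: Part 4 policy test: it takes the set of TLS versions and ciphers a target offers and evaluates them against a policy consisting of a minimum version, ciphers that must be offered and ciphers that must not be offered, one check per criterion. The policy values, cipher names and sample scan results are placeholders chosen for illustration, not the guideline's actual lists; the optional probe() function uses only the Python standard library to perform one handshake per protocol version against a host and records what was negotiated.

```python
"""Checking a target's TLS offering against a compliance policy.

Added example (not Greenbone code): it mirrors what the TLS-Map scan
configuration and the BSI TR-03116 Part 4 compliance policy test, namely
(1) the minimum TLS version, (2) ciphers that must be offered and
(3) ciphers that must not be offered.  The policy values below are
placeholders chosen for illustration, not the guideline's actual lists.
"""
import socket
import ssl
from dataclasses import dataclass

# Protocol names as returned by ssl.SSLSocket.version(), oldest first.
VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


@dataclass(frozen=True)
class TlsPolicy:
    minimum_version: str
    required_ciphers: frozenset   # OpenSSL cipher names that must be offered
    forbidden_ciphers: frozenset  # OpenSSL cipher names that must not be offered


@dataclass(frozen=True)
class ScanResult:
    offered_versions: frozenset
    offered_ciphers: frozenset


def evaluate(result: ScanResult, policy: TlsPolicy) -> dict:
    """One criterion -> one check. Each entry is (passed, offending items)."""
    min_rank = VERSION_RANK[policy.minimum_version]
    # Unknown version strings count as outdated rather than being silently accepted.
    outdated = sorted(v for v in result.offered_versions
                      if VERSION_RANK.get(v, -1) < min_rank)
    missing = sorted(policy.required_ciphers - result.offered_ciphers)
    present = sorted(policy.forbidden_ciphers & result.offered_ciphers)
    return {
        "minimum_version": (not outdated, outdated),
        "required_ciphers": (not missing, missing),
        "forbidden_ciphers": (not present, present),
    }


def is_compliant(result: ScanResult, policy: TlsPolicy) -> bool:
    return all(passed for passed, _ in evaluate(result, policy).values())


def probe(host: str, port: int = 443, timeout: float = 5.0) -> ScanResult:
    """Live probe with the standard library: one handshake per protocol version.

    Records which versions the server accepts and which cipher it picks for
    each; a scanner would additionally enumerate every cipher per version.
    Certificate validation is disabled on purpose: only the handshake matters here.
    """
    versions, ciphers = set(), set()
    for tls_version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                        ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = ctx.maximum_version = tls_version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    versions.add(tls.version())
                    ciphers.add(tls.cipher()[0])
        except (ssl.SSLError, OSError, ValueError):
            continue  # version refused by the server or unsupported by local OpenSSL
    return ScanResult(frozenset(versions), frozenset(ciphers))


# Placeholder policy: TLS 1.2 as minimum, one required and one forbidden suite.
EXAMPLE_POLICY = TlsPolicy(
    minimum_version="TLSv1.2",
    required_ciphers=frozenset({"ECDHE-RSA-AES256-GCM-SHA384"}),
    forbidden_ciphers=frozenset({"AES128-SHA"}),  # static RSA, CBC, no forward secrecy
)

# Constructed scan results, not captured from a real host.
NONCOMPLIANT_SAMPLE = ScanResult(
    offered_versions=frozenset({"TLSv1", "TLSv1.2", "TLSv1.3"}),
    offered_ciphers=frozenset({"AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
                               "TLS_AES_256_GCM_SHA384"}),
)
COMPLIANT_SAMPLE = ScanResult(
    offered_versions=frozenset({"TLSv1.2", "TLSv1.3"}),
    offered_ciphers=frozenset({"ECDHE-RSA-AES256-GCM-SHA384", "TLS_AES_256_GCM_SHA384"}),
)

if __name__ == "__main__":
    for name, (ok, items) in evaluate(NONCOMPLIANT_SAMPLE, EXAMPLE_POLICY).items():
        print(f"{name:18} {'PASS' if ok else 'FAIL'} {items}")
```

Run as-is, the script evaluates the constructed non-compliant sample and reports all three criteria as failed (TLSv1 still offered, the required suite missing, the forbidden suite present); replacing the sample with `probe("hostname")` evaluates a live target instead.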
About the Compliance Policy Huawei Datacom Product Security Configuration Audit Guide
Compliance policies for Huawei solutions have been part of the Greenbone Security Feed for quite some time.
Greenbone Networks had already developed compliance policies for the following two solutions:
Related compliance policy: EulerOS Linux Security Configuration
Related compliance policy: GaussDB 100 V300R001C00 Security Hardening Guide
With a compliance policy for Huawei Datacom, a product category that also includes routers and switches with their own operating system, a third compliance policy for solutions developed by Huawei is added now.
For all three products – Huawei Datacom, EulerOS and GaussDB – there are security configurations that were specified by Huawei. Based on these configurations, Greenbone Networks has developed compliance policies which check the compliance with those security configurations. The different compliance policies are always applied if the corresponding solution is available on the target system.
For Huawei Datacom, Huawei distributes the Huawei Datacom Product Security Configuration Audit Guide. The associated, newly developed compliance policy tests, for example, whether the correct versions of SSH and SNMP are available on the target system.
About the Compliance Policy Windows 10 Security Hardening
The compliance policy Windows 10 Security Hardening includes vulnerability tests to evaluate the hardening of Windows 10 according to industry standards.
Among other things, the compliance policy checks different password specifications such as age, length and complexity of the password, specifications for the assignments of user rights, and requirements for different system devices.
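The following added example (not Greenbone's own test code) applies the one-criterion-one-test model described earlier to a few of the Windows 10 hardening criteria: it parses a constructed local security policy export in the INF layout that `secedit /export /cfg <file>` produces, runs one check per criterion for password length, age, complexity and history and for two user-rights assignments, and combines them into a single policy verdict the way a scan configuration combines individual tests. The thresholds, the sample file and every SID other than the well-known Administrators and Guests groups are assumptions made for illustration, not the values of the Windows 10 Security Hardening policy.

```python
"""Evaluating an exported Windows local security policy against hardening criteria.

Added example (not Greenbone code).  Greenbone's compliance policy runs one
vulnerability test per criterion and combines them into a scan configuration;
this script does the same in miniature for a handful of the criteria the
Windows 10 Security Hardening policy covers: password age, length, complexity
and user-rights assignments.  Input is the INF text produced on a Windows host
by `secedit /export /cfg <file>` (typically UTF-16 on disk; decoded here to str).
The thresholds below are placeholders for illustration, not the policy's values.
"""
from typing import Callable, Dict

ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID, as written in secedit exports
GUESTS = "*S-1-5-32-546"

# Constructed sample export; the SeDebugPrivilege entry deliberately grants the
# right to an extra, made-up account SID in addition to Administrators.
SAMPLE_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 0
PasswordHistorySize = 24
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1001
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for secedit's INF layout: [section] followed by key = value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def sids(policy: dict, right: str) -> set:
    """Accounts holding a user right; an absent right means nobody holds it."""
    raw = policy.get("Privilege Rights", {}).get(right, "")
    return {s.strip() for s in raw.split(",") if s.strip()}


def system_access_int(policy: dict, key: str) -> int:
    return int(policy.get("System Access", {}).get(key, "0"))


# One criterion -> one check; each returns True when the criterion is met.
# Thresholds are hypothetical; substitute the values your own policy mandates.
CHECKS: Dict[str, Callable[[dict], bool]] = {
    "minimum password length >= 14":
        lambda p: system_access_int(p, "MinimumPasswordLength") >= 14,
    "maximum password age 1..60 days":  # 0 would mean passwords never expire
        lambda p: 1 <= system_access_int(p, "MaximumPasswordAge") <= 60,
    "password complexity enabled":
        lambda p: system_access_int(p, "PasswordComplexity") == 1,
    "password history >= 24":
        lambda p: system_access_int(p, "PasswordHistorySize") >= 24,
    "SeDebugPrivilege limited to Administrators":
        lambda p: sids(p, "SeDebugPrivilege") <= {ADMINISTRATORS},
    "Guests denied network logon":
        lambda p: GUESTS in sids(p, "SeDenyNetworkLogonRight"),
}


def run_policy(inf_text: str) -> Dict[str, bool]:
    """Combine the individual checks into one policy run, like a scan configuration."""
    policy = parse_inf(inf_text)
    return {name: check(policy) for name, check in CHECKS.items()}


def is_hardened(inf_text: str) -> bool:
    return all(run_policy(inf_text).values())


if __name__ == "__main__":
    for name, ok in run_policy(SAMPLE_INF).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Against the constructed sample, four of the six criteria fail (length 8, age 90 days, complexity off, and a second account holding SeDebugPrivilege), so the combined verdict is "not hardened"; adding a criterion is a matter of adding one entry to CHECKS, which is the same composition model the compliance policies in the feed follow.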
Even faster integration of compliance policies with GOS 20.08
As digitalization continues, compliance requirements are growing in companies of all sizes and in all industries.
Through the direct integration of compliance policies via the Greenbone Security Feed and the inclusion of new compliance policies, the testing of target systems is even more efficient, easier and quicker, thus increasing the protection of the IT infrastructure without the need for special compliance know-how. Of course, we continue to work on new compliance policies on an ongoing basis. So be curious!
New study reveals what cyber resilient organisations do differently
As the world of technology grows ever more complex and cybercriminals become more aggressive and exploitative in their tactics, those in positions of responsibility can no longer rely on the traditional IT security protection wall around their corporate networks to ward off cyber threats. Sooner or later an attacker will find a way in and from there it is a matter of containing the damage as much as possible and maintaining core business processes in order to continue providing customers with products and services. These practices are not sustainable and for us at Greenbone, the future of IT security is cyber resilience.
Cyber resilience is on everyone’s lips – the media, businesses, manufacturers and even governments are talking about this successor to classic IT security with increasing intensity. But what exactly is cyber resilience? How can it be implemented? What distinguishes organisations that are already resistant to cyberattacks? We at Greenbone got to the bottom of these questions with a large-scale global study alongside Frost & Sullivan. The results are now available in a report which you can read here. Below we look at the key objectives and findings of the study:
Core mission of the study: identify resilience characteristics
We have been working intensively in the field of cyber resilience for several years, but what makes it so important? What challenges do organisations in different industries face? Which best practices should they follow? We looked for the answers to these questions as part of the study with Frost & Sullivan. Indeed, one of our main objectives was to identify particularly resilient organisations and analyse what distinguishes them from less resilient ones. In this way, we hope to offer companies concrete recommendations that they can act on in order to make their operations more resilient. We’ll also use what we’ve learned to further develop our proven vulnerability management technology, which we have recently started offering as a managed service.
Discovery of major data leak in the healthcare sector changed focus of the research
The report pays special attention to those organisations that form part of the Critical National Infrastructure (CNI), from water and energy to finance and healthcare. In the event of a cyberattack, CNI organisations have to take into consideration not only economic losses and reputational damage, but they also have to look at how it will impact wider society and, in extreme cases, if human lives are at risk. For example, if medical equipment is compromised or the power supply to a hospital fails, the knock-on effects could be disastrous. We therefore wanted to enhance the study with real-life examples from the CNI sectors.
As we were searching for examples, we uncovered something much larger than we could have imagined: a huge data leak in the healthcare sector, in which millions of patient records and associated medical images were freely accessible via a weakness in the PACS (Picture Archiving and Communication Systems) servers. No programming or coding knowledge was necessary to access the data, which included complete medical histories with personal details such as the patient’s name, date of birth and attending physician, fully visible.
This discovery was so significant that we couldn’t possibly ignore it. We quickly shifted our focus to helping restrict free access to this patient data as quickly as possible, working alongside authorities and IT security specialists around the globe. In cooperation with Bayerischer Rundfunk in Germany and the US investigative platform ProPublica, we helped explain the true extent of the problem. So far we have been very successful in removing access to this patient data, yet some 400 PACS systems are still connected to the Internet, making the patient data stored on them accessible to everyone. For this reason, we continue to maintain close contact with the relevant authorities. Our report on the patient data leak can be downloaded here.
A few key findings
In addition to our work in the healthcare sector, we also reviewed organisations from the energy, finance, telecommunications, transport and water sectors in the report. In total, we surveyed 370 organisations with an average of 13,500 employees from the five largest economies in the world: the United States, the United Kingdom, France, Japan and Germany. From this wide-ranging perspective, we were able to obtain answers to our core questions as well as some other interesting findings:
US companies are at the forefront of cyber resilience:
On average, only 36% of the organisations surveyed were highly cyber resilient. The USA scored highest with 50%, European companies came in around the average, and Japanese organisations were at the lowest end of the scale with only 22%.
Transport sector least resistant to cyberattacks:
Across all the countries surveyed, financial and telecoms organisations (46%) were best equipped against cyberattacks. They were followed by the water (36%), health (34%) and energy (32%) sectors, yet only 22% of transport organisations have achieved a high level of cyber resilience.
Understanding business processes is more important than budget considerations:
Whilst it’s true that the cyber resilient organisations we identified have on average a higher turnover and a larger IT budget, the detailed analysis in the study revealed that this is by no means decisive. What we discovered is that a fundamental understanding of the business processes and an awareness of business-critical digital resources play a far more crucial role in organisations being cyber resilient.
Eleven characteristics that distinguish cyber resilient organisations:
In our study we were able to identify three groups of characteristics that increase the cyber resilience of organisations by a factor of two, three and six. From this, we developed a “roadmap” with which organisations can increase their level of IT maturity and create a high level of cyber resilience.
You can download the executive summary and request the complete report, including the roadmap, here: https://www.greenbone.net/en/businessrisk/
The Path To Cyber Resilience
How to become cyber resilient
In a world of growing digital complexity, and as technology becomes more ingrained in our everyday lives, hackers and cybercriminals have sought to take advantage of the situation, aggressively going after new vulnerabilities and flaws that have arisen out of this widening sphere of technological adoption. The likes of Advanced Persistent Threats and ransomware attacks have grown in sophistication and frequency, as has the damage they have caused to organisations and individuals alike.
As a result of these new attack vectors, and as organisations grow to rely on technology to keep varied operations running, IT and business leaders have sought to find a new way to protect themselves. This is where cyber resilience plays a crucial part.
A new type of cybersecurity
The term ‘cyber resilience’ is relatively new – for us, it means that organisations are still able to function and deliver their business services even when facing an adverse cyber incident. Many organisations seek to become cyber resilient yet many of them are falling behind. This is what we learned in our recent report, conducted alongside Frost & Sullivan, which found that only 36% of organisations across six key industries in the US, UK, Germany, France and Japan are considered to be highly cyber resilient.
The report also revealed that understanding what your key business assets are is more important than budgetary considerations. Whilst the cyber resilient organisations we identified certainly tended to have a higher IT budget, the study revealed that this is by no means the final word. In fact, we discovered that having a fundamental understanding and an awareness of business-critical assets plays a far more crucial role in organisations being cyber resilient.
Indeed, our core objective with this report was to identify resilient characteristics so that we can offer companies concrete recommendations about how they can go about becoming more cyber resilient. This in turn will help us develop our proven vulnerability management technology, which we have recently started offering as a managed service.
You can read the results in the full 52-page report here: Business Risk & Cyber Resilience