Tag Archive for: Open Source

Greenbone AG

Availability of CVE Vulnerability Data in Greenbone Products

Greenbone AG has been consistently committed to an independent and resilient supply chain for the provision of vulnerability data for many years. Against the background of current discussions on the financing and sustainability of the CVE programme of the US organisation MITRE, we would like to inform you about our measures to ensure the continuous provision of important information about vulnerabilities in IT systems.

Since 1999, the CVE system has formed the central basis for the clear identification and classification of security vulnerabilities in IT. Funding for the central CVE database is currently secured by the US government until April 2026. Against this background, Greenbone took structural measures at an early stage to become less dependent on individual data sources.

With our OPENVAS brand, Greenbone is one of the world’s leading open source providers in the IT security ecosystem. We make an active contribution to the development of sustainable, decentralised infrastructures for the provision of vulnerability information – and are already focusing on future-proof concepts that effectively protect our customers from security risks.

Our sovereign data approach includes the following measures, among others:

  • Broad source diversification: Our Systems and our security research team monitor a large number of international information sources in order to be able to react promptly to new threats independently of the official CVE process – even if there is no official CVE entry yet.
  • Integration of alternative databases: We integrate independent vulnerability catalogues such as the European Vulnerability Database (EUVD) into our systems in order to create a stable and geographically diversified information basis.
  • Promotion of open standards: We actively support the dissemination of the CSAF standard (Common Security Advisory Framework), which enables the decentralised and federated distribution of vulnerability information.

These measures ensure that our customers retain unrestricted access to up-to-date vulnerability information, even in the event of changes in the international data ecosystem. This ensures that your IT systems remain fully protected in the future.

Greenbone stands for independent, sovereign and future-proof weak-point supply – even in a changing geopolitical environment.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone 2024 Review: A Very Good Year with Growth Everywhere

Also in its 16th year, the Osnabrück-based expert and market leader in Open Source Vulnerability Management has kept growing, both in employees, customers, partners and last not least on this blog.

After doubling our workforce over the last two years, we at Greenbone are looking proudly at 143 employees, most of them work remotely. This growth brought about many new contributions, and of course many company events, unique development talks and a people lead concept with cross feedback as a major step forward in developing leadership culture. Inspired by happiness surveys, Greenbone will keep on growing and is a great employer. Have you applied yet?

Greenbone Threat Report

So, it’s no wonder that also this blog benefited from the growth and introduced a successful new format: Every month, we are now presenting with the Threat Report a monthly deep dive into the news and atrocities of vulnerability management, mitigation and new threats on the radar of our customers (and anybody interested in security). We started this series in March 2024 and have published 10 thorough blog reports so far. Find all of them here, and the last update here.

Endangered: Ivanti, Fortinet, Exchange, Confluence…

Apart from that, we could report on several crucial vulnerabilities. From Juniper and Ivanti to Fortinet, from problems in Microsoft Exchange and Sharepoint to Atlassians knowledge management Confluence: our experts provided helpful insights for nearly all customers.

Of course our blog reported on CrowdStrike and how it only took 62 minutes for a security provider to become a massive threat. We wrote about the never-ending dangers from Chinese hackers, DOS attacks, automated mass attacks, severe SSH key problems and featured in-depth analysis and papers, for example on the costs of cyber attacks.

Growing challenges: cyber threats and new legislation

In five blog posts we explained threat levels and specific vulnerability risks in branches affected hard by common vulnerabilities: For example, SMEs are investing more in security, Helsinki schools have been attacked and of course public administration networks are under special threat, as is practically anything in health care – says the BSI (Bundesamt für Sicherheit in der Informationstechnik), the German Federal Office for Information Security. Especially the latter two branches, not only among our customers, will also have benefited from the many posts we published on regulations – like CSAF (Common Security Advisory Framework) and the many updates on the slowly ongoing and interrupted (in Germany) progress of NIS2 (Network and Information Security).

All-year Topic NIS2

The NIS Directive in its second edition was a topic that has been and will be on the watchlist of Greenbone and our customers. Since the European Union decided on the second „Directive on Security of Network and Information Systems“ NIS, many member states have applied regulations that clarify how companies have to implement it. Only in Germany that took a little longer and – due to the fall of the government late in the year – has not been finished. Nevertheless, all the information and plans are available, there’s even a test from the BSI that allows you to check whether your networks are affected and need immediate action.

Greenbone Goes Green: ISO 14001

We wrote about sustainability and the great success Greenbone made with achieving the ISO 14001 certificate. Our CMO Elmar Geese shared his thoughts on the future of clouds and the breaking of their hype cycle. He also took part in a panel on artificial intelligence, and our products now integrate additional BSI basic and CIS guidelines to protect your office software.

New Products: Major Release 24.10, Greenbone Basic, Feed-Updates

But 2024 brought also many updates and news on our products: Greenbone’s vulnerability management got several improvements and updates, with a new video to explain vulnerability management in 12 minutes. In July, our new scan engine Notus received Support for Amazon’s Red-Hat-Linux variant dominating Amazon Web Services. Later in 2024 Greenbone both announced a new major version of its Enterprise Appliance (24.10) and a completely new product targeted at small and medium size businesses called “Greenbone Basic”. Ready to try?

But maybe you want to read about how Greenbone leads the competition of vulnerability scanners in our benchmark or find out what your Key Performance Indicators for vulnerability management products are.

Congresses and Events: Our Highlights of the Year 

If you want to meet us, you’ll find a growing amount of opportunities … worldwide, also showed in our blog: we also reported almost live from the other side of the globe, where Greenbone had a presence at the Singapore International Cyber Week. This conference was not only one of the major IT security events in Asia, but also one in a long list of business fairs that Greenbone attended: Public IT Security (PITS) in Berlin, the it-sa in Nuremberg or the Potsdam Conference for National Security are just a few to name.

Thank You and Happy Holidays!

So, obviously, also our 16th year was a good one, “a very good year” and thus we would like to take this opportunity to thank all customers, partners and the community again: Without your help none of this would be possible.

Thank you, happy holidays and a happy new year!

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone Enterprise Products Lead all Network Vulnerability Scanners

OpenVAS began in 2005 when Nessus transitioned from open source to a proprietary license. Two companies, Intevation and DN Systems adopted the existing project and began evolving and maintaining it under a GPL v2.0 license. Since then, OpenVAS has evolved into Greenbone, the most widely-used and applauded open-source vulnerability scanner and vulnerability management solution in the world. We are proud to offer Greenbone as both a free Community Edition for developers and also as a range of enterprise products featuring our Greenbone Enterprise Feed to serve the public sector and private enterprises alike.

As the “old-dog” on the block, Greenbone is hip to the marketing games that cybersecurity vendors like to play. However, our own goals remain steadfast – to share the truth about our product and industry leading vulnerability test coverage. So, when we reviewed a recent 2024 network vulnerability scanner benchmark report published by a competitor, we were a little shocked to say the least.

As the most recognized open-source vulnerability scanner, it makes sense that Greenbone was included in the competition for top dog. However, while we are honored to be part of the test, some facts made us scratch our heads. You might say we have a “bone to pick” about the results. Let’s jump into the details.

What the 2024 Benchmark Results Found

The 2024 benchmark test conducted by Pentest-Tools ranked leading vulnerability scanners according to two factors: Detection Availability (the CVEs each scanner has detection tests for) and Detection Accuracy (how effective their detection tests are).

The benchmark pitted our free Community Edition of Greenbone and the Greenbone Community Feed against the enterprise products of other vendors: Qualys, Rapid7, Tenable, Nuclei, Nmap, and Pentest-Tools’ own product. The report ranked Greenbone 5th in Detection Availability and roughly tied for 4th place in Detection Accuracy. Not bad for going up against titans of the cybersecurity industry.

The only problem is, as mentioned above, Greenbone has an enterprise product too, and when the results are recalculated using our Greenbone Enterprise Feed, the findings are starkly different – Greenbone wins hands down.

Here is What we Found

Bar chart from the 2024 benchmark for network vulnerability scanners: Greenbone Enterprise achieves the highest values with 78% availability and 61% accuracy

 

Our Enterprise Feed Detection Availability Leads the Pack

According to our own internal findings, which can be verified using our SecInfo Portal, the Greenbone Enterprise Feed has detection tests for 129 of the 164 CVEs included in the test. This means our Enterprise product’s Detection Availability is a staggering 70.5% higher than reported, placing us heads and tails above the rest.

To be clear, the Greenbone Enterprise Feed tests aren’t something we added on after the fact. Greenbone updates both our Community and Enterprise Feeds on a daily basis and we are often the first to release vulnerability tests when a CVE is published. A review of our vulnerability test coverage shows they have been available from day one.

Our Detection Accuracy was far Underrated

And another thing. Greenbone isn’t like those other scanners. The way Greenbone is designed gives it strong industry leading advantages. For example, our scanner can be controlled via API allowing users to develop their own custom tools and control all the features of Greenbone in any way they like. Secondly, our Quality of Detection (QoD) ranking doesn’t even exist on most other vulnerability scanners.

The report author made it clear they simply used the default configuration for each scanner. However, without applying Greenbone’s QoD filter properly, the benchmark test failed to fairly assess Greenbone’s true CVE detection rate. Applying these findings Greenbone again comes out ahead of the pack, detecting an estimated 112 out of the 164 CVEs.

Summary

While we were honored that our Greenbone Community Edition ranked 5th in Detection Availability and tied for 4th in Detection Accuracy in a recently published network vulnerability scanner benchmark, these results fail to consider the true power of the Greenbone Enterprise Feed. It stands to reason that our Enterprise product should be in the running. Afterall, the benchmark included enterprise offerings from other vendors.

When recalculated using the Enterprise Feed, Greenbone’s Detection Availability leaps to 129 of the 164 CVEs on the test, 70.5% above what was reported. Also, using the default settings fails to account for Greenbone’s Quality of Detection (QoD) feature. When adjusted for these oversights, Greenbone ranks at the forefront of the competition. As the most used open-source vulnerability scanner in the world, Greenbone continues to lead in vulnerability coverage, timely publication of vulnerability tests, and truly enterprise grade features such as a flexible API architecture, advanced filtering, and Quality of Detection scores.

Contact Test Now Buy Here Back to Overview

/by
Elmar Geese

“Only 62 minutes”: From security provider to security problem

“Your company can be ruined in just 62 minutes”: This is how the security provider Crowdstrike advertises. Now the US manufacturer has itself caused an estimated multi-billion-dollar loss due to a faulty product update – at breakneck speed.

On 19 July at 04:09 (UTC), the security specialist CrowdStrike distributed a driver update for its Falcon software for Windows PCs and servers. Just 159 minutes later, at 06:48 UTC, Google Compute Engine reported the problem, which “only” affected certain Windows computers and servers running CrowdStrike Falcon software.

Almost five per cent of global air traffic was unceremoniously paralysed as a result, and 5,000 flights had to be cancelled. Supermarkets from Germany to New Zealand had to close because the checkout systems failed. A third of all Japanese MacDonalds branches closed their doors at short notice. Among the US authorities affected were the Department of Homeland Security, NASA, the Federal Trade Commission, the National Nuclear Security Administration and the Department of Justice. In the UK, even most doctors’ surgeries were affected.

The problem

The incident points to a burning problem: the centralisation of services and the increasing networking of the IT systems behind them makes us vulnerable. If one service provider in the digital supply chain is affected, the entire chain can break, leading to large-scale outages. As a result, the Microsoft Azure cloud was also affected, with thousands of virtual servers unsuccessfully attempting to restart. Prominent people affected reacted quite clearly. Elon Musk, for example, wants to ban CloudStrike products from all his systems.

More alarming, however, is the fact that security software is being used in areas for which it is not intended. Although the manufacturer advertises quite drastically about the threat posed by third parties, it accepts no responsibility for the problems that its own products can cause and their consequential damage. CrowdStrike expressly advises against using the solutions in critical areas in its terms and conditions. It literally states – and in capital letters: “THE OFFERINGS AND CROWDSTRIKE TOOLS ARE NOT FAULT-TOLERANT AND ARE NOT DESIGNED OR INTENDED FOR USE IN ANY HAZARDOUS ENVIRONMENT.”

The question of liability

Not suitable for critical infrastructures, but often used there: How can this happen? Negligent errors with major damage, but no liability on the part of the manufacturer: How can this be?

In the context of open source, it is often incorrectly argued that the question of liability in the event of malfunctions and risks is unresolved, even though most manufacturers who place open source on the market with their products do provide a warranty.

We can do a lot to make things better by tackling the problems caused by poor quality and dependence on individual large manufacturers. Of course, an open source supply chain is viewed critically, and that’s a good thing. But it has clear advantages over a proprietary supply chain. The incident is a striking example of this. It is easy to prevent an open source company from rolling out a scheduled update in which basic components simply do not work by using appropriate toolchains, and this is what happens.

The consequences

So what can we learn from this disaster and what are the next steps to take? Here are some suggestions:

  1. improve quality: The best lever to put pressure on manufacturers is to increase the motivation for quality via stricter liability. The Cyber Resilience Act (CRA) offers initial approaches here.
  2. Safety first: In this case, this rule relates primarily to the technical approach to product development. Deeply intervening in customer systems is controversial in terms of security. Many customers reject this, but those affected obviously do not (yet). They have now suffered the damage. There are alternatives, which are also based on open source.
  3. use software only as intended: If a manufacturer advises against use in a critical environment, then this is not just a phrase in the general terms and conditions, but a reason for exclusion.
  4. centralisation with a sense of proportion: There are advantages and disadvantages to centralising the digital supply chain that need to be weighed up against each other. When dependency meets a lack of trustworthiness, risks and damage arise. User authorities and companies then stand helplessly in the queue, without alternatives and without their own sovereignty.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Vulnerability management in 12 minutes

Why is Greenbone not a security provider like any other? How did Greenbone come about and what impact does Greenbone’s long history have on the quality of its vulnerability scanners and the security of its customers? The new video “Demystify Greenbone” provides answers to these questions in an twelve-minute overview. It shows why experts need […]

Read more
/by
Markus Feilner

“Security crises are like earthquakes” – Greenbone CEO Jan-Oliver Wagner at the PITS Congress 2024

“Support for early crisis detection” was the topic of a high-profile panel on the second day of this year’s PITS Congress. On stage: Greenbone CEO Jan-Oliver Wagner together with other experts from the Federal Criminal Police Office, the German Armed Forces, the Association of Municipal IT Service Providers VITAKO and the Federal Office for Information Security.

Panel discussion at the PITS Congress 2024 on the topic of early crisis detection with Greenbone CEO Dr. Jan-Oliver Wagner and representatives from the BSI, Bundeswehr, BKA and VITAKO.

Once again this year, Behörden Spiegel organized its popular conference on Public IT Security (PITS). Hundreds of security experts gathered at the renowned Hotel Adlon in Berlin for two days of forums, presentations and an exhibition of IT security companies. In 2024, the motto of the event was “Security Performance Management” – and so it was only natural that Greenbone, as a leading provider of vulnerability management, was also invited (as in 2023), for example in the panel on early crisis detection, which Greenbone CEO Dr. Jan-Oliver Wagner opened with a keynote speech.

In his presentation, Jan-Oliver Wagner explained his view on strategic crisis detection, talking about the typical “earthquakes” and the two most important components: Knowing where vulnerabilities are, and providing technologies to address them.

Greenbone has built up this expertise over many years, also making it vailable to the public, in open source, always working together with important players on the market. For example, contacts with the German Federal Office for Information Security (BSI) were there right from the start: “The BSI already had the topic of vulnerability management on its radar when IT security was still limited to firewalls and antiviruses,” Wagner is praising the BSI, the German government’s central authority for IT security.

Today, the importance of two factors is clear: “Every organization must know how and where it is vulnerable, know its own response capabilities and has to keep working on improving them continuously. Cyber threats are like earthquakes. We can’t prevent them, we can only prepare for them and respond to them in the best possible way.”

“A crisis has often happened long before the news break”

According to Jan-Oliver Wagner’s definition, the constant cyber threat evolves into a veritable “crisis” when, for example, a threat “hits a society, economy or nation where many organizations have a lot of vulnerabilities and a low ability to react quickly. Speed is very important. You have to be faster than the attack happens.” The other participants on the panel also addressed this and used the term “getting ahead of the wave”.

The crisis is often already there long before it is mentioned in the news, individual organizations need to protect themselves and prepare themselves so that they can react to unknown situations on a daily basis. “A cyber nation supports organizations and the nation by providing the means to achieve this state,” says Jan-Oliver Wagner.

Differences between the military and local authorities

Major General Dr Michael Färber, Head of Planning and Digitalization, Cyber & Information Space Command, explained the Bundeswehr’s perspective: According to him, a crisis occurs when the measures and options for responding are no longer sufficient. “Then something develops into a crisis.”

From the perspective of small cities and similar local authorities, however, the picture is different, according to Katrin Giebel, Head of VITAKO, the Federal Association of Municipal IT Service Providers. “80 percent of administrative services take place at the municipal level. Riots would already occur when the vehicle registration is not available.” Cities and municipalities keep being hit hard by cyber attacks, and crises start much earlier here: “For us, threats are almost the same as a crisis.”

Massive negligence in organizations is frightening, says BSI

The BSI, on the other hand, defines a “crisis” as when an individual organization is unable or no longer able to solve a problem on its own. Dr Dirk Häger, Head of the Operational Cyber Security Department at the BSI: “As soon as two departments are affected, the crisis team convenes. For us, a crisis exists as soon as we cannot solve a problem with the standard organization.” This is giving a crucial role to those employees who decide whether to call together a meeting or not. “You just reach a point where you agree: now we need the crisis team.”

Something that Häger finds very frightening, however, is how long successful attacks continue to take place after crises have actually already been resolved, for example in view of the events surrounding the Log4j vulnerability. “We put a lot of effort into this, especially at the beginning. The Log4j crisis was over, but many organizations were still vulnerable and had inadequate response capabilities. But nobody investigates it anymore,” complains the head of department from the BSI.

How to increase the speed of response?

Asked by moderator Dr. Eva-Charlotte Proll, editor-in-chief and publisher at Behörden Spiegel, what would help in view of these insights, he describes the typical procedure and decision-making process in the current, exemplary checkpoint incident: “Whether something is a crisis or not is expert knowledge. In this case, it was a flaw that was initiated and exploited by state actors.” Action was needed at the latest when the checkpoint backdoor was beginning to be exploited by other (non-state) attackers. Knowledge of this specific threat situation is also of key importance for those affected.

Also Jan Oliver Wagner once again emphasized the importance of the knowledge factor. Often the threat situation is not being discussed appropriately. At the beginning of 2024, for example, an important US authority (NIST) reduced the amount of information in its vulnerability database – a critical situation for every vulnerability management provider and their customers. Furthermore, the fact that NIST is still not defined as a critical infrastructure shows that action is needed.

The information provided by NIST is central to the National Cyber Defense Center’s ability to create a situational picture as well, agrees Färber. This also applies to cooperation with the industry: several large companies “boast that they can deliver exploit lists to their customers within five minutes. We can improve on that, too.”

Carsten Meywirth, Head of Department at the BKA, emphasized the differences between state and criminal attacks, also using the example of the supply chain attack on Solarwinds. Criminal attackers often have little interest in causing a crisis because too much media attention might jeopardize their potential financial returns. And security authorities need to stay ahead of the wave – which requires intelligence and the potential to disrupt the attackers’ infrastructure.

BKA: International cooperation

According to Major General Färber, Germany is always among the top 4 countries in terms of attacks. The USA is always in first place, but states like Germany end up in the attackers’ dragnets so massively simply because of their economy’s size. This is what makes outstanding international cooperation in investigating and hunting down perpetrators so important. “Especially the cooperation of Germany, the USA and the Netherlands is indeed very successful, but the data sprints with the Five Eyes countries (USA, UK, Australia, Canada and New Zealand) are also of fundamental importance, because that is where intelligence findings come to the table, are being shared and compared. “Successful identification of perpetrators is usually impossible without such alliances,” says Michael Färber. But Germany is well positioned with its relevant organizations: “We have significantly greater redundancy than others, and that is a major asset in this fight.” In the exemplary “Operation Endgame“, a cooperation between the security authorities and the private sector launched by the FBI, the full power of these structures is now becoming apparent. “We must and will continue to expand this.”

“We need an emergency number for local authorities in IT crises”

Getting ahead of the situation like this is still a dream of the future for the municipalities. They are heavily reliant on inter-federal support and a culture of cooperation in general. An up-to-date picture of the situation is “absolutely important” for them, Katrin Giebel from VITAKO reports. As a representative of the municipal IT service providers, she is very familiar with many critical situations and the needs of the municipalities – from staff shortages to a lack of expertise or an emergency number for IT crises that is still missing today. Such a hotline would not only be helpful, but it would also correspond to the definition from Wagner’s introductory presentation: “A cyber nation protects itself by helping companies to protect themselves.”

BSI: prevention is the most important thing

Even if the BSI does not see itself in a position to fulfil such a requirement on its own, this decentralized way of thinking has always been internalized. But whether the BSI should be developed into a central office in this sense is something that needs to be discussed first, explains Dirk Häger from the BSI. “But prevention is much more important. Anyone who puts an unsecured system online today will quickly be hacked. The threat is there. We must be able to fend it off. And that is exactly what prevention is.”

Wagner adds that information is key to this. And distributing information is definitely a task for the state, which is where he sees the existing organizations in the perfect role.

Sponsor wall of the PITS Congress 2024 with logos of leading IT security companies such as Greenbone, Cisco, HP and other partners from government and industry.

Contact Test Now Buy Here Back to Overview

/by
Dirk Boeing

NIS2: From impending doom to effective measures

Winter is coming: The motto of House Stark from the series “Game of Thrones” indicates the approach of an undefined disaster. One could also surmise something similar when reading many articles that are intended to set the mood for the upcoming NIS2 Implementation Act (NIS2UmsuCG). Is NIS2 a roller of ice and fire that will bury the entire European IT landscape and from which only those who attend one of the countless webinars and follow all the advice can save themselves?

NIS2 as such is merely a directive issued by the EU. It is intended to ensure the IT security of operators of important and critical infrastructures, which may not yet be optimal, and to increase cyber resilience. Based on this directive, the member states are now called upon to create a corresponding law that transposes this directive into national law.

What is to be protected?

The NIS Directive was introduced by the EU back in 2016 to protect industries and service providers relevant to society from attacks in the cybersphere. This regulation contains binding requirements for the protection of IT structures in companies that operate as critical infrastructure (KRITIS) operators. These are companies that play an indispensable role within society because they operate in areas such as healthcare services, energy supply and transport. In other words, areas where deliberately caused disruptions or failures can lead to catastrophic situations – raise your hand if your household is equipped to survive a power outage lasting several days with all its consequences…

As digitalisation continues to advance, the EU had to create a follow-up regulation (NIS2), which on the one hand places stricter requirements on information security, but on the other hand also covers a larger group of companies that are “important” or “particularly important” for society. These companies are now required to fulfil certain standards in information security.

Although the NIS2 Directive was already adopted in December 2022, the member states have until 17 October 2024 to pass a corresponding implementing law. Germany will probably not make it by then. Nevertheless, there is no reason to sit back. The NIS2UmsuCG is coming, and with it increased demands on the IT security of many companies and institutions.

Who needs to act now?

Companies from four groups are affected. Firstly, there are the particularly important organisations with 250 or more employees or an annual turnover of 50 million euros and a balance sheet total of 43 million euros or more. A company that fulfils these criteria and is active in one of the following sectors: energy, transport, finance/insurance, health, water/sewage, IT and telecommunications or space is particularly important.

In addition, there are the important organisations with 50 or more employees or a turnover of 10 million euros and a balance sheet total of 10 million euros. If a company fulfils these criteria and is active in one of the following sectors: postal/courier, chemicals, research, manufacturing (medical/diagnostics, IT, electrical, optical, mechanical engineering, automotive/parts, vehicle construction), digital services (marketplaces, search engines, social networks), food (wholesale, production, processing) or waste disposal (waste management), it is considered important.

In addition to particularly important and important facilities, there are also critical facilities, which continue to be defined by the KRITIS methodology. Federal facilities are also regulated.

What needs to be done?

In concrete terms, this means that all affected companies and institutions, regardless of whether they are “particularly important” or “important”, must fulfil a series of requirements and obligations that leave little room for interpretation and must therefore be strictly observed. Action must be taken in the following areas:

Risk management

Affected companies are obliged to introduce comprehensive risk management. In addition to access control, multi-factor authentication and single sign-on (SSO), this also includes training and incident management as well as an ISMS and risk analyses. This also includes vulnerability management and the use of vulnerability and compliance scans.

Reporting obligations

All companies are obliged to report “significant security incidents”: these must be reported to the BSI reporting centre immediately, but within 24 hours at the latest. Further updates must be made within 72 hours and 30 days.

Registration

Companies are obliged to determine for themselves whether they are affected by the NIS2 legislation and to register themselves within a period of three months. Important: Nobody tells a company that it falls under the NIS2 regulation and must register. The responsibility lies solely with the individual companies and their directors.

Evidence

It is not enough to simply take the specified precautions; appropriate evidence must also be provided. Important and particularly important facilities will be inspected by the BSI on a random basis, and appropriate documentation must be submitted. KRITIS facilities will be inspected on a regular basis every three years.

Duty to inform

In future, it will no longer be possible to sweep security incidents under the carpet. The BSI will be authorised to issue instructions to inform customers about security incidents. The BSI will also be authorised to issue instructions on informing the public about security incidents.

Governance

Managing directors are obliged to approve risk management measures. Training on the topic will also become mandatory. Particularly serious: Managing directors are personally liable with their private assets for breaches of duty.

Sanctions

In the past, companies occasionally preferred to accept the vague possibility of a fine rather than making concrete investments in cyber security measures, as the fine seemed quite acceptable. NIS2 now counters this with new offences and in some cases drastically increased fines. This is further exacerbated by the personal liability of managing directors.

As can be seen, the expected NIS2 implementation law is a complex structure that covers many areas and whose requirements can rarely be covered by a single solution.

What measures should be taken as soon as possible?

Continuously scan your IT systems for vulnerabilities. This will uncover, prioritise and document security gaps as quickly as possible. Thanks to regular scans and detailed reports, you create the basis for documenting the development of the security of your IT infrastructure. At the same time, you fulfil your obligation to provide evidence and are well prepared in the event of an audit.

On request, experts can take over the complete operation of vulnerability management in your company. This also includes services such as web application pentesting, which specifically identifies vulnerabilities in web applications. This covers an important area in the NIS2 catalogue of requirements and fulfils the requirements of § 30 (risk management measures).

Conclusion

There is no single, all-encompassing measure that will immediately make you fully NIS2-compliant. Rather, there are a number of different measures that, taken together, provide a good basis. One component of this is vulnerability management with Greenbone. If you keep this in mind and put the right building blocks in place in good time, you will be on the safe side as an IT manager. And winter can come.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

Protection of Office Suites: Greenbone Integrates Additional BSI Basic and CIS Guidelines

The IT-Grundschutz-Compendium of the Federal Office for Information Security (BSI) has, in recent years, provided clear guidelines for users of Microsoft Office. Since April 2024, Greenbone’s enterprise products have integrated tests to verify whether a company is implementing these instructions. The BSI guidelines are aligned with the Center for Internet Security (CIS) guidelines.

In the section “APP:Applications 1.1. Office Products” the BSI specifies the “requirements for the functionality of Office product components.” The goal is to protect the data processed and used by the Office software. While Microsoft Office is likely the primary reference due to its widespread market penetration, the model behind the BSI guidelines aims to apply to any office product “that is locally installed and used to view, edit, or create documents, excluding email applications.”

BSI Guidelines

The module explicitly builds on the requirements of the “APP.6 General Software” component and refers to the modules “APP.5.3 General Email Client,” “APP.4.3 Relational Databases,” and “OPS.2.2 Cloud Usage,” although it expressly does not consider these.

The BSI identifies three main threats to Office suites:

  • Lack of customization of Office products to the institution’s needs
  • Malicious content in Office documents
  • Loss of integrity of Office documents

The components listed in the BSI IT-Grundschutz-Compendium include 16 points, some of which have since been removed. Greenbone has developed several hundred tests, primarily addressing five of the basic requirements, including “Secure opening of documents from external sources” (APP.1.1. A3) and “Use of encryption and digital signatures” listed in APP.1.1. A15. The BSI specifies:

“All documents obtained from external sources MUST be checked for malware before being opened. All file formats deemed problematic and all unnecessary within the institution MUST be banned. If possible, they SHOULD be blocked. Technical measures SHOULD enforce that documents from external sources are checked.”

Regarding encryption, it states: “Data with increased protection requirements SHOULD only be stored or transmitted in encrypted form. Before using an encryption method integrated into an Office product, it SHOULD be checked whether it offers sufficient protection. Additionally, a method SHOULD be used that allows macros and documents to be digitally signed.”

CIS Guidelines Enhance Basic Protection

In addition to the requirements listed in the BSI Basic Protection Manual, the CIS Benchmark from the Center for Internet Security (CIS) for Microsoft Office includes further and more specific suggestions for securing Microsoft products. The CIS guidelines are developed by a community of security experts and represent a consensus-based best practice collection for Microsoft Office.

As one of the first and only vulnerability management providers, Greenbone now offers tests on security-relevant features mentioned in the CIS guidelines, uniting CIS and BSI instructions in numerous, sometimes in-depth tests, such as on ActiveX Control Initialization in Microsoft Office. The Greenbone Vulnerability Management tests whether this switch is set to “enabled”, but also many other settings, for example, whether “Always prevent untrusted Microsoft Query files from opening” is set to “Enabled” among many others.

Many tests focus on external content, integrating macros, and whether and how these external contents are signed, verifiable, and thus trustworthy or not, and whether administrators have done their homework in configuring Microsoft Office. According to the BSI, one of the most significant threats (and the first mentioned) is the lack of adaptation of Office products to the reality and the business processes in the company. Greenbone’s new tests ensure efficient compliance with regulations, making it harder for attackers and malware to establish a foothold and cause damage in the company.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

PITS 2024 Public IT Security

Save the date: The “German Congress for IT and Cyber Security in Government and Administration” (June 12 to 13, 2024) provides information on current trends, strategies and solutions in IT security.

In the main program: “IT support for early crisis detection” (Moderation: Dr. Eva-Charlotte Proll, Editor-in-Chief and Publisher, Behörden Spiegel).

Participants:

  • Dr. Jan-Oliver Wagner, Chief Executive Officer Greenbone
  • Carsten Meywirth, Head of the Cybercrime Division, Federal Criminal Police Office
  • Generalmajor Dr. Michael Färber, Head of Planning and Digitization, Cyber & Information Space Command
  • Katrin Giebel, Branch Manager, VITAKO Bundesverband kommunaler IT-Dienstleister e.V.
  • Dr. Dirk Häger, Head of the Operational Cybersecurity Department, Federal Office for Information Security (BSI)

Where? Berlin, Hotel Adlon Kempinski, Unter den Linden 77
When? 13.06.2024; 9:40 a.m.

Vulnerabilities in IT systems are increasingly being exploited by malicious attackers. You can protect your IT systems with vulnerability management. Visit us in our lounge at stand 44 – we look forward to seeing you!

Registration: https://www.public-it-security.de/anmeldung/

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

The Confluence of Open Source and Cybersecurity in companies: Insights from Greenbone at #OSXP2023 in Paris

International panel discussion on effective cybersecurity at #OSXP2023

At the esteemed #OSXP2023 event, that took place in Paris, our participation in the “Cybersécurité et open source” roundtable brought forward critical discussions on improving cybersecurity in companies. The panel, including distinguished experts from the academic and governmental sectors, delved into strategies and points of vigilance essential for robust cybersecurity.

Panel discussion at the Open Source Experience 2023 in Paris on 'Cybersécurité et open source' with international experts and audience.

1. The Mindset of Security

Security by Design: A Leadership Commitment

  • The panel emphasized the importance of incorporating security from the initial stages of development. This approach requires a commitment from the top management to prioritize security in all business operations.

A Mentality Focused on Secure and Protected Solutions

  • Companies must cultivate a culture where security is an integral part of the thinking process, aiming to deliver solutions that are inherently secure and protected.

2. Implementing Key Processes

Adherence to Standards and Automation

  • The importance of adhering to established cybersecurity standards was underscored, with a recommendation to automate processes wherever possible to ensure consistency and efficiency.

No Deployment Without Security Compliance

  • It was strongly advised that no deployments or actions should proceed without meeting the necessary security requirements.

3. Resources: Empowering Teams and Enhancing Vigilance

Dedicated Security Teams and Training

  • Having specialized security teams and conducting regular training sessions were identified as crucial for maintaining a high level of security awareness and preparedness.

Vigilance as a Continuous Effort

  • Continuous vigilance was highlighted as a key resource, ensuring that security measures are always up-to-date and effective.

4. Essential Tools and Technologies

Mandatory Multi-Factor Authentication (MFA)

  • Implementing MFA as a compulsory measure we recommend enhancing account security significantly.

Vulnerability Scanners and Dependance Management

  • Utilizing vulnerability scanners and managing dependencies and configurations were suggested as vital tools. While platforms like GitHub Enterprise may be costly, they offer comprehensive solutions for these needs.

Conclusion: Education, Awareness, and the Use of Open-Source Tools

In conclusion, the panel at #OSXP2023, including our expert Corentin Bardin, a cyber security specialist and pen tester, highlighted the importance of continuous education and staying updated in the rapidly evolving cybersecurity landscape. They advocated for the use of open-source tools to bolster security measures.

The key takeaway from the discussion is the commitment to offering secure services. It’s not just about the tools and processes; it’s about the mindset and ongoing effort to stay vigilant and informed.


Contact Free Trial Buy Here Back to Overview

/by