In September 2023, the Internet Security Days (ISDs) once again attracted IT security experts, security managers and user companies to meet together at Phantasialand near Cologne, Germany.
Under the motto of “Backup for Tomorrow”, the ISDs invited participants to Phantasialand near Cologne on 21 and 22 September 2023. Around 250 participants on each day of the event had a choice of 40 exciting presentations and panel discussions. There were two parallel presentation tracks on four main topics: Achieving the State of the Art, Future Security, Digital Supply Chain Security and Connected Security.
“In order to maintain the security of the digitalisation of business and society, we now need the resources to keep pace with organised cybercrime via cybersecurity research,” stated eco Board Member Prof. Norbert Pohlmann in his opening speech; in this respect, he talked about how artificial intelligence is changing the cybersecurity landscape.
In his opening keynote, Wilfried Karl of ZITiS – Central Office for Information Technology in the Security Field concurred: “We have to make sure we don’t fall behind permanently in AI, but respond now to the professionalisation of cybercrime in order to remain digitally sovereign.” The shortage of skilled workers poses a major challenge in this regard.
The challenges of IT security are growing
Sebastian Schreiber from SySS GmbH demonstrated cyber attacks live in practice. Using smart thermostats, a web shop and other examples, he pointed out vulnerabilities in many IT systems. “If you neglect penetration tests, possibilities for manipulation are overlooked. Therefore, application tests are essential,” Schreiber said.
Scott Boyd from Cloudflare GmbH spoke of the difficulty of discovering threat data in the daily flood of data. In his keynote entitled “Finding the Needle WITH the Haystack: Detecting Unknown Threats”, he outlined strategies for adaptively recognising threat data and uncovering unknown threats. What helps with this is machine learning – or, more precisely, Cloudflare’s well-trained engine; ultimately, 20 per cent of the Internet flows through the Cloudflare network.
Shaping the future more securely
Machine learning and artificial intelligence (AI) were also addressed by Patrick Grihn from nextindex, who spoke about applications of AI in the context of data protection and trade secrets. The EU’s AI Act is intended to regulate AI and classify the risk of AI. What challenges does this pose for companies? “It’s not a question of whether we use AI,” said Grihn, going on to say: “Every company has to deal with AI and needs guidelines on how to deal with data protection and trade secrets in this context.”
Standardisation and regulation were also discussed in the panel discussion on email authentication moderated by Michael Weirich, involving Peer Heinlein (Heinlein Support GmbH), Sebastian Kluth (Certified Senders Alliance), Jochen Meyer (MediaBEAM GmbH) and Björn Trappe (Laokoon SecurITy GmbH). The participants noted that, in addition to the measures that are already in place and being implemented, the human factor continues to be decisive when it comes to email security. This means that, at best, security measures should be conducted in a standardised manner by all players in order for them to function effectively.
Attorney-at-law Dr. Lutz Martin Keppeler had another regulatory topic on his agenda. He spoke about IT security law in supply chain security before and after the CRA (Cyber Resilience Act) and addressed specific features of IT law.
Thanks to long-standing member companies
Before the lunch break, eco’s Managing Director Alexander Rabe had the pleasure of honouring long-standing member companies of the eco Association. He invited representatives of q.beyond AG and toplink GmbH to take the stage. For 20 years now, both of these companies have been involved with the eco Association in shaping the Internet; it was therefore no surprise to see that they were awarded a certificate. Following on from this, ratiokontakt GmbH, which has been on board for 25 years, was also presented with a certificate of thanks from the eco Association.
How do we want to be as a company, what demands do we have of ourselves? Dirk Kalinowski from AXA Versicherung AG explained the scope and possibilities of cyber insurance. Using case studies, he explained damage caused by cybercrime and how people can insure themselves against it.
Robert Macioszek from GasLINE then presented monitoring strategies. In order for the permanent observation of a system to be successful, rules must be followed: “No monitoring rule should be set up without a planned reaction.” At the same time, Olaf Pursche from SITS Germany Holding GmbH presented how Large Language Models such as ChatGPT can be used to create phishing emails and other malware. Although the software contains security measures, these can be circumvented. Pursche explained that: “AI won’t build digital nuclear bombs, but it can be used to develop new combinations, and at an extremely high speed.” Dr. Stefan Meier from Meier Computersysteme GmbH also spoke about the challenges of creating information security for small and medium-sized enterprises (SMEs). Furthermore, in his presentation, Thomas Wagner from Myra Security GmbH explained the different measures to be taken in the event of a DDoS incident and how preventive protective measures can help to reduce costs in the long term.
Under the title of “Artificial Intelligence – Gamechanger for Cybersecurity?”, the overall view was that: “We need new liability schemes”. This was discussed by Prof. Pohlmann in conversation with Ramin Karbalaie (NAIX GmbH), Sebastian Schreiber (SySS GmbH) and Dr. Arthur Schmidt (Federal Office for Information Security). This panel was moderated by Jamal Lammert (eco).
Peer Heinlein of Heinlein Support GmbH spoke about the protection of secrets in video conferences, in which numerous sensitive data are shared; following on from this, Dr. Michael Lemke of Huawei gave a presentation on vulnerability management.
IT security viewed from a scientific perspective
Daniel Haak, a scientific assistant at the Institute for Agile Software Development at Augsburg University of Applied Sciences, presented the research project HITSSSE (Higher IT Security through Secure Software Development), which is intended to help SMEs develop secure software. Among other goals, HITSSSE is intended to help protect assets by analysing code segments and checking them for potential vulnerabilities.
Anne Hennig from the Institute for Applied Informatics and Formal Description Methods (AIFB) at the Karlsruhe Institute of Technology (KIT) also presented a research project: INSPECTION identifies hacked websites that redirect to fake shops.
Research projects like these can help SMEs in particular to implement more cybersecurity. Such companies are often confronted with challenges, such as limited resources or a lack of IT specialists.
Highlight: Internet Security Night
The Internet Security Night proved just how much fun networking around IT security topics can be. In the Phantasialand STOCK’s event location, an industrial-chic ambience included a sumptuous BBQ buffet and chilled drinks. eco Board Member Klaus Landefeld was on hand to welcome the participants. Aside from many opportunities for networking and chats, a female DJ managed to get everyone to hit the dance floor.
The second day began with a highlight: Kai Pohle from the Schwarz Group gave insights into the protection of Europe’s largest retail group. He explained how the former pure trading group is shaping digitalisation within the company, has successfully established its own IT network, and is now itself offering IT services.
Manuel Atug from HiSolutions AG explained the role of cybersecurity in critical infrastructures (called KRITIS in Germany), which are highly relevant in times of political and military conflicts. Since sabotage of critical infrastructures and other factors are part of modern warfare, Atug stressed that: “We need to pursue cyber defence.” The resilience and security of KRITIS was also discussed in the subsequent panel with Emma Wehrwein (Gaia-X Federation Services), Manuel Atug (HiSolutions), Caroline Krohn (AG Sustainable Digitalisation) and Stephan Bock (Cloudflare GmbH), with this panel moderated by Ulrich Plate (nGENn GmbH).
What should be considered when selecting and combining firewalls? To illustrate this, Gregor Chroner from GTT demonstrated customer examples. On his part, Hans C. Wenner from the VDE Association dealt in his presentation with cybersecurity by design for medical technology. His focus was on health data sent via 6G in the network of nets. He provided tips on how the security level could be increased, for example, by means of artificial intelligence and blockchain.
In his presentation, Tarek Nemri from plusserver explained the opportunities and challenges regarding IT security in the cloud environment. Nemri highlighted that IT security should now be seen not only as a cost centre, but also as a business enabler. Nils Karn, Managing Director of the cybersecurity start-up Resilty, reported on the current state of cloud security. He cited challenges and tips for securing cloud infrastructures – for example, by means of the Mitigant service. Dr. Guido Frank, Federal Office for Information Security, spoke about how the secure configuration of TLS connections can be checked. Cloud security against the background of the EU Cyber Resilience and Cyber Security Act was also the topic of Christian Banse from Fraunhofer AISEC. Moving on, Jörg Peine-Paulsen spoke about the dangers of radicalisation and internal perpetrators. He presented various perpetrator profiles and, in his presentation, shed light on this taboo topic. He emphasised the strong sociological component of internal perpetrators: “Happy employees are ordinarily no internal perpetrators,” said Peine-Paulsen.
Attack surface is exploding
“Many organisations believe they have their IT architecture under control – but if you look more closely, the attack surface is exploding,” stated Dr. Silvia Knittl from PwC GmbH WPG. In her presentation on quantum computing, Dr. Heike Hagemeier also pointed out the risks in the field and recommended an early migration to post-quantum cryptography in order to remain resilient against these technologies. Dr. Rachid El Bansarkhani joined this topic and reported in the afternoon on how quantum computing and AI will significantly influence the field of security.
In the meantime, in their presentation, Chris Lichtenthäler and Benjamin Pieck from Esprit Europe demonstrated how IT and HR departments collaborate. Technological solutions can help address issues such as counteracting the shortage of skilled workers, but employees must also establish a heightened awareness of security. The focus at this interface is therefore on aspects such as digital collaboration, lifelong learning, as well as re-skilling and upskilling.
The event concluded with a panel discussion on Future Security: How will quantum computers and AI change our security world? Dr. Silvia Knittl (PWC), Dr. Mark Vinkovits (XUND Solutions), Dr. Rachid El Bansarkhani (QuantiCor Security) and Jörg Peine-Paulsen (Federal Ministry of the Interior, Building and Community) addressed this topic, which was moderated by Fabian Landa. “Security is often only tackled when it is too late,” commented Dr. Rachid Bansarkhani in the discussion.
Being well-prepared for the challenges of the future helps to shape digitalisation securely. To this end, ISDs 2023 made a significant contribution. Once again, we would like to thank our sponsors Cloudflare, Syss, Huawei, Myra, plusserver, Avast, the Cyber Security Cluster Bonn and the Federal City of Bonn. Our greatest thanks go to all our visitors who enriched the Internet Security Days with their know-how, contributions and questions – we look forward to seeing you at ISDs 2024!