Download as PDF - Secunet

The IT Security Report by
Issue 1 | 2013
Partnership for Security
in Cyberspace
Alliance for Cyber Security
as a central information platform
Increased Security for
Passengers – including
online
Nicolas Hunloh, Team Leader
Internet, Düsseldorf Int. Airport
Automation is the Way
Forward for Border Control
secunet eGates securely manage
increasing passenger numbers at
national borders
Electronic management
of classified items without
discontinuity of media
SINA Workflow for security and
compliance with regulations

The IT Security Report by
Content
National
03 Local High-Quality IT Products
for Local Users
04 Partnership for Security in Cyberspace –
Alliance for Cyber Security as a central
information platform
06 German Justice Plays it Safe
08 Increased Security for Passengers –
including online
10 Challenges for PKI Systems
in Vehicles
International
14 Automation is the Way Forward for
Border Control
Technologies & Solutions
16 Electronic management of
classifi ed items without discontinuity
of media
09 Hackerstory #2
Budget and Production Pressures
as Risk Factors
12 Preventive security #1
FIFA World Cup Shoots Holes in IT System
17 News in Brief
secunet on Twitter, Xing and LinkedIn /
New Agreement with National Government
on IT Security Services / New Appointment
at the BSI
18 Events
Dear Readers,
irrespective of whether we operate in the public or private sector, we are
all doing business more and more in cyber space; we are thus increasingly
dependent on the secure and uninterrupted functioning of digital information
and communication technologies. If we are to maintain security of information,
data and processes on a permanent basis, we must continuously adapt to
the shifting level and nature of the threat posed by hackers and the methods
they employ. The detailed exchange of information and experiences between
industry, government agencies and experts not only facilitates a high degree
of transparency but also makes the job of prevention easier for us all. One
of the platforms for such exchanges is the Allianz für Cyber-Sicherheit (Alliance
for Cyber Security) founded by the German Federal Offi ce for Information
Security (BSI) and the Federal Association for Information Technology,
Telecommunications and New Media (BITKOM). We spoke with Dr Hartmut
Isselhorst from BSI about the aims and objectives of the Alliance.
Here at secunet, we also intend to place the exchange of ideas with our
customers on a more direct footing; consequently, we have undertaken an
internal restructuring designed to make us more fl exible in the way we cater
for your needs, aspirations and demands. We will thus be able to respond
more effi ciently and quickly to current developments in the cyber world and to
offer you, our customers, optimum proactive and innovative support as you
rise to future challenges and implement new projects.
- Our Public Sector (formerly High Security and Government Division) advises
clients from the public sector and the defence industry both here in
Germany and abroad, proposing current products and services that can
be combined for specifi c circumstances as well as customised security
solutions. These are fully compatible with any modern administration, they
are capable of handling jobs at the highest level and they comply with highsecurity
specifi cations for the protection of classifi ed information.
- Our Business Sector (formerly Business Security and Automotive Security
Division) helps private business clients to fully exploit the potential of increased
digitisation and the associated electronic mapping of business processes,
and also to securely map intelligent networks, mobile applications,
IT-based control of production/logistics operations and the digitisation
of transport and traffi c systems.
The areas in which we excel and our achievements to date are a matter of
record. We now present some of the latest developments in this edition of
secuview.
I hope you enjoy reading our magazine.
Best wishes
19 Dates
Dr Rainer Baumgart
02 » 1 | 2013

National
Local High-Quality
IT Products for Local Users
IT security technology ‘Made in Germany’ is being supplied
direct to government agencies around the country
Following the successful piloting of the federal government
IT investment programme in 2010, the German Federal Office
for Information Security (BSI) launched a follow-up project –
‘Sondertatbestand’ – in 2012. The purpose of this is to support
government agencies by simplifying the procurement process
for IT security solutions, including the SINA range of products.
This ensures not only that all data is optimally protected
but also that cryptographic systems approved for the NfD
(RESTRICTED) classification become more widely established.
classified
information
Within the framework of the Sondertatbestand project, participating
agencies received products at no extra expense for
- interface control
- hard disk encryption
- encryption of mobile storage media
- encrypted USB flash devices
- securing mobile scenarios
The use of a SINA workstation makes it easy for authorities to
securely access both unclassified and RESTRICTED data at
any time and from any location, whether the operator is away
on business or ‘teleworking’ from home.
RESTRICTED
Support close at hand
SINA experts from secunet provided support to the various
government IT departments in implementation, installation
and on-site training. secunet support is then on call around
the clock, seven days a week. It is a tremendous advantage
when the experts are just a phone call away.
When there is a total loss of IT service, it is important that
response times are short and the correct action is taken. For
this reason, the Sondertatbestand project also includes a
security consultancy element. secunet supports the participating
agencies in complying with the criteria of the federal
government action plan known as ‘UP-Bund’. This includes
in particular measures to improve information security and the
development of a continuity management plan.
The BSI has conceived the Sondertatbestand project as a way
of making IT expertise available to individual authorities conveniently
and without impacting on their budget. In this way,
applicants procure internationally competitive products from
national suppliers. And in any case, the German encryption
industry enjoys a high reputation around the world. The evidence
for this is in the many national and international projects
that make use of encryption products from Germany.
More information:
Dirk Mangelmann
dirk.mangelmann@secunet.com
1 | 2013 « 03

National
Partnership for Security in
Cyberspace – Alliance for
Cyber Security as a central
information platform
An Interview with Dr Hartmut Isselhorst of the BSI
on the Alliance for Cyber Security
secuview: The new Alliance for Cyber
Security was founded by the BSI (German
Federal Office for Information
Security) and BITKOM at the annual
CeBIT trade show in March 2012. What
was the reason for setting up such an
organisation
Dr Hartmut Isselhorst: Internet technologies
in recent years have led to
major advances in the IT and telecommunications
industry. Indeed, information
technology has penetrated virtually
all areas of our lives and every sector of
the economy, making them an integral
part of cyberspace today. As a result,
value-added processes in the ‘real
world’ are inextricably linked to the virtual
world and are barely conceivable
today without it. The challenge of
making cyberspace more secure can
now only be met through the combined
efforts of business and industry, academia
and the government. The Alliance
for Cyber Security reflects this need for
cooperation and serves as a platform
for the exchange of knowledge and
expertise in the field. Indeed, lasting
security can only be achieved if we
continually revise our strategies for
preventing, recognising and responding
to security threats and the evolving
methods of cyber criminals.
secuview: The Alliance’s members include
partners and members. How
many companies joined the Alliance in
2012, and what are the main reasons for
which individuals and business partners
seek membership
Dr Hartmut Isselhorst: We received
an overwhelmingly positive response
to the Alliance for Cyber Security, even
„The Alliance offers a variety of
services, including issuing warnings
about current cyber threats,
identifying best practices, unifying
industry standards and providing
security solutions for systems
currently in use.“
during the pilot phase. Since then, other
noteworthy cyber security experts have
joined our ranks, meaning that more
than 200 companies and organisations –
including 50 of partners – were active
members of the Alliance for Cyber Security
at the beginning of 2013.
The Alliance offers a variety of services,
including issuing warnings about current
cyber threats, identifying best practices,
unifying industry standards and
providing security solutions for systems
currently in use, as well as providing
general recommendations on the se-
Dr Hartmut Isselhorst,
man in charge at the
Department of Cyber
Security of the BSI
cure use of IT components. In addition
to the above, the BSI publishes up-todate
information regarding the ongoing
security situation in cyberspace, thus
enabling institutions to modify their
activities accordingly. In order for this
information to be as complete as possible,
partners and individual members
in the Alliance are also encouraged to
report their own knowledge and findings
regarding cyber attacks to the BSI.
Finally, alongside acting as a central hub
for information distribution, the Alliance
seeks to promote direct knowledge
exchanges in smaller groups such as in
regional and industrial working groups
or informal meetings.
secuview: What security threats do you
expect to emerge over the next few
years, and what measures will the Alliance
be implementing to counter them
Dr Hartmut Isselhorst: The growing
trend of using information services on
the move is going to have a knock-on
04 » 1 | 2013

National
effect on cyberspace security threats.
Smartphones and tablets are now established
internet terminals, and their
position in the market has been
strengthened by their integration into
corporate IT systems – both formally
and through BYOD policies. This has increased
the attraction of these devices
to cyber criminals and malware developers.
The topic of ‘mobile malware’ will
therefore remain on the agenda for the
foreseeable future.
Other
organisations
The Alliance for Cyber Security was established in March 2012 by the
Federal Office for Information Security (BSI) and BITKOM. This joint
initiative acts as a platform for the sharing of information and experiences
in the general area of cyber threats. At the international level,
it promotes cross-border collaboration with other Alliance partners.
BSI
Government
agencies
Multipliers
Businesses
We are also preparing for attacks and
attempted attacks against specific companies
or institutions. Cyberspace is an
attractive point of attack for criminals because
it provides easy access to potential
targets and a myriad of opportunities
for deception, as well as an incredibly
diverse range of vulnerabilities which
can be exploited. We expect hackers
to draw on their experiences of launching
targeted attacks in recent years to
further improve their methods and carry
out increasingly sophisticated attacks.
We are also anticipating some positive
developments, however. Indeed, whilst
companies are still very reticent to disclose
information about cyber attacks
on their own systems, the BSI is increasingly
hearing from companies willing to
share their experiences in small groups.
If this trend continues, it will most certainly
help to raise user awareness and
provide a more complete picture of the
current security situation, thus serving
to boost cyberspace’s ‘immune system’
over the long term.
secuview: Nowadays, the entire world
is connected via the internet, and so attacks
can be carried out from far beyond
our national borders. Will the BSI also be
working with the Alliance to contact and
exchange information with other groups
internationally
Dr Hartmut Isselhorst: The international
exchange of knowledge and expertise
is indispensable when it comes to cyber
security. Within the Alliance for Cyber
Operators
of critical
infrastructures
Partners
Security, this is achieved not only
through the BSI’s various international
partnerships, but also through the crossborder
activities of the Alliance’s partner
companies. The knowledge and expertise
gained through this international cooperation
contributes a great deal to the
„In light of the overwhelmingly
positive feedback received from
companies involved in the Alliance
for Cyber Security in 2012, we
intend to continue implementing
and building upon the organisation’s
activities in 2013.“
Alliance’s work and is always analysed
and shared in such a way that it benefits
all members as much as possible.
In practical terms, the Alliance for Cyber
Security’s partners and key communicators
can also contribute by upholding
knowledge exchange between the Alliance
and international groups or initiatives
abroad.
secuview: One final question: What’s
next for the Alliance in 2013
Dr Hartmut Isselhorst: In light of the
overwhelmingly positive feedback received
from companies involved in the
Alliance for Cyber Security in 2012, we
Other
institutions of
particular interest to
the state (INSI)
intend to continue implementing and
building upon the organisation’s activities
in 2013. In my view, it is important
to always keep in mind the expectations
that are communicated to the BSI in the
course of major events and private discussions.
This is why we will be organising
more industry-specific events for
various target groups in 2013 – to raise
awareness of cyber security issues on
the one hand, and to maintain a direct
dialogue with and between companies
on the other. We have started the ball
rolling this year with the first ever Cyber
Security Day for members of the Alliance
in January. In February, this event has
been followed by a major conference
in partnership with the logistics industry
and knowledge exchange across
different sector. We also have several
other events in the pipeline. In addition
to the above, I am very much looking
forward to the numerous contributions
recently announced by our partners
which will create significant added value
for all of the Alliance for Cyber Security’s
members.
secunet is a partner company in
the Alliance for Cyber Security
and draws on the extensive
knowledge and expertise of its
IT security specialists to support
the organisation’s members.
1 | 2013 « 05

National
German Justice
Plays it Safe
secunet connects Bavaria to S.A.F.E.
central registry
The introduction of mandatory electronic commercial
registration in 2007 coincided with the launch of a new communication
infrastructure in the German judicial system. The
opportunity of having direct access to courts and authorities
via EGVP proved hugely popular right from the start; in fact,
projected user numbers were far exceeded after only three
months in operation. Because everyone registering as an
EGVP user is assigned a unique mailbox address by the identity
management system and this data must be constantly
replicated to all other active EGVPs in the system, the registration
service is of paramount importance.
What is EGVP
The electronic legal and administrative mailbox, in Germany known as
EGVP (Elektronisches Gerichts- und Verwaltungspostfach), can be used
by courts and government authorities in communication with each other
as well as with other parties to certain judicial proceedings (e. g. lawyers,
notaries, businesses and private citizens) for the safe, legal and effi cient
transmission of messages, documents and pleadings in the OSCI format
(Online Services Computer Interface). EGVP automatically encrypts the
entire data exchange. Messages can also have fi les attached and, if
necessary, bear an electronic signature. This speeds up legal processes,
and all parties benefi t from the increased effi ciency. No wonder then that
more than 40,000 parties to proceedings in all 16 federal states and in
most federal courts in Germany are making use of the EGVP, a trend that
is even expected to grow further.
Separation of registration process
from EGVP: S.A.F.E.
In order to be optimally positioned in the future in terms of
performance and interfaces, the Bund-Länder-Kommission
für Datenverarbeitung und Rationalisierung in der Justiz (Joint
Federal and State Commission for Data Processing and Rationalisation
in Judicial Processes) has prescribed the architecture
of a federated identity management system for the
German judiciary. This goes by the name of ‘Secure Access
to Federated E Justice / E Government’, or S.A.F.E. for short.
The underlying idea is essentially straightforward: the ‘Identity
Providers’ which are spread out over a number of different
domains are combined on a single platform and are addressed
via standard interfaces. The so-called ‘Trust Domain’ (TD) is
the central structuring element. This consists of a set of services
and service users that co-exist in a mutual trust relationship.
It ensures a unified communications infrastructure
within the justice system that operates across federal state
boundaries.
06 » 1 | 2013

National
Bavaria creates own Trust Domain
Up to now, there has been a centralised S.A.F.E. identity
management system operating from the data centre in North
Rhine-Westphalia, which is responsible for
the mailboxes of user parties in all the
federal states. Bavaria has now become
the first German federal state to set up
its own trust domain which is operated
in its own data centre. This means that
the management of Bavarian identities
takes place regionally, thus
restoring data sovereignty.
sources that store information about the digital identities
of users and their operational role. secunet also took on the
task of integrating the technical basis – the Oracle Identity
Management Suite – into the existing infrastructure.
Flexible and fit for the future
The Bavarian justice system is already in a position to communicate
confidentially via S.A.F.E. in such administrative
areas as the central register of wills or the electronic land
registry. Thanks to its open and highly scalable architecture,
many more administrative procedures, citizen portals and
e-government services will follow in the near future.
In this matter the Bavarian justice
relied on comprehensive assistance
from secunet, the IT security
experts have provided
organisational and technical
support to the IT officers of
the Bavarian judiciary who
are based at the Munich
Higher Regional Court
in the planning, design
and implementation of
the S.A.F.E. compliant
trust domain ‘Justiz
Bayern’. This involved
the analysis of the
administrative procedures
and of the
user groups that are
to be integrated in
the preliminary stage
as well as the analysis
and evaluation of the data
More information:
Norbert Müller
norbert.mueller@secunet.com
1 | 2013 « 07

National
Increased Security
for Passengers –
including online
Nicolas Hunloh, Team Leader Internet,
Düsseldorf International Airport
The air transport hub of Flughafen Düsseldorf handles over
20 million passengers per year, making it the largest airport
in North Rhine-Westphalia. 70 airlines operate here, serving
more than 190 destinations. Located in one of Europe’s
strongest-performing economic regions, with 18 million
people living within a radius of 100 kilometres, Düsseldorf
International plays a key role in fulfilling the mobility needs of
private individuals and businesses in the federal state of North
Rhine-Westphalia and the south-east of the Netherlands.
Furthermore, as the largest single employer in Düsseldorf
with a workforce of around 19,700, the airport has a major
impact on the jobs market in NRW.
As traffic has increased over recent years, the corporate
website has had to adapt and grow to meet the demands
of passengers as well as
those who are picking
them up from the airport
and other target groups.
These users visit the site to
check flight times,
to find out about
local conditions,
to reserve parking
spaces, to retrieve
general information
about the airport,
and much more
besides. The website
is thus a main
point of contact for
By undertaking regular
security checks, including
around 11 million
its online platforms,
users per year.
Düsseldorf airport
upholds consistently high
security standards.
Various extranets
provide B2B partners
and customers
with helpful
tools. Data that is
stored there requires
secure protection.
Flughafen
Düsseldorf GmbH
therefore took the
decision in 2012
to submit its main
corporate website
as well as those
of its subsidiaries
to an extensive security check. Their
search for a professional, flexible and
reliable service provider quickly brought
them to secunet.
For the operator, it is particularly important
that the standards which are
rigorously adhered to in the everyday
working environment of the airport’s offline sector (where
security is at a premium) apply equally to its website. Because
even data on passengers and partners requires the protection
of a highly secure and efficient infrastructure against
externally launched attempts to gain unauthorised access.
The secunet team therefore set about identifying potential
vulnerabilities using a detailed penetration test and applying
recognised standards with particular reference to OWASP
Top 10 2012. In order to avoid overloading the server infrastructure
during the procedure, the tests were conducted
during the low-traffic period between 11pm and 6am.
08 » 1 | 2013

News in Brief
HACKERSTORY #2
Budget and
Production Pressures
as Risk Factors
In many companies, security has become an integral part
of the production process. In the course of penetration tests,
secunet nonetheless continues to identify critical vulnerabilities
in internal systems that threaten the organisation’s
security and, in the worst-case scenario, its most vital
functions.
In subsequent discussions with the relevant system administrators,
it will usually transpire that the vulnerabilities
have already been recognised, though not necessarily their
potential impact. These vulnerabilities are consciously
accepted, since the affected system is directly involved in
critical business processes and not every company has a
sophisticated staging process whereby changes can be
tested on multiple pre-production systems. The decisionmakers
are confronted with a dilemma: in order to increase
system security, a temporary reduction in functionality has
to be accepted. Subsequent corrective measures – if at all
feasible – result in correspondingly high costs. Yet failure to
take the necessary action could ultimately lead to substantially
higher costs.
The results were then presented in the form of a detailed
report, with measures identified for optimisation then being
implemented within a short time by the specialist departments
of Flughafen Düsseldorf GmbH and its service providers.
At the same time, the company used the project to
introduce new mandatory security standards at all levels.
Flughafen Düsseldorf GmbH has expressed its intention to
call on secunet’s anti-hacking expertise in future.
However, if IT security teams are involved at the planning
phase of a new application, these problems can at least be
minimised. If, at an early stage, IT security is considered
of equal importance to functionality, this can obviate the
need for complex re-designs or bug fixing in the finished
product.
More information:
Dirk Reimers
dirk.reimers@secunet.com
More information:
Christian Reichardt
christian.reichardt@secunet.com
IN THE NEXT ISSUE:
The Trojan Mouse
1 | 2013 « 09

National
Challenges for PKI Systems
in Vehicles
Conventional solutions are not enough
Because of the special nature of the clients
(vehicles, charging infrastructure, traffic
signals etc) which – unlike the computers in
the company network – are not constantly
reachable and which to some extent have
much longer life cycles, they make specific
requirements of their PKI systems that do
not apply to most company PKIs. Similarly,
specifications for Car2Car communication or
Plug&Charge in the case of e-mobility define
precisely what a PKI is expected to do.
PKI systems have long been an established feature of inhouse
networks and the internet. Based on asymmetric cryptography,
authentication mechanisms have been created with
which more people work than you might imagine. Whether for
online banking, remote login to the corporate network from a
home office or even the new German national identity card, a
PKI working away in the background is generally responsible
for secure communication.
More recently, various applications requiring a PKI have been
introduced in vehicles:
- digital tachographs
- securing diagnostic access and information consistent
with Euro 5 and Euro 6
- securing onboard flashware for vehicle programming
- securing TeleX services such as remote diagnostics and
programming
- internet in the vehicle
- Car2Car communication
- Plug&Charge for e-mobility
For example, procedures and processes
must be introduced to take into account
the fact that parts of the PKI system may
be available for online communication only
on an intermittent basis. The distribution of
revocation information is just one example of
this problem. In a PKI for Car2Car or Car2X
communication, the number of subscribers can rise exponentially.
There will be hundreds of CA systems and millions of
vehicles all around the world that have to be supplied with key
material and certificates, and at the same time, data privacy
protection legislation will require that each vehicle is equipped
with several hundreds or even thousands of certificates.
Car manufacturers may already be aware of some of these
problems as a result of similar issues with their own company
PKIs for employee badges or SSL certificates for web
services. Nevertheless, these new special cases present them
with unprecedented challenges in the management of cryptographic
keys and certificates that cannot be resolved with the
already established processes of introduced PKI systems and
therefore require new approaches to the issue of PKI.
More information:
Andreas Ziska
andreas.ziska@secunet.com
10 » 1 | 2013

National
What a PKI does
PKI involves more than just technology; it is also a question of infrastructure and
processes. At the heart of the matter is key management, with the complete lifecycle
of cryptographic keys and/or certifi cates. The main tasks to be performed
by a PKI are:
Key generation – determination of algorithms, the type of key generation
(central as opposed to decentralised) and the processes for certifi cation of the
public key as well as the identifi cation data of the certifi cate holder.
Key distribution / Directory – the distribution of public keys and/or certifi -
cates takes place via directory services such as LDAP. For the assignment of
private keys, secure distribution paths or media are used.
Blocking management / Revocation – for revoking a certifi cate (in case of
a lost key or loss of confi dence), technical mechanisms such as revocation
lists (CRLs) or online services (OCSP) are used. The CA operator receives the
revocation requests, reviews and authorises them, revokes the certifi cate and
publishes the revocation information.
Key recovery / Destruction – by means of key recovery, data can be read and
verifi ed even if key material has been lost. In addition, old or invalid key material
is securely deleted.
Key exchange (root, CA, client) – appropriate processes (e. g. online provisioning,
the replacement of a secure element or mobile with NFC technology)
specifi cally ensure the secure exchange of the public root and CA keys. There
must be safeguards against a hacker insinuating his own root keys.
Blocking management /
Revocation (CRL / OCSP)
Key recovery /
Destruction
Key generation
Key distribution /
Directory
Key exchange
(root, CA, client)
Example of an eMob PKI complying with ISO 15118
eMob Root CA
Already established because of
the applicable standardisation
regulations for smart metering
in Germany
optional
optional
EV OEM
Root CA
Energy supplier
Root CA
Charging supplier
Root CA
Meter
Root CA
Daimler
BMW
AUDI RWE EnBW e.on A B
C
A
B
C
Vehicle certificates Contract certificates Charging station certificates SmartMeter certificates
The companies named here have been chosen as examples only. This should not
be taken as an indication of which ones will eventually appear under eMob Root CA.
1 | 2013 « 11

National
PREVENTIVE SECURITY #1
Preventive security is in this respect a key concept: specific organisational, infrastructural, technical and
staffing strategies that are tailored to individual circumstances and to constructing a defence that kicks
in before something bad happens. In subsequent issues of secuview, you can read interesting and sometimes
even amusing case studies (anonymised, of course) compiled by our secunet experts.
FIFA World Cup
Shoots Holes in
IT System
Directives from above defeat even the best
technical defences
There are many IT systems that, technically speaking, are well
protected. But unfortunately, these too fall victim to elementary
attacks because individually appropriate organisational
processes have not been implemented or upheld.
“How could they overcome the formidable barriers that we
now have in place The way they were bypassed makes us
look like amateurs!” Unfortunately, this quote is genuine and
the circumstances that permitted this successful IT attack are
by no means exceptional. The technology and the administrators
really were high calibre. The problem lay entirely elsewhere.
The vulnerability was caused by the instruction issued
by a senior executive to allow certain IT services during the
World Cup so that he could follow games live on his PC.
Although the administrators expressly advised of the associated
security risks, the desire of this senior person to watch
the matches live at work obviously outweighed the concerns
of the lower-ranking technical staff. The expert in this case –
i. e. the system administrator – had no recourse against the
decision.
This real-life scenario is by no means exceptional. secunet
is often called out to deal with emergencies that have been
caused by the absence of organisational security measures.
In the case cited above, a clearly defined and auditable documented
process that gave the administrator suitable veto
rights would have helped to uphold the high level of security
afforded by the systems in place. It would then have been
possible to take secure and responsible action, overriding the
personal preferences of the boss.
Security must be integral to
corporate culture
Experience has shown that, although many government agencies
and private businesses have put appropriate security
measures in place, these are not upheld rigorously due to the
organisational aspects of information security. At the same
time, however, there is no shortage of standards and best
practices to provide support here. For example, the IT security
management standards typified by the ISO 27000 family and
those implemented in accordance with BSI baseline protection
or the recommendations of ITIL (IT Infrastructure Library) and
COBIT (Control Objectives for Information and Related Technology).
secunet experts with many years of experience are
available to support any appropriate customisation or tailored
implementation.
More information:
René Seydel
rene.seydel@secunet.com
IN THE NEXT ISSUE:
Well confi gured – one click for enhanced security
12 » 1 | 2013

Neben dem Beruf zum
Bachelor & Master
Bachelor-Abschlüsse:
Europäische BWL (B.A.)
Wirtschaftspsychologie (B.A.)
Finance & Mangement (B.Sc.)
Logistikmanagement (B.Sc.)
Wirtschaftsrecht (LL.B.)
Master-Abschlüsse:
Wirtschaftspsychologie (M.Sc.)
Business Coaching &
Change Management (M.A.)
MBA
Hochschulkurse mit Zertifikat
Jetzt
4 Wochen
kostenlos
testen!
Jederzeit starten
Freie Zeiteinteilung
Ortsunabhängig per Fernstudium
Jetzt informieren:
www.Euro-FH.de 0800 / 33 44 377
(gebührenfrei)
Infos anfordern:
600 AA

International
Automation is the Way
Forward for Border Control
secunet eGates securely manage increasing passenger numbers at national borders
Globalisation has led to a steady increase in private and professional
mobility. Short-haul flights have become an attractive
alternative to travelling by train or car. For airports, this means
that more and more passengers have to be cleared on arrival.
The International Air Transport Association (IATA) estimates
that, in 2013, the milestone of three billion passengers worldwide
will be exceeded. 1 This development poses multiple challenges
for airports, as passengers should not be expected to
wait in unreasonably long queues to pass through the security
gate or border control. At the same time, security considerations
must under no circumstances be compromised as the
threat of terrorism remains acute
The solution lies in biometric data
A good option for managing increased passenger volume
at borders is to provide electronic control gates – so-called
‘Automated Border Control Systems’ or eGates for short.
Utilising the biometric data stored in electronic travel documents
(e.g. the digitised facial image of the traveller),
eGates allow partial automation of border control
processes whilst retaining the same high level of
security: When the passport is placed on the document
reader, its electronic and optical security features
are checked and the biometric data is read.
Passengers authorised to use the system can then
step into the eGate. Here, a camera integrated into
the exit door automatically takes a photo of the
traveller’s face. This data is then compared to the
passport-picture read before. If the biometric data
matches, the passenger is cleared to pass, i. e. to
cross the border.
As the ePassport is read and the
passenger’s face is scanned, the
same data is also displayed on
the immigration control officer’s
monitor.
The process offers significant benefits to all parties
involved: on the one hand, it reduces queuing time for
passengers and airport operators benefit from optimised
passenger flows; on the other hand, border
police officers get valuable support without losing
control over the process.
1
See http://www.iata.org/pressroom/facts_figures/Documents/
economic-outlook-media-day-dec2012.pdf
14 » 1 | 2013

International
secunet’s face recognition
technology
makes use of a smart
camera integrated
into the exit door.
Adaptive LED lights
provide optimum
levels of illumination.
secunet eGates
are already in
operational use
as part of the
EasyPASS and
EasyGO projects.
Pioneering work to provide
sustainable solutions
As a pioneer in this field, secunet was commissioned in late
2007 by the German Federal Office for Information Security
(BSI) to take on the design and implementation of the
EasyPASS eGate solution at Frankfurt Airport. Following its
successful operational launch, the secunet experts have made
it available for use with the new German ID card. This has not
only set the benchmark for the future design of immigration
control systems at German airports but has also convinced
the Czech border police: going by the name of EasyGO, the
automated border control system was implemented at Prague’s
Vaclav Havel airport in late 2012, and after only a twelve-month
pilot period, it has been incorporated into day-to-day operation
and has even been extended.
The evident advantages and positive experience of automated
border control have won over airport operators and border
police in equal measure. Experts agree that the trend in
coming years at national and international airports will be
towards further automation of border control. Years of experience
coupled with the ‘Made in Germany’ label – perceived
around the world as a hallmark of quality – mean that secunet
eGates are set to play a crucial role.
More information:
Georg Hasse
georg.hasse@secunet.com
What makes the solution from
secunet so unique
The decisive USP of eGate solutions from secunet is the modu-
lar approach: The unique flexibility of this complex system is
made possible by secunet biomiddle, a software that acts as
an intermediary between client applications and the various
biometric technologies. Due to this original components can
be updated at any time and further devices can be added.
The Automated Border Control System sets standards in other
ways; for example, the BSI acting as an independent body
has verified its security and reliability. Furthermore, the system
is characterised by exceptional user-friendliness. The entire
process is adapted to the natural flow of the passengers who
are given clear step-by-step guidance as they pass through
the system. High acceptance and rapid, straightforward processing
are thus guaranteed.
The benefi ts of
secunet eGates at a glance
Secure
- BSI-approved security and reliability of the system by means of
- Testing of the optical and electronic security features
- Biometric comparison at a high level of security
- Monitoring by immigration control offi cers
Economical
- Airports are able to process a higher volume of passengers
through the same physical area
- Investment protected thanks to modular and standard
architecture of the overall system
Fast
- Conventional immigration controls are relieved by partial
automation and thereby accelerated
- Travellers are guided intuitively through the gate, thus reducing
the length of queues
1 | 2013 « 15

Technologies & Solutions
Electronic management of classified
information without discontinuity of media
SINA Workflow for security and compliance with regulations
Anyone who has experience of working with classified
electronic data and processes is familiar with
the dilemma of complying with VSA (the national
regulations governing classified information) while
still coping with the job in hand. This conflict has
increased steadily over recent years, because
the existing regulations were originally conceived
for an age in which everything was committed to
paper. But rapidly increasing information flows
have long since made electronic processing indispensable,
and there are currently no software
systems which have been approved and are sufficiently
productive to be used for VSA-compliant
processing.
SINA Workflow represents a comprehensive, VSA-compliant
solution to the aforementioned dilemma:
- The compilation, processing and distribution of classified
data takes place without any discontinuity of media
- Unlike other solutions, SINA workflow does not merely
address individual aspects of VSA
- There is a logical, cryptographically secured enforcement
of the ‘Need to Know’ principle
- Uncontrolled outflow of classified data is prevented
- Every activity that VSA requires to be verified is securely
logged to legal audit standard
SINA Workflow comprises central registry, control and storage
systems as well as remote clients based on the SINA
Workstation.
The complete lifecycle of classified documents and operations
is mapped, so that a user is supported and guided
through the system right from the start. The creation of a draft
classified document takes place within a SINA Workflowspecific
session on a SINA Workstation. When the draft of the
classified item is registered, it is encrypted and saved to a
Using
SINA Workstation
for classified
information
central location. From that point onwards, other contributors
can be allowed access to the draft classified document. In this
way, SINA Workflow guarantees VSA-compliant processing of
classified documents within a group and also offers support
for addenda and co-signing processes. After the completion
and registration of the finalised item, the classified document
itself can then be distributed. Classified documents can, of
course, also be printed or exported.
In addition to supporting users, SINA Workflow also assists
system administrators, e.g. by automatically keeping a log, or
by generating an inventory of classified documents.
Work is in progress with a German federal government office
on the prototypical installation and integration of SINA Workflow
into the existing network infrastructure.
More information:
Peter Janitz
peter.janitz@secunet.com
SINA Workflow is able to map the entire lifecycle
of classified documents and processes.
This now facilitates electronic, VSA-compliant
processing of classified information.
Subscribe to secuview
Would you like to receive secuview on a regular basis, free of charge
Please choose between the print and electronic versions and subscribe at https://www.secunet.com/en/the-company/it-security-report-secuview.
There you can also change your preference or unsubscribe.
Illustrations: Cover People: plainpicture/OJO; S. 3 (Ordner), 6, 7, 12: shutterstock.com; Airport Düsseldorf S. 8 - 9: Andreas Wiese; S. 10: iStockphoto.com;
S. 19: EUROFORUM Deutschland SE. Others: secunet.
16 » 1 | 2013

News in Brief
secunet on Twitter, Xing and LinkedIn
Social media have not only changed
the way we interact with each other as
individuals but have also become an essential
means of communication in the
business world. In 2012, we extended
our online presence to Twitter, Xing and
LinkedIn, aiming to use these media
to increase our availability to secunet
customers and partners, and to explore
with them the issues of the moment surrounding
IT security.
Via our corporate profiles on the Xing
and LinkedIn business platforms, we
offer existing and future customers as
well as potential recruits to our ranks a
quick and convenient way of getting in
touch with us.
Professional associations and the German
Federal Chancellery have long had
their own presence here. We are now
using our Twitter page – @secunet_AG –
to inform our customers and other interested
users about the latest developments
in the world of IT security. We go
beyond relaying news from and about
our own company, picking up on a wide
range of IT security issues as these
affect the private and public sectors. We
publish up-to-the-minute alerts on current
security vulnerabilities and engage
in a fruitful exchange of views and opinions
with the online communities.
Visit our website at www.secunet.com
and follow us on Twitter at @secunet_AG
This QR code will
take you directly to
our Twitter page:
http://www.twitter.com/
secunet_AG
New Federal Framework
Agreement on IT Security
Services
New Appointment
at the
BSI
Since August 2012, federal authorities
have been able to call on secunet to
provide IT security services under the
terms of two new framework agreements
with the German Federal Office
for Information Security (BSI). In association
with HiSolutions AG, secunet was
once again successful in its bid for the
contract to supply IT security consulting
services to the German federal government.
The new agreements cover general
consulting services for IT security
in federal authorities, consultancy in the
field of e-government tasks and projects,
the implementation of security
audits and reviews, and the drafting of
IT security and emergency concepts.
secunet will further be supporting the
federal government in the performance
of security analyses designed to identify
and resolve vulnerabilities in IT systems
and processes. More information can
be found on the federal government’s
online procurement portal Kaufhaus
des Bundes at https://www.kd-bund.de
(NB: access only with certificate) and
on the federal government intranet at
http://kdb.intranet.bund.de.
More information:
Dirk Ossenbrüggen
dirk.ossenbrueggen@secunet.com
Federal Office
for Information Security
With effect from 1st January 2013,
Andreas Könen is the new Vice-President
of the BSI. His predecessor in the
office, Horst Flätgen, has moved to the
Federal Ministry of Finance. Könen’s
previous role was as Director of Advice
and Coordination. In previous years,
he held responsibility for the areas of
Coordination and Control as well as
Security in Applications and Critical
Infrastructures. The new man in charge
at the Department of Advice and Coordination
is Horst Samsel.
Imprint
Editor
secunet Security Networks AG
Kronprinzenstraße 30
45128 Essen, Germany
www.secunet.com
Responsible in terms of the
press law: Christine Skropke,
christine.skropke@secunet.com
Chief Editor: Claudia Roers,
claudia.roers@secunet.com
Chief Conception & Design
Dominik Maoro,
dominik.maoro@secunet.com
Design
www.knoerrich-marketing.de
Copyright: © secunet Security Networks AG. All rights reserved. All contents and structures are copyright protected. All and any use not
expressly permitted by copyright law requires prior written permission.
1 | 2013 « 17

Events
Lively exchange of views at it-sa
Cornelia Rogall-Grothe (Federal Government Commissioner
for Information Technology and Secretary of State in the Ministry
of the Interior) joined Franz Josef Pschierer (Bavarian State
Government Commissioner for Information Technology and
State Secretary of the Bavarian Ministry of Finance) in a visit to
the secunet stand at the it-sa trade fair held in October 2012.
Cornelia Rogall-Grothe
deep in discussion
with secunet CEO
Dr Rainer Baumgart
(second from left)
IT Summit Working Group 4 visits secunet
Dr Karsten Ottenberg, Federal Interior Minister Dr Hans-Peter Friedrich,
Dr Rainer Baumgart and Prof Dr Claudia Eckert (l to r)
In the context of the IT Summit in Essen, German Interior Minister
Hans-Peter Friedrich visited secunet on 12th November
2012. Together with Dr Karsten Ottenberg (G&D), he chaired
the meeting of the Working Group 4 on ‘Trust, Privacy and
Security on the Internet’. The title of event at the company’s
premises in Kronprinzenstrasse was ‘Cybersicherheit in
Deutschland gestalten’ (Shaping Cyber Security in Germany).
More than 100 participants and members of the press were
in attendance to discuss the topic with the Minister of the
Interior, BSI President Michael Hange, Professor Claudia
Eckert (TU Munich and Fraunhofer AISEC), Reinhard Clemens
(Deutsche Telekom), Dr Rainer Baumgart and Dr Karsten
Ottenberg.
Always online – always secure
The IT Security on Board workshop in Munich last October
was an opportunity for experts to compare notes on recent
developments and implications for the future in e-mobility
and Car-2-Car technology. Standards and methods by which
vehicle IT security can be evaluated and the need for protection
can be determined were also major themes of the
presentations and of the lively conversations and discussions
that followed. The secunet live hacking demo met with particular
interest; some of the participants immediately took a
critical look at their own phones when they learned about the
sophistication of attacks currently being made on iPhones and
Android devices.
Experts swap ideas at biometrics conference
secunet in London:
The biometrics trade
fair was characterised
by interesting discussions
and new ideas.
From 29th to 31st October, biometrics experts from around
the world attended the aptly named ‘biometrics’ trade fair
in London. In the context of the conference and exhibition,
there was a lively exchange of views on hot topics, the latest
developments and current biometric practice. In a series of
interesting discussions, secunet experts set various balls
rolling and also returned to base with new ideas and issues
to resolve.
secunet ACU in Tokyo
Last October, representatives from secunet attended the
FTF Freescale conference in Tokyo. They joined our partners
from OpenSynergy at their stand to show off a demo unit of
the secunet Application Control Unit (ACU), which is almost
ready to go into series production. Where communication
from external networks does not comply with the rules specified,
the ACU prevents this from reaching the on-board electrical
system. In this way, the ACU enables open networked
infotainment applications. At the same time, valuable assets
such as operational security are safeguarded.
18 » 1 | 2013

Dates
SINA meets the Secretary of Defence
February until
June 2013
Participants at the Handelsblatt conference on ‘Security
Policy and the Defence Industry’ had a chance to hear
the views of Defence Minister de Maizière on the dialogue
between society, politics, military and economy. As one of
the conference sponsors, secunet was invited to present its
SINA product portfolio.
SINA presentation at NATO Symposium
SINA made its debut appearance on our own exhibition
stand at the NIAS symposium held in the Belgian city of Mons
last September.
SINA in Rome
12 - 14 Feb 2013
» Security Document World /
Prague, Czech Republic
17 - 21 Feb 2013 » IDEX / Abu Dhabi, UAE
25 Feb -
1 March 2013
» RSA Conference /
San Francisco, USA
5 - 9 March 2013 » CeBIT / Hannover
12 April 2013
» Workshop
‚IT Security on Board‘ /
Munich
23 - 25 April 2013 » Infosecurity Europe / London, UK
24 - 25 April 2013
» AFCEA exhibition /
Bonn-Bad Godesberg
7 May 2013 » SINA User Day / Berlin
SINA on tour in Warsaw
Johan Hesse
of secunet
presenting SINA
solutions to the
international
audience.
AFCEA TechNet International took place in Rome last October
under the patronage of Italian Defence Minister Giampaolo
Di Paola. The event was well attended by representatives
from various NATO countries and from the NCIA (NATO Communications
and Information Agency) who were fascinated by
the demonstrations of SINA solutions at the secunet stand.
In October 2012, all of the international SINA reseller partners
gathered in Warsaw to exchange information and experiences,
to listen to a series of presentations and to engage
in some general networking.
14 - 16 May 2013
» 13 th Deutscher IT-Sicherheitskongress
/ Bonn-Bad Godesberg
21 - 23 May 2013 » Security Document World /
London, UK
15 May 2013 » General Annual Meeting
secunet /
Essen, Castle of Borbeck
15 - 16 May 2013 » Datenschutzkongress /
Berlin
5 and » SINA User Day /
6 June 2013 Bonn
Would you like to arrange an appointment with us
Then send an e-mail to events@secunet.com.
1 | 2013 « 19

Caution! Insecure Structure!
Customized IT security provides a solid foundation for your success.
Protect your most important assets. IT security is essential for a stable
IT infrastructure and for all processes. secunet is your trump card: Our
vision and expertise will help you achieve even the most demanding IT
security solutions.
www.secunet.com
IT security partner of the
Federal Republic of Germany