When Is a System Compromised?

In IT security, the question of when a system is considered “compromised” is less a technical issue and more a decision based on a risk assessment. This requires careful consideration and as accurate a determination of the actual situation as possible, and therefore goes far beyond simply reading off KPIs.

What needs to be done?

  1. Gathering facts: First of all, all available information must be collected and analyzed. Depending on the affected system, this includes log files, network analyses and system investigations. This data can reveal anomalies or irregularities that may indicate a compromise.
  2. Evaluation of indicators: Detected anomalies and irregularities must then be evaluated in their respective context. Not every incident is security-relevant, and not every security-relevant incident automatically means a compromise. It should be determined whether the indicators match known patterns of cyber attacks or security breaches. In this context, the experience of the IT operations team is crucial. This is because investigations of this kind can only be carried out in a meaningful way if the relevant technical expertise is available. Otherwise, the involvement of an experienced forensics service provider should be considered.
  3. Risk assessment: The potential risk of a compromise is then weighed up against the possible impact. This assessment takes into account both the probability of an actual compromise and the possible consequences for the affected business processes.
  4. Decision-making: Based on the risk assessment, a decision must ultimately be made as to whether or not a system should be considered “compromised”. This decision not only takes into account the results of the specific incident, but must also be aligned with the organization’s risk acceptance criteria.

The decision to consider a system compromised is by no means trivial. If, for example, a central directory service is affected, this can have far-reaching consequences for an organization due to its high dependency on central business processes.

The situation would be different, for example, if only a single user client had been compromised. It is therefore crucial to create as complete a picture as possible of the actual situation.

In practice, this will not always be possible. The final outcome will rarely be a question of certainty, but rather a risk-based management decision. This process should not be (completely) delegated to IT operations.

The potential impact on business processes must be made known to the management level. And ultimately, they must decide how to proceed based on the options presented.

NIS-2: TeleTrusT vs. IT Planning Council

The NIS-2 Directive of the European Union will significantly increase the overall level of cybersecurity in the EU. The directive envisages an expansion of cybersecurity regulations to new sectors and institutions, aiming to improve the resilience and response capabilities of public and private entities, authorities, and ultimately the EU as a whole (https://digital-strategy.ec.europa.eu/).

The IT Planning Council, a steering committee that coordinates cooperation in the field of information technology between the federal and state governments in Germany, recently decided not to extend the scope of the NIS-2 Directive to include local public administration institutions and educational establishments (https://www.it-planungsrat.de/).

TeleTrusT, a leading German competence network for information security that unites members from various sectors such as industry, consulting, administration, and science, has now confronted this decision in an open letter. TeleTrusT is calling on the IT Planning Council to reconsider its decision on the limited implementation of the NIS-2 Directive (https://www.teletrust.de/).

While federal-level legislation is being developed to implement the NIS-2 Directive, it is the responsibility of the federal states to create or adapt their own IT security laws to also include institutions of public administration at the regional and local levels, as well as educational establishments.

The criticism from TeleTrusT and the co-signers of the open letter regarding the IT Planning Council’s decision to exclude certain institutions from the NIS-2 Directive is entirely justified.

In particular, municipalities and educational institutions should be included in the legal requirements for IT security to ensure a uniformly high level of IT security throughout Germany. The decision of the IT Planning Council to exclude these institutions could significantly hinder constructive participation in addressing the challenges of IT security.

On the other hand, the rejection of regulation, possibly also due to practical implementation difficulties, raises doubts about whether IT security could be effectively implemented on a voluntary basis without such regulation.

The Pocket-Sized Assessment: A Universal Guide for Effective Work

We all know complex challenges, regardless of the field we are currently in. To be prepared for complex tasks in everyday life, I present the “Pocket-Sized Task Framework”. This framework, with just seven simple steps, offers a holistic approach to tackling all kinds of challenges in a structured and planned manner.

  1. Define Goals and Scope
    Every task resolution should begin with a clear objective. What do I want or need to achieve? It’s also important not to forget about scoping. What area are we talking about? What is the specific subject of consideration? This first phase lays the foundation for successful task resolution and ensures a targeted approach.
  2. Identify Stakeholders
    Then, it’s essential to identify all relevant stakeholders. Who is affected? Who can provide input? It’s worthwhile to consider the different perspectives and needs of stakeholders to understand the motives behind their actions.
  3. Gather Information
    A problem can only be solved if one is fully informed about all significant aspects. Thorough information gathering can provide a realistic picture of the current situation. Depending on the specific case, this can be done through various means, ranging from technical audits to simple surveys of stakeholders. The more comprehensive the picture of the situation, the more likely it is that the next steps will yield suitable measures that are tolerated by those affected.
  4. Problem Analysis
    Only now do we turn to the problems. Based on the picture of the situation, potential risks and vulnerabilities – the problems – are to be examined. What are the current problems? How do they affect things? What obstacles exist? Which aspects make a life situation problematic? This part is not easy – but the advantage of this method is that the problem analysis is preceded by 3 steps that set the focus and keep the analysis from drifting off-topic.
  5. Plan Measures
    Based on the problem analysis, concrete measures for remedy are to be developed. In this phase, the insights gained are transformed into practical steps for improvement and security.
  6. Implementation and Monitoring
    The best planning is useless without effective implementation and monitoring. This step ensures that the measures are carried out as planned.
  7. Lessons Learned
    Finally, the entire approach is evaluated. What worked? What could be improved? This framework is not a rigid tool – through continuous improvement, it can be adapted and individualized to one’s needs.

The Pocket-Sized Task Framework offers a structured yet flexible approach that is applicable to a wide variety of life situations across different fields. It enables you to engage in effective task resolution. This way, you can proactively meet challenges and continuously develop yourself and your skills.

Wishing You a Joyful Advent Season 2023


Dear Clients and Partners,

As the Advent season begins, I would like to take a moment to pause and extend my warmest wishes for a wonderful and peaceful time to all of you. This special time of the year reminds us of the importance of taking a moment to reflect, appreciating the small joys of life, and spending time with our loved ones.

The past year has been a period of challenges for many, but also a time of growth and learning. Again, we have seen how crucial adaptability, resilience, and strategic foresight are – not just in the business world but in our personal lives as well.

As I prepare for the festive season ahead, I want to express my gratitude for your trust and support. My success would not have been possible without you. I value every opportunity I had to support you this year and look forward to continuing my journey with you in the year to come.

May this Advent season be a time of tranquility, reflection, and joy for you. Enjoy the festive lights, the warm beverages, and the precious moments with your families and friends.

With heartfelt connection and best wishes for a beautiful Advent season,

Robert Krelle
Krelle Consulting