When is a System Compromised?

In IT security, the question of when a system is considered compromised is all too often not a technical one, but rather a decision based on a risk assessment. This requires careful consideration and the best possible determination of the actual situation. This process goes far beyond the mere identification of technical indicators.

What Needs to be Done?

  1. Fact Finding: First, all available information must be gathered and analyzed. Depending on the system in question, this includes log files, network analyses, and system examinations. These data can provide insights into possible anomalies or irregularities that may indicate a potential compromise.
  2. Evaluation of Indicators: The identified anomalies and irregularities must then be assessed in their respective contexts. Not every incident is security-relevant, and not every security-relevant incident automatically means a compromise. It must be determined whether the indicators are consistent with known patterns of cyberattacks or security breaches. In this context, the experiences of the IT operations team are particularly important.
  3. Risk Assessment: Here, the potential risk of a compromise is weighed against the possible impacts. This assessment takes into account both the likelihood of an actual compromise and the potential consequences for business processes.
  4. Decision Making: Based on the risk assessment, a decision must be made as to whether a system is considered compromised. This decision not only takes into account the findings of the specific incident but must also be aligned with the organization’s risk tolerance.

The decision to consider a system compromised can have enormous implications. For example, if it involves a central directory service, this can have far-reaching consequences for the organization, including financial losses, damage to reputation, and legal consequences.

The compromise of a user client, even if the technical indicators are similar, would have a completely different impact. Therefore, it is crucial to base the decision on as solid a foundation as possible and a comprehensive assessment of all relevant factors.

The determination of a compromise is rarely a question of certainty, but rather a management decision that requires thorough analysis and assessment of all available information, taking into account the potential risks and consequences. This process should therefore not be (completely) delegated to IT operations. The resulting impacts on business processes must be made known to the executive level and ultimately borne by them.

ISMS leaders should keep a cool head and not let themselves be unsettled by hastily voiced notions of risk.

NIS-2: TeleTrusT vs. IT Planning Council

The NIS-2 Directive of the European Union will significantly increase the overall level of cybersecurity in the EU. The directive envisages an expansion of cybersecurity regulations to new sectors and institutions, aiming to improve the resilience and response capabilities of public and private entities, authorities, and ultimately the EU as a whole (https://digital-strategy.ec.europa.eu/).

The IT Planning Council, a steering committee that coordinates cooperation in the field of information technology between the federal and state governments in Germany, recently decided not to extend the scope of the NIS-2 Directive to include local public administration institutions and educational establishments (https://www.it-planungsrat.de/).

TeleTrusT, a leading German competence network for information security that unites members from various sectors such as industry, consulting, administration, and science, has now confronted this decision in an open letter. TeleTrusT is calling on the IT Planning Council to reconsider its decision on the limited implementation of the NIS-2 Directive (https://www.teletrust.de/).

While federal-level legislation is being developed to implement the NIS-2 Directive, it is the responsibility of the federal states to create or adapt their own IT security laws to also include institutions of public administration at the regional and local levels, as well as educational establishments.

The criticism from TeleTrusT and the co-signers of the open letter regarding the IT Planning Council’s decision to exclude certain institutions from the NIS-2 Directive is entirely justified.

In particular, municipalities and educational institutions should be included in the legal requirements for IT security to ensure a uniformly high level of IT security throughout Germany. The decision of the IT Planning Council to exclude these institutions could significantly hinder constructive participation in addressing the challenges of IT security.

On the other hand, the rejection of regulation, possibly also due to practical implementation difficulties, raises doubts about whether IT security could be effectively implemented on a voluntary basis without such regulation.

The Pocket-Sized Assessment: A Universal Guide for Effective Work

We all face complex challenges, whatever field we are currently working in. To be prepared for complex tasks in everyday life, I present the "Pocket-Sized Task Framework". This framework, with its mere seven simple steps, offers a holistic approach to tackling all kinds of challenges in a structured and planned manner.

  1. Define Goals and Scope
    Every task resolution should begin with a clear objective. What do I want or need to achieve? It’s also important not to forget about scoping. What area are we talking about? What is the specific subject of consideration? This first phase lays the foundation for successful task resolution and ensures a targeted approach.
  2. Identify Stakeholders
    Then, it’s essential to identify all relevant stakeholders. Who is affected? Who can provide input? It’s worthwhile to consider the different perspectives and needs of stakeholders to understand the motives behind their actions.
  3. Gather Information
    A problem can only be solved if one is fully informed about all significant aspects. Thorough information gathering provides a realistic picture of the current situation. Depending on the specific case, this can be done through various means, ranging from technical audits to simple surveys of stakeholders. The more comprehensive the situation picture, the more likely one is to find, in the next steps, suitable measures that are tolerated by those affected.
  4. Problem Analysis
    Only now do we turn to the problems. Based on the situation picture, potential risks and vulnerabilities – the problems – are to be examined. What are the current problems? How do they affect things? What obstacles exist? Which aspects make a life situation problematic? This part is not easy – but the advantage of this method is that the problem analysis is preceded by three steps that set the focus and keep the analysis from drifting off-topic.
  5. Plan Measures
    Based on the problem analysis, concrete measures for remedy are to be developed. In this phase, the insights gained are transformed into practical steps for improvement and security.
  6. Implementation and Monitoring
    The best planning is useless without effective implementation and monitoring. This step ensures that the measures are carried out as planned.
  7. Lessons Learned
    Finally, the entire approach is evaluated. What worked? What could be improved? This framework is not a rigid tool – through continuous improvement, it can be adapted and individualized to one’s needs.

The Pocket-Sized Task Framework offers a structured yet flexible approach that is applicable to a wide variety of life situations across different fields. It enables you to engage in effective task resolution. This way, you can proactively meet challenges and continuously develop yourself and your skills.

Wishing You a Joyful Advent Season 2023

Dear Clients and Partners,

As the Advent season begins, I would like to take a moment to pause and extend my warmest wishes for a wonderful and peaceful time to all of you. This special time of the year reminds us of the importance of taking a moment to reflect, appreciating the small joys of life, and spending time with our loved ones.

The past year has been a period of challenges for many, but also a time of growth and learning. Again, we have seen how crucial adaptability, resilience, and strategic foresight are – not just in the business world but in our personal lives as well.

As I prepare for the festive season ahead, I want to express my gratitude for your trust and support. My success would not have been possible without you. I value every opportunity I had to support you this year and look forward to continuing my journey with you in the year to come.

May this Advent season be a time of tranquility, reflection, and joy for you. Enjoy the festive lights, the warm beverages, and the precious moments with your families and friends.

With heartfelt connection and best wishes for a beautiful Advent season,

Robert Krelle
Krelle Consulting