{"id":4769,"date":"2022-07-08T22:37:39","date_gmt":"2022-07-08T20:37:39","guid":{"rendered":"https:\/\/www.sec4you.com\/?p=4769"},"modified":"2022-11-06T10:05:24","modified_gmt":"2022-11-06T09:05:24","slug":"information-security-risk-survey-for-27001-and-tisax","status":"publish","type":"post","link":"https:\/\/www.sec4you.com\/en\/information-security-risk-survey-for-27001-and-tisax\/","title":{"rendered":"Information security risk survey for <span class=\"caps\">ISO<\/span> 27001 and <span class=\"caps\">TISAX<\/span>\u00ae"},"content":{"rendered":"<div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-1 nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-background-position:left top;--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-margin-top:0px;--awb-margin-bottom:0px;--awb-flex-wrap:wrap;\"><div class=\"fusion-builder-row fusion-row\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-0 fusion_builder_column_1_1 1_1 fusion-one-full fusion-column-first fusion-column-last\" style=\"--awb-bg-size:cover;width:100%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-column-wrapper-legacy\"><div class=\"fusion-text fusion-text-1\"><p>Due to the rapidly increasing threats to <span class=\"caps\">IT<\/span> operations, every company should survey and evaluate the relevant <span class=\"caps\">IT<\/span> threats with regard to information security. 
However, selecting threats for the primary InfoSec protection goals of confidentiality, integrity and availability is complex, because there are no simple threat lists, especially for small and medium-sized enterprises.<\/p>\n<p><span class=\"caps\">SEC4YOU<\/span> has taken on this task and created the <span class=\"caps\">SEC4YOU<\/span> Information Security Threat List 2022. This article presents and explains the most important threats. Readers get a sound overview of the threats they should have secured their company against, because these threats are now becoming reality for companies on an almost daily basis.<\/p>\n<\/div><div class=\"fusion-title title fusion-title-1 fusion-sep-none fusion-title-text fusion-title-size-three\" style=\"--awb-margin-top-small:0px;--awb-margin-right-small:0px;--awb-margin-bottom-small:20px;--awb-margin-left-small:0px;\"><h3 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:20;--minFontSize:20;line-height:1.45;\">What does an information security risk assessment accomplish?<\/h3><\/div><div class=\"fusion-text fusion-text-2\"><p>Besides preventing significant, even existence-threatening, economic and intangible damage, an information security risk assessment supports the selection of the suitable InfoSec measures that are required to protect the company from these dangers. 
If you operate an <span class=\"caps\">ISMS<\/span> according to <span class=\"caps\">ISO<\/span> 27001 or <span class=\"caps\">TISAX<\/span>\u00ae, the company must provide documented evidence of the complete risk assessment, including the risk method, the assessment criteria and the assessment itself.<\/p>\n<\/div><div class=\"fusion-title title fusion-title-2 fusion-sep-none fusion-title-text fusion-title-size-three\" style=\"--awb-margin-top-small:0px;--awb-margin-right-small:0px;--awb-margin-bottom-small:20px;--awb-margin-left-small:0px;\"><h3 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:20;--minFontSize:20;line-height:1.45;\">Sources of information security threats<\/h3><\/div><div class=\"fusion-text fusion-text-3\" style=\"--awb-content-alignment:left;\"><p>The following sources were used as the basis for the <span class=\"caps\">SEC4YOU<\/span> Information Security Threat List 2022:<\/p>\n<\/div><div class=\"fusion-clearfix\"><\/div><\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-2 fusion-flex-container nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\"><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1289.6px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-1 fusion_builder_column_1_4 1_4 fusion-flex-column\" 
style=\"--awb-bg-size:cover;--awb-width-large:25%;--awb-margin-top-large:0px;--awb-spacing-right-large:7.68%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:7.68%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-image-element \" style=\"text-align:right;--awb-max-width:150px;--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\" fusion-imageframe imageframe-none imageframe-1 hover-type-none\"><img decoding=\"async\" width=\"251\" height=\"350\" title=\"BSI Elementare Gef\u00e4hrdungen_Preview\" src=\"https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/BSI-Elementare-Gefaehrdungen_Preview.png\" alt class=\"img-responsive wp-image-4445\" srcset=\"https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/BSI-Elementare-Gefaehrdungen_Preview-200x279.png 200w, https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/BSI-Elementare-Gefaehrdungen_Preview.png 251w\" sizes=\"(max-width: 1024px) 100vw, (max-width: 640px) 100vw, 251px\"><\/span><\/div><\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-2 fusion_builder_column_3_4 3_4 fusion-flex-column\" 
style=\"--awb-bg-size:cover;--awb-width-large:75%;--awb-margin-top-large:0px;--awb-spacing-right-large:2.56%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:2.56%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-4\"><p>The 47 <strong>Elementary Threats<\/strong> of the German Federal Office for Information Security (<span class=\"caps\">BSI<\/span>), as published in the IT-Grundschutz Compendium.<\/p>\n<p>A classic list that covers a wide variety of elementary threats and deals intensively with the aspects of sabotage\/terror and espionage. Unfortunately, this publication does not adequately cover modern cyberattack vectors.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-3 fusion-flex-container nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\"><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1289.6px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-3 fusion_builder_column_1_4 1_4 fusion-flex-column\" 
style=\"--awb-bg-size:cover;--awb-width-large:25%;--awb-margin-top-large:0px;--awb-spacing-right-large:7.68%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:7.68%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-image-element \" style=\"text-align:right;--awb-max-width:150px;--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\" fusion-imageframe imageframe-none imageframe-2 hover-type-none\"><img decoding=\"async\" width=\"251\" height=\"350\" title=\"ENISA Threat Landscape 2021_Preview\" src=\"https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/enisa-Threath-Landscape-2021_Preview.png\" alt class=\"img-responsive wp-image-4446\" srcset=\"https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/enisa-Threath-Landscape-2021_Preview-200x279.png 200w, https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/enisa-Threath-Landscape-2021_Preview.png 251w\" sizes=\"(max-width: 1024px) 100vw, (max-width: 640px) 100vw, 251px\"><\/span><\/div><\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-4 fusion_builder_column_3_4 3_4 fusion-flex-column\" 
style=\"--awb-bg-size:cover;--awb-width-large:75%;--awb-margin-top-large:0px;--awb-spacing-right-large:2.56%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:2.56%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-5\"><p><strong><span class=\"caps\">ENISA<\/span> Threat Landscape 2021<\/strong><\/p>\n<p>A valuable information security assessment by the European Union Agency for Cybersecurity that analyzes cybersecurity trends on 115 pages, describes the nine most significant threats and provides detailed recommendations on how to mitigate them.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-4 fusion-flex-container nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\"><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1289.6px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-5 fusion_builder_column_1_4 1_4 fusion-flex-column\" 
style=\"--awb-bg-size:cover;--awb-width-large:25%;--awb-margin-top-large:0px;--awb-spacing-right-large:7.68%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:7.68%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-image-element \" style=\"text-align:right;--awb-max-width:150px;--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\" fusion-imageframe imageframe-none imageframe-3 hover-type-none\"><img decoding=\"async\" width=\"251\" height=\"350\" title=\"CyberEdge 2022 Cyberthreat Defense Report_Preview\" src=\"https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Cyberedge-2022-Cyberthreat-Defense-Report_Preview.png\" alt class=\"img-responsive wp-image-4447\" srcset=\"https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Cyberedge-2022-Cyberthreat-Defense-Report_Preview-200x279.png 200w, https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Cyberedge-2022-Cyberthreat-Defense-Report_Preview.png 251w\" sizes=\"(max-width: 1024px) 100vw, (max-width: 640px) 100vw, 251px\"><\/span><\/div><\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-6 fusion_builder_column_3_4 3_4 fusion-flex-column\" 
style=\"--awb-bg-size:cover;--awb-width-large:75%;--awb-margin-top-large:0px;--awb-spacing-right-large:2.56%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:2.56%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-6\"><p><strong>2022 Cyberthreat Defense Report<\/strong> by CyberEdge Group<\/p>\n<p>This report highlights technologies and their resilience to cyberthreats; in addition, it provides an excellent assessment of 12 cyberthreats that no risk assessment should be without.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-5 fusion-flex-container nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\"><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1289.6px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-7 fusion_builder_column_1_1 1_1 fusion-flex-column\" 
style=\"--awb-bg-size:cover;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:1.92%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:1.92%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-title title fusion-title-3 fusion-sep-none fusion-title-text fusion-title-size-three\" style=\"--awb-margin-top-small:0px;--awb-margin-right-small:0px;--awb-margin-bottom-small:20px;--awb-margin-left-small:0px;\"><h3 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:20;--minFontSize:20;line-height:1.45;\">Clear distinction between threat, measure, effect and effectiveness test<\/h3><\/div><div class=\"fusion-text fusion-text-7\"><p>In an information security risk assessment, the <span class=\"caps\">CISO<\/span> must first assess the threats themselves and only afterwards define the measures and their intended effect. The simplified practical example of \u201cmalware\u201d below delineates the terms:<\/p>\n<ul>\n<li><strong>Threat:<\/strong> The risk that the company will be infected by malware.<\/li>\n<li><strong>Measure:<\/strong>\n<ul>\n<li>Full-coverage malware protection software on all endpoints from vendor A.<\/li>\n<li>Perimeter gateway protection and upload filters from manufacturer B.<\/li>\n<li>Regular testing of 
internal and external services for weak points (vulnerabilities).<\/li>\n<\/ul>\n<\/li>\n<li><strong>Effect of the measure (the definition of effectiveness targets):<\/strong>\n<ul>\n<li>Malware arriving from the Internet and by e-mail is reliably detected at the gateway.<\/li>\n<li>Malware arriving on <span class=\"caps\">USB<\/span> sticks and in end-to-end encrypted e-mails (which the gateway cannot inspect) is reliably detected on the end device.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Effectiveness testing:<\/strong>\n<ul>\n<li>Is there any indication that malware is not reliably detected at the gateway, by the upload filters or on the end devices? A harmless check is to send a known test sample such as the EICAR test file along each path and confirm that it is blocked and logged.<\/li>\n<li>Is malware also detected in encrypted connections?<\/li>\n<li>If the effectiveness test shows that the measures are not effective, the measures must be optimized or expanded.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div><div class=\"fusion-image-element \" style=\"--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\" fusion-imageframe imageframe-none imageframe-4 hover-type-none\"><a href=\"https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Gefaehrdung-Risikoanalyse-Massnahme-Wirkung_der-Massnahme-Wirksamkeitspruefung.png\" class=\"fusion-lightbox\" data-rel=\"iLightbox[532d260fa01a63977c6]\" 
data-title=\"Threat - Risk analysis - Measure - Effect of the measure - Effectiveness test\" title=\"Threat - Risk analysis - Measure - Effect of the measure - Effectiveness test\"><img decoding=\"async\" width=\"1111\" height=\"415\" src=\"https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Gefaehrdung-Risikoanalyse-Massnahme-Wirkung_der-Massnahme-Wirksamkeitspruefung.png\" alt class=\"img-responsive wp-image-4448\" srcset=\"https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Gefaehrdung-Risikoanalyse-Massnahme-Wirkung_der-Massnahme-Wirksamkeitspruefung-200x75.png 200w, https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Gefaehrdung-Risikoanalyse-Massnahme-Wirkung_der-Massnahme-Wirksamkeitspruefung-400x149.png 400w, https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Gefaehrdung-Risikoanalyse-Massnahme-Wirkung_der-Massnahme-Wirksamkeitspruefung-600x224.png 600w, https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Gefaehrdung-Risikoanalyse-Massnahme-Wirkung_der-Massnahme-Wirksamkeitspruefung-800x299.png 800w, https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Gefaehrdung-Risikoanalyse-Massnahme-Wirkung_der-Massnahme-Wirksamkeitspruefung.png 1111w\" sizes=\"(max-width: 1024px) 100vw, (max-width: 640px) 100vw, 1111px\"><\/a><\/span><\/div><div class=\"fusion-title title fusion-title-4 fusion-sep-none fusion-title-text fusion-title-size-three\" style=\"--awb-margin-top-small:0px;--awb-margin-right-small:0px;--awb-margin-bottom-small:20px;--awb-margin-left-small:0px;\"><h3 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:20;--minFontSize:20;line-height:1.45;\">The <span class=\"caps\">SEC4YOU<\/span> Methodology<\/h3><\/div><div class=\"fusion-text fusion-text-8\"><p>First, the threats from the <span class=\"caps\">BSI<\/span> Elementary Threats, the <span class=\"caps\">ENISA<\/span> Threat Landscape 2021 and the CyberEdge 2022 Cyberthreat Defense 
Report were listed and prioritized. You can identify the <strong>priority<\/strong> of a threat by the red flag in the chart below.<\/p>\n<p>We then classified the threats into the following <strong>categories<\/strong>: Elemental, Data Loss, Supplier Cause, Terror\/Insider\/Sabotage\/Espionage, Organizational Error, Cyberattack.<\/p>\n<p>We then <strong>filtered<\/strong> the prioritized threats from all three sources, but removed the terror\/insider\/sabotage\/espionage category because it is not very relevant to the majority of companies (companies with such an exposure profile should keep it in their assessment).<\/p>\n<\/div><div class=\"fusion-image-element \" style=\"--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\" fusion-imageframe imageframe-none imageframe-5 hover-type-none\"><a href=\"https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Gefaehrdungen-zusammengefasst-nach-BSI-ENISA-CyberEdge.png\" class=\"fusion-lightbox\" data-rel=\"iLightbox[94ddc915938236b9158]\" data-caption=\"Threats summarized by BSI - ENISA - CyberEdge\" data-title=\"Threats summarized by <span class=&quot;caps&quot;>BSI<\/span> \u2014 <span class=&quot;caps&quot;>ENISA<\/span> \u2014 CyberEdge\" title=\"Threats summarized by <span class=&quot;caps&quot;>BSI<\/span> \u2014 <span class=&quot;caps&quot;>ENISA<\/span> 
\u2014 CyberEdge\"><img decoding=\"async\" width=\"3440\" height=\"2366\" src=\"https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Gefaehrdungen-zusammengefasst-nach-BSI-ENISA-CyberEdge.png\" alt class=\"img-responsive wp-image-4449\" srcset=\"https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Gefaehrdungen-zusammengefasst-nach-BSI-ENISA-CyberEdge-200x138.png 200w, https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Gefaehrdungen-zusammengefasst-nach-BSI-ENISA-CyberEdge-400x275.png 400w, https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Gefaehrdungen-zusammengefasst-nach-BSI-ENISA-CyberEdge-600x413.png 600w, https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Gefaehrdungen-zusammengefasst-nach-BSI-ENISA-CyberEdge-800x550.png 800w, https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Gefaehrdungen-zusammengefasst-nach-BSI-ENISA-CyberEdge-1200x825.png 1200w, https:\/\/www.sec4you.com\/wp-content\/uploads\/2022\/07\/Gefaehrdungen-zusammengefasst-nach-BSI-ENISA-CyberEdge.png 3440w\" sizes=\"(max-width: 1024px) 100vw, (max-width: 640px) 100vw, 3440px\"><\/a><\/span><\/div><div class=\"fusion-title title fusion-title-5 fusion-sep-none fusion-title-text fusion-title-size-three\" style=\"--awb-margin-top-small:0px;--awb-margin-right-small:0px;--awb-margin-bottom-small:20px;--awb-margin-left-small:0px;\"><h3 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:20;--minFontSize:20;line-height:1.45;\">The result: The <span class=\"caps\">SEC4YOU<\/span> Information Security Threat List 2022<\/h3><\/div><div class=\"fusion-text fusion-text-9\"><p>The following 17 threats emerged as the most significant threats to <span class=\"caps\">IT<\/span> operations:<\/p>\n<p><strong>Elemental<\/strong><\/p>\n<p>1. 
Fire and other physical\/technical disasters<\/p>\n<p><strong>Data loss<\/strong><\/p>\n<p>2. Loss of information to unauthorized parties (physical and electronic)<\/p>\n<p>3. Data loss due to lack of redundancy\/backup<\/p>\n<p><strong>Supplier cause<\/strong><\/p>\n<p>4. Attack via the supply chain<\/p>\n<p><strong>Organizational error<\/strong><\/p>\n<p>5. Exposure due to errors or misconfiguration<\/p>\n<p>6. Lack of planning<\/p>\n<p><strong>Cyberattacks<\/strong><\/p>\n<p>7. Ransomware<\/p>\n<p>8. Malware<\/p>\n<p>9. Misuse or takeover of user IDs<\/p>\n<p>10. Cryptojacking<\/p>\n<p>11. Social engineering \/ phishing \/ spear phishing \/ other e-mail attacks<\/p>\n<p>12. Attacks on data<\/p>\n<p>13. Attacks on data availability incl. DoS\/DDoS<\/p>\n<p>14. Targeted attacks (APTs)<\/p>\n<p>15. Attacks on <span class=\"caps\">SSL<\/span>\/<span class=\"caps\">TLS<\/span> encryption<\/p>\n<p>16. Attacks on web applications (<span class=\"caps\">OWASP<\/span> Top 10)<\/p>\n<p>17. 
Zero-day attacks<\/p>\n<\/div><div class=\"fusion-title title fusion-title-6 fusion-sep-none fusion-title-text fusion-title-size-three\" style=\"--awb-margin-top-small:0px;--awb-margin-right-small:0px;--awb-margin-bottom-small:20px;--awb-margin-left-small:0px;\"><h3 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:20;--minFontSize:20;line-height:1.45;\">Explanation of the threat list<\/h3><\/div><div class=\"fusion-text fusion-text-10\"><p>As part of the information security risk assessment, evaluate the threat list against your asset groups and identify the existing and additionally required technical and organizational measures. Use the explanations below to apply a risk assessment by impact and probability of occurrence.<\/p>\n<p>1. Fire and other physical\/technical disasters<\/p>\n<p>This covers natural disasters and local elemental hazards such as fire or water that can destroy <span class=\"caps\">IT<\/span> infrastructure. Technical defects in server rooms or in critical <span class=\"caps\">IT<\/span> services that completely interrupt <span class=\"caps\">IT<\/span> operations are also covered. Whether flood, fire or firefighting foam destroys the server rack, ensure redundancy and multiple, physically separated copies of your data in good time.<\/p>\n<p>2. Loss of information to unauthorized parties (physical and electronic)<\/p>\n<p>This threat concerns the information itself. 
Howe\u00adver, it does not mat\u00adter whe\u00adther an unaut\u00adho\u00adri\u00adzed per\u00adson ste\u00adals it as paper docu\u00adments or it is copied elec\u00adtro\u00adni\u00adcal\u00adly via remo\u00adte access.&nbsp; The com\u00adpa\u00adny-cri\u00adti\u00adcal infor\u00adma\u00adti\u00adon in the hands of a com\u00adpe\u00adti\u00adtor or the loss of repu\u00adta\u00adti\u00adon can cau\u00adse las\u00adting dama\u00adge to the company.<\/p>\n<p>3. Data loss due to lack of redundancy\/backup<\/p>\n<p>If cri\u00adti\u00adcal <span class=\"caps\">IT<\/span> ser\u00advices are not desi\u00adgned red\u00adun\u00addant\u00adly (inclu\u00adding sto\u00adrage, vir\u00adtua\u00adliza\u00adti\u00adon plat\u00adforms, domain con\u00adtrol\u00adlers, direc\u00adto\u00adry ser\u00advices, <span class=\"caps\">DNS<\/span> ser\u00advers, web ser\u00advices), data loss can occur. Data loss can be cau\u00adsed by hard\u00adware defects, con\u00adfi\u00adgu\u00adra\u00adti\u00adon errors or sim\u00adply human error. In the end, a pro\u00adfes\u00adsio\u00adnal\u00adly plan\u00adned and regu\u00adlar\u00adly tes\u00adted back\u00adup solu\u00adti\u00adon helps pre\u00advent data&nbsp;loss.<\/p>\n<p>4. Attack via the sup\u00adp\u00adly&nbsp;chain<\/p>\n<p>In the \u201csup\u00adp\u00adly chain attack\u201d, the trust bet\u00adween a (lar\u00adge) sup\u00adpli\u00ader and its cus\u00adto\u00admers is abu\u00adsed. Here, atta\u00adckers can com\u00adpro\u00admi\u00adse the data and sys\u00adtems of one (or many) com\u00adpa\u00adnies via remo\u00adte access set up or cre\u00adden\u00adti\u00adals or keys stored with the sup\u00adpli\u00ader. 
In the past, howe\u00adver, a lar\u00adge pro\u00adpor\u00adti\u00adon of attacks were car\u00adri\u00aded out via com\u00adpro\u00admi\u00adsed soft\u00adware from indi\u00advi\u00addu\u00adal sup\u00adpli\u00aders, whe\u00adre hackers were able to place tar\u00adge\u00adted attack methods in sup\u00adpo\u00adsedly trust\u00adwor\u00adt\u00adhy soft\u00adware updates.<\/p>\n<p>5. Risk due to errors or misconfiguration<\/p>\n<p>Ser\u00advers and <span class=\"caps\">IT<\/span> ser\u00advices are con\u00adfi\u00adgu\u00adred dif\u00adfer\u00adent\u00adly and some\u00adti\u00admes inse\u00adcu\u00adre\u00adly, espe\u00adci\u00adal\u00adly due to a lack of con\u00adfi\u00adgu\u00adra\u00adti\u00adon spe\u00adci\u00adfi\u00adca\u00adti\u00adons (har\u00addening gui\u00adde\u00adlines, con\u00adfi\u00adgu\u00adra\u00adti\u00adon base\u00adlines) and a lack of auto\u00adma\u00adti\u00adon. Also, sub\u00adse\u00adquent secu\u00adri\u00adty-rele\u00advant con\u00adfi\u00adgu\u00adra\u00adti\u00adon adjus\u00adt\u00adments are often not imple\u00admen\u00adted by the <span class=\"caps\">IT<\/span> teams of com\u00adpa\u00adnies. Unfort\u00adu\u00adna\u00adte\u00adly, all too often soft\u00adware or ser\u00advices are put into ope\u00adra\u00adti\u00adon with the default con\u00adfi\u00adgu\u00adra\u00adti\u00adons and default access data, which can be easi\u00adly exploi\u00adted by attackers.<\/p>\n<p>6. 
Lack of planning<\/p>\n<p>Poorly planned <span class=\"caps\">IT<\/span> infrastructures, improper maintenance and repair processes, underestimated <span class=\"caps\">IT<\/span> migrations, procurement of <span class=\"caps\">IT<\/span> systems with inadequate security features, poor resource planning, missing spare parts and even outdated transfer protocols can all be traced back to a lack of planning and poor project management. Only when information security is considered early and planning is managed rigorously are security-relevant projects identified in time, so that they can be planned and implemented according to their criticality.<\/p>\n<p>7. Ransomware<\/p>\n<p>Ransomware is a particularly destructive form of attack in which attackers encrypt corporate data and demand a ransom to make it accessible again. Increasingly, the attackers also exfiltrate the data first and demand a further payment so that it is not passed to authorities, competitors or the public (double extortion), which means that a working backup alone no longer neutralizes the threat. Phishing e\u2011mails and exposed Remote Desktop Protocol (<span class=\"caps\">RDP<\/span>) services, typically entered with stolen or brute-forced credentials, top the list of entry points for ransomware.<\/p>\n<p>8. Malware<\/p>\n<p>Malware is the umbrella term for software, firmware or code that maliciously affects the confidentiality, integrity or availability of systems. 
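<\/p>
<p>The RDP entry point named under point 7 can be caught in the logs before the encryption starts. The following Python example, added here and not part of the original article, runs a simple detection over a constructed sample of Windows Security events (4625 failed logon, 4624 successful logon, logon type 10 = RemoteInteractive, i.e. RDP): it raises an alert when one source address produces five or more RDP logon failures within five minutes, and a second, more urgent alert when that same source subsequently logs on successfully. Host names, user names and the addresses from the 203.0.113.0\/24 and 198.51.100.0\/24 documentation ranges are invented, as are the threshold values.<\/p>
```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events flattened to key=value lines
# (EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 =
# RemoteInteractive, i.e. RDP). Hosts, users and addresses are invented;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation-only ranges.
SAMPLE_LOG = '''
2022-07-08T02:20:11Z Host=TS01 EventID=4625 LogonType=10 User=m.huber Src=198.51.100.22
2022-07-08T02:14:01Z Host=TS01 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2022-07-08T02:14:09Z Host=TS01 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2022-07-08T02:14:17Z Host=TS01 EventID=4625 LogonType=10 User=backup Src=203.0.113.7
2022-07-08T02:14:26Z Host=TS01 EventID=4625 LogonType=10 User=svc_backup Src=203.0.113.7
2022-07-08T02:14:34Z Host=TS01 EventID=4625 LogonType=10 User=scanner Src=203.0.113.7
2022-07-08T02:14:41Z Host=TS01 EventID=4625 LogonType=10 User=svc_backup Src=203.0.113.7
2022-07-08T02:15:05Z Host=TS01 EventID=4624 LogonType=10 User=svc_backup Src=203.0.113.7
2022-07-08T02:20:30Z Host=TS01 EventID=4624 LogonType=10 User=m.huber Src=198.51.100.22
2022-07-08T02:31:00Z Host=TS01 EventID=4624 LogonType=2 User=j.doe Src=127.0.0.1
'''

FAIL_THRESHOLD = 5              # failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)   # ... within this period (assumed tuning values)


def parse_event(line):
    fields = line.split()
    event = {'ts': datetime.strptime(fields[0], '%Y-%m-%dT%H:%M:%SZ')}
    for pair in fields[1:]:
        key, value = pair.split('=', 1)
        event[key] = value
    event['EventID'] = int(event['EventID'])
    event['LogonType'] = int(event['LogonType'])
    return event


def detect_rdp_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    events = [parse_event(line) for line in log_text.strip().splitlines() if line.strip()]
    events.sort(key=lambda e: e['ts'])          # log lines rarely arrive in order
    recent_failures = defaultdict(list)         # src -> failure timestamps inside window
    users_tried = defaultdict(set)
    flagged = set()
    alerts = []
    for ev in events:
        if ev['LogonType'] != 10:               # only RDP / RemoteInteractive logons
            continue
        src = ev['Src']
        if ev['EventID'] == 4625:
            users_tried[src].add(ev['User'])
            window_start = ev['ts'] - window
            recent_failures[src] = [t for t in recent_failures[src] if t >= window_start]
            recent_failures[src].append(ev['ts'])
            if len(recent_failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({'kind': 'rdp_bruteforce', 'src': src,
                               'failures': len(recent_failures[src]),
                               'users': sorted(users_tried[src]),
                               'first': recent_failures[src][0], 'last': ev['ts']})
        elif ev['EventID'] == 4624 and src in flagged:
            # A success after a burst of failures is the real incident: the
            # attacker now has an interactive session, which is where the
            # ransomware deployment begins.
            alerts.append({'kind': 'rdp_success_after_bruteforce', 'src': src,
                           'user': ev['User'], 'host': ev['Host'], 'at': ev['ts']})
    return alerts


if __name__ == '__main__':
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```
<p>The same logic translates directly into a SIEM correlation rule. The signal worth paging on is the combination of a failure burst and a following success from the same source, not the failures alone, which any Internet-facing RDP port collects around the clock. Better still is not exposing RDP to the Internet at all and reaching it only through a VPN with two-factor authentication.<\/p>
<p>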
Subtypes include viruses, worms, Trojan horses, RATs (remote access trojans) and code injected into otherwise legitimate programs. Some spyware and adware also count as malware. Good malware protection with runtime behavior analysis on all systems (clients, servers, gateways) helps to contain an infection and limit the spread of malware; signature-based detection alone misses new samples, so behavior-based detection is needed alongside it. The installation of software and drivers by users on end devices should be severely restricted.<\/p>\n<p>9. Misuse or takeover of user IDs<\/p>\n<p>In the misuse of user IDs or identity theft, the attacker assumes the identity of a person in order to act on their behalf. This is particularly easy once an e\u2011mail account has been compromised: the attacker then takes over other services through their e\u2011mail-based password reset procedures, because the mailbox is the recovery channel for almost every other account. Strong, unique passwords combined with two-factor authentication, applied first of all to the e\u2011mail account itself, are the best protection against this threat. At the same time, companies need to educate users through security awareness campaigns about unique passwords and the danger of phishing attacks.<\/p>\n<p>10. Cryptojacking<\/p>\n<p>The idea of crypto-mining on powerful hardware is not new, but it becomes a crime when the computing power and electricity of a victim are used. This affects end devices and servers alike, which are infected and exploited by attackers; the symptoms are typically unexplained CPU load, higher power consumption and degraded performance rather than visible damage. 
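<\/p>
<p>Point 9 above describes the takeover chain through e\u2011mail-based password resets. The reset mechanism itself can be built so that a token which leaks from a mailbox, a proxy log or a database is worthless within minutes. The following Python class is an added example, not code from the original article or from any product: it issues unguessable tokens from the operating system CSPRNG, stores only their hash, limits them to 15 minutes (an assumed policy value) and a single use, supersedes an earlier token when a new one is requested, and answers identically for unknown addresses so the endpoint cannot be used to enumerate accounts. The in-memory user store stands in for a real database.<\/p>
```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a reset link lives 15 minutes


class PasswordResetService:
    # In-memory stand-in for the user and token stores of a real application.
    # Tokens are stored only as SHA-256 hashes: a leaked database or log line
    # then does not hand an attacker a usable reset link.
    def __init__(self):
        self.users = {}    # email -> {'salt': bytes, 'pw_hash': bytes}
        self.tokens = {}   # sha256(token) -> {'email', 'expires', 'used'}

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, 100_000)

    @staticmethod
    def _hash_token(token):
        return hashlib.sha256(token.encode('utf-8')).hexdigest()

    def set_password(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email] = {'salt': salt, 'pw_hash': self._hash_password(password, salt)}

    def check_password(self, email, password):
        user = self.users.get(email)
        if user is None:
            return False
        return hmac.compare_digest(user['pw_hash'], self._hash_password(password, user['salt']))

    def request_reset(self, email, now=None):
        # Returns the token to be sent to the mailbox on file, or None for an
        # unknown address. The HTTP response shown to the requester must read
        # the same in both cases ('if the address exists, a mail is on its way').
        now = time.time() if now is None else now
        if email not in self.users:
            return None
        for record in self.tokens.values():      # one outstanding token per account
            if record['email'] == email:
                record['used'] = True
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self.tokens[self._hash_token(token)] = {
            'email': email, 'expires': now + TOKEN_TTL_SECONDS, 'used': False}
        return token

    def redeem(self, token, new_password, now=None):
        # Single use, time-limited and bound to the account it was issued for.
        # The lookup key is the hash of a 256-bit random value, so the
        # dictionary lookup leaks nothing useful through timing.
        now = time.time() if now is None else now
        record = self.tokens.get(self._hash_token(token))
        if record is None or record['used'] or now > record['expires']:
            return False
        record['used'] = True
        self.set_password(record['email'], new_password)
        return True


if __name__ == '__main__':
    svc = PasswordResetService()
    svc.set_password('alice@example.com', 'old-password')
    token = svc.request_reset('alice@example.com')
    print('redeemed:', svc.redeem(token, 'new-password'))
    print('second use accepted:', svc.redeem(token, 'again'))
```
<p>A reset flow that passes these checks still rests on the security of the mailbox, which is why the e\u2011mail account needs two-factor authentication first, and why a reset should not silently disable a second factor that was enrolled on the account. Rate limiting of reset requests per account and per source address belongs in front of this code.<\/p>
<p>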
Occasionally, software manufacturers have also attempted to build such mining services into their software and plug-ins, justifying this with the free use of the software and hiding it in a long <span class=\"caps\">EULA<\/span>.<\/p>\n<p>11. Social engineering \/ phishing \/ spear phishing \/ other e\u2011mail attacks<\/p>\n<p>The range of threats based on social engineering is wide and includes phishing, spear phishing, whaling, smishing (via <span class=\"caps\">SMS<\/span>), vishing (via voice calls) and, in the future, certainly video phishing with deepfake technology as well. E\u2011mail remains the most important delivery medium. Companies are required to train all employees in the perfidious methods of social engineering attacks, using current examples and their possible consequences, in regular security awareness campaigns and mandatory training courses.<\/p>\n<p>12. Attacks on data<\/p>\n<p>The dangers posed by attacks on data include unauthorized access, unwanted publication, false reporting \/ misinformation and disinformation (deliberately providing false information for the purpose of deception). Often referred to as a data breach \/ data leak, such incidents mean that sensitive, confidential or proprietary data ends up in an untrusted environment. 
The situation becomes particularly critical when the breach involves personal data as defined by the <span class=\"caps\">GDPR<\/span>: the company must then notify the supervisory authority, under Article 33 without undue delay and where feasible within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the persons concerned.<\/p>\n<p>13. Attack against data availability incl. DoS\/DDoS<\/p>\n<p>Attacks against data availability centre on two methods: (distributed) denial of service (DoS\/DDoS) and attacks on web services. A DoS\/DDoS attack overwhelms critical corporate <span class=\"caps\">IT<\/span> services until they no longer respond, whether the Internet uplink, e\u2011mail server services, remote office connections or any other service such as online sales. Web-based attacks usually target data integrity and availability: even inconspicuous web services can be abused for malware distribution or for stealing web form data through manipulated web links.<\/p>\n<p>14. Targeted attacks (APTs)<\/p>\n<p>The big difference between a \u201cnormal\u201d hacking attack on an infrastructure and an Advanced Persistent Threat (<span class=\"caps\">APT<\/span>) is that <span class=\"caps\">APT<\/span> attacks are highly targeted and carried out with a high level of effort. To this end, the attackers sometimes spend weeks researching employee responsibilities and existing customer and supplier relationships before the attack is launched. 
Customized malware is also often developed for an <span class=\"caps\">APT<\/span> attack and is not detected by commercially available malware protection, so detection has to rely on anomalies in behavior, network traffic and logs rather than on known signatures. <span class=\"caps\">APT<\/span> attacks are often designed primarily for long-term espionage against the victim (industrial espionage).<\/p>\n<p>15. Attacks on <span class=\"caps\">SSL<\/span>\/<span class=\"caps\">TLS<\/span> encryption<\/p>\n<p>Attacks on <span class=\"caps\">SSL<\/span>\/<span class=\"caps\">TLS<\/span> encryption concern, on the one hand, the danger posed by self-signed certificates: they cannot be validated against a trusted CA, so clients have to be configured to accept them (or certificate validation is switched off to make things work), and from then on a client cannot distinguish the genuine server from a man-in-the-middle presenting its own self-signed certificate, unless the certificate is explicitly pinned. On the other hand they concern outdated, insecure protocol versions, cryptographic algorithms and key lengths (<span class=\"caps\">SSL<\/span> 3.0 and <span class=\"caps\">TLS<\/span> 1.0\/1.1, RC4, SHA-1 signatures, <span class=\"caps\">RSA<\/span> keys shorter than 2048 bits) that no longer provide sufficient protection for transmission protocols. Widely used <span class=\"caps\">TLS<\/span> libraries such as OpenSSL carry an additional risk, since their vulnerabilities are extensively documented and attackers try to exploit them immediately: Heartbleed was an OpenSSL implementation bug that leaked server memory, whereas <span class=\"caps\">POODLE<\/span> was a weakness in the <span class=\"caps\">SSL<\/span> 3.0 protocol itself and affected every implementation that still allowed a downgrade to it.<\/p>\n<p>16. Attacking Web Applications (<span class=\"caps\">OWASP<\/span> Top 10)<\/p>\n<p>Do you develop web applications yourself? 
Then you should know the Open Web Application Security Project\u2019s Top 10 for this type of application: A01:2021 Broken Access Control, A02:2021 Cryptographic Failures, A03:2021 Injection, A04:2021 Insecure Design, A05:2021 Security Misconfiguration, A06:2021 Vulnerable and Outdated Components, A07:2021 Identification and Authentication Failures, A08:2021 Software and Data Integrity Failures, A09:2021 Security Logging and Monitoring Failures, A10:2021 Server-Side Request Forgery.<br>\nUnfortunately, new and existing web applications are often neither scanned regularly for these weaknesses nor reviewed for them during development, which makes it far too easy for attackers to take over web apps and harm the enterprise.<\/p>\n<p>17. Zero-Day Attacks<\/p>\n<p>In principle, a zero-day vulnerability is just one of the many vulnerabilities discovered; the difference is that no patch or hotfix exists for it yet, so the usual answer of patching is not available and mitigation has to come from elsewhere (disabling the affected feature, restricting access to the service, compensating controls). In the early phase of a zero-day vulnerability there is often no solid information about its extent and impact. 
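<\/p>
<p>Both A06:2021 (Vulnerable and Outdated Components) and the zero-day question of point 17 come down to the same operational task: joining an up-to-date inventory of installed products and versions against an advisory feed, and deciding per installation whether the answer is a patch or a mitigation because no patch exists yet. The following Python script is an added example, not part of the original article. The advisory identifiers (ADV-EXAMPLE-...), product names and affected version ranges are invented placeholders, not real vulnerabilities; the version parser assumes dotted-numeric upstream versions and ignores distribution suffixes.<\/p>
```python
# Constructed advisory feed and software inventory. The advisory identifiers,
# product names and version ranges are invented placeholders, not real CVEs.
ADVISORIES = [
    {'id': 'ADV-EXAMPLE-001', 'product': 'examplehttpd',
     'affected': [('2.4.0', '2.4.50')],             # [lower, upper) ranges
     'fixed_in': '2.4.50'},
    {'id': 'ADV-EXAMPLE-002', 'product': 'acmevpn',
     'affected': [('7.0', '7.1.3'), ('7.2', '7.2.1')],
     'fixed_in': None},                             # zero-day: no patch yet
]

INVENTORY = [
    {'host': 'web01', 'product': 'ExampleHTTPd', 'version': '2.4.49-1ubuntu2'},
    {'host': 'web02', 'product': 'ExampleHTTPd', 'version': '2.4.51'},
    {'host': 'vpn01', 'product': 'AcmeVPN', 'version': '7.1.2'},
    {'host': 'vpn02', 'product': 'AcmeVPN', 'version': '7.1.3'},
    {'host': 'db01', 'product': 'ExampleDB', 'version': '14.2'},
]


def parse_version(text):
    # '2.4.49-1ubuntu2' -> (2, 4, 49). Distribution suffixes after '-' or '+'
    # are dropped and a non-numeric component counts as 0. Assumption:
    # dotted-numeric upstream versions, which advisories are usually keyed on.
    core = text.split('-')[0].split('+')[0]
    parts = []
    for piece in core.split('.'):
        digits = ''
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version, lower, upper):
    # lower <= version < upper, compared numerically with zero padding so that
    # '7.2' and '7.2.0' denote the same version.
    v, lo, hi = parse_version(version), parse_version(lower), parse_version(upper)
    width = max(len(v), len(lo), len(hi))
    v, lo, hi = (t + (0,) * (width - len(t)) for t in (v, lo, hi))
    return lo <= v < hi


def find_exposed(inventory, advisories):
    # Joins the inventory against the advisory feed and states, per affected
    # installation, whether to patch or to mitigate until a patch exists.
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv['product'], []).append(adv)
    hits = []
    for item in inventory:
        for adv in by_product.get(item['product'].lower(), []):
            if any(version_in_range(item['version'], lo, hi) for lo, hi in adv['affected']):
                if adv['fixed_in']:
                    action = 'patch to ' + adv['fixed_in']
                else:
                    action = ('no patch available: restrict access, '
                              'disable the affected feature or isolate the host')
                hits.append({'host': item['host'], 'product': item['product'],
                             'version': item['version'], 'advisory': adv['id'],
                             'action': action})
    return hits


if __name__ == '__main__':
    for hit in find_exposed(INVENTORY, ADVISORIES):
        print(hit)
```
<p>The value of this check is entirely determined by the inventory: a host or component that is missing from it is never flagged, which is why an SBOM or software inventory kept current by the deployment process is the precondition for reacting to a zero-day within hours rather than weeks.<\/p>
<p>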
Companies are required to identify such zero-day vulnerabilities at an early stage. This requires a reliable source of vulnerability information (vendor advisories, <span class=\"caps\">CERT<\/span> feeds) and a quick assessment of whether the affected products and versions are in use in the company, which in turn presupposes an up-to-date inventory of software and components. Until a patch exists, exposure has to be reduced by other means, such as restricting access to the affected service or disabling the vulnerable feature.<\/p>\n<\/div><div class=\"fusion-separator fusion-full-width-sep\" style=\"align-self: center;margin-left: auto;margin-right: auto;margin-top:20px;margin-bottom:20px;width:100%;\"><div class=\"fusion-separator-border sep-single sep-solid\" style=\"--awb-height:20px;--awb-amount:20px;border-color:#e0dede;border-top-width:1px;\"><\/div><\/div><div class=\"fusion-text fusion-text-11\"><p>Classification: <span class=\"caps\">TLP<\/span> White<br>\nCreator: Andreas Schuster, <span class=\"caps\">SEC4YOU<\/span><br>\nVersion: 1.0<br>\nDate: 8.7.2022<\/p>\n<\/div><div class=\"fusion-separator fusion-full-width-sep\" style=\"align-self: center;margin-left: auto;margin-right: auto;margin-top:20px;margin-bottom:20px;width:100%;\"><div class=\"fusion-separator-border sep-single sep-solid\" style=\"--awb-height:20px;--awb-amount:20px;border-color:#e0dede;border-top-width:1px;\"><\/div><\/div><\/div><\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":3,"featured_media":4450,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[196],"tags":[]}