From analysis to implementation

IT Security consulting: cutting-edge IT security services for businesses

The complex networks that connect companies, customers, and suppliers around the world mean that demand for IT security solutions is growing. This can also be attributed to the increasing number of targeted attacks on IT systems and the enormous damage cybercrime can cause. With this in mind, it’s crucial that companies fully secure their IT landscape and subject their security measures to regular examinations.

Thanks to our decades of experience working with the particularly high security requirements in the aerospace industry, Lufthansa Industry Solutions is a top expert in the field of information security.

We offer cutting-edge IT security services – from analysis of security requirements to security concept development and to both the implementation and control of technical security solutions right up to carrying out Pentests. We are not a product reseller – our professional advice is always 100 percent independent.

Why is IT security important for companies?

Recent years have seen a marked increase in cybercriminality, especially in the manufacturing industry. This makes it all the more important that companies prepare accordingly: with up-to-date, comprehensive security solutions that continuously examine every area of their IT systems.

IT trends: Companies must be prepared to respond

  • Compliance with legal requirements for the implementation of established IT security standards should be maintained.
  • The Internet of Things (IoT) is also set to shape how IT structures develop in future.
  • The protection requirements of mobile communications are growing.
  • Mandatory data privacy requirements have been intensified by the GDPR.

Marked increase in cyberattacks on companies

The Internet of Things (IoT) and Industry 4.0 are developing and spreading at a rapid pace. As companies migrate to using mobile devices and smart technologies to handle their processes, the quantities of data and data interfaces are growing – as are the potential opportunities for cybercriminals to launch attacks. This development is reflected in the most recent situation assessment carried out by the Federal Office for Security in Information Technology.

Nevertheless, many companies still underestimate these cyber-risks – and the extent of the damage they could cause. For example, a server overload triggered by a DDoS attack could result in a total outage of a company’s in-house IT structures, bringing all business operations to a halt. Our tailored IT security concepts for companies therefore comprise regular inspections and updates for existing protective measures.

Elevated cyber-risks for industrial, automotive, transport, and logistics sectors

Due to their central importance, certain sectors of the economy are particularly at risk; as a result, they are subject to specific legal requirements, such as the IT Security Act (IT-SiG) and KRITIS regulations. That does not mean, however, that other sectors can rest easy: cybercriminality can affect companies of every size, in every sector.

The number of attempted attacks and security incidents has risen sharply in recent years, especially in areas which are already heavily networked, such as the automotive, industrial, transport, and logistics sectors. This has forced decision-makers to re-think their approach. While attacks were once a localized problem for the direct victims, as business sectors have become more closely interconnected, suppliers, partners, and customers have come to be affected. The resulting damage to corporate image, the costs of production losses, and liability risks all continue to rise. Appropriate protection for IT systems has therefore become a fundamental requirement for companies and the best possible investment protection for entire supply chains.

Which IT areas are most at risk?

Today, mobile and networkable devices are part of everyday operations for almost every company. This could be for internal and external communications, to create concepts and conduct accounting, in sales and distribution, for system maintenance, in the logistics chain, or in the form of “smart” security components. In addition, sensors and other intelligent technologies on production machines, IP cameras and data storage in the cloud, the latter of which is increasingly being used to make relevant information available to all concerned parties at any time and from anywhere. Rapid technological developments and the wide array of devices in use make it difficult for companies to maintain an overview of current IT risks – and implement the comprehensive IT protection required in response.

An additional driver of this development is the crisis caused by the Covid-19 pandemic, which has required many companies to resort to various forms of ad hoc digitalization.

What are the specific IT risks for companies?

For the first time, cyber incidents are the most significant business risk for companies worldwide. IT-related risks have knocked business downtime into second place, according to the 2020 Allianz Risk Barometer.

This is because companies are equipping their machinery with sensors, using social media, and saving data in the cloud: the consequence of this digitization is heightened IT security requirements.

Arming companies to repel a range of potential attacks, such as malware or DDoS attacks, requires extensive expertise to implement suitable protective measures that can achieve a high level of IT security.

LHIND – IT security consultancy and solutions

LHIND offers cutting-edge IT security services that cover all phases of a comprehensive security concept for businesses. The advice we provide is always accurate and 100% independent. Our security specialists will support you in:

IT security concept: Four core areas

  • IT security and privacy management: Risk-based security organization and control
  • IT security and privacy by design: Design and implementation of technical security measures
  • IT security and privacy audits: Independent examination of security guidelines and their operative implementation
  • Advanced cyber security: Offensive security

Our IT security services for your company

Our aim is to raise awareness of specific IT risks within your company and to help you to be proactive in managing them. With our risk-oriented, individual security concepts, we ensure you are as prepared as possible to respond to potential emergencies before they occur. Our operational security solutions – which we implement comprehensively and in accordance with applicable regulations – lay the required technical foundations for commercially appropriate protection. By conducting emergency simulations and regular audits, we continuously place your IT security under the microscope to examine it in detail. We simulate real attacks on your system in penetration tests and stand ready to provide immediate assistance if a genuine attack occurs.

IT security and privacy management

Any activity intended to increase information security can only be controlled effectively if it is embedded within a management system. The tasks of such a system include: monitoring the targeted use of available resources, identifying vulnerabilities, assessing risks, and presenting the success of established security measures in a transparent manner. These are not so much technological issues, rather they are organizational measures for which the owner of a business process should be responsible.

LHIND’s IT security experts will advise you on how best to organize and orchestrate your data protection and information security management systems. In particular, we offer assistance in designing, implementing and controlling established standards and other security-specific technical requirements at process level.

Core services relating to IT security & privacy management

  • IT risk management: IT risk strategy consulting, IT risk measurement and issue tracking, business impact analyses
  • ISMS consulting: Security quick assessments, implementation and optimization of information security management systems (ISMS), governance, risk & compliance (GRC) integration, maturity assessments and certification support, adoption of the role external information security officer (ISO)
  • KRITIS consulting: GAP-FIT analyses, sectoral KRITIS consulting
  • Special industry standards: Implementation consulting on specific industry standards, e.g. TISAX, PCI DSS, KAMaRISK, MaRISK VAIT or BAIT
  • Operational processes: Implementation and connection of operational processes, such as asset, vulnerability and patch management
  • Emergency and business continuity management: Preparation of GAP-FIT analyses related to business continuity management (BCM) standards, individual process modeling, development of emergency manuals, implementation of emergency exercises, execution of business impact analyses
  • Professional trainings: Company trainings, e.g. basics of the General Data Protection Regulation (GDPR) or security champion ramp-up
  • Privacy consulting: Carrying out data protection classifications, data protection audits, creating data protection concepts, implementing and optimizing data protection management systems (DSMS), adoption of the role external data protection officer

IT security and privacy by design

Businesses often only act once their systems have already been attacked and sensitive data potentially lost. Preventive technical protection measures can thwart an attack or make one so difficult that the attacker is spotted and stopped before any damage is done.

Attacks on businesses exploit a range of weaknesses – these range from application-specific vulnerabilities to the exposure of unprotected key material.

We will recommend solutions appropriate to the circumstances of your business, in particular for the following IT security sub-disciplines.

Core services relating to IT security & privacy by design

  • Digital trust: Design and optimization of public key infrastruktur (PKI) solutions, development of technical trust structures, credential management, multi-factor authentication
  • Digital identity: Consulting on identity, access and privileged access management
  • Cloud security: Cloud security strategy and policy management, cloud configuration consulting (especially MS Azure and AWS), consulting on cloud security monitoring
  • Security monitoring: Implementation of threat analyses, consulting for the design of security monitoring architectures, consulting as well as setup and optimization of SIEM & SOAR solutions, advanced persistent threat (APT) consulting & threat intelligence
  • Web security: Web security assessments, consulting of development teams, setup of build & deployment pipelines, implementation of single sign on & tracking solutions
  • Mobile security: Mobile device management, Android security, iOS security
  • IoT security: operational technology (OT) security, component assessments, OT in supply chains
  • Operational data privacy: Project-specific data protection consulting, implementation of the differential privacy method for depersonalization of mass data
  • Technical trainings: Company trainings, e.g. clean coding, secure coding and OWASP Top 10

IT security and privacy audits

The standards and security requirements currently in effect change just as much as the hardware and software we use – we will help you stay up to date in terms of IT security. Our customized security checks and IT architecture reviews will show you where updates are required. With individual privacy audits, we will support you in data protection and compliance, thus minimizing the risk of financial losses caused by attacks or sanctions and strengthening trust in your business in the long term.

Core services relating to IT security & privacy audits

Audits with security compliance focus

  • ISMS audits incl. maturity assessments
  • GAP-FIT analysis for KRITIS requirements
  • IT risk assessments
  • Security and privacy impact audits

Audits with technical focus

  • Architecture and code reviews for web- and client applications
  • Infrastructure & cloud configuration audits (incl. O365 and M365)
  • Architecture and code reviews for mobile apps
  • Architecture and code reviews for IoT solutions

Advanced Cybersecurity

Attack is the best form of defense: by simulating a cyber-attack, we can precisely identify vulnerabilities in your IT system. You gain an insight into critical components and tolerance ranges, as well as a realistic impression of the potential damage to your company. The results of the penetration test help us to protect your IT security even better against various forms of attack. Of course, in the event of a real emergency, we stand ready to support you – we’ll guide you quickly and efficiently through the measures you need to take to minimize the operational and financial losses.

Core services relating to advanced cybersecurity

Penetration testing

  • Webapplication/web service/API pentesting
  • Infrastructure & cloud pentesting
  • Mobile pentesting (iOS/Android)
  • RICH internet application/fat client pentesting & reverse engineering
  • Embedded device & IoT pentesting

Red teaming

  • Open source intelligence and social engineering
  • Physical security assessments
  • Multivariant technical penetration approaches on defined targets
  • Consulting to optimize the resilience of your IT environment

Other relevant areas of IT security

IT analysts estimate that, by the end of 2017, the number of networked devices totaled 8.4 billion – with this figure set to exceed 20 billion by 2020. The rapid growth in the number of networked devices is making IT security into a challenge: many IoT devices feature security defects due to their manufacturing, such as a lack of update functions, protocol weaknesses, or insecure data storage systems. These issues have been – and continue to be – exploited by cybercriminals. However, a lack of awareness among IoT users also harbors risks: for example, using weak passwords to govern administrator access or neglecting to install security updates. To ensure IoT security is effective, beyond devices and software, a company’s entire digital process needs to be analyzed and can be examined for weaknesses with the help of penetration tests.

Nowadays, cloud services have become standard for companies. Outsourcing IT operations to a cloud service provider is a convenient, cost-efficient measure – but also involves delegating aspects of IT security to an external provider. In many cases, cloud service providers are only responsible for the physical security of their computing center, the security of servers and basic network structures, and for certain basic applications and standard functions. What’s more, ensuring that cloud technologies are used securely is a responsibility usually given to end users, as are defining access rights and controlling identity management within the company. Legal security provisions also play a role for cloud security. To protect against cyberattacks, data losses, and server outages, but also to prevent liability claims, it is important that the duties and obligations of cloud security users and providers are contractually established in each specific case.

Despite the increasing complexity of technology, the level of security offered by mobile technologies is far from uniform and is often difficult to ascertain. On the one hand, many developers neglect vulnerabilities and patch management; on the other, many companies still lack an awareness of the IT risks inherent to apps and other software products. For IT security, regularly reviewing all mobile technologies used in a company for potential vulnerabilities and updating them as required is of decisive importance.

Threats to the IT security of a business arise from (selection)

Almost every piece of complex software contains code errors and security gaps that cybercriminals can exploit, such as to steal data or plant bots or other malware in IT systems.

Protective measures: Efficient vulnerability, patch, and lifecycle management, together with a transparent information policy from the software provider, can significantly reduce the risk of IT security gaps. Purchasing staff and system administrators should therefore ensure that they only implement software which is reviewed and updated regularly and which features transparent security standards.

Ransomware, DDoS attacks, APT attacks and many other forms of cybercriminality are based in large part on sophisticated malware. In most cases, the malware reaches a device as an email attachment, through downloads or apps, or in the form of fake program updates. While most devices feature virus protection, due to the rapid development of malware, it is often not possible to detect and protect against the full scope of such attacks.

Protective measures: As well as “classic” solutions, such as firewalls and anti-virus programs, IT security concepts for companies also need to include regular hardware and software inspections. In addition, the concept should integrate software users and teach them how to use IT systems securely and cautiously.

Ransomware is a malware variant that blocks hardware or encrypts user data to render devices unusable. Only once the ransom has been paid is the device unlocked for the user. Attacks can take a blanket approach, such as the WannaCry cryptoworm, or be targeted against a single company or organization.

Protective measures: It is possible to reduce the risk of an attack, such as by strategically segmenting a company network and implementing systematic patch management in order to eliminate vulnerabilities in the system at an early stage. A simulated cyberattack can help to provide a realistic picture of the risks and implement corresponding measures.

In a survey of around 600 IT experts, almost a third (31%) reported experiencing at least one ransomware attack in 2017. Only a tiny number of companies (3%) actually pay the ransom: the majority attempt to repel attacks with AV software or by restoring backups.

Source (in German):

DDoS (distributed denial-of-service) attacks intentionally trigger a server overload with the aim of partially or fully incapacitating a company’s IT structures. In most cases, such attacks are carried out using botnets, which can independently infect large numbers of devices with malware almost immediately. DDoS attacks are often associated with ransom demands.

Protective measures: As botnets are based on malware, classic security measures can be effective, such as systematic vulnerability analysis, regular software updates, strategic network segmentation, and increasing employees’ awareness of IT security risks. Beyond that, companies should consider specific DDoS-prevention solutions that can act quickly to divert traffic leading to an overload.

APTs (advanced persistent threats) are a wide-ranging data collection method. Traditionally, APTs have been used by news agencies; there are, however, growing indications that such methods are now being used for corporate espionage. APTs often infiltrate a system via software updates.

Protective measures: Basic protection from firewalls and anti-virus programs remains utterly essential. In addition, however, hardware and software in the network should be segmented and secured with access rights. User training sessions, regular audits to identify vulnerabilities, and an effective emergency strategy round off the security concept.

Find out more about the topics that matter for your sector

Want to learn more about the IT topics that matter to you? We can keep you up to date with the news from your sector on central issues such as Big Data, Industry 4.0, collaboration platforms and much more besides. We also offer personalized consultations – simply get in touch.