
Security vs. innovation?

What would the world be without inventions? Innovations such as a revolutionary payment app or a toilet with smartphone control are meant to make our lives easier. In the smart toilet, however, control runs over Bluetooth with a fixed PIN stored in the device: an easy game for attackers! What if it were an insulin pump worn on the body?
Raimund Genes, Trend Micro
June 21, 2015
It Security
This text has been automatically translated from German to English.

The smartphone app can be used to open and close the lid, flush, activate the bidet or switch on the fragrance spray by remote control.

Security was clearly not the decisive design criterion; the non-changeable Bluetooth PIN ("0000") can only be read as a direct invitation to hackers. Since every unit ships with the same PIN and the owner cannot change it, anyone within Bluetooth range can pair with the device.

Admittedly, the potential financial damage is limited, even if someone operates the flush around the clock, and there is certainly no acute risk to human life here.

From toilet 2.0 to the car of the future...

But the fun stops when it comes to medical devices such as insulin pumps. There are many such examples - even in areas where attackers could cause considerable damage.

Just think of the automotive industry, where IT is becoming increasingly important. The focus is on innovation and entering the market as quickly as possible.

Security experts are often not part of the product teams responsible for such new solutions. As a result, not much attention is paid to security at the outset. Unfortunately, such decisions can also have significant negative consequences.

This is the case, for example, when new products arouse the interest of hackers, and when those hackers then run into security hurdles that are non-existent or trivial to overcome.

...security threatens to fall by the wayside

The same tendency can be observed in IT projects when innovations are introduced: the focus is on performance improvement, cost savings or process optimization, but far less is said about what needs to be done and adapted in terms of security.

During the proof of concept, the main question is whether the innovation meets expectations. Only once the POC phase has been completed successfully and it is time to plan the rollout of the production servers does it emerge that the company's security guidelines are not yet fully met: the innovation is still too new, and the missing security features are promised for future releases.

Or, as some installation instructions explicitly recommend, security components are not to be deployed on the new system at all because of the performance losses they cause.

Caught between IT and business

And now? Wait or implement? This creates a conflict between IT security, which rightly insists that internal guidelines must be adhered to because compromises in this area usually lead to damage very quickly, and the business department, which wants to introduce innovations as quickly as possible.

From a security perspective, the more business-critical the innovation, the more attractive it is to an attacker. Compromising on security here can have fatal consequences.

Incidentally, unlike toilet 2.0, which really exists in Japan, the "revolutionary payment app" mentioned above is part of an online game. In it, a company (fictitious, of course) is about to launch an app on the market; the advertising campaign has started successfully, but security gaps or targeted attacks could jeopardize the project.

As CIO, the players have to make numerous decisions and solve problems during the final preparations for the planned market launch.

Try it out: at http://targetedattacks.trendmicro.com/ger the game "Targeted Attack - The Game" can be started free of charge, and you do not have to disclose any personal information to play it.

Raimund Genes, Trend Micro

Raimund Genes was CTO at Trend Micro.


