Fwd: Bildungsinitiative zur Rechenschaftspflicht bei Hyperkonnektivität


Grant Ongers (OWASP)

Apr 1, 2023, 5:57:45 AM
to Global-board, Andrew van der Stock, Dawn Aitken, Martin Knobloch
Fellow board members,

Below is a request from Martin for OWASP to support the Norddeutsche Bildungsstiftung in voicing the concerns about hyper-connectivity and how that impacts on privacy. I personally feel this is a good initiative to support and one I will be voting "Yes" to. As this is effectively OWASP taking a public stance on a matter it's something the board needs to consider, but the practicality of it is much closer to a co-marketing activity. To that end I've asked you all to read the original question, to look at the actual request and then to vote on the eVote I created for this purpose.

@Andrew van der Stock once the board has voted, assuming it's in the affirmative, could I ask that you liaise with Martin as to what they would like specifically and with @Dawn Aitken in her role in everything the Foundation does in co-marketing?

@Dawn Aitken as above, but also this will need to be recorded as part of the votes as well I think?

Best regards,
Grant

---------- Forwarded message ---------
From: Grant Ongers (OWASP) <grant....@owasp.org>
Date: Fri, 31 Mar 2023 at 10:50
Subject: Re: Bildungsinitiative zur Rechenschaftspflicht bei Hyperkonnektivität
To: Martin Knobloch <martin....@owasp.org>
Cc: Avi Douglen <avi.d...@owasp.org>


Hi Martin,

The "non-material support" mentioned would be in the form of publicly supporting the initiative (agreeing to our name being mentioned in connection to it), boosting posts on the topic published by the Norddeutsche Bildungsstiftung (Northern Germany Educational Foundation - more or less) and perhaps contributing some posts of our own to get the message out there?

Best regards,
Grant


On Fri, 31 Mar 2023 at 10:24, Martin Knobloch <martin....@owasp.org> wrote:
Hello Board-persons, ;)

Check out the request below. Is that something that OWASP would ideally support?

Cheers,
-martin

<google translation>

The Norddeutsche Bildungsstiftung wants to present an education initiative [1] at the beginning of April, which should help to meet the challenges of hyper-connectivity in accordance with the rules. The Bundesverband IT-Sicherheit e.V. (TeleTrusT) has promised me its support. Other associations will follow.

Would you/OWASP be interested in providing non-material support for this initiative? In this way you would not only contribute to IT security, but above all also inspire qualified staff for web security.

Hello Martin,
Thank you for your prompt response to my Xing message!
As part of our initiative, we want to
-- write a regular blog,
-- produce brochures,
-- conduct events.
The goal is to raise awareness of "hyperconnectivity" as well as
to establish the associated risks/legal consequences.

This requires publicity: as long as not even the business media report on "accountability", those responsible in SMEs will see no reason to act. Can I then add OWASP to the list of ideal supporters?

Thank you + greetings

Joachim

</google translation>

---------- Forwarded message ---------
From: Martin Knobloch <martin....@owasp.org>
Date: Fri, Mar 31, 2023 at 11:18 AM
Subject: Fwd: Bildungsinitiative zur Rechenschaftspflicht bei Hyperkonnektivität
To: Dirk W <di...@owasp.org>, Bjoern Kimminich <bjoern.k...@owasp.org>, Tobias Glemser <tobias....@owasp.org>, Bastian Braun <bastia...@owasp.org>



Hello German Chapter Board,

Have a look at the request below. Is this something the German Chapter would support non-materially?

The Norddeutsche Bildungsstiftung wants to present an education initiative [1] at the beginning of April that is meant to help meet the challenges of hyper-connectivity in compliance with the rules. The Bundesverband IT-Sicherheit e.V. (TeleTrusT) has promised me its support. Further associations will follow.

Would you/OWASP be interested in supporting this initiative non-materially? In doing so you would not only contribute to IT security, but above all also inspire qualified staff for web security.


Regards,
-martin

---------- Forwarded message ---------
From: Joachim Jakobs <j...@privatsphaere.org>
Date: Tue, Mar 28, 2023 at 3:01 PM
Subject: Bildungsinitiative zur Rechenschaftspflicht bei Hyperkonnektivität
To: <martin....@owasp.org>


Hello Martin,

many thanks for your prompt reaction to my Xing message!

As part of our initiative we want to

-- write a regular blog,
-- produce brochures,
-- run events.

The goal is to create awareness of "hyperconnectivity" as well as
of the associated risks/legal consequences.

This requires publicity: as long as not even the business media
report on "accountability", those responsible in SMEs will see
no reason to act.

May I then add OWASP to the list of non-material supporters?

Many thanks + regards

Joachim



--
Joachim Jakobs          2048R/D5D1F6DD 2012-03-03
   fon: +49-6233-1259.181  j...@privatsphaere.org
   mob: +49-176-97325.333  j...@pr-profi.com

PGP: D5D1F6DD


--
Grant Ongers
Co-Lead | OWASP Cornucopia Project
Co-Lead | OWASP AppSec Curriculum Project
Chair   | Global Board of Directors
F164 738F 16BF FDBF F0B6 5720 C986 8AF7 5F41 97BE
  https://twitter.com/rewtd


Avi D (BoD & OWASP Israel)

Apr 1, 2023, 7:48:07 PM
to Grant Ongers (OWASP), Global-board, Andrew van der Stock, Dawn Aitken, Martin Knobloch

Hi Grant,


While I would obviously support this initiative, I do not believe the Board needs to vote on every co-marketing effort. This we can leave up to Andrew / Dawn / etc.

If the question is about taking a public stance, then this would make sense only if the stance was in any way controversial, no? Security and privacy are important, literally our purpose, don’t think it needs a vote.


Avi D

--
You received this message because you are subscribed to the Google Groups "Global-board" group.
To unsubscribe from this group and stop receiving emails from it, send an email to global-board...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/global-board/CADVP%2BdMzL7CC_mvTt0h6qYMS%2BL4V3-3akvAE0r6w7rot_8rJGA%40mail.gmail.com.

Bil Corry

Apr 1, 2023, 9:48:35 PM
to Grant Ongers (OWASP), Global-board, Andrew van der Stock, Dawn Aitken, Martin Knobloch
What is meant by "hyper-connectivity" and what are the security and privacy concerns?  The link leads to a login page:

[attached image: image.png]


- Bil


Martin Knobloch

Apr 2, 2023, 3:06:30 AM
to Bil Corry, Grant Ongers (OWASP), Global-board, Andrew van der Stock, Dawn Aitken
Stands for 'hyper connected' 

It's about the privacy concern regarding data exchange between application / systems / companies. 

Who is responsible, what are the consequences. All of that. 

-martin 

Bil Corry

Apr 2, 2023, 2:29:30 PM
to Martin Knobloch, Grant Ongers (OWASP), Global-board, Andrew van der Stock, Dawn Aitken
Is there a new threat to security and privacy being addressed?  Or are they raising awareness of pre-existing issues?

Are they calling on a ban for hyperconnectivity?  Or new legislation to regulate it?  Or just awareness that connecting your toaster to your home network increases the attack surface?

I'm not opposed to a co-marketing effort, but I think we'd want to see the actual messaging before allowing the OWASP brand to be attached to it.

- Bil

Martin Knobloch

Apr 3, 2023, 4:15:49 AM
to Bil Corry, Grant Ongers (OWASP), Global-board, Andrew van der Stock, Dawn Aitken
As below :
"As part of our initiative, we want to
-- write a regular blog,
-- produce brochures,
-- conduct events.
The goal is to raise awareness of "hyperconnectivity" as well as
to establish the associated risks/legal consequences"

It's to raise awareness and educate about the risk. 

Cheers, 
-martin 

Grant Ongers (OWASP)

Apr 3, 2023, 4:57:35 AM
to Avi D (BoD & OWASP Israel), Global-board, Andrew van der Stock, Dawn Aitken, Martin Knobloch
Hey Avi,

As this is about committing OWASP to support some efforts (stand behind an ideal) I thought it best to bring it to the board. While Andrew and Dawn would normally deal with co-marketing things, this does feel like an idealistic support rather than a simple commercial one. I do think that the actions following it are definitely operational however.

Bil, this is not exactly a new threat but rather expressing concerns with the growing trend. The login page would take you to a post in German on the topic (you do have to register to gain access to the post) by Joachim Jakobs, apparently a freelance journalist. The post follows, thanks to a Google translation of same.

<---
Norddeutsche Bildungsstiftung wants to win chambers and associations over to a 'system of networked security'

Mirko Knappe, Board Member of the Norddeutsche Bildungsstiftung (NBS), states: "With the digitalization and automation of the world, enormous opportunities are opening up for the German economy; however, these opportunities are offset by risks and legal consequences. We want to inspire the associations from politics, business, administration and education for sustainable digitization. As a result, the associations should encourage their members to act responsibly."

Knappe believes it is possible that blind people with smart implants will one day be able to see again, lame people will be able to walk again and deaf people will be able to hear again. Or in industry: vehicles on water, on land and in the air could not only be manufactured fully automatically, but also transport their owner autonomously from A to B. And artificial intelligence could ensure that energy is used sparingly -- for example by ensuring that the energy from solar cells and wind turbines is always available exactly where there are a particularly large number of electricity consumers.

For Knappe, there is a risk that such a vehicle will make a mistake by even a millimeter or a second, or even be maliciously attacked. For Knappe, "scenarios are conceivable that have a catastrophic effect on the lives of the vehicle occupants affected and the economic existence of those responsible".

Breaches of duty could result in fines, damages and criminal investigations. And the responsible persons could not only infringe duties themselves -- they would also be liable for mistakes made by employees "in-house" and by their processors. Such mistakes could occur when planning, developing, setting up, managing or using software.

Therefore, the following are needed:

-- end-to-end encryption
-- multi-factor authentication (MFA) for remote access
-- email filtering and web security
-- secured, encrypted and tested backups
-- privileged access management (PAM)
-- endpoint detection and response (EDR)
-- patch and vulnerability management
-- incident response plans
-- cybersecurity awareness training
-- phishing testing
-- Remote Desktop Protocol (RDP) securing
-- logging and monitoring
-- cyber risk management

in the supply chain, in manufacturing, in trade and in application.

The individual measures would have to be documented in a data protection management system: the legislator requires data protection according to the "state of the art" (SdT) -- the SdT for data protection management systems is the 'standard data protection model' (SDM). The person responsible is liable for the proof of this level of protection. This follows from "accountability", for Knappe the "core of European data protection": "Has any association ever informed its members about accountability?" asks Knappe.

After such information -- so he hopes -- those responsible would ensure that resilience would become the central goal of any software development, that weaknesses would be permanently sought and that these would be plugged as quickly as possible. If public and private institutions of all sectors and sizes have developed such an SDM for their own data processing, we would have -- so he hopes -- a "system of networked security".

However, the actual state seems to be moving away from this target instead of approaching it: "The number and bandwidth of networked devices is growing exponentially; while those responsible are still careless, the attackers are using the technical possibilities to the max to automatically abuse human and technical weaknesses. If we don't close this digital divide, digitization will not be successful," Knappe is convinced.

In the age of future hyper-connectivity, only those companies that can meet their accountability requirements could -- according to Knappe -- be successful. In the opinion of the supervisory authorities, free software is particularly well suited to this, as it ensures complete transparency in data processing.

The independent state center for data protection in Schleswig-Holstein goes one step further: "In areas that are known to be sensitive, such as central structures for communication services (e.g. messenger, telephone, outgoing server for e-mail), a secure and data protection-compliant implementation would be difficult without the use of open source."

And the Federal Commissioner for Data Protection believes [3] he recognizes an "anchor of trust in digitization" in this technology:
"Open source is not a dogma. Of course, all data protection requirements can also be met with proprietary software. However, the inherent transparency of open source typically leads to easier and possibly better traceability of privacy compliance. So open source has the potential to become a real anchor of trust in digitization."

Knappe's conclusion: "We want to raise awareness of the importance of this trust and of the security of operating systems, software for office communication and electronic mail: anyone who cannot guarantee this will scare away their customers and risk their economic existence. If free software can ensure trust particularly well, those responsible should understand that!"

If the infrastructure is secure, the next step must be to ensure secure authentication of those affected: secure passwords are becoming longer and longer in view of technical developments: "No one can remember that anymore," says Knappe. Therefore, "a piece of hardware" is required with which the user certifies who she is. In the next step, the user must be enabled to electronically sign and cryptographically encrypt their mail.

To this end, the NBS wants to offer training courses, produce brochures and run a regular blog to sensitize current staff and make a contribution to digital sustainability. However, the youngsters are also particularly important:

"Pupils should experience digitization as positive -- if the school administration loses their data or third parties display inappropriate content in virtual school lessons, that is not positive but possibly disturbing," Knappe fears and concludes: "Schools must enable the next generation to deal appropriately with the risks. A high school graduate should be able to explain the terms risk management and data protection impact assessment. Graduates of science and humanities courses should be able to deal with the respective risks of their subject and be able to carry out data protection impact assessments. This is the only way they can start their professional careers responsibly."

Thus the NBS hopes for support from associations from politics, the economy and administration -- as well as science, research and teaching -- since precisely the "spearheads" of future prosperity are particularly often confronted with risks; methods for limiting them would also have to be developed there first.

To finance this initiative, Knappe is hoping for investments from companies that want to make money with secure digitization; in addition, the addressees should first decide whether they would like to contribute 10,000, 5,000 or 1,000 euros in order to become a "gold", "silver" or "bronze" sponsor. "Anyone who supports our initiative emphasizes that data protection and security are part of the company's goals -- that is the prerequisite for being able to retain current staff and win future ones," says Knappe.

--->
Best regards,
Grant
  https://twitter.com/rewtd

Andrew van der Stock

Apr 12, 2023, 3:47:55 PM
to Grant Ongers (OWASP), Avi D (BoD & OWASP Israel), Global-board, Dawn Aitken, Martin Knobloch
Hi folks,


That way, they don't get lost, and we can reach out for more information in the right way. The Board doesn't really need to be involved in these decisions, as we approve nearly all of them given sufficient time before the event, and as long as it's also beneficial for OWASP or OWASP's mission.

thanks,
Andrew