Presentations – IT-DEFENSE 2025

20 Years of SAP Cybersecurity – Andreas Wiegenstein & Xu Jia

Most music bands publish some kind of “Best of” album once they have reached a certain age. Well, even though we are no music band, we have reached a certain age. This presentation is a roller coaster ride through different types of vulnerabilities that we have discovered in the SAP universe in the last 20 years. These vulnerabilities are closely linked to different SAP technologies and their design as well as the pitfalls they involve. If you think that SAP is “only a database”, you might be “SAPrised”.

This talk will be held in German.

Do Not Believe Everything You Think: on Fallacies and Other Confusions of our Brain – Prof. Dr. Martin Korte

This presentation sheds light on mechanisms of thinking and their biases and on how they can influence – and sometimes also distort – our decisions. Especially in relation to HR decisions – from hiring to evaluating and promoting people – we are required to base our decisions on criteria that are as objective as possible in terms of a selection of the best. This is why it is particularly worthwhile here to tackle the conscious and unconscious thought processes that could run counter to this demand.

In this presentation, Prof. Dr. Martin Korte will talk about the insights of neurobiology and explain how we can use this knowledge to improve our decisions in both our professional and private lives. He will explain how our brain works and describe the evolutionary accidents that influence our thinking.

This talk will be held in German.

Hacker’s Perspective on New Risks: Revising the Cybersecurity Priorities for 2025 – Paula Januszkiewicz

The transformation is gaining momentum! Over the last tumultuous years, investments in digital transformation have been growing, with companies worldwide exploring its potential by introducing new technologies, approaches, and social changes. As more data than ever is put online, cybersecurity is now a major concern for everyone – large corporations, governments, and companies of all sizes. The transformation, however, also has its dark side. Thanks to it, hackers are able to exploit vulnerabilities in the infrastructure with even greater precision than before.

As the financial, operational, legal, and reputational consequences of neglecting cybersecurity risks can be considerable, the well-known analysis and protection methods need to be further developed and complemented.

During this presentation, the most serious risks of 2025 will be explored and explained. Paula Januszkiewicz will demonstrate how hackers and cybercriminals identify and exploit threats using the most up-to-date techniques so that you can observe them on your monitoring system and prevent them in the future. You will also become familiar with the most advanced phishing attacks, credential theft techniques, ransomware distribution methods, and ways of gaining access to vendor-controlled systems.

Join Paula to understand what is really possible in the year 2025. As the cyber transformation leads to better effectiveness of hackers' activities, there is no time to lose!

This talk will be held in English.

Vulnerabilities in TETRA:BURST – Jos Wetzels

This talk will present details of the TETRA:BURST vulnerabilities, the result of the first public in-depth security analysis of TETRA (Terrestrial Trunked Radio), a European standard for trunked radio used globally by government agencies, police, military, and critical infrastructure. TETRA relies on secret cryptographic algorithms which had remained secret for over two decades, but which we reverse-engineered and published in August 2023.

This secrecy has thwarted public security assessments and independent academic scrutiny of the protection that TETRA claims to provide. In this talk, we will discuss these cipher suites (TEA and TAA1 to be precise). As we will show, this security-through-obscurity has led to previously undisclosed flaws in Air Interface Encryption (AIE), authentication, and identity protection schemes going unnoticed and unaddressed, enabling both passive and active adversaries to intercept, manipulate, and inject TETRA network traffic.

This is particularly worrying for TETRA users in critical infrastructure, as found across the world at electric utilities, railways, and oil & gas. Here, the radio-based SCADA WAN networks (carrying protocols such as IEC-101/104, DNP3, or Modbus) typically cover large geographic areas, so an SDR-equipped attacker residing outside the physical perimeter of a substation or plant could break into the TETRA network and drop themselves directly into the OT network. We will discuss several relevant attack scenarios on such TETRA SCADA networks as used at electric utilities and railways, as well as corresponding hardening and mitigation advice.

In addition, we will provide a demonstration of such an attack scenario and discuss the new developments in TETRA security since our initial disclosures.

This talk will be held in English.

NIS-2, RCE and CRA – on Tour through the Jungle of Regulations – Dr. Christoph Wegener

A large number of regulatory requirements at the European level have seen the light of day in the last two years. The “directive on measures for a high common level of cybersecurity across the Union (NIS-2)”, the “directive on the resilience of critical entities (RCE)” and the “regulation on horizontal cybersecurity requirements for products with digital elements (CRA)” are currently particularly relevant in the context of information security.

Due to the typical complexity of these (EU) requirements, it is often difficult to find out whether one is affected by them, and the precise requirements and implementation deadlines are also often unknown. The presentation sheds light on this and provides answers to the questions typically asked by potentially affected entities: “Are we affected as an entity?”, “Which requirements do we now have to fulfill?” and “How much time do we have for this?”. In addition, the presentation shows which implementation guides exist – if there are any at all – and how to appropriately organize each step on the way to the goal.

This talk will be held in German.

How Big Is Our Cyber Risk? – Peter Wimmer & Stefan Koppold

Security experts have often heard this question being asked by boards of directors. When TRATON, Volkswagen Group’s truck branch, wanted to join a new group cyber risk insurance, it was necessary to create a precise calculation of the entire cyber risk for TRATON Group.

For this purpose, the risk, treasury and information security departments of TRATON developed an interdisciplinary approach for an aggregated monetary risk analysis. The evaluation of the overall risk – not only of the specific risks of an individual brand – had to take the following into account:

  • Ranges of risks need to be evaluated, i.e. not only singular scenarios but also average and extreme cases (those that make the headlines).
  • Dependencies with business units (e.g. production, logistics, legal and IT) need to be considered as well.

About 20 relevant cyber risk scenarios were identified in the areas of cyberattack, data security, business continuity and (being a company in the automotive sector) road safety; these were analyzed for each main brand, in 55 cases in total.

The impact of these scenarios on the entire group was then analyzed using Monte Carlo simulations and cumulative distribution functions.

Finally, a verifiable quantification of the group’s overall cyber risk and a realistic dimensioning for the deductible and the amount insured were developed. The procedure is explained in this presentation.

This talk will be held in German.

Vishing > Phishing: Initial Access Made Simple – Hagen Molzer

For some time now, it has been apparent that there is a shift from phishing to vishing (voice phishing) as the vector for the initial access phase in real attacks against companies. As a professional provider of simulations of such attacks in the form of red team exercises, we are also adapting to this trend. Phishing via email has long been one of the most popular attack vectors for gaining initial access to an organization’s internal network. Succeeding with it is getting more and more difficult due to the various technical and organizational measures on the part of our customers, and because employees are increasingly aware of the risks of phishing via email.

This is why we also increasingly often use vishing instead of phishing to achieve our goal. In this talk, we will explain the advantages of this alternative vector and outline one possible (and often alarmingly successful) procedure. We will also describe the technical infrastructure and common social engineering techniques we use to gain our “victim’s” trust and willingness to cooperate.

Finally, both technical and organizational countermeasures will be explained to reduce the risk that these types of attacks are successful.

This talk will be held in German.

Who Controls the Network, Controls the Universe – Nate Warfield

This talk will be held in English.