Integrity Insights

Information Security Essentials: Ethical Hacking, Cyber Risk Checks and DORA

The Berlin Risk Podcast Season 1 Episode 12

In this episode of Integrity Insights, host Filip Brokes is joined by two seasoned experts to discuss information security, an increasingly crucial issue impacting businesses and institutions globally.

Filip speaks with Annette Farrenkopf, Information Security Officer at Berlin Risk Advisors, and Christian Stehle, Founder and Managing Director of MindBytes, an IT security company based in Germany.

Annette shares her career journey from managing an advertising agency to spearheading information security and data protection at Berlin Risk. She explains information security through its three fundamental principles: confidentiality, integrity, and availability. Emphasising the risks of financial loss, reputational damage, and potential harm from compromised data, Annette highlights the growing necessity for robust security measures, citing a recent KPMG study indicating over one-third of German companies suffered from cybercrime incidents between 2023 and 2024.

Christian introduces MindBytes and describes its services, specialising in penetration testing and red teaming—ethical hacking practices aimed at proactively identifying vulnerabilities before malicious actors exploit them. He elaborates on the difference between these methods and underscores the critical role of open-source intelligence (OSINT) in preparing and executing realistic cyber-attacks to test organisations’ defences.

The episode also explores the EU’s Digital Operational Resilience Act (DORA), applicable since 17 January 2025, highlighting its impact on financial entities and their ICT third-party service providers. Annette provides insights into DORA’s significance for the financial sector, while Christian emphasises the necessity of such regulatory frameworks in an increasingly interconnected digital landscape.

Key topics covered in this episode:

  • Understanding information security and its importance
  • Ethical hacking: penetration testing vs. red teaming
  • Utilising OSINT for security assessments
  • Impact of the Digital Operational Resilience Act (DORA) on financial entities and technology providers

Tune in to gain valuable insights from experts navigating the complex landscape of information security.

Host: Filip Brokes
Guests: Annette Farrenkopf (Berlin Risk Advisors), Christian Stehle (MindBytes)

Produced by Berlin Risk 

Connect with Us:

  • LinkedIn: https://www.linkedin.com/showcase/integrity-insights/?viewAsMember=true
  • Berlin Risk Linkedin: https://www.linkedin.com/company/berlinrisk/?viewAsMember=true
  • Website: https://berlinrisk.com/


Hello, dear listeners. Welcome to the latest episode of Integrity Insights. After having published an episode on cybercrime, this latest episode is dedicated to the subject of information security. To discuss this topic, I invited Berlin Risk's own Chief Operating Officer and, more importantly, Information Security Officer, Annette Farrenkopf.

Alongside her, I also spoke to Christian Stehle, the founder and managing partner of the German IT security company MindBytes. We cover subjects such as ethical hacking, penetration testing, cyber risk checks, the EU's recently implemented Digital Operational Resilience Act, known as DORA, and much more. I hope you enjoy this conversation.

All right, Annette, Christian, welcome to the podcast.

Thanks, Filip. Thanks for having us.

My pleasure. I mentioned this in the intro: we have had an entire episode on cybercrime relatively recently, specifically on Russia-based ransomware criminal groups, but cybercrime is just a subset of a much broader category, namely information security.

And this is a subject of growing relevance, and I'm very happy that we are joined by two experts in the field. So let's start with you, Annette. You have been the Information Security Officer at Berlin Risk since 2019. Can you maybe tell us, to begin with, how exactly you landed in this position? And yeah, what's your story?

Yeah, thanks again, Filip. It's really nice to be a part of this podcast. I was a managing partner at an agency, an advertising agency actually, from 2009 until 2019, and in this position I was responsible for both data protection and information security.

So that's how it started. And when I came to Berlin Risk as Chief Operations Officer, it again was my responsibility to cover the topics of data protection and information security. And then a client, a potential client, asked us to have an information security management system in place.

And then it became my task, and I worked on that together with Till Wiedemann, the senior partner at Berlin Risk responsible for IT. It took us about a year and a half to set it up, but yeah, we created that. We set up a proper information security management system and got certified.

Very nice. And you, Christian, you are the founder and managing director of MindBytes, which is a Germany-based IT security company. What can you tell us about yourself and the company?

Yeah. So we were founded in October 2023, so now we are nearly one and a half years old. And the founding process is also interesting.

I would say we were working together at our last company, that's me and two other co-founders, and we noticed that we had some ideas that we wanted to implement. Let's say a bit more ideas than were actually implemented. And we said, yeah, why not do it our own way? Let's start our own company. And we basically locked ourselves in an Airbnb for a whole weekend.

The goal of this activity was to find out what each of us wanted in terms of founding our own company. We talked it through, and basically we said we don't leave this apartment until we have an answer. And yeah, well, now we're here. We put a lot of thought behind it. This Airbnb manoeuvre took place in March, and a few months later, in October, we founded the company.

We are specialised in something called penetration testing and red teaming. Those are not very descriptive terms; a slightly better description is ethical hacking, but maybe a bit more on that later.

That sounds, by the way, Christian, like the classic US startup story, like you lock yourselves in your friend's garage.

And yeah, very nice. So this is an extremely broad subject, so obviously we won't be able to get into all the details, but maybe I will go back to you, Annette. How would you describe, in the most simple terms, this domain of information security? And yeah, why should anyone care about this?

Information security is the practice of protecting information and data in your company or institution. And why does this information or data need to be protected? Probably because it is confidential. So this is the confidentiality aspect of information security. Confidential information and data can be contractual data, personal data, financial data, but also information about new products or innovations, and for obvious reasons competitors would love to have access to this information. So it's really necessary to secure your information from unauthorised access, use or disclosure, for instance.

Another reason why information and data need to be protected is that this information and data should not be amended by unauthorised people. That's the integrity aspect of information security. And why that? Think of personal data, health data. You might have a personal health profile in which your blood type can be found. If someone changes the blood type in this profile and you have an accident and you need blood, this can be life-threatening, you know, to get the wrong type of blood.

And the third main aspect of information security is the availability of data. Information and data you need to have access to in order to work properly or to offer your service. So it's really important to ensure access to the information and data that is essential for the company or institution to achieve its objectives. And to make sure that confidentiality, integrity and availability are guaranteed, you take measures: technical, operational and personal measures.

And you also asked why information security is important. Well, loss, misuse or encryption of information and data potentially, actually most often, lead to financial damages, reputational damages and liability for damages to third parties. In 2024, KPMG published a study called "e-Crime in the German Economy", and it states that in Germany more than one in three companies, actually 35 percent of all companies, had been the victim of computer crime in 2023 and 2024.

And in view of the developments of recent years and the constantly increasing number of types of malware, for example, or the possibilities for attacks using AI, it can be assumed that the already high number of cyber attacks and information security incidents will continue to rise. And that's why information security is so important.

Christian, I don't know if you wanted to add something to that?

Yeah, maybe to add a bit on the "why should anyone care about it". I think everyone has something that they value, and they have some sort of information that they value and need to protect. This can be companies, of course, but I think private persons also have sensitive information.

For example, think about your online banking account. Think about your identity. If someone were to steal your identity, or documents, ID cards, they can do things like impersonate you online, by contracts, or register for something, or even steal your identity to commit crimes, and then it falls back on you.

So I think anyone should care, because everyone has something that they need to protect or that they value that is related to it.

So basically, not just companies, but also individuals, right?

That's what I think, yes.

And so, Christian, you already alluded to this in the intro, that your company MindBytes focuses primarily on so-called offensive security, or ethical hacking.

Can we describe this in a little more detail?

Yep. So basically the very high-level idea is that we hack the customer. However, the customer gives us this task, and the idea is that we find vulnerabilities and weaknesses before actual attackers do. So when an attacker comes, all the open doors or windows are closed.

The more specific terms for this are penetration testing and red teaming. We use techniques that attackers use, and we find and uncover vulnerabilities. We can build proofs of concept and, for example, show the customer: hey, this attack actually works, we can abuse this, we can elevate our rights and we can take over your entire company.

For example, ransomware is one highly requested scenario, in the sense that you have the possibility to encrypt all data and, like, halt the company's functionality. And we do it to find the vulnerabilities and then explain to the customer what the vulnerabilities are, so the customer can close or fix them.

And how does the end result actually look? When you present this information to the client, is it a written report, or how does it look?

So the result is a report. This is what stays, and it contains all the information. We do a prioritised list of problems. We call them findings. We think in findings: one finding is one very specific problem. For example, you have a system that you didn't patch for, like, five years. Now it has a vulnerability. That's an example of a finding. And in our report we give you a prioritisation, so you know which one is the most critical and which one you should fix right now, and which is a bit more for the long term.

And all these findings are described: what's the problem, how did we exploit it, how did we find it, and also what is the recommendation, how do you fix it? In the case of the example I just gave you, it's just: okay, update your system.

However, our findings can also be on a more conceptual level. For example, if a system or a network is not segregated at all, like every system can reach every other system, then that's a finding in our case, because you should definitely isolate some critical services from regular clients, which are more exposed to the internet. And then it's a more conceptual thing, like we can say: okay, implement network segmentation.

So this is the topic of the findings, and in the report, like, we always do a presentation of the report. We also offer a management presentation to bring it down to a very high level, because what we do in the end is highly technical. We use techniques that attackers use; right now, this is cutting edge or state of the art, and you need to be able to understand a lot of topics. And this is highly technical what we do, and we need to put it in a form where the customers can use it. So they can see: okay, this is the problem. Maybe the attack is very complex, but the solution is maybe not so complex.

And I wonder, how do you actually know, I mean, you said that you try to use the most state-of-the-art techniques. How do you know what is the most current? Do you spend a lot of time, I don't know, on the Russian dark web researching, or how does this work?

Actually, it's more in the clear web. You don't need to go on the dark side. Yes, we have a lot of certifications and courses and dedicated time for research where we need to stay on top, and we have a lot of information channels where we get to know: okay, so this new exploit dropped, what's the problem? How can you use it? How can you prevent it?

And Christian, just to go back to what you said before, which I found interesting. You used those two terms, pentesting and red teaming, which sounds like something coming out of Call of Duty. Can you explain what those terms are?

I would go one more step back and talk a little about the prioritisation, because I also think this is the name of the game in today's world. You have so many different systems, you have so many different dependencies, you cannot overlook everything in every possible detail. So you need to prioritise your IT. And what we do in this prioritisation, where we try to help, is: for a finding we look at, okay, what is the possible damage if it's successfully exploited? And the second part is: how possible is it to exploit it?

Is it very easy to exploit? Is it publicly available information that this exploit is happening? Can I abuse it from the internet, or do I need to gain access first to an internal system? All these factors go into the rating of a finding, basically, and that's why we put a strong focus on this prioritisation.

I agree completely with that.

To elaborate a bit on pentesting versus red teaming. So in a pentest, we tell everyone that needs to know that the test is happening. We have a very short timeframe, so that we can conduct the tests time-efficiently, in the sense that we don't need to try to stay under the radar.

That's the key difference to red teaming. In a red teaming, we get a task, for example: break in, or simulate a ransomware attack by, you know, encrypting some files without actually causing a disturbance. Or, you know, you have critical systems like the CRM, the ERP, some databases where all the customer information is lying, and in a red teaming we try to gain unnoticed access, or we try to achieve our goals without getting noticed.

And so the key difference in a red teaming is that not every person on the customer side knows that we are coming, mainly just some high-level executives, for example just the CEO, maybe one head of IT security or something. But the people defending their IT, they don't know that an attack is coming, and we try to be very silent and not trigger any alarms.

This works mainly by going slowly and much more targeted. For example, you mentioned social engineering; that's also what we do in such red teamings. For example, phishing assessments where we write emails or call people, or we drop USB sticks in a parking lot. And beforehand we try to put the target groups together and make them as small as possible, because we don't want to cause a lot of noise, as we call it.

So pentesting: very time-efficient. We don't need to slow down, because it doesn't matter if we trigger some alerts or some defenders. And on a red teaming, it's very time-stretched. It's not necessary that you are working every day, eight hours, on the project. Sometimes you just send your baits out, you're phishing, and then you wait a bit to see if someone actually takes the bait. So that's the main difference.

All right, that makes sense. And then one more question about MindBytes. I saw on your website that you also conduct OSINT, open source investigations, to try to identify the weaknesses of a company.

Can you tell us, because this is also kind of what we do at Berlin Risk, what are the sources of information that you look at, and what are you usually interested in?

So we are looking in a lot of different places. That's not a helpful answer. So one source is social media, obviously. For example LinkedIn. People love to say: I work at this company, in this position, at this location. So what we can gain is their names and their position. And that's what I said when we conduct targeted assessments. So for example, if I want to target the HR people, then in most cases I can very easily find who works in HR, and I have their names.

We also look for more technical public information. For example, if you provide services on the internet, most of the time you have some public IP addresses registered, and we can find that, and the corresponding systems in this range we can find as well. We can also find, if you provide SSL certificates, you need to give a name for the system, basically. And what we do is we look at huge databases where certificates have been registered, and we see a lot of times that the information we gain is internal system names, internal domain names, and so we can find more services and maybe more hidden available services.

And how much time do you usually spend on this?

That very much depends. Usually it's one or two weeks; you gain a lot of information. And if we want to use this information to build up attacks, that's what we do, for example, in the red teaming, then it's a bit more time to verify the information, if the LinkedIn profile is, you know, up to date, or yeah.

What you mentioned earlier, you asked whether we look in the dark web. Yes, for this part we also look in the dark web. For example, we look at something called data breaches. Imagine you register at a website and this website gets hacked, and sometimes, or most of the time, these hackers publish the credentials from this website, from all users.

And now what happens if some employees use the same username and password for a specific website outside their company as they do inside the company? Then all of a sudden you gain access to a company account just by looking at public information. And I say "public" in quotes, because it's a bit harder to find, but it is public after all, I would say.

And it actually works. A lot of people, or, like, some breaches happen this way, because some employee uses the same password on another service as they do internally, and so attackers have access to the internal IT, basically, with a user account.

It's fascinating. And Annette, do you usually have the experience that your clients come after they have been attacked, and then they realise: okay, this is actually very costly and we need to do something about this? Or do people or companies come prior to that because they have, I don't know, been enlightened by some friends? How does it usually work?

In my experience, in the past companies only took action after something had happened to them or to a partner or a similar company. It was like a wake-up call. It was, so to speak, proof that something could happen to them too. But things obviously change. Recently, and from my experience as a provider of the cyber risk check, I will get back to that in a minute, companies obviously have become more aware of the threats and the potential damage of cybercrime or other information and data security incidents, and want to protect themselves before anything happens.

In Germany, the Bundesamt für Sicherheit in der Informationstechnik, BSI, the Federal Office for Information Security, plays an important role in information security, providing news, documents and tools for individuals and companies. And led by the BSI, a consortium of various institutions and experts worked together for several months, and the result of this work is a document, the so-called DIN SPEC 27076, "IT security consulting for small and micro enterprises", and the cyber risk check, which is based on it. This enables SMEs to receive standardised consulting from IT service providers, and the consulting is specifically tailored to their needs.

Berlin Risk Advisors actually is a registered consultant, so we are authorised to carry out the cyber risk check. And what do we do in detail? We conduct an interview with a company about their information security. We look at 27 requirements from six different areas and check if the company fulfils them. As a result, the company receives a report that, among other things, contains the number of points and a recommendation for action for each requirement that has not been met.

Amongst the requirements or aspects we look at are operational and organisational things, such as the topic of awareness: is information security a management task? Do you have the capacities for the topic? Is there training, a policy, an emergency plan? Do you have NDAs? Stuff like that, but also technical requirements and measures such as backups, and how do you ensure that your hardware and software are up to date, which is extremely important in order to always be prepared for current attacks and vulnerabilities.

And companies often tell me: we do not have the money or the capacities to implement an information security management system. And I understand that. And then I always recommend the cyber risk check, because it's a low-threshold approach. It doesn't cost much. But in the cyber risk check, key aspects are examined that have proven to ensure good basic protection.

So I really highly recommend it. Christian, I have the impression that you want to add something to that.

I think it makes sense to test. We see testing as a reality check. You know, you have all these concepts and all these ideas of what should be the case, like there should be a system preventing you from downloading malware. But does it actually work? So it's a bit dependent on the level of the customer, but I think some rough tests can be done and should be done, because what some person thinks is the reality and what actually is the reality may be different, you know. So I think it makes sense.

I have a question about these checks. What is your experience? How do the customers who do these checks rate? Is it like, okay, they are total beginners and did nothing? Or do you see a trend where nowadays most aspects are actually covered by everyone? Or is it super mixed?

It's really super mixed, yeah. I mean, we have companies with a lot of technical, operational and infrastructural measures in place, and then we have others that don't have anything, really. But what I experience is that all of them really appreciate this check, because the ones who have a lot of measures see: okay, we do have a lot of things, and we can just take a look at further measures, things we can really optimise. And the ones that don't have anything really know where to start. And I really appreciate that. I would highly recommend it.

Okay. I think I will have to steer this conversation to our last point, which I think is actually more connected to this level of sophistication that companies have. On 17 January this year, the European Union's Digital Operational Resilience Act, known as DORA, came into force, obliging financial entities to implement robust information risk management processes. Again, this is a very big topic that you could discuss for a very long time. So just on a very high level, could you maybe, Annette, first explain to our listeners who exactly is in scope of the regulation and what type of measures they need to implement?

With the Digital Operational Resilience Act, that's what DORA stands for, the EU has created a framework to strengthen the financial sector's protective measures against increasing cyber risks. DORA is aligned with other EU regulations to promote a comprehensive approach to cybersecurity and resilience in the European Union.

DORA is a regulation that applies directly in all EU member states, and it has been applicable since 17 January this year. In Europe, DORA actually applies to more than 22,000 financial entities such as banks, insurance companies, investment firms and payment institutions, but it also applies to ICT third-party service providers, and ICT stands for information and communications technology, operating within the EU, as well as the ICT infrastructure supporting them from outside the EU.

So the framework's aim actually is to ensure that financial entities as well as their ICT third-party service providers can maintain resilient operations through severe operational disruption caused by cybersecurity and information and communication technology issues. And why is it so important that DORA applies not only to financial entities, but also to ICT third-party service providers? It's because the financial sector increasingly depends on technology and on tech companies. So if they are the victim, the target of a cyber attack, and something happens, it's a catastrophe for the financial sector because of this dependence.

And, as far as I can see, MindBytes, Christian, is an ICT third-party service provider. So how does DORA affect MindBytes? Christian, what would you like to add as an ICT third-party service provider?

Yes, I completely agree. And I also say it makes complete sense. If you remember the SolarWinds hack: if a company gets compromised which in turn has access to many other companies, then it's like a distribution of access, you know. So it makes a lot of sense to me. And I think it's a good thing, and we will see how the finance sector evolves. There's really a lot going on in this sphere, and I recommend everyone to take a closer look.

I will thank at this stage you, Annette and Christian, for joining our podcast.