{"id":7102,"date":"2023-07-31T09:11:21","date_gmt":"2023-07-31T07:11:21","guid":{"rendered":"https:\/\/a1.group\/?page_id=7102"},"modified":"2024-12-18T11:28:49","modified_gmt":"2024-12-18T10:28:49","slug":"information-security","status":"publish","type":"page","link":"https:\/\/a1.group\/security\/information-security\/","title":{"rendered":"Information Security"},"content":{"rendered":"\n
\n\t
\n\n\t\t\t\n\t\t<\/div>\n\t\n\t<\/div><\/div>\n\n\n\n\n\t\n\t\t\t
\n\t\t\t
\n\t\t\t\t
<\/a>Home<\/a><\/span><\/div>\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\n\n\n\n\t\n\t\t\t
\n\t\t\t
\n\t\t\t\t

\n\tInformation Security<\/strong><\/strong><\/strong><\/h2>\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\n\n\n\n\t\n\t\t\t
\n\t\t\t
\n\t\t\t\t

\n\tThe network operators of the A1 Group form part of the critical infrastructure in all countries. The Group is aware of the special responsibility that this entails. The company is therefore involved in
initiatives beyond the extent required by law to continuously improve security.

Since 2020, A1 in Austria is an operator of essential services within the meaning of the Netz- und
Informationssystemsicherheitsgesetz (Austrian Network and Information System Security Act \u2013 NIS). Since then, A1 in Austria has been subject to the obligation to report security incidents to the NIS authority and to comply with security precautions and their regulations of the telecommunications sector. In 2023, A1 provided complete proof of the implementation of these security requirements to the NIS authority and thus successfully completed the security audit.

In accordance with the NIS, companies subject to the act must carry out a risk assessment for their suppliers. A1\u2019s supplier audit is based on the standard Cyber Risk Rating procedure from Cyber Trust Austria. As A1 in Austria is also a supplier for other companies subject to the NIS, the company itself has committed to complying with Cyber Trust Austria\u2019s quality criteria. This is reinforced by being awarded the \u201cCyber Trust Austrian Gold Label\u201d, evidence that customers covered by the NIS can place their trust in A1 as an audited NIS supplier.

The network operators of the A1 Group work closely with the respective authorities to continuously improve cybersecurity. They share relevant security information through the A1-CERT (Computer Emergency Response Team), which is also a member of the national CERT association ATC (Austrian Trust Circle). Security expertise is shared within the A1 Group and at conferences domestically and abroad. In 2023, A1-CERT became a member of the global organization FIRST (Forum of Incident Response and Security Teams), confirming the professionalism and high level of maturity of A1-CERT.

To ensure that services such as cloud services or new working models (home or mobile office, agile teams, remote operation & support, etc.) can continue to be developed and put into operation reliably and securely, the Group-wide harmonization of security requirements is taking place in the form of state-of-the-art standards and guidelines for information security. A special focus is placed on risk prevention in critical and important network elements. The A1 Group is guided by the international IT standards for security technologies (ISO 27001).

The function of Chief Security Officer (CISO) was created in the A1 Group to coordinate security policies and technologies within the A1 Group.<\/p>\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\n\n\n\n\t\n\t\t\t

\n\t\t\t
\n\t\t\t\t

\n\tInformation Security Organisation<\/strong><\/h2>\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\n\n\n\n\t\n\t\t\t
\n\t\t\t
\n\t\t\t\t
\n\n\t\t\t\n\t\t\t\t\t\t\n\t\t<\/picture>\n\t\n\t<\/div>\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\n\n\n\n\t\n\t\t\t
\n\t\t\t
\n\t\t\t\t

\n\tSecurity initiatives <\/strong><\/strong><\/h2>\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\n\n\n\n\t\n\t\t\t
\n\t\t\t
\n\t\t\t\t

\n\tParticular attention is paid to the promotion of young talent in the field of cybersecurity. Every year, professional interns are given the opportunity to experience the challenges of a critical infrastructure company in practice. In addition, A1 in Austria has once again sponsored the “Austrian Cyber Security Challenge” (Austria’s largest hacker competition) in 2024. These competitions aim to promote young cyber talents and encourage them to pursue a career in data protection.<\/p>\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\n\n\n\n\t\n\t\t\t

\n\t\t\t
\n\t\t\t\t\n\t\n\t\tProactive fight against surging cybercrime: DDoS attacks (Distributed Denial of Service)\t\t
\n\t\t\t<\/g><\/defs><\/svg>\t\t<\/div>\n\t<\/button>\n\t\n\t\t
\n\t\t\t\n
\n\n\t\n\t\t\t

\n\tIn 2022, A1 Group recorded a decrease in so-called DDoS attacks. These aim to overload servers with malicious network traffic. A1\u2019s automatic DDoS defence intercepts almost all such attacks. In all markets where A1 is present, local companies offer their customers automatic DDoS protection.<\/p>\t<\/div>\n\n\t\t<\/div>\n\t<\/section>\n<\/div>\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\n\n\n\n\t\n\t\t\t

\n\t\t\t
\n\t\t\t\t\n\t\n\t\tRansomware\t\t
\n\t\t\t<\/g><\/defs><\/svg>\t\t<\/div>\n\t<\/button>\n\t\n\t\t
\n\t\t\t\n
\n\n\t\n\t\t\t

\n\tIt is widely known that malware \u2013 also known as viruses \u2013 can infect and damage computers. A1 offers business customers professional ICT services that effectively mitigate the impact of ransomware attacks on their business. Secure configurations and procedures within the ICT infrastructure can reduce the likelihood of such attacks. A consistently applied backup service and contingency plan makes sure that customers can recover from a ransomware attack as quickly as possible.<\/p>\t<\/div>\n\n\t\t<\/div>\n\t<\/section>\n<\/div>\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\n\n\n\n\t\n\t\t\t

\n\t\t\t
\n\t\t\t\t\n\t\n\t\tFluBot\t\t
\n\t\t\t<\/g><\/defs><\/svg>\t\t<\/div>\n\t<\/button>\n\t\n\t\t
\n\t\t\t\n
\n\n\t\n\t\t\t

\n\tThe \u201cFluBot\u201d malware attacks mobile phones to access its victims\u2019 personal data. A1 offers mobile customers a security solution that protects them from accessing known malicious websites. This prevents customers from accidentally downloading the FluBot code from the Internet. Europol was able to dismantle the FluBot network in May 2022.<\/p>\t<\/div>\n\n\t\t<\/div>\n\t<\/section>\n<\/div>\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\n\n\n\n\t\n\t\t\t

\n\t\t\t
\n\t\t\t\t

\n\tStaff awareness and training<\/strong><\/strong><\/strong><\/h2>\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\n\n\n\n\t\n\t\t\t
\n\t\t\t
\n\t\t\t\t

\n\tIn order to sensitise and train all A1 employees on information security, there are company-wide e-learning and in-depth training for the individual departments as well as regular contributions in an internal social interaction tool.<\/p>\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\n\n\n\n\t\n\t\t\t

\n\t\t\t
\n\t\t\t\t

\n\tResponsible Disclosure<\/strong><\/h2>\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\n\n\n\n\t\n\t\t\t
\n\t\t\t
\n\t\t\t\t

\n\tThe security of our systems and products is of highest priority for us. Despite all the effort we put in our services, there is still the chance of vulnerabilities, which we are not aware of. If you find a vulnerability, we would be grateful if you notify us.
\u00a0
Please be compliant with the following conditions:<\/strong>

1. You can exploit the vulnerability for demonstration purpose, but this should not lead to service outages (DoS) as well as the manipulation or loss of data. The purpose of the demonstration should show the attack vector and should not cause any damage.
2. Do not share gathered information with third parties.
3. These areas\/fields are not part of the responsible disclosure process:
– Physical security
– Social engineering
– Distributed Denial of Service (DDoS) attacks
– Spam & Phishing
– Exploiting vulnerabilities on systems which are dedicated to our customers
4. Please make sure to provide enough information so that we can reproduce the issue. A short description including a problem description and the URL\/IP of the affected system should be sufficient.

What we will do:<\/strong>

1. We will not press any legal charges caused by demonstrating the vulnerability. The prerequisite is that you comply with the conditions above.
2. We will not share your data with third parties without your consent. Our correspondence will be treated as confidential.
3. We will keep you updated on the resolution of the vulnerability.

This text is based on content from Floor Terra (responsibledisclosure.nl<\/a>).
\u00a0
Contact details:<\/strong>

E-Mail:\u00a0responsible.disclosure(at)a1.group<\/a>
PGP Key ID:\u00a0C451 95B3 EB90 8ADB CDD2 982C 8F52 2AE8 1AE8 85B2

Note:
This mail address shall only be used to submit vulnerabilities.<\/p>\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\n\n\n\n\t\n\t\t\t

\n\t\t\t
\n\t\t\t\t

\n\tCertificates<\/strong><\/strong><\/strong><\/h2>\t\t\t<\/div>\n\t\t<\/div>\n\t<\/div>\n\n\n\n\n\t\n\t\t\t
\n\t\t\t
\n\t\t\t\t
\n\t\n\t