GSTOOL

from Wikipedia, the free encyclopedia
Basic data

  • Developer: Federal Office for Information Security (BSI)
  • Year of first release: 1998
  • Current version: 4.8 (June 2013)
  • Operating system: Windows
  • Category: IT security
  • License: proprietary
  • Available in German: yes

The GSTOOL of the Federal Office for Information Security (BSI) is a database application for creating security concepts based on the IT-Grundschutz methodology. The GSTOOL appeared in 1998, four years after the publication of the IT Baseline Protection Manual. It is available free of charge to public institutions (direct federal, state and local government).

History

Version 2.0 was created by CSC Ploenzke. Versions 1.0 and 2.0 were Java applications. The InterBase relational database system from Borland was used as the database system.

Versions 3.0 to 4.7 of the GSTOOL were developed by Sopra Steria Consulting on behalf of the BSI. These versions were written in Visual Basic Classic 6.0 and Visual C++. From version 3.0 onward, the GSTOOL was delivered with Microsoft SQL Server.

The development of version 4.1 (published May 2007) was supported by Bayer Business Services and the Center for Information Processing and Information Technology (ZIVIT). Version 4.5, published in February 2008, contained the BSI standard 100-3 (risk analysis based on IT-Grundschutz) as an essential extension. The development of version 4.6 was supported by the Niederrhein University of Applied Sciences. Version 4.7 was again supported by ZIVIT.

In December 2008 the company Persicon labs GmbH was commissioned to develop the GSTOOL 5.0. Above all, the new version was meant to be usable as a platform-independent web client. The originally planned year of publication was 2010. At the IT-Grundschutz Day in October 2011, the BSI named April 1, 2012 as the publication date of the final version. The BSI then announced at the 4th IT-Grundschutz Day 2012 at it-sa in Nuremberg that the GSTOOL 5.0 had been returned to the manufacturer for rework due to serious defects, and by the time of the 1st IT-Grundschutz Day 2013 the BSI's quality requirements still could not be met. As a result, the release of version 5.0 was postponed indefinitely.

Further development of the GSTOOL was discontinued due to a lack of economic efficiency. Version 4.x was sold until December 31, 2014; support was provided until the end of 2016.

Features

Functional

  • Support of the following BSI standards:
    • BSI Standard 100-1: Management Systems for Information Security
    • BSI Standard 100-2: IT Baseline Protection Procedure
    • BSI Standard 100-3: Risk analysis based on IT-Grundschutz
  • Acquisition of target objects (IT systems, applications, networks, etc.) for structural analysis
  • Collection of additional information about target objects
  • Modeling and layer model according to IT-Grundschutz
  • ISO/IEC 27001 certificate based on IT-Grundschutz
  • Determination of protection requirements
  • Reporting
  • Evaluation of the cost estimates in reports
  • Revision support
  • Versioning of user-defined metadata (modules, measures and threats)
  • Management of several independent work areas

Technical

  • Management of several security concepts in one tool
  • Network capability
  • Multi-user capability through rights and roles concept
  • Bilingual: German/English (with the option of including other language versions)
  • History management at field level
  • Simple update of the metadata base via the Internet
  • Import function for data from the previous version
  • Export of partial work areas when there is no network connection
  • Reporting via approx. 50 predefined reports
  • Encryption of user-specific data for exports (file encryption)

No encryption

The encryption function based on Chiasmus, which was included up to version 4.7, was removed in version 4.8 because it was broken. The BSI advises against its use. Nonetheless, security researchers were threatened with legal consequences if they published details of the vulnerability, since according to the BSI it could only have been discovered by means of reverse engineering, which constitutes a copyright infringement.

Literature

  • User manual (approx. 400 pages, PDF)
  • Implementing IT-Grundschutz with GSTOOL by Frederick Humpert (2005, 445 pages, ISBN 978-3-446-22984-6)
  • CSC study: GSTOOL Quo Vadis? "Alternatives to the GSTool"
