Category: IT

Certified EcoStep 5.1 management system at b.r.m.

Certified EcoStep management system: b.r.m. has once again been certified in accordance with the EcoStep 5.1 management system for small and medium-sized enterprises. Starting in 2008, this is now the 15th and 16th year in a row that b.r.m. has been certified for its operating procedures and processes. For all management systems, the focus is on ensuring that tasks and activities are in line with the objectives and that operational processes run smoothly.

EcoStep is a practice-oriented alternative to the conventional ISO standards. Combined in one system, it uses the most important standard requirements of the following standards from an SME perspective:

  • DIN EN ISO 9001:2015 Quality management
  • DIN EN ISO 14001:2015 Environmental management
  • DIN ISO 45001:2018 Occupational health and safety

With the help of the three aspects (quality, environmental protection and occupational health and safety), various process descriptions are possible, ranging from value creation processes to management processes. Development processes and other supporting processes are also recorded.

The EcoStep management system uncovers potential for reducing costs, implements controlling and key performance indicator systems to support management and increases legal certainty. Continuous improvement is one of the top priorities here. Not only the certification audit for the award of certification is important here, but also the continuous chain of internal adaptations and adjustment of existing processes to the new, changing circumstances of day-to-day business.

Our thanks go to the certification body GUTcert for the great cooperation. Mr. Markus Rossol from b.r.m. carried out the audit with Mr. Hauke Kreutzfeld from GUTcert.

The resulting potential for improvement is constantly being exploited, and we are already looking forward to the next 2 years, after which it will once again be time for: certified management system according to EcoStep.

You can view our complete certificate here.

IT review 2021: IT security, zero-day and Hafnium

In our series "IT Review 2021", we look at the most interesting and dangerous IT security vulnerabilities of the past year, today: Zero-Day and Hafnium. 2021 was not a good year for IT security and shows once again that IT security must be seen as a continuous process. Defenses against attackers must be constantly refreshed, otherwise they will rot like an old unmanned castle wall.

The nightmare par excellence: zero-day and IT security

Software manufacturers usually act very quickly against known security vulnerabilities or have already identified the problem. A corresponding patch closes the security gap and the program can continue to be used for the time being. For this very reason, it is important to have and keep modern IT systems up to date. Continuous improvement is the key to stable and secure operation of IT systems.

However, a massive problem arises from a so-called "zero day". This term refers to the fact that the vulnerability exploited here has been known for zero days, at least to the manufacturer and the public. Therefore, there is no patch or workaround to close this gap. It was simply not known. The most sensational case of a zero-day exploit worldwide is certainly Stuxnet. Here, several zero-day vulnerabilities were used to disrupt production systems and execute unexpected commands.

Zero-day and Hafnium: what happened?

At the beginning of March, a total of 4 relevant security flaws, i.e. "zero-days", were discovered on Microsoft Exchange servers. These were presumably used by the hacker group Hafnium to systematically scan and infiltrate thousands of Exchange servers. According to research, the aim was to install a "backdoor" in the systems, so it cannot be conclusively determined to what extent this vulnerability will have an impact in the future.

According to some estimates, Microsoft reacted more slowly than desired, but the exploited security gaps have been closed. Several security patches have ensured that the zero-day exploit is no longer usable.

Proper IT security means continuity

Proper, i.e. reliable IT security is a wish and promise of all those entrusted with IT systems. In addition to the standard technology, such as a firewall, there are also a number of conceptual points to consider. The magic triangle of cost, time and quality naturally also applies to this area of professional activity. With regard to the time factor in particular, it is immediately apparent that there can be no absolute state of security in a dynamic system. In the case of a zero-day exploit, the time component is distorted to such an extent that a correct (qualitative) response immediately generates high resource consumption. A good IT security policy therefore relies on continuous improvement and adaptation to a dynamic threat environment. Systems must not be operated unattended. Only taking action when something no longer works inevitably leads to disaster. Effective and efficient action is characterized by continuity. Please also read the statement by Dirk Arendt from Trend Micro.

Drones and the U-Space service provider b.r.m. | Early spring hums in the air

March 20th marks the beginning of spring in the meteorological sense. Birds, bees and other insects will soon begin to roam our skies, but not only them. Drones or UAVs (unmanned aerial vehicles) have already become part of the airspace, not only as a hobby for RC enthusiasts, but also for the U-Space Service Provider b.r.m.

The EASA has been working for some time on the cornerstones for coordinating civil drone aviation throughout the EU. To this end, the establishment of a new airspace, the so-called U-Space, is being prepared. Alongside other airspaces (such as airspace Golf), U-Space is intended to enable manned and unmanned aviation to coexist.

U-Space - space for drones

A separate airspace just for drones is a difficult undertaking. After all, all aircraft have to land and take off, and any risk of collision must of course be avoided at an early stage, especially over conurbations. For this reason, the current concept of U-Space is designed to cause as little inconvenience as possible to manned aircraft. Drones are to register with a U-Space Service Provider (USSP) in the established U-Space and thereby receive traffic information and other services that are necessary for safe operation. EASA is currently in the discovery phase in order to include flight participants without transponders. Under the term iConspicuity, existing technologies such as ADS or mobile are to be used to make every flight participant conspicuous. This information can then be used to avoid a dangerous approach in advance.

What is a U-Space Service Provider?

The USSP (U-Space Service Provider) will be used at the interface between unmanned and manned aviation. It will provide various services to enable drone operators to navigate safely through U-Space. The core tasks will be the processing of "flight authorization" and "strategic de-confliction". Strategic de-confliction ensures that the submitted flight plan is checked for conflicts in the airspace.

There will of course be a service for registering the drones so that both the USSP and the authorities can access the status of the UAV. In addition to the relevant traffic information, consideration is also being given to which other services are useful for drone operators.

Outlook 2022 - What we can expect

Before the end of the first half of this year, the EASA intends to issue regulations on how the "iConspicuity" visualization of manned aircraft can be implemented in a meaningful way without introducing additional equipment or even a transponder requirement. We would then be a good deal closer to the permanent establishment of U-Space and civil drone traffic would already be within reach.

In the meantime, the UAS/UAV test center is being further expanded at the Oldenburg-Hatten airfield. Take a look at our current VTOL EGM project and visit the website of our project partner Optoprecision.

IT review 2021: ProxyShell

In our IT review for 2021, the security risks associated with Exchange servers, also known as "ProxyShell", are a must. In this blog post, we describe what the ProxyShell vulnerability is all about and how companies can protect themselves against sudden security risks.

In the fall of 2021, the so-called ProxyShell vulnerability became known as a result of an enormous wave of attacks on unpatched Exchange servers (on-premise) versions 2013 to 2019. The Federal Administration's Computer Emergency Response Team (CERT-Bund for short) published an official security warning one day later. Fortunately, the vulnerability was quickly closed with a new patch released at short notice. However, it is questionable why this patch was only published after the vulnerability became known. Back in 2011, security researchers warned of a vulnerability on Exchange servers that could allegedly be hacked remotely by exploiting several security gaps. Furthermore, one should not rely on quick fixes for digital security risks - in the case of ProxyShell, almost 2000 servers were identified as vulnerable within 48 hours. Particularly risky: if your own server has been infected, even a subsequent patch would not help. In any case, the Exchange server should be checked for any attack patterns.

Exchange Server is Microsoft's e-mail and groupware server service. With an Exchange server, companies can organize their e-mail traffic and other tasks via a central interface. In contrast to the well-known email providers for private individuals, an Exchange server can be installed and used completely independently of foreign or third-party servers. Such an "in-house" solution is also interesting for companies due to the high data protection requirements that apply in Germany.

We at b.r.m. Technologie- und Managementberatung are the reliable, competent and regional IT service provider for companies in Bremen and the surrounding area. With us, you can be sure that the highest security standards are met, that your systems are always up to date and secure, and that you benefit from the advantages of energy-saving green IT. Please contact us for further information.

The most important facts about Windows 11

Windows is still the most widely used operating system in the world. Microsoft is now planning a major update in 2022 and will launch Windows 11 with many new features. Find out more about the pros and cons and the most important new features and functions of Windows 11 in this blog post.

New features in Windows 11

According to media reports, the taskbar and the widget panel have been revised. It should now be possible to make individual adjustments and install additional third-party widgets. 

The Cortana voice assistant will also only appear from Windows 11 onwards if the user expressly requests it. Until now, users have not been able to deactivate Microsoft's voice assistant. 

In addition, the Microsoft Outlook program is getting a major update - certainly one of the most popular e-mail programs. For those who prefer to use other programs, the Android apps that can be used on a Windows PC from Windows 11 onwards will be exciting. With this trick, Windows expands the number of potential applications for its users in no time at all. 

The new snap layouts, with which the screen can be divided into several areas to view several applications at a glance, ensure greater efficiency. 

Video conferences are now an essential part of our everyday lives - Windows 11 has also thought of this and offers a new button in the taskbar to quickly activate the mute function. This means you no longer have to search for the right video conference window.

Is Windows 11 worth it?

The question of whether and to what extent Windows 11 is worthwhile can only be answered after its release. Too many changes and features are only rumors so far and ultimately only real tests by independent users will show whether Windows 11 only brings advantages. In addition, users have very individual preferences when it comes to setting up and using their PCs - opinions on Windows 11 and its new functions could differ greatly. We look forward to the release of the next major update for Windows in summer 2022 and will then test and examine it in detail.

Are you looking for a competent and experienced partner for your IT? Contact us to find out more about how we can help you with your IT issues.

Video conferencing systems / b.r.m. offers data protection-compliant video conferencing solution

There are many providers of video conferencing and online meetings - b.r.m. has been offering a video conferencing solution that meets the highest data protection standards for several months now. In this blog post, you can find out why video conferencing tools are important and how the various providers differ.

The coronavirus pandemic has fundamentally changed our everyday lives in a short space of time. Professional and business life in particular had to react quickly to new regulations and requirements. Meetings and conferences could no longer be held on site and people had to work together from home. However, such crises must not paralyze everyday working life. That is why it is important to implement a secure and stable collaboration solution in the company. In addition to traditional coordination meetings, documents also need to be exchanged or processed in parallel. 

It is undisputed that a classic telephone call does not have the same effect in the long term. You have to be able to see the other person. So we need the opportunity to exchange ideas without direct contact and location restrictions - but with data protection and additional functions that make our work easier: the conference solution.

The major providers of such digital conferencing solutions are Zoom, Microsoft Teams, Skype, Skype for Business and Google Meet (formerly Google Hangout). Only Zoom and Skype for Business can be hosted on your own server - in other words, only here can a particularly high level of data protection be guaranteed. In addition to the option of hosting it yourself, Zoom also offers an extremely intuitive user interface. The costs and installation effort for Zoom are kept within limits.

Of course, the other providers (Microsoft Teams, Google Meet) also have some (supposed) advantages, but data protection cannot be guaranteed here. Although the data is encrypted in transit (via the internet), it is decrypted on the server of the respective provider. The service provider therefore has complete control over this personal data - trust is an absolute prerequisite here. 

The big difference to the b.r.m. conference solution is the data storage. With us, the data is not decrypted on the server of the respective (American) provider, but is sent from the Internet with 256-bit AES encryption to the b.r.m. data center and is only decrypted there. This corresponds to "real" data protection without any problems of mistrust. In addition, Zoom is the first provider to work on "extended" end-to-end encryption so that data is not passed on to Facebook, for example.

In summary, the b.r.m. Zoom video conferencing solution offers the ideal basic requirements for your company. The best user interface on the market is paired with the highest data protection promises (hosting on our own server in Bremen). An extensive range of functions, e.g. the option to exchange documents, makes day-to-day work easier. A manageable set-up and support effort as well as fair prices round off the offer. 

Please contact us for further information. 

IT review 2021: Log4j/Log4Shell

As part of our review, we would like to look back at various major developments in IT in 2021. This blog post is about the Log4j/Log4Shell security vulnerability. 

Log4j/Log4Shell stands for a security vulnerability in the Java library Log4j that was discovered at the end of 2021. This vulnerability has received particular attention due to various warnings from public authorities. For example, the German Federal Office for Information Security (BSI) classified Log4j as an "extremely critical threat situation". This classification corresponds to the highest of the four possible levels for cyber security warnings. In addition, this Java library is used in a particularly large number of applications and the vulnerability can be exploited relatively easily.

As with all IT vulnerabilities, fixing the problem involves quickly and thoroughly identifying the error and installing the appropriate updates (which are intended to close the gap). This process has taken a long time due to the increasing complexity of digital applications.

After a few days, the problem was solved in most cases, but the concern and risk remains that in the meantime hackers have installed another backdoor through which the system could later be attacked. In such a case, the attack could no longer be linked to the Log4j/Log4Shell issue.

IT industry of the future / b.r.m. provides training

Today's world is digital and the future will be even more digital and technological. IT experts are therefore important and in demand. IT and digital technologies are the industry of the future. b.r.m. business resource management from Bremen offers training in IT.

When looking for a suitable apprenticeship, in addition to the question of a correspondingly high salary, there is no getting around the question of how future-proof that professional field is. For technology enthusiasts and IT, both questions can be answered very quickly and easily. Jobs in IT are more in demand than ever and are therefore extremely well paid - even before the pandemic. In the future, however, technical professions will become even more important. IT experts are the engineers and machines of the modern age - (almost) nothing works without them.

The statement that professions in IT will be in demand and needed in the long term is not just an assertion, but is repeatedly confirmed by experts and the media. Headhunters are on the lookout for good employees every day - and more and more of these are IT professions. However, these IT jobs are no less demanding - cloud applications and smart data analysis are now playing a prominent role. Cyber security is also becoming more important, as more and more digital offerings also increase the "digital risk". 

Both in technical professions and in other sectors, the fact that there are fewer and fewer skilled workers makes things even more difficult. IT experts do not always need to have studied for certain jobs. This makes it all the more important to offer appropriate training positions. b.r.m. business resource management from Bremen has been an expert in IT systems for decades, from efficient data centers to GDPR-compliant digital applications. Shortly after it was founded, b.r.m. began focusing on sustainability in IT. In the field of green IT (i.e. resource-saving data centers), b.r.m. is an absolute pioneer and has already received several national awards for this. 

We have summarized the four most promising IT professions below:

  • The IT auditor

The task behind this rather unknown job title is to monitor IT systems. An IT auditor checks the relevant infrastructures and systems in order to quickly identify weaknesses or implement optimizations.

  • The cyber security expert

Cyber security experts are responsible for the security of the constantly growing number of digital IT systems. In an emergency, they are the people who initiate countermeasures in the event of a (digital) attack.

  • The software developer

Due to the ever-increasing number of possible applications for digital systems, the corresponding software must also be developed and programmed time and time again. Software developers enable us to make the benefits of digitalization tangible and usable.

  • The network administrator

The need for IT experts is also demonstrated by the fact that there are (and must be) several equally important positions for the management of IT systems. The network administrator is an absolute expert in the administration of the various IT systems. They are responsible for ensuring that everyone involved can use the relevant applications without any problems.

Are you interested in training in IT? Then take a look at our job vacancies and become part of the IT experts from Bremen. We look forward to receiving your application.

Malware: Trojan displaces virus

In Latin, 'malus' means bad, evil or vile. And this is also how malware programs behave. They nest in computers or servers in order to execute unwanted functions. Although we also count 'computer viruses' as malware, simply infecting or destroying a computer is on the decline. Today, malware typically appears in the form of Trojans, which secretly board the bridge, usually unnoticed by the user.

Trojans are a problem for the external IT service because the fault usually lies with the person operating the customer's mouse or keyboard. It is this person who opens the gates for the intruder. In most cases, Trojans get onto the computer through the careless downloading of email attachments or programs from obscure sources, or through insufficiently complex passwords.

Our IT service therefore focuses primarily on user training. After all, being alert and informed is the best protection against intruders. Our service also includes analyzing obscure attachments. Our customers can forward suspicious cases to us before they carelessly press the mouse button.

IT service: What are services?

Any support that is not based on an exchange of goods or merchandise is referred to as a service. Users do not buy 'things' from service providers that they can unpack and touch, they primarily buy expertise and experience. Services are always 'immaterial' at their core, even if concepts or carrier media are handed over at the end.

Our IT service includes, for example, tasks such as 'consulting', 'planning' or 'implementation' among its services. The remuneration for these services is paid via a work or service contract. It obliges the contractor to provide precisely defined services, either on a one-off or permanent basis.

With our services, we primarily provide our customers with security and data protection for the problem-free and reliable setup and operation of their electronic data processing. This is the core of our IT services.