Reality of cybersecurity 11.4.2017
Reality of Cybersecurity
Aalto University Cybersecurity, 11.4.2017
Jari Pirhonen, Security Director, Samlink
slideshare.net/japijapi
# whoami
Jari Pirhonen, Security Director
CISSP, CISA, CSSLP, etc.
ISF Executive Board Member – www.securityforum.org
Chair and lecturer on AaltoPRO Security Management and Digital Security courses
CISO of the year 2017 (Finnish Information Security Association)
Among the TOP-100 ICT influencers in Finland in 2014-2016 (TIVI magazine)
20+ years of cybersecurity experience
11.4.2017 JaPi 2

Samlink – www.samlink.fi
Finnish service provider for the financial sector
Full range of banking services
Owned by several Finnish banks
Net sales 99,4 M€
Operating profit 6,6 M€
Personnel 460
Agenda
Security objectives
State of the play
Security governance

"Whenever someone tells you that there's a novel, easy solution to security, it's either because they don't understand security or they're trying to sell you something that isn't going to work." -- Marcus Ranum
Why do cars have brakes?
Digitalisation
Change in people's behaviour, business models and market dynamics, as enabled by technology.
Requirements: speed, experimentation, data, understanding users, ICT, the right skills and security.
Cybersecurity professionals must adapt to agility, insecurity, risk tolerance, openness, a user-oriented approach and continuous change.
Terminology – my view
ICT security refers to technical countermeasures to protect data, IT systems and networks. Focus on technical solutions, technical skills and security products.
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. Focus on protecting the organization's people, information, processes, services and brand.
Cybersecurity concentrates on critical infrastructure, interconnectivity and citizens. Focus on assuring the security of the whole networked society.
Digital security emphasizes the security implications of digitalization, automation, connectivity and IoT. Focus on security's adaptation to change and new technology.
(Diagram labels: ICT security, Information security, Cyber security, Digital security)
Some security quality attributes
Sense of security
Resilience
Trustworthiness
Provability
Understandability
Safety
Privacy
Auditability
Deniability
Confidentiality
Integrity
Availability
Security drivers
WANT: enable business, trust, quality, 24/7
MUST: regulation, compliance
FEAR: risks, emergencies
Security is operational environment dependent
A bank
Physical protection
Security cameras
Trusted employees
Access control
Activity monitoring
Security zones
Incident management
Alarm systems
An online bank
Physical protection
Security cameras
Trusted employees
Access control
Activity monitoring
Security zones
Incident management
Alarm systems
Encryption
DDoS protection
Firewalls, IDS/IPS
Log management, audit trail
Hardened systems, patching
Secure applications
Strong authentication
Secure datacenter facilities
Backups
Secure architecture
Highly-available systems
System and change management
Agenda
Security objectives
State of the play
Security governance

"The problem is: what you see as problems aren't problems and what you see as not problems are problems and you don't see this as a problem." -- @TheTweetOfGod
Cyberinsecurity will increase for a while…
Code is Law
Source: ISF Threat Horizon 2018
What is the user's responsibility?
Source: Alex Jordan, ISF

| Fine as 4% of annual turnover | Fine as % of annual profit |
|---|---|
| $3,000,000,000 | 87% |
| $3,000,000,000 | 200% |
| $75,000,000 | 100% |
| $190,000,000 | 40% |
Without security, the costs of digitalisation will mitigate the benefits
Source: Beyond Data Breaches: Global Aggregations of Cyber Risk
Reality in the financial sector
Single European Payments Area
Money transfers are dependent on common European systems
Banks' IT systems are centralized in one country, system management in another country and customer services in several countries
New services, more competition, more regulation
Regulation: PSD2, PAD, AML, eIDAS, GDPR, …
New payment methods (NFC, mobile)
Fintech startups
Critical infrastructure dependencies: electricity, networks
Complex legacy systems
Human resources
(Architecture diagram labels: Customers, Partners, Branches, Online bank, Service bus, Core banking system, Support systems, Integrations)
Major threats based on impact
• Internet meltdown, failures in international connections
• Long, large-scale outages
• Strikes, epidemic disease or pandemic (e.g. bird flu)
Money doesn't move without electricity and networks
Complicated legacy IT systems require regular "help of a human hand"
Critical infrastructure providers need to be synchronized and transparent
A situational picture covering the whole industry and other CI providers is hard to get
E-banking losses in Finland 2014-2016, phishing & malware

| Number of cases and combined losses | 2014 | 2015 | 2016 |
|---|---|---|---|
| Funds placed on hold and returned to customer | 352 cases (218 648 €) | 93 cases (565 889 €) | 99 cases (989 076 €) |
| Funds have been lifted from the account(s) | 101 cases (71 045 €) | 54 cases (312 111 €) | 42 cases (126 625 €) |
| Funds have been lifted from the account(s) and reimbursed by the Bank | 25 cases (34 000 €) | 43 cases (84 411 €) | 10 cases (42 800 €) |

Source: Finnish Financial Supervisory Authority
Agenda
Security objectives
State of the play
Security governance

"It is not enough to do your best; you must know what to do, and then do your best." -- W. Edwards Deming
Cybersecurity starts at the top management
(Diagram of top-management concerns: market share, reputation, legality, audits, fines, financial loss, data confidentiality, integrity and availability, employee privacy, customer trust, brand; roles: CEO, CFO, CIO, CHRO, CMO)
Cybersecurity must be on the top management's agenda
Source: IBM
What about the CISO?
Source: ISF
Define the focus of the security function
There is no cyber security expert!
Source: http://www.cyberdegrees.org/
Source: IT Security Essential Body of Knowledge, US Department of Homeland Security, National Cyber Security Division
Ten fundamental security steps
1. Management support and exemplary behavior
2. Assign a person who is responsible for security management and development
3. Identify the critical assets and processes
4. Define security objectives and responsibilities
5. Basic security solutions and processes: tested backups, patch management, malware protection, network segmentation, firewall management, change management
6. Awareness training and support of personnel
7. Non-disclosure agreements (NDA): key personnel, partners, service providers
8. Require partners and service providers to have and prove good security management
9. Have an incident management plan
10. Consider the whole environment: people + processes + technology + organization + supply chain
Takeaways
Data and trust are the currencies of the digital world.
Good (enough) security enables digitalisation.
Security professionals must embrace change, agility, uncertainty and new technology.
Develop and demand secure applications.
Security is too important to be left just to security experts.