20150204 state of cyber security in mexico public release

Asociación Latinoamericana de Profesionales en Seguridad Informática A.C.
Cyber Security Webinar, February 5, 2015, www.alapsi.org

CYBER SECURITY WEBINAR
CYBER SECURITY IN MEXICO: THE BIG PICTURE AND STATUS
5 February 2015

Guest Speakers

Upload: gonzalo-espinosa-slidesh

Post on 20-Jul-2015




Agenda

• Cyber Security's Overview: Gonzalo Espinosa

• Privacy and Personal Data Protection: Manuel Mejías

• Information Security Management, Business Continuity and Incident Response: Jorge Garibay


Cyber Security's Overview

Gonzalo Espinosa

[Diagram labels: Academy, Gov, Press, Private Business, NGOs & Society]

ALAPSI AC & Cyber security

• Established in 1995, Mexico City
• 300+ Latin American Info Sec Professionals
  • Belgium, Ecuador, Finland, Mexico, Spain, USA
• Promotes knowledge
• Improves skills
• Nurtures experience


The Federal Government and cyber security

• The National Development Plan 2013 – 2018
  • Deep changes to Mexico in
    • Security
    • Productivity
    • Quality of education and
    • Prosperity

Defending networks and disrupting criminal activity


Protecting from cyber threats

Investing in cyber security


References

http://es.slideshare.net/edgbargaye/mint-countries-mexico-indonesia-nigeria-and-turkey

Privacy and Personal Data Protection

Manuel Mejías


0. The big picture

• 01. Cyber-attacks
• 02. Data breaches
• 03. Perception & Understanding

01. Cyber-attacks

• Research by foreign enterprises doing business in Mexico:
  • Mexico held worst place in cyber-attack resilience (201201)
    http://www.bbc.co.uk/mundo/noticias/2012/01/120131_ciberataques_paises_mejor_peor_preparados_adz.shtml
  • Mexico is target of a cyber-attack every 12 seconds (201404)
    http://eleconomista.com.mx/tecnociencia/2014/04/20/mexico-sufre-12-ataques-ciberneticos-cada-segundo-0


01. Cyber-attacks

• Research by foreign enterprises doing business in Mexico:
  • Mexican businesses neglect cyber-security (201406)
    http://eleconomista.com.mx/tecnociencia/2014/06/03/empresas-piensan-medias-seguridad-digital

Increase
• 2012 → 2013 | 113%
• 2013 → 2014 | 300%

Distribution
• Academic sector: 39%
• Public sector: 31%
• Private sector: 26%
• Other entities: 4%

02. Data breaches

• Research by journalists in Mexican media:
  • Electoral database (INE, formerly IFE) (1999-2002)
    http://www.cronica.com.mx/notas/2003/65060.html
  • Other governmental databases: electoral, vehicle, "driver's license", police (201004)
    http://www.eluniversal.com.mx/nacion/177126.html


02. Data breaches

• Research by journalists in Mexican media:
  • Data breach at Liverpool, a major department store, third in nation in issued credit cards
  • Analysis of disclosed documents (201501)
    http://www.ultimapalabra.mx/radiografia-del-hackeo-a-liverpool/
  • Monetary loss estimation at $100 million MXN (201501)
    http://www.elfinanciero.com.mx/empresas/hackeo-a-liverpool-podria-costarle-mas-de-100-mdp-estiman.html

Paradigm change: Businesses will be exposed!!

03. Perception & Understanding

• Research by foreign enterprises doing business in Mexico:
  • 1 in every 4 Mexicans distrust info-security industry (201410)
    http://www.elitinfraservices.com/index.php/netnews/531-1-de-cada-4-usuarios-mexicanos-no-creen-en-ciberamenazas
  • The rest does not even understand the problem because of age and education


A. Public Sector

• A1. Creation of normative instruments
• A2. Federal government budget: Intelligence

A1. Creation of normative instruments

• Laws & secondary regulations
  1. Personal data protection, Public sector (LFTAIPG) 2002
  2. Personal data protection, Private sector (LFPDPPP) 2010
  3. Telecommunications (Mass surveillance chapter), Private sector (LFTR) 2014
• Mandatory framework
  1. Governance · Strategy · Service delivery · Support (MAAGTIC) 2010
  2. Governance + Information security · Strategy · Service delivery · Support (MAAGTIC-SI) 2011


A2. Federal government budget: Intelligence

• Federal government budget - Intelligence
  http://sipse.com/mexico/cisen-triplico-intervencion-comunicaciones-gobierno-pena-nieto-130054.html
  http://eleconomista.com.mx/sociedad/2014/12/23/vigilancia-telefonica-cisen-crecio-2000-tres-anos

A2. Federal government budget: Intelligence

• Federal government budget - Intelligence
  http://sipse.com/mexico/cisen-triplico-intervencion-comunicaciones-gobierno-pena-nieto-130054.html
  http://eleconomista.com.mx/sociedad/2014/09/14/cisen-tendra-7616-mdp-2015
  http://www.cisen.gob.mx/pdfs/doc_desclasificados/17_2008_PRESUPUESTO_DICIEMBRE_2006_JULIO_2008.pdf


A2. Federal government budget: Intelligence

• Federal government budget - Intelligence
  http://sipse.com/mexico/presupuesto-cisen-nueva-tecnologia-mexico-grafica-111235.html

B. Private Sector

• B1. R&D (startups)
• B2. Compliance with personal data protection


B1. R&D (startups)

• Hardware: Firewall technologies
• Software: Safe Web navigation for kids
• Core technologies
  1. Fraud detection
     • Suitable for financial institutions
     • One patent
     • Founders sold enterprise to another, larger firm
     • One of its founders moved to Silicon Valley to open a venture capital firm
  2. Software hygiene
     • Methodology based on a paradigm that substantially differs from the traditional detection paradigm
     • 8 patents
     • Able to stop data breaches in 3 of the 7 stages of the Lockheed Martin cyber-attack kill chain model
     • Proven effectiveness by Swedish and Spanish security experts

B2. Compliance with PDP

Secretaría de Economía (the Mexican ministry of economy) Survey (2013):
• 5.1 million registered businesses | 0.2% are large enterprises

[Chart: Yes / No; values shown: 27%, 73%]

[Chart: Electronic / Paper / Other; values shown: 53%, 45%]


C. Academic Sector

• C1. Info-security curriculum

C1. Info-security curriculum

• Incorporation of information security courses in IT-related curricula:
  1. MASTERS and DIPLOMA level
     • Tec de Monterrey
     • Universidad Iberoamericana
  2. BACHELOR level
     • UNAM


D. Social Sector

• D1. Exercise of granted rights

D1. Exercise of granted rights

• Already exercising rights
  • Personal data protection, Public sector (LFTAIPG) 2002
• Incipient
  • Personal data protection, Private sector (LFPDPPP) 2010
• Not yet
  • Telecommunications (Mass surveillance chapter), Private sector (LFTR) 2014


Information Security Management, Business Continuity and Incident Response

Jorge Garibay

Information Security Management

• Current Situation

• Requirements

• Future


Business Continuity

• Current Situation

• Requirements

• Future

Incident Response

• Current Situation

• Requirements

• Future

