Reality of Cybersecurity
slideshare.net/japijapi
Aalto University, Cybersecurity
11.4.2017
Jari Pirhonen
Security Director
Samlink
# whoami
Jari Pirhonen
Security Director
CISSP, CISA, CSSLP, etc.
ISF Executive Board Member – www.securityforum.org
Chair and lecturer on AaltoPRO Security Management and Digital Security courses
CISO of the year 2017 (Finnish Information Security Association)
Among the TOP-100 ICT influencers in Finland in 2014-2016 (TIVI magazine)
20+ years of cybersecurity experience
Samlink – www.samlink.fi
Finnish service provider for the financial sector
Full range of banking services
Owned by several Finnish banks
Net sales 99,4 M€
Operating profit 6,6 M€
Personnel 460
Agenda
Security objectives
State of the play
Security governance
Whenever someone tells you that there's a novel, easy, solution to security, it's either because they don't understand security or they're trying to sell you something that isn't going to work.
-- Marcus Ranum
Why do cars have brakes?
Digitalisation
Change in people's behavior, business models and market dynamics, as enabled by technology.
Requirements: speed, experimentation, data, understanding users, ICT, the right skills and security.
Cybersecurity professionals must adapt to agility, insecurity, risk tolerance, openness, a user-oriented approach and continuous change.
Terminology – my view
ICT security refers to technical countermeasures to protect data, IT systems and networks. Focus on technical solutions, technical skills and security products.
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. Focus on protecting the organization's people, information, processes, services and brand.
Cybersecurity concentrates on critical infrastructure, interconnectivity and citizens. Focus on assuring the security of the whole networked society.
Diagram: ICT security, Information security, Cyber security, Digital security
Digital security emphasizes the security implications of digitalization, automation, connectivity and IoT. Focus on security's adaptation to change and new technology.
Some security quality attributes
Sense of security
Resilience
Trustworthiness
Provability
Understandability
Safety
Privacy
Auditability
Deniability
Confidentiality
Integrity
Availability
Security drivers
WANT: enable business, trust, quality, 24/7
MUST: regulation, compliance
FEAR: risks, emergencies
Security is operational environment dependent
A bank
Physical protection
Security cameras
Trusted employees
Access control
Activity monitoring
Security zones
Incident management
Alarm systems

An online bank
All of the above, plus:
Encryption
DDoS protection
Firewalls, IDS/IPS
Log management, audit trail
Hardened systems, patching
Secure applications
Strong authentication
Secure datacenter facilities
Backups
Secure architecture
Highly-available systems
System and change management
Agenda
Security objectives
State of the play
Security governance
The problem is: what you see as problems aren't problems and what you see as not problems are problems and you don't see this as a problem.
-- @TheTweetOfGod
Cyberinsecurity will increase for a while…
Code is Law
Source: ISF Threat Horizon 2018
What is the user's responsibility?
Fine as 4% of annual turnover    Fine as % of annual profit
$3,000,000,000                   87%
$3,000,000,000                   200%
$75,000,000                      100%
$190,000,000                     40%
Source: Alex Jordan, ISF
Without security the costs of digitalisation will mitigate the benefits
Source: Beyond Data Breaches: Global Aggregations of Cyber Risk
Reality in the financial sector
Single European Payments Area
Money transfers are dependent on common European systems
Banks' IT systems are centralized in one country, system management in another country and customer services in several countries
New services, more competition, more regulation
Regulation: PSD2, PAD, AML, eIDAS, GDPR, …
New payment methods (NFC, mobile)
Fintech startups
Critical infrastructure dependencies: electricity, networks
Complex legacy systems
Human resources
Diagram of the banking system landscape: core banking system, service bus, online bank, support systems, integrations, partners, branches, customers.
Major threats based on impact
• Internet meltdown, failures in international connections
• Long, large-scale breaks
• Strikes, epidemic disease or pandemic (e.g. bird flu)
Money doesn't move without electricity and networks
Complicated legacy IT systems require regular "help of a human hand"
Critical infrastructure providers need to be synchronized and transparent
A situational picture covering the whole industry and other CI providers is hard to get
E-banking losses in Finland 2014-2016, phishing & malware
Number of cases and combined losses
                                                              2014                    2015                    2016
Funds placed on hold and returned to customer                 352 cases (218 648 €)   93 cases (565 889 €)    99 cases (989 076 €)
Funds have been lifted from the account(s)                    101 cases (71 045 €)    54 cases (312 111 €)    42 cases (126 625 €)
Funds have been lifted from the account(s) and reimbursed by the Bank   25 cases (34 000 €)   43 cases (84 411 €)   10 cases (42 800 €)
Source: Finnish Financial Supervisory Authority
Agenda
Security objectives
State of the play
Security governance
It is not enough to do your best; you must know what to do, and then do your best.
-- W. Edwards Deming
Cybersecurity starts at the top management
Diagram (source: IBM) relating cybersecurity concerns to the executive roles CEO, CFO, CIO, CHRO and CMO: market share, reputation, legality, audits, fines, financial loss, data confidentiality, integrity and availability, employee privacy, customer trust, brand.
Cybersecurity must be on the top management's agenda
What about the CISO?
Source: ISF
Define the focus of the security function
There is no cyber security expert!
Source: http://www.cyberdegrees.org/
Source: IT Security Essential Body of Knowledge, US Department of Homeland Security, National Cyber Security Division
Ten fundamental security steps
1. Management support and exemplary behavior
2. Assign a person who is responsible for security management and development
3. Identify the critical assets and processes
4. Define security objectives and responsibilities
5. Basic security solutions and processes: tested backups, patch management, malware protection, network segmentation, firewall management, change management
6. Awareness training and support of personnel
7. Non-disclosure agreements (NDA): key personnel, partners, service providers
8. Require partners and service providers to have and prove good security management
9. Have an incident management plan
10. Consider the whole environment: people + processes + technology + organization + supply chain
Takeaways
Data and trust are the currencies of the digital world.
Good (enough) security enables digitalisation.
Security professionals must embrace change, agility, uncertainty and new technology.
Develop and demand secure applications.
Security is too important to be left just to security experts.