ICT Vulnerabilities

Prof. Dr. B. M. Hämmerli, [email protected] EAPC / PFP Workshop ICT Vulnerabilities

Post on 25-Feb-2016


TRANSCRIPT

Page 1: ICT Vulnerabilities

Prof. Dr. B. M. Hämmerli, [email protected]

EAPC / PFP Workshop

ICT Vulnerabilities

Page 2: ICT Vulnerabilities

EAPC / PFP Workshop

Zurich, September 23, 2005 Prof. Dr. Bernhard M. Hämmerli Page 2

Vulnerabilities

Whatever its cause, critical service disruption shall
- only occur infrequently
- impact only a small area
- have a short duration
- have only limited impact
- be a continuously managed & controlled process

Page 3: ICT Vulnerabilities

Vulnerabilities

Something is vulnerable if it can be exploited by a threat.

A vulnerability is a “place”
- that is especially prone to threats
- where damage can easily occur / has serious consequences
- easily “accessed” / difficult to protect from
- where damage can spread

- understand threats, and that threats can hook in vulnerabilities only
- understand vulnerabilities, and not well mitigated threats
- understand human intent, and its deliberated risk

Page 4: ICT Vulnerabilities

Vulnerabilities and Risks

Risk = Probability × Damage [$], for each vulnerability

Page 5: ICT Vulnerabilities

ICT is a Local and a Global Issue

Page 6: ICT Vulnerabilities

Example 1: 150 Fiber connections are cut!

Angle Grinder, August 2005, Switzerland

Concrete slab

Fiber cable

approx. 250 connections

Page 7: ICT Vulnerabilities

Dependency and Vulnerability

Bancomat

POS

Automated fuel pump

Account-holding banks

5400 cash dispensers at financial institutions

89'000 POS terminals at department stores, supermarkets, petrol stations, etc.

Page 8: ICT Vulnerabilities

Day before Christmas 2000: 300 Billion SFr. per diem

Page 9: ICT Vulnerabilities

Impact of ICT Vulnerabilities on Banks

Key figures 2005:
- 321 participants
- 800'000 Tx / day
- 300 billion CHF / peak day

[Diagram labels: remoteGate; SIS; SWX (Swiss stock exchange); Postfinance; SNB (Swiss National Bank); service bureau; CLS (Continuous Linked Settlement); interbank products; banks; Sega Intersettle]

Page 10: ICT Vulnerabilities

European CIIP R&D by Sector

[Bar chart, axis scale 0 to 9; sectors as listed in the chart:]

4. Transportation
2. ICT services
8. Emergency/security services
1. Energy sector
9. Governmental services
5. Health care
10. High risk industries
3. Financial Services
6. Water management
7. Food management

Page 11: ICT Vulnerabilities

Expenses for Countermeasures

Expenses for IT Security III: Dollar Amount of Losses by Type

Page 12: ICT Vulnerabilities

Reported Incidents

Vulnerability Types vs. Year

- Intranet incidents are also a topic of InfoSec
- Viruses and malware are in second place
- Mobile incidents grow rapidly
- Generally, all incidents are decreasing. The cause is unclear; it might be good prevention.

Page 13: ICT Vulnerabilities

Some Facts about dealing with ICT Vulnerability

- Computer Zeitung (D): In 2010, 90% of US corporations will have IT security outsourced.
- The incidents decrease; the complexity and the damage increase.
- The complexity of IT security is far beyond the capabilities of SMEs. The tendency for the future is that this gap will widen.
- From a US DoD study: The complexity of attacks will increase significantly.
- Modern malware distributes itself over the whole world within a few minutes. Which enterprise can build a service with an adequate reaction time every day, day and night? (Alternative scenario: Business Continuity Planning, BCP)
- Current trend: More and more intranet users are involved in attacks. Intranet monitoring must absolutely be an additional topic alongside the existing perimeter security.
- Even with outstanding IT security, corporations do not have information security. Trend: holistic security. Common security management for all threats.
- The facts can be downloaded from: http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2004.pdf

Page 14: ICT Vulnerabilities

Preparing for Incidents

Page 15: ICT Vulnerabilities

Questions