Reality of Cybersecurity slideshare.net/japijapi Aalto University Cybersecurity 11.4.2017 Jari Pirhonen Security Director Samlink

Upload: japijapi

Post on 23-Jan-2018


TRANSCRIPT

Page 1: Reality of cybersecurity 11.4.2017

Reality of Cybersecurity

slideshare.net/japijapi

Aalto University, Cybersecurity, 11.4.2017

Jari Pirhonen, Security Director, Samlink

Page 2: Reality of cybersecurity 11.4.2017

# whoami

Jari Pirhonen, Security Director

CISSP, CISA, CSSLP, etc.

ISF Executive Board Member – www.securityforum.org

Chair and lecturer on AaltoPRO Security Management and Digital Security courses

CISO of the year 2017 (Finnish Information Security Association)

Among the TOP-100 ICT influencers in Finland in 2014-2016 (TIVI magazine)

20+ years of cybersecurity experience

11.4.2017 JaPi 2

Samlink – www.samlink.fi

Finnish service provider for the financial sector

Full range of banking services

Owned by several Finnish banks

Net sales 99,4 M€

Operating profit 6,6 M€

Personnel 460

Page 3: Reality of cybersecurity 11.4.2017

Agenda

Security objectives

State of the play

Security governance

Whenever someone tells you that there's a novel, easy, solution to security, it's either because they don't understand security or they're trying to sell you something that isn't going to work. -- Marcus Ranum

Page 4: Reality of cybersecurity 11.4.2017

Why do cars have brakes?

Page 5: Reality of cybersecurity 11.4.2017

Digitalisation

Change in people's behavior, business models and market dynamics, as enabled by technology.

Requirements: speed, experimentation, data, understanding users, ICT, the right skills and security.

Cybersecurity professionals must adapt to agility, insecurity, risk tolerance, openness, a user-oriented approach and continuous change.

Page 6: Reality of cybersecurity 11.4.2017

Terminology – my view

ICT security refers to technical countermeasures to protect data, IT systems and networks. Focus on technical solutions, technical skills and security products.

Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. Focus on protecting the organization's people, information, processes, services and brand.

Cybersecurity concentrates on critical infrastructure, interconnectivity and citizens. Focus on assuring the security of the whole networked society.

Digital security emphasizes the security implications of digitalization, automation, connectivity and IoT. Focus on security's adaptation to change and new technology.

Page 7: Reality of cybersecurity 11.4.2017

Some security quality attributes

Sense of security

Resilience

Trustworthiness

Provability

Understandability

Safety

Privacy

Auditability

Deniability

Confidentiality

Integrity

Availability

Page 8: Reality of cybersecurity 11.4.2017

Security drivers

WANT: Enable business, trust, quality, 24/7

MUST: Regulation, compliance

FEAR: Risks, emergencies

Page 9: Reality of cybersecurity 11.4.2017

Security depends on the operational environment

Page 10: Reality of cybersecurity 11.4.2017


A bank

Physical protection

Security cameras

Trusted employees

Access control

Activity monitoring

Security zones

Incident management

Alarm systems

Page 11: Reality of cybersecurity 11.4.2017

An online bank

Physical protection

Security cameras

Trusted employees

Access control

Activity monitoring

Security zones

Incident management

Alarm systems

Encryption

DDoS protection

Firewalls, IDS/IPS

Log management, audit trail

Hardened systems, patching

Secure applications

Strong authentication

Secure datacenter facilities

Backups

Secure architecture

Highly-available systems

System and change management

Page 12: Reality of cybersecurity 11.4.2017

Agenda

Security objectives

State of the play

Security governance

The problem is: what you see as problems aren't problems and what you see as not problems are problems and you don't see this as a problem.

-- @TheTweetOfGod

Page 13: Reality of cybersecurity 11.4.2017

Cyberinsecurity will increase for a while…

Page 14: Reality of cybersecurity 11.4.2017

Code is Law


Source: ISF Threat Horizon 2018

Page 15: Reality of cybersecurity 11.4.2017

What is the user's responsibility?

Page 16: Reality of cybersecurity 11.4.2017

Source: Alex Jordan, ISF

Fine as 4% of annual turnover    Fine as % of annual profit
$3,000,000,000                   87%
$3,000,000,000                   200%
$75,000,000                      100%
$190,000,000                     40%

Page 17: Reality of cybersecurity 11.4.2017

Without security, the costs of digitalisation will mitigate the benefits

Source: Beyond Data Breaches: Global Aggregations of Cyber Risk

Page 18: Reality of cybersecurity 11.4.2017

Reality in financial sector

• Single European Payments Area
  - Money transfers are dependent on common European systems
  - A bank's IT systems are centralized in one country, system management in another country and customer services in several countries

• New services, more competition, more regulation
  - Regulation: PSD2, PAD, AML, eIDAS, GDPR, …
  - New payment methods (NFC, mobile)
  - Fintech startups

• Critical infrastructure dependencies
  - Electricity
  - Networks

• Complex legacy systems

• Human resources

Page 19: Reality of cybersecurity 11.4.2017

[Architecture diagram: Customers, Online bank, Partners, Branches, Service bus, Core banking system, Support systems, Integrations]

Page 20: Reality of cybersecurity 11.4.2017

Major threats based on impact

• Internet meltdown, failures in international connections

• Long, large-scale outages

• Strikes, epidemic disease or pandemic (e.g. bird flu)

Money doesn't move without electricity and networks

Complicated legacy IT systems require regular "help of human hand"

Critical infrastructure providers need to be synchronized and transparent

A situational picture covering the whole industry and other CI providers is hard to get

Page 21: Reality of cybersecurity 11.4.2017


Page 22: Reality of cybersecurity 11.4.2017

E-banking losses in Finland 2014-2016, phishing & malware

Number of cases and combined losses                            2014                   2015                   2016
Funds placed on hold and returned to customer                  352 cases (218 648 €)  93 cases (565 889 €)   99 cases (989 076 €)
Funds have been lifted from the account(s)                     101 cases (71 045 €)   54 cases (312 111 €)   42 cases (126 625 €)
Funds have been lifted from the account(s) and reimbursed by the Bank   25 cases (34 000 €)   43 cases (84 411 €)   10 cases (42 800 €)

Source: Finnish Financial Supervisory Authority

Page 23: Reality of cybersecurity 11.4.2017

Agenda

Security objectives

State of the play

Security governance

It is not enough to do your best; you must know what to do, and then do your best.

-- W. Edwards Deming

Page 24: Reality of cybersecurity 11.4.2017

Cybersecurity starts at the top management

[Diagram: top management concerns by role]

Concerns: Market share, Reputation, Legality, Audits, Fines, Financial loss, Data confidentiality, integrity, availability, Employee privacy, Customer trust, Brand

Roles: CEO, CFO, CIO, CHRO, CMO

Cybersecurity must be on the top management's agenda

Source: IBM

Page 25: Reality of cybersecurity 11.4.2017

What about CISO?

Source: ISF

Page 26: Reality of cybersecurity 11.4.2017

Define the focus of the security function

Page 27: Reality of cybersecurity 11.4.2017

There is no cyber security expert!

Source: http://www.cyberdegrees.org/

Source: IT Security Essential Body of Knowledge, US Department of Homeland Security, National Cyber Security Division

Page 28: Reality of cybersecurity 11.4.2017

Ten fundamental security steps

1. Management support and exemplary behavior

2. Assign a person who is responsible for security management and development

3. Identify the critical assets and processes

4. Define security objectives and responsibilities

5. Basic security solutions and processes: tested backups, patch management, malware protection, network segmentation, firewall management, change management

Page 29: Reality of cybersecurity 11.4.2017

Ten fundamental security steps (continued)

6. Awareness training and support of personnel

7. Non-disclosure agreements (NDA): key personnel, partners, service providers

8. Require partners and service providers to have and prove good security management

9. Have an incident management plan

10. Consider the whole environment: people + processes + technology + organization + supply chain

Page 30: Reality of cybersecurity 11.4.2017

Takeaways

Data and trust are the currencies of the digital world.

Good (enough) security enables digitalisation.

Security professionals must embrace change, agility, uncertainty and new technology.

Develop and demand secure applications.

Security is too important to be left just to security experts.