1 Cybersecurity: Strategies, principles, and risk assessment methods
Gustavo A. Santana Torrellas
Financial Sector Consulting, PwC
2 We are living in dangerous times Cybersecurity: Strategies, principles and risk assessment methods XV Tech day AMIB
3 We are living in dangerous times
Desktops, laptops, tablets, smartphones (everything connected to the Internet) -> Wild Wild Web
Growing numbers of security incidents: numbers double every year
Bugs, flaws, vulnerabilities, exploits
Break-ins, (D)DoS attacks, viruses, bots, Trojan horses, spyware, worms, spam
Social engineering attacks: false URLs, phony sites, phishing, hoaxes
Cyber-crime, cyber-vandalism, cyber-terrorism, cyber-safety threats like in real life (theft, fraud, destruction, etc.)
Who are the enemies? Joy-riders, script kiddies, malicious hackers (organized), cyber-criminals (well organized) and cyber-terrorists (very well but really well organized)
4 Cybersecurity?
Merriam-Webster dictionary
– measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack
– Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies cybersecurity.
5 Cybersecurity vs Information security
7 What is (computer) security?
1. Security is enforcing a policy that describes rules for accessing resources*
– resource is data,
– devices,
– the system itself (i.e. its availability)
2. Security is a system property, not a feature
3. Security is part of reliability
* Building Secure Software, J. Viega, G. McGraw
8 Security needs / Cybersecurity objectives
Elements of common understanding of security:
– confidentiality (risk of disclosure)
– integrity (altered data is worthless)
– authentication (who is the person, server, software etc.)
Also:
– authorization (what is that person allowed to do)
– privacy (controlling one’s personal information)
– anonymity (remaining unidentified to others)
– non-repudiation (user can’t deny having taken an action)
– availability (service is available as desired and designed)
– audit (having traces of actions in separate systems/places)
[Figure: CONFIDENTIALITY (disclosure), INTEGRITY (authenticity), AVAILABILITY (access), USAGE (purpose)]
9 Global Environment in Cybercrime
Cybercrime is a reality and is permanent… the actors, threats and techniques are dynamic
Malware in the POS
Counterfeit credit cards
Online fraud sending trojans in emails
System hijack through the web
Phishing emails
10 Cybercrime
11 We are not Cyber Structured
12 Cybercrime, cyber attacks – Core motivations
13 Impacts of Cyber Crime
Lost Financial Assets
Stolen Intellectual Property
Business Disruption
Stolen Customer Information
Damaged Reputation
How much do you invest in marketing? You will lose all of that investment, and spend much more, with a damaged reputation.
14 Cybersecurity Strategies
15 Cyber Security is not only CISO / CIO work…
16 Cybersecurity principles
Understand what you are trying to protect
Understand the threat(s) you are trying to protect against
– Also, costs and risks
Be prepared to establish trust by telling people how you do it
Assume that the bad guys are at least as clever as you are!
17 Cybersecurity risk assessment method
Good news… we know how to handle it
80-90% can be solved by using best practices and standards
Focus on enterprise education so companies understand total financial cyber risk
Include the whole company in the Cyber Risk Framework
18 Cybersecurity risk assessment methods
19 Cybersecurity risk assessment methods
Crystal Ball: In the Year 2025
PAST, PRESENT
– Cyber security is a young and immature field
– The attackers are more innovative than defenders
– Defenders are mired in FUD (fear, uncertainty and doubt) and fairy tales
– Attack back is illegal or classified
FUTURE
– Cyber security will become a scientific discipline
– Cyber security will be application and technology centric
– Cyber security will never be “solved” but will be “managed”
– Attack back will be an integral part of cyber security
20 Cybersecurity risk assessment methods
The KPIs are categorized per objective:
Key objective 1: Developing cyberdefence policy and capabilities
Key objective 2: Achieving cyber resilience: develop capabilities and efficient cooperation within public and private sector
Key objective 3: Reduce cybercrime
Key objective 4: Develop the industrial and technological resources for cybersecurity
Key objective 5: Secure critical information infrastructure
21 Why is cybersecurity risk assessment difficult to achieve?
Security in computer systems is even harder:
– great complexity
– dependency on the operating system, file system, network, physical access etc.
Software/system security is difficult to measure
– function a() is 30% more secure than function b()?
– there are no security metrics
How to test security?
Deadline pressure
Clients don’t demand security
… and can’t sue a vendor
22 Common Cybersecurity Vulnerabilities & Consequences
There are numerous vulnerabilities in the cyber domain. These vulnerabilities span from the extremely basic to the extremely technical. The table shows common cyber vulnerabilities and their associated impacts.
23 Common Cybersecurity Vulnerabilities
24 Key Security Initiatives
Key technology initiatives
– Cryptographic methods and systems
– System emerging technologies
– Security management and assurance
Other Executive Priorities
– Cloud Computing
– Citizen Facing Authentication
– Automated Security Configuration Compliance Determination
Industry/Security Community Initiatives
– Product Assurance
– Government-wide Security Controls and Processes
25 Questions