Cyber Security and the National Central Banks

F. Cecchi

Banca d'Italia


  1. Cyber Security and the National Central Banks
     CPEXPO Community Protection, Genova, October 30th 2013
     Servizio Innovazione e sviluppo informatico
     Divisione Architettura, infrastrutture e sicurezza
  2. AGENDA
     1. Introduction
     2. The Cyber Threat from a National Central Bank Perspective
     3. The Cyber Crime Economy
     4. Trend prediction
     5. The Central Bank Response
     6. Conclusion
  3. 1. INTRODUCTION: Changes in IT (1/2)
     • “Anytime, anywhere, any platform” access to systems
     • Open source platforms adopted in order to gain access to “best of breed” technology
     • “Time-to-market”: pressure for new systems/applications
     • Knowledge workers, big data and business intelligence
     • Social media
  4. 1. INTRODUCTION: Challenges for central banks
     • Increasing complexity in IT systems → larger attack surface
     • IT systems integrating different business lines → interdependences increase
     • External counterparties and service providers involved in business processes → appropriate trust model
  5. 1. INTRODUCTION: Issues to be tackled by security experts (1/2)
     • Can IT continue to meet the needs of the business while maintaining an appropriate security level?
       – Not only preventive countermeasures: reactive controls as well
     • Are IT services and infrastructure protected from the Cyber Threat?
       – The new threats must be assessed against Confidentiality, Integrity and Availability criteria, taking into account the countermeasures in place
     • Are the business lines aware of the new Cyber Threat risks?
       – Otherwise only perceived risks get mitigated
  6. 1. INTRODUCTION: Issues to be tackled by security experts (2/2)
     • Is the trust model still valid?
       – “Security control” of counterparties and information services
     • Are all information flows under control?
       – “Control” of the unstructured flows (e.g. Social Media)
     • Do we spend too much or too little on the security of information?
       – Return on Security Investment (e.g. the ROSI approach)
     • What information do I “not know”?
       – We must be aware that countering Cyber Crime requires effort in gathering relevant information
  7. 2. THE CYBER THREAT FROM A NATIONAL CENTRAL BANK PERSPECTIVE: The attackers
     • Who are the attackers?
     • What are their motivations?
     • What are their goals?
     • What methods do they use?
  8. 2. THE CYBER THREAT FROM A NATIONAL CENTRAL BANK PERSPECTIVE: The motivations
        Attackers                  Motivations
     1. Hacktivists                Anti-globalization, anti-capitalism
     2. Terrorists                 Ideology, political change, power, money
     3. Politically motivated      Geo-political reasons, financial benefits
     4. Criminal organizations     Money, retaliation
     5. Employees                  Retaliation, personal gain, coercion
     6. Occasional Hackers         Reputation, curiosity
  9. 2. THE CYBER THREAT FROM A NATIONAL CENTRAL BANK PERSPECTIVE: The goals and methods
        Goal of the Cyber Attack       Method of the Cyber Attack
     1. Web site defacement            Web application attacks
     2. DoS / DDoS                     Botnets
     3. Information theft              Advanced Persistent Threats (APT), Malware, Hacking, Social Engineering
     4. Information leakage            WikiLeaks, Social Media, Forums, Web Sites
     5. Sabotage                       Disabling / bypassing security systems
     6. Intrusion                      Social Engineering, Malware, APT
     7. Fraud                          Social Engineering, Hacking, Malware
     8. Corruption                     Unreliable internal employees
     9. Other illegal activities       Abuse of resources
  10. 3. THE CYBER CRIME ECONOMY
      • Cyber Crime: a hidden economy in good health and little affected by the increased sensitivity to security:
        – $114 billion direct costs (Symantec, 2011)
        – $110 billion direct costs (Symantec, 2012)
      • Human Resources (hackers for hire)
      • Crime-as-a-service
        – “eBay”-style procurement of Cyber Attack services (viruses, keyloggers, etc.)
        – Electronic payments on the “BitCoin” model
        – On-demand Cyber Attacks
      • Goods
           Ware                                          Price (USD)
           Malware (source code)                         $100 – $100,000
           Exploit pack (e.g. ZEUS)                      $150 – $2,200
           Malware installation (1,000 installations)    $6 – $150
           Zero day exploit                              $100,000 – $5,000,000
  11. 4. TREND PREDICTION
      • More data leakages
      • More politically motivated operations
      • More professional malware (also on mobile devices)
      • More tailor-made exploit code and attacks
      • Less time for all of us to react
  12. 5. THE CENTRAL BANK RESPONSE (1/3)
      • Cyber Risk Governance
        – The management of Cyber Risk has been included in the operational risk management framework (ORM)
        – Cyber Risks have often been included in the corporate risk management framework (ERM)
        – The governance of Cyber Risk has been changing in order to speed up the decision making and incident management processes
      • Risk Management
        – A gap analysis is in progress on the systems potentially vulnerable to an attack and on the existing controls at business and IT level
        – The current trust model toward external counterparties is under assessment
        – Personnel involved in critical operations or dealing with sensitive information are subject to specific screening
  13. 5. THE CENTRAL BANK RESPONSE (2/3)
      • Business Continuity
        – The procedures to assess the extent of damage caused by an attack are being speeded up
        – The option of carrying on business operations even with IT systems under attack is being considered
        – Communication processes are defined to re-establish an appropriate level of trust internally and with external counterparties
      • Awareness
        – More Information Security training programs
        – The Central Bank senior management and the risk Committees are regularly informed about the risk situation
        – More testing of Cyber Attack response plans
  14. 5. THE CENTRAL BANK RESPONSE (3/3)
      • Strengthening of security measures for critical applications and systems
        – Connections to untrusted networks are limited
        – Privileged access to applications, data and operations is minimized
      • Reference to best practices issued by international organizations in the industry and/or government
        – Adoption of the Cyber Resilience models issued by WEF, ISF and OECD is under evaluation
  15. 6. CONCLUSION
      • The risk associated with the Cyber Threat is not just an IT problem → responses should be coordinated with the other security teams (physical security, business continuity)
      • Attack complexity increases → detection is increasingly linked to the recognition of abnormal behaviour
      • Cyber Attacks will tend to target the weakest link in the chain (e.g. social engineering)
      • The identity management and authentication functions must be strengthened
      • Information sharing and collaboration among like-minded institutions are becoming increasingly important
