
NSC42-egr-data-protection-gambling

The presentation describes the history of breaches and how to prevent security breaches in a digitally connected world.
The presentation was presented at EGR 2019 conference in London.

https://www.egrdatabriefing.com/agenda/speakers/386737

  1. The Casino cyber heist – at EGR Data Briefing 2019 – 10 steps to master data protection
  2. Disclaimer: the pictures and the format in this presentation are under license to NSC42 Ltd. Agenda: About the author; How things have changed; Target and ideal world; How do we get there in 10 steps; The future; Conclusions & take-away; Q&A. T- @FrankSEC42
  3. www.nsc42.co.uk – About the author: Francesco Cipollone, Founder of NSC42 Ltd, CISO advisor, cybersecurity and cloud expert. Public speaker, researcher and Director of Events of the Cloud Security Alliance UK; researcher and associate at ISC2. "I've been helping organizations define and implement cybersecurity strategies and protect their organizations against cybersecurity attacks." Links: FC LinkedIn, e-mail, website, articles, NSC42 LinkedIn. Security is everybody's job. Security is a challenging field, and as professionals we are supposed to know a lot about everything.
  4. How things have changed: gambling has gone from physical to digital to mobile... what's next? What are the security implications of this evolution?
  5. A little bit of history. Industry timeline:
     - 1994: first online casino
     - 1994: UK National Lottery (Camelot)
     - 1999: multiplayer online gaming
     - 2015: UK gambling revenue £13.4 billion
     - 2018: UK revenue £14.4 billion
     - 2018: worldwide gambling revenue $56.05 billion
     Breach timeline:
     - 2013: Paddy Power
     - 2014: Sands Casino (Venetian/Palazzo)
     - 2015: Hard Rock (1st)
     - 2016: Hard Rock (2nd); Rama Resort; Cowboy Casino (CA)
     - 2017: North America (fish tank); Hard Rock (3rd); Graton Resort
     - 2018: Atrient (MGM); EOSBet
     - 2019: Curaçao data breach
  6. Some numbers: gambling revenue has grown at a steady pace, as has adoption (32% in some years), reaching a whopping $56 billion in 2018 and £14.4 billion in the UK alone. Why security? Lots of money and an extensive attack surface usually attract people with bad intentions.
  7. Old challenges: what risks do you think exist in this digital landscape? Despite the digital evolution, fraud still exists, the image of gambling is under scrutiny, and money laundering is still a threat to licences.
  8. Change in landscape. The Good: focus on cyber; new tech; community. The Bad: speed vs. expertise; new tech; increased threats; gambling image. The Ugly: cloud cyber threats; money laundering; addiction among the young.
  9. Ideal cybersecurity world: in an ideal cybersecurity world we would have infinite time and infinite resources to do things right, and all the boring chores would be automated.
  10. How do we get there? So how do we reach our dream security world? Security is everybody's job and problem; security gets involved at the earliest point in the software pipeline.
  11. Step 1 – Cloud responsibilities. The customer defines the controls and owns security IN the cloud: application & content; network security; identity & access control; operating system/platform; data encryption. The cloud platform covers security OF the cloud: physical infrastructure; network infrastructure; virtualization layer. "Understand the shared responsibility model and delegation and you'll master cloud." Consider what you are getting yourself into in a cloud migration: cloud is not natively secure or insecure.
  12. Step 2 – Cloud patterns: hybrid vs. cloud-first; traditional vs. cloud controls; logging and monitoring; identity and access management. "There is no such thing as a free lunch... but leverage patterns as a starting point."
  13. Step 3 – Design security: "How would you expand the security team without expanding the team? Train software engineers on security and you'll have 'free security resources'."
  14. Step 3 – Security for everyone: in an ever-changing environment, how do we enforce security? "Security is everyone's job, but make it fun or no one will do it!"
  15. Step 4 – Security by design: "So what would the software engineer do with the security hat on?" "Gamification... remember to have fun when doing your job." How do we make threat security fun?
  16. Step 5 – Security by design: "What other tools are we missing in the black belt of security by design?" "Privacy impact assessment, risk assessment, fraud modelling." "Gamification... remember to have fun when doing your job."
  17. Step 6 – Enterprise security: "Application security makes the application perfect. Enterprise security architecture gives a different perspective."
  18. Step 7 – Shift left in DEV: "Security as early as possible: integrate security in the software development pipeline." Keep the threat or fraud model exercise concise and fun! Don't overcomplicate.
  19. Step 8 – Security in test: "Security (testing) as early as possible." Security testing as a bug bounty program! Make it fun and rewarding.
  20. Step 9 – DEV-SEC-OPS (BIZ): what kind of animal is the DEV-SEC-OPS? Integrating security: integrate security into the OPS team (and add a spark of BIZ). Security is everybody's problem. Reward security effort: low cost, high reward.
  21. Step 10 – DEVSECOPS: "Master the SEC in DEV-SEC-OPS by injecting the security function into all parts of the process." Security functions across DEV – SEC – OPS: Sec Eng., AppSec, SecOps, Sec Comp. Activities: automate, test, experiment, code, self-service automation, detect, alert, contain, scan, monitor, improve.
  22. The future: "Cybersecurity due diligence will remain the same regardless of the technology chosen."
  23. Conclusions. Wrapping up, we've discussed: evolution & challenges; the ideal world and 10 steps to reach it; what's in the future. A solid security strategy remembers the WHY of security. Security is everybody's job.
  24. Q&A
  25. Contacts – get in touch: https://uk.linkedin.com/in/fracipo, Francesco.cipollone (at) nsc42.co.uk, www.nsc42.co.uk. Thank you. WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY