The document summarizes the state of cybersecurity in Switzerland. It finds that most major Swiss banks, insurance companies, and pharmaceutical firms have implemented key security headers, though some banks' e-banking sites are still lacking protections. Data leaks have exposed millions of records from Swiss financial and insurance firms. Overall, Switzerland has strong cybersecurity practices but some sectors like cantonal banks could still strengthen their online defenses.

1. BinaryEdge.io
Be Ready. Be Safe. Be Secure.
The State of Web Security
in Switzerland

2. AGENDA
Who am I?
What do we do?
Switzerland and Cybersecurity
Headers
Dataleaks affecting Switzerland
Data exposed

3. WHO AM I?
Tiago Henriques
Tiago is the CEO and Data necromancer at
BinaryEdge however he gets to meddle in the
intersection of data science and cybersecurity
by providing his team with lovely problems that
they solve on a daily basis.

4. WHAT DO WE DO?
VNC
RDP
Files People
Social
Company
registration
internal
external
Phone
Email
Linked urls
BGP
AS
Whois
AS membership
AS peer
List of IPs
Shared
infrastructure
Co-hosted
sites
Contact
Geolocation
Office
locations
Social
networks
Phone
portscan
dns
torrents
Screenshots
Web
Services
http https
Users
AppsFiles
Peers Torrent name
Banners
Image
Classifier
Vulnerabilities
200
Ports scanned
per month
>120 million
IPs with services
> 1.5 billion
Events generated
per month
DATA POINTS
metadata
Photos
Family&friends
Behaviour
Likes
Topics
Search
News
Forums
Sub-reddits
Domains
AXFR
MX records
Webserver
Framework
Headers
Cookies
Certificate
Configuration
Authorities
Entities
OCR
SW
ip address
url address
SMB

5. WHAT DO WE DO?
balgan@DESKTOP-PAGM894 /cygdrive/d/270m domains/cctld_lists
$ head ch.csv
google.ch
uploadable.ch
eztv.ch
projectfreetv.ch
blick.ch
ricardo.ch
watchseries-online.ch
20min.ch
cokeandpopcorn.ch
bluewin.ch
balgan@DESKTOP-PAGM894 /cygdrive/d/270m domains/cctld_lists
$ cat ch.csv | wc -l
1533995

6. SWITZERLAND AND CYBERSECURITY
INSURANCEBANKING PHARMA

7. SWITZERLAND AND CYBERSECURITY

8. Source: https://securityheaders.io
SERVER
STRICT-TRANSPORT-SECURITY
X-FRAME-OPTIONS
X-CONTENT-TYPE-OPTIONS
X-XSS-PROTECTION
CONTENT-SECURITY-POLICY
PUBLIC-KEY-PINS
This Server header seems to advertise the software being run on the server but you can
remove or change this value.
HTTP Strict Transport Security is an excellent feature to support on your site and strengthens
your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
X-Frame-Options tells the browser whether you want to allow your site to be framed or not.
By preventing a browser from framing your site you can defend against attacks like clickjack-
ing.
X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and
forces it to stick with the declared content-type. The only valid value for this header is
“X-Content-Type-Options: nosniff!”.
X-XSS-Protection sets the configuration for the cross-site scripting filters built into most
browsers. The best configuration is “X-XSS-Protection: 1; mode=block”.
Content-Security-Policy is an effective measure to protect your site from XSS attacks. By wh-
itelisting sources of approved content, you can prevent the browser from loading malicious
assets. Analyse this policy in more detail.
HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates.
By whitelisting only the identities that the browser should trust, your users are protected in
the event of a certificate authority is compromised. Analyse this policity in more detail.
HEADERS

9. Most Common Server Headers (top20)
HEADERS

10. 0 35,00017,5008,750 26,250
Strict-Transport-Security
X-XSS-Protection
Content-Security-Policy
(report + enforced)
Public-key-Pins
(report + enforced)
X-Content-Type-Options
X-Frame-Options
32,687
31,552
20,220
16,444
1,282
210
Most Common Security Headers in Switzerland
HEADERS

11. BANKS - WEBSITES
UBS.COM
CREDIT-SUISSE.COM
JULIUSBAER.COM
POSTFINANCE.CH
BANKCOOP.CH
FALCONPB.COM
X-frame-
options
Strict-Transport-
Security
X-Content-
Type-Options
Content-Security-
Policy
Public-Key-
Pins
X-XSS-
Protection
SECURITY HEADER
DOESN’T HAVE SECURITY HEADER HAS SECURITY HEADER
RAIFFEISEN.CH
HEADERS

12. HEADERS
BANKS - E-BANKING
UBS.COM
CREDIT-SUISSE.COM
JULIUSBAER.COM
POSTFINANCE.CH
BANKCOOP.CH
FALCONPB.COM
X-frame-
options
Strict-Transport-
Security
X-Content-
Type-Options
Content-Security-
Policy
Public-Key-
Pins
X-XSS-
Protection
SECURITY HEADER
DOESN’T HAVE SECURITY HEADER HAS SECURITY HEADER
RAIFFEISEN.CH

13. BANKS - E-BANKING
UBS.COM
CREDIT-SUISSE.COM
JULIUSBAER.COM
POSTFINANCE.CH
BANKCOOP.CH
FALCONPB.COM
X-frame-
options
Strict-Transport-
Security
X-Content-
Type-Options
Content-Security-
Policy
Public-Key-
Pins
X-XSS-
Protection
SECURITY HEADER
DOESN’T HAVE SECURITY HEADER HAS SECURITY HEADER
RAIFFEISEN.CH
THIS IS HARD TO DO RIGHT!
HEADERS

14. https://www.troyhunt.com/how-chromes-buggy-content-security-policy-implementation-cost-me-money/
HEADERS

15. CANTONAL BANKS CYBER COMPETITION - E-BANKING
ZÜRCHER (ZKB.CH)
VAUDOISE (BCV.CH)
BASLER (BKB.CH)
LUZERNER (LUKB.CH)
ST.GALLER (SGKB.CH)
BERNER (BEKB.CH)
X-frame-
options
Strict-Transport-
Security
X-Content-
Type-Options
Content-Security-
Policy
Public-Key-
Pins
X-XSS-
Protection
SECURITY HEADER
DOESN’T HAVE SECURITY HEADER HAS SECURITY HEADER
HEADERS

16. INSURANCE COMPANIES
ZURICH FINANCIAL SERVICES
SWISS RE
WINTERTHUR GROUP
SWISS LIFE
BALOISE
HELVETIA PATRIA
X-frame-
options
Strict-Transport-
Security
X-Content-
Type-Options
Content-Security-
Policy
Public-Key-
Pins
X-XSS-
Protection
SECURITY HEADER
DOESN’T HAVE SECURITY HEADER HAS SECURITY HEADER
HEADERS
INVALID CONFIGURATION
SUVA
GROUPE ALLIANZ (SUISSE)
LA MOBILIERE
VAUDOISE ASSURANCES

17. PHARMACEUTICAL/CHEMICAL COMPANIES
NOVARTIS
ROCHE
SYNGENTA
CLARIANT
CIBA
X-frame-
options
Strict-Transport-
Security
X-Content-
Type-Options
Content-Security-
Policy
Public-Key-
Pins
X-XSS-
Protection
SECURITY HEADER
HEADERS
DOESN’T HAVE SECURITY HEADER HAS SECURITY HEADER

18. aerzte-zh.ch/
HEADERS
8
7
3
3
3
X-FRAME-OPTIONS
X-XSS-PROTECTION
STRICT-TRANSPORT-SECURITY
CONTENT-SECURITY-POLICY
PUBLIC-KEY-PINS
X-CONTENT-TYPE-OPTIONS
0
130 DOCTOR WEBSITES

19. DATA LEAKS
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

20. DATA LEAKS AFFECTING SWITZERLAND
UBS
26,763
Credit Suisse
14,262
Julius Bär
765
Zürcher
Kantonalbank
505
Raiffeisen
442
Banque
Cantonale
Vaudoise
375
PostFinance
352
Falcon
Private Bank
64
St. Galler
Kantonalbank
56
Luzerner
Kantonalbank
50
Berner
Kantonalbank
47
Basler
Kantonalbank
41
Bank Coop
31
BANKS

21. DATA LEAKS AFFECTING SWITZERLAND
INSURANCE COMPANIES
Zurich
Financial
Services
2,753
Swiss Re
2,883
Winterthur
Group
554
Swiss Life
507
Baloise
414
Helvetia
Patria
239
Suva
230
Groupe Allianz
(Suisse)
6
La Mobiliere
0
Vaudoise
Assurances
228

22. DATA LEAKS AFFECTING SWITZERLAND
PHARMACEUTICAL/CHEMICAL COMPANIES
Novartis
19,872
Roche
17,708
Syngenta
6,409
Clariant
0
Ciba
676
31

23. DATA LEAKS AFFECTING SWITZERLAND

24. DATA EXPOSEDDATA EXPOSED

25. DATA EXPOSEDDATA EXPOSED

26. DATA EXPOSEDDATA EXPOSED

27. DATA EXPOSEDDATA EXPOSED

28. DATA EXPOSEDDATA EXPOSED
Big DataTechnologies
Changes in amount of data exposed on the internetMongoDB Memcached Redis 2TB
644.3TB
Aug 2015 Jan 2016 July 2016
724.7TB 627.7TB
13.2TB
11.3TB
710.9TB 12.0TB
598.7TB 27.5TB 1.5TB
1.8TB
619.8TB

29. DATA EXPOSEDDATA EXPOSED

30. BE READY. BE SAFE. BE SECURE.
www.binaryedge.io
CONTIGENCY THREAT SAFE IRRELEVANT