CYBER SECURITY OF HARES, TORTOISES AND HEDGEHOGS
ASIS 12th European Security Conference, Gothenburg, April 15th, 2013

HARE, TORTOISE, HEDGEHOG AT AESOP AND GRIMM
http://en.wikipedia.org/wiki/the_tortoise_and_the_hare
http://de.wikipedia.org/wiki/der_hase_und_der_igel
ATTACKERS ARE BECOMING MORE AND MORE SOPHISTICATED
Threats are becoming increasingly complex:
drive-by attacks, removable storage media, privacy, single sign-on, mobile bandwidth, countless updates, DDoS attacks, cloud computing, tablet computers, 100,000 new viruses per day, vulnerabilities, missing experts, apps, internationalization, malicious code, smartphones, abuse, complex software, hardware Trojans, BYOD, mobile botnets, complex web applications, mobile access, time to market, all-IP network, different operating systems, complex supply chain
CYBER ATTACKS ARE TAKING PLACE EVERY DAY
MAIN REASONS: WEAK IMPLEMENTATIONS / MISSING PATCHES
Sector                    Incident
Gaming industry           100 million customer data records stolen; network out of commission for a month
IT-security industry      Confidential details on the company's product family stolen
Military industry         Attack via VPN remote access system
Online shop               24 million customer data records stolen
Security industry         Theft of internal and confidential customer documents (e.g., FBI/NSA)
Social network            Theft of 6.5 million SHA-1 password hashes
Internet radio            Theft of 2.5 million MD5 password hashes
Online dating             Theft of 1.5 million password hashes
Government organization   Theft of contact details of experts
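Three of the incidents above are thefts of password hashes, and the slide files them under "weak implementations". The example below (added here, not part of the presentation or of Deutsche Telekom's material) shows why: it assumes the stolen hashes were fast, unsalted SHA-1 or MD5 digests, runs a dictionary attack against a constructed set of four accounts, and contrasts that with the same attack against per-account salted PBKDF2-HMAC-SHA256 records. The account names, passwords and wordlist are constructed sample data; the choice of PBKDF2 and its 600,000-iteration default are this example's assumptions, not a recommendation from the slides.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not taken from any real breach): four accounts
# as a site with the weak implementation would store them.
CONSTRUCTED_USERS = {
    "alice": "Summer2013",
    "bob": "letmein",
    "carol": "letmein",     # same password as bob
    "dave": "xK9#v!2pQz",   # strong, not in the attacker's wordlist
}

# Constructed attacker wordlist; real ones hold hundreds of millions of entries.
CONSTRUCTED_WORDLIST = ["123456", "password", "letmein", "Summer2013", "qwerty"]


def store_unsalted(users, algo="sha1"):
    """Weak implementation: hash = H(password) with a fast, unsalted hash."""
    return {u: hashlib.new(algo, pw.encode()).hexdigest() for u, pw in users.items()}


def crack_unsalted(stored, wordlist, algo="sha1"):
    """Dictionary attack on unsalted hashes.

    One hash per candidate tests it against every account at once (and
    identical passwords collide visibly, e.g. bob and carol), so the cost is
    len(wordlist) hash calls regardless of how many accounts leaked.
    Returns (recovered passwords, number of hash calls spent)."""
    lookup = {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}
    recovered = {u: lookup[h] for u, h in stored.items() if h in lookup}
    return recovered, len(wordlist)


# Hardened implementation (assumed for this example): per-account random salt
# plus a deliberately slow KDF. PBKDF2-HMAC-SHA256 is used because it ships
# with hashlib; 600,000 iterations follows OWASP's 2023 guidance for that KDF.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """Return a self-describing record: algo$iterations$salt$derived_key."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored, wordlist):
    """Same dictionary attack against salted, slow hashes.

    Every (account, candidate) pair needs its own KDF run, so the cost is
    accounts * len(wordlist) runs, each `iterations` times slower than a
    bare SHA-1. Returns (recovered passwords, number of KDF runs spent)."""
    recovered, runs = {}, 0
    for user, record in stored.items():
        for w in wordlist:
            runs += 1
            if verify_password(w, record):
                recovered[user] = w
                break
    return recovered, runs


if __name__ == "__main__":
    weak = store_unsalted(CONSTRUCTED_USERS, "sha1")
    found, cost = crack_unsalted(weak, CONSTRUCTED_WORDLIST, "sha1")
    print(f"unsalted SHA-1: recovered {found} with {cost} hash calls")

    # Low iteration count only so the demo finishes quickly; keep the default
    # for real deployments.
    hardened = {u: hash_password(pw, iterations=2_000) for u, pw in CONSTRUCTED_USERS.items()}
    found, cost = crack_salted(hardened, CONSTRUCTED_WORDLIST)
    print(f"salted PBKDF2: recovered {found} with {cost} KDF runs of 2,000 iterations")
```

Note what the hardened form does and does not buy: the salt forces one KDF run per account per candidate (15 runs here instead of 5 hash calls, each run thousands of times slower), and it hides that bob and carol share a password, but "letmein" is still recovered. Slow salted hashing raises the attacker's cost; it does not rescue weak passwords.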
HOMEWORK HAS TO BE DONE, THE EXTRA MILE IS NEEDED
Four pillars: Fix the Basics, Business Focus, Holistic Approach, The Extra Mile
FIX THE BASICS: OUR PRIORITIES FOR CYBER SECURITY
SETTING THE SCENE WITH CYBER SECURITY INNOVATIONS
- Security by Design
- Privacy and Security Assessment (PSA)
- Fight against spam and botnets to protect our customers and our infrastructure (ABUSE)
- Protect our (externally accessible) systems through regular cyber crash tests
- Establish processes for rapid patch management across all our systems
- Secure integration of new devices into IT landscapes (also in the BYOD context)
- Establish security as an additional criterion for the selection of suppliers
BUSINESS FOCUS: BE A SUCCESSFUL LEADER
SECURE CONNECTED LIFE AND WORK FOR OUR CUSTOMERS
Internal customers rely on us because
- we have proven expertise
- we are problem-solving, not problem-creating
- we are aware of our different roles
External customers rely on us because
- we provide guidance and solutions to secure their data
- we inform them frankly and directly about security issues
- the security level is a criterion for product launch
- security is part of our DNA
- we take responsibility!
HOLISTIC APPROACH: CONVERGENCE OF SECURITY
STAY OPEN-MINDED FOR THE BIGGER PICTURE
- Combined security forces and expertise
- Forget about silos
- Focus on sustainability and transparency
- Clear, transparent and reliable common rules
- Avoid Babylonian confusion
- Security as corporate social responsibility
THE EXTRA MILE: EARLY WARNING AND TRANSPARENCY
OUR HONEYNET PROVIDES US WITH A REAL-TIME VIEW
- 92 honeypot sensors recorded 8,732,125 vulnerabilities under attack within 3 years
- Up to 400,000 attacks per day
- A simulated smartphone was attacked more than 300,000 times in one year; 330 of these attacks were successful against the simulation, on average almost one per day
- Worldwide there are currently almost one billion smartphones in use; think about the threat!
SHARING INFORMATION WHILE AN ATTACK IS HAPPENING
WWW.SICHERHEITSTACHO.EU
TELEKOM IS THE MOST TRUSTED COMPANY
WHICH COMPANY DO YOU THINK IS TRUSTWORTHY WHEN IT COMES TO THE HANDLING OF PERSONAL INFORMATION?
Company     Respondents   (difference relative to Telekom's 45%)
Telekom     45%
Amazon      27%
Microsoft   25%
Vodafone    25%           (-44%)
Ebay        23%
Apple       21%
E-Plus      20%           (-56%)
Google      19%
Web.de      19%
O2          18%           (-60%)
GMX         18%
1&1         16%
Alice       12%           (-73%)
Yahoo       10%
Facebook     8%           (-82%)
Source: Security Report, Institut für Demoskopie Allensbach, Germany, June 2012
10+2 WAYS TO MITIGATE THE RISK
The risk of cyber attacks cannot be eliminated, but there are means to mitigate it.
1. Tear down walls to create transparency.
2. Be open-minded for collaboration (across borders, industries and companies) and bundle the power.
3. Create platforms for exchange (Cyber Security Summit 2012).
4. Think outside the box (overarching test centers, official security seals).
5. Neighborhood watch is key to success (CERT community, SPOCs for rapid alerts).
6. Accept shared responsibilities, e.g. between hardware and software suppliers.
7. Invest in people and tools.
8. Sensitize employees.
9. Sensitize the public (even the user, as the weakest link in cyber security, has a shared responsibility).
10. Accelerate innovation in cyber security, e.g. by cooperating with technology-savvy start-up companies.
+1. Governments: create and maintain reliable laws and rules.
+2. Governments: countries should work closer together than ever before.
NO MATTER WHICH ONE WE ARE, LET'S BE SMARTER!
THANK YOU FOR YOUR ATTENTION!
Deutsche Telekom Data Privacy and Data Security Report 2012
http://www.e-paper.telekom.com/epaper-data_privacy_and_data_security_2012/