At our latest Security Summit on March 24th we had the company of Sophie Marien, a Computer Science Engineering student specialising in software security. Here is her account of the event:
Main lessons learned
- Security has made a shift from prevention to detection.
- All aspects are interconnected, making security a complex issue to deal with. Capability is the key and having higher capabilities can give more value to the business.
- To achieve a better security level, you need to think as a hacker. Try to find out how or what a hacker would do to get into a system. If you are always in defense you will never win the game. Be active in your defence.
- Having good security strategies does not mean that budgets will be allocated to security: most (all) of the attending companies didn’t obtain an increase in budget for having a good security strategy. Some had a frozen budget and others even had a decrease in budget.
- Awareness is very important. Even if you have good security protection layers, spam filters and firewalls, a phishing mail opened by one of your employees or a USB stick is enough to infect a PC on the network, and from there it can spread further.
- To perform well, you have to take security seriously, look ahead with your security strategy. Simplify your infrastructures: it will reduce the cost of security operations. Unify your security operations: security operations staff needs access to a wide range of information (for overview) and depth of information (for rapid triage and investigations).
- Be active in your defence, try to learn from your intruders: “catch” a virus and reverse engineer it.
Infrabel raised security awareness in 5 steps.
- They started by identifying 54 “information types” and made a risk assessment, based on which a top 15 of information types with a high risk score was drawn up.
- Next, the organisation’s methods for safety were used for risk analysis. An information security board was installed, chaired by the head of safety and including the Chief Information Security Officer (CISO) and other ICT members.
- EU and Belgian laws were also taken into account: laws and regulation are excellent drivers to create awareness.
- In a follow-up of the attacks in January 2015, security was further increased.
- Finally, Infrabel also developed a strategic information security plan based on 7 domains and 26 actions. The 7 domains are the IT applications, the ICT end devices, the network, uniform controls, buildings, signaling and the human factor.
FCCU Insights (Federal Computer Crime Unit)
- Most (80%) of the victims (companies or individuals) don’t report cyber crimes or are not aware that they became victims.
- The awareness of cyber security is increasing but is not yet sufficient. One of the main problems is that it is not always clear to whom you have to make a complaint.
- Besides financial motives, criminals are also increasingly driven by political and ideological motives.
- Crime-as-a-service also gives easy access to cybercrime with no need for technical skills, attracting traditional crime groups into the field of high-tech crime.
- The current government agreed to elaborate the cyber security strategy. The royal decree on Cyber Security Belgium formulates a challenging mission on different aspects of security.