00:16
What you just saw was the outbreak of
WannaCry, an attack that began in May 2017
and quickly swept over the world.
00:24
Thousands - tens of thousands - of various
companies and governments were affected back
then, and the damage was in the billions.
00:33
What happened at the time? I hope you were
not impacted.
00:37
In today's lecture, I'd like to talk about
both cybercrime and cybersecurity.
00:42
How can I accomplish this?
And for this, we will discuss the different
sorts of attackers, as well as those
responsible for WannaCry.
00:53
How can I then respond to these various
forms of attacks in a targeted manner?
What kinds of security measures are
available?
And I will give a hypothesis that you can
use to go through these defensive measures
systematically and choose the best ones for
yourself and your company in a targeted
manner. Finally, we will discuss how I can
consistently ensure security in my firm.
01:24
What types of attackers exist?
Essentially, there are three types of
attackers, which can be classified into three
levels based on their expertise and the
resources they invest to carry out targeted
attacks against companies.
01:45
However, before that, there is a category of
cybersecurity incidents that aren't targeted
assaults, and I certainly have to examine
these as well.
01:58
The possibility of not being assaulted at
all does not exist.
02:01
This does not happen in real life.
02:03
Rather, there are many - hundreds of
thousands, millions - of different viruses out
there that can infiltrate my organization by
chance, infect my machine, and perform some
actions, and I must definitely protect myself
against them.
02:18
That means I'll need some kind of defense
against these completely random, untargeted
attacks. However, I must also consider the
attackers who may launch targeted attacks
against my organization.
02:31
Is there ever a chance that these types of
attacks may target me?
Individuals who initiate targeted attacks
against my organization constitute the first
level, or category, with internal employees
constituting the largest group.
02:47
That is, people who already work for me and
who, for various reasons, such as being
passed over for a promotion, etc., attack my
firm and simply want to create harm.
03:00
Indeed, internal attackers are the most
numerous group that I must guard against, and
that, ultimately, every firm must protect
against, because they can be found
everywhere.

The second level consists of attackers who,
compared to individual attackers, can invest
significantly more resources, both time and
money, to launch targeted attacks against my
company. These are usually groups: criminal
groups, mafia organizations, gangs, criminal
gangs, who, for example, want to blackmail me.
03:37
That implies they can devote substantially
more time and money to an assault, spy on me,
and then, for example, blackmail me in a
targeted manner.
03:47
There are a lot of them right now.
03:52
To protect against this case, I obviously
require many more resources than for the
first level, corresponding to the resources
invested by the attackers.
04:01
But in the case of a group of attackers
capable of targeting any company, from small
to large, the only difference is the amount of
ransom demanded by these criminal
organizations. WannaCry did just that.
04:17
It was a group of attackers; numerous people
were behind it.
04:21
They stole a few hundred thousand dollars
while causing billions of dollars in
collateral damage. However, I must take action
against them, and in the case of, say,
WannaCry, the correct course of action would
have been to constantly keep the firmware of
my Windows systems, whose vulnerabilities were
exploited, up to date.
04:44
And, as we discovered, many corporations,
particularly larger ones, had not done so.
04:49
They hadn't done it for financial reasons;
they hadn't updated some servers that were
probably not that critical for a few years,
and those servers were then encrypted,
resulting in this massive collateral damage.
05:04
The third category of attackers is
ultimately government organizations,
intelligence agencies, or terrorist
organizations, which use a very large amount
of resources - a lot of time, and also a lot
of knowledge - to attack companies, to launch
very targeted attacks against critical
infrastructure in order to shut it down, cause
damage, or attack it during times of crisis,
war, or terrorist acts.
05:28
And obviously, such attacks do not target
everyone.
05:32
A government spy agency is unlikely to
target the baker around the block.
05:36
However, as we've seen in the past, key
infrastructure or the German Bundestag might
become the target of such attacks, which I
must defend against.
05:45
How can I protect myself?
How should I think about security measures?
There is a model, a concept, that has long
been recognized in cybersecurity and is also
applied there. The so-called
defense-in-depth principle is, however, far
older; it stems from military strategy and has
been used for hundreds of years. It means: "I
consider which combination of security
measures will provide a sufficient level of
security, because it is obvious that one
single security measure does not make sense."
I require a combination of many things.
06:33
As an example, here is a city plan of my
hometown of Leipzig, which demonstrates it
really well, and I will keep translating it
into today's digital environment.
06:45
The first thing I notice is that the city
has a formidable wall that prevents anyone -
attackers - from simply walking in.
06:56
This is the firewall in modern parlance.
07:00
No packet or communication can any longer
simply enter or exit the company.
07:06
No, people who wish to enter the city must
pass through the gates, which are manned by
guards who inspect everyone passing through.
07:16
Are they in possession of a passport?
What exactly do they want?
Are they permitted to enter my city?
Is this communication permitted to enter or
exit my organization?
That is the verification step. Next, I divide
my city into distinct zones that I can secure
separately.
07:35
That means I have my own city, complete with
a city wall.
07:39
Maybe I have the palace or the city hall,
which are also fortified, and maybe I have
another, extremely thick-walled room in this
city hall that contains the city treasury.
07:50
Yes, I have my normal company, the perimeter
of my company; I have the development
department, which has additional protection;
and the crown jewels - my development results,
plans, blueprints, recipes, et cetera - which
I protect again through dedicated protected
servers so that they are much harder to
attack.
08:14
That is network segmentation. It's also a
good idea to have someone sitting on the
city's highest tower simply watching what is
happening, because attackers may be lurking
anywhere in the city.
08:31
Is there anyone here? Is there a fire raging
somewhere?
I need to think of things like that so they
can trigger targeted alarms that we can
respond to as quickly and as promptly as
possible, so we can send the fire brigade or
the military there.
08:48
That is anomaly detection in the digital
world.
08:52
I should monitor all communication and
examine all data moving in and out.
08:59
Is everything normal, or is there anything
out of the ordinary that I may look at?
Not everything is either bad or evil.
09:07
On the contrary, 95 percent of all things,
95 percent of all anomalies that I observe,
have nothing to do with cybersecurity, but
rather with technical faults,
misconfigurations, damaged hardware, and so
on, as well as bandwidth issues, which we
definitely need to monitor in order to
rectify them.
09:27
I'll return to this later, but who is
sitting at City Hall is ultimately crucial,
if not the foundation of everything.
09:34
Who is in charge of our security?
Managers, CEOs, and mayors should think
about security on a regular basis and, of
course, ensure that the right security
measures are adopted and implemented.
09:51
That is, we should put in place an ISMS, or
information security management system, as
well as a risk management system, depending
on the various standards that may apply to me
in my industry or in general.
10:05
ISO/IEC 27001, for example, is a critical
basic risk management system.
10:13
Once I've put these security measures in
place, the task is obviously not over.
10:19
I also need to continuously assess if these
safeguards, these security measures, are
indeed necessary.
10:25
Do they have any effect?
Are they effective? Money is always the
secondary requirement, which is a wonderful
thing. Are they genuinely effective?
Penetration tests, for example, are
conducted by external companies, which then
try to find weaknesses together with me and
my company, in a targeted manner, so that I
can ultimately improve my security measures,
drop redundant security measures, or
introduce new ones.
10:54
And it's always a good idea to watch what's
going on now, not just to verify the security
measures - which will create a blind spot -
but also to examine which communication
activities are taking place in my firm in
general.
11:07
Is there anything out of the ordinary
going on?
It is also critical to examine this in the
event of an emergency, which is obviously
challenging in the digital age.
11:16
After all, if data is stolen, as in spying,
it isn't lost; it was merely copied.
11:22
As a result, determining what actually
occurred is not that simple.
11:25
I have an example that illustrates this
really well, which is why I brought it.
It's an Arduino chip that we discovered in a
power plant, and the problem is that it
clearly doesn't belong there. But what
actually happened? In the first step, we
examined what was on this chip.
And indeed, it contained a Trojan meant to
spy on systems - yes, it was discovered in
the control network, in the conductor
network of the plant control.
11:57
That's what it was employed for; it had also
spread to other systems, installing offshoot
Trojans used for spying.
12:08
The obvious next question is, what happens
next?
What should we do? We found that out when we
evaluated the communication and discovered
that, fortunately, we were still in the first
step, the espionage phase.
12:22
That suggests it was obviously placed there
recently and had first merely spread out to
see what the network looked like.
12:30
It hadn't even reached everywhere yet, which
meant it hadn't begun to do anything
harmful. It simply hadn't been interacting
with the outside world yet, let alone opened
a backdoor through which someone might have
seized control; but that would have been the
purpose of the malware that had been planted
on it.
12:52
You can react appropriately if you notice -
and analyze - what happened there.
12:57
The affected servers were obviously cleaned
up in this situation - restored from backups.
The malware was eradicated, and security
measures, particularly physical protection,
were enhanced.
13:10
The assumption is that the chip was
installed there by an external maintenance
business, or by an employee of this
maintenance company.
13:19
This was then passed on, which is where the
police come in, who then investigate it
further.

Now, how can I maintain security
indefinitely?
We also have a control loop concept that has
been used for many decades for this: the
management must organize security - that is
the first step; that is the foundation.
13:45
Before I consider any technological steps,
such as whether or not to utilize a firewall,
I must first consider the actual risk, the
security targets, and how I can meet them.
13:56
Can I meet them?
That is always the ultimate foundation.
14:00
In fact, however, this is occasionally done
incorrectly; a firewall is erected, sometimes
at significant expense, only to say, "OK,
I'm safe." No, you are not; what is vital is
the risk management system.
14:13
That implies I need to organize security; I
need to be proactive, which puts people at
the center of it all.
14:20
That means they need to be trained, informed
on what to do and what to look out for, and
so on. What should I do in the event of an
emergency?
Then, obviously, one important concept is to
constantly watch, monitor, and observe
whether any events, any security events,
occur.
14:37
And, as previously stated, it's not just
about cybersecurity; it's about anomalies in
general. And, in fact, 95 percent of the
things you see that you should respond to
have nothing to do with cybersecurity, but
are technical errors, misconfigurations, and
bandwidth issues that I obviously need to
control so that my production, my company,
works the way it should - it needs to run
efficiently.
15:03
That is, can this measure also ensure that my
operations run efficiently and consistently?
When I see anything, I must - react.
15:15
I must determine whether or not to react.
15:17
Has anyone reacted, or did this happen on
its own?
And occasionally, when it comes to
complicated or really critical matters, when
I suspect that my plans, my development
plans, have been stolen, I need to
investigate - really analyze - what really
happened there.
15:38
That implies I might have to bring in the
experts, who will then examine in a
forensically conclusive manner what happened
here, in order to ensure more security - or
at least an equal degree of security - in
the next iteration or year.
15:58
Some security measures are no longer
required since they are redundant.
16:02
Some security measures should be
strengthened.
16:07
I may also need to add new security measures
from time to time, but I will never attain a
sufficient level of security, 100 percent or
otherwise, to ensure reliable, efficient, and
safe processes.
16:19
Thank you very much.