Security systems of the future
CPN_ADMIN
FEB 15, 2012



A security system that senses one's evil intentions and sounds an
alarm? Possible? Not so far, of course, but who knows what the future has in
store for us. According to industry experts, we're in for some big surprises
that have the potential to make our lives easier, safer, more productive and
more enjoyable.

Earlier this year, in the S&VC Security Technology Review series on
burglar and fire alarms, we introduced some fundamental concepts applying to
both hardwired and wireless security systems. In this article we'll take a
whimsical (and yet realistic) look into what benefits the 21st century may hold
for residential and commercial protective systems. If you've missed any part of
the Security Technology Review series, then you might find the background it
provided to be useful in your reading of this article. If so, you may wish to
refer to the February, April, August and October issues of S&VC.

Past and present

For anyone involved with alarm systems for more than a few years, it is not
too difficult to remember when a control panel was just a simple metal box
with a couple of relays, a built-in keyswitch and a cheap ammeter used to
check the integrity of the protective circuits. This simple apparatus was
powered solely by dry cells, which, in time, would assume the supporting
role of standby battery when commercial AC was eventually used for power.
Soon after, it became possible to locate the built-in keyswitch remotely on
a wall plate and replace the ammeter with an adjoining "go/no go" indicator
lamp. With the increasing demand for multiple zones of protection,
entry/exit delays, bell time-outs and remote alarm reporting, separate
modules addressing these concerns not only found their way into many
manufacturers' catalogs, but they also added significantly to the cost and
complexity of many installations.

By the late 1970s, solid state components governed the operation of many
alarm panels that now provided power supplies using rechargeable batteries.
Integrated circuits enabled manufacturers to use less space and include the
features heretofore found only in add-on modules. This resulted in
significant cost reductions that were passed on to the user -- including
on-board digital communicators capable of quickly and accurately reporting
alarms to a monitoring station.

By the early 1980s, affordable microprocessors provided the greatest
breakthrough in control panel design, managing parameters like delays, zone
characteristics, user access codes and alarm reporting formats -- all of
which fell under software control and could be more varied and easily
selected.

As the PC (personal computer) became more popular, these parameters could
be programmed into alarm systems from the comfort and convenience of the
dealer's office and, via a modem, the resulting configuration could be
downloaded to the remote installation and uploaded later for inspection,
modification and troubleshooting, if required.

Wireless technology using supervision was soon improved enough to be
incorporated into control panels, and hybrid designs -- using both hardwired
and wireless detection -- became popular, making installations faster, easier
and more profitable for the dealer.

Soon, alphanumeric keypads were developed, displaying both queries and
phrases, and they permitted, more than ever before, a higher degree of
communication between the system and its users. Around this time,
affordable multiplexing technology allowed dozens of zones to share a
simple wire run while each maintained its unique characteristics and
identification. High-end panels eventually incorporated voice synthesizers
that allowed the system to "speak" to its users, leading to telephone
interfacing and making the operation of security systems not only easier,
but also more inviting. With it came the ability to use any touch-tone
phone (whether on or off premises, including cellular) as a keypad to
obtain information about the installation (for example, whether or not it
is armed and whether or not the alarm had been triggered and, if so, where)
and, if required, to issue commands for bypassing faulted zones and arming
a disarmed system.

Using its built-in clock, new technology made it possible for security
systems to support programmed schedules, allowing commercial systems to arm
and disarm themselves automatically at predetermined times. By
incorporating Line Carrier (e.g. X-10) technology, household appliances,
such as coffee makers, lamps and fans, and office apparatus, such as
copiers, computers and lighting, could be similarly controlled as well.
From a cellular phone, a residential user could turn on an air conditioner
and have coffee ready prior to getting home from work -- all under the
auspices of the security system.

The present and the future

So much for the present. What and where is the next advance? Actually, it's
already here, but may not be so obvious. It's known as system integration.
To understand it, a change in thinking is required. No longer is the
control panel merely a part of a burglar or fire alarm system -- it has the
potential to be at the core of an integrated system of which wireless
detection, access control, lighting/appliance control and CCTV may also be
a part. In fact, recent technology has made it possible for the alarm panel
to become the processing and control center for all of these multiple
security functions. As such, it makes good sense both technically and
economically for manufacturers of security systems to provide a standard
interface having compatibility with common alarm equipment and all of a
customer's other security-related functions. Because the keypad is used on
a daily basis, it can remain the focal point of such an integrated system
and can be employed in related tasks. To illustrate, an access control
system using typical card readers can be tied into the alarm system.
Designated doors, always armed, could be momentarily disarmed when those
authorized to do so enter (or leave) an area using their card. Similarly,
the alarm panel can be called upon to trigger cameras and recorders in
response to unauthorized entries into specific areas. A simple bus, easily
wired to different parts of a building, provides a convenient connection
point for whatever contacts, modules, keypads, accessories, or other
equipment may be desirable for interfacing with the security system.

The future holds many surprises for us. Selected technologies and
philosophies, now in their infancy, will surely be a part of the security
systems manufactured in the next century. Here are but a few.

Biometric technology

While seemingly out of a science fiction movie, biometric systems store
data on a selected human characteristic unique to each individual
authorized to use the system. When an individual needs access to an area,
the same characteristics are scanned and compared with those already in the
database; a match grants them entry. Presently, biometric systems store
data on either hand geometry or attributes of the iris and retina. Systems
like these, while largely unfamiliar to the general public, are already in
use in limited applications and may be the common means of access control,
ATM and credit card verification in the world of tomorrow. Because of the
potentially foolproof nature of these systems, it was the U.S. government
that underwrote much of the research and development costs, initially for
fingerprint identification in the early 1970s. Today, in addition to hand,
iris and retinal scanning, work is being done in the areas of voice
printing and signature verification.

Wireless data transmission

Although wireless voice transmission has been around for ages, it has never
been more evident -- as confirmed by the millions of cellular phones that
have now become a commodity. The transmission of data without wires,
however, is also becoming more visible to the public. Wireless tracking of
deliveries, popularized by the United Parcel Service, is a prime example of
how up-to-the-moment information about deliverables can be instantly
supplied to the public. Today, field service personnel can interrogate a
central database about the location of a part or subassembly, and request
immediate delivery -- all without wires and without having to make multiple
phone calls. Vending machines can broadcast their status to a central
computer when they are running out of soda, candy or change, as can
electric meters, if they're interfaced to transmit their customer's monthly
power usage.

In terms of its effects on future security, wireless data transmission will
allow buses, taxis and even car services to transmit their locations to
nearby tracking centers periodically and automatically. Electronic
monitoring equipment in ambulances will remotely access a patient's files
and supply updates on his current condition to the intended hospital.
Security systems, while currently being able to use radio to transmit alarm
data to a central station, will also transmit camera images and
conversations taking place at the time of an intrusion.

False alarm prevention

False alarms have always been a concern for the security industry. While
the vast majority of alarm systems do their jobs quite well, the sounds of
false alarms disturb neighborhoods and may unnecessarily dispatch police
and emergency services. There are many reasons why false alarms occur;
chief among them are user errors, malfunctioning or poorly designed
equipment and inadequate or questionable installation techniques.
Nonetheless, to conform to SIA's (the Security Industry Association)
recommendations for deterring false alarms, virtually all future alarm
control systems will be equipped with programmable features like these:

* "Swingers" (multiple alarms from the same point due to a malfunction) will
be restricted to only a certain number within any armed period.

* Smoke detectors will have to be electronically "verified" before they can
actually generate an alarm.

* The ability to "cross zone" will be available, allowing two or more
related zones to be "ANDed", thus requiring simultaneous trips before an
alarm will occur.

* A delay before an alarm communication must be available to permit
user-caused alarms to be aborted before they reach the central station.

* Audible and visual indications must be available during the entry and
exit delay periods, to alert users to conform to the system's operating
requirements.
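
A sketch of how three of these features (swinger limits, cross zoning and the communication delay) interact in panel logic, added here as an illustration and not taken from the article or from any SIA document. The class name, zone names, event times and all threshold values are constructed, and "simultaneous" cross-zone trips are assumed to mean trips within a short time window.

```python
from dataclasses import dataclass, field


@dataclass
class AlarmPanel:
    # All defaults are constructed values for illustration, not SIA figures.
    swinger_limit: int = 2        # alarms allowed per zone per armed period
    cross_window: float = 30.0    # seconds within which both ANDed zones must trip
    abort_delay: float = 30.0     # seconds the communicator waits before reporting
    cross_zones: dict = field(default_factory=dict)   # zone -> partner zone
    armed: bool = False
    alarm_counts: dict = field(default_factory=dict)  # zone -> alarms this period
    last_trip: dict = field(default_factory=dict)     # zone -> time of last trip
    pending: list = field(default_factory=list)       # (report_at, zone)
    reported: list = field(default_factory=list)      # zones sent to central station

    def tick(self, now):
        """Send every pending alarm whose abort delay has expired."""
        due = [p for p in self.pending if p[0] <= now]
        self.pending = [p for p in self.pending if p[0] > now]
        self.reported.extend(zone for _, zone in sorted(due))

    def arm(self, now):
        self.tick(now)
        self.armed = True
        self.alarm_counts.clear()   # swinger counters restart each armed period
        self.last_trip.clear()

    def disarm(self, now):
        """A valid user code was entered: abort alarms still inside the delay."""
        self.tick(now)
        aborted = [zone for _, zone in self.pending]
        self.pending.clear()
        self.armed = False
        return aborted

    def trip(self, now, zone):
        """Handle one detector trip and return what the panel decided."""
        self.tick(now)
        if not self.armed:
            return "ignored"
        self.last_trip[zone] = now
        partner = self.cross_zones.get(zone)
        if partner is not None:
            # Cross zoning: the partner zone must also have tripped recently.
            partner_time = self.last_trip.get(partner)
            if partner_time is None or now - partner_time > self.cross_window:
                return "cross-zone-wait"
        if self.alarm_counts.get(zone, 0) >= self.swinger_limit:
            return "swinger-shutdown"   # zone already used up its alarms
        self.alarm_counts[zone] = self.alarm_counts.get(zone, 0) + 1
        self.pending.append((now + self.abort_delay, zone))
        return "alarm-pending"


def run_demo():
    """Replay a constructed sequence of events (times in seconds)."""
    panel = AlarmPanel(cross_zones={"hall_pir": "lounge_pir",
                                    "lounge_pir": "hall_pir"})
    outcomes = []
    panel.arm(0)
    outcomes.append(panel.trip(10, "front_door"))   # user walks in on an armed system
    aborted = panel.disarm(25)                      # code entered inside the delay
    panel.arm(100)
    outcomes.append(panel.trip(110, "hall_pir"))    # single PIR trip, partner silent
    outcomes.append(panel.trip(200, "lounge_pir"))  # partner tripped 90 s ago: too old
    outcomes.append(panel.trip(215, "hall_pir"))    # both within 30 s: alarm
    for t in (300, 400, 500):                       # faulty window contact
        outcomes.append(panel.trip(t, "window"))
    panel.tick(600)
    return outcomes, aborted, panel.reported


if __name__ == "__main__":
    print(run_demo())
```

The user-caused front-door alarm never reaches the central station, the lone PIR trips are held back, and the third trip from the faulty window contact is suppressed.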

Automatic self-testing

Many alarm controls will have an automatic maintenance provision, which
will perform periodic checks on itself and many of its components. A bus
test, for example, will allow the system to verify the connections and the
operation of all its keypads and expansion modules. The resulting
displayable and printable reports will point to potential problems which
may be caused by faulty wiring, poor connections or component degradation.
Early detection of this type is valuable in eliminating the potential for
false alarms and major problems later on.

Intelligent motion detectors

The most popular of all motion detectors, the PIR is basically a simple
device that is designed to recognize significant changes in the infrared
energy within an area and report it as an intrusion. Although PIRs have
been markedly improved since their mass acceptance around 1980, they still
have their limitations in terms of detection range and incidences of false
alarms. The movement of pets in an unattended home has always been a major
concern of alarm installers and a potential cause of unwanted alarms in
PIRs -- in spite of measures taken to the contrary. PIRs of the future will
likely have an on-board database containing the digitized equivalents of
actual and anticipated patterns of human movement. Whenever changes in IR
energy are detected, the pattern will be digitized and compared to those in
the database. Patterns matching human movement will cause the unit to trip;
other patterns, although detected, will be rejected, substantially reducing
false alarms.

Graphic displays

Both homes and businesses will have LCD panels connected to their security
systems capable of displaying the layout of the premises with high
resolution graphics in both two- and three-dimensional views. Points or
areas having faulted zones, prior alarms and/or bypasses will be clearly
visible and can be acknowledged and even corrected by a simple touch (along
with the entry of a valid user code) of the display. Such displays could
also furnish a log about previous alarms, prior uses of the system, likely
causes of false activations, corrective actions taken and so forth.

Home automation/home integration

Home automation technology is already adding new dimensions and
opportunities for security system integration. As costs drop, as acceptance
and awareness grow, and as new construction incorporates this technology
into its design, more and more of us will enjoy the benefits of having home
security integrated with household scheduling and controls. All of the
following will be possible:

* Voice Activation: Once an individual's voice patterns and unique
characteristics are memorized by the system, it will be possible to
converse with a security system and obtain any necessary information by
expressing queries and commands without the need for a keypad.

* Robotic Systems: Using artificial intelligence, future systems will
automatically learn a family's behavior patterns and adjust themselves
accordingly, without the need for programming. Security components
integrated into such a system will similarly benefit as they are armed and
disarmed automatically, while making accommodations for those still on
premises.

Fiber optics

For many years, fiber optics has been a medium of transmission used by the
communications industries to convey audio, video and data. One
distinguishing advantage of fiber optic transmission is its immunity to
electronic noise caused by lightning, RFI (radio frequency interference)
and EMI (electromagnetic interference). Fiber optics may soon find its way
into the detection and signaling circuits of security systems in many homes
and businesses, relegating interference-caused false alarms to a thing of
the past.

Security and the Internet

We've already read how communication over the Internet has saved lives,
sometimes well into the far reaches of the world, when the concerns of
caring individuals have triggered the mobilization of emergency services.
Because of the technology built into the Internet, information about
alarms, including video and audio components, may be routed not only to the
Central Station, but also directly to agencies created to store such
information -- possibly providing a means for identification of individual
faces, criminal patterns, and behavior.

The future brings with it many conceivable changes and improvements in the
area of security, although they won't be without their growing pains, both
technically and otherwise. Our best wishes to all of you for a Happy
Holiday Season.

Ways to Enhance Data Security


The world of cybersecurity is progressing at great speed and, at the same time,
improvements in technology are making it easier for hackers and cyber-criminals
to exploit data security loopholes. The constantly rising number of
cybersecurity attacks is a major concern for internet users and business
organizations. And it should be!

One recent example of the growing scale of such attacks is the ransomware
attack known as WannaCry. It was one of the largest attacks in recent years, affecting a
large number of businesses all over the world. Here's where the question arises: 'Why
have both large and small businesses been affected and influenced by this attack?' It
seems like the world is starting to see that increased security measures are not just a
matter of protecting data; in protecting data, we are protecting the very infrastructure
of our business.

There are many ways organizations can protect their business from cyber-attacks. This
article is based on a PrivacyEnd post which outlines several measures, including updated
software, improved technologies, skilled employees and pre-planned precautionary
measures.

I have extracted the five suggestions from the PrivacyEnd article that I wish to explore in
more depth to provide you with recommendations and tips for enhancing your
organization's data security.

Limit Data Access


Most organizations give privileged access to their sensitive data to a number of
employees and insiders. Think about who in your organization has access to sensitive
customer data. Can you identify everyone's access rights? Most company executives
are unaware of which individual employees have access to data and
why they access it. This is a huge risk for data loss, theft and hacking.

This means it is necessary for businesses to limit data access. Organizations
should determine what an employee needs access to and ensure they have access to
only what they need, and nothing else. All these limitations could help organizations
manage their data more efficiently and ensure it is being safeguarded from theft or loss.

According to Dircks, Bomgar CEO,

With the continuation of high-profile data breaches, many of which
were caused by compromised privileged access and credentials, it’s
crucial that organizations control, manage, and monitor privileged
access to their networks to mitigate that risk. The findings of this
report tell us that many companies can’t adequately manage the risk
related to privileged access. Insider breaches, whether malicious or
unintentional, have the potential to go undetected for weeks, months,
or even years – causing devastating damage to a company.

Identify Sensitive Data
For companies, it is really important to be aware of where their most important data and
sensitive business information lies. This will ensure you have the right information and
can allocate more resources to protecting your most sensitive and crucial assets.

Although sensitive business data is probably only around 5-10% of your total business
data, a data compromise involving sensitive or personal data could result in an
immense loss of reputation and revenue to a company. If we go back to access
management and rights, we should be putting stricter measures on sensitive data
than on other business data.

Pre-Planned Data Security Policy


When looking at the operations and processes needed to mitigate a cyber-attack, an
important step is to prepare a list of security measures and data security policies. This
sort of plan could help an organization significantly in critical situations and times of
incident response. Through policies, you can react immediately in order to prevent
extreme impacts of a cyber-attack.

As with access management and rights, employee access could be identified easily and
you would remain aware of which users in your organization could have potentially been
breached. It's important to remember that a policy and process plan is only as good as
its last revision. Technology, industry regulation and best practice are always changing.
Someone therefore needs to own this policy and process guide and always look at new
ways of updating it to keep it relevant.

Strong and Different Passwords for Every Department

Sensitive data in an organization should be locked away with strong passwords. Making
stronger passwords is necessary for fighting a number of password hacking tools that
are easy to get on the market. Try ensuring that there is a combination of different
characters, including letters (with some capitals), numbers and symbols.

Additionally, using the same passwords for different programs and access is also a risk.
Once your password is cracked, a hacker will try the same password on all major
accounts you own.

Therefore, organizations should keep unique passwords for all employees as well as
the departments. This can be easily managed using a password manager tool and
ensuring that all employees receive proper data security training and password tips.

Where possible, it is also advised that multi-factor authentication is used. Adding
another step to a password login means another step that hackers need to crack,
making the hack much less likely and more difficult. Some good examples of multi-factor
authentication include biometrics, push notifications to phones, smartcards and token
authentication.

Regular Data Backup and Update


Last on the list of important data security measures is having regular security checks
and data backups. For an unexpected attack or data breach, it is really helpful for
an organization to have backed up its data. To have a successful business, you must keep a
habit of automatic or manual data backup on a weekly or daily basis.

In addition, the data should be protected through updated software and
efficient antivirus tools. However, to attain this, you must have a progressive and efficient
IT department. Make sure you are hiring someone with the right skills who you can trust
to do the job properly.

Conclusion
Becoming a successful business is a difficult task, but sustaining yourself is much more
challenging. In today’s world of immense cybersecurity risks it is really important for you
to be pre-equipped with the security tools and privacy enhancements that are needed to
safeguard your most valuable asset - your data.

Ten ways to prevent insider security threats

From your CEO to your mail clerk, insiders can do more damage than
outside attackers. Learn how to develop and mitigate a system against
insider security threats.






This article can also be found in the Premium Editorial Download: Information Security magazine: Chain of
command: Inside Prudential's security management program

David Bianco
The unmasking of insider Robert Philip Hanssen as a Russian spy taught the
FBI a harsh lesson that most organizations have yet to learn: There's great
danger from those we trust the most.

We've gotten pretty good at protecting our perimeters, but most of us do a
less-than-adequate job protecting our enterprises from employees (current
and former), business partners, contractors, interns and even customers.
While most of our attention is focused on Internet-based attacks, insiders
cause the vast majority of security incidents and can do the most damage. It
makes sense: They have intimate knowledge of our network layouts,
applications, staff and business practices.

Institutional laxity invites insider problems. In a revealing report in August, the
Department of Justice's Office of the Inspector General cites not Hanssen's
brilliance as a spy, but rather the bureau's failure to implement and enforce
strong insider security procedures as a prime reason for his success over
20 years.

The FBI isn't unique on this score. Insiders are typically subject to very few
controls -- organizations tend to rely on trust rather than any sort of technical
or procedural countermeasures. The result can be sabotaged systems,
destroyed data, stolen credit card information, etc. The DOJ's list of computer
intrusion cases is a litany of inside jobs. Consider just a few:

* A worker in GTE's Network Service Support Center in Tampa, Fla., wiped
data and caused more than $200,000 in damage.

* A computer programmer for North Carolina-based Lance Corp., angered
over a demotion, planted a logic bomb that took field sales reps' computers
offline for days.

* A pair of Chase Manhattan Bank employees stole credit card numbers,
which they used to steal nearly $100,000.

Your organization could be next. What can you do about it? We offer 10 tips to
help you develop and implement an insider threat mitigation strategy. Some
may be complex and costly over the long haul, but others simply involve
reviewing your processes and policies and applying best practices. The main
point is to turn your infosecurity radar inward.

1. Security Policy First


At a minimum, your security policy should include procedures to prevent and
detect misuse, as well as guidelines for conducting insider investigations. It
should spell out the potential consequences of misuse.

Start by reading through your existing security policies, especially those
regarding incident handling. Rework sections that rely on trusting insiders. For
example, your incident-handling plan shouldn't require your team to contact
the administrator of a suspect system to gain access -- he or she may be the
culprit.

Next, make sure that your policy details the limits on access to and
dissemination of personal data about your employees, temps and others who
might be targets of investigations. Mishandling this data can have severe
consequences, including legal action. Specify who is allowed to access what
data, under which circumstances, and with whom they are allowed to share
this information.

Finally, to protect the organization from allegations of unfair or unequally
applied penalties, make sure your security policy spells out the consequences
of misusing company resources.

2. Don't Neglect Physical Security


Regardless of whether you "own" physical security, consider it your
number-one priority. Simply keeping people away from your critical
infrastructure is enough to prevent most insider incidents.

Consider what happened to Red Dot Corp., a Seattle-area heating and
cooling company, where two janitors combed through garbage cans, desks
and filing cabinets, stealing employee and customer personal information.
They obtained fraudulent credit cards and illegally accessed bank accounts,
stealing tens of thousands of dollars before they were arrested this past July.

Isolate high-value systems in restricted areas, and apply tight access control.
You may be tempted to rely on key cards -- they're flexible and inexpensive --
but they're only single-factor authentication, and can be lost, stolen or
borrowed. The audit log may show that Alice entered the computer room at
10:03:34 a.m., but what if it was really Bob using her key?

Two-factor authentication -- for example, using a PIN and a key card -- to
augment key cards will thwart card thieves, but obliging employees will still
loan their cards and PINs to colleagues.

Consider biometric authentication. Fingerprint scanners and similar devices
are popular, albeit expensive, choices.

But securing your computer systems isn't enough. Thieves, or overly curious
colleagues, will grab sensitive information from unsecured "hard copy" --
printouts, CD-ROMs, etc. Make sure all your employees have at least one
lockable drawer in their desk or file cabinet for securing sensitive information.

3. Screen New Hires


In general, the more time you spend investigating an applicant's background,
the better. If your organization considers background checks too time
consuming, consider outsourcing. A background check will cost anywhere
from $50 to $200 -- a small price to pay to find out exactly what sort of person
you're hiring.

Background checks don't always tell the whole story, however. For example, a
typical check might verify the applicant's current address, but would fail to
reveal that someone living at the same address is a known con artist or a
disgruntled ex-employee. Services such as Systems Research &
Development's NORA (Non-Obvious Relationship Awareness) can find such
relationships. By combining information from seemingly unrelated corporate
databases, NORA can perform personnel checks -- on employees,
subcontractors and vendors -- as well as prospective hires.

4. Use Strong Authentication


Passwords are passé. Password-cracking technology is quite advanced, and
stronger passwords spawn forests of Post-it notes on monitors. And many
employees share passwords.

The alternatives are expensive, and general deployment is beyond the means
of most organizations. For example, fingerprint scanners cost $100-$250 per
station. A more cost-effective compromise is to apply strong multifactor
authentication only to particularly sensitive applications or systems, such as
HR or accounting.

If you do deploy multifactor authentication -- combining user ID/password with
tokens, smart cards or fingerprint readers, etc. -- be aware that these methods
may not plug all the holes. Once your session is established, a knowledgeable
insider may be able to spoof new transactions under your name, or simply use
your computer while you've stepped away. Windows stations can be set to
lock out users after a fixed period of inactivity and require re-authentication.

5. Secure Your Desktops


You can't depend on users to be responsible for all their configurations, but if
you're using Microsoft's Active Directory service, you can use group policies to
lock down desktops across your enterprise.

Group policies allow a security manager to set configuration details for the OS
and its components (Internet Explorer, Windows Media Player, etc.), as well as
other apps. For example, you can change the settings for each of IE's security
zones, enforce the use of your organization's content filtering Internet proxy,
and even forbid the use of unsigned third-party macros in MS Office apps.
Windows itself comes with a number of sample template files, and more are
available from Microsoft's Web site or from the Windows or Office Resource
Kits. In addition, make sure access rights to network folders are applied on a
strict need-only basis.

6. Segment LANs
Host- or network-based intrusion detection systems deserve a prominent
place on the roster of your internal defenses, but finding good monitoring
points can be challenging.

Host-based systems usually deploy agents, but network-based systems rely
on LAN sniffers. Monitoring a single Internet connection is easy, but finding
good locations -- "choke points" -- inside often-chaotic LANs can be more
difficult. Ideally, you'd have one sniffer for each LAN segment. In a large
network, this is unwieldy, impractical and will probably overwhelm you with
worthless alerts.

A better tack is to treat your LAN as a series of enclaves, each of which
comprises its own zone of trust, segregated by firewalls at the point where
each connects with the corporate backbone.

7. Plug Information Leaks


Sensitive information can flow out of your organization through e-mail, printed
copies, instant messaging or by people simply talking about things they
should keep to themselves. Combine security policy and technology to stanch
the bleeding.

First, make sure your policy details restrictions on disseminating confidential
data.

Technology can help, starting with the IDSes. Scan your business plan for
unique phrases that you wouldn't expect to find anywhere else and configure
your IDS to alert you whenever it sees these telltale snippets on the network.
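
The phrase-matching idea in the paragraph above, as an added example that is not part of the original article: pick word sequences from a confidential document that do not occur in ordinary outbound text, then flag outgoing messages that contain them. The document text, baseline mail, messages and function names are all constructed for illustration, and a real IDS or mail gateway would consume the resulting phrase list in its own rule format.

```python
import re

N = 4  # words per phrase; a constructed choice, longer phrases are more unique


def words(text):
    """Lower-case word list, so case, punctuation and line wraps do not matter."""
    return re.findall(r"[a-z0-9']+", text.lower())


def shingles(text, n=N):
    """Every run of n consecutive words in the text."""
    w = words(text)
    return {" ".join(w[i:i + n]) for i in range(len(w) - n + 1)}


def telltale_phrases(confidential, baseline_docs, n=N):
    """Phrases from the confidential text that never appear in ordinary mail."""
    common = set()
    for doc in baseline_docs:
        common |= shingles(doc, n)
    return shingles(confidential, n) - common


def scan(message, phrases, n=N):
    """Telltale phrases found in one outgoing message."""
    return sorted(shingles(message, n) & phrases)


def alerts(messages, phrases, min_hits=1):
    """(message index, matched phrases) for every message worth a look."""
    found = []
    for i, message in enumerate(messages):
        hits = scan(message, phrases)
        if len(hits) >= min_hits:
            found.append((i, hits))
    return found


# --- Constructed sample data -------------------------------------------------
BUSINESS_PLAN = (
    "Project Bluefin will acquire the Harbourline depot in the third quarter. "
    "Please find attached the quarterly report for your review."
)
ORDINARY_MAIL = [
    "Please find attached the quarterly report for your review and comments.",
    "Let me know if you have any questions about the quarterly report.",
]
OUTGOING = [
    "Hi Sam,\nplease find attached the quarterly report for your review.\nThanks",
    "fyi - Bluefin WILL acquire the\nHarbourline depot, keep it quiet",
]

PHRASES = telltale_phrases(BUSINESS_PLAN, ORDINARY_MAIL)

if __name__ == "__main__":
    for index, hits in alerts(OUTGOING, PHRASES):
        print(f"message {index}: {hits}")
```

Subtracting the baseline is what keeps routine wording such as "please find attached the" from raising an alert on every message.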

E-mail firewalls, such as CipherTrust's IronMail and Tumbleweed
Communications' MMS, can scan the full text of all outgoing e-mail.

Vidius' PortAuthority applies a digital signature to each protected document
and blocks access based on user-generated policy.

Digital rights management tools, such as SealedMedia and Authentica's
Recall series of products, restrict distribution of documents by assigning
access rights and permissions.

8. Investigate Anomalous Activities


You probably collect reams of log data from your Internet-facing servers: Unix
syslogs, Windows event logs, firewall logs, IDS alerts, AV reports, dialup
access logs or any of a number of other different audit trails. But what about
your internal LAN?

Unlike external attackers, insiders generally aren't careful about covering their
tracks. "It's as if the attacker doesn't expect to be caught. Generally, none of
the insider attacks we have seen were difficult to investigate," says Peter
Vestergaard of Danish security consultancy Protego. "The biggest problem
has been that companies don't have sufficient logging. In one case, almost no
one knew that logging on a nondomain controller NT/Win2K server is disabled
by default. Therefore, little or no log material was available."

Once you've got the log files, you're left with the often-difficult task of sorting
through them for suspicious activity. "In all the noise, it's hard to identify a
particular person trying to get information on the network," says an
infosecurity officer for a large U.S. insurance and financial services company,
who requested anonymity. His company uses a home-brewed analysis engine
that combines information from several different logs and looks for
questionable patterns.

If you have the money, network forensic analysis tools (NFATs), such
as Computer Associates' Unicenter Network Forensics and Sandstorm
Enterprise's NetIntercept, can analyze the flow of information throughout your
network.

9. Refocus Perimeter Tools and Strategies


By applying your perimeter tools to the inside of your network, you can greatly
increase your security posture, often at little cost. Step one is internal
patching. You wouldn't dream of putting unpatched Web or e-mail servers on
the public Internet, so why should you settle for them on your LAN?

Step two is securing hosts by eliminating unused services and locking down
configurations.

Once you've got the basics covered, you can add more external tools to your
internal repertoire. If you're already using VA tools for your Internet-facing
services, scan your internal network for very little additional cost. Begin by
scanning your most critical servers, like internal e-mail, Web and directory
servers, then prioritize other systems and scan them in order.

10. Monitor for Misuse


Your security may require direct employee monitoring -- from video cameras
to keystroke logging. Research suggests that as many as one-third of all
employers perform such monitoring to some degree.
Before jumping on the bandwagon, though, make sure you know what tools
are available to you and what constitutes legal monitoring in your jurisdiction.

Web content filters are useful tools, since they can be set to block
pornography, competitors' Web sites and hacker tool repositories, all of which
figure prominently in common insider incidents. In general, you can safely
employ these as a matter of policy for all your workers.

If you need more detailed information about what specific employees are
doing, you must exercise a bit more discretion, but you still have plenty of
options. Two products that are best-suited to enterprise security are Webroot
Software's WinGuardian and Enigma Spyware Group's iSpyNOW. They offer
keystroke recording, application activity and window title logging, URL visit
history and more. WinGuardian can schedule regular screen shots, and
iSpyNOW can log file system events.

Examples of Online Cybersecurity Threats
Computer Viruses
Perhaps the most well-known computer security threat, a computer virus is a program written to alter
the way a computer operates, without the permission or knowledge of the user. A virus replicates
and executes itself, usually doing damage to your computer in the process.
Carefully evaluating free software, downloads from peer-to-peer file sharing sites, and emails from
unknown senders are crucial to avoiding viruses. Most web browsers today have security settings
which can be ramped up for optimum defense against online threats. But, as we'll say again and
again in this post, the single most-effective way of fending off viruses is up-to-date antivirus
software from a reputable provider.
Learn more about how to combat computer virus threats and stay safe online.
Spyware Threats
A serious computer security threat, spyware is any program that monitors your online activities or
installs programs without your consent for profit or to capture personal information. We’ve amassed
a wealth of knowledge that will help you combat spyware threats and stay safe online.
While many users won't want to hear it, reading terms and conditions is a good way to build an
understanding of how your activity is tracked online. And of course, if a company you don't recognize
is advertising for a deal that seems too good to be true, be sure you have an internet security
solution in place and click with caution.

Hackers and Predators


People, not computers, create computer security threats and malware. Hackers and predators are
programmers who victimize others for their own gain by breaking into computer systems to steal,
change, or destroy information as a form of cyber-terrorism. These online predators can compromise
credit card information, lock you out of your data, and steal your identity. As you may have
guessed, online security tools with identity theft protection are one of the most effective ways to
protect yourself from this brand of cybercriminal.
What scams are hackers using lately? Learn more about the dangers of hacking and how to
protect yourself against dangerous malware attacks online.

Phishing
Masquerading as a trustworthy person or business, phishers attempt to steal sensitive financial or
personal information through fraudulent email or instant messages. Phishing attacks are some of the
most successful methods for cybercriminals looking to pull off a data breach. Antivirus solutions with
identity theft protection can be "taught" to recognize phishing threats in fractions of a second.
How can you tell the difference between a legitimate message and a phishing scam? Educate
yourself on the latest tricks and scams.

How to Protect Data from Cyber Threats


January 18, 2018 | By Thilak
Anyone who uses a computer, a smartphone or any other mobile device would need to think seriously about
protecting data. Computers and such devices naturally have lots of data stored in them- documents, pictures,
banking passwords, credit card data, notes, emails etc. There are always chances that anyone using a system,
smartphone or a mobile device could knowingly or unknowingly end up making such data vulnerable. The
data could be stolen by hackers who could attack the system/device using malware. Similarly, if a
smartphone/mobile device is lost or gets stolen, the data in it could fall into wrong hands and get misused,
causing damages to the user. Hence, it’s always advisable to practice data protection recommendations, which
is much more than just having a free antivirus installed on the system/device. Here’s a look at the best
practices that could help protect data from cyber threats.
Ensure that the antivirus software is updated regularly
Having an antivirus program installed isn’t enough, it’s important that the antivirus is regularly updated.
Otherwise, it won’t be effective. It’s the updated version of the antivirus that’s needed to protect a
system/device against latest threats and vulnerabilities. Thus, it’s important that the antivirus- free antivirus or
paid- is updated regularly.
Update OS and other software regularly
The operating system that you use and the many other software applications that you’d be using need to be
updated regularly to prevent vulnerabilities and to protect data. It’s to be remembered that the WannaCry
ransomware, which spread globally and caused much damage, had infected systems that hadn’t updated the
Windows 7 OS. It’s also advisable to enable automatic updates so that it happens regularly without fail.
Do proper password management
Proper password management is key to securing systems/devices and protecting data. Ensure that everything is
password protected and that all passwords are strong ones- ideally a mix of alphabets, numbers and special
characters and not easy to guess. Similarly, it’s always good if the same or similar passwords are not used for
different accounts or files. There should also be a practice of changing the password at regular intervals.
Use firewall and other security software
Using the best firewall is vital to securing systems and data; firewalls work as protective shields between a system
and the internet and help a lot in blocking hacks and data breaches. Similarly, all necessary internet security
software needs to be used, based on the specific requirements.
Avoid untrusted Wi-Fi connections
Avoiding public, untrusted Wi-Fi connections would be good as far as protecting data is concerned. Hackers
can easily use a public, unsecured Wi-Fi network to gain entry into any system or device connected to the
network and then get away with all the data in the system/device. This could include login credentials of social
media profile, bank account logins, credit card data etc.
Avoid surfing untrusted websites
It’s always best to avoid visiting prohibited sites or websites without HTTPS. Such sites could expose a
system/device to malware and cyber criminals, which could eventually lead to data breaches.
Have data backup, update it regularly
This is one of the most important things to be done. Keep a backup of all data, especially sensitive and critical
data. This could help when there is a crash following a cyber attack and also when a device is lost or gets
stolen. The backup can be done on an external hard drive, portable storage device or the cloud. It’s also
important that the backup is regularly updated.
Use effective data recovery software
In the worst case scenario, if a data breach happens, it’s always good to have a data recovery software. There
are many brands available, but ensure that the one chosen could help recover the data completely and safely.

Cyber Security and Mobile Threats: The Need for Antivirus Applications for Smart Phones
J. Wright, M. E. Dawson Jr. and M. Omar, JISTP - Volume 5, Issue 14 (2012), pp. 40-60
Full Article Available Online at: Intellectbase and EBSCOhost │ JISTP is indexed with Cabell’s, JournalSeek, etc.
JOURNAL OF INFORMATION SYSTEMS TECHNOLOGY & PLANNING
Journal Homepage: www.intellectbase.org/journals.php │ ©2012 Published by Intellectbase International Consortium, USA

INTRODUCTION

Currently, smartphones are the preferred device for web browsing, emailing, using
social media and making purchases. Due to their size, smartphones are easily carried in people’s
pockets, purses or briefcases. Unfortunately, the popularity of smartphones is a breeding ground
for cyber attackers. Operating systems on smartphones do not contain security software to
protect data. For example, traditional security software found in personal computers
(PCs), such as firewalls, antivirus, and encryption, is not currently available in smartphones
(Ruggiero, 2011). In addition to this, mobile phone operating systems are not frequently updated
like their PC counterparts. Cyber attackers can use this gap in security to their advantage. An example of
this gap in security is seen in the 2011 Valentine’s Day attack. Cyber-attackers dispersed a mobile
picture-sharing application that covertly sent premium-rate text messages from a user’s mobile phone
(Ruggiero, 2011). Thus, this example illustrates the importance of having a security policy for mobile
phones.

Social Networking and Electronic Commerce (E-Commerce) Applications

Many people rely on
their smartphones to do numerous activities, like sending emails, storing contact information,
passwords and other sensitive data. In addition to this, smartphones are the device of choice when it
comes to social networking; thus, mobile applications for social networking sites (Facebook, Twitter,
Google+) are another loophole for cyber attackers to gain personal data from unsuspecting users
(Ruggiero, 2011). Social networking sites are host to a surplus of personal data. That is why malicious
applications that use social networking sites to steal data yield severe consequences. Recently,
M-Commerce or “mobile e-commerce” has gained popularity in our society. Many smartphone users
can now conduct monetary transactions, such as buying goods and applications (apps), redeeming
coupons and tickets, banking and processing point-of-sale payments (Ruggiero, 2011). Again, all of
these smartphone functions are convenient for the user but advantageous for malicious cyber
attackers. Ultimately, there is a niche in technology for cyber security software that is specifically
designed for the mobile operating system.

Hypothetical Consequences of Cyber Attacks on Smartphones

The consequences of a cyber attack on a smartphone can be just as detrimental, or even
more detrimental than an attack on a PC. According to Patrick Traynor, a researcher and assistant
professor at the Georgia Tech School of Computer Science, mobile apps rely on the browser to operate
(Traynor, Ahamad, Alperovitch, Conti, & Davis, 2012). As a result of this, more Web-based attacks
on smartphones will increase throughout the year. Traynor also states that IT professionals, computer
scientists and engineers still need to explore the variations between mobile and traditional desktop
browsers to fully understand how to prevent cyber attacks (Traynor, Ahamad, Alperovitch, Conti, &
Davis, 2012).

Challenges With a Mobile Browser

One cyber security challenge for mobile devices is the
screen size. For example, web address bars (which appear once the user clicks on the browser app)
disappear after a few seconds on a smartphone because of the small screen size (Traynor, Ahamad,
Alperovitch, Conti, & Davis, 2012). This is usually the first line of defense for cyber security.
Checking the Uniform Resource Locator (URL) of a website is the first way users can ensure that
they are at a legitimate website. Moreover, SSL certificates for a website are usually more difficult to
find on a mobile phone browser (Traynor, Ahamad, Alperovitch, Conti, & Davis, 2012). This adds
another gap in security for smartphones. Furthermore, the touch-screen attribute of mobile phones
can be cause for concern when dealing with cyber attackers. Traynor states that the way elements are
placed on a page and users’ actions are all opportunities to implant an attack. An illustration of
this is seen when an attacker creates an attractive display content (i.e. an advertisement for an app or
a link to a social media app) in which the malicious link is carefully hidden underneath a
legitimate image. Unfortunately, once the user clicks the image they can be redirected to the
malicious content via the link (Traynor, Ahamad, Alperovitch, Conti, & Davis, 2012).

Common Mobile Device OS – iOS and Linux

Apple debuted iOS, or iPhone OS, in 2007, with the inception of the
iPhone to the cell phone market (Barrera & Van Oorschot, 2011). Presently, the iOS platform not only
runs on iPhone but also iPod Touch and iPad (Barrera & Van Oorschot, 2011). Apple developers
specifically write apps to run on all iOS devices. Apple’s iOS popularity stems from an easy user
interface, including “onscreen interactive menus, 2D and 3D graphics, location services, and core
OS functionality such as threads and network sockets” (Barrera & Van Oorschot, 2011). Apple utilizes
various techniques to ensure that the security and quality of their applications are not compromised by
malicious cyber attackers. Unlike Android’s OS, iOS prevents third-party apps from accessing external
data by utilizing a “sandbox mechanism” (Barrera & Van Oorschot, 2011). This mechanism
employs policy files that restrict access to certain device features and data (Barrera & Van Oorschot,
2011). App developers use registered Application Programming Interface (APIs) to restrict apps from
accessing protected resources (Barrera & Van Oorschot, 2011). Finally, Apple approves every iOS app
developers create. The approval process has not been published by Apple, however it is believed that
“the company employs both automated and manual verification of submitted apps” (Barrera & Van
Oorschot, 2011). Once Apple approves a potential app, Apple “digitally signs it and releases it” to the
App Store (Barrera & Van Oorschot, 2011). Ultimately, Apple has the final say pertaining to which apps
are available for download in the App Store – “apps that Apple hasn’t digitally signed can’t run on the
device” (Barrera & Van Oorschot, 2011).

Linux is a Unix-like Operating System (OS) that is built on the
Linux kernel developed by Linus Torvalds with thousands of software engineers. As of 2012 there are
over two hundred active Linux distributions. The majority of the kernel and associated packages are free
and OSS. This type of software provides a license which allows users the right to use, copy, study,
change, and improve the software as the source code is made available. Providing source code allows
developers or engineers to understand the inner workings of development. Imagine being able to study
Mac or Windows by viewing all the source code to replicate similar developments. This exercise is
great for a developer to learn low level coding techniques, design, integration, and implementation. This
is also a great method for penetration testing with the ability to test all available back doors within the
software. In terms of associated cost the majority of Linux distributions are free. However some
distributions require a cost for updates or assistance related to specific needs such as OS modifications
for server hosting. In software, there is a package management system that automates the process
of installing, configuring, upgrading, and removing software packages from an OS. In the Linux OS
builds the most common package management systems are Debian, Red Hat Package Manager
(RPM), Knoppix, and netpkg. The most popular Linux distributions for mobile use are Android IOS
and Ubuntu.

Malware Attacks on Smartphone OS

Along with this, malware that targets smartphone
operating systems is constantly evolving. An example of this is seen with “Zeus-in-the-Mobile” (ZitMo), a
specific form of malware common to the Android operating system. ZitMo targeted Android users’
bank apps; it attempted to bypass the banking two-factor authentication, steal credentials and gain
access to users’ bank accounts, and ultimately money (Traynor, Ahamad, Alperovitch, Conti, & Davis,
2012). This is just one form of cyber attacks that IT professionals are trying to prevent from occurring.
Lastly, it is believed that mobile devices will be the new vector for targeting network and critical systems
(Traynor, Ahamad, Alperovitch, Conti, & Davis, 2012). According to the report, smartphones are
an excellent way to spread malware because phones are great storage devices. A hypothetical
example of a cyber attack against a company’s network is seen when malware is implanted in a
smartphone. For example, a clever cyber attacker can write code to remotely control wireless
connectivity technology and plant malware on the mobile phone. If that same phone is connected to a
corporate network, i.e. the user is charging the phone on the company’s computer; the malware can
now attack the company’s network. IT professionals want to prevent attacks like that from occurring
because the economic consequences of such an event would be catastrophic. Ultimately, it is imperative
that a national security standard is created for mobile devices in order to protect personal data.

The Android Platform

According to Shabtai, Fledel, Kanonov, Elovici, Dolev & Glezer (2010), Android is an
open-source application execution environment that includes an operating system, application
framework, and core applications. Android was designed and released originally by Android Inc. to
provide a user-friendly, open, and easy-to-use mobile-based development environment. This open-
source mobile development framework is user-centric because it provides a variety of developments,
tools, and features. However, this open-development feature also poses challenges to securing
sensitive user data and protecting users from malicious attacks, such as phishing applications that are
usually sent to users to trick them into providing their financial information and credentials while
accessing malicious websites that look the same as the legitimate banking sites. The Android
operating system was first released in October, 2008 by T-Mobile 1G, and soon major
telecommunications companies (such as T-Mobile) in both the U.S. and Europe adopted it because of its
rich capabilities exemplified by core applications (i.e., email, web browsing, and MMS), entertainment
features, and services, such as camera and Bluetooth. This has also led to Android’s popularity
amongst developers due to the open-source nature of Android, which
offers the capability of developing and programming rich applications at the lowest level of Android’s
operating system. Since its initial release in 2008, Android has undergone many releases, the last being
Android 2.2; this latest version of the Android platform brings many new and existing features and
technologies to make both users and developers productive. Some of the new services and
applications included in the new version aim at increasing speed (CPU is about 2-5 times faster),
performance, and browsing (using version 8 engine that provides 2-3 times faster java script heavy page
load). This new version also offers improved security features by allowing users to unlock their
device using a password policy and the ability to wipe data from devices in case of theft or loss.

The Android Security Model

Android is a multi-process system where each application (and parts of the
system) runs its own process. The standard Linux facilities enforce security between applications
and the system at the process level; those applications are assigned by users and group IDs.
Applications are restricted in what they can perform by a permission mechanism, called
permission labels, that uses an access control to control what applications can be performed. This
permission mechanism is fine-grained in that it even controls what operations a particular process can
perform (Shabtai et al., 2010). The permission labels are part of a security policy that is used to restrict
access to each component within an application. Android uses security policies to determine whether to
grant or deny permissions to applications installed on Android OS. Those security policies suffer from
shortcomings in that they cannot specify to which application rights or permissions are given
because they rely on users and the operating system to make that guess. They are therefore taking
the risk of permitting applications with malicious intentions to access confidential data on the phone.
Ongtang, McLaughlin, Enck, and McDaniel (2009) best described this security shortcoming by their
hypothetical example of “PayPal service built on Android. Applications such as browsers, email
clients, software marketplaces, music players, etc. use the PayPal service to purchase goods. The
PayPal service in this case is an application that asserts permissions that must be granted to the other
applications that use its interfaces” (Ongtang, McLaughlin, Enck, & McDaniel, 2009). In this
hypothetical scenario, it is unknown whether the PayPal application is legitimate or not because
there is no way to determine whether this is the actual PayPal service application or another malicious
program. Again, Android lacks security measures to determine and enforce how, when, where, and to
whom permissions are granted.

Android’s Permissions

Android uses permission mechanisms to
determine what users are allowed to do in applications; this is achieved via the manifest
permission that grants permissions to applications independently, which in turn, allows applications
to run independently from each other as well as from the operating system. This could be a good
security feature since the operations run by one application cannot interfere or otherwise impact
operations within other applications. For example, users sending email messages will not be allowed (by
default) to perform any
operation within an application (such as reading a file from another application) that could adversely
impact the email application. Applications achieve that using the “sandbox” concept, where each
application is given the basic functions needed to run its own process; however, if the sandbox does not
provide the needed functions to run a process, then the application can interfere with the operations of
another process and request the needed functions to run a process. This capability of allowing
applications to request permissions outside of their sandbox capabilities could be harmful to
Android smartphones because it opens a window of opportunity for malware to exploit the privilege of
accessing sensitive data on Android handsets and thus install malicious software (Vennon, 2010).

The Cyber Threat: A Seminar/Workshop for Business Management
What You Need to Know to Do What You Have to Do

This is a one-day seminar that gives business managers a sound introduction to the
realities of the threats of cyberattacks. It provides them with an understanding of what such attacks
mean to business and what they can do to support prevention, detection and, most important, business
recovery should such an attack occur. The class combines lecture with hands-on exercises. It focuses on
the organizational and cultural measures that will lead to a more secure business environment and
mitigation of the impact of cyberattacks.

Intended audience: Business Managers, Financial Executives,
Risk Managers, Internal Auditors, Security Professionals, Legal Counsel

Learning objectives: Participants in this seminar will learn:
• How the reality of cyberattacks fits into their business models
• How cyberattacks occur and what can be done to stop them
• The pros and cons of cybersecurity products in the marketplace
• Organization and governance of cybersecurity
• Building a culture of cybersecurity
• How to detect and recover from a cyberattack

Seminar outline:
A. Cyberattacks – Myth and Reality
   a. Different types of attack and response
   b. The scope of the problem
   c. Effects on business
   d. Shortfalls of existing organizational preparations
B. How the Threat of Cyberattacks Can Be Mitigated
   a. Basic Do’s and Don’ts
   b. Safeguards in place
   c. Potential weaknesses
   d. Secure architecture
   e. Attack vectors
C. Solutions in the Marketplace
   a. Cybersecurity products
   b. Insurance
D. Organization and Governance
   a. Board of Directors
   b. Computer Emergency Response Team (CERT)
   c. Crisis Management Team (CMT)
   d. Information Security
   e. Business Continuity Management
   f. IT functions
   g. Business functions
   h. Workshop exercise
E. Building a Culture of Cybersecurity
   a. Top Management’s role
   b. Creating a Cybersecurity Culture
   c. Workshop exercise
F. Cyberattack Detection
   a. Human factors
      i. Training and attentiveness
      ii. Presumption of a hostile environment
      iii. Dealing with false alarms
   b. Recognizing an attack is under way
      i. Signature recognition
      ii. Anomaly detection
   c. Heuristics
   d. Alerts, alarms and triggers
      i. Unusual volume
      ii. Slow response times
      iii. Unanticipated changes to software
   e. Statistical models
G. Cyberattack recovery
   a. Resources
      i. Trusted images
      ii. Clean storage environment
      iii. Recovery environment
         1. Recovery in place
         2. Standalone environment
   b. Planning
      i. Planning variables
      ii. Recovery timing
   c. Recovery steps
   d. Workshop exercise
H. Conclusion

Seminar logistics: This is a one-day seminar/workshop (8 CPE hours). Because of t
FinSAC: Cyber-Security/Preparedness Seminar
Summary: Concluding Remarks
F. Montes-Negret, FinSAC, Coordinator

The two-day “Regional Seminar on Cyber-Preparedness” held at the Austrian Federal Ministry of Finance (MoF) on May 18-19, 2015 brought to Vienna 65 Sr. officials from the central banks and supervisory agencies and ministries of finance from the region, as well as international experts from leading consulting firms, international banks, EU institutions (Europol, European Central Bank, European Commission, and the European Banking Authority) and the World Bank. The program (attached) was opened by Mr. Harald Waiglein, Director General of Economic Policy, Austrian Federal Ministry of Finance. The seminar had three main purposes: (1) to raise awareness, (2) to bring a regional perspective on cyber-security, and (3) to address the issue of cyber-threats from a stability perspective:

(1) Raising awareness regarding the risks, reputational and systemic costs, and the complexity of cyber-risks faced by banks and non-bank financial institutions (NBFIS), calling for action within central banks and regulatory agencies and beyond (governments and other stakeholders) to confront them, starting by examining approaches followed by countries with experience in the field (e.g. UK, USA, or Estonia), that can play a critical role not only in the protection of confidential information, but also in the speed of recovery from attacks;

(2) Bringing a regional perspective on cyber-security from the countries of Europe and Central Asia (ECA) based on a regional survey of 14 countries (based on FinSAC’s Working Paper # 2), making clear that no country is immune from cyber-threats and flagging two key factors: (a) that security threats do not follow the regulatory perimeter and that protective measures and information about cyber-attacks weaken as we move away from IT departments and from central banks; and (b) that we are confronted not only with an IT issue, but a governance issue, which must be dealt with by the Board of Directors of banks and NBFIs;

(3) Addressing the issue of cyber-threats from a stability perspective by looking at the importance of protecting key aspects of a country’s financial market infrastructures (FMIs).


Day 1: In his welcoming remarks, Mr. Waiglein aptly reminded the audience that one of the most recent banking crises in an EU country in the region and a run on bank deposits was precipitated by an e-mail sent by one of the parties in a dispute. So in an environment of extreme interconnectedness news disseminates very fast and can cause havoc in a few hours, putting, for justified and unjustified reasons, a party or a banking system at risk. Extreme caution, a q questions pointed to the importance of continuing the good work IT Departments are doing but also increasing the investment in training and education. From an infrastructure perspective the importance of redundant capacity of FMIs, particularly payment systems, was highlighted. However, the answers especially emphasized that governance and cyber-preparedness, including quick and smart communication policies, are key issues. It seems clear from the responses received that risks do not end where the walls of central banks and supervisors end. Although it is important to emphasize cyber-risks as key operational risks for the functioning of a market economy, it is important to step up the collection and exchange of information among multiple stakeholders and the importance of private-public partnerships.

The presentation of Europol highlighted the challenges and achievements as regards law enforcement in the field of cybercrime. Europol expects an increase in the size, scope and sophistication of cyber threats and the emergence of new attack vectors, posing new challenges for law enforcement in the near term (2015-16). Direct attacks against financial institutions will increase and well-structured and globally active Organized Criminal Groups will continue to dominate payment card fraud in the EU.

The International Chamber of Commerce (ICC) informed about the newly issued Cyber Security Guide for Business aimed at making its members (about 6 million) of 90 National Committees aware of the risks and offering them a guide to mitigate their cyber risks. ICC believes that cooperation of businesses and the public sector is essential to mitigate cyber risk in society and that businesses of all sizes need to develop and nurture key organizational capabilities to manage cyber security.

The European Commission introduced their proposal for a Directive on Network and Information Security (NIS), which is currently under negotiation between Council, the European Parliament, and the European Commission and will also affect the financial sector. A regulatory initiative, launched in 2013 by the European Commission, contains legal measures and incentives aiming at making the EU's online environment secure and strengthening preparedness, cross-border cooperation and information exchange. The Directive proposes steps to the system operators of critical infrastructures to manage security risks and report serious cyber incidents with significant impact to competent authorities.

The International Telecommunication Union (ITU) brought important information of the United Nations' initiatives under implementation. ITU's Global Cybersecurity Agenda (GCA) is designed for cooperation and efficiency, encouraging collaboration with and between all relevant partners, and building on existing initiatives to avoid duplicating efforts. GCA builds upon five pillars: Legal Measures, Technical and Procedural Measures, Organizational Structure, Capacity Building, and International Cooperation. Based on these areas the ITU published the Global Cybersecurity Index (GCI), which aims to measure the level of commitment of each nation in cybersecurity. Finally, ITU referred to National Initiatives (NIs) under development.

ITU's global overview was followed by deep dives into two select country cybersecurity strategies, namely Austria and Estonia. Estonia is a highly digitalized economy in which 99.8% of bank transactions are effected electronically; it introduced a national e-ID in 2002 and voting via internet in 2005. After falling victim to a major cyber-attack, Estonia introduced a Cyber Security Strategy in 2008, which was refined in 2014. Due to the fact that government services depend heavily on private sector providers, Estonia considers cybersecurity as a joint private and public sector effort.

The discussion moved to what major international banks and financial infrastructures are doing in this area to confront the challenges. The cases of Citi, CLS Bank International, MasterCard, and EBA Clearing and their diverse sets of risks and responses were discussed in detail (see presentations). EBA Clearing, for example, is considering the introduction of a separate 'cyber resilience framework', which would enable us to create a specific cyber threat model and assess the current level of cyber resilience of all relevant stakeholders. MasterCard is subject to biannual reviews by the Federal Financial Institution Examination Council (FFIEC) and performs external penetration testing quarterly.

Day 2: The second day emphasized the systemic nature of cyber-threats, focusing on the threats to the FMI. One of the many highlights of the second day was an outstanding panel session led by Mr. Massimo Cirasino, Practice Manager from the World Bank, with three panelists from the European Central Bank, the US Federal Reserve System, and Banca d'Italia, in which cyber-threats to FMIs were examined largely from a central banking perspective, focusing on the centralization of risks, the lack of payment alternatives and the search for systemic solutions to the systemic risks faced. The participants became aware of the CPMI report on Cyber Resilience and detailed aspects, like the importance of maintaining settlement finality, highest reliability in processing, business continuity and fast recovery (aiming for a two-hour recovery after a major successful attack/event), and a resilient market infrastructure (resistant, reliable and flexible with the concept of cyber-agility). One of the participants emphasized the importance of following a zero-trust approach and the importance of simplicity, not fighting the prior war. Cyber-preparedness is a team sport in which cooperation (not trust) is critical.

Cyber-security threats to the financial industry were the topics explored by the speaker from the European Banking Association and UniCredit Bank Austria, in which active defense, communication and training play an important role. The Global LEI Foundation (GLEIF), which serves as the operational arm of the Global Legal Entity Identifier System (GLEIS) and supports on a not-for-profit basis the implementation and use of the Legal Entity Identifier (LEI) for legally distinct entities that engage in financial transactions. Cryptosense, Cybercrime Research Institute, MWR Infosecurity, and Sicherheitskultur.at provided invaluable practical insights into the nature of attacks and possible mitigation measures. Encryption of messages and transactions plays an increasing role in prevention (Cryptosense), as well as the importance of the penetration studies being undertaken by financial and non-financial institutions.

The second day ended with a presentation from the Dutch Bankers Association, emphasizing the importance of banks understanding that they do not compete on security and the importance of various industry task forces to enhance cooperation.

Participants were kind enough to assess the effectiveness and usefulness of the two-day seminar and give us ideas about possible future events of this kind. Based on the evaluation results, attendees were highly satisfied with the event (preparation and content delivery was rated 4.8 out of 5, facility 4.9, and speakers 5.0). Two thirds would welcome similar events to take place annually, one third even semi-annually. We hope that the Seminar will help participants in their work and that they took home some new ideas and initiatives about the importance of cyber-preparedness. FinSAC would like to thank the speakers for their excellent contributions and stands ready to continue supporting country efforts in this important area.
