Information On Cyber Threats and Risks 20160331

Information on cyber security
threats and risks

Content
1. Cyber security trends, threats and risks

2. The underground cybercrime
3. NBG Group initiatives
4. New regulatory requirements for cyber risk self-
assessment
5. Where we are and where we go?
Cyber security trends, threats and risks
Environment:
• Expanding global digital economy: 2-3 trillion

USD
• 5 billion devices connected online in 2015, 25
billion in 2025
Environment: Rapid growth of online transactions

• Cybercrime: crime performed through computers

and telecommunication networks like internet
• High gain with low risks to the criminals
• Main risks:
• Data leakage
• Financial damages
• Compromised data integrity
• Denial of service
Conclusion of the Internet Security Alliance (ISA) , the

American National Standards Institute (ANSI):
The single biggest risk involving cybersecurity

is ignorance and misunderstanding!
Cybersecurity has historically been looked at as a cost. ISA

believes that increasingly it has to be looked at as an
investment:
Greater trust = Stronger brand = Higher sales
Enemies:
• Outside Intruder (Hacker)
• Insider with malicious intent

Countermeasures:
• Background checks in recruitment

• Raise awareness
• Control access
• Invest in cyber security
• Manage social networking
• Discipline bad behavior
• Beware of vulnerability especially from IT and former
employees
• Annual loses due to cybercrime:

• 200 billion USD (10-20% of the total digital
revenue) currently
• 3 trillion USD in 2020
• Cybercrime is a tax on innovation, slows down
the business slow down and reduces the ROI
• Most of the companies are not aware or do
not report losses from cybercrime
• Recent case in Croatia:

• March – May 2014, 100 e-banking users
(corporations and individuals) were target
of cybercrime
• 190 unauthorized transactions, 15
successful, 220.000 EUR financial damage
• The regulation and the e-banking security
measures in Croatia are very similar to ours.
• This case triggered the latest regulatory
initiative of NBRM
• Post-attack (regulatory) changes in Croatia:

• New security measures for transaction monitoring
(additional or double verification, etc)
• Customer training
• Additional measures for identity management
(smart cards, additional OTP tokens)
• Changes of agreements with customers (the loss
will be covered by the bank)
• Raising awareness about security
• Information sharing for cyber attacks within the
financial sector.
• Post-attack (regulatory) changes in Croatia:

• Types of hackers based on motives:
• White Hat Hackers: These are the good guys, ethical

hackers, computer security experts who specialize in
penetration testing and other methodologies to ensure
that a company’s information systems are secure.
• Black Hat Hackers: These are the bad guys. Their
motivation is generally to get paid.
• Script Kiddies: Use borrowed programs to attack
networks and deface websites in an attempt to make
names for themselves.
• Hacktivists: motivated by politics or religion, revenge,

or entertainment.
• State Sponsored Hackers: It’s all about controlling
cyberspace. State sponsored hackers have limitless time
and funding to target civilians, corporations, and
governments.
• Spy Hackers: Corporations hire them to infiltrate the
competition and steal trade secrets.
• Cyber Terrorists: motivated by religious or political
beliefs, attempt to spread fear, chaos, terror and commit
murder by disrupting critical infrastructures. Cyber
terrorists are by far the most dangerous.
The underground cybercrime
Threats:
• SPAM
• Phishing
• Social Engineering
• IP Infringement
• Unauthorized access
• Malware
• Fraud
• Deep Web are the parts of the internet that cannot

be indexed by traditional search engines.
• The Deep Web has between 400 and 550 times more
public information than the public Web.
• More than 200,000 Deep Web sites currently exist.
• 550 billion documents are estimated to be found on
the Deep Web
• The Deep Web is accessed with tools like Tor browser.
NBG Group Initiatives
• Assessments / questionnaires:
• 2010 - Security self assessment

• 2011 - ISO 27001 assessment
• 2014 - Security systems data gathering
• 2015 - Cybercrime questionnaire
• 2016 - Fraud prevention questionnaire
• Workshops:
• 2010 - Security Workshop Sofia

• 2014 - Workshop for information security tool
Information security policy:
• 2012 - Policies and standards v1.00

• 2015 - Policies and standards v2.00
• 2016 - NBG Group Information Systems
Security Architecture
2014 - Appointment of Chief Information Security

Officer (CISO) of NBG Group
New regulatory requirements for
cyber risk self-assessment
• NBRM announced a mandatory tool for self-assessment of the
inherent cyber risks and levels of readiness
• Questionnaire divided into three levels of readiness:

• Basic (126 controls)
• Intermediate (120 controls)
• Advanced (98 controls)
• Inherent level of risks of SB has been determined as

moderate.The suggestion from NBRM is to fulfill Intermediate
Level of readiness in the next 3 years.
Where we are and where we go?
• Currently in place:
• Many security controls

• Many audit trails
• Protection of inside and outside perimeters, regular penetration tests
• Access control
• Intrusion detection software
Key issues:
• Complexity constantly increases

• Legacy systems
• Suboptimal size of IT team
• Extended user access to systems / data
• Lack of many security related processes and resources,
noncompliance (PCI-DSS)
• We are currently working on:
• Improvement of the internal perimeter

• Upgrade of workstations, network and local systems
• Central management of workstations and systems
• Endpoint protection
• Management of mobile devices
• Improvement of the external perimeter

• Planning firewall upgrades
• Improvement of web and email filtering
• Services from information security providers
• Key mid-term goals:
• Improve processes, training and awareness

• Network access protection system, prevent unauthorized
devices
• Improve log management system
• Real time notifications for security incidents
• Active response
• Digital threats management system
• User behavior analysis system

Information On Cyber Threats and Risks 20160331

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Information On Cyber Threats and Risks 20160331

Uploaded by

Copyright:

Available Formats

Information on cyber security

threats and risks

1. Cyber security trends, threats and risks

• Expanding global digital economy: 2-3 trillion

Environment: Rapid growth of online transactions

• Cybercrime: crime performed through computers

Conclusion of the Internet Security Alliance (ISA) , the

The single biggest risk involving cybersecurity

Cybersecurity has historically been looked at as a cost. ISA

• Outside Intruder (Hacker)

• Insider with malicious intent

• Background checks in recruitment

• Annual loses due to cybercrime:

• Recent case in Croatia:

• Post-attack (regulatory) changes in Croatia:

• Post-attack (regulatory) changes in Croatia:

• Types of hackers based on motives:

• White Hat Hackers: These are the good guys, ethical

• Hacktivists: motivated by politics or religion, revenge,

• Deep Web are the parts of the internet that cannot

• 2010 - Security self assessment

• 2010 - Security Workshop Sofia

Information security policy:

• 2012 - Policies and standards v1.00

2014 - Appointment of Chief Information Security

• Questionnaire divided into three levels of readiness:

• Inherent level of risks of SB has been determined as

• Many security controls

• Complexity constantly increases

• We are currently working on:

• Improvement of the internal perimeter

• Improvement of the external perimeter

• Key mid-term goals:

• Improve processes, training and awareness

You might also like