Cybersecurity at the CSTIC 2017 Congress: Be Secure

Cybersecurity

After the round of illustrative sessions on agility, transformation and Lean management that I summarize as people, people and people, Cybersecurity enters the scene! We are at the CSTIC 2017 Congress organized by the Spanish Quality Association (AEC) under the slogan “Be Agile. Be digital. Be Secure«.

All attendees are with cybersecurity on the surface after the ups and downs of the major ransomware surge. Fertilized land for the speakers, starting with Félix Antonio Barrio as Manager of Industry, Talent and R&D support at INCIBE. A charge that is a declaration of intent.

The change in orientation of this body materialized at the end of 2014 with the launch of the National Cybersecurity Institute of Spain, SA (INCIBE) offers us the luxury of having a benchmark public body in cybersecurity. So that we all have a clear image of the benefits it brings us, Félix gave us an accurate summary of its scope of action:

INCIBE What do we do?

Cybersecurity services: Awareness, detection, analysis, response.
Cybersecurity technologies: Cybercrime detection tools, fight against cybercrime and cybercrime.
Support for the development of the industry, R + D + i and talent: Development of the national industry, promotion of R + D + i, promotion and identification of talent.

INCIBE What do we do?

How can it be otherwise, throughout his speech Félix insists on the mantras of information security:

Take care of the configuration and use of email (INCIBE Decalogue)
Safe Practices Awareness (INCIBE awareness kit)
Minimum level access procedures to systems
Equipment audit / inspection and backup system

Solidarity in sharing defensive knowledge in cybersecurity

With the numbers in hand he explains that Spain is regularly among the five most attacked countries in the worldIn other words, we are not doing it wrong but we must continue working to consolidate cybersecurity by raising awareness and promoting talent: other people!

INCIBE How do we help you with cybersecurity?

Safe Internet 4 Kids

Logo is4k - Safe Internet 4 Kids

Safe Internet For Kids (IS4K) is a Internet Safety Center for Minors aimed at raising awareness and advising minors and their environment so that they can take advantage of new technologies without taking risks.

Talent Promotion

INCIBE Events promotion cyber talent

In addition to the promotion activities, such as CyberCamp (dissemination), CyberEx (maneuvers) or the Cybersecurity Summer bootcamp (training), work is also being done to consolidate a network of Centers of Excellence in cybersecurity and to promote research through the National Cybersecurity Research Conference.

Protect your business

INICBE Protect your company

A web space in which we have all the good know-how of INCIBE concentrated and at our disposal.

https://www.incibe.es/protege-tu-empresa

Excellent!

He then took over Jesús Cabrera as CEO at ILIFE Security. Its objective was to raise awareness because ...

WE ALL HAVE COMPETITION,
WE ARE ALL TARGETED.

To reinforce his message, he dissected for us the motivations, modus operandi and consequences surrounding Football Leaks. Thus, starting from a clear economic motivation (specifically, profit in bitcoins), Jesús explained to us that the attack methods used were carefully adapted after studying their objective. Finally, a backup copy at the address of the CEO of the target company was the attacked data, reaching them through emails impersonating identities ("phishing") sent just before a holiday in order to have time to exfiltrate the information using mechanisms of the deep internet ("Deep Web"). Colorin colorado, your data has flown.

Can we consider it an isolated case? Thinking that our information is not valuable to someone is the biggest and main security mistake.

Given that it seems that we have everything to lose, it was up to Agustín Solís as head of the cybersecurity business in Spain at Thales Sistemas de Seguridad present us the last bastion to defend:

Data, the asset to protect
(at all costs)

When all the other controls have failed, we have to put the last barrier in accessing the data. But in addition, the new European standards for data protection (GDPR) oblige companies operating in Europe to take an active role in the security of their information system.

An active role means, for example, that they are obliged to analyze the risk of known threats, establish security procedures, measure the effectiveness of the security measures adopted and, in particular, inform all those potentially affected by security breaches. the same.

Living up to these obligations will be very difficult if we do not align our treatment of information beforehand. The preventive medicine that Agustín Solís recommends is #cryption. That simple, that demanding.

Without a doubt, we will need help. At Thales they propose Vormetric as their answer to this demand and this is how they sell it to us:

Easy-to-implement, transparent full encryption.
Separation of roles.
Audit and registry for forensic analysis.
Centralized management of cryptographic keys.

Subject data, keep under seven keys, seen. We now focus our attention on security in the development of software applications by the hand of Ramiro Carballo as Director at CAELUM. A challenge.

BSIMM - Building Security In Maturity Model
Unplugged !

Ramiro's approach is to establish a framework of activities that guide the effort to improve the security of the software product delivered. How do we start from the expectation of safe software as expected value we have to work on security during the construction of the software because we seek to improve an intrinsic characteristic, that is, something that happens before finishing the final product (more detail in cost-effective quality from Masa K Maeda).

So that our effort is not blown away by the wind, Ramiro proposes that we establish a target level according to the BSIMM Model for Software Security Maturity (Building Security In Maturity Model). Thanks to the BSIMM model and its 12 practices, we will know where we are and how we can improve. Wow! One less excuse.

As a culmination, when we feel that we lack oxygen due to the anxiety of mitigating the risks derived from cyber threats that can paralyze our business, we have the proposal of Javier Huergo as Head of Assurance at Watch and Act Protection Services.

Facing the cyber cancer of our century
Get cyber insurance!

According to Javier Huergo, Spanish companies lose an average of 1,3 million euros per year in cyberattacks. Assets at risk include the reputation of the company, its brand, or even the usurpation of its identity. Like any insurance, it is about establishing hedges aligned with the value of our business assets.

An interesting icing on the cake for an intense round on Cybersecurity that once again has a strong impact on the need to involve everyone in our organization, because ...

We are all safety.

Finally, I want to thank the hard-working of this AEC CSTIC 2017 Congress for such a full day, the result of their obsessive (and contagious) vocation for continuous improvement in aspects of Quality delivered in Information and Communication Systems and Technologies.

Let's
"Be Agile. Be Digital. Be Secure »,
my friend

CSTIC17 Congress

Miguel Ángel Nicolaus

Miguel Ángel is CIO, Director of Innovation and co-founder of Panel Sistemas. Follow @ mnicolao11 on Twitter, or visit their profile at Analysis. You can also contact him via e-mail at this address.