EAPC / PFP Workshop
Zurich, September 23, 2005 Prof. Dr. Bernhard M. Hämmerli Page 2
Vulnerabilities
Whatever its cause, critical service disruption shall
- only occur infrequently
- impact only a small area
- have a short duration
- have only limited impact
- be a continuously managed & controlled process
Vulnerabilities
Something is vulnerable if it can be exploited by a threat.
A vulnerability is a “place” that is
- especially prone to threats
- where damage can easily occur / has serious consequences
- easily “accessed” / difficult to protect
- from where damage can spread
- understand threats, and that threats can only hook into vulnerabilities
- understand vulnerabilities, and threats that are not well mitigated
- understand human intent, and its deliberate risk
Vulnerabilities and Risks
Risk = Probability x Damage [$], for each vulnerability
ICT is a Local and a Global Issue
Example 1: 150 Fiber connections are cut!
Angle Grinder, August 2005, Switzerland
Concrete slab
Fiber cable
approx. 250 connections
Dependency and Vulnerability
Bancomat
POS
Fuel pump terminal
Account-holding banks
5400 cash dispensers at financial institutions
89‘000 POS terminals at department stores, supermarkets, petrol stations, etc.
Day before Christmas 2000
300 Billion SFr. per diem
Impact of ICT Vulnerabilities on Banks
Key figures 2005
- 321 participants
- 800‘000 Tx / day
- 300 billion CHF / peak day
[Diagram labels: remoteGate; SIS (Sega Intersettle); SWX (Börse Schweiz); Postfinance; SNB (Schweizerische Nationalbank); CLS (Continuous Linked Settlement); service bureau; interbank products; banks]
European CIIP R&D by Sector
[Bar chart, scale 0 to 9, by sector:]
4. Transportation
2. ICT services
8. Emergency/security services
1. Energy sector
9. Governmental services
5. Health care
10. High risk industries
3. Financial Services
6. Water management
7. Food management
Expenses for Countermeasures
Expenses for IT Security III: Dollar Amount of Losses by Type
Reported Incidents
Vulnerability Types vs. Year
- Intranet incidents are a topic of InfoSec as well
- Viruses and malware are in second place
- Mobile incidents grow rapidly
- Generally, all incidents are decreasing. The cause is unclear; it might be good prevention.
Some Facts about dealing with ICT Vulnerability
- Computer Zeitung (D): In 2010, 90% of US corporations will have IT security outsourced.
- The incidents decrease; the complexity and the damage increase.
- The complexity of IT security is far beyond the capabilities of SMEs. The tendency for the future will enlarge this gap.
- From a US DoD study: The complexity of attacks will increase considerably.
- Modern malware distributes itself over the whole world within a few minutes. Which enterprise can build a service with an adequate reaction time every day, day and night? (Alternative scenario: Business Continuity Planning, BCP)
- Current trend: More and more intranet users are involved in attacks. Intranet monitoring must absolutely be an additional topic alongside the existing perimeter security.
- Even with outstanding IT security, corporations do not have information security. Trend: holistic security. Common security management for all threats.
- The facts can be downloaded from: http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2004.pdf
Preparing for Incidents
Questions