Security Summit - C&D Piazzese - v1
IT Security: just compliance or a business need? The concrete experience of Database security
Rosario Piazzese, Executive Manager Codd&Date Suisse, Governance, Risk, Compliance, Assurance & Security, Codd&Date Group Competence Center Director
Milano, 15 March 2016
CODD&DATE
CODD&DATE has offered management consulting services since 1985 in Governance, Risk, Compliance, Assurance and Security, supporting the Operational Engine (Organization, Back Office, ICT, etc.) of Financial Institutions.
Consulting means being close to the customers to design, supervise and ensure the maximum performance of each operational strategy.
Services:
• IT Strategies & Governance
• Project Management
• IT Governance, Risk, Compliance, Audit & Security
• IT & Data Architectures
• IT Security, Design & Architecture
• Payments Architectures & Consulting
Since 2013, CODD&DATE has been part of the Vipera Group, a company specialized in payment services, with a strong international presence, based in Milan and listed on the London Stock Exchange.
CODD&DATE for Security
Service areas: Compliance; Governance & Risk Mgmt; Assurance & Security
• Management Models
• Organizational Models
• BPM Models
• IT Governance, Strategies and Design
Covering:
• Constant uptime of the IT operational engine and relevant components (Business Continuity)
• Technical choices to avoid vulnerability (Cyber Security, Information Security, Security By Design)
BUSINESS AS USUAL
Rules Scenario
Compliance | Individual Rights | Security Measures | Best Practices
SEPA2 (Single Euro Payments Area) | Information Availability | CIA | Data Governance (ISAE 3000), Need to know
MiFID II (Markets in Financial Instruments Directive) | Information Availability, Data Privacy | CIA, Data Protection | Segregation of duty, Need to know
PSD2 (Payment Services Directive) | Information Availability, Data Privacy | CIA, Data Protection | Data Governance, Need to know, Segregation of duty, Defense in depth
Rules Scenario (continued)
Compliance | Individual Rights | Security Measures | Best Practices
GDPR (General Data Protection Regulation) | Data Privacy | Data Protection | Data Governance, Need to know
NIS (Network Information Security) | Information Availability | CIA | NIS
Cyber Security | Information Availability, Critical Infrastructure Protection | CIA, IoT | Data Governance, Need to know, Defense in depth
Privacy Shield | Data Privacy | Data Protection | Data Governance, Need to know
Cloud Security | Information Availability, Critical Infrastructure Protection | CIA, IoT | Data Governance, Need to know, Defense in depth
Digital & New Rules Trends
Rules: PSD2, SEPA2, MiFID II, NIS, Network
Trends:
• Brokerage elimination, cross-border impact
• Cross-border electronic payments integration
• Extra banking coverage, governance model, 24/7 operation
DIGITALIZATION
Technology, Data, Security & Digital
• Data Governance
• Data protection: privacy vs availability
• CIA
• New trends: clustering, profiling, predictive marketing
• Access: segregation vs privacy
DIGITALIZATION
CODD&DATE for Security
• Compliance: operational impacts evaluation
• Governance & Risk Mgmt: SSAM & IT Risk Evaluation Matrix
• Assurance & Security
• Management Models: CIO, CSO and COO Advisory
• Organizational Models: e.g. ISO 2700x, COBIT
• BPM Models: Process Security by Design (BPN)
• IT Governance, Strategies and Design (Security Requirements)
Covering:
• Constant uptime of the IT operational engine and relevant components (Business Continuity Plan, Service Continuity, Disaster Recovery)
• Technical choices to avoid vulnerability (NIS & CISA Requirements and Design, Vulnerability Models, CVSS)
BUSINESS AS USUAL
IT Solutions:
• Mobile management
• BC/DR
• Vulnerability
• GRC
• Payment Security
• App Security
Locations
• MILANO, Operational HQ: Via Pietrasanta n. 14, 20141 Milano
• SAN MARINO: Via 4 Giugno n. 39/B, 47899 Serravalle (RSM), COE SM 23384
• BERLIN
• SWITZERLAND: Via Maggio, 1C, 6900 Lugano; Bahnhofstrasse 100, 8001 Zürich
• LONDON, PLC HQ
• STOCKHOLM
Contacts
Rosario Piazzese
Codd&Date Suisse Executive Manager
Codd&Date Group GRCAS Division Director
+41 78 8116090
+39 349 3990794
https://ch.linkedin.com/in/rpiazzese
Codd&Date
Via Pietrasanta 14
20141 Milano - IT
+39 02 87393631
www.codd-date.it
Codd&Date Suisse
Via Maggio, 1C – 6900 Lugano – CH
Bahnhofstrasse, 100 - 8001 – Zürich – CH
+41 91 2601609
+41 44 562 7177
www.codd-date.ch
Common Vulnerability Scoring System: Training for professionals
Luca Allodi, DISI - Università degli Studi di Trento
Digitalization, compliance and software risk management
– US Cyber Security Order (Press release Feb 2013)
• "NIST will work collaboratively with critical infrastructure stakeholders to develop the framework relying on existing international standards, practices, and procedures that have proven to be effective"
– U.S. NIST SCAP Protocol v1.2 (Draft Jan 2012)
• "Organizations should use CVSS base scores to assist in prioritizing the remediation of known security-related software flaws based on the relative severity of the flaws."
– PCI-DSS v2 (June 2012)
• "Risk rankings should be based on industry best practices. For example, criteria for ranking 'High risk' vulnerabilities may include a CVSS base score of 4.0 or above"
– U.S. Government Configuration Baseline (USGCB)
• Supported by the industry → Rapid7, Telos, VMware, Symantec, Qualys, Retina, etc.
CVSS and Vulnerability measurement
• Many different types of software vulnerabilities
– Buffer overflows → the attacker can execute arbitrary code on the attacked system
– XSS, CSRF → loss of data confidentiality and integrity
– Privilege escalation → the attacker acquires privileges on the system
– …
• The process of prioritising mitigations is central
– Best practice widely shared in the industry: patch the most severe ones first
→ Common Vulnerability Scoring System (CVSS)
– Standard for vulnerability severity measurement and prioritization, adopted worldwide
CVSS – History
• CVSS v1 introduced in 2004 (First.org)
– The industry shows interest
– Not peer-reviewed, improvements planned
• CVSS v2 bootstrapped in 2005, released in 2007
– Peer-reviewed, industry feedback
– CVSS becomes the de-facto standard for vulnerability scoring
• CVSS v3 bootstrapped in 2012, released in June 2015
– Based on v2, implements several changes
• Scope, Impact measurements, Attack Complexity, User Interaction, ..
– Reported in official bulletins since December 2015, already in use in several organisations
Università degli Studi di Trento → CVSS Training
• UniTn is an "authoring member" of the First.org consortium for the definition of CVSS
• Several scientific research activities on vulnerability measurements and prioritisation
• The Università degli Studi di Trento offers a one-day training to groups of professionals and interested companies.
– The training takes place within a scientific research project aimed at identifying possible points of improvement of the standard.
• The training day includes
– Presentation of CVSS v3
– Description of the metrics and their new definitions
– In-depth discussion of their use, with examples
– Collective scoring exercise on a sample of vulnerabilities
– Individual scoring exercise on a set of vulnerabilities
– Final discussion
Contacts
• If interested, you can contact
– Luca Allodi → [email protected]
– Fabio Massacci → [email protected]
– Marco Cremonini → [email protected]
– Rosario Piazzese → [email protected]
• We are available at the Oracle Community for Security stand for any clarification
http://securitylab.disi.unitn.it