Security Summit - C&D Piazzese - v1

IT Security: just compliance or a business need? The concrete experience of database security

Rosario Piazzese, Executive Manager Codd&Date Suisse, Governance, Risk, Compliance, Assurance & Security, Codd&Date Group Competence Center Director

Milan, 15 March 2016


Company Introduction


CODD&DATE

Since 1985, CODD&DATE has offered management consulting services in Governance, Risk, Compliance, Assurance and Security to support the Operational Engine (Organization, Back Office, ICT, etc.) of Financial Institutions.

Consulting means staying close to customers to design, supervise and ensure the maximum performance of each operational strategy.

Services:

• IT Strategies & Governance

• Project Management

• IT Governance, Risk, Compliance, Audit & Security

• IT & Data Architectures

• IT Security, Design & Architecture

• Payments Architectures & Consulting

Since 2013, CODD&DATE has been part of the Vipera Group, a company specialized in payment services with a strong international presence, based in Milan and listed on the London Stock Exchange.


CODD&DATE for Security

Compliance

Governance & Risk Mgmt

Assurance & Security

Management Models

Organizational Models

BPM Models

IT Governance, Strategies and Design

Covering:

• Constant uptime of the IT operational engine and relevant components (Business Continuity)

• Technical choices to avoid vulnerability (Cyber Security, Information Security, Security By Design)

BUSINESS AS USUAL

Rules Scenario

| Compliance | Individual Rights | Security Measures | Best Practices |
| --- | --- | --- | --- |
| SEPA2 (Single Euro Payments Area) | Information Availability | CIA; Data Governance (ISAE 3000) | Need to know |
| MiFID II (Markets in Financial Instruments Directive) | Information Availability; Data Privacy | CIA; Data Protection | Segregation of duty; Need to know |
| PSD2 (Payment Services Directive) | Information Availability; Data Privacy | CIA; Data Protection | Data Governance; Need to know; Segregation of duty; Defense in depth |
| GDPR (General Data Protection Regulation) | Data Privacy | Data Protection | Data Governance; Need to know |
| NIS (Network Information Security) | Information Availability | CIA | NIS |
| Cyber Security | Information Availability; Critical Infrastructure Protection | CIA; IoT | Data Governance; Need to know; Defense in depth |
| Privacy Shield | Data Privacy | Data Protection | Data Governance; Need to know |
| Cloud Security | Information Availability; Critical Infrastructure Protection | CIA; IoT | Data Governance; Need to know; Defense in depth |

Individuals vs Systemics

(Diagram: Individual Rights vs Systemic Defenses)

Compliance & Digitalization

Digital & New Rules Trends

Regulations in the digital trend: PSD2, SEPA2, MiFID II, NIS (Network)

Drivers: brokerage elimination and cross-border impact; cross-border electronic payments integration; extra-banking coverage, governance model, 24/7 operation

DIGITALIZATION

Digital Scenario

• Cloud

• Mobile

• Big Data & Business Analysis

• Digitalization

(IDC Banking Forum 2016)

Technology, Data, Security & Digital

• Data Governance

• Data protection: privacy vs availability

• CIA

• New trends: clustering, profiling, predictive marketing

• Access: segregation vs privacy

DIGITALIZATION

Services


CODD&DATE for Security

Compliance: operational impacts evaluation

Governance & Risk Mgmt: SSAM & IT Risk Evaluation Matrix

Assurance & Security

Management Models: CIO, CSO and COO Advisory

Organizational Models: e.g. ISO 2700x, COBIT

BPM Models: Process Security by Design (BPN)

IT Governance, Strategies and Design (Security Requirements)

Covering:

• Constant uptime of the IT operational engine and relevant components (Business Continuity Plan, Service Continuity, Disaster Recovery)

• Technical choices to avoid vulnerability (NIS & CISA Requirements and Design, Vulnerability Models, CVSS)

BUSINESS AS USUAL

IT Solutions:

• Mobile management

• BC/DR

• Vulnerability

• GRC

• Payment Security

• App Security


Contacts


Locations

MILANO (Operational HQ): Via Pietrasanta n. 14, 20141 Milano

SAN MARINO: Via 4 Giugno n. 39/B, 47899 Serravalle (RSM), COE SM 23384

BERLIN

SWITZERLAND: Via Maggio, 1C – 6900 Lugano; Bahnhofstrasse, 100 - 8001 - Zürich

LONDON (PLC HQ)

STOCKHOLM

Contacts


Rosario Piazzese

Codd&Date Suisse Executive Manager

Codd&Date Group GRCAS Division Director

[email protected]

+41 78 8116090

+39 349 3990794

https://ch.linkedin.com/in/rpiazzese

Codd&Date

Via Pietrasanta 14

20141 Milano - IT

+39 02 87393631

[email protected]

www.codd-date.it

Codd&Date Suisse

Via Maggio, 1C – 6900 Lugano – CH

Bahnhofstrasse, 100 - 8001 – Zürich – CH

+41 91 2601609

+41 44 562 7177

[email protected]

www.codd-date.ch

Common Vulnerability Scoring System – Training for professionals

Luca Allodi, DISI - Università degli Studi di Trento

Digitalization, compliance and software risk management

– US Cyber Security Order (Press release Feb 2013)

• “NIST will work collaboratively with critical infrastructure stakeholders to develop the framework relying on existing international standards, practices, and procedures that have proven to be effective”

– U.S. NIST SCAP Protocol v1.2 (Draft Jan 2012)

• “Organizations should use CVSS base scores to assist in prioritizing the remediation of known security-related software flaws based on the relative severity of the flaws.”

– PCI-DSS v2 (June 2012)

• “Risk rankings should be based on industry best practices. For example, criteria for ranking ‘High risk’ vulnerabilities may include a CVSS base score of 4.0 or above”

– U.S. Government Configuration Baseline (USGCB)

• Supported by the industry → Rapid7, Telos, VMware, Symantec, Qualys, Retina, etc.

CVSS and Vulnerability measurement

• Many different types of software vulnerabilities

– Buffer overflows → the attacker can execute arbitrary code on the attacked system

– XSS, CSRF → loss of data confidentiality and integrity

– Privilege escalation → the attacker gains privileges on the system

– …

• The process of prioritizing mitigations is central

– Best practice widely shared across the industry: patch the most severe ones first

→ Common Vulnerability Scoring System (CVSS)

– The standard for vulnerability severity measurement and prioritization, adopted worldwide

CVSS evaluations – the assessor’s activity


CVSS – History

• CVSS v1 introduced in 2004 (First.org)

– The industry shows interest

– Not peer-reviewed, improvements planned

• CVSS v2 bootstrapped in 2005, released in 2007

– Peer-reviewed, industry feedback

– CVSS becomes the de-facto standard for vulnerability scoring

• CVSS v3 bootstrapped in 2012, released in June 2015

– Building on v2, it implements several changes

• Scope, Impact measurements, Attack Complexity, User Interaction, ..

– Reported in official bulletins since December 2015, already in use in several organizations

Università degli Studi di Trento → CVSS Training

• UniTn is an “authoring member” of the First.org consortium for the definition of CVSS

• Several scientific research activities on vulnerability measurement and prioritisation

• The Università degli Studi di Trento offers one-day training sessions to groups of interested professionals and companies.

– The training takes place within a scientific research project aimed at identifying possible points for refinement of the standard.

• The training day includes

– Presentation of CVSS v3

– Description of the metrics and their new definitions

– In-depth discussion of their use, with examples

– Collective scoring exercise on a sample of vulnerabilities

– Individual scoring exercise on a set of vulnerabilities

– Final discussion

Contacts

• If interested, you can contact

– Luca Allodi → [email protected]

– Fabio Massacci → [email protected]

– Marco Cremonini → [email protected]

– Rosario Piazzese → [email protected]

• We are available at the Oracle Community for Security stand for any clarification

http://securitylab.disi.unitn.it

THANK YOU