
The extremes are attracting each other

Calin Rangu

25th of May, 2009

Cyber-security Conference

Bucharest

Agenda

History and Present: IIRUC Service and R-IT

Cyber-security: the real dimension

The public-private partnership

Cyber-security centers – integrated universe

Proposed measures and standards

What IIRUC Service can do?

History and Present

1968: the original IIRUC company was established

1991: IIRUC-SA was registered as a shareholding company out of the original IIRUC company

2004: IIRUC SERVICE SA was established, based on the traditional IIRUC SA company

2008 (February): Raiffeisen Informatik Austria (R-IT), the second largest IT service provider in Austria, achieved sole control over IIRUC SERVICE SA

2008 (October): Approval of the Master Plan for the company development

2008 (October): Opening of the new headquarters with a Data Center facility and a central Call Center department

2009 (January): The set-up of the IT security business line – global partnerships and product related services

2009 (June): Professional and IT Security Operations related services

Raiffeisen Informatik Group

2009's turnover: over 1 billion EURO

IIRUC Service means:

Over 25,000 customers

Over 70,000 equipment in service

East-Europe competence hub

Running international projects (Ukraine, CEE)

Multiple certifications

350 employees

120-car fleet

60 nationwide locations in 8 areas

47 nationwide stores

50 service laboratories

1 national training center

IT Operations

Outsourcing

Security Services

Software Solutions

Output Services

Client Management

Raiffeisen Informatik: offered IT services, strategic vision for the Romanian market

3,000 servers

20,000 corporate clients

All highway system in Austria

320 local communities

28 hospitals

25 banks

40,000 km network

520 TB storage

1 billion transactions p.a.

300 million printed pages p.a.

Several Data Centers

Cyber Security – the real dimension of the problem

The US Cybersecurity Act of 2009, proposed in late March, starts with the assessment:

"The Congress finds the following:

(1) America's failure to protect cyberspace is one of the most urgent national security problems facing the country."

The situation: a confused atmosphere around cyber-security. States need help passing security tests, yet the government is drawn to the big problem of securing the Internet.

The declaration: the importance of the Internet as an infrastructure to our economy and society, and the inability of the private sector to solve cyber-security problems.

The government is always hopelessly behind the private sector in technology. But ahead of them all are the cyber bad guys.

There are better ways for the public sector to complement the private sector.

Open networking and connectivity - vulnerabilities in computer systems.

Too much legislative dialog around corporate responsibilities.

It may be far more effective to involve the service provider utilities as part of the solution.

The initiative for a national identity and authentication service and its large civil liberties implications is a discussion that should be conducted at the highest levels.

The real dimension of the problem

The Internet has brought unparalleled positive change in our lives -- the security reality is far different from the hype.

In the past, the changes brought by the adoption of the telephone, television or the transportation network worked without security oversight, and security incidents have been far short of catastrophic.

Private industry knows how to build in business resiliency, indemnify consumers, and allocate new technologies to reduce risk.

The government can learn about managing risk from private enterprises and should avoid rushing in to set standards.

The real dimension of the problem

States are unprepared to respond to "cyber-storms", and "a massive cyber disruption could have a cascading, long-term impact without adequate co-ordination between governments and governments and the private sector."

Booz Allen Hamilton recommended to "establish a single voice for cyber-security within government", concluding that the "unique nature of cyber-security requires a new leadership paradigm."

Cornerstone of cyberspace security strategy: the long-term challenge in cyberspace from intelligence agencies and militaries, criminals, and others.

Losing this struggle will wreak serious damage on the economic health and national security.

The single stable solution can be the public-private partnership

A new leadership paradigm

The creation and support of Regional Cyber-security Centers for the promotion and implementation of cyber-security standards.

Each Center shall be affiliated with a nonprofit institution or organization, or consortium thereof, that applies for and is awarded financial assistance under this section.

PURPOSE: to enhance the cyber-security of small and medium sized businesses through:

(1) the transfer of cyber-security standards, processes, technology, and techniques to Centers and, through them, to small- and medium-sized companies;

(2) the participation of individuals from industry, universities, State governments, other agencies, in cooperative technology transfer activities;

(3) efforts to make new cyber-security technology, standards, and processes usable by small- and medium-sized companies;

Regional Cyber Security Centers – USA example

CYBERSECURITY METRICS RESEARCH - that can assess the economic impact of cyber-security. These metrics should measure risk reduction and the cost of defense

SECURITY CONTROLS - to block or mitigate known attacks

SOFTWARE SECURITY - a prioritized list of software weaknesses known to lead to exploited and exploitable vulnerabilities

SOFTWARE CONFIGURATION SPECIFICATION LANGUAGE - establish standard computer-readable language for government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.

STANDARD SOFTWARE CONFIGURATION - security settings for operating system software and software utilities

VULNERABILITY SPECIFICATION LANGUAGE for vendors to communicate vulnerability data to software users in real time.

NATIONAL COMPLIANCE STANDARDS FOR ALL SOFTWARE - a standard testing and accreditation protocol for software built

Recommendation: Measures and auditable cyber-security standards

What IIRUC Service/Raiffeisen Informatik can do?

1. Partnership

2. Know-how

3. Professional Services

4. Product related Services

5. Operational related Services

Shift the Security Perspective

Comprehensive Security

Physical Security: security zone, authentication, redundant infrastructure, intrusion detection, fireproofing, waterproofing, overload protection, access control, video control, …

IT Security: virus protection, firewall, digital certificates, authentication, encryption, IT tools for checks, ...

Organizational Security: security management, security policy, risk analysis, security concept, rulebook, quality controlling, audit, …

Professional Services

Product Related Services

Operational Related Services

Comprehensive Security

Organizational security

IT and Business Security

Thank you for your attention!

SC IIRUC SERVICE SA
