Discover below the presentation presented during the Assises 2021

Cet article Assises 2021: fighting back against ransomware: how the CAC40 is reacting? est apparu en premier sur RiskInsight.

ORGANISING A CYBER CRISIS EXERCISE IN A LARGE COMPANY 

There are many reasons to organise a Cyber crisis exercise: evaluating the integration of Cyber security in the crisis management system, improving interactions between the different teams, and testing the capacity of the security division to make itself understood by top management. 

From a simple table-top process test to SOC/CERT training to a large-scale exercise involving dozens of crisis teams and months of preparation, the resources allocated to a crisis simulation vary greatly. This article focuses on the last category. 

WHAT’S A TYPICAL CRISIS EXERCISE? 

Looking at the figures, some of the largest crisis exercises in France have consisted of one day of activity, 150 people mobilised, 10-12 crisis teams in several countries, 30 facilitators, 20 observers and more than 300 stimuli. Being able to make a success of such an event requires both a high level of preparation and a very solid facilitation team on the D-day. 

One of the key issues found in these types of exercises is that there is only one take. It is therefore essential that ALL the actors take part in the game, and that the scenario involves all the participants. Preparation and facilitation are key in such exercises to make sure the time spent on the simulation is worthwhile.  

SIX MONTHS TO PREPARE 

1/ Selecting the attack scenario 

The first months of work are always devoted to the attack scenario. Ransomware, targeted fraud, attacking suppliers… the choice of weapons is large. In ambitious exercises, it is not rare to combine several attacks in one crisis: smoke screen launched by the attackers, identification of a second group during the investigation, etc. Whatever the scenario chosen, the key is to be as precise as possible: 

• What are the attackers’ motives? 
• What path of attack did they take? 
• When was the first intrusion? 

The exercise is long and preparation beforehand is needed, especially when 150 players investigate an attack for several hours. Spear-phishing, water holing, code compromise, privilege escalation: the vulnerabilities used by the fictitious attacker are not real, but they must be plausible and “validated” by technical accomplices throughout the preparation. Similarly, for business impacts, they should be reviewed with business specialists: the level of fraud at which the situation becomes critical, critical activities to be targeted as a priority, most sensitive customers, etc. The choice and involvement of accomplices are essential and they should be integrated into the coordination team on D-day.  

2/ Building the script of the exercise 

The script consists in defining minute by minute the information that will be communicated to the players. The calibration of the exercise rhythm is a complex point. The temptation to impose a strict rhythm is great to “master” the scenario but attention needs to be given to leave enough space for reflection.  

The start of the exercise is another complex point: should the scenario start directly in a crisis situation or on an alert that will test the general mobilization process? Most often than not, the second option is chosen. That way, the technical teams (CERT, SOC, IT…)  can be mobilised for the entire duration of the exercise. ExCom members should have their diary freed up during that day as well.  

3/ Preparation of the stimuli 

Technical reports, fake tweets, messages from worried customers, these are all useful stimuli for the players.  

Videos are often used to captivate. Indeed, nothing is more striking than a fake BBC report relaying the current attack (logo, board, etc. the more realistic the better). For more realism, videos of people “known” in the company (message from the CEO, interview of a factory boss, etc) can be used.  

The same goes for the technical side: the duration of the exercises often does not allow the players to carry out the technical investigations themselves, but they will ask a lot of the facilitators. Everything must be ready to avoid panic: Malware analysis reports, application log extracts, IP address lists, etc. 

As mentioned in the introduction, the most ambitious exercises may require the creation of 300 stimuli to get through the day and remain credible – is represents a lot of work.

D-DAY 

On D-Day, early morning, a meeting is organised with all the animation team and observers for the final adjustments. A few hours later, the observers will go to their crisis cells and start the players’ briefing. 

1/ Starting on a good basis 

For many players, this may be their first exercise. The briefing is therefore essential to avoid confusion between fictional and real-life events:  

• Players call the police in the middle of the exercise

• The players contact a mailing list of 400 people without specifying that it is an exercise

• Real customers be called to be reassured

• A production site is neutralized “by prevention”

To avoid such situations, it is essential to iron out the rules of the game during the briefing: the players must communicate with each other, but they must go through the facilitation unit to contact external stakeholders. Throughout the day, the facilitators and accomplices in each team find themselves in the shoes of a client, a technical expert, a CEO, or a regulator, according to the players’ requests.  

2/ Rely on an efficient facilitation team 

The sequence of events depends on the efficiency of the animation cell. A successful exercise includes a lot of improvisation on the day. Stimuli may have to be readjusted according to the reactions of the players, the score is never fixed and the facilitation cell will be put to the test on the day of the exercise. The largest crisis exercises have particularly professional crisis management teams, including the head of the facilitators, PMO, technical manager, business manager, call management centre, etc.  

We suggest not to take any risks on D-Day and to recreate teams that are used to working together and know each other. Doing so is the best way to gain time that will prevent the organisation team from going into crisis itself. 

Cet article Organise a cyber crisis exercise in a large company est apparu en premier sur RiskInsight.

Repeated sick leave, insomnia, withdrawal, security systems companies have been under great pressure for several years. Although threats are intensifying, it is not enough to explain this phenomenon. It is clear that the level of stress is more related to the functioning of the sector and management practices, rather than to the very nature of the activities carried out. Last year, a study by Nominet showed that 23% of ISSMs in 2020 admit to using medication and/or alcohol and drugs to cope. And very clearly, the phenomenon is not limited to ISSMs alone, but to the entire ISS community (SOC analysts, project managers, experts…). But how have we been able to move from passionate, close-knit teams in less than 10 years to such an HR situation?

Cybersector HR approach

Requests for intervention are very rare concerning HR policies, training courses, managerial practices even though the smooth running of the sector and the well-being of the employees have a definite impact on the medium-term level of safety. Sportsmen and women know it very well, the state of mind in the changing room has a major influence on the final result.

Faced with this observation, some major accounts have taken an interesting step: they have integrated these HR operating topics directly into their maturity framework (NIST, ISO, etc.). This is indeed an excellent idea that enables them to deal with essential subjects in a few weeks via an already established organisation and processes (insurance, evidence review, cyber programme, etc.). Another advantage, the framework is often an essential input to the construction of the strategy, and this HR dimension is thus directly integrated into the multi-year plan of certain companies. Concrete and measurable objectives are defined for staff turnover, employee motivation or even the work/life balance. Finally, these elements are regularly presented to top management alongside the patching rate, zero-trust convergence and resilience capacities!

When the physiological well-being of the employees is integrated into the objectives of the sector, and therefore at the same time into those of the CISOs, companies have a much smoother run; but it is still necessary to address the right subjects!

Priorities: Valuing expertise, encouraging mobility and aligning salaries

Pentesters, CERT analysts, DevSecOps specialists… the security sector is made up of a multitude of experts, who are not always recognised, valued and motivated with relevance. Unfortunately, too many companies still have a natural tendency to overvalue management to the detriment of expertise. It is therefore indispensable to create an ecosystem favourable to experts in the ISS fields. The field of possibilities is vast: the implementation of specific career paths, encouraged access to certification, involvement of communities of expertise in major decisions, external valorisation (conferences, media).

The subject of mobility is also essential. There is indeed a feeling of suffocation within the sector: the tension on cybersecurity resources is so great that many employees feel they are stuck on their posts, without the slightest possibility of evolution. As a result, morale is low, people are going around in circles, asking questions, criticising creating an unhealthy climate. A obvious solution exists: encouraging or even imposing mobility. For example, some major accounts have recently set up incentive governance that allows ISSMs to spontaneously propose mobilities and exchange resources, the subject of cybersecurity is vast enough to create rich and exciting careers. A healthy sector is one with a mobility rate of at least 10%.

Finally, there is a need to discuss wages. There are major differences between CISOs remunerations from one entity to another, and the salary structure itself may differ. It is therefore impossible to create team spirit and solidarity in such conditions. The project is not simple, but it deserves to be discussed with the HR, all the more so in a context of strong mobilities which will necessarily lead to complicated situations.

Employees no longer understand their organisation and suffer as a result.

In recent years, safety has taken on a whole new dimension: in France, there is an average of 1 safety FTE per 500 to 3,000 employees, with an average of around 1 per 1,000. The era of the small team of 15 passionate people within the IT department’s operations is over. With large teams, a simple decision can take weeks.

There is an urgent need to rebuild a more readable operational model with a trend in pooling and eliminating redundancies.

1. Regrouping centres of expertise (Audit, Cloud…)
2. Creation of a single cyber defence centre (SOC, CERT…)
3. Structuring of a single Cybersecurity Programme within the Group’s reach
4. Pooling of the PMO in a Reporting Factory.

This type of grouping will make it possible to create an emulation, to embark and to give collective meaning. Of the recent reorganisations, it is estimated that around 40% of the sector’s employees work on activities with a transversal scope.

Salary alignment, re/up-skilling, training/certification plans, mobility processes, reorganisation of the sector, there are many subjects to be dealt with to boost well-being and enable employees to build a full and rewarding career within the sector. However, this work cannot be carried out by the HR functions alone. It is essential that the CISO and team managers are strongly involved to establish the efforts over the long term.

Cet article Security channels on the verge of burn-out – an attempt to explain this phenomenon est apparu en premier sur RiskInsight.

20 years later… the situation is totally different and security has taken on a whole new dimension in companies. The figures speak for themselves: in France, there is an average of 1 security FTE per 500 to 3,000 employees, with an average of around 1 per 1,000. Some financial players can even reach record ratios of 1 per 200 by integrating the different lines of defence. I’ll let you do the math: this quickly represents several hundred, even thousands of employees! ISSM are therefore now in charge of a plethoric and highly diversified workforce. The historical experts have been joined in recent years by loads of Project Managers, PMO, COO, Program Managers, and even sometimes by specialized buyers and HR, who are gradually learning to work together. Like a sports coach, the CISO now has to deal with such a workforce and find the right organization, the right game system to get results.

NO REVOLUTION, THE FUNCTIONAL SECTOR REMAINS THE NORM

The reasons for reorganizing are always broadly the same: lack of control, a feeling of inefficiency, diffuse responsibilities… and the work involved in reorganizing can seem colossal. This leads some CISO to very quickly consider disruptive solutions, and in particular the idea of grouping all security resources into a single, hierarchical team. Let’s not waste time and let’s be very clear: in 95% of cases, this solution is not chosen. Such a move simply presents too many risks of excluding the security function, which is difficult to reconcile with the need for business proximity for certain activities: support for business projects, raising awareness among specific populations, budget negotiations, etc. The functional channel remains the norm: a central team and relays (local CISO, security correspondents, etc.) spread throughout the organization. However, some industrial players have recently moved towards centralisation, but the move is more motivated by a desire to bring together cybersecurity resources with the security team, which is particularly mature in this sector.

The attachment of the CISO also remains an element of debate, which has been widely relayed and commented on for years. CIO, Risk Management, Financial Management, CEO… it sometimes seems as if it’s a race to see who will be the highest in the hierarchy! But contrary to popular belief, there is not necessarily a trend in the field towards the exit of the IT department. Quite the contrary: 3 out of 4 CISO report to the CIO in large companies and most reorganizations lead to such an affiliation. The reason is simple: it is often an excellent place to be in action, to make progress on issues and to obtain a budget! Warning: for those who decide to be attached to a different department, remember that 80% of a cybersecurity budget falls within the scope of the IT department. It is therefore essential to nurture a quality relationship between the CISO and the CIO. I have witnessed a few power struggles in recent years, and it is rarely the CISO who wins

That’s it… we’ve got the basic principles: a functional network, often attached to the CIO, with CISO in the company’s main areas of activity. The task now is to distribute all the cybersecurity activities within this organization, and there are many of them: policies, studies, awareness-raising, the Cybersecurity Program, project support, audits, SOC, CERT, etc.

BREAKING DOWN SILOS AND SEEKING OPERATIONAL EFFICIENCY

As a service provider, I can testify to this: it is quite common to be solicited several times for the same study within a Key Account, in several different entities. This is quite understandable: in a pipeline model, each entity/country has a safety team, and without clearly established rules of the game, local management often has the reflex to reinforce its team at the slightest need (specific study, audit results, etc.). This is the whole trap of a sector: it has many advantages but creates complexity and redundancies. And believe me, when the Group CISO finds himself explaining to top management why the company has 3 SOC and 4 incident response units… it’s rarely the best meeting of the day ;-).

In order to avoid such situations, the trend is towards the pooling of expertise and the creation of central cybersecurity service offerings. In very concrete terms, this means that many organizations are pooling 1. cybersecurity expertise (studies, innovation, awareness-raising, etc.) 2. Detection and response (SOC, CERT, crisis exercises, Threat Intel, etc.) 3. Audits and controls (slopes, redteam, code analysis, etc.) 4. Project management and PMO (reporting, PMO, communication…). Add a governance and strategy entity, and you are not far from getting the organization chart of many Group CISO! Note that there are alternatives: some organisations opt for a distributed model, consisting of distributing services across entities (for example: the USA is now in charge of the intrusion test service for the entire company), and very large companies often opt for the creation of intermediate Hubs (by region, by business line…) delivering these services. Regardless of the organisation chosen, this consolidation movement is underway: it is estimated that around 40% of the sector’s employees work on activities with a cross-functional scope… and the increase has been exponential in recent years.

This move towards centralisation frees up local teams (CISO or business/country/entity correspondents) who can thus consume services and refocus on activities requiring close proximity to their businesses: risk assessment, integration of security in projects, security revenues, etc. In the security sectors, this is where we still find the bulk of the workforce (easily 30 to 40%)… but this situation is very probably temporary! The widespread use of agile technology has a direct impact on these teams, who find themselves changing jobs from one day to the next because they are projected into the Feature Teams to train, coach and equip “Security Champions” who are gradually gaining in autonomy. Result: local CISO are also industrializing and organizing their teams into service centers for these Feature Teams (development standards, code review, analysis methods…) Follow my eye: the spectre of a single, centralized security team is likely to resurface quite quickly in the debates… and it is the agile transformation that accelerates the process!

IT IS NOW POSSIBLE TO MAKE A CAREER IN A SAFETY FIELD

We have widely commented on this: some security channels have gone from a few dozen people to several hundred or even thousands in the space of a few years. Of course, this requires a bit of organisation… but it is also a great opportunity for all the employees in the sector! Project management, team management, expertise, communication… very few sectors offer such diversity, and the situation is ideal for attracting and retaining talent. I can only recommend that you take advantage of a cyber-security reorganization to highlight this wealth and work on skills management: salary alignment, re/up-skilling, training/certification plans, individual responsibilities, mobility processes… there are many topics to be addressed to boost well-being and enable employees to build a full and rewarding career within the industry!

Cet article Organize or reorganize the security sector of a large company – Feedback est apparu en premier sur RiskInsight.

Cet article Organiser ou réorganiser la filière sécurité d’une grande entreprise – retours d’expérience est apparu en premier sur RiskInsight.

Identification and mapping of key processes

Let’s start with a definition from the regulator: the European Central Bank defines cyber-resilience as the ability to protect oneself and to quickly resume activities in the event of a successful cyber-attack. This definition has led many companies to adopt a 360° vision on the topic (prevention, crisis management, reconstruction, business continuity, etc.) through the prism of a concrete cyber-attack on key business processes. The novelty lies above all in the fact that all the analysis is focused on critical business chains, even though it is still necessary to know them. Identifying and mapping key processes is often the most complex part of a Cyber Resilience Program. Unfortunately, there is no systematic method: a list drawn up by the Risk Department, a decision by the Director of Operations, recycling of business impact analyses (BIA), criteria established during regulatory audits, etc. One thing is certain, this list cannot be drawn up by the cybersecurity team in its own corner and requires the involvement of the business lines as early as possible in the process.

Analyzing the cyber-resilience of a business chain: the A.R.M. method

The cyber-resilience of a business chain can be improved by acting on several parameters: 1/ avoidance of the attack, 2/ rapid reconstruction, 3/ maintenance of business activity during the attack. As a result, many companies have structured their Cyber Resilience Program around 3 indicators: A (AVOID), R (RECOVER) and M (MAINTAIN), making it possible to target one threat at a time. Of course, most current initiatives are working on Ransomware scenarios (Ryuk, Maze, Sodinokibi, etc.).

A – AVOID

The first step is to assess the level of resistance of business chains to the feared cyber threats. The ATT&CK Framework is increasingly used here and this indicator can simply correspond to the percentage of techniques used by the attacker against which the business chain is protected (for example, the chain is protected against 60% of the attack techniques used by the ransomware groups of the moment). The level of assurance required differs from one company to another: even if most companies still work via self-declaration, it is possible to integrate a review of evidence or Redteam audits into the approach to make the results more reliable.

R – RECOVER

The second step requires assessing the reconstruction time of the business chain in the event of an attack (for example, the chain can be reassembled in 9 hours after a ransomware attack). This time can obviously be different from one attack to another: destruction often restricted to Microsoft systems, possibility to use backups or not, integrity checks necessary after reconstruction, etc. This requires a detailed analysis of the impacts of each attack studied. Be careful, when mapping, it is necessary to consider the reconstruction of ALL the assets impacted by the attack. It is often observed that a few specific assets can double or triple the overall reconstruction time. Here again, the level of insurance required differs from one company to another: it is possible to work on paper, but the real reconstruction test is clearly the best option for reassurance.

R – MAINTAIN

The last step requires assessing the ability of the business lines to work in a degraded mode before returning to normal. This is a purely business indicator, which obviously differs from one sector and chain to another: it can be a question of transactions, reception of parcels or number of passengers depending on the sector and the chosen chain. To calculate it, it is necessary to work with the business on the assumption of long-term unavailability of the critical chain and to evaluate the percentage of the activity that can be delivered in another way. To understand the approach in a theoretical, and deliberately provocative way: does a business process vulnerable to a cyberattack, but whose activity can be maintained without an IS for a few days, really need to increase investments in cybersecurity? This is the type of topic that a Cyber Resilience Program must be able to arbitrate.

Most Cyber Resilience Strategies and Programs on the market obviously embrace this recurring assessment phase, adding over the years cyber threats and business chains to be analyzed. At the same time, they are managing a series of cybersecurity, IT and business projects to increase the level of resilience. The most mature Programs also maintain catalogs of solutions to speed up the process and improve the scoring of the various business lines (data safes, standardized backups, market partnerships, shared business fallback solutions, etc.).

As we have seen, a cyber-resilience strategy involves multiple skills: the cybersecurity department to select threats and assess the robustness of chains, the business lines to select critical chains and work on business continuity, IT and the Business Continuity Plan (BCP) for crisis management and assessment of reconstruction capacities. The best solution is to host this type of Program directly at the Operations Department level, in order to influence all these channels. However, these Programs are currently structured at the level of the CISO or the Risk Management Department. The key in this case is to deploy effective governance that allows all stakeholders to remain within their area of expertise.

Cet article Cyber-resilience, an opportunity to bring cybersecurity and business closer together est apparu en premier sur RiskInsight.

However, for some time now, some executive committees are no longer as generous and require more effort from the IT Security sector. It is well known that it is not easy to prove the effectiveness of the means committed, and some CISOs find themselves struggling to even maintain their annual budget. The post-COVID situation may not help, and we can think that there is no reason why cybersecurity should escape the imperatives of future savings.

In the field, the following three levers may present opportunities to optimize the costs in the IT Security industry: 1. review of the Operating Model, 2. contracts optimization, 3. automation and offshoring.

1/ REVIEW OF THE OPERATING MODEL

To optimize an IT Security Operating Model, the question of redundancy must be quickly addressed. The observation is often the same from one company to another: the IT Security industry has grown very quickly, and different teams have very similar or even redundant missions. Many service providers can attest to this: it is quite common to be called upon several times for the same study within a Key Account, in several different entities. Even if some companies are considering to deal with this subject by a complete centralization of the security team (some recent examples in the industry), the key is rather to gather at least the cyber expertise in a centralized way and to structure service offers that can be used by all: pentests, SOC, redteam, policy writing, awareness…

Be careful, this may represent a major change in stance for many CISO teams, which move from a role of prescriber to a role of service provider with all its facets (SLA, quality measurement, and even penalties). However, it is an excellent way to eliminate redundancies, optimize costs and clarify responsibilities in the process.

2/ CONTRACTS OPTIMIZATION

Purchasing contracts often account for more than half of the IT Security industry’s expenses and can obviously present excellent avenues for optimization. Many companies have multiplied the tactical deployment of security solutions and it is not uncommon to find situations with 4 types of IPS, 3 EDRs and 3 SIEMs… A simple way to regain control and optimize costs is to return to the use of a catalogue with centrally negotiated prices: maximum 2 products referenced per technology and an obligation for all entities to use the catalogue. The results can be spectacular by playing on volume effects.

Same approach for services: the aim is to avoid scattering contracts and to ensure competition. In the field, there is typically a trend towards contracts optimization that do not require specialized cyber expertise: project management, change management… From experience, it is quite simple to get 10%-15% off the daily rates, the panel of companies being much larger for this type of task. However, security value must be kept: it is not a question of lowering the guard on expertise or cyber strategy.

3/ AUTOMATION AND OFFSHORING

Automation can also be an optimization avenue to be explored in the medium term. Especially since the movement is already underway: SOAR solutions for incident handling, automatic learning for anomaly detection, deployment of measures in the Cloud… Many cyber security activities are currently seeking optimization through the automation of repetitive tasks. The results are obviously not immediate, but the current economic climate clearly risks boosting projects of this type.

An offshore strategy, on the other hand, can have much more immediate results, but beware of rushed projects. Offshore security activities are anything but tactical and require a great deal of framing work to understand the specificities of each country, to establish proximity with local management, and above all to integrate offshore seamlessly into the IT Security operating model. Successful offshore operations involve up to 20% of the industry’s offshore workforce. The key to achieving such volumes is to focus on providing standardized offshore services (operations, vulnerability scans, translation, etc.), and to limit extended teams, which can be attractive on paper but often counter-productive because they are complex to manage.

Cet article Cybersecurity will not escape cost reduction est apparu en premier sur RiskInsight.

Defining a cybersecurity strategy in a large company

The name is not always the same: master plan, security model, action plan, roadmap but the basic idea is always to set a set of projects that will allow to converge towards a 3-4 year security target, shared and understandable by the top management. 15 years of master plans means 15 years of introductions based on accelerating the threat, tightening regulations, accompanying transformations; the reasons for establishing a cyber strategy are still globally the same. The method for designing a cyber master plan has evolved considerably.

10-15 years ago, life was simple.

A master plan could be constructed in a few interviews with the ISSR and his team, “according to experts”. To provide a logic, consultants would base themselves on a pictorial model such as a fortified castle or an airport, which served as a pretext for setting up the fundamentals and explaining the choices. The attacks still seemed remote, the cyber was less dispersed than today and all the master plans were more or less the same. With a little hindsight, these cyber strategies above all had a great real role in raising awareness / training top management, who were gradually involved in the choices and discussions.

In 2021, the context has changed a lot. It is no longer enough to say “expert opinion”: some major accounts are now investing hundreds of millions of euros a year in cybersecurity, and executive committees are demanding more evidence of the effectiveness of the strategy deployed. All the more so since the “fundamentals” (patching, bastion, etc.) are now supplemented by an arsenal of measures, each more specific than the last, which raise questions about the relevance of a single strategy for a large company. It is clear, for example, that between a retail bank focused on the leakage of customer data and an investment bank fearing unavailability of certain trading channels, the priorities are different. The current crisis is certainly likely to reinforce this trend: strategies must now be much more finely tuned to the business lines.

A pragmatic and agile strategy, aligned with business priorities

The first months of work are always devoted to the method that will bring rigour and credibility with management and regulators. Very concretely, it is a question of defining the company’s Cyber Framework and a method enabling each entity to define its Target Profile (target to be reached on the Framework). Differentiated strategy for each entity.

Large companies no longer have questions about the Framework and NIST has established itself as the market leader. The 5 functions (identify, protect, detect…) speak volumes to management and above all its popularity favours the Benchmark. The frameworks chosen do not matter anymore, as long as they are based on a market reference. It should be noted that most companies do not hesitate to specify controls to make them more pragmatic: EDR, SOAR, AD security, anti-fraud; the Framework simply acts as a library of potential controls on which the company will base its strategy.

In large companies, the Group often imposes a first level of security for all, corresponding to the pursuit of fundamentals: SOC, bastion, patching, etc. Most systemic attacks still exploit these weaknesses, and the risk of inter-entity propagation must be managed in a cross-functional manner. This common target is quite similar from one company to another and is generally established on the basis of benchmarks provided by the consulting market. More challenging, each entity is then led to define its own target, according to its own stakes. Beware, the mapping and weighting mechanism between the Framework controls and the risk mapping can be complex. The key is often to get out of the cyber sector and work jointly with the Risk Department.

The must-haves of the moment: AD and IAM security

The figures resulting from the cyber strategies of major French companies are important: 10-20M of investment on average per year in the industrial sector, and up to 100-150M per year for Financial Services. Each strategy is different but recent feedback shows that budgets are fairly evenly balanced between 4 types of projects:

1. Security foundations (patching, awareness, director security, etc.)
2. Protection of sensitive environments (LPM, AD security, data protection, etc.)
3. Zero-trust convergence (inventories, IAM, risk-based authentication, compliance, etc.)
4. Cyber-resilience (detection, crisis management, reconstruction, business continuity, etc.).

A few years ago, the NCS and the LPM were definitely emerging as the top priority topics. Today, they are very much in competition with Active Directory security and AMI.

Cyber strategy is an essential tool for setting the course, federating actions, and involving management. However, establishing a multi-year master plan is a great opportunity to get teams on board around a common goal. Some security departments have grown from a few dozen people to several hundred or even thousands in the space of a few years, and many employees are currently looking for a meaning in their role. One should take advantage of this “moment” that is the creation of the strategy to create aspiration, enthusiasm, real team spirit in the sector. It is the ideal moment to multiply the work groups, involve as many employees as possible, adopt a transparent approach, have the top management challenge the teams; in short, turn this strategy construction into a sector event.

Cet article Defining a cybersecurity strategy in a large company est apparu en premier sur RiskInsight.

Malgré tout, de plus en plus d’attaques sur des environnements Blockchain sont constatées, avec des fraudes s’élevant souvent à plusieurs dizaines de millions d’euros.

Mais alors, quel niveau de confiance peut-on vraiment accorder à cette technologie ? Décryptage des attaques visant la Blockchain et retour sur les mesures à prendre pour améliorer ce niveau de confiance.

Protéger les services et applications accédant à la Blockchain

Un membre d’un réseau Blockchain est identifié grâce à une paire de clés cryptographiques : une clé privée, qui lui permet de signer ses transactions et de bénéficier des transactions reçues ; et une clé publique, qui permet aux autres membres du réseau d’identifier les transactions émises de sa part et de lui en transmettre. S’assurer de bien conserver et protéger sa clé privée est donc vital. Or, celle-ci est souvent stockée par son propriétaire sur son ordinateur ou téléphone, périphériques connus pour être aisément attaquable.

Aussi, de plus en plus d’utilisateurs choisissent de confier leur clé privée à des intermédiaires. Force est de constater que la plupart des attaques impactant Bitcoin ont en réalité directement ciblé ces plateformes intermédiaires. Il est donc primordial de protéger la manipulation des clés privées et plus globalement l’ensemble des services accédant au réseau Blockchain.

Dans le cas d’une Blockchain s’appuyant sur des smart-contracts, le niveau d’interaction avec l’extérieur du réseau peut être important, puisque ces derniers s’appuient sur la vérification de paramètres d’entrée, potentiellement externes au réseau. Il n’est alors plus question de sécuriser seulement les plateformes accédant à la Blockchain, mais également celles accédées par la Blockchain pour valider les conditions d’une transaction.

Exemples de services accédant à la Blockchain Bitcoin

Surveiller la puissance de calcul des mineurs pour éviter une attaque 51%

L’attaque 51% consiste à avoir plus de 51% de la puissance de calcul du réseau dans le but d’annuler, ajouter ou modifier des transactions présentes dans un bloc. L’idée est de créer une chaine alternative et plus longue que la Blockchain existante afin de la remplacer. Cela est rendu possible en exploitant un paramètre essentiel de la Blockchain : lorsque deux chaînes sont concurrentes, la chaine la plus longue est considérée comme la chaine légitime.

Explication de l’attaque 51%

Ce risque est plus important dans le cadre de Blockchains privées ou hybrides, composées d’un nombre restreint d’utilisateurs, et pouvant donc plus facilement représenter plus de la moitié de la puissance de calcul. Aussi, des mesures de sécurité doivent être mises en place pour prévenir et détecter ce type d’attaque : engagements contractuels, mécanismes de surveillance et de contrôle, etc.

Sécuriser le code des smart-contracts

Un smart-contract est un programme informatique inscrit dans une Blockchain et qui s’exécute de manière automatique une fois les conditions du contrat réunies.

Les conséquences d’une erreur de codage peuvent être catastrophiques et difficilement réversibles, comme en témoigne l’affaire TheDAO (application basée sur la Blockchain Ethereum et se présentant comme un fond d’investissement participatif et mutualisé). À partir d’une vulnérabilité découverte dans le code source du smart-contract TheDAO, un membre du réseau a pu drainer le compte principal de l’application à hauteur de 50 millions de dollars. Ces fonds furent en partie récupérés suite à une opération appelée « hard fork », s’apparentant à une attaque 51% concertée.

En soi, ceci n’était pas une attaque car le contrat a été respecté, seule sa conception était défaillante. La création de cas d’usage basés sur des smart-contracts doit impérativement être associée à des mesures de sécurité applicative et un développement sécurisé.

Un système Blockchain est souvent considéré comme sécurisé par nature, mais les attaques présentées témoignent du contraire. La nature des plateformes accédant ou accédées par la Blockchain, la complexité des éventuels smart-contracts ou le nombre de mineurs du réseau sont autant d’éléments pouvant influer sur la sécurité du service fourni.

Affaire TheDAO

Cet article Peut-on avoir une confiance sans limite dans la Blockchain ? est apparu en premier sur RiskInsight.

Pourtant, ce concept n’est pas nouveau : la Blockchain est la technologie sur laquelle s’appuie la crypto-monnaie Bitcoin, apparue en 2009. Mais alors, pourquoi ce regain d’intérêt ? Quelles sont les caractéristiques de cette technologie et quels usages peut-elle favoriser ? Quels sont les obstacles à surmonter pour qu’elle puisse se démocratiser ?

Des algorithmes remplacent le tiers de confiance

La Blockchain est une technologie qui permet aux membres d’un même réseau d’effectuer en toute confiance des opérations de stockage et de transmission d’informations, appelées « transactions », et ce en toute confiance, sans aucune autorité centrale de contrôle.

Cette technologie se présente sous la forme d’un registre contenant l’ensemble des transactions enregistrées depuis sa création (dans le cas de la Blockchain Bitcoin, il s’agit par exemple de l’intégralité des transactions financières effectuées depuis la création de cette crypto-monnaie). Ce registre dispose de 2 caractéristiques essentielles :

• Il est distribué: tous les membres du réseau disposent d’une copie du registre, rendant quasiment impossible la modification de ce registre par un individu sans l’aval du reste du réseau ;
• Il est fiabilisé par les acteurs du réseau – : la confiance établie au sein du système est assurée par les membres du réseau eux-mêmes ; aucune autorité centrale ne joue le rôle de tiers de confiance.

Au sein du registre, les transactions sont regroupées dans des « blocs » enchainés par ordre chronologique (dans le cas de la Blockchain Bitcoin, un bloc correspond à environ 10 minutes de transactions). Le schéma ci-dessous permet de comprendre la cinématique de création d’un nouveau bloc, et donc l’enregistrement d’une nouvelle transaction dans la Blockchain.

Cinématique de rajout d’un Bloc à la Blockchain – Vision globale

Ainsi, le tiers de confiance est remplacé par des algorithmes permettant à tous les membres du réseau de vérifier facilement que les mineurs n’ont pas ajouté, supprimé ou modifié une transaction lors de la création des nouveaux blocs.

Du simple stockage sécurisé à l’exécution de « contrats » intelligents

Toute situation faisant intervenir un tiers de confiance coûteux ou faillible est une opportunité pour créer un cas d’usage Blockchain. Banque, immobilier, santé, transport… tous les secteurs se sentent concernés et réfléchissent actuellement aux opportunités offertes par la Blockchain pour améliorer ou remplacer les modèles actuels.

Trois catégories de cas d’usage se distinguent aujourd’hui :

• Record keeping – Blockchain utilisée comme registre de stockage pour déposer des données dont on souhaite garantir la preuve de par leur existence, leur date de création et le droit de propriété, comme par exemple : des brevets, des données médicales, etc.
• Digital transactions – Blockchain utilisée pour du transfert de valeur : transaction immobilière, crowdfunding, crypto-monnaies, etc.
• Smart-contracts – Blockchain utilisée pour développer et stocker des smart-contracts, à savoir des contrats entre plusieurs parties, rédigés sous forme de code informatique, et qui s’exécutent sans intervention humaine selon les conditions et termes qu’ils contiennent.

Les acteurs du monde de la finance s’intéressent tout particulièrement à la Blockchain. Que ce soit en France ou à l’international, de nombreuses initiatives sont menées, parfois sous forme de consortium, dans le but d’évaluer le potentiel des usages de cette technologie dans le secteur et de définir des protocoles standardisés.

Bien que la Blockchain ait été initialement pensée comme un système public, la plupart des réflexions actuelles concernent des Blockchains privées (propre à une organisation) ou hybrides (propre à un ensemble de partenaires).

Performance, écologie et réglementation : les obstacles à surmonter

À titre d’exemple, le réseau Bitcoin permet d’enregistrer environ 7 transactions par seconde, à comparer aux 2 000 transactions par seconde de VISA. Pour s’imposer à large échelle et développer de nouveaux cas d’usage, la Blockchain doit donc pouvoir améliorer ses performances.

Le défi de la performance repose sur une définition et un calibrage des paramètres intrinsèques à la Blockchain en fonction de l’usage que l’on souhaite faire de celle-ci (taille des blocs, processus de création des blocs…).

De plus, elle s’avère très consommatrice en énergie. La consommation électrique actuelle du réseau Bitcoin est notamment équivalente à celle de 280 000 foyers américains.

La réglementation s’avère aussi être un obstacle, l’évolution rapide de la technologie et des cas d’usage amenant de nouvelles interrogations : application du processus KYC (Know Your Customer) ? Poids juridique d’un smart-contract ? Etc. Certains ministères et parlementaires français commencent à s’y intéresser sérieusement (cf. encadré).

Timeline – Réglementation Blockchain en France

Cet article La blockchain : un nouveau modèle pour la confiance ? est apparu en premier sur RiskInsight.