Third Party Security and Patching: How to face this major vulnerability?
In analyzing root causes of incidents, third party security and patching is strongly represented as a solution to attacks around 80% of the time. It is, thus, an utmost and urgent issue that needs addressd.

From the perspective of attackers, it is essential to run the attack-business well, which is why they invest 10-20% of their time investigating the weakest point in the targets’ defense concepts. Well protected multi-billion-dollar global companies are hard targets to hit, but their suppliers, their contractors, their clients and partners are often protected on a SME level only.
Against this background, the weakest links are often represented by a third party, which is an ideal situation for hackers to get an easy hook in to the well protected castle.

There are many statistical reports on patching., With an observed share of 50% of patched systems functioning 10 days after a patch has been implemented, it is clear that the patching sequence is in many cases far less effective than what it should be. However, the other 50% of systems are vulnerable with known weaknesses for which attack suits can be downloaded from the internet or the darknet. For any hacker, these are easy targets that can be conquered at very low cost.

The theory behind the topic is really very easy to understand, however, counter measures need many careful steps. There are two enlightening presentations on this topic in this summit. The first one deals with third party and patching issues in procurement and creates a binding framework for security issues in partnerships. The second one is based on real-time measurements in which the partners are controlled with software and information will be presented on the real important issues of how the observed weaknesses can be presented and eliminated.

As usual, the goal of Summit 16 is to learn from the speakers, from each other and from the material distributed before the meeting in order to explore today’s most compelling trends in addressing the information and cyber security challenges with the best set of controls.

Culture could be considered as “the ideas, customs, and social behavior of a particular people or society” and represents commonalities of specific groups of people, including beliefs in specific values. Typically, most people think that culture is rather static than dynamic.

Our observation of the recent past depicts fast changes in technological and communicative means such as the internet, smartphones, group building (including on-line groups), innovation and societal integration. An additional factor is the seamless mixture of societies, such that we work today naturally in teams from many nations, while 50 years ago, we immediately felt a difference, even from people of another city in Switzerland.

As a security offi cer, we are concerned with all three issues simultaneously: fast changes, a seamless mixture of people with different origin, and nearly any mixture of beliefs and values. Without governance and clear direction, companies might develop a nearly unlimited number of very different odd subcultures. Now begins our tasks to care for a forward-directed and agile security culture, which adapts continuously to new situations.

We will get a report from Swisscom (main issue: business IT, Mobility, and cloud) and from SBB (Main issues OT, digitization, industrial control systems), and how they approach this enormous challenge.  First turn around the employees to accept net technology, processes and human interaction, and then demand on top of these aspects a new security culture. How to keep motivation at a high level, create identification with the security controls, and protect the IPR and the data? How to measure these aspects, and how to select the best option in specific situation for well-defined change program? Now we welcome you in the world of the 17th Swiss CISO Summit.

Traditionally, Development and Operation were two separate streams of activities, separated by long and intense testing, to guarantee a near incident free and secure operation. Time-to-market is a key issue and defines from the business side the performance and flexibility of a company at the market. The goal to speed up the entire process from development until production is from all business lines accepted and paramount for business success. Security requirements are different for various applications. We have attracted two keynotes presenting critical applications in the rail and financial sector, both taking advantage of innovative combination between develop- ment and operation, while maintaining a very high level of security.

Olaf Zanger will present Smartrail 4.0, a concept of complete digitization of railway operation. In this case study the engineering process is predominant, including all quality and safety requirements. Smartrail 4.0 is using agile methods, and Olaf will present how the safety process can be adapted for secure software develop- ment. The main goal is to provide the highest possible software quality in a “mandatory fail-safe system”.

Christian Reinhard and Arno Aukia will present the Finnova secure banking operation platform, which is based on DevOps in development and operation: Agile development processes, container platforms and tools used for operational security engineering are core topics. From the technology partner, the focus is on DevOps pipe- line and technology, and from the core banking application side, the focus is on the experience of setting up these systems, testing it, and handling risk assessment and security issues.

At this 19th Swiss CISO Summit we offer a forward looking topic, which is often the blind spot in the eyes of the security office. I am convinced, that the topic is very important and that we need to advance the security in the agile DevOps issues, and a sound understanding of risks.

After a longer period of E-banking fraud, the resistance of the merging better protected E-banking against the hacker’s penetration attempt was increasing so much, that the business model did not work out for the hackers anymore. The hackers needed to find a new source for their income.

The new source is primarily ransomware, which made them develop trojan horses, install them on the victim’s system, and encrypt the data of the system. The victim cannot work anymore and does not see his data. At this points the hacker start negotiating, how much money they want, for releasing the crypto keys, such that the victim can reuse his data.

Customers having a real offline backup, just install their data again, and work further. But there are quite a few corporations having mirrored server system, which protects very well against hard drive failure, but not at all against crypto locker software.

A crypto locker ransomware as well as other ransomware (e.g. payment for not publishing of embarrassing or confidential data) needs time to be placed in an evaluated system. This system selects hackers very carefully. And several steps are needed until the final key will be pressed when all data encrypt. During this period, Computer Emergency Response Teams (CERT) and Security Operation Center (SOC) may find indicator of compromise and can potentially mitigate the upcoming catastrophe.

Our debate will examine strategies which were successful in specific cases and share strategies which not succeeded before the system was under hacker’s control. And we will look at these strategies before the incident happened and at the response: How to negotiate with the hackers, how to start fighting, what means fighting for the victim, and how likely is success? How does the requested amount change when the fight continues for longer time? Which type of support we need in such situation, and how we can get this support? And is it wise to look for partners before the incident?

The first presentation from Frank Herberg (Switch) prepares the ground for broad discussion, how detection of indicators of compromise work, and how to respond to these. In addition, some response options are debated. The second presentation from Johannes Dohren (PwC) presents a true war story and demonstrates lively “what fighting against hacker” really means.

With this setup we expect to serve the community with an inspiring exchange for being better prepared and have more options to react on hackers attempt to harm us.

Against the background of ever-increasing and more rewarding criminal activities: Dear CISO, how are you preparing your organization for the future? Scenario, Attack Pressure, Strategies, and Actions

In 2020 Germany suffered losses of 220 billion Euro related to cyber security incidents, according to the asso- ciation Bitcom. Scaling this down to Switzerland will result in more than 22 billion CHF, more than four times the Swiss military budget. Hackers are rewarded with good money, and they re-invest the money in better tech- nology for attacking. This dream budget of hackers is not available in the counterpart, the CISO offices, which must defend their IT infrastructures. How to communicate the new conditions towards executive offices and get them aware that early investment into the security office might be better than sponsoring hackers later?

The pressure towards hackers to get caught is relatively small, especially if they operate from countries
with no contracts with Switzerland regarding law enforcement and countries not cooperating with other law enforcement agencies. The hacking business has better profitability rates than drug and other criminal businesses. Hackers realized that the ransom works better when attacking critical infrastructure. Of course, they need more and new knowledge when attacking SCADA and ICS, but investments will pay back soon,
as e. g. the colonial pipeline case demonstrated.

The Corona home office period displaces secure corporate working spaces to warm and beautiful homes. However, the security measures are not on the same level, and through diverse family interaction in the same net will the attack surface grow. In other words, hackers have easier access.

Innovation of technology is not to stop: Internet of things, cloud shift, choices of networks (4G, 5G, fiber, DSL), cellphones which have enormous computing and storage capacity, and the new generation of software open up for further attacks.

Against this background, we will discuss how security should be shaped in the following strategic period:

• What are the intentions of the top executives in respect to security? To which function should CISO report? And how should CISO deal with the new pressure of the management, which wants more reporting, more reliable security, and more control over the security function?
• Which strategies must be followed to succeed with security in the next period?
• How to reorganize security and security offices for counter-fighting attacks in the new area?
• Which actions are most urgent to be taken?
• How to speed up the implementation of security measures for new technologies the company has procu-red?Against this background, we want to have an open exchange stimulating each other to have a better picture of preparedness and a greater awareness of the many options to deal with the new and more challenging situation.

Against the background of ever-increasing and more rewarding criminal activities: Dear CISO, how are you preparing your organization for the future? Scenario, Attack Pressure, Strategies, and Actions

In 2020 Germany suffered losses of 220 billion Euro related to cyber security incidents, according to the asso- ciation Bitcom. Scaling this down to Switzerland will result in more than 22 billion CHF, more than four times the Swiss military budget. Hackers are rewarded with good money, and they re-invest the money in better tech- nology for attacking. This dream budget of hackers is not available in the counterpart, the CISO offices, which must defend their IT infrastructures. How to communicate the new conditions towards executive offices and get them aware that early investment into the security office might be better than sponsoring hackers later?

The pressure towards hackers to get caught is relatively small, especially if they operate from countries
with no contracts with Switzerland regarding law enforcement and countries not cooperating with other law enforcement agencies. The hacking business has better profitability rates than drug and other criminal businesses. Hackers realized that the ransom works better when attacking critical infrastructure. Of course, they need more and new knowledge when attacking SCADA and ICS, but investments will pay back soon,
as e. g. the colonial pipeline case demonstrated.

The Corona home office period displaces secure corporate working spaces to warm and beautiful homes. However, the security measures are not on the same level, and through diverse family interaction in the same net will the attack surface grow. In other words, hackers have easier access.

Innovation of technology is not to stop: Internet of things, cloud shift, choices of networks (4G, 5G, fiber, DSL), cellphones which have enormous computing and storage capacity, and the new generation of software open up for further attacks.

Against this background, we will discuss how security should be shaped in the following strategic period:

• What are the intentions of the top executives in respect to security? To which function should CISO report? And how should CISO deal with the new pressure of the management, which wants more reporting, more reliable security, and more control over the security function?
• Which strategies must be followed to succeed with security in the next period?
• How to reorganize security and security offices for counter-fighting attacks in the new area?
• Which actions are most urgent to be taken?
• How to speed up the implementation of security measures for new technologies the company has procu-red?Against this background, we want to have an open exchange stimulating each other to have a better picture of preparedness and a greater awareness of the many options to deal with the new and more challenging situation.

In light of ever-increasing and more rewarding criminal activities, “Zero Trust” promises a solution. But what does it mean, and how to implement it?

Zero Trust is perceived as a practical approach in today’s cloud-first world. But what does it take to move from a Zero Trust strategy to active implementation? Gartner recommends as best practices for building a Zero Trust foundation the following measures:

• Create a secure, standard federated identity management system
• Apply adaptive access for more granular resource and access control
• Roll out user-to-application segmentation (Zero Trust Network Access (ZTNA))

Today, a cloud-first strategy can be considered default and promotes building software directly in the cloud rather than building on-premises and migrating to the cloud. The goal is to create software faster and reduce the overhead associated with on-premises resources and cloud migration.

Platform advantages of a Cloud-First approach are flexibility, less overhead, more resources available without investments i.e. cost-effective upgrades, Improved recovery abilities, support options from the cloud provider, faster release cycles, and an integrated option for collaboration. And the business advantages embrace innovation, new business models, new composition and design of applications.

A central role in the cloud and Zero Trust plays secure identities: with two and more factors, we can nail down the acting identity and make them responsible for their actions.

The Zero-Trust-Modell (NIST 800-207) applies the following principles:

• Permanent control: access must be controlled at any time for any resources.
• Limitation of impact: by segregation, the impact of a compromise is limited. Later movement is not possible.
• Automated context detection and reaction: behavioral data are analyzed, and the contexts of all information technologies (Identity, End-device, Workload, etc.) are gathered and processed such that targeted responses are enabled.

These nice “promises” are compelling. First, however, we need to reflect on how to implement Zero Trust, which steps must be taken, and whether the security gain justifies investments and work effort. The more fine- grained we implement access control, the more work must be invested in the design and implementation of access control: What is the CISO’s experience? Where to cut the refinement of access control to limited efforts? And by when is the second line of defense (SOC) the better option?

We want to have an open exchange for creating a sharp picture of prerequisites for the success of implementing Zero Trust and having resilience success in defending our system against new forms of attack.

At first glance, vulnerability management does not look very attractive. However, for many enterprises, engaging with the processes around vulnerability and asset management is very beneficial. It lowers the attack surface relevantly.
Before starting with vulnerability management, the processes of the organizations must be mature and well defined: This means that patch management, lifecycle management, and adjunct processes are established on a high maturity level. In addition, it includes the perception turnaround from patch management for fewer errors to patch management as a strategic security activity.
It is a well-recognized fact that asset management will never be 100% perfect, but approaching a state of “near perfect” is highly desirable. It includes hardware, software (applications), middleware, firmware, and services like encryption (note: remember SSL heart bleed). In addition, the link between assets and responsibilities is of critical importance, where a group or a person may be responsible for an asset entity or an asset entity group.
Two levels of automation we face today: the automation of software production with DevOps and DevOpsSec, which is not relevant for this context. But the automation and orchestration of vulnerability scanners are highly relevant. Main processes must be efficient and automated; meanwhile, zero-day-exploits must be followed and evaluated still hand-picked. Those two approaches must be connected and tuned to each other.
Another issue is the gravity of CVSS rating depending on the respective security zone they show up: The rating may differ from the systematic rating because of enhanced or diminished business impact. The number of false positives, i.e. of false alarm is paramount. Unless this number is sufficiently low, these systems bring no value for the company. Finally, the everyday day routine, including the human factor within groups and between groups, plays a major role in the success of the next generation of vulnerability management.

It is very simple: CISOs need more security investments to improve security.

Decision-makers want to innovate businesses and create more revenue. In this role, decision-makers must be risk-takers: no risk means no new business. On the other hand, CISOs feel responsible for the company’s security and hate to have serious incidents. The anger would be even higher if a serious incident could be avoided with a recently rejected security project proposal. And the natural tendency of CISOs is to be risk averse. CISO must be aware of this opposing attitude of the decision-makers.

In the analysis of optimizing this ecosystem, there are two tools CISOs are using:

Reporting: This is how decision-makers receive information: There was sufficient education for them, and they know how to process the information.

Risk communication and reporting: Cyber risks are not in the core competence of decision-makers. And cyber risks are competing with many other risks for funding. The usual way of risk evaluation, likelihood, and anticipated damage is somewhat shaky because it is often a quite heuristic approach. Science and companies are developing new tools for making the risk assessment process more transparent and with better traceability. Does this change the mind of the decision-maker? Of course, there is still a gap between formal risk and business impact. But only business impact is relevant for decision-makers, and CVSS vulnerability scoring does not usually trigger any action.

Addressees of these efforts are board and executive management. Both addresses have different roles, and we want to elaborate on these roles and the variation between the various companies that will be present.

This summit aims to enrich each other with strategies, a successful mix of reporting and risk communication, and a topic and methodologies that look great but could be better in this context. Marcel Zumbühl will open the board perspective. We can learn how to prepare the communication with the most important facts and eliminate all that bothers the decision maker but has no real effect.

As a result, we hope less work will result because prepared information is more targeted and tuned to the decision maker. And probably, in some cases, also a new dimension of humility because we have better acceptance and understanding of the decision maker’s views.