cybersecurityeurope PAGE 38

essential step in enterprise security strategy is to include security controls in the Software Development Life Cycle (SDLC) [a process for planning, creating, testing and deploying an information system]. To reduce the risk of a successful application attack, security aspects should be included in every phase of the SDLC. The architecture should be done properly and with great attention to detail. The sooner security experts are involved in the process of application development, and the sooner security vulnerabilities are found, the lower the costs of application changes become. What’s more, even if you create a perfect IT security system, you still then have to manage the human factor. Companies need precise processes of code review and employee training.

CSE: Cyber attacks often betray the ‘signature’ of the attacker and reveal insights into their future approach. Are we getting better at anticipating hackers’ future orientation, and at planning our cyber security strategies accordingly?

PJ: OK, so this is what happens: a cyber-attacker gets into your infrastructure and, using a server misconfiguration, creates an account by himself and… And what? This is the moment that we wonder if we could prevent this action from happening, and trace back a hacker’s activities in our systems. Luckily, (with digital systems) nothing can be completely hidden. In order to provide hackers’ future orientation, and to get better than a hacker (in the) cyber security race, we should be constantly carrying out research to find all vulnerabilities before they are found by someone wearing a ‘black hat’. It is extremely important to focus not only on the current moment, but also on the cyber security future. It is simply not possible to secure the infrastructure with outdated knowledge about the potential attack vectors. With every new tool or solution we are getting better and better.

CSE: How can organisations extend the scope of their threat intelligence to gain better knowledge of who targets them in cyber attacks?

PJ: The most important notes from contemporary surveys are that, for significant data, cyber criminals’ targets are now bigger, and their rewards greater, than in years past. The simplest answer is that you should be aware of who can get the most from stolen data.

It’s simply not possible to secure your infrastructure with outdated knowledge of your attack vectors.

While new technology and solutions can help CISOs make better decisions for an organisation faster, nothing is more essential than having a second pair of eyes. To be precise, in order to gain knowledge about potential attackers, organisations may use specialised techniques known as OSINT (Open Source Intelligence) and SOCMINT (Social Media Intelligence).

CSE: Does top management in some companies still view penetration test programmes as a ‘nice to have’ but not an essential?


PJ: To make penetration tests more compelling, we often provide our potential clients with samples of our reports. In many cases they understate the value of penetration tests simply because they are not aware of all the connected benefits. Penetration testing is not only about finding the vulnerabilities. Our reports always contain deep technical descriptions and recommendations on how to mitigate them. Sometimes we perform a demo to show how easy it may be to ‘hack in’ and gain high privileges or sensitive data.

PAULA JANUSZKIEWICZ IT-SA KEYNOTE 11 OCTOBER 2018 | 12:00pm-1:00pm, Forum I10 – International, Hall 10.1, Nuremberg.
