Deloitte has a broad portfolio of products and services. Broader than you might think at first. For example, within Deloitte Risk Services we have the Security & Privacy department. This unit helps clients with the questions they have in the field of information security. In March 2012 the Deloitte Hack.ERS team (part of this department) even became world champion in 'ethical hacking' at the Global CyberLympics.
The Global CyberLympics is an initiative of the International Council of E-Commerce Consultants (EC-Council) and is supported by the International Multilateral Partnership Against Cyber Threats (IMPACT). The aim of the CyberLympics is to improve the level of cybersecurity within countries and also to increase cooperation between countries.
Below is an interview with one of the members of this winning team.
1) What is the general idea of the Cyberlympics and why did Deloitte decide to take part?
The Global CyberLympics is an initiative by the International Council of E-Commerce Consultants (EC-Council) with the support of the International Multilateral Partnership Against Cyber Threats (IMPACT). The goal of the CyberLympics is to raise awareness for increased education and ethics in information security.
We joined as a Deloitte team as a training and benchmarking exercise. Participation in this sort of event helps us to keep up with current developments and provides a good opportunity to support education in this area.
2) What are the tasks the Deloitte Hacker Team had to solve during the Cyberlympics and how does it serve Deloitte in general?
At the start of the CyberLympics all eight teams were provided with a number of Windows and Linux servers. The goal is to keep your own servers running while hacking the servers of the other teams. When a server is hacked, a signal is sent to the scoreboard and the team which hacked the server gets points. Whenever one of your own servers was not available, you got a negative score.
Additional points can be obtained by answering questions like “What is the balance of account number 1234 on the banking application of team X?” This requires you to find specific information on the servers of the other teams.
Lastly you could gain points by opening physical locks with a lockpick set to represent a physical hacking challenge.
Participating in this kind of contest helps Deloitte in providing outstanding security consulting services to clients. Furthermore, it is a lot of fun to compete and participate :-)
3) What kind of cybercrime did Deloitte deal with recently?
Deloitte is constantly helping its customers to improve their security posture. This is done by supporting organizations in managing cyber risks (by performing security testing or defining a security strategy), raising awareness and skills within organizations (by providing specific training), implementing security processes and technology, or providing support during cyber security incident investigations.
4) How would you quantify the losses caused by cybercrime and which are the most affected areas?
Cybercrime has a number of aspects which make it hard to give any accurate numbers on the current losses:
• One of the trends of the last year is that non-financially motivated hackers are causing a lot of damage. Most damage in this area is reputational damage to the company, for instance by making classified information (usernames/passwords, emails, etc.) public. This type of damage is very difficult to measure, but can have an enormous impact on an organization.
• The first step in solving any crime is detecting that it happened. Because information can be copied without anyone noticing, it is hard to estimate what the actual numbers on cybercrime are.
• Because reputation is a part of the damage a company can sustain from a cyberattack, a lot of companies choose not to make this information public when not strictly necessary.
All these factors combined make it near impossible to make an accurate statement on the actual losses due to cybercrime. From the limited data that is available, we can safely say that cybercrime is costing millions of euros in the Netherlands alone. The NVB has recently published that in 2011 internet banking fraud resulted in a loss of 35 million euros.
5) In your opinion, what kind of controls should every institution that handles customer data implement in order to protect against cybercrime?
The beauty of this area is that there is no single answer to that question. All circumstances require a different level of security: when I do internet banking, I want to be sure it is safe and do not mind having to type in an SMS code or a code from a separate device; however, when I log into Facebook I do not want to bother with difficult security measures. Therefore I think the most important thing any organization should have to protect itself is a good risk management/risk assessment department for IT security that ensures the right amount of protection goes to the right areas.
6) How do you assess the information threats of social networking companies like Facebook?
Social media is a great source of information. This information can be used in many ways, like staying in touch, sharing experiences, or finding new jobs. Unfortunately this information can also be used in bad ways, and hackers use this information all the time. I still believe the benefits outweigh the negative effects; however, we should be very careful what kind of information we share with the rest of the world.
7) Do you think that the development of an international framework regarding information security is favourable and possible?
There are a lot of attempts to standardize information security management, information security controls, etc., and I think it is a good thing to have choices and to choose what best fits the organization and the information you are trying to protect. However, the more standards there are, the more difficult it will be to choose the right framework.
To come back to the earlier question on controls any organization should have, I do not think there is one “silver bullet” that will work for all organizations. The same goes for a framework; you should always choose the framework that fits your goals and organization best.
8) Today new technologies are released frequently, but they are not necessarily flawless. How do you assess the development of cybercrime in the future and what will be the upcoming challenges regarding cyber-security?
The speed at which new technologies are introduced is ever higher, which puts a tremendous strain on the security industry. Since security is a relatively young field of expertise, we have a lot to learn and have good growth potential, but we will need to keep innovating in finding new solutions to cope with all the new technologies.
I think with the right people and innovation we will keep finding ways to keep the world a reasonably secure place, also in cyberspace.