This is a security session, and we'll talk about cyber security and all things related to that. The plan for today: this session is a general session of interest related to security, privacy and other topics. We'll talk about why security is important or not, what we should do, and about very common misconceptions in the security area. The second session is a more technical deep dive, which will happen in a couple of hours from now. We will go to a different room and talk more specifically about DHIS2 hardening, answer your questions and take some feedback. We'll look in more specific detail at implementations, at how security and DHIS2 work together, and at how we can make our systems more compliant, safer and more robust depending on your use case.

A couple of words about myself. I have been working in cyber security for more than 20 years and have done a lot of things, including security auditing, penetration testing, compliance, privacy, various application security, engineering, teaching students and other things. I've been working with DHIS2 for two years and I am based out of Oslo, Norway.

To make this session a bit more interactive, I have a backlog of questions. It is literally a Google document that you can access by this link, either via the QR code or via the link security.dhis2.org/ask. You can write your questions there, or feedback or comments, as I speak. Either we will pick up the interesting questions and discuss them here, or I can provide the answers after the meeting in the document itself, and it can be used for future reference; we can also discuss them during the second session. If you need me to share your comments, you can write your name or email if you'd like to, or you can stay anonymous, so it's totally up to you. But it's important for us to get feedback, and maybe it's more handy than asking a question during the session.
To begin with the main topic: our talking about cybersecurity here came from two different situations. The first one is when people come to us and say, "Oh, we would like to do security properly and we don't know how to start," or "We bought a very expensive security device, a firewall or something. What should we do?" This is one situation. Another one is when we meet our implementers and they say, "Oh, we just had a security incident. The system is not working, people can't use DHIS2, and we don't know what's happening." We're always somewhere in between these two situations: one when we would like to do something really cool and do everything properly, and sometimes it's too early because it's hard to navigate and to understand what we actually need to do; and the second when it's a bit late: "Oh, we are in a crisis now and we need to help our implementers to resolve the issues."

So we'll talk about what happens in between and how to approach security properly, because in the world of consulting, in the world of what we hear and listen to, there are a lot of different ideas and trends, and security is not the easiest domain to understand or to get into. I will try to untangle all these stories, the important ones, here and talk about them in a bit more detail.

A very practical question: how would you define a risk? Do you have any ready definitions or anything to share? Okay. Typically, once I ask this question and someone has a ready answer, there are like 10 or 15 different definitions of risk. I think in the previous presentation Bernard talked about risks, and he definitely had some meaning in mind. When I talk about risk, there is also a kind of definition of that, and there is a general one that was quite recently adopted by the ISO organization. It is as simple as this: risk is the effect of uncertainty on objectives. It comes from the standard.
In certain cases it is important to understand that there can be different interpretations or different meanings of that, but in general it's the effect of uncertainty on objectives. The important takeaways from this very short definition, which may not be very familiar or common to everyone, are that it can be either negative or positive. So risk, including security risk, can of course be a disaster, or it can also be an opportunity, something that can help us. So it's not always negative. Risk is always connected to the context, to the goals or objectives of the organization, and it's also related to the uncertainty or likelihood of an event that may or may not happen.

In order to talk about security risks and to plan and implement our security response properly, we need to start with a very high-level risk management exercise to understand what is really important for the organization and how to deal with that. The first exercise that we'll do is looking into what our objectives are. If we had a workshop, we would do it in groups or in other ways. But now, as a personal exercise, you can try writing down, as I talk, the main goals of your organization, and you can try to see if you have enough protection against the risks. You don't need to share it with anyone, but it's a good mental exercise for yourself to see: "I'm working for a public health institution," or "I'm working for an NGO," or "I'm working for a private company, and these are the organization's objectives, the goals. Is there anything related to cybersecurity that can happen and can damage the delivery or impact reaching these goals?" Typically there are really a couple of things that are the main, principal objectives of the organization, and understanding the potential risk effect on them is the second thing.
Once we write down what is most important, the values, the processes, the core activities, then we try to think: okay, this is what we do and here is the potential risk. The third step is to assess the likelihood of what bad can happen, and then create an action plan. So it can be a mental exercise, and we'll try to go through the different steps. Once you come back home, I suggest doing this exercise with your teams. If you do it now, we can discuss it during the next meeting or outside of the sessions, because in many cases people start implementing security measures without doing this kind of exercise, or vice versa: they haven't done it and they face the real risks before recapping what the objectives are.

To make this a bit easier, let's look at it from the point of view of the defender, the organization that is being attacked. What bad can actually happen? The most immediate is a failure to provide public service. It can be a violation of the law, for example in the case of privacy data leaks where citizen or employee information becomes publicly exposed. In some cases it might be a direct financial loss. It might be reputational damage, and maybe something else. Do you have any examples of what is important or what bad can happen to your organizations? Is there anything missing from this list that is important for your teams? Yes, please.

I guess what's important is that data security is more of a factor. You have a lot of information, and you need to ensure that your data is secured. I guess DHIS2 does provide end-to-end encryption, but there are other security threats as well, so you need to look around that as well.

Thank you. So you mentioned encryption, and encryption is treated as one of the solid protection measures. But how do we make sure that encryption works in this case? It is a very common idea that every product should have a lot of security features.
But using them properly is also an art, a kind of knowledge and skill. That's why we typically should ensure that we select and implement these measures properly, based on the goals of the organization. So yes, it's true.

From practical experience, if we look at the history of security incidents in the last two or three years globally, for the private sector the biggest threat is clearly financial loss, because once the organization loses money, it breaks the business model. I think most of the organizations that suffer are banks, insurance companies, and all kinds of retail services where you have some material assets. But this is not our case. What are the biggest threats that impact the public sector, or NGOs, or organizations that don't have any immediate financial assets that are attractive to attackers?

It's often mentioned, and I think it's the kind of last-resort threat, that it is reputational damage. It's often believed that reputation is something very important, and that if you have a security incident it can't be recovered and there is a significant loss. Practice shows that in reality it is not always true. Reputation is extremely important, but it's about handling the PR response. It means that as we proceed in time, if we handle the response properly, it's not a big problem and the organization can recover from it. One important thing to consider is: okay, we need to have someone to respond to the incident and to manage our public communication in the crisis, and then I think we are generally covered. If you heard about the major security breaches of the last two, three, five, ten years, all the organizations that suffered from these breaches survived, they continued operating, nothing happened to them. They had a lot of problems, but they were not existential problems. They did not stop; it didn't prevent them from working further.
So it looks like a problem, but not the major one. For the public sector, I've been talking to different people and I've heard that there are two bigger problems. One is legal non-compliance and violation of the law, for institutions that should support and demonstrate a good example of following the law. I think all kinds of privacy non-compliance, technical non-compliance and data governance non-compliance have a real effect, which can lead to court claims and to different issues related to general national data security and other things. So if we look at security from the compliance perspective, following the compliance requirements is extremely important, and if something is not in place, we should pay quite a lot of attention to it, because any security issue undermines the whole legal structure, the whole legal approach of the organization. In the next session we'll talk a bit about what kind of compliance requirements can be implemented in DHIS2, what we support and what is outside of DHIS2 as a product. As compliance is an extra burden for any organization, I think our mutual goal is to make it as efficient as possible. So the best-winning organization is the one that can introduce and implement compliance in the most lightweight and easiest way, and this is what we're aiming for.

Another thing, as we're going from bottom to top, is failure to provide public service. If the government or public function is not working properly, it typically impacts a lot of internal KPIs or a lot of organizational policies. Typically, if something stops working, it's a problem because citizens can't get the service, data is not available, and there are all kinds of operational issues. So these are the most typical things that are at risk, and it means that the investment, the money that was spent by the organization to make it work, is kind of wasted.
And the instrument, the tool, is not working properly. I think these two are the biggest ones, and if you have any feedback and comments on that, let's discuss it later.

Now let's look at the attackers' point of view. How do attackers see the same story, what's important for them? Because once we understand what they're actually looking for and why they attack our systems, it makes our task of protection much easier. All that I'm talking about is based on experience that was reported by DHIS2 users; these were real-life cases of what happened, and they are supported by any other product in the industry.

From the attackers' perspective, the main interest is typically a financial interest, no surprise. People are interested in getting something for free in order to be able to either resell it or use it for some kind of malicious purpose and get some monetary gain from that. The most typical thing is: okay, we have installed DHIS2 on a brand-new server, and in a couple of months nobody was checking what's going on in the server infrastructure, and we noticed that the server is overloaded, there is abnormally high system utilization and we don't know what's happening. We're running the latest DHIS2 version but we don't know what's in the server environment. Then we help the team to understand what's going on and see that there is a crypto-mining tool consuming all resources and trying to mine cryptocurrencies on the server in the background. From our perspective it's a very strange use case: people got into the system not to steal our data, but just to use our computing power. But it's a security breach, it's a violation. Our users can't work and there is someone who is not authorized sitting in the system and doing bad stuff.
The motivation for the people who do these kinds of security attacks is just to get some extra CPU power, or to create a botnet, or just to proxy traffic to some other services, or to use it as a platform for attacks. This is a very typical example; we typically ask why, and the answer is just because it's a free resource that can be hacked.

The second thing is selling user accounts and personal data. It's mostly related, again, to banking institutions or high-profile or high-value accounts. But on the black market, if you get the personal data of someone, it can be sold for roughly from 10 cents in US dollars, or like 10 to 50 cents, up to 5 or 10 dollars per account. So depending on how many user accounts you are able to mine and hack, including personal data, emails, phone numbers, social security numbers, whatever, and depending on the country where the data originates, you can create and sell a database of these accounts and get some extra money. This is a profitable business, and then these databases of user data are used for spamming and for different social engineering attacks, and these aggregated and curated arrays of data have a certain value on the criminal market on the dark web. If you by any chance have access to the dark web, you can see the marketplaces where different databases are sold, and they have very specific and clear monetary value. If you have roughly a thousand users or a thousand records, it can be worth from like 50 dollars to hundreds or maybe thousands of dollars. So this is a clear financial motivation.

The third case is, on one side, I would say very exotic; on the other side it is increasingly common nowadays. It is related to targeted interest in your systems, and this is probably an attack that you will not even notice. It's related to APT actors, advanced persistent threats. These are on-purpose hackers that are looking for data or for information in different systems.
We know that all kinds of state hacker groups, state-controlled groups, combat in cyberspace, and in some cases your systems can also be the target if they consider that your data is valuable. To make this assessment, they need quite a justification for accessing this data; they need a very specific interest and a very specific purpose. We know examples of data being collected kind of randomly but then analyzed and processed, not in the case of DHIS2 but in the case of other popular data leaks that happened in the public sector in the last 5 to 10 years. Typically it can be getting the voting database of the whole country; there were cases when the whole population register of one Asian country leaked like two years ago, and the same happened in South America, as I recall. So there are quite a lot of well-known examples of that, and I think this data was processed and released to the public for a specific purpose.

The fourth case is script kiddies. It's all kinds of random stuff happening on the internet: young geniuses, students or other people who would like to try brand-new security tools, or regular internet noise, automated scanners or whatever. It can impact your systems even if you don't think about this. So it's regular internet noise that happens all the time. To give some understanding of how polluted the internet is: for example, if you take a brand-new computer connected to the internet on a public address, someone tries to connect to it within 30 to 15 minutes with some kind of security attack. So the internet space is scanned and assessed all the time by multiple parties, and it's part of the regular noise that happens there. These kinds of attacks may be quite harmful, or they can be quite harmless. It's really hard to predict.

What could go wrong? What are the typical problems that happen and that everyone should be aware of, on a very high level?
In the last 20 years, or all the time that I've been doing security, weak passwords and all kinds of lack of security hygiene have been the biggest problem ever. We talk about passwords all the time. We have implemented a lot of improvements to that, but at the end of the day, new users, experienced users, everyone gets hit by password attacks, and with the development of technology they become more and more sophisticated. So it's not only that you have a password from 1 to 6, or a password which is "password", or the password "incorrect", because it's an old meme in security. It's different combinations of that, but in a nutshell it's about lack of security hygiene and not using the basic rules that you can either read online or get from the security teams in your organization. So it's about very simple, human-factor-related security hygiene things.

Second: we've just installed our system, we configured it in some way, and in three days it got hacked. There can be different reasons for that, but once we use up-to-date software and we have designed it properly, the most common cause is lack of configuration, or improper configuration, or just not doing the full deployment to the end. It means that with the complexity of modern systems, the more complex environment you have, the bigger the chance of doing something wrong or not fulfilling all the security requirements. So we try to make DHIS2 as easy to install as possible and to ensure that safe security defaults are always in place. The only solution here is to study a lot about how to deploy systems and to not overcomplicate things once you discuss and plan your deployments.

The third most common thing is outdated software, lack of updates. There were some discussions about it, but running legacy software is almost always a bad idea, and in the last two years this got extra flavor.
There is a term called supply chain, and it means that not only the software that you run DHIS2 on may be vulnerable, but all the dependencies, all the components that were used to build this software, can also be vulnerable. If you update the package itself, there is no guarantee that the dependencies that were included in this software package were not vulnerable. In our case we have an automated process of developing and checking all the dependencies for DHIS2, but if you use an operating system or database with some other dependencies that were not checked, you are potentially at risk. Attackers are always trying to find the weakest part, the weakest element, in this chain, and it means that if they are not able to attack your system, they will be looking for the vulnerable parts of the supply chain to attack.

The last case is poorly designed or developed software, including the same supply chain. If you are using some technologies to deploy systems on that are poorly designed or lack security controls, it means that even if you use very secure software, the underlying layers are at risk. I was talking to one of the NGOs in Norway last week and they told me that they had invested a lot of time and resources in building the security of their systems, but as they were running a lot of different applications, and people in the different countries where they operate had a lot of different technology stacks, the effort was not worth it, because they simply did not cover all the underlying layers, and the design decisions that were made by people in different countries were not always good from a security perspective. So whatever they built on top of that was not secure, just because of the vulnerabilities in the underlying platform. So a holistic approach to security always wins, but it's not an easy thing to do at once.

After talking about motivation, after talking about impact and failing to reach the organizational goals,
the remaining component is likelihood. For example, if we try to do some kind of risk management for banking or insurance, they've been doing it for hundreds of years and there are really good mathematical and statistical models: you can predict the likelihood of such an event, or the credit score or the reputation of the loaner, or many other things related to insurance, based on very proven mathematical models. This is not the case for security yet. If we look at the history of the whole cyber stack, I think the first quantitative efforts, the first quantitative model for security, appeared in 1992 or 1993, and we are still not there yet, although we have a lot of data since then. So most of the approaches are very qualitative. We talk about the exposure of the systems to the internet: if you have anything connected to the internet, there are high chances that it is hacked; if you run outdated software, there are high chances that it is hacked; if you don't have a really good understanding of security within your organization, it is also a signal that something bad can happen. There are a lot of criteria that we can discuss in more detail during the next session or outside of the session rooms, but in general we try to select the most important criteria based on the qualitative assessment.

This is what shows the real attitude to security: when everything breaks, there are some who say, okay, there is no problem with that, and these are the common explanations. I am sure that you've heard them from someone in your organizations: we don't have budget, we don't have time, we don't have skills. It looks like security is not a priority for many, although the number of security incidents and the severity and impact of the incidents grow from year to year. From the statistics that we have from 2022 (this year's are not available yet), I think that every third organization in the world had a
security incident. So it means that in this room there is a likelihood that one third of the people have faced a security issue, or will face one through this year, as an organization. So it's quite a lot and it's growing, and the big problem is that attackers see more and more value in user data and in cyber attacks, and it becomes much more profitable for them to attack. It means that the stakes are growing and we have more and more problems, and we are still not there yet because we really don't have enough awareness and sufficient knowledge, because it's a not very trivial domain to understand. For example, in general physical safety, when driving a car many people use seat belts, or if you go to the airport you go through security checks; it's very different from what was in the car industry 50 years ago. So I assume that in some years we'll come to the same state, where we go through the scans and use some belts or similar things in the security domain. But in general we don't understand the impact and the severity of the risks that happen, and once we don't understand them, we don't make a proper risk assessment, our risk appetite is too optimistic, and we are more on the incident mitigation side rather than on the incident prevention side. What happens is that the perception changes: people think more about security, but typically it is based on incident follow-up rather than on prevention measures. This is exactly what we're going to change together. We're trying to encourage you to think more about cybersecurity, to educate your peers and your colleagues, and to grow the security awareness and knowledge within your organization.

So what can be improved?
First, everything starts from the top, and it is important to raise security awareness on the executive level. The biggest justification for that is that we would like not to report to our managers about the ongoing crisis, but to report that we have prevented it, or that we know how to prevent the potential crisis. It means that before doing anything we need some management commitment, management support and management understanding that it is important; otherwise we will just be mitigating one incident after another, and it is a painful, low-efficiency way of doing things. The second is making a proper risk assessment and risk choices, and it's about agreeing what the impact is and what the priorities are. The third thing is having clear ownership of data and systems within the organizations, in the same manner as someone owns all the physical assets, and in the same manner as there are people responsible for teams, for team management, for all kinds of physical assets, processes and other things. It's about assigning roles and responsibilities based on ownership. This list can be extended; this is a very high-level thing, it is something that we start with, but there is a huge layer of technical and practical security happening once we get the management support, or once we get to the technical department. This is what we are going to talk about in the next session: DHIS2 security practices, hardening DHIS2, compliance and making compliance easy, and answering your questions. That's all from me. If you have any follow-up questions now, please ask.

Thank you for your presentation. I'm Intan from Indonesia. I have two questions for you. Has DHIS2 received ISO 27000 certification? Because it is very important for me: in the next years we will have ISO 27000 certification, just like the standardization from our government to connect to the population data system. So this is one question. And the second is: what is the difference
between ISO 27000 and the ISO 31000 that you said before? For the risk management approach you use ISO 31000; what is the difference between the two types of ISO? Because I know that in ISO 27000 there is an approach to risk management, so what is the difference between the two types? Thank you.

Thank you, great questions. Let's start with the first one. DHIS2 does not have ISO 27000 certification because it does not apply to the software. ISO 27000 is information security management systems compliance, and it tells how organizations are, or should be, compliant, or should be managing their security in accordance with best practice and with the standards. It means that once you come to the software, there should be a different standard that applies. If we look at ISO 27000, there is a chapter that is related to software systems development, where you describe how your organization acquires or develops software. This is the only part where you can find some kind of connection or some compliance requirements that may apply to us. If we talk about general requirements like logging, access control and password policy, DHIS2 supports them, but it is always up to the implementation: it's how you configure the system rather than what the software can do. In short, the standard itself doesn't apply. We would say that for software applications there are some better standards, like all the standards that describe security in products. But if you would like to find some mapping between DHIS2 and ISO requirements, there is application software development and acquisition, there is access control, logging and the typical things that should be implemented in organizations for all the systems, including DHIS2. If you have some specific requirements on how to address DHIS2, we can take it to the next session's discussion to go into details and see these mappings. In addition to that, there is a really good website, I'll share the link in the document a bit later, which
makes a compliance mapping between different standards, for example ISO, NIST, the French ANSSI and other standards. So if you are compliant with one, or would like to have some requirements in alignment with one standard, you can see for example how it matches all the others, and it's really helpful for navigating this kind of set of different requirements. We also use it internally when we check if there is anything that matches and applies to our environment. So that's it, but I agree that there can be specific cases where you should consider how the system is implemented to ensure compliance with ISO 27000. Internally for our organization we didn't consider that, because we are developing software, and in order to establish a secure software development process we need a bit more detailed standard than ISO, and we are aiming for compliance with those standards as well.

Second question, the difference between ISO 27000 and ISO 31000. As I mentioned, 27000 is the information security management system standard and it talks about information security. 31000 is a risk management standard which tells how an organization can manage all kinds of risks, including security risks. For some historical reason the definition of risk sits in the ISO 31000 standard rather than in ISO 27000, but ISO 27000 refers to ISO 31000, so they kind of harmonize with that. So if you are required to do some risk management as a general organizational practice, you can have a registry of risks for your organization, ministry and so on; you can look into ISO 31000 because it has really good guidance on that, and you can apply it to the general organizational risks, the policy risks, the compliance risks and the security risks as well. And as a last addition: it's a relatively new standard, and it's actually good to use because it's quite new and considers a lot of the security area.

I see someone from the back row willing to ask a
question.

Thanks, Michael. I'm actually just relaying a message from the document that you shared, but I think it would be a really great thing for us to talk about here today. The question, I'm just going to read it directly because I think it's pretty good: is there any security document available for DHIS2? Do you do any pen testing, is there any other testing that's done, and are there any security standards that you choose to comply with, which maybe was talked about a little bit already? I think that would be great. I have it open here.

Thank you for reading. So many questions in one, and really good that they were asked. Security document available for DHIS2: everything that we do as open source is public, so we have two web pages, and I'll write them in the document later. One is dhis2.org/security, which explains the security features of the product, and the second one is dhis2.org/trust, which explains how we do security; the high-level explanation of our security approach is on the second link, dhis2.org/trust. For pen testing it's a bit more complicated, because DHIS2 is open source and everyone can download and install the software. It means that if we test something, we can get a radically different result from what you test in your environment. For example, when someone sends us pen testing reports from the field, we see that roughly 80% of the vulnerabilities found are not related to DHIS2 but to the specific implementation and configuration issues, or software security issues in that installation. So what we can do is have a reference setup of DHIS2 and make a pen testing report. We did it internally for the current release and we are going to make it public in the next months, to have something available, but it will give some estimates about our security level for our own setup. So for your implementations we always recommend having your own penetration test, because it will consider the features you have installed and how it is configured
in your environment and for us we always love to receive penetration testing reports and if we see something important there that is relevant to DHS-2 we definitely consider proof and put into the bug fixes as well as you can see they have some security components and changes there so for other testing done we do security scanning of the code source code with the public tools and we have public dashboards I will share the link for your reference for the next session and we do security audit of every new big release as for now starting from the last version we released and for the senders I think I answered that but we are aiming to comply with the OWASP web and mobile application security standards and software assurance maturity model which is most relevant for security teams and software teams going to touch something around data disclosure agreements about what? We have one as a template that was created roughly three or four weeks ago and we can talk about this in the next session because it is a specific use case but we have a suggested form of data sharing agreements that DHS-2 implementers and contractors that support the system with some security component included Thank you everyone so we will end the session there just to remind you that Michael has a dedicated session on security and he is of course here for the next couple of days please feel free to reach out to him and speak to him but of course he has a dedicated session where we will get into more details so T is already outside but just before you break for T so the first thing is I again urge all of you please join the WhatsApp group because we always communicate everything in that WhatsApp group because we have one more city tour plan for today so if you are not in the WhatsApp group then you may miss important messages so please do that and secondly about the Google form that we have shared in the WhatsApp group only 80 people have submitted so far so we have around 25 missing unfortunately if 
you don't submit it by this by today noon we might not be able to share with you the certificates and other documents by the end of the week and finally about the people for the people who have paid us on site the registration fee you will be receiving a soft copy of the receipt during the day in case if you don't receive it by tomorrow morning we will meet our team at the registration desk and let us know that's it thank you we are breaking for T please if you will come back at 11am and we will continue with our country presentations we do have quite a few today so we just want to be on time so we will start back with our colleagues from Libya so please enjoy your break thank you and soon to be seen through some very different eyes those of his exotic wildlife from the crystal blue waves of the Indian Ocean where giants gather together along the sandy beaches of Gaul home to newly hatched turtles through the temples of Polonarua to meet cheeky locals and to the highlands seen for the first time from an eagle's eye Sri Lankan wildlife presents so majestic so playful so vibrant so Sri Lanka Sri Lanka lonely planet destination of the year 2019 beautiful vibrant and soon to be seen through some very different eyes those of his exotic wildlife from the crystal blue waves of the Indian Ocean where giants gather together along the sandy beaches of Gaul home to newly hatched turtles through the temples of Polonarua to meet cheeky locals and to the highlands seen for the first time from an eagle's eye Sri Lankan wildlife presents so majestic so playful so vibrant so Sri Lanka
