Where To From Now? MCSC 2024

The 10th anniversary of the Munich Cyber Security Conference (MCSC 2024) occurred las week, in Munich at the IHK für München und Oberbayern , themed with "Where To From Now? Ways Forward Out Of the Cyber Conundrum"

Here are my individual reflections following the conference attendance. The opinions expressed in this write-up represent my own and not necessarily those of NVISO or its associated entities worldwide.

How blurry are the lines between cybercrime and geopolitics?

One of the panel discussed the increasingly complex interplay between cybercrime and geopolitics. The reliance and security of cyberspace are becoming increasingly crucial to the future of our society. Governments are recognizing the need for collaboration between public and private sectors to safeguard elections and democratic processes. Adversaries are using advanced technologies, including AI platforms, for espionage and warfare, blurring the lines between cybercrime and state-sponsored activities. The distinction between cybercrime and geopolitical actions is fading, making it impossible to ignore the threat of state-sponsored cyber attacks.

Therefore, the in-depth discussions explored the advancements in the digital realm, particularly how the highly-targeted financial sector has strengthened its defenses against cyber threats over the time with frameworks like #TIBER for objective-based red teaming. Our colleague Nico Leidecker of NVISO Security explained recently at the German Ard Tagesschau how modern attacks can leverage AI during the social engineering phase.

Further key takeaways from the panel discussion to increase the resilience, include:

• Operationally, regulators and organization (especially in the financial industries) are implementing threat-driven red team exercises (like TIBER) and purple teaming exercises to identify and assess vulnerabilities. NVISO Security is benefactors of the MITRE Caldera v5, code name “Magma" and is extensively in our managed services offering to ensure continuous improvement of our detection analytics and response playbooks. We believe Caldera is truly a force multiplier for blue teams, by allowing them to emulate adversarial techniques ‘at the click of a button’. Learn more about Caldera here: https://medium.com/@mitrecaldera/announcing-mitre-caldera-v5-06798b928adf
• Organizationally, Chief Information Security Officers (CISOs) are gaining influence by reporting directly to the board, which improves strategic decisions related to cybersecurity.
• From a regulatory standpoint, the creation of a Cyber Risk Profile (CRI) is promoting a shared understanding of cybersecurity challenges among banks, regulators, and technology providers.

As described above, I am very proud of NVISO Security and our partnerships with numerous institutions in finance, industry & other organizations like SANS Institute , aiming to bolster the industry's resilience.

Thanks again to all the valuable insight by participants of the sixth panel Sergej Epp & Rafael Garcia Oliva & Ron Green & Cheri F. McGuire & Cheryl Venable

My personal lessons learned with an cybersecurity icon - Bruce Schneier

At the MCSC 2024, I had the privilege to exchange personally with one of the cybersecurity legend Bruce Schneier. We discussed the aspects of AI′s growing role in connecting and controlling the IoT, leading to transformative changes in how we interact with technology and the world around us. Future AI-driven industrial control systems will independently manage traditional factory robots and schedule everything from operations towards automatic order supplies, finances and accounting. The control of large-scale, decentralized artificial intelligence systems that manage our operations is critically important.

One of my essential key takeaway of our discussion is that AI needs to be both trusted and trustworthy.

(IoT) Security by Design - Illusive, or will Norms and Standards prevail?

The Internet of Things (IoT) is evolving into a system where the traditional concept of robots is being redefined. Instead of standalone mechanical devices, modern robots are becoming interconnected systems with distributed sensors and actuators, with their processing logic located in the cloud. This network of devices functions collectively as a singular robotic entity. The integration of large language models (LLMs) like GPT and other AI systems is enhancing the IoT's capabilities, enabling these systems to understand human language, interact with human-oriented interfaces, and make decisions based on sensor data. In 2024, AI is expected to further merge with the physical world, controlling IoT devices and managing complex tasks such as energy consumption, industrial processes, and autonomous vehicles. This shift requires a reevaluation of security and trust in AI systems as they become more embedded in our daily lives and critical infrastructure.

The #AI #Act & #Cyber #Resilience #Act and other regulations across the world are showing a paradigm shift from user responsibility towards producer accountability for cybersecurity. Taking these measures to safeguard our digital environment is a crucial action. Regulations and certifications can provide a minimum requirements to protect data and prevent cyber attacks. The shift to producer responsibility could also support the get closer towards the goal of "Security by Design". This is a complex undertaking is possible according to the majority of the panel′s participants. To be successful on this journey, it is vital to enforce standardization and harmonization of safety certifications and to achieve a consistent protection of our digital tools in daily lives. Additionally, the collaboration between the EU and the US regarding harmonization of cybersecurity certification & standardization can have be impactful to enhance our shared cyber resilience.

Furthermore, Samantha Kight shared an interesting aspect about standardization within the panel discussion: "Some people within the industry share the perception that standardization are static and are not evolving over time, but according to Samantha it is crucial that standardization a vivid documents and are dynamically developed by community groups or working groups etc.". Additionally, during a coffee break I discussed the same topic about standardization with Claudia Plattner from the Bundesamt für Sicherheit in der Informationstechnik (BSI) and shared the vision. Both statements makes me confident that NVISO Security is on the right track with our contribution within working groups or standardization like at the OWASP? Foundation with the IoT Security Verification Standard by Cédric Bassem (please find more information here: https://owasp.org/www-project-iot-security-verification-standard/ )

Thanks again to all the valuable insight by participants of the fourth panel Thomas Rosteck & Samantha Kight & Peter Stephens & Vincent Strubel & Luis Jorge Romero & Katerina Megas !

Where To from Now?

I firmly believe that we will collectively tackle the challenges in our industry in 2024 and achieve success. I eagerly anticipate the opportunity to meet all of you at the #MCSC 2025 next year!

Thanks again for organising this great event Peter Moehring !