WHAT IS CYBERSECURITY? INTRODUCTION Every day we hear more about cybersecurity, at the same time that we see in the media various news about hacks, information leaks, identity thefts and other attacks and threats. Incidents with worldwide coverage such as those of Wikileaks raise awareness about our computer risks, but they do little to answer the big question: what should we do to have adequate security? The purpose of this document is to answer this and other questions, such as: What is cybersecurity?, What is the difference between cybersecurity and computer security?, Why is it relevant to my organization?, What role do executives play in cybersecurity?, Is it an issue that affects users, families, public organizations or private companies?, Should we do something different from what we have been doing? To answer these questions, we will first review some recent facts about different cyberattacks: SOME RECENT EVENTS » February 2013. A security company has released a comprehensive study on the intrusions that a group of Chinese hackers have made in recent years to a multitude of American companies. The report practically attributes the authorship to the Chinese government, through a group of hackers who are employees of the People's Liberation Army (PLA). The Chinese government denies the evidence. » January 2014. More than 100 million customer and credit card data are stolen from Target department stores. The incident cost the company millions of dollars and the resignation of the chief executive officer (CEO) and chief information officer (CIO). Throughout that same year, several chain stores (Home Depot, NeimannMarcus, Staple and the P.F. Chang restaurant chain among others). In most of these cases, within days of the hack, the compromised data was sold on the black market at prices between $2 and $5 per card and included information about the zip code or the type of purchases users typically make (thus simplifying their fraudulent use by organized crime). » July 2014. Another security technology company releases an article documenting the work of the "Dragonfly" (organized crime) group that has been dedicated since 2013 to compromising equipment and networks of energy companies in Spain, the United States, France, Italy and Germany. The infection mechanism is through a Trojan called "Havex" that is attached to an email that appears to be normal, and that infects SCADA (supervisory control) and Industrial Control systems. On the same dates, and based on the aforementioned report and the investigations of another security provider, an American government agency publishes a Security Alert towards energy companies, explaining the form of infection of "Havex". » August 2014. J.P. Morgan Bank suffers various attacks, including denial of service. Nationalist Russian hacker groups claim responsibility, arguing retaliatory actions for the US government's measures taken against Russia. » June 2015. In an attack executed by another nation, the records of 21 million people from the U.S. Office of Personnel Management (US-OPM) are stolen, in an incident that has been described as one of the largest government data security breaches in U.S. history. » April 2016. The "Panama Papers" case comes to light all over the world. More than 2 terabytes of information were obtained from the archives of the Mossack Fonseca firm by an unknown source and given to a German newspaper who shared it, for investigation, with 400 journalists around the world. The documents detail the creation of more than 200,000 shell companies in tax havens. Among the owners are many politicians and businessmen from around the world, including several people very close to Russian President Vladimir Putin. These facts show us a new reality: » Today attacks are more intense » Attackers have more resources and new motivations » Attackers are no longer just hackers and activist groups, they have been joined by organized crime, extremist groups (including terrorists) and even nations On the other hand, organizations have more interconnected all their systems and, therefore, its level of technological risk is growing. In the next section, we will review each of the above statements in more detail. THE NEW ATTACKERS The profile of attackers has changed, organized groups are generating targeted attacks, more complex and very difficult to discover through traditional mechanisms. Adversaries have created a complete ecosystem that allows them to have the capabilities and resources (economic, technological and human) necessary to move freely. Their main motivations are economic and political. Economically, they have realized that the sale of sensitive information of organizations is a very lucrative business, so their main targets are financial institutions and large businesses. Politically, they realize the importance of cyberespionage, which allows them to steal information and industrial secrets (in general intellectual property) and, eventually, have the capabilities to carry out cyber-attack operations. These new attackers are now referred to as cyber actors, and we can define them, in a general way, as those people or organizations that have a goal, motivation and resources to do harm by looking for an opportunity and exploiting a vulnerability. The following types are identified: » Delinquent groups (organized crime) » Terrorist groups » Subversive groups ("hacktivism") » Hostile governments ("rogue states") » Independent hackers » Commercial organizations or competing political groups (cyberespionage) The attack strategies used are more complex and long-term, use multiple previous steps to reach their target, combine various exploitation and evasion techniques, They employ advanced malware as well as various mechanisms to go unnoticed. These targeted attacks are planned, articulated and executed thinking about the particular profile of the victim in such a way that it is much more feasible to succeed, which together with the value of the information that attackers seek to extract causes their impact on organizations to be very high. NEW THREATS One of the most sophisticated cyberthreats today is Advanced Persistent Threats (APTs), whose objective is to steal, for a long time, valuable information from a given organization. Attackers use multiple attack methods to breach the target organization, one of them is spearphishing (phishing campaign aimed at a specific target, which through addressing an email with a context that makes sense for that person or organization, makes it very credible and with a high probability that the user will read the email in question and open the annex that has previously been contaminated). Once the target is breached, backdoors are created that allow the attacker to have continuous access (this is known as communication to a command and control center or C2) to the compromised systems. The attacker then seeks to expand his reach by taking control of more computers to strengthen his permanence (achieve his persistence), with which, if successful, he manages to maintain access to the client's systems for long periods, in order to collect more information about the target, carry out more attacks (lateral movements) until he manages to have access to the target information and extract it (an action known as exfiltration). These attacks are typically organized through "campaigns," which may be made up of one or more operations, with each operation typically having the following phases: 1) Preparation 2) Infection 3) Expansion and Persistence Achievement 4) Information Search and Extraction 5) Cleanup MAJOR VULNERABILITIES Let's remember that vulnerabilities are the security weaknesses of our system, understanding a system from a PC or Smartphone, to an entire organization along with its computing and communications infrastructure, applications and business services, as well as the information involved in the above. One of the elements that has changed dramatically is our display surface, which means that today we have many more hardware and software elements to protect against intrusions. Since almost all technological vulnerabilities are associated with software, we now: 1. We have more pieces of software running on servers, PCs, laptops, tablets, smartphones, cars, and increasingly on "things" (what has been called the Internet of Things: refrigerators, smart systems, and sensors in various devices or objects including watches and smart clothes). 2. Everything is interconnected and it is very difficult, sometimes impossible, to distinguish where one network ends and the other begins, something that has been called the "blurred perimeter" of the new networks. 3.La complexity of technological architectures has grown: servers (virtualized and not) with different natures (databases, applications, services such as DNS, Active Directory, etc.), routers, switches, balancers, traffic accelerators (different types), private and public cloud architectures, intermediary software (middleware of various flavors), mobile applications, etc. For all of the above, it is now more difficult to protect our environments. While an organization has to provide security to all elements and their interconnections, an attacker only has to find a path through which they can enter.