2025/09/23 13:31:50

TAdviser: IT Security Day 2025

On March 25 in Moscow, TAdviser held the IT Security Day 2025 conference on information security. Speakers shared their view of the realities of information security, the relevant attack vectors and methods, and the tools of protection.


The conference was attended by representatives of organizations including Sberbank Leasing, GKU Mosgortelecom, FSBNU "Scientific Center of Neurology", Public Bank of Russia, NPAO Svetogorsk Pulp and Paper Mill, Council, the Ministry of Transport of Russia, Tom Tailor, VTB, StroyCity, Evalar and Iceberry. The event was hosted by information security expert Dmitry Belyaev.

Hype capitalizes well

Danila Medvedev, futurist at RTD, built his report around the need to construct models of the future that allow for many possible ways in which events may develop. He noted that there are macrotrends and small "hype" trends among the items that appear in the news (for example, building a data center on the Moon).

Danila Medvedev, futurist, RTD

It is the hype trends that capitalize well, Danila Medvedev noted with regret, stressing that it is necessary to invest in "mental models" that help people not only track the flow of news but also sift through information and understand what is important.

The ability of specialists to create complex models of the enterprise and the industry is limited, says the speaker. Because of this, only a small piece of what is happening is seen, the piece with which everything is clear, while somewhere nearby, perhaps, a fire is burning. In everyday work this is normal, because everyone has their own area of responsibility, but when it is necessary to see the picture as a whole, difficulties arise. To do this, you need a system model that gives a systemic vision.

The speaker briefly described the foresight forecasting methodology. Questions are sent to experts, their answers are collected into a single document, which is again sent to the experts so that they refine and summarize the data. Forecasts are then made on the basis of the resulting material. Instead of developing the three standard scenarios (pessimistic, optimistic, medium), a network of scenarios is built that shows the different ways in which events can develop. It is also decided how to prepare and how to act in each case.

Danila Medvedev presented his vision of the IT industry. In his opinion, the industry simply needs full-fledged foresight studies, both in general and in specific areas that are important for the success of the Russian IT industry and economy. Future-thinking technologies and ways to model the future are strategic. They require creation, development, implementation and support.

Oleg Kuserov, Information Security Director at NPO National Settlement Depository JSC, believes that the development of quantum computers has already reached the stage of working prototypes. This makes the threat of quantum attacks real as early as 2026-2028, as McKinsey predicts. Accordingly, this new risk for the cybersecurity of the state and of business becomes more relevant every year.

Oleg Kuserov, Information Security Director, National Settlement Depository

The speaker spoke about a completed pilot project. It was necessary to find CIPF with cryptographic algorithms resistant to quantum attacks, to test the solution, and to determine the possibilities of its use in terms of performance and response time. Finally, obstacles and difficulties had to be identified.

As part of the pilot, a quantum-resistant tunnel was created between two remote sites (data centers in Moscow and Novosibirsk) to transfer encrypted backups of 4.5 GB archive files. The files were transferred in two ways: with traditional cryptography and through QTunnel (a solution from KuWright).

The use of cryptographic algorithms that are resistant to quantum attacks is possible now, he says. The QTunnel software is easily installed in the current infrastructure of the Moscow Exchange group. The drop in performance when it is used is acceptable.

95% of companies have already been hacked

Dmitry Kostrov, Deputy General Director for Information Security, IEK GROUP, warns: fraudsters have turned data into a valuable currency and are running a big business, the size of which is estimated at more than $13 trillion by 2028.

Dmitry Kostrov, Deputy General Director for Information Security, IEK GROUP

The presenter listed the key cyber threats of 2025:

  1. Ransomware, including ransomware-as-a-service (RaaS).
  2. Unpatched software, misconfigured systems, and vulnerabilities in commonly used technologies.
  3. Security bypass: tools and methods designed to bypass, disable, or evade cybersecurity systems.
  4. Compromise by luring victims to malicious websites using methods such as search engine optimization "poisoning" and malicious advertising.
  5. Phishing, which remains one of the most effective tools for cybercriminals to exploit human trust.
  6. Malware installed by an attacker on devices with the intention of causing harm, extorting money or intimidating.
  7. Distributed denial of service (DDoS), an attack method that uses multiple compromised devices to make an online service unavailable by temporarily interrupting, disrupting, or damaging the hosting server's services.
  8. A supply chain attack, an attempt to gain access to or disrupt vital components of a company's supply chain.
  9. Insider attacks. The three main factors driving the surge in insider attacks are the complexity of the IT environment, the introduction of new technologies and insufficient security measures.
  10. E-mail compromise, largely due to employees' excessive trust in corporate mail.

According to Cybersecurity Ventures, if annual cybercrime were a country, it would have the third largest gross domestic product in the world after the United States and China, said Dmitry Kostrov. In my opinion, 95% of companies have already been hacked.

Alexander Shcheglov, information security specialist at Coffeemania, spoke about a successful ransomware attack in the summer of 2024, after which the attackers demanded two thousand euros for each encrypted server. The point of penetration was presumably a compromised VPN account.

Intrusion and lateral movement techniques used: mimikatz, PowerShell remoting, AV disabling, RDP. Recovery from backups after the attack took 12 hours.

Alexander Shcheglov, information security specialist, "Coffeemania"

The speaker recalled that the first reaction to the attack was purely emotional: the urge to deploy every possible means of defense. In the end, however, a rational approach prevailed. It became clear that the existing security tools were enough to prevent the attack (the first alarm bells had sounded three days before encryption).

The weak link is people and regulations. The primary vulnerabilities were insufficient control over accounts, the lack of regulations for the use of remote access and management protocols and for control of their settings, imperfect response procedures, and the lack of procedures and practices for information security audits.
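The alarm bells in this account came from telemetry that was already being collected: a VPN-sourced RDP logon, AV tampering, encoded PowerShell, mimikatz and PowerShell remoting on the same host. The following is an added example, not Coffeemania's tooling, that correlates these precursors over constructed Windows events (the event field names, the `10.8.0.` VPN pool and the three-day window are assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: simplified Security 4624
# logons, 4688 process creations and PowerShell 4104 script blocks.
SAMPLE_EVENTS = [
    {"ts": "2024-07-12T02:14:05", "id": 4624, "host": "SRV-FILE01", "user": "vpn-contractor",
     "logon_type": 10, "src_ip": "10.8.0.23"},
    {"ts": "2024-07-12T02:16:40", "id": 4688, "host": "SRV-FILE01", "user": "vpn-contractor",
     "cmd": "powershell.exe -nop -w hidden -enc QQBBAA=="},
    {"ts": "2024-07-12T02:17:02", "id": 4104, "host": "SRV-FILE01", "user": "vpn-contractor",
     "script": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2024-07-12T02:19:11", "id": 4688, "host": "SRV-FILE01", "user": "vpn-contractor",
     "cmd": "C:\\Temp\\mimikatz.exe"},
    {"ts": "2024-07-12T02:25:30", "id": 4688, "host": "SRV-FILE01", "user": "vpn-contractor",
     "cmd": "wsmprovhost.exe -Embedding"},
    {"ts": "2024-07-12T09:00:00", "id": 4624, "host": "SRV-APP02", "user": "alice",
     "logon_type": 2, "src_ip": "-"},
    {"ts": "2024-07-12T09:05:12", "id": 4688, "host": "SRV-APP02", "user": "alice",
     "cmd": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]

VPN_POOL = "10.8.0."  # assumed address pool handed out by the VPN concentrator

# (technique label, event id, field to inspect, pattern)
RULES = [
    ("av_disable", 4104, "script", re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)),
    ("mimikatz", 4688, "cmd", re.compile(r"mimikatz", re.I)),
    ("encoded_powershell", 4688, "cmd",
     re.compile(r"powershell(\.exe)?\b.*\s-(enc|encodedcommand)\b", re.I)),
    ("ps_remoting_host", 4688, "cmd", re.compile(r"wsmprovhost\.exe", re.I)),
]


def match_event(ev):
    """Return the technique label an event maps to, or None if it is benign."""
    # Logon type 10 is RemoteInteractive (RDP); sourced from the VPN pool it
    # is exactly the entry path described in the talk.
    if ev["id"] == 4624 and ev.get("logon_type") == 10 and ev.get("src_ip", "").startswith(VPN_POOL):
        return "rdp_from_vpn"
    for name, eid, field, pat in RULES:
        if ev["id"] == eid and pat.search(ev.get(field, "")):
            return name
    return None


def correlate(events, window=timedelta(days=3), threshold=2):
    """Group hits per (host, user) and escalate when at least `threshold`
    distinct techniques fall inside one sliding window. A single hit is a
    ticket; several on the same host and account is an incident."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tech = match_event(ev)
        if tech:
            hits[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["ts"]), tech))
    escalated = []
    for key, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            techs = {t for ts, t in seq[i:] if ts - t0 <= window}
            if len(techs) >= threshold:
                escalated.append(key)
                break
    return {k: [t for _, t in v] for k, v in hits.items()}, escalated


if __name__ == "__main__":
    per_actor, escalated = correlate(SAMPLE_EVENTS)
    for key in escalated:
        print("ESCALATE", key, "->", ", ".join(per_actor[key]))
```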

An antispam solution has already been introduced at Coffeemania. A solution for collecting logs is being sought, regulations are being written, procedures are being introduced, and people are being trained. The settings of the existing security controls (Windows, AD, AV, NGFW) are being improved, and the level of information security maturity in the organization is rising.

But the introduction of a SOC is not planned. An EDR system has not been implemented either, although they are "looking closely" at it. The same applies to two-factor authentication. A DLP pilot was conducted, but the product was not adopted. Two pilot projects were carried out with SIEM solutions, but that system was not implemented either, since there are no resources for high-quality support.

Our existing information security solutions warned about the upcoming attack, but we did not have an information security process in place, says Alexander Shcheglov. After this incident, we implemented a number of measures, both organizational and technical.

Alexander Sevostyanov, Director of the Directorate for Economic Security, DIAIPI, spoke about the most dangerous attack vectors and methods of defense. He recalled the specifics of the metallurgical industry: here almost all industrial enterprises are CII subjects and personal data operators (Federal Law No. 187, Presidential Decree No. 250, Federal Law No. 152, Federal Law No. 149).

Alexander Sevostyanov, Director of the Directorate for Economic Security, DIAIPI

A significant share of the industrial software and computer equipment at such companies is of foreign production. Alongside the need to switch to domestic security tools and operating systems, which are inferior to foreign counterparts in terms of security, there is an acute shortage of qualified information security personnel. The risks of parallel imports and the state of being "constantly under attack" add further difficulties.

Alexander Sevostyanov explained that, because it is simpler and more effective, the main direction of attacks has become the partners, contractors and personnel of the CII subject rather than the subject itself. The speaker shared how exactly such threats are countered at TMK. To protect against unauthorized access to the IT infrastructure, a set of organizational and technical measures is applied, including checking a legal entity for reliability, network segmentation, signing a non-disclosure agreement (NDA), and a number of others.

Industry partners of enterprises often begin to think about information security only when the attack has already taken place: the data has leaked, the infrastructure is encrypted, says the speaker. The company needs to consider carefully with whom it interacts. It is necessary to check contractors and partners, to require information security from them, compliance with a certain level of information security hygiene. And, of course, you need to close and protect your own perimeter.

Among other things, the speaker recalled the danger of accepting video calls from unknown callers, since the video is recorded, processed by a neural network, and can then be re-voiced for fraudulent purposes.

Subsidiaries should be watched more carefully

Vadim Gritsenko, Head of the Information Security Department, Moscow Exchange, highlighted the transformation of threats. Their intensity is growing and their complexity is evolving. New threats are emerging. The speaker named the most dangerous ones: in his opinion, these are targeted attacks, social engineering, phishing, "hacktivists," insiders and data leaks, and DDoS.

Vadim Gritsenko, Head of Information Security Department, Moscow Exchange

He gave an example of an incident at one subsidiary, where the administrator password was the same as the application password. As a result, ransomware got inside and encrypted the entire infrastructure. After contacting the parent organization, the subsidiary received assistance. Services were restored from backups.

In conclusion, Vadim Gritsenko announced a list of organizational and technical measures taken to protect subsidiaries and affiliates:

  • risk assessment of projects and products;
  • management committees;
  • control of remote access to infrastructure, with zero tolerance: the same rules as for any outsourcer, without exceptions;
  • control of adjacent parties;
  • AppSec and checking of all external software and components;
  • perimeter and infrastructure security;
  • continuous monitoring and prompt response;
  • penetration tests and security analysis;
  • legal cleanliness, taxation and accounting issues;
  • information security culture;
  • compliance assessment and certification under Federal Law No. 152, GOST 57580 and other regulatory acts.

The insecurity of subsidiaries and affiliates, and we have more than ten of them, carries many risks. And first of all for the parent company, Vadim Gritsenko is sure. We have developed basic information security requirements for subsidiaries, including priority ones: compliance with regulatory requirements, access control, and a security audit at least once a year. Fulfillment of our requirements is assessed. At the same time, the approach is reasonable: the requirements differ from company to company, depending on their specifics.

Artem Kulichkin, Acting Director of Information Security for Subsidiaries of the Sogaz Insurance Group, dedicated his speech to External Attack Surface Management (EASM). He emphasized that it is first important to identify the organization's public external IP addresses and Fully Qualified Domain Names (FQDN).

Artem Kulichkin, Acting Director for Information Security of Subsidiaries of the Sogaz Insurance Group

To do this, you need to collect data on IP addresses from the perimeter network equipment, extract data from contracts with providers, download the DNS zone configuration files, and conduct open source intelligence (OSINT). The bgp.tools service can be used.

When the external IP addresses are identified, they need to be scanned in order to identify vulnerabilities, prioritize them, and then be monitored with a bot in order to detect new ports, services and DNS records, suggests Artem Kulichkin.

The speaker identified current threats: DDoS attacks, bots, brute force attacks, API attacks, incorrect configuration of servers, networks and applications, targeted attacks on web systems according to the OWASP Top 10 methodology.

Artem Kulichkin also described the procedure for scanning external IPs and FQDNs:

  • loading domains and IPs;
  • port scanning (tools: Nmap, RustScan, MassScan);
  • discovery of HTTP(S) services (tools: Nmap, Httpx);
  • search for vulnerabilities in HTTP(S) services (tools: Nuclei, Acunetix);
  • search for vulnerabilities in other services (tools: Nessus, OpenVAS, Nexpose, Nuclei);
  • the results are placed in a database and visualized;
  • prioritization of vulnerabilities and their elimination;
  • monitoring: DNS, new ports, new HTTP(S) services, with a bot in Telegram.

In conclusion, the speaker recalled that Gartner called External Attack Surface Management (EASM) a 2023 trend.
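The monitoring step of the procedure above boils down to diffing consecutive perimeter snapshots and paging on new exposure. As an added example (not Sogaz's tooling), the following parses two constructed Nmap grepable (`-oG`) outputs, reports new hosts, new ports and new HTTPS services, and formats the message a Telegram bot would send; the addresses and hostnames are constructed and the set of high-risk ports is an assumption.

```python
import re

# Constructed Nmap -oG output for last week's scan of the perimeter.
PREVIOUS = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 203.0.113.10 (www.example.com)\tStatus: Up
Host: 203.0.113.10 (www.example.com)\tPorts: 80/open/tcp//http///, 443/open/tcp//ssl|https///\tIgnored State: closed (998)
Host: 203.0.113.25 (mail.example.com)\tPorts: 25/open/tcp//smtp///, 587/open/tcp//smtp///
"""
# Constructed output for today's scan: one new listener per known host and a
# new test host that appeared in DNS.
CURRENT = """\
Host: 203.0.113.10 (www.example.com)\tPorts: 80/open/tcp//http///, 443/open/tcp//ssl|https///, 8443/open/tcp//ssl|https-alt///
Host: 203.0.113.25 (mail.example.com)\tPorts: 25/open/tcp//smtp///, 587/open/tcp//smtp///, 3389/open/tcp//ms-wbt-server///
Host: 203.0.113.77 (test-api.example.com)\tPorts: 443/open/tcp//ssl|https///
"""

# port/state/proto/owner/service/rpcinfo/version/ as Nmap writes it
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/[^/,]*/")
# Assumed list of services that should never appear on the perimeter unannounced.
HIGH_RISK_PORTS = {3389: "RDP", 445: "SMB", 23: "telnet", 5900: "VNC"}


def parse_grepable(text):
    """Return {host: {(port, proto): service}} with open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and the trailing "# Nmap done" line
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ports = hosts.setdefault(fields["Host"].strip(), {})
        for port, state, proto, svc in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open":
                ports[(int(port), proto)] = svc
    return hosts


def diff_snapshots(old, new):
    """List (kind, host, detail) for new hosts, new ports and new HTTPS services.
    Removals are worth a ticket as well, but new exposure is what the bot pages on."""
    findings = []
    for host, ports in new.items():
        known = old.get(host)
        if known is None:
            findings.append(("new_host", host, None))
            known = {}
        for (port, proto), svc in sorted(ports.items()):
            if (port, proto) not in known:
                kind = "new_https" if "https" in svc else "new_port"
                findings.append((kind, host, f"{port}/{proto} {svc}"))
    return findings


def format_alert(findings):
    """Render findings as the text a Telegram bot would post."""
    lines = []
    for kind, host, detail in findings:
        port = int(detail.split("/")[0]) if detail else None
        flag = f" !! {HIGH_RISK_PORTS[port]} exposed" if port in HIGH_RISK_PORTS else ""
        lines.append(f"[{kind}] {host}: {detail or ''}{flag}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_alert(diff_snapshots(parse_grepable(PREVIOUS), parse_grepable(CURRENT))))
```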

Domestic software costs are three times higher

Alexander Kapustin, Deputy Head of the Information Security Service, SO UES ("System Operator of the Unified Energy System of Russia"), shared his experience in using domestic information security solutions, as well as the results of import substitution in the company.

Alexander Kapustin, Deputy Head of Information Security Service, SO UES

He listed the problems of import substitution. Complex solutions are difficult to design and implement. The costs of introducing and operating a domestic product are three times higher, and much has to be written in-house.

Alexander Kapustin cited several practical cases of using Russian information security systems indicating the problems that arose. Positive shifts have been achieved in the main areas over the past year, although the problems have not been completely removed.

For example, in operating a domestic NGFW since 2019, the following issues were identified: failure to synchronize OSPF routes, license activation problems, and difficulties with updates, clustering and technical support. The vendor promises to fix everything in the next release, but a clean installation of the new version is required. As of 2025, because of operational problems, two branches of the operating system have to be supported for the same hardware platform. The license activation problem has been resolved, but during activation the active node of the cluster switches over spontaneously.

At each stage of the development of any system, information security requirements are taken into account and appropriate measures are taken to ensure it, and this is very important, Alexander Kapustin is convinced. As for the use of commercial IT products, vendors should interact actively with customers.

Ruslan Lozhkin, Director of the Cybersecurity Department, Absolut Bank, presented to the conference participants a conceptual view on data protection. He recalled regulatory innovations that have recently entered or will soon come into force.

Ruslan Lozhkin, Director of Cybersecurity Department, Absolut Bank

For example, Federal Law No. 420 raises the fine for a personal data leak to 3% of turnover (for a repeat leak), with fines of up to 3 million rubles for late notification. And under Law No. 421, a term of up to 4 years is proposed for the illegal collection, processing and distribution of personal data.

The presenter justified the need to share data and presented two concepts for protecting it, evaluating their parameters. A model with a reference contour is long and expensive to build; there are no mature technologies for it; in the pursuit of speed, the protection gets bypassed; and dynamic depersonalization is performed on the partner's side, so its risks must be considered. In a model with encryption and control, servicing the monitoring and control tools is long and expensive; effective technologies are lacking, violations are detected late, control on the partners' side is insufficient, compensating measures are required, and risks must also be taken into account.

The organization, as a rule, has a blurred external perimeter, many sites and counterparties, and, accordingly, a large dependence on data sharing. How do you protect data in such conditions? Ruslan Lozhkin asked the audience. There are two methods of protection: a reference data contour and a model with encryption and control.

The speaker himself considers the method of the reference contour preferable, but recognizes the great complexity of this model.

The strongest infrastructure can be made "leaky"

The report of Evgeny Mikhailov, an independent information security expert, was methodological in nature and dealt with general aspects of information security: the advantages attackers have over defenders, and the approaches practiced to ensure information security.

Evgeny Mikhailov, independent expert in the field of information security

The expert listed the approaches to information security, which he described as interesting:

  • protection using early detection systems for computer attacks and information security threats: Distributed Deception Platform (DEJAVU), Attack Surface Management (OWASP Amass, reNgine), Breach and Attack Simulation (MITRE Caldera);
  • the concepts of "zero trust" and "unacceptable events";
  • the concept of "cyber resilience" or, more generally, "enterprise operational resilience";
  • the triad "immutability, distribution, ephemerality";
  • the concepts of cyber immunity and security from the start of development (secure by design);
  • integration of development, operations and security processes (DevSecOps);
  • data-centric and human-centric security.

The focus of attacks is shifting from large business to medium and small business, as well as to the contractors of large organizations, explains Evgeny Mikhailov. At the same time, the CIPF offering on the market mainly consists of overlay information protection tools, which is definitely not enough to ensure reliable protection.

To make an attack on the IT infrastructure as difficult as possible and unattractive to attackers, Evgeny Mikhailov advised the following. Remember to protect the entire IT infrastructure. Vendor best practices, recommendations and technologies need to be taken into account for the security of the architecture of the solutions being implemented, since even the strongest infrastructure can be made "leaky" if incorrect architectures with incorrect configurations are deployed.

Access to test infrastructures and their elements, including accounts, should be limited to the duration of the pilot or of the work being performed, with automatic shutdown or deactivation at the end of that period. For such components, a responsible person must be identified and automatic notification configured; that is the minimum. It is better to rely on making vulnerabilities and misconfigurations technically impossible to exploit, or on layered, multi-stage protection (demilitarized zones, etc.). Among other things, it is worth regularly informing users about information security threats using case studies.

Alexander Khachapuridze, leading information security expert at the Ascona Group of Companies, considered the realities of information security threats and the most promising new technologies and solutions. He highlighted the key features of the new information security reality. The number of attacks aimed at destroying infrastructure has doubled. Data leaks came out on top: 600 million personal data records were compromised. There has been a significant increase in attacks on supply chains, and attacks follow the adoption of AI.

Alexander Khachapuridze, leading expert of information security, "Ascona"

Alexander Khachapuridze outlined what needs to be done for reliable protection. In his opinion, the load on information security specialists should be reduced, because attacks keep getting more sophisticated and there are not enough personnel. The conclusion: automation is needed. He also suggests moving to the concept of zero trust. You need to understand that there are no trusted zones or applications; everything needs to be checked and confirmed. Another proposal is to observe cyber hygiene across all employees of the company.

To achieve these goals, it is necessary to build security management ecosystems, use AI and large language models, as well as information security services, for example, commercial SOC, SaaS, IaaS, PaaS. You need to move from perimeter protection, within which there are trusted zones, systems, users, to the concept of Zero Trust Architecture, which assumes that there is nothing trusted. Finally, you should pay attention to the optimization of information security technologies and processes.

The speaker elaborated on the parameters and components of the Zero Trust Architecture concept, highlighting its revolutionary nature. "The post-active defense has outlived its usefulness," Alexander Khachapuridze is sure. "It's better to build a secure system than a secure system."

A tense cyber landscape

Before talking about the products, Alexey Kiselev, Head of SMB Customer Relations at Kaspersky Lab, presented a picture of the modern realities of information security. Our cyber landscape remains tense.

Alexey Kiselev, Head of SMB Customer Relations, Kaspersky Lab

Over the past two years, 69% of organizations in Russia have suffered from at least one information security incident. At the same time, regulation is becoming more complicated, an increase in fines for leaks is being discussed. The active replacement of foreign information security solutions continues, so the requirements of regulators for import substitution are increasing.

The speaker presented three configurations from the company's various attack protection products, depending on the level of threats:

  • common mass threats: Kaspersky Security Foundation;
  • hidden threats: Kaspersky Optimal Security;
  • complex attacks: Kaspersky Expert Security.

Each of the security configurations involves the use of a set of specialized products: Kaspersky Security for Business, Kaspersky Security for Mail Servers, etc., the speaker explained, talking about some of them.

The cybersecurity situation is not getting better; we are still being attacked. The number of critical incidents in organizations in Russia and the CIS increased by 39% in the first quarter of 2024 compared to the first quarter of the previous year, Alexey Kiselev cites the figures. We became the most attacked country in the world in 2022, and we have not left this position. Organizations that were accustomed to relying on Western information security solutions were among the distrustful, because they lost support and updates. Having seen a big surge of interest in our products, we have changed our approaches to their development.

Dmitry Ovchinnikov, information security architect at UserGate, spoke about the company's new line of business: consulting services. He emphasized the growing complexity of IT infrastructure, the increase in the number of types of cyber threats, the transformation of information security crime into a profitable business, as well as the increased availability of hacking knowledge, phishing attacks, and the use of artificial intelligence in attacks.

Dmitry Ovchinnikov, architect of information security, UserGate

The saddest thing, according to Dmitry Ovchinnikov, is that cybercrime has become a business. There are dedicated marketplaces on the network where data and hacking tools are traded and entire hacked companies are sold.

Stressing the importance of information security consulting for neutralizing information threats, Dmitry Ovchinnikov listed the services UserGate offers in this area. Among them are information security audits, penetration tests, and expert services: incident investigation, proactive threat hunting, and malicious code analysis. The speaker covered each area separately. In terms of audit, for example, the company promises:

  • a conservative approach to working with information;
  • identification of deficiencies in information security processes;
  • availability of ready-made information security standards;
  • no audit impact on the IT infrastructure;
  • an audit report that serves as a complete guide to action.

In many companies there has been a trend towards so-called "practical security," when information security is strengthened through existing information security tools, their development and more optimal use, said Dmitry Ovchinnikov. And IT consulting fits well into this trend.

During the break and at the end of the conference, the participants talked informally, and also had the opportunity to familiarize themselves with the solutions and services of IT suppliers at the stands deployed in the event hall.