Issue: Global-ICT 2015
Article no.: 9
Topic: The art of cyber war
Author: Christian Fredrikson
Title: CEO
Organisation: F-Secure

About author

Christian Fredrikson is the President and CEO of F-Secure Corporation. Fredrikson joined F-Secure in January 2012 from Nokia Siemens Networks where he was responsible for global sales of the Network Systems business unit. Before that he has held several executive positions in Nokia since 1994, including head of the Asia Pacific region and head of Operational and Business Software Unit.

Fredrikson is a member of new EU cloud computing board, the Steering Board of the European Cloud Partnership (ECP). He is also a member of Communications Administration Committee of Ministry of Transport and Communications Mobile in Finland and a member of the Board of Remedy Entertainment Ltd.
He holds a master’s degree in engineering from Åbo Akademi University in Finland.

Article abstract

Different organisations are targeted by different types of attackers, with varying motives and attack techniques. For a retail organisation, it’s likely that customers’ financial and account data is high on the attack agenda. Whereas, for a telecoms operator, foreign nation states are likely to want to know what private communications are running over your network. Protecting data and credit card numbers from online criminals is completely different from protecting a network against a distributed denial-of-service attack or covert surveillance launched by hostile government organisations. 

Full Article

Nearly three thousand years ago, Chinese military strategist Sun Tzu wrote, ‘if you know the enemy and know yourself, you need not fear the result of a hundred battles’. Today, the battleground may have moved from the Mongolian plains to the internet, but the premise still stands.
Cyber security is an ongoing battle. It has grown from the skirmishes of the 90s and early noughties, when bedroom hackers attacked for fun, to the quiet war taking place today. We should be under no illusions when it comes to online security; there is no end in sight to the attacks. The hackers and hacks will keep coming.
Despite these attacks gaining more attention in recent years, they still often lack the excitement of a physical attack and fail to grab the attention of the public as a daring bank robbery would. Such is the psyche of people in the early 21st century: valuing and protecting digital assets feels less tangible than protecting traditional physical belongings. This is why people are concerned when they lose their door keys, but think nothing of using insecure passwords for their online accounts.
Perhaps the problem stems from removing responsibility from individuals for their actions, through a growing reliance on computing systems. When people are given the option to blame their computer or the system they use, they lose some of the fastidiousness which would once have been the bedrock of a successful business service. And it would be churlish to deny that, in general, employees have less time than they once did to meet the demands of their job. It is little surprise that many still see security measures as the sole remit of the IT department, and their mess to clean up when things (inevitably) go wrong.
Get the enemy in your sights
It is well established that businesses now have a lot to lose in the case of a cyber attack. Customer credit card information, customer data, embarrassing internal emails and digital assets are common targets for thieves. As we continue our march to efficiency by computerising every facet of a company, we open up more and more possible attack points. The result can be overwhelming and financially prohibitive – after all, it is easier to gain board investment for a business’ core activities than for something seen as peripheral, like security.
So, how do businesses assess the threat? The first step is to figure out who is out to get you.
Different organisations are targeted by different types of attackers, with varying motives and attack techniques. For a retail organisation, it’s likely that customers’ financial and account data is high on the attack agenda. Whereas, for a telecoms operator, foreign nation states are likely to want to know what private communications are running over your network. Protecting data and credit card numbers from online criminals is completely different from protecting a network against a distributed denial-of-service attack or covert surveillance launched by hostile government organisations.
The good news is that not every organisation is targeted by all types of attackers. The bad news is that no one can identify potential attackers as well as the company itself. Attacker attribution work is hard to outsource, as it requires an implicit knowledge of the organisation’s workings.
By understanding our enemies, limited resources and budgets can be put to more effective use.
Identify the weakest front
High-profile cyber attacks in recent years have acted as a warning to many organisations about potential entry points for hackers. The hack on RSA’s SecurID products was via a simple phishing email which was even caught in the Outlook junk folder, but then opened by an inattentive employee.
Unfortunately, it could be argued that a lack of internal training to spot possible cyber attacks and deal with them appropriately is a subject which has been bandied around our industry for many years and will not disappear. People are fallible, especially when the consequences of their actions are not fully conveyed to them. I expect we will continue to see breaches like this happening for the foreseeable future.
One area where I also expect to see an increase in attacks is through third parties. The biggest example of this is the 2013 attack on US retailer Target, which saw 40 million credit and debit card details stolen. The financial cost of this attack to Target is US$162 million, notwithstanding the US$90 million covered by insurance. In hindsight, Target would have been wise to establish what security measures its supplier ecosystem had implemented, as its attackers did. After all, why directly target the cash cow when a phishing email to its heating, ventilating and air conditioning supplier, which had its network credentials, would achieve the same results? Had Target known that its supplier was using a free consumer security product to shore up its defences, it is highly unlikely that it would have fallen victim, as no responsible business would leave such a gaping hole in its security perimeter.
This is where the low-hanging fruit lies for many attackers. They understand that the vendor selection process is focused on cost, expertise and financial stability. Conversations around security fall way down the list, if they appear at all. Disregarding security policies nowadays is tantamount to gross misconduct; it shows a complete disregard for customers and their data. Someone must take responsibility for ensuring that hard-won reputation and industry position are protected, and this falls on the shoulders of the main business, for it is the only one which holds the influence to make vendors sit up and take notice.
Give strong orders
There are some basic questions which all organisations should ask their suppliers, in order to be confident that they will not act as an unwitting trojan horse for criminals. Firstly, they must outline how they keep customer data safe. Do they use password managers and what is their password policy? Where is data backed up to and how often? Do employees only have access to data through work computers or through other devices, such as their smartphones? If so, what BYOD policy is in place? Are IT departments empowered to make secure systems and processes or restricted by management misunderstanding and cost-cutting?
Secondly, phishing attacks may be old news, but they aren’t any less effective. What has the supplier done to educate its staff about social engineering? Teaching staff about how to spot a suspicious email is not like informing them of the company’s fire drill procedure. It is a message which must be regularly reinforced and tested.
All businesses can afford to be better protected and insistence on strong security policies can only benefit us all. A top-down approach is what will bring this renewed focus on protection, so the onus is on every company to insist that its suppliers match their own security measures. Time spent on this now, making security considerations an intrinsic part of negotiations, will help to swiftly win many battles further down the road.
Being unconquerable lies with yourself; being conquerable lies with your enemy.
It would be easy to point the finger at vendors as the weakest link when it comes to security, but this is not the case. The weakest link is the person or department which doesn’t ask the hard questions of their suppliers. It is wholly acceptable to expect a supplier to represent its customer and its values, especially when it comes to customer-facing services, such as delivery and sales. Sarbanes-Oxley has paved the way here for financial controls, but we have yet to see an equivalent which tackles security and data protection.
The first step is to acknowledge that everyone is responsible for their actions – whether it is the CISO ensuring that all remote workers use VPNs or the receptionist not opening email attachments from unknown senders. Security is not a new subject, so excuses for lax security are wearing thin.
It is safe to say that there will never be a time when the internet is truly safe. There will always be attackers. But it is also safe to say that we can mount a strong defence. The war is far from lost and vigilance will win the day.