Tag Archives: guest article

Eddy Willems Interview: Smart Security and the “Internet of Trouble”

For this week’s guest article, Luis Corrons, director of PandaLabs, spoke with Eddy Willems, Security Evangelist at G Data Software AG, about security in the age of the Internet of Things.

Luis Corrons: Over the course of your more than two decades in the world of computer security, you’ve achieved such milestones as being the cofounder of EICAR, working with security forces and major security agencies, writing the entry on viruses in the encyclopedia Encarta, publishing a book, among other things. What dreams do you still have left to accomplish?

Eddy Willems: My main goal from the beginning has always been to help make the (digital) world a safer and better place. That job is not finished yet. To be able to reach a wide public, from beginners to more experienced internet users, I wrote my book ‘Cybergevaar’ (Dutch for Cyberdanger) originally in my native language. After that it has been translated into German. But for it to have a maximum effect, I really want it to be published in the most widely spoken languages in the world like English, Spanish or even Chinese. That really is a dream I still want to accomplish. It would be nice if we could make the world a little bit safer and at the same time make life a little bit harder for cyber criminals with the help of this book.

Another ambition that fits into my dream of making the world a safer place, is to get rid of bad tests and increase the quality of tests of security products. Correct tests are very important for the users but also for the vendors who create the products. Correct tests will finally lead to improved and better security products and by that finally to a safer world. That’s the reason why I am also involved in AMTSO (Anti Malware Testing Standards Organization). There is still a lot to do in that area.

LC: Since the beginning of 2010 you’ve been working as a Security Evangelist for the security company G Data Software AG. How would you define your position and what are your responsibilities?

EW: In my position as Security Evangelist at G DATA, I’m forming the link between technical complexity and the average Joe. I am responsible for a clear communication to the security community, press, law enforcement, distributors, resellers and end users. This means, amongst other things that I am responsible for organizing trainings about malware and security, speaking at conferences and consulting associations and companies. Another huge chunk of my work is giving interviews to the press. The public I reach with my efforts is very diverse: it ranges from 12 year olds to 92 year olds, from first time computer users to IT security law makers.

LC: Data that’s been collected over the years leads us to conclude that 18% of companies have suffered malware infections from social networks. What measures can be taken to avoid this? Are social networks really one of the main entry points for malware in companies?

Eddy Willems

EW: Social networks are only one vector of many infections mechanisms we see these days. Of course we can’t deny that social networks are still responsible for even some recent infections: end of November a Locky Ransomware variant was widely spread via Facebook Messenger. But still Facebook, Google, LinkedIn and others have some good protective measures in place to stop a lot of malware already. Surfing the web and spammed phishing or malware mails are still the main entry points for malware in companies. Delayed program and OS updating and patching and overly used administration rights on normal user computers inside companies are key to most security related problems.

LC: What do you believe to be the greatest security problem facing businesses on the Internet? Viruses, data theft, spam…?

The weak link is always an unaware or undertrained employee. The human factor, as I like to call it.

EW: The biggest security threat to businesses are targeted phishing mails to specific employees in the company. A professional, (in his native language) well-written created phishing mail in which the user is encouraged to open the mail and attachment or to click on a specific link, has been seen in a lot of big APT cases as the main entry point to the whole company. These days even a security expert can be tricked into opening such a mail.

Another great threat is data breaches. Most of those are unintentional mistakes made by employees. A lack of awareness and a lack of understanding of technologies and its inherent risks are at the base of this.

Both of these risks boil down to the same thing: the weak link is always an unaware or undertrained employee. The human factor, as I like to call it.

LC: Criminals are always looking to attack the greatest amount of victims possible, be it through the creation of new malware for Android terminals or through older versions that may be more exposed. Do cybercriminals see infecting old devices the same way as infecting new devices? Which is more lucrative?

EW: Android has become the number 2 OS platform for malware after MS Windows. Our latest G DATA report saw an enormous increase in Android related malware in 2016. G DATA saw a new Android malware strain every 9 seconds. That says enough about the importance of the platform. Current analyses by G DATA experts show that drive-by infections are now being used by attackers to infect Android smartphones and tablets as well. Security holes in the Android operating system therefore pose an even more serious threat. The long periods until an update for Android reaches users‘ devices in particular can aggravate the problem further. One of the bigger issues is that lots of old Android devices will not receive any updates anymore, bringing the older devices down to the same level of (no) security as Windows XP machines. Cybercriminals will look to the old and new Android OS in the future. Malware for the old Android versions will be more for the masses, but malware for the new versions Android versions needs to be more cleverly created and are more lucrative if used for targeted attacks on business or governmental targets.

LC: In this age of technological revolution through which we are now living, new services are invented without giving a second thought to the possibility that it may be put to some ill-intentioned use, and are therefore left under-protected. Has the Internet of Things become the main challenge with regard to cybersecurity? Does the use of this technology conflict with user privacy?

EW: I wrote about the Internet of Things already a couple of years ago at the G DATA blog where I predicted that this platform would become one of the main challenges of cybersecurity. In my opinion IoT stands more or less for the Internet of Trouble. Security by design is dearly needed, but we’ve seen the opposite unfortunately in a lot of cases.

Besides Smart grids and Smart factories, Smart cities, Smart cars and Smart everything else, we will also need Smart security.

IoT is seriously affecting our privacy unfortunately. The amount of data IoT devices are creating is staggering and that data is being reused (or should we say misused). You’ve undoubtedly agreed to terms of service at some point, but have you ever actually read through that entire document or EULA? For example, an insurance company might gather information from you about your driving habits through a connected car when calculating your insurance rate. The same could happen for health insurance thanks to fitness trackers. Sometimes the vendor states in the EULA that he isn’t responsible for data leakage. It brings up the question if this is not conflicting with the new GDPR (General Data Protection Regulation).

I am convinced the Internet of Things will bring about much that is good. I can already hardly live without it. It is already making our lives easier. But IoT is much bigger than we think.  It’s also built into our cities and infrastructure. We now have the opportunity of bringing fundamental security features into the infrastructure for new technologies when they are still in the development stage. And we need to seize this opportunity. That is ‘smart’ in my opinion. Besides Smart grids and Smart factories, Smart cities, Smart cars and Smart everything else, we will also need Smart security. I only hope the world has enough security engineers to help and create that Smart security.

LC: New trends such as the fingerprint and other biometric techniques used with security in mind are being implemented, especially in the business world. What’s your opinion about the use of these methods? For you, what would the perfect password look like?

EW: Simple, the perfect password is the password I can forget. In an ideal world, I don’t need to authenticate myself with other tools anymore except part(s) of my body. It’s unbelievable how long it takes to implement this in a good way. The theory is there for ages and we have the technology now, it’s only not perfect enough which makes it costly to implement in all our devices. After that comes the privacy issues related to it, which possibly will postpone the implementation again.

We also need to think about the downside of biometric techniques. If my fingerprint or iris gets copied somehow, I don’t have the option of resetting or changing it. So we will always need to have a combination of authentication factors.

LC: Your book Cybergevaar pitches itself as a sort of information manual on IT security for the general public, offering various tips and advice. What were some of the greatest challenges in outlining a book aimed at every kind of Internet user? What piece of advice on display is most important for you?

EW: One of the big challenges in writing the book was leaving out most of the technical details and still remaining on a level that everyone, including experts and non-technical people, wants to read. I tried to keep a good level by including lots of examples, personal anecdotes, expert opinions and a fictional short story. Keeping all your programs and OS up-to-date and using common sense with everything you do when using your computer and the internet is the best advice you can give to everybody! The real problem most of the time is, as I mentioned before, the human factor.

LC: There’s been some talk of a “new reality”, the omnipresent Internet in every aspect of our lives. From your perspective, is this phenomenon truly necessary?

EW: IoT is just the beginning of it. I think we are very near to that ‘new reality’ even if you don’t like it. Our society will be pushed to it automatically, think about Industry 4.0 and Smart cities. In the future you will only be allowed to buy a car with only these specific Smart features in it or you will not be allowed to drive in specific cities. A smart cooking pan that automatically tracks calories and records your delicious recipes as you cook in real time will only work with your new internet connected Smart cooking platform. The omnipresent internet is maybe not really necessary but you’ll be pushed to it anyway! The only way to escape it will be maybe a vacation island specifically created for it.

We also need to think about the downside of biometric techniques. If my fingerprint or iris gets copied somehow, I don’t have the option of resetting or changing it.

LC: What have been for you the worst security violations that have marked a before-and-after in the world of cybersecurity? Do you have any predictions for the near future?

EW: The Elk Cloner virus and the Brain virus back in the eighties … everything else is just an evolution of it. We probably wouldn’t have this interview if nothing had happened 30 years ago or … maybe it was only a matter of time? Stuxnet was built to sabotage Iran’s Nuclear program. Regin demonstrates even more the power of a multi-purpose data collection tool. Both built by state agencies showing that malware is much more than just a money digging tool for cybercriminals. And of course the Snowden revelations as it showed us how problematic mass-surveillance is and will be and how it reflects back to our privacy which is slowly fading away.

Malware will always be there as long as computers -in whatever shape or form they may be around, be it a watch, a refrigerator or a tablet- exist and that will stay for a long time I think. Cybercrime and ‘regular’ crime will be more and more combined (eg. modern bank robberies). Malware will influence much more our behavior (eg. buying, voting, etc) and ideas resulting in money or intelligence loss. Smart devices will be massively misused (again) in DDoS and Ransomware attacks (eg. SmartTv’s). And this is only short-term thinking.

The only way forward for the security industry, OS makers, application vendors and IoT designers, is to work even closer together to be able to handle all new kind of attacks and security related issues and malware. We are already doing that to some extent, but we should invest much more in it.

 

The post Eddy Willems Interview: Smart Security and the “Internet of Trouble” appeared first on Panda Security Mediacenter.

“Cyber-crime is international, but we get stuck with national laws that may not be compatible in this fight”, Righard Zwienenberg

eset- panda- security

Our guest article Righard has been in the IT security world since the late 80’s, and “playing” with computers since the 70’s.

1- At the beginning, computer viruses were almost like a myth. However, over the years, computer attacks became real and they have evolved significantly, along with security solutions. To what extent are we doing things properly? It seems that today there are more attacks than ever before…

Obviously there are more attacks than ever before. In the beginning, having a computer was a novelty, on top of that, the underlying OS was rather diverse. Nowadays, almost everyone has one or more computers or devices. More devices makes the attack vector more interesting (higher chance of success for the cybercriminal) but as many more people are now “into” computers, there automatically are also more people that will exploit for ill purposes. It is inevitable. As in business, where there is an opportunity there will be an entrepreneur, likewise in cybercrime, if it can be exploited, someone will.

With the growth and evolution of the OS’s, security solutions followed. Actually not only the security solutions but also the general perception of security by the public. Guess banking Trojans and ransomware were useful to raise the awareness.

guest-article-panda

Senior Research Fellow, ESET

2- You developed your first antivirus in 1988. Back then, the number of viruses to detect was very small, despite the fact that they already used some really complex techniques. Considering the way computer threats have evolved, would it be possible for somebody today to develop an effective security solution by himself?

Why not? All you need is a good (new) idea and implement it. It may be the holy grail of heuristics and proactively block a complete new type of threat, or even multiple. That is how the current anti-malware products started in the late 80’s. Of course a single issue solution would nowadays not be enough anymore as customers expect a multi-layered, full protection solution and the sheer number of daily new malware will make it impossible to keep up just by yourself. So it will be more likely that you sell your technology to a larger company or you become a niche player in the 2nd opinion market. But… There is nothing wrong with that!

3- You’ve worked with groups that cooperate with governments, agencies and companies. In your opinion, who should be more interested in improving their IT security knowledge?  Governments? Companies? The public sector and authorities?

Sadly all of the above. Education and Awareness is key here. New threats emerge all the time, and you need to be aware of the to defend yourself against it. Or at least be able to check if your security vendor is defending you against it.

Governments try to have all people use digital systems and guarantee people’s privacy, but can they? They say they do, but then, even at large public events like the 2016 elections for the US Presidency, where you would assume all the security is in place, ignorant security flaws pop up.

media-center-eset-panda

In the above case, the official website for – the now elected – Donald Trump allowed an arbitrary URL to show the header above the news archive. That can be used as a funny gimmick, but most likely also be exploited if the arbitrary URL is extended perhaps with script code.

4- You have collaborated with law enforcement agencies in multiple cases of cyber-crime. In your opinion, are law enforcement forces well prepared to fight cyber-crime? Do they have enough resources?

They are well prepared and most of the time have the resources to fight cyber-crime. You will be surprised what they actually know and can do. But what usually is the problematic issue is international laws. Cyber-crime is international, but we get stuck with national laws that may not be compatible in the fight against cyber-crime. On top of that, cyber-crime is digital and very fast moving. Too much legislation prevents swift actions. Politics has to catch up with more organic laws that “go with the flow” and do not takes ages to get updated against the latest threats, allowing law-enforcement to rightfully act against cyber-crime and not to have a case dismissed in court due to old-fashioned legislation.

New threats emerge all the time, and you need to be aware of them to defend yourself against it.

5- Is there an appropriate level of cooperation between law enforcement agencies and security vendors/experts, or do you think there is room for improvement?

Room for improvement is always there. But LEO’s and the private sector already do work together (although as mentioned hindered by (local) laws). Some new cooperation initiatives are actually about to be started and initiated by LEO’s. It clearly shows that working together, it will be easier to reach the mutual goal: to get cyber-criminals locked up, removing safe havens for them.

6- Ransomware attacks can have disastrous consequences for consumers, employees and companies in general. The cost of recovery from a security breach can be very high for an organization; however, what do you think of the expenses a company must face to prevent such attacks?

These must be seen as a preventive measure, a kind of insurance. You do invest for a lock on your door although the door can be closed, right? And when you compare the cost for preventive measurements against the cost after ransomware (the lost work, the lost time, checking and cleaning up the entire network (as you don’t know if it put some executable files of some stolen data somewhere on an open share, or if a backdoor was installed, etc.), the negative public PR, etc.), it isn’t all that expensive. Awareness (and thus proper education) is the key for all people to understand that reporting suspicious activity earlier can actually save a lot of money for the company. In this case, the cost of a report of suspicious activity that turns out to be false is nullified by the cost saved by that single report of suspicious activity where it turns out the threat is real.

Awareness (and thus proper education) is the key for all people to understand that reporting suspicious activity earlier can actually save a lot of money for the company.

7- Righard, you’ve been working with AMTSO (Anti-Malware Testing Standards Organization) since its inception. During this time, you’ve had the opportunity to work in different positions within the organization: CEO, CTO, and now you are a member of the board. What influence has AMTSO had on the world of security solution testing? What difference has it made?

AMTSO had – in my perception – a tremendous influence on the world of security solution testing. Yes of course, it was a struggle in the beginning, errors were made, but now, after repairing the organizational flaws, AMTSO came up with Guidelines and Recommendations that were adopted by testers and vendors, making sure that all testing was done fair and equally. This has also caught the eye of other organizations that are now recommending AMTSO and AMTSO “compliant” tests or to get a product certified by a tester that has adopted the AMTSO Guidelines and Recommendations.

8- What challenges will AMTSO have to face in the near future?

AMTSO is growing and is now changing the Guidelines and Recommendations into real Standard Documents. This is a delicate procedure to complete, but when completed and done properly, a big step forward. As AMTSO is growing and getting more members of different industries, but also from the same industry with motivations or ways of thinking that are different than the established industry, with older and newer companies, keeping it all together to continue to build AMTSO broader and going for AMTSO’s goals, that will be a challenge. But I am sure the new management will be able to do so. I would not have stepped down as CEO/President if I didn’t believe it would be in good hands!

The post “Cyber-crime is international, but we get stuck with national laws that may not be compatible in this fight”, Righard Zwienenberg appeared first on Panda Security Mediacenter.

“Securing a business involves so much more than plugging in various pieces of computer technology”, Simon Edwards

guest article panda

I met Simon Edwards in January 2007 at the first AMTSO meeting in Bilbao. For many years, Simon dedicated himself to testing security products for Dennis Publishing and, at the time, he was also the technical director of Dennis Technology Labs. The prestige gained over the years has made him a recognized authority in this sector.  Less than a year ago he began a new career path when he started his own business, SE Labs.

1 – Since your time as the editor of the Computer Shopper magazine, your life has been linked with computer security. What has your experience been like in such a changing and innovative industry?

simon-edwards-mediumres

Simon Edwards, founder of SE Labs

I have always approached the security business from an ethical position because we genuinely want to make a bad situation better. We do much more than testing anti-malware products. We provide threat intelligence to very large companies and, in the UK, the insurance industry uses our information to make important decisions. That is a new diversion from testing, but we do still test security products and that feeds back into the threat intelligence information we provide. We didn’t set out to create a security testing business from day one, though.

When I was first asked to write an anti-virus group test I thought about how to do it, but without any input from other testers or even the companies that made anti-virus programs. In complete isolation from the experts I came up with a method of testing and found that some well-known threats could bypass anti-virus, particularly those that were more like Trojans and hacking attacks rather than standard self-replicating ‘viruses’. That was interesting.

The response from the readers was fantastic and every time we published such a test we sold more magazines than in a usual month. The anti-virus industry was less pleased and I received aggressive phone calls from some people who, today, I actually count as very good friends. We just had to get to know each other and develop trust.

I think that the default position the security industries take, when confronted by challenging results from a new face, is to attack. “We don’t know this guy and he’s saying our product sucks? He must be an idiot, or corrupt!” Nothing much has changed on that front. At least now people know SE Labs creates useful tests and works ethically. Well, most people do. There are some companies, particularly new ones, who are still working out what’s what. They assume that if you don’t support their marketing message then you are an enemy with a biased agenda.

The default position the security industries take, when confronted by challenging results from a new face, is to attack.

One big change is that vendors are starting to see the usefulness of testers really attacking systems, rather than just scanning regular malware that exists on the general internet. We were running hacking attacks in tests back in the days of Back Orifice 2000  and we also used other tools that the bad guys had access to. At the time that was extremely controversial, as the industry had a general view that creating threats was taboo. Many still feel that way, but we’ve been crafting targeted attacks for testing purposes ever since, and it seems fair considering how many products claim to prevent such things.

2- What is like to be an entrepreneur? Are you still able to perform the tests yourself or has management become the main part of your day-to-day?

I personally review every set of data that powers the tests that we publish, and I also develop the test methodologies used by the talented testers who actually sit in front of the systems and put the products through their paces. The ongoing testing and general office tasks are managed by the SE Labs team in London. Once a test is up and running I trust the team and spend most of my time doing one of a million other things. What’s really cool about setting up a company from scratch is that there are so many creative tasks to carry out. But, as we’ll see, there’s also a load of nonsense to contend with too.

When you are running a company on your own you make decisions about literally everything. One day I would be negotiating six-figure finance deals and then I’d be fielding questions about teaspoons. I spent literally half a day in Ikea arguing with colleagues about which cutlery sets to buy.

There is a lot of emotion and some immaturity in this emerging ‘next-gen’ industry.

Back to testing, I have spent a large amount of time trying to work with the newer companies in the industry. Some of them can be reluctant and I understand why. Startups are vulnerable and a poor result could kill a business before it even starts. That said, some of the aggressive marketing we’ve seen very much invites testing to challenge quite extraordinary claims. There is a lot of emotion and some immaturity in this emerging ‘next-gen’ industry. That needs to stop, because it does not serve the customers.

3- As Director of SE Labs, does your work continue to surprise you on a daily basis? Do you have to adapt your tests to the type of attacks that appear frequently? 

A fundamental part of what we do is to seek out and use prevalent threats. Theoretically every product should score 100 per cent in our tests because we’re not using threats from the edges of the internet or zero day threats. So it’s always been quite surprising to me that most vendors don’t score 100 per cent. It’s well-known in the security world that a test in which everyone scores 100 per cent is useless. I don’t think that’s true, as long as the test comes with a good explanation of what it’s trying to achieve.

But regardless, if I throw 100 well-known threats at the leading anti-malware products I know there will be compromises. And that still surprises me. We work with many vendors to help them fix these issues.

4- In addition to traditional security solutions, in the past few years several new solutions have appeared on the market with names like “Next Gen AV” that use a different approach to protect businesses. Have you had the opportunity to try one of these solutions? What has your experience been like?

We have managed to gain access to some so-called ‘next-gen’ products and I know what you’re expecting me to say! But they are not the snake oil that their crazy marketing suggests. They are proving to be competent solutions. I don’t think I’d want to run many on my systems without some other form of anti-malware, but they are not the ‘smoke and mirrors’ fake solution I think many people assume. They are not perfect but neither are they rubbish.

It’s always been quite surprising to me that most vendors don’t score 100 per cent.

5- There are also solutions from “traditional” manufacturers within the EDR category (Endpoint Detection and Response). Have you had the opportunity to try out any of them? 

Indeed we have, and we even run one on these products alongside so-called ‘traditional’ AV on our own systems. Being able to track a breach if/when it happens could be useful. Although we’re a relatively small company, it would be naïve to think that no-one would ever mess with us. We take security seriously, especially considering the nature of some of our clients (we don’t just test anti-malware products, but also provide security advice to some of the largest companies in the world). Our influence extends beyond the basic ‘AV test’ world and, as such, we need to be very careful.

6- You have been involved in AMTSO since the very beginning, and in fact you are currently a member of the Board of Director. In your opinion, what are the major accomplishments AMTSO has achieved since its inception?

The relationship between testers of anti-malware products and the developers of those products is a million times better today than it was. This is important because a good relationship means a productive development cycle of the software that we all use to protect our computers. Once it was the case that vendors hated testers and treated their results as something to work around, rather than use to improve products. I think that AMTSO has largely fixed that problem.

7- What are the challenges that AMTSO has to face in the near future in the testing landscape?

The next-generation companies are opposed to testing. They might claim otherwise, but in my opinion they don’t want to be challenged. Their focus is investment and growth. AMTSO needs to bring these companies into the fold and help them understand that there is something more important than just raising investment funding. Customers count and they need to be protected. Testing actually plays a crucial part in that. They can’t expect to succeed if they operate in a vacuum.

8- In your opinion, what is the biggest challenge that institutions and corporations are up against today in regards to cybersecurity? Does that time lag really exist between adopting new technologies in businesses and applying the proper security measures?

I think the biggest challenge is that securing a business involves so much more than plugging in various pieces of computer technology. Users are potentially the strongest link in the chain, whereas often they are accused of being the weakest. Training can help a lot here. Going back to fundamentals and really understanding what security is would help. It’s easier to spend a few millions on some new types of firewalls, but that’s not going to do the job. CISOs need to understand that.

 

The post “Securing a business involves so much more than plugging in various pieces of computer technology”, Simon Edwards appeared first on Panda Security Mediacenter.

“Counter- intelligence as a change to the IT security strategy”, David Barroso

david barroso panda

David Barroso is one of the key names in IT security in Spain and our guest article. We’ve known each other for years, as even though we haven’t had the chance to work together on joint projects, we have often met at security conferences over the last decade or so. That said, I’m going to let him introduce himself:

1-  David, who are you? How have you got to where you are in IT security? How did you get into this crazy, fascinating world?

It all started when I began university in the 90’s. I left my home town of Palencia to study in Madrid, living on campus with more than 300 others. The IT and telco people had set up a network of coaxial cables across the floor (later we were able to wire up each room with RJ45) and we were responsible for managing the network. In fact, in the late 90’s, we were the first ADSL customers in Spain, so it was like running a company of 300 employees. This was the era of the beginning of Linux, Windows 95, with all the fun of using winnukes, land, back orifice, exploits for X-Windows with your colleagues, generally to play tricks on people. But we also had to configure the whole network back then, to share a miserly 256Kb ADSL connection among 300 students: IP masquerading, QoS, provide email for everyone, Web pages, Linux security, Windows, etc.

I learned a lot during this time because we did everything from scratch and everything was really manual, not to mention the continuous incidents affecting our ‘users’.

panda security

David Barroso, CEO of Countercraft

2- As an entrepreneur you have set up your own company, Countercraft. What are the main challenges and obstacles nowadays when setting up a cyber security startup?

I think there are several major challenges. The first, of course, is to create a product or service that customers want to buy, and that means finding a balance between the technical and business sides of the project. Tech people often fail to appreciate the marketing and sales aspects, but both are essential.

Another mistake we tend to make in Spain is that we don’t think about creating something international from the outset; we try to do something local. That’s so different from the Israeli or US outlook (today’s leaders in IT security) where they want to take on the world from the word ‘go’.

It is also makes a difference where you start up your company. We are grateful to have had support though it is nowhere near the support that companies get in the countries mentioned before. They are not only supported financially, but are also helped to position their company or product.

Tech people often fail to appreciate the marketing and sales aspects, but both are essential.

3-  Tell us about a typical day in the life of David Barroso. What sort of challenges do you come up against in your day–to-day life?

The truth is that for obvious reasons, I’m working quite intensely at the moment, dedicating some 12-13 hours a day to our company, doing everything: programming (which I really enjoy), defining the product, analyzing the competition, discussing the market policy, talking with partners, visiting customers, administrating computers, changing print toner, buying laptops, sorting out invoices, etc. There’s no time to get bored.

We’re gradually beginning to outsource some tasks, especially after the round of financing, though there are still many, many things to do in a small company.

I’d say the main challenge is to try to get the whole band playing in tune in this early phase without creating problems further down the line.

4- Countercraft sets itself out as a counter-intelligence startup… Can you explain this concept and the focus of the company? What kinds of organizations need these solutions?

We are positioning ourselves as a change to the IT security strategy. Today, most companies tend to focus on setting up all possible security measures, then resolving security incidents as they occur.

What we propose is to use a lot of the techniques that our enemies are using, particularly as we need to be more proactive. Just as attackers deceive and lie, why not do the same thing (legally, of course)?

We use the classic concept of honeypots adapted to the present day, with many other techniques to make life as difficult as possible for attackers. The idea is to identify them as soon as possible, discover their tools and modus-operandi, as well as getting as much information about them as possible.

We are positioning ourselves as a change to the IT security strategy(…) Just as attackers deceive and lie, why not do the same thing ?

The types of companies that can adapt to this new strategy are those that have already done their security homework, i.e. mature companies from a security perspective, as it is not a good idea to use lures if you have security holes.

5- The world of IT security is advancing at an incredible pace, both in terms of technological developments as well as the sophistication and complexity of attacks. What new challenges will security companies have to face over the coming years?

An inherent problem is that human beings will always be the main entry point for security problems, and as such, technology and security products face an uphill task as we are so unpredictable. It’s also true that we don’t really like following security procedures and we are easily tricked. So even if we give most users highly secured desktops, attackers will (and already do) target system administrators, who generally have more freedom.

In our case, what we try to do is to find a human error or lapse on the part of the attackers (they also make mistakes), and give a tug on the loose thread to see if we get what we’re looking for. In other words, we also take advantage of the fact that attackers are human and make mistakes, maybe because of too much haste or greed, or a lack of knowledge.

6- The type of strategy employed by Countercraft is strongly focused on attacks that aim to penetrate corporate networks and steal sensitive data. Do you believe that these techniques could be used to counter other types of attacks?

Of course. In fact there are other scenarios in which we are using the same techniques, such as to counter fraud to identify and monitor malware and phishing campaigns, sabotage of governments or companies, or working with law enforcement agencies to tackle child pornography or online recruitment by terrorist groups.

7-  Managing to hoodwink cyber-crooks offers you the chance to find out a lot about them, not just how they operate and the steps they take to infiltrate a company, but also data that could also help to identify the culprits. Do you anticipate, as part of your strategy, working with law enforcement agencies, or would this be a decision for each of the customers you protect?

From the outset we work with law enforcement agencies, although the decision to contact them regarding incidents in companies is entirely down to the customer.

 

 

The post “Counter- intelligence as a change to the IT security strategy”, David Barroso appeared first on Panda Security Mediacenter.