Cybersecurity Q&A: Two IT experts talk prevention, detection and what to do when you get hacked

The rise of cybercrime has resulted in a robust industry of cybersecurity professionals, endlessly engaged in a cat-and-mouse struggle with would-be hackers. We interview two cybersecurity experts on current trends, their expectations for the future and their advice on how companies can best protect themselves.

Andreas Bogk, a hacker and member of the Chaos Computer Club for more than 20 years, is a Principal Security Architect at HERE Technologies. Tonje Vik Jevard is a Cybersecurity Advisor at NorSIS, The Norwegian Center for Information Security, which works to promote a secure digital environment in Norway.

How has cybercrime evolved over the last three to five years?

Tonje Vik Jevard: In most recent reports on cybercrime we’ve seen a shift in focus from technology to the human aspects. As communication technology and software become more secure, the cybercriminals are bypassing technology and targeting us through social manipulation to get hold of our money and information. Good examples of such activities are CEO fraud, Microsoft fraud, dating fraud and ransomware.

Andreas Bogk: Certainly the most striking development in the area of cybercrime has been the rise of ransomware. We’ve seen this type of attack become more frequent and also more sophisticated. The main drivers of this development are the availability of decentralized digital payment systems such as Bitcoin, as well as the commoditization of the components required for an attack on the black market. Often enough, companies that lack proper protections and business continuity plans suffer severe damages, or end up paying the ransom.

Have you seen any types of cybercrime that are specific to the Nordics? Are there any local or regional trends?

Andreas Bogk: Cybercrime is an entirely global phenomenon, as it is usually not very targeted. Regional differences are visible when it comes to nation state actors though. Key industries such as energy and defense, but also high-tech and research, are typical targets for industrial espionage or sabotage, and these attacks align with the global political and economic situation.

Tonje Vik Jevard: Citizens of Nordic countries are likely targets of cybercrime as our societies are at the forefront of digitization, everybody is online and we possess a high level of trust, which might make us susceptible to social manipulation and fraud. However, as we saw with WannaCry (a ransomware that spread from machine to machine earlier this year), the Nordic countries were not highly affected as our machine park is quite new and we use updated software. One shift we’ve seen in the past year is an increase in targeted ransomware attacks that are able to differentiate the ransom payment based on the victim’s ability to pay. As the Nordic countries are quite wealthy, this might lead to higher ransom demands in our region.

Are you seeing an increase in the number of hackers targeting corporates and larger companies?

Andreas Bogk: Attacks against corporates are on the rise. However, the lone hacker is not the only threat, and not even the worst. While there are some spectacular cases of data theft performed by individuals, or ransomware damaging company properties, the threat that is harder to defend against is state sponsored or organized attacks. Those are usually well-organized and staffed, with big budgets, access to powerful attack methods, and staffed with analysts who know what to look for.

What areas of companies are being targeted and for what purposes? Are departments such as treasury and finance especially vulnerable?

Tonje Vik Jevard: It all depends on the criminal’s agenda. With CEO fraud, employees working in finance are especially vulnerable as they have the means and authority to transfer money on behalf of the company. However, if the criminals are seeking information about technology development or other secrets, they might target the engineers or even the cleaning assistant who has the keys to the room with the prototypes.

Andreas Bogk: Usually, the most important targets inside a company are the IT department, to ensure access to all systems across the organization, followed by HR, to understand the company structure and find the interesting targets inside a company. From there, the targets entirely depend on the purpose of the attack: is it about espionage, sabotage, theft? Large scale theft is still rare, mainly because it is difficult to actually exfiltrate larger sums of money, but it exists, and makes treasury and finance a valid target.

What kinds of attacks are the hardest to prevent? The easiest?

Andreas Bogk: The hardest to prevent are attacks that focus on the human factor. No amount of training and awareness can completely eliminate the risk that employees enter their corporate credentials on the wrong website, open an attachment in their mail containing backdoor software, or otherwise compromise the security of the organization. This is why modern security practice focuses on detection as well as prevention. Easy to defend against are classic network-based attacks; firewalls do a pretty good job at mostly stopping them.

Tonje Vik Jevard: Targeted attacks are the most difficult to prevent. If a professional organization with vast resources is hired to target your company’s finances or secrets, you often need to be equally professional to detect the attack. Random non-targeted attacks are usually easier to stop, as they can be prevented by traditional best-practice routines, like keeping the software updated, having a good system for backups and so forth.

What do you see as the greatest IT weakness among large companies?

Tonje Vik Jevard: Large companies need to have good processes for IT security management, and they need to be supported, understood and adhered to by top-level management. A CEO needs to understand the business impact of digital risks.

Andreas Bogk: Often, the greatest weaknesses are old and forgotten, unmaintained and unpatched systems. They provide leverage for an attacker and reduce the skillset and effort needed for a successful attack.

What is the most important component of a strong in-house IT security system?

Andreas Bogk: There is no single component that makes or breaks a good in-house IT security system. It’s important that all of them are in place. It is highly recommended to establish an Information Security Management System, such as specified in the ISO/IEC 27001 standard. This will cover relevant components for both the prevention and detection of attacks in the form of responsibilities, processes, standards and measures.

Tonje Vik Jevard: A well-running IT security management process is key in every organization, and a sensor network may be able to detect many attacks against a company. However, we still rely on employees’ ability and willingness to report incidents, manage risk and take appropriate actions. Individual workers can be a great protection when their security awareness is high, they receive proper security training and the company has developed a security culture that supports their business goals.

How can businesses become better at early detection of security breaches?

Andreas Bogk: Early breach detection is highly dependent on central collection and processing of log information. In this case, a Security Information and Event Management system is required. Of course this also requires efficient event collection, which can be supported by modern tools such as Cylance and Carbon Black for detecting malware on computers, or Microsoft Advanced Threat Analytics for processing Active Directory events. Of course, this also requires an on-call team of security engineers, who can analyze and process incidents.

What game plan should businesses have in place if they become a victim of cybercrime?

Tonje Vik Jevard: Defense against cybercrime must be a part of the business continuity planning. If the company has become a victim of cybercrime it is important to report the incident to the law enforcement agencies. Also, it’s important to learn from the incident, and adjust accordingly to prevent similar incidents from happening in the future. If a company is able to be open about incidents and share their knowledge with other organizations this may lead to greater awareness in society.

What new methods of cybercrime are on the horizon? What do you see coming and how can companies be prepared?

Tonje Vik Jevard: We’re most likely to see more challenges related to the Internet of Things, especially related to ransomware. The information stored in wearables and health applications might be collected by criminals and used for extortion. At the same time, technology will continue to advance, and we’ll see new creative ways to manipulate us socially.

Andreas Bogk: I think we will see a rise of industrial espionage from private entities, not just nation states. This is relevant whenever there is information of very high value, such as in M&A cases or high-profile lawsuits. Companies need to prepare by hardening the IT systems used for handling highly classified information.

The information provided within this website is intended for background information only. The views and other information provided herein are the current views of Nordea Bank Abp as of the date of publication and are subject to change without notice. The information provided within this website is not an exhaustive description of the described product or the risks related to it, and it should not be relied on as such, nor is it a substitute for the judgement of the recipient.
