Interview by Adeline Jacob from SmartCities, translation by itrust consulting.
There are viruses that attack bodies while there are others that attack computer systems. Neither type will have spared us in 2020, challenging both health and cybersecurity experts. Carlo Harpes, founder and managing director, and Guillaume Schaff and Matthieu Aubigny, Security Consultants at itrust consulting, analyse these current events and present the solutions proposed by the company to best navigate in this cyber-insecurity climate.
Has Covid-19 resulted in a more favourable setting for the resurgence of cyber-attacks?
Carlo Harpes: We were astonished when, at the beginning of the pandemic, the Luxembourg authorities announced that there had been no measured increase in cyber-attacks. This message went against our perception and our predictions. Finally, in August, Avast stated that the threat had increased by 27% for Luxembourg citizens. Most recently, we also learned that certain pieces of American security software had been breached. Almost at the same time, the world witnessed the longest shutdown ever of authenticated services from Google, WhatsApp, etc. We can indeed say that insecurity is increasing.
Guillaume Schaff: Studies have shown that phishing attacks increased significantly during the first lockdown (1). Hackers play a lot on human emotions to achieve their goals. The climate of fear in which we lived in March was therefore beneficial to them.
Matthieu Aubigny: In addition, there has been a stress phenomenon at the telecommunications infrastructure level, and small vulnerabilities have probably become more significant as a result. These failures, however, have had the virtue of increasing the level of resilience of a certain number of tools.
In the United States, one attack in particular made a lot of noise...
Carlo Harpes: The Treasury Department and the National Telecommunications Administration were victims of a cyber-attack orchestrated by expert hackers catalogued as APT29 who, according to the FBI, are linked to the Russian government. The attack in question on the Orion management software (network control/surveillance tool) of the American company SolarWinds was indirectly aimed at its clients: in addition to American federal agencies, the malware infiltrated leading companies in the IT world such as Cisco, Intel, Nvidia, Belkin or Microsoft, without us knowing its real impact. To this day, it remains an unknown and a risk, because anyone capable of using SolarWinds to penetrate Microsoft could also have used Microsoft to infiltrate its customers. These are speculations, but the underlying method, called a supply chain attack, is dangerous because it is difficult to detect. To such an extent that companies like Microsoft are calling for coordinated, international, legal and technical initiatives to deal with this problem (2). It is therefore legitimate to ask whether it is always advisable to use tools that are used on a large scale and therefore attractive to cyber-attackers. In general, we note that managers tend to invest in market-leading software more easily than to consult an expert who will know how to correctly use a less widespread product and set up real monitoring procedures via this product. This is a mistake. It is better to use lighter and simpler tools, ideally Open Source, and to use the services of a specialist to deal with anomalies.
Matthieu Aubigny: To use an image, let’s say that people tend to invest in the best tanks, but have neither a crew to observe the opponent’s movements nor a driver to defend themselves. What is needed is someone behind the screen who can spot failures and counter-attacks. Even in this age of Big Data and artificial intelligence, there is no substitute for a trained expert. You have to be aware that security products are necessarily in the sights of the attackers, since they have to be fooled before they can go any further. On the other hand, given the mass of data to be processed, the experienced expert will also have to use artificial intelligence and automatic learning to discover what is often a needle in a haystack.
What services do you offer when it comes to data protection issues?
Guillaume Schaff: Since May 25th 2018, we have been assisting our clients in complying with the GDPR by establishing registers of processing activities and preparing Data Protection Impact Assessments (DPIAs). In a basic approach, we also propose the establishment of security policies as well as data privacy notices pertaining to the processing of personal information. We also offer an external Data Protection Officer (DPO) service – mainly used by public entities – as well as incident management measures, for example in case of personal data breaches. In addition, we offer a wide range of documents to support our clients in their compliance and help them adopt good practices.
Carlo Harpes: We have also improved our security management system after introducing around 50 measures in line with the ISO 27701 standard, which provides recommendations on privacy management (PIMS). itrust is the first company to be certified for this under the OLAS accreditation.
‘It is better to use lighter and simpler tools (…) and use the services of a specialist’
What tools are you currently developing?
Carlo Harpes: First of all, we have refined our documentation to generate pandemic plans and deploy ‘templates’ that take into account ‘Privacy by Design’ and ‘Security by Design’. Secondly, we are carrying out a research project to develop a lightweight tool in terms of deployment and cost to provide intrusion detection capabilities and a Luxembourg-based support service for both industrial and private clients with no security knowledge. And, finally, as part of the Quartz project, with partners such as SES, we are developing new algorithms and sophisticated tools to secure a satellite-based quantum key distribution service. In this way, we will help to ensure the confidentiality of communications in a future where attackers will have quantum computers at their disposal. In parallel, we want to carry out research to develop security tools based on post-quantum cryptographic algorithms (i.e. secure against attacks by quantum computers), simulators and components for these computers, along with associated test tools.
Has the pandemic caused delays in the implementation of certain security or data protection measures?
Carlo Harpes: At our customers’ premises, many projects aimed at reducing IT risks have logically been postponed due to the unavailability of people or stagnating revenues. These companies have therefore agreed to act with greater-than-expected, but still acceptable, risks. On the other hand, none of our customers have suspended their security certification or discontinued measures already in place. The majority of our customers used the opportunity to refine their crisis and pandemic plans.
Guillaume Schaff: Although our customers focused on their business activities at the beginning of the crisis, we are now seeing an increase in demand for Business Continuity Management, i.e. maintaining business activity in the event of a crisis, and for secure teleworking. We had detected shortcomings on both these levels in March, but I think that top management has really become aware of the need but also of the risks of accelerating the digitalization of their activity.
What do you expect to see in 2021?
Carlo Harpes: The past year has been very demanding. Our teams are exhausted by a workload that is likely to increase again this year. However, we are hopeful that this lack of human resources will strengthen solidarity and cooperation between the public and private sectors. It is by joining forces, with longer-term partnerships, that we will have the greatest impact.
(1) Dominique Filippone, « Avec le coronavirus, le phishing augmente de 667% en mars », https://www.lemondeinformatique.fr/actualites/lire-avec-le-coronavirusle-phishing-augmente-de-667-en-mars-78582.html