Raising awareness for cybersecurity

Sponsored content


Cyberattacks are evolving, and with them the challenges businesses and institutions face. But where is the line between fraud and cybersecurity? This is the central question addressed in the latest episode of the Evergreens by Spuerkeess podcast, now available to read.

In this final episode of a three-part special, podcast host Bryan Ferrari talks to three guests specialised in cybersecurity. Bertrand Lathoud is COO (Chief Operating Officer) at the Luxembourg House of Cybersecurity, Philippe Parage is IT Infrastructure Engineer at the National Cybersecurity Competence Center and Lars Weber is CISO (Chief Information Security Officer) at Spuerkeess.

Where do technical threats end and sophisticated criminal strategies begin? How can companies secure their infrastructures and still be successful? The experts answered all our questions.

Bryan Ferrari: To begin this episode, it's important to ask the following question. What is cybersecurity and what isn't?

Bertrand Lathoud: Cybersecurity is the security of any infrastructure linked to the Internet. Above all, it's about prevention and protection. And then, when necessary, incident response. But fraud goes beyond security. Fraud is a phenomenon in which a criminal abuses a system or other people in order to steal assets, whether money or information. In this case, the modus operandi may be old – what in Switzerland, for example, the Penal Code calls "vol à l'astuce", which is one of the names for swindling and consists of abusing people's credulity – but they can be reinforced by using very modern tools, such as deepfakes – fake videos or sound recordings to accentuate identity theft.

Lars Weber: We're really talking about protecting IT infrastructures against threats that are specific to the IT world. They often take the form of exploiting vulnerable passwords or vulnerabilities in systems. That's how we define this perimeter, commonly known as cybersecurity.

Bertrand Lathoud

Bryan: We're all familiar with presidential fraud, for example. Which cyberattacks are the most widespread? Is there a certain pattern?

Bertrand: No, but we could differentiate between attacks targeting individual users and attacks targeting companies. And in the corporate world, these frauds are on the increase. But the most common type of attack, at least until recently, was ransomware. Because it allows criminals to make a lot of money with a relatively limited amount of effort.

Bryan: What is ransomware?

Bertrand: Ransomware involves criminals sending malware, i.e. malicious software that they have prepared, into a company's system. They then encrypt all the company's data and demand a ransom to return the data. That's basically how it works.

Bryan: Is this widespread in the corporate world too?

Bertrand: At the moment, it's the main attack on businesses.

Lars: It's also often seen as a form of opportunistic attack. A prepared e-mail is sent, either containing a virus or pointing to a location where the virus can be activated, to a whole range of e-mail addresses. Any Internet user can be affected. Often the impact is different for a private individual than for an employee. But nonetheless, we really do see this type of attack happening to everyone, given that the distribution vector is often email. There are also other forms of attack. Denial of service attacks, which are unfortunately very fashionable these days, essentially aim to saturate a system's Internet bandwidth or even its disk or memory capacity. You make a service unavailable and hope to be paid to stop the attack.

Philippe Parage: Another type of attack is the exploitation of software vulnerabilities, or Zero Day Attacks, which are much more technical than DDoS and phishing. They do not depend on any action by the victim or feedback from the user. The attacker targets a vulnerability that triggers a process that enables the attack to be launched. Zero Day attacks are not the same, because they are specific to each piece of software, and they are very dangerous.

Bryan: I've never heard of Zero Day before. Are there any examples to illustrate this? And why is it called Zero Day?

Lars: When the first computer viruses appeared, you could see the virus appearing and, generally speaking, the antivirus software already knew about it and was protected against it. But after a while, virus publishers realised that their viruses were often detected very quickly. So they started making viruses that change form quickly and become undetectable by the software. Today, these are viruses that are not detected by most antivirus software with an up-to-date signature. They are called Zero Day viruses because on the very day they appear, they are not detected. So the name comes from a historical development.

Bertrand: It's been extended to vulnerabilities in general. Because when vulnerabilities are discovered, they are generally published with a patch. That way, they can be repaired immediately in our system. What Lars is describing are vulnerabilities that have not yet been discovered by security researchers, but which have been discovered by criminals who are going to exploit them. Zero Day covers everything, both viruses and vulnerabilities. And as Philippe pointed out, the user doesn't have to be involved. So it's very, very convenient for the attacker, because he can penetrate the system and take control of it without being detected. Users can't even say "I've been asked to do something wrong" and report it.

Bryan: But, naively, couldn't we get round the problem by preventing people from downloading software onto company PCs?

Lars: You can also avoid the risk by switching off the systems… but you have to strike a balance between the need you want to address by using IT systems and the risks involved. So avoiding file downloads will work in some cases where people don't need to be on the Internet or don't need to download files. Unfortunately, in reality, you have to allow it because you need it. So we really need to find a configuration that minimises the risks, but also addresses the needs of the business.

"Cybersecurity is the security of any infrastructure linked to the Internet. It's first and foremost about prevention and protection. And then, when necessary, incident response."

Bertrand Lathoud, COO at the Luxembourg House of Cybersecurity

Bertrand: As for the users, they have to fulfil their business mission. So if they are banned, they will try to find a way around the ban. And then we find ourselves in a situation that is much more complicated, because we can see parallel systems being set up, where users manage to bring external files into the organisation's system. This is very problematic. Lars underlined one of the problems: the most difficult thing for security managers is to strike a balance between the pressure of attacks, which makes them want to close down as many possibilities as possible, and the fact that security is not what brings in money for the company. What's interesting is that this isn't a technical problem, it's a human and organisational one. You can't solve security problems with a magic tool that blocks everything.

Bryan: OK, but what are we going to do about it, both personally and as a company? Because we seem to be in a race where we always come second…

Lars: Not necessarily. And that also exists in other areas of life. You drove to work this morning. Your car has weaknesses too. You also take precautions, you respect the highway code. You don't push your car to its limits, at least not every day. In computing, it's a bit of the same thing. We build highly integrated complex systems and it's very difficult, if not impossible, to control 100% of all the interactions between the different components of the systems. So if you really want to have 100% security, you need a very long, very detailed design. It has to be constantly adapted, and that's going to make innovation cycles very slow. And that's going to drive up the cost of systems enormously. Slow down the pace. So somewhere along the line, you have to accept that your systems are not perfect. And to protect yourself against the residual risks that you accept by using these systems, you need to have some basic hygiene.

Bertrand: At company level, what we're trying to do is to ensure that if an attack ever occurs on one of the remaining points of weakness, it doesn't spread everywhere. The idea is to limit the impact as much as possible in order to limit the damage. Again, these are architectural measures. For individuals, we can also have this idea of minimisation by being aware of what we put online, of the data we connect. You don't have to put everything online, connect everything. In that case, the fraudster will look elsewhere. Which reminds me of an anecdote when we were talking about security issues at a European working group, and the representatives of one country summed it up by saying that, in the end, you don't have to run faster than the bear, you have to run faster than your neighbour.

Bryan: So if your neighbour is weaker, the attacker will tend to attack him.

Bertrand: Yes, that's exactly it. But you can't reduce things to individual action. We can't be satisfied with that. Action by the public authorities is extremely important to ensure that the weakest members of society still have this minimum level of protection. That's what we're trying to do at the Luxembourg House of Cybersecurity: to provide the entire ecosystem with accessible tools and documentation. The dream would be for the reputation among criminals to be that it's not worth trying to defraud Luxembourg because it's a waste of time and money.

Bryan: For a company like Spuerkeess, it's different to being a small SME with around twenty people. The cost of all this becomes more important. If you have to choose between doing business and securing your systems, you're going to do business. In practice, what can an entrepreneur do?

Philippe: Raising awareness is essential. At NC3, we organise simulated attacks, like those proposed with ROOM#42, to evaluate processes, test participants' resilience in the face of stress, and improve their ability to communicate effectively. These exercises help to identify existing vulnerabilities, optimise companies' preparedness and, above all, make participants aware of the complexity of a real attack. Even though this is an exercise, it highlights the real challenges that organisations could face.

Lars Weber

Bertrand: Then you also have to remember that, as a public agency, we're not here to compete with security companies on the market. Our idea is rather to carry out the initial tests or give basic advice to help small and medium-sized businesses get started with the security process. After that, we refer them to the market, because we also want an ecosystem of Luxembourg security companies to develop. And that's why, at the LHC, in addition to what the NC3 is doing, we have a platform called cybersecurity.lu, commonly known as Cyberlux, which provides an overview of all the players in the market, in other words all the security providers. And we have over 300 companies signed up.

Bryan: How can I access ROOM#42?

Philippe: For the moment, all you have to do is contact the Luxembourg House of Cybersecurity to book a session on our premises. A session can accommodate between 5 and 8 participants and consists of a briefing, the exercise itself and a debriefing. Small spoiler… you won't win.

Bryan: So, objectively speaking, you have to be better than your neighbour. If we compare ourselves with neighbouring countries, are we well equipped?

Bertrand: Obviously, when you look at France or Germany, you're looking at big countries with huge resources. Their central agencies are impressive. But they also face challenges of a different kind. However, what we can see, because Luxembourg has a very strong presence in European bodies, is that we are perceived as a country that is very active in cybersecurity. We often say, in English, that we box above our weight. We have put in place quite a few things that mean Luxembourg is well perceived. There's still work to be done, and we mustn't rest on our laurels, but there is recognition. We're on the right track.

Bryan: What about Luxembourg's banking system?

Lars: I don't think we need to compare. We have the same adversaries. We've seen recently that national borders don't stop computer attacks. But at the Luxembourg level, I think that, in terms of regulatory requirements alone, we are well placed. We are constantly being put to the test to improve, to keep up with everything that emerges. We are clearly faced with threats that we take very seriously and that we try to address as quickly as possible. So we're not competing with each other.

Bryan: If you were given the opportunity, what would you do first to take things a step further?

Lars: I think the most important thing is to keep watching what's coming, anticipating attacks and preparing for them. Constantly adapting. That's really the most important thing. It's a race that never ends. As long as we have systems that are connected, that are there, that have electricity in them, we should assume that sooner or later someone might be tempted to exploit a weakness in our system.

Philippe Parage

Philippe: Revisit awareness, start earlier. Already in schools, explain that it's possible and that such attacks are possible. We need to become an 'aware' society that doesn't ignore this threat and, through this awareness, adopt rigorous security hygiene to protect ourselves effectively. This includes using complex and unique passwords, activating automatic updates, and being more vigilant about risky behaviour, such as not clicking on links or attachments from unknown sources. For businesses, segmenting systems is a key practice for limiting the spread of incidents in the event of an attack.

Bertrand: Personally, I'd insist on sharing. Sharing information between professionals, to improve prevention and prepare better. This gives us better visibility of threats. It also means sharing documentation and training for the general public and defenders, things that are accessible and that enable everyone to adopt practices that greatly minimise exposure. So following on from what Philippe said, not only should we have education at school, but we should also have this information shared in a more sustainable way. Because sharing doesn't just mean putting information online, it also means making sure that people can find it and know where to go.

Bryan: I have one big fear… and that's artificial intelligence. I suppose that artificial intelligence, which is going to improve itself, isn't going to make your job any easier…

Lars: It depends. Artificial intelligence can be seen as an opportunity, it can also be seen as a threat, and the reality is probably somewhere in between. I think we also need to use all the capabilities of solutions based on artificial intelligence to protect ourselves. I think we clearly need to use these solutions to protect ourselves, because the attackers are using them.

"Revisit awareness, explain that such attacks are possible. We need to become an 'aware' society that doesn't ignore this threat and, through this awareness, adopt rigorous security hygiene to protect ourselves effectively."

Philippe Parage, IT Infrastructure Engineer at the National Cybersecurity Competence Center

Bertrand: What we are seeing, for the moment at least, is an improvement in certain stages of the attacks thanks to artificial intelligence. But we haven't seen a complete paradigm shift. This means that some of the defence tools are being undermined, but there are also some that are still effective. So if you have more or less consistent security in place, you're still protected. This is an important point, and we mustn't panic. But it's clear that you have to be extra vigilant.

Bryan: Recently, a year ago, a major flaw in the system prevented planes from taking off. It was Cloudflare. Will we have to get used to this kind of event and have an emergency plan ready to be deployed at the same time?

Lars: I think that for all the critical processes in a company, you have to ask yourself what you're going to do if you can't keep it running. There are several approaches to this. The first is to say, "OK, we accept that this activity, even if it's critical, won't work for four hours or two days." We can also see whether we have fallback solutions to activate in case the breakdown lasts too long. I think that often the tactic used is to have an independent solution that allows you to operate in degraded mode for a certain period of time.

Bertrand: There's no universal answer, because it depends on the sector of activity. For example, in the world of hospitals, there's a whole debate going on at the moment, because we can't afford to stop and shut down the hospital. People are dying. These are sectors that are considered highly sensitive. At a corporate level, Lars summed it up very well. It's something that's formally defined. There are methods, and you have to follow them. And then gradually put in place a plan to guarantee business continuity. Especially as, in some sectors, this is a legal requirement. We talked about information sharing earlier. An important point to bear in mind when sharing information is that some things take time to analyse from a technical point of view because they are complex. So we can't give any answers. And we have to be very careful. I remember one case that got a lot of media coverage. It involved TV5Monde in France. It was in 2015. Their system had been completely destroyed by attackers. The Islamic State seemed to be claiming responsibility on their website, which had itself been hacked. So for several days, everyone in Parisian circles got excited about this lightning attack by the Islamic State. Some time later, we realised that it was an attack carried out by Russian intelligence. What lost them was the fact that their translation of the communiqué into Arabic was not that of a native speaker. But it took a while to reach that conclusion.

Bryan: So back to geopolitics…

Bertrand: Yes… that was just to give some well-known examples, which are non-debatable and which are still very, very significant because they targeted entities that were important and visible.