Mikko Hypponen, Chief Research Officer, F-Secure

DQ Channels - Spot Light

India is being considered the most vulnerable country to cyber attacks, so what can we do to get rid of this situation?

Get rid of the old technology. It’s one of the explanations for why we can see so many differences in the risk rate in different countries. For instance, Windows XP has been out of support for two years now, with no security patches, and it is running in India. That means you are approaching risks which are already fixed; they don’t apply to you because you are running an old system.

Another thing is the role of operators and the telecom providers. There are some vendors which typically keep their own network clean; they monitor both the traffic and the servers. They isolate the company laptops, there could be own users. In some cases they even call the customers or sometimes disconnect the customers, put them in a wild card, and they explain to them that they can’t be allowed on the internet until they clean the machine, and they keep tools to clean the machine. The role of operators is crucial in keeping the net clean, and this is beginning in India too.

In the current scenario of the Indian market, do you think we have enough skills before investing in security?

The crux of the matter is, we need better security engineering; for that we need better security engineers to begin with, and that is a crucial problem. We have a cap on security experts; we don’t have enough qualified people in security, and this is a problem we always have to face while hiring skillful employees for F-Secure as well. That is why we are searching for qualified people by visiting universities, to recruit people who are capable enough to work.

In this area, F-Secure is educating people. We run Cyber Security Base, which is a course series in collaboration with the University of Helsinki that focuses on building core knowledge and abilities related to the work of a cyber security professional. These are online courses that anyone can access.

With the increase in trends like BYOD and BYOA (bring your own application), and with corporates giving us access to the company, what are the concerns that should be addressed to prevent attacks?

If employees want to access corporate data on their own devices, then they have to follow some corporate rules. The company decides what kind of settings have to be applied on the devices, and you have to apply them in your settings. So if the employee follows those guidelines well and applies them on their device, I think then there is no problem.

However, quite often people think that mobile phones are less secure compared to computers. But actually it’s the other way around. In fact, I always tell people to use tabs and mobile phones to do critical stuff, for example mobile banking. If you do it from a computer you have more chances of getting attacked, but if you do it from your iPad then you have no reason to worry.

What are the top things that the CSO of the organization should know to secure his employees?

Firstly, they must do threat assessments for the company. Ask questions like: who would like to steal from us? Do we have enemies? Do we need to worry about hacktivists? Etc. For example, oil companies and foreign intelligence are prone to hacktivist attacks. Step two: the company should build a skilled team which could handle such matters. But mostly we see, is a bit tough, in many organizations there are people already present in your organization that have the relevant skills. Step number three: education, education and training.
