Cybersecurity Breaches Human impact and Regulations
07TH July 2021
In this second-part of our discussions with Cybersecurity expert – Ludovic Petit, we particularly focus on the impact humans have on not just causing cyber-attacks but also on mitigating the risks involved in the world of Cybersecurity Breaches.
(Part-I with Mr. Petit : The world of Ransomware: trends, recent issues & awareness)
Ludovic PETIT is Chief Executive Officer at JADE, a cybersecurity and business strategy consultancy. He assists companies to create a unifying and value-creating culture of digital security through consulting missions related to cybersecurity and business strategy, legal compliance on information security and through audits. Being a well-respected authority on cybersecurity and data protection, Ludovic PETIT also serves as Associate Researcher at the Research Center of the National Gendarmerie Officers Academy, Commander, Defence and Security Citizen Reserve Gendarmerie, Auditor of the High Studies Centre of the Cyberspace, member of the Board of Directors of Cyberlex, the Law and New Technologies Association and was Global Chief Information Security Officer at Altran.
It is true that every system is not perfectly secure. However, a lot of breaches are explained by the lack of best practices (human level) and by cunning methods like Social Engineering – could you please elaborate on these factors?
Mr Petit: There is no such thing as 100% security, in fact for a quite simple reason: technology today is so complex that there can be errors in software design, or in operational implementation. This is a fact, and we must accept it as such.
Thus, for developers, the concept of “secure coding” about software design, whose purpose is to minimize the possibility of vulnerability in the code you write.
Secure Coding is a technology agnostic set of general software security coding practices, which can be used in a comprehensive checklist format, that can be integrated into the development lifecycle.
The reference in this area is OWASP, a non-profit foundation that works to improve the security of software.
OWASP provides an open-source training platform created for developers to learn and practice modern secure coding techniques, and helps develop secure coding skills through real-world challenges, to ensure knowledge acquired can be confidently applied in the real world.
The daily cyber news unfortunately shows us that, far too often, the principles of security and secure coding are obviously not respected, but this is not the main reason.
The combination of ‘security patch not applied, or not up to date’ + the ‘lack of security process’ in the operational implementation of the solution generally leads to major flaws and issues in information systems, so in information security. Let’s now switch to Social Engineering.
Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.
What makes social engineering especially dangerous is that it relies on human error, rather than vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less predictable, making them harder to identify and thwart than a malware-based intrusion.
The interesting thing about social engineering is that, although it can be dangerous for a company, it can also be used by the company in security awareness sessions for its employees.
The key is psychological manipulation, depending on the level of credulity, emotion, guilt, responsibility of the person under attack.
A well-known example is the “Fake President Fraud” or “CEO Fraud”, a social engineering attack where a hacker tries to convince a financial department employee of a company to send out a payment to the attacker’s bank account, by claiming an emergency context under false pretences.
Another classic is to call a company’s switchboard pretending to be a service provider to obtain confidential information about people or internal processes, which can then be purposely exploited by competitors or hackers.
Although most of the time, attacks are carried out either by an email (Phishing) targeting a specific person (Spear Phishing attack) or directly by phone, social engineering attacks come in many different forms and can be performed anywhere where human interaction is involved.
What is the weight of human involvement in Ransomware issues?
Mr Petit: To be pragmatic, I would say that prior to any involvement of a target, interest must first and foremost be aroused.
I ‘skip’ over the types of attacks that rely on technical and security weaknesses, allowing the hacker to inject and activate malware/ransomware within an information system.
This is a phase of a process well known to hackers, in which one is already doing what is called a ‘mapping’ of the context one is trying to target, to perfect what is called ‘target acquisition’. In other words, we first gather information on the company, its context, its business, its financial value, etc., to design a succinct but realistic approach that will arouse the interest of the target person regarding his or her daily activity.
And what medium to use for this if not the free and most used service on the internet… namely email.
The ROI of a ransomware attack carried out by messaging is unparalleled, as it is free, fast and cannot be formally identified.
It only takes one person in a company to click on a link in an email forged by the hacker, or to open a document attached to the email sent, for ransomware to be activated on the target person’s computer/system. Done!
In fact, to sum up, reality of facts shows that the weight of human involvement in Ransomware issues depends on the level of awareness of the individual. And it is not always easy to detect a phishing email that might contain Ransomware, because, whatever one thinks, hackers are also very clever.
There is no magic or ‘one size fits all’ solution.
The implementation of a solid anti-spam solution for email is obviously a requirement. So is raising staff awareness of security risks.
A wave of attacks has been surging over the last months on countries and companies. After the Colonial Pipeline’s attack, the White House wrote an open letter where it reminded the need for companies to adopt better standards of security. Could you please share your inputs on the specifics discussed here?
Mr Petit: President Joe Biden and the White House have acted on major cybersecurity risks as a matter of national sovereignty, just as it is for France and every other country in the world.
Without playing devil’s advocate, let us not forget that a legislator/a country legislates when the industry is not able to take the necessary measures to manage and mitigate risks, or issues, which sometimes impact on the continuity of service provided to individuals or the nation, or which could potentially harm a nation’s interests.
In France, for example, this led to the creation of the status of Operator of Vital Importance (OIV), whose Military Planning Law (LPM) obliges operators designated as being of vital importance to the nation to adopt a certain number of measures designed to protect their integrity and that of their computer systems. The LPM also includes implications for partner companies and/or subcontractors of companies qualified as OIV.
Another example is the status of Essential Service Operator (Opérateur de Service Essentiel – OSE) and Digital Service Provider (Fournisseur de Service Numérique – FSN), which are dependent on the Network and Information Security (NIS) Directive that requires them to ensure a high level of security of their networks and information systems.
This is in fact due to a paradigm shift:
Historically, until the beginnings of the Internet at the end of the 1980s, technological developments took precedence over the legal reference framework, which had not evolved accordingly, posing a major problem for the legislator.
The law then evolved in line with technological developments, as in France in the case of the Godfrain Law of 5 January 1988, on computer fraud, the first French law to punish acts of computer crime and hacking. It is one of the pioneering laws concerning the law of new information and communication technologies (NICT), after the law of January 6, 1978, called “Loi Informatique et Libertés”, which introduces the notion of automated data processing system (STAD) and provides for several correlative provisions of the Godfrain Act (concerning the obligations of the data controller with regard to guaranteeing the security of the data – Art. 34 of the 1978 Act).
This trend has since been reversed, and France has been a forerunner in legal developments relating to new technologies, emulating many around the world, as for example the California Online Privacy Protection Act of 2003 (CalOPPA), which came into force on 1 July 2004 and was amended in 2013, and which was the first state law in the United States to require commercial websites and online services to have a privacy policy on their website.
This paradigm shift is illustrated by the fact that, nowadays, and for the last twenty years or so, the legal and regulation framework rule the technical means to be implemented to comply with the law, as for example the General Data Protection Regulation (GDPR) which came into force on 25 May 2018 for any company processing the personal data of European citizens, with a notion of extra-territoriality.
It is therefore clear today that technology is no longer sufficient to protect the interests of a company or a nation, hence the need to legislate accordingly. This is certainly not THE solution, but I think it is good to sometimes consider the legal constraint as an opportunity for a company to work on Cybersecurity in a relevant way and at the highest level according to its business sector.
Beyond the legal obligation, I would add that cybersecurity is not only a necessity but also a matter of common sense to protect the company’s assets and thus contribute to being perceived as a trusted partner by its customers and partners.
Thus, the White House open letter where it reminded the need for companies to adopt better standards of security makes sense, and as a security expert I fully agree to this approach.
What are the key items that remain unresolved currently and potentially for the future?
Mr Petit: I think that real international cooperation between nation-states is needed. Strengthening the links between governments, organizations working on global cybersecurity is an important step, as is the synergy between the academic sector, private industry, security companies and governments.
But the reality is quite different, we must admit. As General de Gaulle said, “Nations have no friends, they only have interests”.
On a more optimistic note, and this is the reality of the situation, one of the most important challenges that partly answers the question is that it is time for the function of Chief Information Security Officer to be at last considered and recognized by the Executive Committee and HR Department as a major one within companies, and that Executive Committee take the full measure of it by providing the means to the CISO to honour the mission for which he/she was hired, by bringing him/her support and confidence.
Do you believe states and firms are doing their best to avoid these kinds of situations?
Mr Petit: It is always a case of the glass being half empty or half full. Although I am a natural optimist, I will say to remain diplomatic that the situation is very clearly perfectible.
I have the feeling that everyone looks at each other but does not see each other, everyone hears each other but does not listen to each other. And this is a widely shared feeling in the cybersecurity community.
We can always do better, for sure, maybe there should be much more interaction between States and firms. However, I think that this should also be done through a kind of appetite for communication on the part of the big leaders of industry as well as governments, which admittedly does not always work both ways.
Let us end this interview on an optimistic note. I am fortunate to be able to do a job that I have been passionate about for more than thirty years, and which, in view of technological developments, can only have exponential durability over time because it is applicable to all sectors of industry.
You know, the prism of cybersecurity has many facets.
I hereby thank Xperts Council for the opportunity to briefly share some passion.
