Keeping your devices secure

Marc Heuse is an IT security expert from Germany with 20 years of experience in the field. Over the years, he has worked with a variety of high-profile clients, including the European Central Bank, UNO institutions and car manufacturers. Today, he is an independent IT security consultant, helping businesses navigate the often overwhelming array of choices and strategies when it comes to protecting IT networks. We spoke with Mr. Heuse about some of the pressing cybersecurity risks for businesses today as well as how to find the best IT experts among a sea of options.

GSC: Today's advanced malware tools are often comprised of several different components, each with a different job description. One component that is often present in these attack toolkits is a keylogger, a highly specialized tool designed to record every keystroke made on the machine, giving the attacker the ability to silently steal huge amounts of sensitive information. Especially in a fast-paced and mobile world it is getting easier for cyber criminals to attack senior executives who have to travel a lot. Which preventive measures should be taken to avoid this?

Marc Heuse: To ensure a secure computer, you have to take care of two things: hardware and software.

To prevent tampering with the hardware of a computer, never let it out of your sight. As this is not advice that can really be followed all of the time (e.g. you leave it in a hotel room or a car trunk when you go for a business dinner -- or an inspector carries it away at border control for a "routine inspection"), a good precaution is to use full disk encryption with TPM (Trusted Platform Module), password protect the BIOS, allow it to boot only from the hard drive, and -- if possible -- tether the hard drive to the BIOS via a password.

To protect against malware, you have to install good antivirus software that is updated at minimum once per day -- same with Windows and other software updates -- and stop using your computer at once when the antivirus symbol is not in the icon tray anymore. In this case, close the computer and hand it over to an IT security specialist.

For extra security, in several high-profile companies it is best practice to hand out "travel laptops" to executives going on a trip outside of the country. These laptops have the same security measures, but they only contain the necessary data and are wiped at the end of the trip. This has to be combined with security tokens for remote access. Although RSA SecurID is the market leader here, it is a bad security choice. Instead, you should always deploy one that was manufactured in your country.
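The laptop measures above (TPM-backed full disk encryption, daily antivirus updates) can be verified on a Windows machine before a trip. The script below is an added example, not part of the interview and not Mr. Heuse's own tooling; it assumes Windows 10/11 with the BitLocker, TrustedPlatformModule and Defender PowerShell modules available and is run from an elevated prompt. The BIOS password, boot-order restriction and drive password are firmware-side settings and cannot be checked from the operating system, so they are out of scope here.

```powershell
# Added example (not from the interview): pre-travel check that a Windows laptop has
# TPM-backed full disk encryption and an antivirus whose signatures are under a day old.
# Assumes Windows 10/11, the BitLocker / TrustedPlatformModule / Defender modules, and
# an elevated PowerShell session. BIOS-level settings are not verifiable from here.

$findings = @()

# 1. TPM: present and ready, otherwise BitLocker cannot seal the volume key to it.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    $findings += "TPM is not present or not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady))."
}

# 2. Full disk encryption on the OS volume, protected by a TPM-based key protector.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($vol.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is $($vol.ProtectionStatus) on $($vol.MountPoint)."
}
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    $findings += "$($vol.MountPoint) volume status is $($vol.VolumeStatus), not FullyEncrypted."
}
# KeyProtectorType values such as Tpm, TpmPin and TpmStartupKey all start with 'Tpm'.
$tpmProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
if (-not $tpmProtectors) {
    $findings += "No TPM-based key protector on $($vol.MountPoint)."
}

# 3. Antivirus service running, real-time protection on, signatures updated within 24 hours.
$mp = Get-MpComputerStatus
if (-not ($mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled)) {
    $findings += "Defender antimalware service or real-time protection is off."
}
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
if ($sigAge.TotalHours -gt 24) {
    $findings += ("Antivirus signatures are {0:N1} hours old." -f $sigAge.TotalHours)
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: TPM-backed disk encryption and a current antivirus are in place."
} else {
    Write-Output "FAIL:"
    $findings | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

A non-zero exit code makes the script usable as a gate in a device-provisioning or travel-laptop checkout process; a FAIL line for the TPM protector in particular means the disk is encrypted but the key is held by a password or USB key alone, which is not the TPM-tethered configuration described above.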

GSC: iOS was seen for a long time as invulnerable in comparison to Windows and Android operating systems. However, in recent times there have been numerous cyber campaigns attempting to attack iPhone users. What can be done to boost the security of iPhones?

Marc Heuse: iOS is still the most secure phone operating system and will remain so for the next few years. However, the most interesting targets are people with an iPhone (or an old Blackberry phone, although these are not a challenge for an attacker). For this reason, efforts to exploit iOS are in high demand and very expensive -- thus they are only used on the most interesting targets, and performed mostly by intelligence services or for industrial espionage. Another attack vector is actually the SIM card via a specially crafted binary SMS which is used by state actors.

The trouble is that there is little someone can do to protect themselves. Apple alone has control of the phone, so there is no option to install security software.

Therefore the few things you can do are:

1. Install updates as soon as they become available

2. Only install apps that are absolutely trustworthy

3. Do not surf the web with the browser if possible, or keep it to a few trusted sites

4. Avoid connecting to WLANs that do not belong to your corporation

5. If you are a high-profile candidate for espionage, change your phone and SIM card (you can keep your number) regularly

But note that a phone cannot be protected. When entering the PIN, this can be shoulder-surfed -- a security pattern leaves an easy-to-see grease trace on the display if you hold it at an angle, and a fingerprint is all over the phone. Therefore sensitive information does not belong on a phone -- or tablet.

GSC: One of the recent phishing techniques is "whaling", which is directed specifically at senior executives and other high-profile targets within businesses. How can senior executives minimize the risk of being a whaling victim?

Marc Heuse: Whaling is different from "phishing" in two ways: First, the targets are of higher value, hence the attacker can deploy attacks that have a higher cost and are more successful. Second, the IT knowledge and especially the IT security knowledge of those targets is usually low, which makes attacks easier to perform.

So what senior executives have to do to minimize the risk is to learn about the risks, such as by attending a security awareness training, and then apply what they have learned.

Another important action these individuals should take is to demand regular security checks of their computer and devices for trojans, perhaps twice a year. And finally, the secretary often has access to the emails and calendar, so the same -- awareness and security checking -- is important there too. But beware, there are more interesting targets than senior executives. It's the IT administrators who hold the keys to the kingdom. If you successfully intrude their computers, all is lost.

GSC: Many IT consulting firms have realized the new market chances around IT security. There are many companies offering services and consultancy for IT security and forensics. Understanding who is really an expert is not easy, especially when a company has been hacked. Knowing how to find the best consultant for the needs of a company can be a real challenge in times of emergency. What advice would you give to our readers as an expert in this area?

Marc Heuse: I have been in this industry for nearly 20 years now and worked as a manager at three large consulting firms. Over time, the IT security field has become more and more specialized. Nobody can perform all security services; that is not possible.

There are areas that are easier than others, like testing web applications, but others -- like forensics, malware analysis, source code audits, hardware analysis, etc. -- need highly specialized training and experience.

The obvious solution would be to go to a large security consultant company, as they ought to have all skills available. However, the truth about all consulting companies is that you do not get the best consultant fitting for your problem. You get the best *available* consultant. The best of the company might already be in another project, or booked for a higher-paying customer or a customer with a better relationship with the company. And in reality, no security consultant company has all skills at expert level.

So advice here is very difficult, as every company pimps the CVs of their consultants to be the best and brightest so that their skills appear to fit the project 100%.

If you have a trusted IT security adviser who knows some bits of the skills required, they should interview the candidates. Otherwise you should interview them yourself and ask them about specific experiences with similar projects in the past, i.e. what they did, what tools they were using, and how this applies to your project. You won't necessarily understand a lot of the answers, but if you are a successful executive, you have a good reading of people, and that will help with screening the candidates to see if they are truthful and appear competent and confident -- or not.

More information: www.mh-sec.de