Internet not designed for security, warns international expert
- 02 March, 2015 15:00
Tackling internet security
The Internet still remains vulnerable to security breaches, warns a Finnish security expert.
The problem with the internet is that privacy and security has been “bolted on,” according to Mikko Hyppönen, a globally-acknowledged computer expert with the Helsinki-based company, F-Secure.
Hyppönen, in Sydney at a recent security forum told CIO Australia the internet - with 2.4 billion users - was never designed to be a secure system. “The internet was designed to be an open and fault-tolerant system,” he said.
“We will never get rid of vulnerabilities. Vulnerabilities are basically bugs, and we will always have bugs, as the programs we use are written by human beings. And human beings will always make mistakes.”
Hyppönen, who has helped law enforcement in the US, Europe and Asia tackle cybercrime, noted that a lack of planning leaves the internet vulnerable to continued breaches.
He added that cyber-security is now taking centre stage. But that when the web came around in 1990s, governments had ignored this phenomenon for many years.
“Eventually they realised just how important it is, he said. “Governments now see too many concrete examples where cyber-attacks can affect a whole society. They’re now starting to take action.”
No perfect security
When planned properly, encryption does works, he said. “We have the technology to do secure end-to-end communications. But being able to encrypt traffic doesn't yet mean perfect security. If the communication is perfectly secure, the attacks move to target the endpoints.”
However, there’s a continued disconnect between security and open information access.
“We all like privacy. We don't want anybody to monitor us at all times: that's not what a free and democratic society is about. At the same time, we have a clear need for law enforcement and security agencies to be able to work in an online world.”
The conundrum lies in balancing government transparency with securing communication channels.
“They key issue here is transparency. Citizens need to know what their government is doing, and how successful their privacy-breaching operations are. This could mean, for example, annual transparency reports from governments.”
Life of online crime
In a transparent information-sharing environment, cyber-crime is gaining a foothold. “Out of all IT sectors, nothing is growing as fast as IT crime,” added Hyppönen.
And it's easy to see why: there are millions being made by organised online criminals with tools like banking trojans, ransom trojans, mining trojans or keyloggers.
“In many ways, this is not a technical problem but a social problem: when you have lots of people who have skills, but who don't have the opportunities, some of them will use their skills to do online crime to earn their living.”
Among the checks, companies need to be more proactive about protecting client and corporate information. “This isn't easy, and requires a layer of defences,” he said.
Internet security planning starts, at the ground-level, with staff training and awareness, he said. “This is also about having processes and policies in place.”
He added that corporate systems and networks need to be maintained, updated and patched, as and when needed. “Audit the internal and external systems that are in use,” he said.
Moreover, it’s important to routinely monitor the status of network for abnormal behaviour. “It’s about backing everything up. Make sure logs are properly maintained, and be ready for incident response, if (and when) something happens.”
Hyppönen, also Chief Research Officer at F-Secure, the Finnish antivirus company, said there are few alternatives to open information access, including email, the sharing of corporate data, or anywhere, anytime communications spanning billions of connections worldwide.
Moreover, there is nothing private about social media channels, or peer-to-peer communication. Malware is also more pervasive, including on Android phones.
Consumers need to be mindful about what they install, including third-party apps. “What looks like a game may compromise a personal device, and leave other connections vulnerable to attack,” he said.
Follow Shahida Sweeney on Twitter: @ShahidaSweeney