Cyber security expert explains how fundamental security has become a priority for all organisations, emphasises that governments should focus on creating awareness

Merike Kaeo, CEO of Double Shot Security, a threat intelligence information company, where she develops cyber security solutions for incident response teams, is currently in India on a short trip. In an exclusive interview with The Hindu, Ms. Kaeo explains how the entire network can be vulnerable if every user does not exercise his/her personal responsibility when it comes to cyber safety.

Where would you say India stands in terms of network security?

It is not worse than anywhere else. With the advancement of the internet, fundamental security is a priority for all organisations: from internet service providers to banks and hospitals. It is the responsibility of everyone to exercise caution to mitigate attacks. Phishing in particular has become a lot more sophisticated, with criminals doing their homework. A lot of research now goes into making phishing emails look like authentic communications from government agencies, and a single click can compromise your computer. Users need to be very careful with such emails. Also, governments should create awareness that a government agency would always send an official letter, and never just an email. With social media, it is easy for those indulging in spear-phishing – phishing to get to a particular target – to know more about their targets and design emails accordingly.

Would you advise a particular limit to how much should be put up on social media?

I don’t think we can ever control that. Hence, the emphasis is on caution. For example, chief financial officers of companies are among the targets of spear-phishing. If they get an email, which appears to be from an authentic source, seeking release of funds for a particular invoice, it is always safe to cross-check with the person concerned before releasing the funds.

What are the other dangers that a user is exposed to besides financial loss?

Phishing emails can be loaded with malware with key logging encryption, which means they log all the keys that you hit on the keyboard and convey them to the hacker. This includes passwords, financial details, and personal information, and such information can be sold on the dark net. There is a healthy economy on the dark net for such information. Another risk is that people building botnets are always on the lookout for devices, and compromised devices, too, are sold on the dark net. These devices can later be used for distributed denial of service (DDOS) attacks and the users of these devices would not even know it.

Have DDOS attacks evolved over the years?

Definitely. Earlier, there were only denial of service (DOS) attacks, which were first observed in 1996-97. The first DDOS attack was noticed in 1997, and today, hackers can use millions of devices for DDOS attacks on massive scales. The sheer number of devices available with the development of technology and the fact that criminals are getting smarter has increased the impact of DDOS attacks. Suppose a bank falls prey to a DDOS attack and is unable to allow electronic transactions. It is important to think, in today’s scenario, whether a lot of us will even be able to reach our bank in time, as we are so used to doing everything online. Add unforeseen factors like a bus breakdown or a flat tyre to the mix, and the situation gets worse.

So, the overdependence on electronic transactions is also a problem?

I actually don’t subscribe to that. I believe it is a fallacy that electronic transactions cannot be relied upon. It is, instead, our job to look for ways to fix the problems arising out of it. We cannot lose sight of the fact that we are evolving, and that every one of us has a role to play. When the first car broke down, we didn’t abandon automobiles and go back to horses.

What can we do in such a scenario?

Simple things. Like the length of our passwords, for example. It is better to have a ‘pass-phrase’ than a password. It is a single phrase which can stay constant, but you can change characters from lower case to upper case, or replace an ‘i’ with a numeric one periodically so that it’s easy to remember, yet hard to crack. It also rules out the need to constantly think up new passwords and remember them, or have to write them down somewhere, which, again, is a risk. A practice I follow is multi-step authentication for all my accounts. For example, even after I enter my password to log in to my Facebook account, I still need to request a one-time password. It is an inconvenience, but it takes all of one minute and I am secure in the knowledge that even if my device is somehow compromised, the hacker will not be able to access my account without an OTP, which will only be sent on my registered number.

Are such options available on social media platforms? Why don’t social media companies promote them?

They do, but how many of us actually listen to what they say? They did have ads which appeared on users’ timelines for a couple of months, but they weren’t generating any traffic so they were ultimately taken off. Governments can play a big role, by creating awareness of such practices in the form of ads that appeal to the masses. It is important to understand that any laxity on our part can contribute to a larger calamity. Our machines could be one of the millions that could be used to execute a DDOS attack and we would have no idea.

What can companies or organisations do to prevent DDOS attacks?

A very important factor is to establish a relationship of trust with the internet service provider (ISP). Again, the human connection, and individual responsibility. The benefit is if a company ever finds its server is under attack, it can call up the ISP, and the ISP can filter the traffic coming to that particular server. But that takes a certain working relationship which has to be built and maintained. Nothing beats people-to-people trust.

There are some who say physical security and cyber security are no longer separate concepts.

I completely agree. Physical and cyber security are merging, as the virtual world mimics the physical world. Which also means that cyber security is dependent on us. If we notice any irregular traffic on the servers and even if we don’t understand it, it is our job to bring it to the notice of IT experts. It’s like driving a car. I’m not a mechanic, but if my car makes a sound, I will take it to a garage.