Skype

Security Profile: Jaanus Kase

A while back I came across my next Security Profile. He is from Estonia. He is not afraid of taking on even the Estonian Security Police. And he covers a lot of topics, including security.

 

Jaanus Kase is a fun read combined with great insights. He also lets you in on a different cultural background, different from those of us who grew up in the West.

A former Skype marketing guy, Jaanus is speaking freely on topics of his interest.

 

Once he starts explaining what information security is from his point of view, he is hard to stop.

 

Jaanus came into the information security area by working at a security product vendor (Cybernetica - www.cyber.ee). Later he moved on to a company focusing on ID-cards and digital signatures (Sertifitseerimiskeskus - www.sk.ee). His background is diverse, and adds to his wide definition of the topic.

 

 

On defining

 

K: Jaanus, how do you define Information Security (IS)?

 

JK: IS is actually a pretty simple thing. And yet it is very important, as we must all deal with it as individuals and employees, whether we want it or not. It used to be very simple in the Middle Ages -- you stayed in a village and had a limited circle of people to interact with. Whereas these days, information is increasingly digital, be it your bank data, your health records or confidential work data. And information can be moved globally in an instant. So it's important to be conscious about what and where you post or store.

Regarding the meaning of IS, the classic definition continues to work very well. IS is defined as a mixture of confidentiality, integrity and availability. Confidentiality means that secret information should remain secret and the information owner should define who can access it and who can't. Integrity means that information shouldn't be changed by unauthorized parties. And availability means that information should be available to those who need it at all times according to the access policy of the specific info.

 

Global impact

K: Do you have any examples of how this impacts business?


JK: This may sound like an academic discussion, but recent events of the world and Estonia have driven the message home to many people in the world. We were targeted by an organized cyberattack in April and May.

 

Discussion continues about how exactly it was organized and what is its long-term and political impact, but from a technical perspective, it was definitely an IS event. For example, bank systems were targeted, rendering card payments in retail stores suddenly unavailable for a short period during the business day.

 

I believe this event suddenly made a lot of people both in Estonia and elsewhere yet again realize that we live in a networked world where the threats are very different from what they used to be. It used to be so that you could see and touch the enemy and could physically attack and destroy him in a conflict, if we talk about war. Now conflicts are more virtual and asymmetric.

 

 

Age of information security

 

K: This sounds like war?

 

JK: This sounds a lot like the rationale about "war on terror" and it's indeed all kind of the same thing.

So IS these days has an all-encompassing global impact and yet is able to reach every individual in different ways. So if we say that we live in an information age, you could also call it the age of information security.

IS has the same impact as, for example, physical security. It is understandable for most businesses that they need to lock their doors and windows and maybe maintain on-site manned security and CCTV surveillance and such, and maintain proper policies and procedures.

 

It's a bit less obvious about IS policy and procedures, but from a business perspective, it's exactly the same thing. In both physical and IS, there are many different measures you can take to protect your assets, and they have wildly different prices.

 

So it becomes a simple question about cost-benefit analysis to determine the appropriate thing to do. And it's not only limited to businesses -- the same kind of analysis applies to every individual when securing their homes and online records.

 

Psychology in attacks

 

K: What challenges do you see emerging?

 

JK: One challenge is that cybercrime definitely continues to be active, and continues to go towards "social engineering" types of things, and not only pure technical attacks. When the IT industry was younger, it was often effective to do online attacks on businesses and try to e.g. steal credit card information by cracking the servers.

 

By now, the cyberdefenses have become pretty good and it is more effective for attackers to try to subvert their way in to end users' computers with the help of what's generally called "malware" (the differences between types of malware continue to blur).

 

This may be needed to get access to resources in that particular business, or it may be an operation to extend criminal botnets. And it becomes harder and harder to distinguish "good" and "bad" contacts in case of e.g. email -- the phishing mails have become really really good.

 

 

Converging technology

 

JK: Another challenge has to do with "convergence" and with technologies like VoIP. Not one particular VoIP product, just the concept in general. It used to be so that in a company, your IP network, phone network and CCTV networks were all separate and redundant. This meant that even if one went down, others remained up, and they didn't interfere with each other.

 

But these days, there is a trend to move everything to IP (wired or wireless). This makes a lot of sense, as it makes e.g. the physical setups simpler and provides great cost advantages, but it also means that a whole new class of risks and threats is introduced that businesses now need to understand and manage.

 

Thank you, Jaanus, for sharing your valuable insights with us!

 

You can meet Jaanus at his blog: http://www.jaanuskase.com/

I believe you will enjoy it!

Why do they never learn? (Skype outage IS security)

There has been a lot of buzz around the Skype outage lately. Skype is saying this is not a security problem, and the industry does not entirely agree.

IMO, this is a typical security event. Not IT security perhaps, although it might be that as well. It is about information security in the broad meaning. It is about service quality. About reputation. About business continuity. And most of all, it is about respect for the customers.

To me this is all very simple.

You set a goal (Skype: global leader of VoIP - or any other hairy goal).

You determine your strategy to get there (Skype: Free for all, add paid services, high quality, P2P).

You analyze potential risks that may get in your way (Skype: Competitors, lack of bandwidth, SERVICE outage - local/global).

Review the probability and potential costs of each risk (Outage: lose customers short and long term, lose credibility, lose revenue).

Set up countermeasures relevant and adequate to the risk and its impact (Outage: backup power, backup supernodes, different locations and NICs).

Prepare a PR and information plan for each possible (and unlikely) event (Skype: make sure you know what happened. Never blame anyone unless you can prove it. Prepare one story, stick to it).

Voila. There you have it. This is not rocket science. It only takes a little care, a little planning and a little sense. Add a vivid imagination and an open mind, and you will get a pretty good list. It most likely will never cover every aspect out there. But it sure will help you when disaster strikes, because you are prepared.

This list only uses Skype as an example. It is not exhaustive; it covers only a few possible areas and speculates as to the relevant Skype issues.

If you turn the table to the users, they need to do the same homework. Some 30% of Skype users use it for work-related communication. How do they experience this type of outage?

This is all about security. Securing the continuance of the company. Securing the trust of your customers. Securing the future, revenue stream and profit.

After all, you are in it for the money - make sure you protect your assets!

 

Edit:

I just came by this post by David Whitelegg CISSP CCSP (what a name, huh? - Pun intended). It pretty much sums up how to treat security IMO. 

The blogger is Kai Roer, a European Information security professional.