Estonia

Security Profile: Jaanus Kase

A while back I came across my next Security Profile. He is from Estonia. He is not afraid of taking on even the Estonian Security Police head-on. And he covers a lot of topics, including security.


Jaanus Kase is a fun read combined with great insights. He also lets you in on a different cultural background – different from those of us who grew up in the West.

A former Skype marketing guy, Jaanus is speaking freely on topics of his interest.


When explaining what information security is from his point of view, he is hard to stop.


Jaanus came into the information security area by working at a security product vendor (Cybernetica - www.cyber.ee). Later he moved on to a company focusing on ID-cards and digital signatures (Sertifitseerimiskeskus - www.sk.ee). His background is diverse, and adds to his wide definition of the topic.


On defining


K: Jaanus, how do you define Information Security (IS)?


JK: IS is actually a pretty simple thing. And yet it is very important, as we must all deal with it as individuals and employees, whether we want it or not. It used to be very simple in the Middle Ages -- you stayed in a village and had a limited circle of people to interact with. Whereas these days, information is increasingly digital, be it your bank data, your health records or confidential work data. And information can be moved globally in an instant. So it's important to be conscious about what and where you post or store.

Regarding the meaning of IS, the classic definition continues to work very well. IS is defined as a mixture of confidentiality, integrity and availability. Confidentiality means that secret information should remain secret and the information owner should define who can access it and who can't. Integrity means that information shouldn't be changed by unauthorized parties. And availability means that information should be available to those who need it at all times according to the access policy of the specific info.


Global impact

K: Do you have any examples of how this impacts business?


JK: This may sound like an academic discussion, but recent events of the world and Estonia have driven the message home to many people in the world. We were targeted by an organized cyberattack in April and May.


Discussion continues about how exactly it was organized and what is its long-term and political impact, but from a technical perspective, it was definitely an IS event. For example, bank systems were targeted, rendering card payments in retail stores suddenly unavailable for a short period during the business day.


I believe this event suddenly made a lot of people both in Estonia and elsewhere yet again realize that we live in a networked world where the threats are very different from what they used to be. It used to be so that you could see and touch the enemy and could physically attack and destroy him in a conflict, if we talk about war. Now conflicts are more virtual and asymmetric.


Age of information security


K: This sounds like war?


JK: This sounds a lot like the rationale about "war on terror" and it's indeed all kind of the same thing.

So IS these days has an all-encompassing global impact and yet is able to reach every individual in different ways. So if we say that we live in an information age, you could also call it the age of information security.

IS has the same impact as, for example, physical security. It is understandable for most businesses that they need to lock their doors and windows and maybe maintain on-site manned security and CCTV surveillance and such, and maintain proper policies and procedures.


It's a bit less obvious about IS policy and procedures, but from a business perspective, it's exactly the same thing. In both physical security and IS, there are many different measures you can take to protect your assets, and they have wildly different prices.


So it becomes a simple question about cost-benefit analysis to determine the appropriate thing to do. And it's not only limited to businesses -- the same kind of analysis applies to every individual when securing their homes and online records.


Psychology in attacks


K: What challenges do you see emerging?


JK: One challenge is that cybercrime definitely continues to be active, and continues to go towards "social engineering" types of things, and not only pure technical attacks. When the IT industry was younger, it was often effective to do online attacks against businesses and try to e.g. steal credit card information by cracking the servers.


By now, the cyberdefenses have become pretty good and it is more effective for attackers to try to subvert their way in to end users' computers with the help of what's generally called "malware" (the differences between types of malware continue to blur).


This may be needed to get access to resources in that particular business, or it may be an operation to extend criminal botnets. And it becomes harder and harder to distinguish "good" and "bad" contacts in the case of e.g. email -- the phishing mails have become really, really good.


Converging technology


JK: Another challenge has to do with "convergence" and with technologies like VoIP. Not one particular VoIP product, just the concept in general. It used to be so that in a company, your IP network, phone network and CCTV networks were all separate and redundant. This meant that even if one went down, others remained up, and they didn't interfere with each other.


But these days, there is a trend to move everything to IP (wired or wireless). This makes a lot of sense as it makes e.g. the physical setups simpler and provides great cost advantages, but it also means that a whole new class of risks and threats is introduced that businesses now need to understand and manage.


Thank you, Jaanus, for sharing your valuable insights with us!


You can meet Jaanus at his blog: http://www.jaanuskase.com/

I believe you will enjoy it!

Security Profile: Jaanus Kase

The next Security Profile is a guy from the Baltics. His background includes Skype, as well as the ID industry.

What I like about Jaanus is the stuff he covers on his blog - it is not only security - he covers a lot, from politics to humor to security.

The profile will be posted tomorrow. Meanwhile, consider getting acquainted with Jaanus at his blog.

Estonian Cyber War update

Arbor Networks' Jose Nazario gives an update on the Estonian cyberwar over at TechRepublic.

He states:

"We do see attacks against big corporations and big governments, and if you look at those attacks, some of them are probably politically motivated as a way of speaking out. I don't think this is going to become as common as seeing people on the streets. But it's something that some governments have to consider much more than I think they needed to five years ago."

Estonia taken hostage by cyber terrorists

Estonia, one of the Baltic States, is being held hostage by a DDoS attack against many governmental web servers. Officials in Estonia claim the attacks originate from Russia. Russia, as usual, declines to comment.

What caused the attack? The moving of a statue in downtown Tallinn. In other words, what most of us would consider nothing worth caring about. Obviously, someone disagrees.

The blogger is Kai Roer, a European Information security professional.
