Part of the deep web, the dark web is a collection of hidden sites accessed via darknets (computer networks built on the Internet that protect user anonymity) such as the Tor computer network. The dark web, known to the general public for illegal uses (such as selling drugs) and shocking content, is also used by whistle-blowers and political opponents, and also contains completely legal content.
Cryptology (“the science of secrecy”) encompasses cryptography and cryptanalysis. Cryptography focuses on protecting messages and includes all the methods for encrypting information, through the use of secret codes or keys, to ensure confidentiality. Cryptanalysis centres around decrypting messages, without having the cryptographic keys.
A security process that uses multiple authentication methods—or factors—to verify the identity of the users who want to log in to their devices and accounts or complete transactions. This could include, for example, a combination of a username and password (cognitive factor), credit cards (physical factor) and fingerprints (biological factor).
European Union Agency for Cybersecurity (ENISA)
The European Union Agency for Cybersecurity was established in 2004 to strengthen the European Union’s cybersecurity prevention and detection capabilities. To this end, it provides practical advice to the public and private sectors of member states, publishes reports and studies on cybersecurity issues, and helps to develop suitable European strategy and legislation.
A false positive occurs when a cybersecurity tool labels a legitimate object as a threat (positive), which generates a false alert. The increased monitoring carried out by information systems within organisations has led to a surge in the number of security alerts, and reducing false positives has become an important issue in preventing the SOC (Security Operations Centre) teams handling those alerts from becoming desensitised.
The detection of anomalies means the identification of strange or unexpected events that may raise suspicions of malicious activities. Based on machine learning, anomaly detection techniques are used in many areas of cybersecurity, such as for detecting intrusions—on a computer network, for example—banking fraud or vulnerabilities. An alert will be triggered when malicious behaviour is detected.
A group of cybersecurity experts responsible for protecting an organisation’s information systems by detecting threats and responding to security incidents. A CERT (Computer Emergency Response Team) pools support requests and alerts. It also plays a preventive role and contributes to the overall improvement of security systems by exchanging information with other CERTs and contributing to studies. AKA: CSIRT (Computer Security Incident Response Team).
Group’s Security Operations Centre (SOC)
The SOC is a platform that ensures the security of an organisation’s information by identifying, analysing and responding to security incidents using a combination of technological solutions and procedures. The SOC team monitors activity on all the entity’s information systems (websites, applications, databases, servers, networks, terminals etc.) to detect anomalies that may signal an incident. It will then need to process the incident and ensure that it is investigated and reported.
A security incident is the materialisation of a risk. It is an unwanted or unexpected event that undermines the availability, confidentiality or integrity of an IT system. Examples of security incidents include unauthorised use of a password, intrusion into an application, disclosure of sensitive data or saturation of an IT resource.
building a secure
With the ubiquity and interconnection of information systems on the one hand and the increase and sophistication of threats on the other, cybersecurity has become a vital part of modern society.
Driven by ideological, financial or personal motivations, cyber attacks target States and institutions, companies (from SMEs to large industrial groups) and private individuals. They give rise to geopolitical, economic, national security, reputation and privacy issues. Threats are becoming more sophisticated and are growing exponentially.
In response to the growing number of attacks, cybersecurity has become a discipline in its own right and is gradually taking shape.
In 2014, the National Institute of Standards and Technology (NIST) provided a methodological framework, taking a risk-based approach and built around five stages (identify, protect, detect, respond and recover), which is now a benchmark for public and private organisations.
In Europe, the General Data Protection Regulation (GDPR), adopted in 2016, creates a robust and consistent regulatory framework aimed at increasing the security of personal data, an essential component of cybersecurity.
Cybersecurity research is starting to get serious. Cryptologists are committed to protecting the confidentiality, authenticity and integrity of data, leveraging the latest advances in artificial intelligence or quantum computing to meet future challenges. Machine learning and deep learning engineers develop solutions to anticipate risks, detect threats and react more quickly.
These technologies and solutions to guard, protect, detect and quell these threats are, however, a double-edged sword: something that may provide defence today might be used to attack tomorrow.
Essentially, technology and the law are not enough. Humans are the biggest weakness in IT systems. Cybersecurity is therefore also based on user awareness and training. Users have to adopt good practices and become as vigilant in cyberspace as they are in the streets.
In the context of the COVID-19 pandemic, the necessary use of remote work has increased the exposure of companies and employees to attacks (e.g. cyber attacks via videoconferencing). These attacks cause — and sometimes reveal — weaknesses in corporate cybersecurity. Hackers take the opportunity to venture into new fields of attack, such as connected objects, which are not currently secure enough. However, cybersecurity is also exploring these new fields of attack in order to stay ahead of future threats.
What is cybersecurity?
Anticipate, identify, protect, detect and react. Below are the five main stages of cybersecurity, whose specific challenges (privacy protection, business protection, national security etc.) go well beyond “simple” IT security.
Cybersecurity: be prepared!
With the likes of malware, phishing, denial-of-service attacks, information or identity theft and demands for ransom in exchange for a decryption key, cybercrime is on the rise. Cybersecurity has become essential.
With the Internet becoming an increasing part of everyday life, individuals, businesses, hospitals, institutions and governments are having to contend with a growing number of cyber attacks. No one is spared!
Intentional and malicious, these actions can be carried out by a single person (a hacker), a group of hackers, a State or a criminal organisation. The most common types of cyber attacks involve installing malware (short for “malicious software”), phishing, denial-of-service attacks (DDoS – disruption or flooding of the network in order to make it unavailable), information or identity theft, and ransomware (a demand for ransom in exchange for the decryption key that unlocks the encrypted data).
“In this context, cybersecurity aims to protect data and information systems, whether before, during or after an attack”, explains Laure Jouffre, Director of Digital Identity, Personal Data and Security Innovation at Orange. As a preventive measure, security solutions are offered to all digital players to protect their networks, applications, computers and data.
A cyber attack must be detected quickly and requires a rapid response. Most of the time, there is a financial goal. “Attackers target what has the highest value for the business and do not hesitate, for example, to block the activities of companies or steal their customers’ data, which could damage their brand image”, says Laure Jouffre.
Cybercrime is a profitable business that has significant room for innovation and recruiting skills. However, cybersecurity is also adapting, innovating and recruiting in response. “Each company has to define its priorities, make choices and set up its own cyber strategy. Budgets are not unlimited”, notes Laure Jouffre. Identifying the weaknesses of information systems, including those of its subcontractors, is a major focus of companies’ cybersecurity strategies.
The threat exists. It is permanent, becoming increasingly sophisticated and has been growing steadily over the years. “Any weakness provides an entry point for attackers”, she underlines.
The health crisis in 2020 is a good example. First, there has been a big shift of small and medium-sized companies to e-commerce, without always having an adequate digital security policy.
Second, with employees generally working from home during the first lockdown and their use of personal video conferencing tools, sometimes without sufficient security, some companies were lacking secure remote access. The demand for VPNs (Virtual Private Networks) increased in France by 41% as of mid-March. Remote working also requires increased hardware security for PCs, tablets, mobile phones etc. “Companies now need to take into account this new work-from-home environment in their cybersecurity policies. Just like the verification and security of user identity when they want to access their company’s information system. Let’s not forget the migration of services to the cloud, which involves a new level of security”, notes Laure Jouffre. All these new uses must be taken into consideration. The exposure of infrastructure on the Internet is growing and so is the security perimeter that needs to be protected.
Moreover, the human factor remains one of the main weaknesses exploited by cyber attackers. “It is therefore essential to raise the awareness of both employees and customers to the risks of cybercrime, and to do so regularly given the evolving nature of the attacks”, says Laure Jouffre. Despite Internet users paying more attention to cyber issues, the legitimate concerns sparked by the pandemic have facilitated hackers’ attempts to pass themselves off as public institutions (health ministries, the WHO etc.) by creating fraudulent domains or sending phishing emails from fake addresses to obtain credentials and passwords, or send attachments to exploit weaknesses. Furthermore, attacks have intensified on critical infrastructures and vital organisations, such as hospitals. In this case, organisations that fall victim to a ransomware attack have often been forced to pay the ransom, simply because people’s lives are at stake.
“Despite this backdrop, there wasn’t a flood of cyber attacks in 2020. Ransomware has gained momentum, with companies having to pay ransoms that sometimes amount to millions of dollars, often paid for by insurance policies they had previously taken out”, says Laure Jouffre. Cybercrime has become a major industry. According to the World Economic Forum’s Global Risks Report 2020, in 2021, the damage caused by cybercrime could reach $6,000 billion. The report reveals that the risk of cyber attacks will be the second biggest threat to global trade over the next decade. “Cybercriminals are real experts, specialised by field of activity. They no longer hesitate to join forces and exchange tools on what is known as the ”.
For Orange, cybersecurity is a strategic activity based on five pillars, anticipating, identifying, protecting, detecting and reacting. “We therefore continue to innovate, thanks to our networks and experts in cybersecurity, artificial intelligence and ”, says Laure Jouffre.
Everyone has their own cybersecurity strategy! That said, strong and optimised security is based on a balance between:
– Knowledge of the threats and weaknesses;
– Adequate protection measures, used to their full potential;
– Detection capabilities covering all digital tools so that their configuration can be continuously adjusted;
– A fast and effective response to prevent leaks and recover data as quickly as possible;
– Security awareness and education programmes.
A brief history of cybersecurity
From Creeper, the first example of a completely harmless computer worm designed in the Arpanet era, to the more costly ransomware, here are the attacks that have left their mark on the history of cybersecurity.
Creeper & Reaper
Bob Thomas wrote a program capable of moving between computers using Arpanet, the predecessor of the Internet. Ray Tomlinson then went even further by creating a self-replicating version — making the Creeper the first computer worm — followed by the first antivirus, the Reaper, designed to remove it.
The first case of cyber espionage
During the Cold War, German hacker Markus Hess and his accomplices hacked more than 400 computers belonging to the military and the United States Department of Defense (DoD), including the computers at the Pentagon, to steal military and trade secrets and sell them to the KGB.
Exploiting vulnerabilities in Unix, the Morris worm was one of the first to spread across the Internet. The (unintentional) damage caused and the significant psychological impact resulted in its designer, Robert Tappan Morris, being convicted under the US Computer Fraud Act.
Spread through Outlook and masquerading as a love letter, ILOVEYOU inserts itself into files on the infected computer and renames them to overwrite them. It spread to millions of machines and caused an estimated $10 billion in damage.
The biggest military hack of all time
British hacker Gary McKinnon hacked dozens of US Army, DoD and NASA computers, causing damage estimated at around $800,000.
Spread by email and affecting the Windows operating system, MyDoom was the most expensive and one of the fastest malware attacks in history. Its goal was to allow a large number of machines to be controlled remotely in order to send spam or launch DDoS attacks.
Stuxnet, the first cyber weapon?
Stuxnet malware was very sophisticated and targeted the Siemens industrial control systems, in particular a specific type of industrial programmable logic controller (PLC), used in Iran’s nuclear programme. It was reportedly designed by the NSA in conjunction with an Israeli intelligence unit.
Massive Yahoo! attack
In 2016, Yahoo! announced that a 2013 hack that resulted in massive personal data theft had affected one billion accounts. The company then admitted that all of its three billion accounts had in fact been affected. This was the biggest cyber attack in history.
Sony Pictures Entertainment Hack
The subsidiary of the Japanese group Sony suffered a massive data breach. The cyber attack — one of the largest ever suffered by a company in the United States — was at the time attributed to North Korea in retaliation for the release of the film “The Interview”, produced by Sony Pictures.
Cyber attack against TV5 Monde
Perpetrated by a group of hackers claiming to be Islamic State, the attack on TV5 Monde resulted in the station’s programmes being suspended and messages of support for Daesh being published on its social networks. We will now turn to Russia.
Cyber attack on several Ukrainian power plants
This is the first known successful cyber attack on a power grid. At Christmas, several Ukrainian suppliers were victims of a sophisticated attack (which started with the IT systems becoming compromised by the malware BlackEnergy, making it possible for DDoS attacks to take place), which caused a network failure.
Bangladesh Bank cyber heist
During this attack, $81 million were stolen from an account held by the bank at the Federal Reserve of New York. In 2017, The Wall Street Journal revealed that American investigators suspected that North Korea had sponsored this cyber heist, committed by Chinese middlemen.
WannaCry was used in a massive global cyber attack, infecting 230,000 computers in 150 countries, including the UK, where a third of NHS hospitals were affected. Unprecedented in scale, this attack is said to have caused losses of $4 billion worldwide.
The BBC broadcast a speech created by artificial intelligence reproducing Barack Obama in an extremely realistic way. In the autumn, a Reddit user using the pseudonym “Deepfakes”, posted several pornographic videos featuring celebrities and using the same process.
Massive DDoS attack against AWS
Amazon managed to counter, without any disruption to its services, a massive 2.3 Tbps DDoS attack — the largest in history — carried out over three days against Amazon Web Services, its entity specialising in cloud computing. The previous record was set in 2018, at 1.7 Tbps.
A final word on passwords
Behavioural analysis, Mobile Connect, adaptive authentication: researchers are working on methods to eradicate passwords, or to just have one single password. A master key as simple as a PIN code…
Passwords are putting up a fight. Despite their considerable vulnerabilities, their usage online continues to grow exponentially: Internet users have an average of 200 accounts, each protected by a password. It’s estimated that 80% of data leaks are due to weak, reused or stolen login details. Cracking login details doesn’t pose much of a problem for hackers, and users often lack caution: 99% of users reuse the same password on multiple accounts. And it’s not just security flaws that are the issue. “Password fatigue” is a concern for Internet users: How can we remember somewhere around 30 passwords at a time, and how on earth are we supposed to remember login details for sites that we haven’t visited for years?
With all this in mind, researchers have spent years working on a system that will make passwords a thing of the past. Or at the very least, it will ensure that we have just one password to remember that will get us into our phone, PC, and all web and mobile services.
How will users be recognised?
Behavioural analysis is one of the approaches showing the most promise. It involves developing ways to automatically and continuously recognise users on their PC or mobile device. “Teams at Orange have spent four years exploring this field”, says Olivier Métais, Head of the Group’s Identity Department. “Our aim is to use all possible and imaginable sensors for user recognition on mobile devices. As an example, we’ve worked on a tool that recognises users’ gaits: By enabling a 3D sensor on the phone, we can recognise the characteristics of a person as they walk. This proved a really interesting avenue, but although we can accurately recognise a user’s gait, we encounter difficulties in differentiating between two gaits”.
Characteristic finger movements
Another behavioural approach has yielded more conclusive results: studies of users’ finger movements on their smartphones. With the help of SWipe and ACCeleration features in smartphones (referred to as “SWACC”), users’ gestures can be differentiated by their shape, the width of the lines they trace on the screen and the force applied. “We’ve developed an experimental solution of great interest to banks: user recognition through touchscreen writing”, says Métais. The application asks users to draw four numbers in four boxes and user authentication on the mobile device is completed based on how these numbers are written.
Behavioural analysis can take many forms, depending on the data collected through use of the mobile device. By studying communications and the people that users make contact with on their mobiles—including phone calls, emails, texts or messaging services—we can provide users with continuous authentication and detect fraud or identity theft. It’s also possible that GPS data could be used to check that movements are in line with the users’ usual routes. “Of course, we can combine several of these methods for more secure continuous authentication, such as studying gait, communications, GPS positions and using SWACC”, explains Métais.
The simplicity of PIN codes combined with the strength of mobiles
Passwords can also be changed to a simple PIN code. Mobile Connect is a concrete solution to the problem of “password fatigue”. This initiative, developed by the GSMA consortium, aims to replace long and tedious passwords with a single four-digit code while offering a high level of security. The aim is to make the user experience as simple and user-friendly as possible: when connecting to a service, the user is notified on their mobile, they enter their PIN code and can therefore connect, regardless of the device used to identify themselves. This is how Mobile Connect et moi, the application initiated by Orange, provides an easy and secure connection to a number of French government services, such as impots.gouv, Ameli, Guichets Entreprises and CPA (Compte personnel d’activité — Individual activity account, for accumulating social benefits).
“Our teams are also exploring a promising security standard that’s currently emerging: FIDO2 (Fast Identity Online)”, explains Métais. “This will help us to provide secure web-based exchanges using cryptography, with the same user experience as Mobile Connect. Both services make use of two-factor authentication.”
Combining multiple methods
In spite of everything, the security of an authentication method—or rather, the level of trust in it—decreases over time. A new approach has been developed that takes this into account and combines all of these innovations: adaptive authentication. “Our aim is to combine all these authentication methods so as to offer the most streamlined experience while continuing to adapt to the ever-changing risks”, says Olivier Métais. “When no risks are identified, implicit authentication (network authentication) can be used. In this scenario, nothing is asked of users, they’re simply given mobile access. As soon as access to more sensitive data is attempted (such as personal information), higher-level security authentication will be required. If a financial transaction is then attempted, security levels may increase again to require reauthentication, for example via Mobile Connect”.
Adaptive authentication is already available and ready to be deployed by Orange in a selection of countries in Europe, Africa and the Middle East. So for those still logging in to your favourite sites with “123456” and “qwertyuiop”: take note!
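The step-up logic described above (implicit access by default, a stronger method for sensitive data, reauthentication for a financial transaction, and trust that decays with time) can be written down as a small policy. The following is an added example and not Orange’s own implementation: the assurance levels, trust lifetimes, resource classes and risk signals are assumptions chosen to illustrate the mechanism.

```python
"""Adaptive (step-up) authentication policy: an added illustration, not Orange's code.

Assumptions (not from the article):
  * four assurance levels, 0 (implicit/network) to 3 (biometric);
  * each successful authentication keeps full trust only for a fixed lifetime,
    after which it no longer counts (trust decays over time);
  * a resource class maps to a minimum level, and any risk signal raises that
    minimum by one level.
"""
from dataclasses import dataclass
import time

IMPLICIT, PASSWORD, MOBILE_CONNECT, BIOMETRIC = 0, 1, 2, 3
LEVEL_NAME = {IMPLICIT: "implicit", PASSWORD: "password",
              MOBILE_CONNECT: "mobile_connect", BIOMETRIC: "biometric"}

# Seconds for which an authentication at a given level is still trusted (assumed values).
TRUST_LIFETIME = {IMPLICIT: 24 * 3600, PASSWORD: 8 * 3600,
                  MOBILE_CONNECT: 15 * 60, BIOMETRIC: 5 * 60}

# Minimum assurance level per resource class (assumed classification).
RESOURCE_LEVEL = {"home": IMPLICIT, "personal_data": PASSWORD, "payment": MOBILE_CONNECT}


@dataclass
class AuthEvent:
    level: int   # assurance level reached
    at: float    # unix time of the successful authentication


def effective_level(events, now):
    """Highest level among events whose trust lifetime has not yet elapsed.

    Network (implicit) authentication is always assumed present, so the floor is IMPLICIT.
    """
    best = IMPLICIT
    for e in events:
        if now - e.at < TRUST_LIFETIME[e.level]:
            best = max(best, e.level)
    return best


def required_level(resource, risk_signals=()):
    """Level the resource demands; any anomaly (new device, unusual location...) raises it by one."""
    need = RESOURCE_LEVEL[resource]
    if risk_signals:
        need = min(need + 1, BIOMETRIC)
    return need


def decide(events, resource, risk_signals=(), now=None):
    """Return 'allow' when current trust suffices, otherwise 'step_up:<method to ask for>'."""
    now = time.time() if now is None else now
    need = required_level(resource, risk_signals)
    have = effective_level(events, now)
    if have >= need:
        return "allow"
    return f"step_up:{LEVEL_NAME[need]}"


if __name__ == "__main__":
    # Constructed session: password at t=0, Mobile Connect (PIN on the phone) at t=0.
    session = [AuthEvent(PASSWORD, 0), AuthEvent(MOBILE_CONNECT, 0)]
    print(decide(session, "home", now=10))                     # allow
    print(decide(session, "payment", now=10))                  # allow (fresh Mobile Connect)
    print(decide(session, "payment", now=20 * 60))             # step_up:mobile_connect (trust decayed)
    print(decide(session, "personal_data", ("new_device",), now=20 * 60))  # step_up:mobile_connect
```

The point to take from the policy is that the decision depends on three inputs at once: what the user has already proved, how long ago, and how sensitive the action is; a risk signal simply shifts the threshold rather than adding a separate code path.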
Best practices for a cyberspace you can trust
How do you protect the confidential data of your customers, whether they are companies or individuals? Between logins and passwords, two-factor authentication, antispam and antivirus systems, there are numerous tools used to reduce the risks associated with cybercrime.
Who hasn’t received a seemingly trivial message in their inbox with a cyber attack lurking behind it? Phishing, intrusions, malware, fake websites — these are just some of the many hacking techniques that target both individuals and businesses, local and regional councils and national government agencies.
In France, a 2020 study published on the cybermalveillance.gouv.fr website launched by the Agence Nationale de la Sécurité des Systèmes d’Information (the French national cybersecurity agency) shows that more than 9 out of 10 people have faced at least one malicious cyber attack. The type of attack most frequently encountered by Internet users was phishing (affecting 70%), with ransom demands and viruses in joint second place (52%).
In order to increase security against all these types of attacks, many companies—with Orange foremost among them—provide their customers with the assistance they need, explaining to them the importance of good digital hygiene. “The first rule is to understand that our personal data is protected by a digital identity of its own, i.e. a sum of elements that enable a person to be identified digitally”, explains Maxime Pétesch, Orange’s Director of Consumer Security Privacy.
How to choose the right password
It all starts with creating a password, the secret element that allows a user’s identity to be authenticated. “This is currently the most common way to secure access to email, social networks or e-commerce applications and websites”, says Maxime Pétesch. While it is generally recommended to use a reasonably long (at least 12 characters) and sufficiently complex password, to change it once every six months and to avoid using the same password everywhere, it nevertheless remains difficult to define what a good password is and how often it should be renewed. “International experts have found that if users are forced to change passwords too often, they will tend to use the same one for all sites”, he continues.
While there are no standards for creating a good password, the CNIL (Commission Nationale de l’Informatique et des Libertés — the French national data protection agency) makes some recommendations that are always useful to know.
Moreover, passwords are still only too often managed with a low level of protection, as they are rarely changed, duplicated dozens of times for email message services, social networks, bank account websites, online shopping sites etc. Some attackers take advantage of this to hack them, and have access to a wide range of techniques that enable them to do so. So, to prevent these malicious acts, users need to ensure that they protect their identity right from the very start of their digital lives, “in other words, right from the very first time they configure their computers, tablets, mobile phones etc.”, says Maxime Pétesch.
Why change your password?
Keeping the same password indefinitely will one day result in it being stolen and then—sometimes long after—users will find themselves at the mercy of fraudsters. While also bearing in mind the sensitivity of the services involved, best practice therefore requires users both to frequently change their passwords and to select an appropriate level of complexity.
Does a password that is never shared and is never revealed remain as secure as it was on day one? The more time that passes, the likelier it is that a user’s password will be stolen at least once. So the trust users can place in a password decreases a little more with each passing day.
Fingerprint or password: Which choice is best?
All means of authentication have their advantages and disadvantages. Even a very complicated password can be stolen. Fingerprints are a more secure means of authentication because they are more difficult to steal. Nevertheless, the number of fingerprints remains limited to 10 per person. And once they’ve been hacked, they can no longer be used. The best biometric authentication technique in terms of security is iris recognition.
Strong authentication and password managers
In response to the increase in cybercrime, digital services are making multi-factor authentication, also known as strong authentication, available to their customers. This technique requires, in addition to the login and password, either the customers’ fingerprints or the use of temporary codes that are sent to them via a text message to their mobile phone, or that are generated by the application of the service concerned. Alternatively, in the case of their Orange account, customers are asked to enter their four-digit Mobile Connect code on their mobile phone. Multi-factor authentication is now required when making payments on e-commerce platforms and in the banking sector. It is also used by most Internet service providers, who have noted that email addresses are usually associated with many of their customers’ online accounts and therefore wish to protect this gateway. Resetting passwords also involves using inboxes in the majority of cases. “Cybercriminals who successfully hack a mailbox can easily use the ‘forgotten password’ function of the various services that clients can access”, says Maxime Pétesch.
The use of the multi-factor authentication technique thus helps protect sensitive user data.
Another useful authentication service is provided by “password managers”, which simplify the use of passwords. Because of the sheer number of passwords to be managed, and as an alternative to saving them in customers’ Internet browsers, this type of software program—very often a paid-for service—has become essential for many users.
Let’s not forget the need to protect your hardware
While password-based authentication systems are currently an essential security key for accessing the digital world, users must at the same time protect their devices “starting with the installation of the updates that are offered to them”, Pétesch insists. “The way hackers operate is by targeting vulnerabilities in equipment operating systems. Installing the latest version of Microsoft or Apple software often corrects their security vulnerabilities”, he continues. Updates prevent cybercriminals from taking control of devices. The same is true of anti-virus software, which aims to counter the installation of malicious software programs.
While a large majority of users respect the rules for protecting their personal data, the threat is now growing with the success of connected objects. Operating through wireless connections (Wi-Fi, Bluetooth etc.), they provide an additional surface through which cybercriminals can make their attacks. “All consumers who are equipped with connected objects must consider the data to which these connected objects give access”, warns Maxime Pétesch. “They will need to be much more vigilant if it is equipped with a voice assistant than if it has a simple temperature sensor”.
Alternatively, a hacker can take over a connected object by turning it into a ‘bot’, a sort of remote-controlled ghost computer, so as to use it in denial-of-service attacks, i.e. so as to make the targeted sites unavailable, “without the owner suspecting a thing”, Pétesch notes.
It is always extremely difficult to identify the actor or actors behind a cyber attack. So, in the face of multiple frauds with sometimes disastrous consequences for their victims, some insurance companies offer specific policies related to the risks of digital life.
While many tools exist to strengthen security against all these types of attacks, the main actor to stop them remains each and every Internet user. “If you are in doubt, the first reflex to regain control is to change your password as soon as possible”, Maxime Pétesch concludes.
Personal data: Is comprehensive legal protection enough?
Since the General Data Protection Regulation (GDPR) came into effect in 2018, the challenges of processing personal data have resonated more powerfully than ever. The overall regulatory framework for these matters is robust and continues to grow, but we need to remember that there is always a certain level of risk.
On 25 May 2018, the GDPR came into force in all member states of the European Union (EU). The day marked a paradigm shift in our approach to data protection and the entry of the general public into this domain.
Know and make known
Member states are making legal reforms to standardise their data protection regulations and, ultimately, to speak with a single normative voice. As an example, France is amending its Information Technology, Data Files and Civil Liberties Act and expanding the supervisory role and jurisdiction of the CNIL (Commission Nationale de l’Informatique et des Libertés — the French data protection authority). In today’s world, it is also increasingly rare for non-EU countries not to have a legislative instrument on this matter, with particular attention given to data security. “One of the main obligations under the GDPR deals specifically with this issue of security”, says Orange’s Data Protection Officer (DPO). “We can only secure what we know, which has led to our approach of recording data usage based on the services and needs of business operations. By virtue of its scope and the burden of responsibility that the GDPR places on organisations, it has provided a comprehensive and robust guide for everyone. Data usage is ubiquitous in our society. For example, the issue of data arose as debates broke out when an app to protect against COVID-19 was launched: the concerns regarding such an app were heeded and discussed. This widespread awareness regarding personal data is an indication of the influence that GDPR has had. Two years after being introduced, we can consider the GDPR a success, attuned to the challenges of modern-day society.”
Where does cybersecurity fit in?
Cybersecurity is one of the ways in which we can meet this GDPR obligation, even if its implementation goes beyond regulatory frameworks and the challenge of data protection. Companies don’t wait for policies like GDPR before they draw up, implement and fine-tune their own strategies in this area. According to a data security lawyer at Orange, “We’re used to the idea that for a system to be secure, it must be disconnected. To be more realistic, cybersecurity is a balancing act — you’re trying to reconcile security on the one hand with usability on the other. The challenge is to find ways that are both robust and agile to avoid getting in the way of users. But we shouldn’t be lured into thinking that there are no risks involved — unless we create our own non-interconnected, state-level Internet, and thereby create a two-speed digital world. As a carrier, cybersecurity is in our DNA, and we’re constantly making sure that we comply with this requirement in this time of increasing regulatory pressure.”
The currently prevailing approach to security is a risk-based one; it was already a necessity under the previous Information Technology, Data Files and Civil Liberties Act. This means that for a company like Orange, all relevant technical and organisational measures must be put in place to limit the risks associated with certain types of data processing. As such, our security teams follow standards set both internally and by reference bodies such as the CNIL, at national level, or at EU level.
Because the company never acts alone, processes are also defined and planned to take into account the risks of interacting with the wider ecosystem, for example when a partner connects its IT system to an internal database. A set of global security policies is used to coordinate all of this and ensure consistency. The defining feature of this set of measures is that it is always in motion. Every day, new projects are created that are subject to data protection regulations. This means that data protection practices must be continually refined and that all teams, across all departments, must be able to adapt accordingly. This kind of constant attention is crucial to ensuring compliance, especially given the CNIL’s close monitoring, which it carries out irrespective of the nature and size of the parties concerned, as we have seen recently with sanctions imposed on doctors, for example, or on small businesses.
Beyond legal protection
A regulatory environment is essential, but can it eliminate every risk to the individual? “Legal protection is insufficient. In the same way that you need to be careful—on the street or on public transport—and make sure that your handbag isn’t left open and vulnerable to theft, it’s also important to keep an eye on your ‘personal data bag’ when, say, browsing the Internet or loading data-hungry apps without knowing how much they actually need, or clicking links in emails from unknown sources. Younger generations appear to be more security-conscious than some of their elders. But if we take some time out to think about security, there are things we can all do like changing our passwords regularly and using a password manager where possible, for example CNIL or ANSSI (Agence nationale de la sécurité des systèmes d’information — France’s national cybersecurity agency). That space between the chair and the keyboard is fundamental to cybersecurity at both a corporate and an individual level. And that is the user.”
The home: a cybercocoon to protect
Whether you’re working from home instead of the office, streaming films rather than going to the cinema, doing your shopping online or using online healthcare services, the COVID-19 pandemic has changed our everyday lives — particularly in terms of how we use our personal devices. And this is much to the advantage of cybercriminals.
More than nine out of ten people have experienced malicious activities online. We’re talking about phishing — those emails supposedly from our bank or other trusted sources that aim to steal our passwords or bank details. We’re also talking about traditional account hacking, which might be the result of phishing, weak passwords or data leaks on another platform. You can go to the Have I Been Pwned website to find out if your credentials have been compromised. This won’t prove whether an account of yours has been hacked, but it is a good indicator of whether it is time to change your password and secure access to your devices. But perhaps the most sophisticated scam is one that involves a fake technical support service, sometimes with real “telephone support” to better mislead Internet users. For all these Internet hackers, the main objective is financial gain, although in some cases the intention is harassment or reputational damage. So what can we do about this, and who is safeguarding Internet users?
What measures are in place to protect your connection?
Installing antivirus software on your device is the traditional cybersecurity solution, but new security measures are on the rise, particularly at the network level. Philippe Fredon, Orange Home and Security Marketing Manager, explains: “The advantage of this type of protection is that the user doesn’t need to do anything, so we bypass the barrier that the software installation process may represent. We use this protection mechanism for parental controls on mobile phones: you simply select an option on the child’s account to block dangerous or inappropriate sites. Being present on the network means we can also be more responsive — we can quickly detect and block new fraudulent sites as we see attacks on our networks”.
IoT: the weak point of choice for cybercriminals
Another area of action is residential gateways, because they have the ability to control all connections in the home, including connected devices that don’t have antivirus software installed. Gateways can detect if a camera is being attacked and react accordingly. This is all the more important given that IoT objects, which represent a burgeoning industry, are host to numerous security flaws stemming from poor development practices and inadequate levels of protection on the part of manufacturers. This is especially true at Christmas, when hackers expose flaws in low-cost devices such as baby monitors or even toys that are hijacked to gain access to the private family network. But the industry is beginning to address this. ENISA (the European Union Agency for Cybersecurity) is working on security certification schemes, namely for IoT objects and services. This is an area in which Orange is a direct contributor. For several years, Orange Labs teams have been auditing hundreds of objects of all kinds and have created a clear picture of the vulnerabilities, risks and security requirements specific to IoT. In preparation for such a scheme, Orange has drafted a set of security specifications for suppliers of items sold in shops.
There is no substitute for good habits
According to Philippe Fredon, “Your private connection is best protected by combining device-, router- and network-level security measures. But leaving it there would be to forget a fundamental aspect of cybersecurity: best practices. These include setting up strong passwords and two-factor authentication where available, keeping software updated and being vigilant against suspicious messages, and even any messages that appear official. These are just the basics, which may seem obvious but they’re still important to remember, and it will remain that way for a long time”.
With the boom in remote working due to the COVID-19 pandemic, however, some additional measures come into play. These involve keeping your professional and personal use of devices separate. We recommend keeping separate storage spaces and messaging services for work and personal use, and using a VPN to access the company’s Intranet, thus protecting company data from espionage.
But these steps are not enough if you’re unfamiliar with best practices for ensuring the optimal security of your digital activities. Sites such as Orange’s bienvivreledigital.fr and the French government website cybermalveillance.gouv.fr publish the latest trends in threats and Internet usage.
Banking, a sector that is both exposed and secure
As the cyber threat to banks strengthens (including fraud, intrusion and data leaks), the effects of a cyber attack can quickly become critical, resulting in direct financial losses. How can this sensitive industry protect its customers?
The financial sector is one of those that attracts the most attempted cyber attacks, and several successful attacks have stuck in our minds, for example:
– the Central Bank of Bangladesh, the victim of fraudulent fund transfers in 2016 — $81 million was lost, disappearing through casinos in the Philippines;
– Equifax (in 2017) and Capital One (in 2019), US credit finance companies that experienced the loss of more than 100 million customers’ personal data;
– India’s Cosmos Bank, the victim of a 2018 cyber attack on its ATM management system, which led to a loss of around $13 million in a matter of hours through fraudulent withdrawals across 28 countries;
– the New Zealand Stock Exchange, which was paralysed for several days by denial-of-service attacks in August 2020.
“Trust is a fundamental notion in banking”, Philippe Carles, Chief Information Security Officer at Orange Bank, reminds us, “because of the very nature of the business — money management and intermediation between savers and borrowers. The relationship between customers and their bank has always been based on trust and, more particularly, on the financial institution’s ability to safeguard its savers’ assets. As well as leading to possible financial losses, a serious incident could damage the bank’s reputation and erode that trust.”
While the banking industry has long been used to managing a host of financial risks (credit, market, liquidity etc.), it must also be able to manage operational risks. These include IT and cybersecurity risks, which are becoming increasingly important owing to the digital transformation of businesses and the continuing rise of cybercrime. Moreover, the banking sector is highly regulated, with regulations that impose provisions on banks in the interest of protecting customers. Consequently, banks have established governance to manage their risks, with a set of technical and organisational measures in place and controls on several levels.
Tricking humans rather than machines
Alongside attempts at “classic” cyber attacks (intrusion, denial of service etc.), against which banks now have safeguards in place, many hackers prefer not to attack banks “head-on”. They instead prefer fraud attacks that target people—whether bank employees or customers—often by combining phishing and social engineering.
Banks, especially online banks, must therefore implement strategies to prevent fraud arising from accounts being opened with stolen real credentials or with fake ones.
Fraudsters can also target banks’ customers through traditional phishing campaigns, sometimes contacting them directly over the phone to obtain the additional information needed to gain access to the customer’s space or to validate a fraudulent transaction.
Indeed, it is well known that passwords have inherent vulnerabilities and that strong authentication is preferable. It has also become mandatory from a regulatory point of view. One of the relatively common authentication methods, because of its simplicity and ease of deployment, was to use a one-time code sent by SMS in addition to the usual combination of login and password. However, fraudsters can sometimes bypass this mechanism, using different methods, including:
– calling victims directly, pretending to be an adviser from the bank, and using various excuses to get victims to simply tell them the OTP received via SMS on their phones.
– using malicious mobile apps that can read text messages.
– doing a “SIM swap”, posing as a legitimate customer and telling the mobile network carrier that a SIM card has been lost in order to receive a new one, thereby accessing their text messages directly.
Security through mobile apps
As the SMS code is no longer considered reliable, banks are gradually adopting other measures. “At Orange Bank, we decided to rely on mobile applications, not only to deliver services to customers but also for security when using these services”, says Carles. “As a result, Orange Bank has been a pioneer in mobile payment, SMS transfer, real-time balance and blocking/unblocking of bank cards in the mobile application since all of these services were launched. The bank has also recently introduced a family offer, the Premium pack. The security of these services revolves around authentication through the mobile application. Security steps must be taken on the mobile phone that the customer has designated as their trusted mobile device. Even access to their account from the customer area of the Orange Bank website, via a traditional web browser, requires authentication via their mobile phone. This prevents customers from entering their password on a computer, which can sometimes be less secure than a phone. When customers have to validate a card transaction (through the famous ‘3DS’ protocol), they do so via their mobile app through push notifications. Customers can also trust their phone’s biometric system, which is genuinely easy to use and secures transactions — seeking to always ensure the right balance between user experience and security.”
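To make the contrast concrete between the SMS one-time code described above (which can be obtained by calling the victim, by an SMS-reading app or by a SIM swap) and approval through the app on a trusted phone, here is an added example that is not Orange Bank’s code. It models both second factors with a shared per-device key established at enrolment (an assumption; a real deployment would use a device-bound key pair), and all logins, keys, lifetimes and payees are constructed.

```python
"""Transferable SMS codes versus device-bound transaction approval.

Added example, not Orange Bank's code. Models the two second factors the
text contrasts: a one-time code texted to the customer, and an approval
computed inside the app on the customer's trusted phone over the exact
transaction being confirmed. Keys, logins and payees are constructed.
"""
import hashlib
import hmac
import json
import secrets
import time

OTP_TTL = 300         # seconds an SMS code stays valid (assumed)
CHALLENGE_TTL = 120   # seconds a push challenge stays valid (assumed)


class SmsOtpVerifier:
    """Second factor = a 6-digit code sent by SMS."""

    def __init__(self):
        self._pending = {}   # login -> (code, expiry)

    def send_code(self, login, now):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[login] = (code, now + OTP_TTL)
        return code          # in reality handed to the SMS gateway

    def verify(self, login, code, now):
        entry = self._pending.pop(login, None)
        if entry is None or now > entry[1]:
            return False
        return hmac.compare_digest(entry[0], code)


def device_approve(device_key, challenge, transaction):
    """Runs inside the trusted app: approve this challenge for this transaction only."""
    msg = json.dumps({"challenge": challenge, "tx": transaction},
                     sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class DeviceApprovalVerifier:
    """Second factor = the enrolled phone approves one specific transaction."""

    def __init__(self):
        self._devices = {}   # login -> key shared with the trusted device at enrolment
        self._pending = {}   # challenge -> (login, transaction, expiry)

    def enrol(self, login):
        key = secrets.token_bytes(32)
        self._devices[login] = key
        return key           # kept in the app's secure storage on that phone only

    def start(self, login, transaction, now):
        challenge = secrets.token_hex(16)
        self._pending[challenge] = (login, transaction, now + CHALLENGE_TTL)
        return challenge     # delivered to the app as a push notification

    def verify(self, login, challenge, approval, now):
        entry = self._pending.pop(challenge, None)   # single use
        key = self._devices.get(login)
        if entry is None or key is None or entry[0] != login or now > entry[2]:
            return False
        expected = device_approve(key, challenge, entry[1])
        return hmac.compare_digest(expected, approval)


def sms_scenario():
    """Whoever holds the code passes: the verifier cannot tell who typed it."""
    sms = SmsOtpVerifier()
    now = time.time()
    code = sms.send_code("alice", now)
    # The text lists three ways a fraudster ends up holding this string
    # (talking the victim into reading it out, an SMS-reading app, a SIM swap).
    # The check below is all the bank sees in each of those cases.
    return sms.verify("alice", code, now + 30)          # True


def app_scenario():
    """Approval is bound to one transaction and one challenge; nothing to read out."""
    bank = DeviceApprovalVerifier()
    key = bank.enrol("alice")
    now = time.time()
    legit = {"amount": "20.00", "currency": "EUR", "payee": "grocer (constructed)"}
    fraud = {"amount": "2000.00", "currency": "EUR", "payee": "mule (constructed)"}
    results = {}
    c1 = bank.start("alice", legit, now)
    approval = device_approve(key, c1, legit)            # customer taps "approve"
    results["legit_approved"] = bank.verify("alice", c1, approval, now + 10)
    # Sending the same approval again fails: the challenge was consumed.
    results["replay_rejected"] = not bank.verify("alice", c1, approval, now + 11)
    # A transfer the fraudster initiates gets its own challenge; the approval
    # the customer gave for the grocer payment does not verify for it.
    c2 = bank.start("alice", fraud, now)
    results["fraud_rejected"] = not bank.verify("alice", c2, approval, now + 12)
    # A challenge left unanswered past its lifetime is refused even if approved.
    c3 = bank.start("alice", legit, now)
    late = device_approve(key, c3, legit)
    results["expired_rejected"] = not bank.verify("alice", c3, late, now + CHALLENGE_TTL + 1)
    return results
```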
Prevention, detection, reaction
Authentication is only one aspect of banking security. Orange Bank, for example, makes use of Orange Cyberdefense for threat intelligence on the Internet. How? By identifying domain name registrations or Facebook pages imitating Orange Bank that are potentially part of a phishing operation so that they can be closed down before any action takes place (and therefore before prospective or existing customers get duped). Orange Bank also works with Orange Cyberdefense to detect intrusion attempts in its information system, with a Security Operations Centre (CyberSOC) where several billion events per month are analysed and correlated, looking for signs of compromise. “It is particularly important to detect threats such as ransomware, which affect all companies, as early as possible”, notes Carles.
Orange Bank has introduced measures to detect unusual behaviour regarding account opening and banking transactions (purchases, transfers etc.), based on static and dynamic rules using machine learning technology. This means signs of fraud are detected upstream in order to react as quickly as possible. Hackers routinely introduce new types of fraud, so banks must remain on the lookout to constantly improve their anti-fraud measures — innovating as much as fraudsters!
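Here is an added example, not Orange Bank’s anti-fraud system, of how static rules (fixed thresholds) and a dynamic rule (a baseline learnt from each customer’s own history, used here as a simple statistical stand-in for the machine-learning models mentioned above) can be combined over banking transactions. Thresholds, customers and transactions are all constructed.

```python
"""Static and dynamic rules over banking transactions.

Added example, not Orange Bank's anti-fraud system. Static rules are fixed
thresholds; the dynamic rule scores each transfer against a baseline learnt
from that customer's own history, a simple statistical stand-in for the
machine-learning models the text mentions. Thresholds and transactions are
constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

HARD_CEILING = 5000.0     # static: any single transfer above this
NEW_PAYEE_LIMIT = 500.0   # static: first transfer to an unseen payee above this
BURST_WINDOW = 600        # static: seconds
BURST_COUNT = 3           # static: transfers within the window
Z_THRESHOLD = 3.0         # dynamic: standard deviations above the customer's mean
MIN_HISTORY = 5           # dynamic: transfers needed before a baseline is trusted


class FraudMonitor:
    def __init__(self):
        self.history = defaultdict(list)   # customer -> [(timestamp, amount)]
        self.payees = defaultdict(set)     # customer -> payees seen so far

    def score(self, tx):
        """Return the rules a transaction trips; an empty list means no alert."""
        cust, amt, ts, payee = tx["customer"], tx["amount"], tx["ts"], tx["payee"]
        reasons = []
        if amt > HARD_CEILING:
            reasons.append("static:ceiling")
        if payee not in self.payees[cust] and amt > NEW_PAYEE_LIMIT:
            reasons.append("static:new_payee")
        recent = [t for t, _ in self.history[cust] if ts - t <= BURST_WINDOW]
        if len(recent) + 1 >= BURST_COUNT:
            reasons.append("static:burst")
        past = [a for _, a in self.history[cust]]
        if len(past) >= MIN_HISTORY:
            # What counts as unusual depends on the customer, not on a fixed number.
            mu, sd = mean(past), pstdev(past)
            z = (amt - mu) / sd if sd > 0 else (float("inf") if amt > mu else 0.0)
            if z > Z_THRESHOLD:
                reasons.append("dynamic:baseline")
        # Record only after scoring so a transaction cannot vouch for itself.
        self.history[cust].append((ts, amt))
        self.payees[cust].add(payee)
        return reasons


def run_sample():
    """Feed constructed transactions through the monitor; returns the alerts raised."""
    day = 86400
    mon = FraudMonitor()
    out = {}
    # Alice: small regular grocery payments, then a large transfer to a new payee.
    for i, amt in enumerate([30.0, 35.0, 40.0, 32.0, 38.0]):
        mon.score({"customer": "alice", "amount": amt, "ts": (i + 1) * day, "payee": "grocer"})
    out["alice_900"] = mon.score({"customer": "alice", "amount": 900.0, "ts": 6 * day, "payee": "unknown"})
    # Bob: large regular rent-sized payments, so 1500 to a known payee is normal for him.
    for i, amt in enumerate([1000.0, 1100.0, 1200.0, 1300.0, 1400.0]):
        mon.score({"customer": "bob", "amount": amt, "ts": (i + 1) * day, "payee": "rent"})
    out["bob_1500"] = mon.score({"customer": "bob", "amount": 1500.0, "ts": 6 * day, "payee": "rent"})
    # Bob again: three small transfers within ten minutes trip the burst rule.
    out["bob_burst"] = [mon.score({"customer": "bob", "amount": 50.0, "ts": 7 * day + s, "payee": "rent"})
                        for s in (0, 120, 240)]
    return out
```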
The challenges of a broad ecosystem
Banks’ information systems are often complex. They often combine traditional and newer systems, and rely on a set of networks with a large number of partners (for example, exchanging financial flows or subcontracting back-office processing). “This broad ecosystem represents a risk that must be managed — contractual clauses, managing services, monitoring flows, and so on,” says Philippe Carles. “Downtime or an intrusion on a partner’s premises could have significant consequences for the bank’s activity. There are plenty of examples of supply chain attacks through partners and suppliers. In particular, we can cite the SolarWinds case, which was heavily publicised at the end of 2020, or Alten or Sopra. Taking this ecosystem into account leads to a rethink of IS architecture and security.”
Another trend, which also affects some players in the banking industry, is the use of cloud services. “Orange Bank has chosen to go on the cloud, with AWS and Microsoft in particular, for several reasons: usage-based billing, resource elasticity, reliability (via automated processes), and so on. Cloud hosting can cover some security risks better than traditional hosting. But it does mean we have to manage new risks. Migrating to the cloud also pushes us to rethink security by onboarding all the teams (developer, system administrator, operator etc.), who previously worked in silos, in order to move towards a DevSecOps model that harmonises agility and security.”
Moreover, banking regulation also helps to make the banking ecosystem larger still, by promoting competition among banks and the emergence of new players in the interest of customers. “With the European regulation ‘PSD2’ (2nd Payment Services Directive), opening up banking services to new players such as account aggregators or payment initiators is a godsend for users, but exposes us via APIs”, explains Carles.
This new banking and digital ecosystem opens up an era of opportunities and challenges. Each player will have to take on their role and share of responsibility. Banks, as a trusted intermediary, need to keep their risks under control, and are therefore bound to continue improving their technical and operational resilience to deal with accidental and malicious threats, particularly cyber attacks, as cybercrime continues to thrive.
What are we up against?
The cyber threat is multifaceted and constantly evolving. Cyber attacks affect individuals and large industrial groups. From sophisticated cryptanalysis algorithms to rudimentary manipulation techniques, they employ a variety of methods. In cyberspace, just as in war, you have to know your enemy!
Brute force attack
Method used in cryptanalysis to “guess” a password or an encryption key by testing every possible combination, one by one. The premise of this is simple. In theory, it means that any password can be cracked. What’s uncertain is the time required to find the solution (from a few minutes to several years), which mainly depends on the length and complexity of the password.
Ransomware
Malware that takes a user’s data hostage with the aim of extorting money from the victim. Once the system is infected, it encrypts files to make them inaccessible. A message is then shown demanding payment of a ransom, in exchange for the password that the user will need to decrypt the files. Ransomware has become a major threat for individuals, businesses and also public institutions (e.g. hospitals).
Spyware
This is malware that collects and transmits information about a user to a third party. While some spyware simply records the victim’s activity for advertising purposes, others are more dangerous. They can install other malware, such as “keyloggers”, which record keystrokes or take screenshots to recover usernames and passwords.
Trojan horse
This seemingly legitimate and harmless program is a lever for attack: it contains malicious software (the “payload”), which is unknowingly installed on a computer by the user. It is the “malware” that will perform actions on the infected machine, not the Trojan horse itself. “Cracked” software — a free version of software that you usually have to pay for — or a USB stick can serve as a Trojan horse.
Phishing
Technique used to obtain personal information that will be used to steal money or will be sold on the black market. Cybercriminals “disguise” themselves as a trusted third party (bank, administration etc.) and send fraudulent emails to a large number of contacts. The message will contain a link that directs users to a fake web page, where they will be asked to enter confidential information, which will be recorded by the criminal.
Targeted phishing
This is targeted phishing, which involves stealing an email sender’s identity in order to steal money (e.g. CEO scams) or to infiltrate an organisation’s IS (e.g. industrial espionage). In this case, once the attacker has managed to compromise an initial machine, they take control of it in order to move within the IS, obtain administrator rights and access the information sought.
SQL injection
An attack that exploits security vulnerabilities in an application that interacts with databases. This involves modifying an existing SQL query by injecting an unexpected fragment of query into it. The hacker can therefore access the database, then modify or delete its content. SQL injection is one of the most common cyber attacks and one of the attacks most commonly used to steal data.
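As an added example that is not from the page, the following shows the “unexpected fragment of query” at work against a lookup that builds its SQL from user input, beside the parameterised form that prevents it; it uses an in-memory SQLite database with constructed rows.

```python
"""An unexpected fragment of query spliced into an existing one, beside the
parameterised form that prevents it.

Added example, not from the page. Uses an in-memory SQLite database with
constructed rows; the login lookup stands in for any query built from user input.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users (login, pw_hash) VALUES (?, ?)",
                     [("alice", "hash-a (constructed)"), ("bob", "hash-b (constructed)")])
    return conn


def find_user_vulnerable(conn, login):
    """The user's input becomes part of the SQL text, so it can change the query."""
    query = f"SELECT login FROM users WHERE login = '{login}' ORDER BY login"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, login):
    """The value travels separately from the query; the engine never parses it as SQL."""
    query = "SELECT login FROM users WHERE login = ? ORDER BY login"
    return [row[0] for row in conn.execute(query, (login,))]


def compare(conn, login):
    """Run both forms on the same input and return what each one matched."""
    return {"vulnerable": find_user_vulnerable(conn, login),
            "safe": find_user_safe(conn, login)}


def demo():
    conn = make_db()
    ordinary = "alice"
    # A value that closes the string literal and appends an always-true condition:
    # the vulnerable form now matches every row, the safe form matches none.
    unexpected = "x' OR '1'='1"
    return {"ordinary": compare(conn, ordinary), "unexpected": compare(conn, unexpected)}
```

Because the parameterised value can never close the string literal, the same mechanism also neutralises the variants that modify or delete content rather than read it.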
DoS & DDoS
The aim of a denial-of-service (DoS) attack is to make an IT service unavailable. When launched from multiple sources (zombie machines), it is referred to as a Distributed Denial-of-Service (DDoS) attack. Because of their relative simplicity, these attacks take place frequently and can cause significant financial loss.
Website defacement
This type of attack often exploits known, but unpatched, vulnerabilities to alter the appearance or content of a website. The sign of a compromised site can range from a simple message saying “hacked by…” to a whole site being replaced by a statement, to the addition of information or tips on how to improve site security.
Social bots
Social bots are AI software used on social media to generate automatic messages. These form part of the arsenal of cyber propagandists, along with “fake news” and data leaks (e.g. “MacronLeaks”). The manipulation of public opinion using these methods is now another cyber threat faced by States. The biggest fear is that “hacktivist” groups, and even other States, might interfere with electoral processes and, in the long run, destabilise democracy.
Businesses and cyber attacks: An ongoing and ever-evolving threat
Just like in a physical war, there are two sides: the attacker on one side, the defence on the other. The threat is everywhere and can affect any company.
When it comes to cybersecurity for businesses, knowledge of this threat is the starting point that precedes any other consideration. Virtual at first, it can become very real, and therefore requires implementing the means to address it without delay. This threat is, first and foremost, the reason companies equip themselves with cybersecurity solutions, even before regulatory compliance. But how do we define it?
Ongoing and evolving
A key determinant of the threats is their ability to accumulate. “Today’s threats do not just replace yesterday’s, they overlap”, explains Laurent Célérier, Executive Vice President of Technology & Marketing at Orange Cyberdefense. “Threats that have existed for 10 years or more are still present in the cybersecurity ecosystem, to varying degrees, and new types of attacks are joining them all the time. Their evolving nature is another distinctive feature. Take ransomware, for example. In principle, over the past several years it has not changed. It is used to attack an information system by encrypting data before offering a decryption key in exchange for money. But companies have gained experience in this area and have implemented backup devices to reduce or eradicate their impact. Cybercriminals have therefore adapted their model, doubling encryption through prior exfiltration of the most sensitive data. This gives them two means of pressure, the unavailability of the data and the possibility of disclosing it.”
From reputational damage to sabotage
Cyber attacks can be classified into four main types. They can be intended to damage a company’s reputation, by altering a brand on the Internet or defacing a website with a political message, for example. Other attacks have a financial purpose, such as extortion of funds through hijacked bank websites or ransomware. An attack can be used for spying, in order to steal company or government secrets. Lastly, in some cases, it is outright sabotage, such as that caused by the malware Stuxnet, which targeted Iran’s uranium enrichment centrifuges. Cyberspace has become a place where the powerful clash. The cyber attack on SolarWinds, regarded as the largest-ever orchestrated attack on the US government, is a recent reminder.
The keys to security
Once the threat is known, it is a matter of identifying which resources need to be protected. The issue differs for each type of business, whether a large retailer, for which billing and logistics systems are essential, or a law firm, where data privacy is imperative, for example.
The security strategy that results from this first phase is most often centred on three key topics. This starts with access protection, from the most basic (passwords) to more advanced systems, such as multi-factor authentication. Protection of the company network must also be explored, through the implementation of firewalls, anti-DDoS and VPNs etc. Special attention must also be paid to endpoints, the terminals connected to the company’s network and used by its employees. Until recently regarded as a commodity, they have attracted far greater interest in their protection since attackers took advantage of organisations’ underinvestment in this area to get in through the cracks.
On top of these classic issues, two security issues have been on the rise in recent years. Firstly, the rapid growth of the cloud, which implies the need for stronger support for companies migrating to these technologies. Secondly, the cybersecurity of industrial systems has gradually undergone a paradigm shift. While the systems themselves are not new, connecting them to corporate networks or the Internet to maximise their capabilities is. Industrial automation systems, which until now operated in isolation, have become connected and have therefore widened the scope of the threats against them.
Cybersecurity, a continual investment
Cybersecurity now faces a skills challenge, which artificial intelligence and the automation of certain tasks will not be able to meet alone. Progress in this area also depends on investment by solution providers and companies. Cybersecurity has to be considered as a flow, not a stock: exploration and investment in the field need to be continuous. Moreover, the human factor must be taken into consideration. Despite a tendency to focus cybersecurity on the technological aspect alone, it relies on three pillars: people, process and technology. In 2020, around 15% of cyber attacks were linked to human error. User training and the development of a corporate security culture are crucial.
Four scenarios for the future
How is the cybersecurity ecosystem likely to evolve? For Laurent Célérier, four probable scenarios can be defined. “First, we can imagine that, following a technological break that is unknown at the present time, the level of cybersecurity increases significantly, with governments undertaking to demilitarise cyberspace, which would then become a universal asset just like Antarctica or the deep seabed. The second possibility is that of a sort of cold war, in which regulatory progress would lead to a significant rise in cybersecurity and the de facto ruling out of small players. There would be no more cybercrime, only State powers would remain, which very few or none would confront due to the enormous costs involved in the attacks. The third assumption is akin to the current situation, where cybercrime exists but remains under control, with a cost still acceptable to society. The final alternative is a breakdown. A large-scale global attack takes place and confidence in digital technology is destroyed. From a widespread and standardised Internet, we would move to a different cyberspace, more local and with significant technological differentiation.”
Bleak scenarios, to say the least, which should encourage businesses to focus more on their cybersecurity challenges.
Research at the cutting edge of cybersecurity
The increasing number of attacks, sometimes on critical systems, is a major concern for governments and businesses all over the world. Cybersecurity research teams are taking action with the intention of dissecting and preventing this threat.
For cybercriminals, the age of virtualisation is a real boon. Physical barriers are tumbling as networks open up in the Cloud. IT management companies are choice targets because they use the same systems for core clients such as governments and major industrial groups. “And we realise that those that are considered the biggest specialists in the sector are sometimes the worst off”, said Adam Ouorou, Director of Trust & Security Research at Orange. “This was evident in the recent hacking of US company SolarWinds and its clients. That scandal also reveals the failure of government agencies to implement effective strategies”. Through its cryptologists and AI experts, Orange’s cybersecurity team looks closely at these kinds of events in order to learn from them, and above all be able to prevent them.
An undesirable side effect of cybersecurity is that capabilities that are beneficial for defence can be turned against a company. This is the case with cryptography, which is capable of ever greater feats in protecting data but can also be used to steal data from its owners by means of ransomware. In cybersecurity, it is therefore essential that research does not become passive, so that defence stays one step ahead of attack, in keeping with the adage “prevention is better than cure”. For instance, when you opt to host your data in the Cloud, it is recommended that you use multiple storage locations. Unfortunately, in the race to save money, preventive measures are often overlooked.
Threat analysis: permanent watch
Artificial intelligence (AI) is not immune to malicious activity. When it comes to deepfakes, a few minutes of video are enough to destroy a reputation, whereas it takes considerable time to prove it is fake. But AI also shines in terms of defence, where it increases the ability to anticipate events, thereby reducing response times. Ouorou explains: “With AI you can detect unusual behaviours — it’s all about knowing how to differentiate between deviation and threat in order to avoid false positives or false negatives. At Orange, for example, we have developed our own platform to detect and monitor the evolution of threats. So, in 2020, the use of the words ‘Covid’ or ‘black lives matter’ in hacking operations showed us that the news is a goldmine for cybercriminals.”
An issue also being addressed by the sector
At Orange, cooperating with operations teams is crucial for research. It is on the ground that the latest developments in cybercrime are identified, and that involves Orange Cyberdefense, the various countries in which the Group operates, Orange Business Services and its business clients. But this cooperation needs to go beyond the company’s boundaries. “In the Internet of Things (IoT), manufacturers are insufficiently concerned with cybersecurity, meaning that many attacks originate through these weak points. Then, that data is passed on via our own networks”. Orange contributes to the joint effort by looking for weaknesses, finding solutions and developing technological building blocks that are then made available to manufacturers. If you are unable to take action on vulnerable targets, mediation features (gateway or software module in Livebox) are available, which act by neutralising the ability to cause problems after infection by blocking any associated information flows.
Operators looking for allies… hard to find?
Faced with sophisticated attacks, politicians are starting to realise that the response also needs to be state-led. Partnerships are being launched at European level and by research bodies in France. Such is the case, for example, for the PROMETHEUS collaborative European project on post-quantum cryptography and the RISQ project on the same issue, which involves French industrial players and the ANSSI (French National Cybersecurity Agency). “The trade war between the United States and China is making Europe wake up, which is a good thing”, concludes Ouorou. “We put too much trust in what comes out of so-called ‘ally’ countries, while being unable to check whether the promised guarantees are being respected. Protecting digital spaces in a practically deindustrialised Europe has become a complex task. That is why research always needs to stay one step ahead.”
AI to help fight against cyber attacks
Among the many applications and uses in which it is integrated, AI has proven to be a valuable contribution to cybersecurity in many ways. The implementation of AI requires a calibrated organisational structure and involves experts from different disciplines working together.
Where there is data, artificial intelligence can add value. For the last few years, this theoretical assumption has been exemplified in the cybersecurity sector, where AI is an unprecedented “analytical propellant”, notably in regard to three key challenges.
From detection to automated response
It is principally about using the power of AI and other mathematical tools to detect new threats as early as possible. “These technologies can help us identify unusual behaviour or new vulnerabilities in infrastructure or application data and thus gather information to help us strengthen defence and security solutions”, explains Sandrine Mercier, Head of Security at Orange. “We need to define ad hoc algorithms that are able to analyse and trace deviant or malicious behaviour in real time and that can assess the relevance of that information”.
The second challenge stems from the first. “We have so much data at our disposal”, says Sandrine Mercier, “data that we must make operational and then transform into qualified, relevant and structured information. The challenge is to build intelligence that is operational enough that we can use it as leverage for informing defence actions.”
Finally, AI can also help develop the skills of cybersecurity experts. In this case, it is used to simulate attack environments and scenarios, both to train experts in incident response and to let them test defence solutions.
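The first two challenges above (spotting deviant behaviour in real time, then turning raw events into qualified, relevant information), together with Ouorou’s remark earlier on the page about telling deviation from threat to limit false positives, can be illustrated with a small detector. The code below is an added example written for this page; it is not Orange’s platform or any of its algorithms. It scores per-user hourly login failures with a robust (median/MAD) modified z-score, then qualifies each flagged hour as a probable threat only if it ends with a successful login from a source address that user has never authenticated from before; otherwise it is reported as a mere deviation (for example, a user mistyping a forgotten password). The log lines, users and addresses are constructed for the example.

```python
"""Robust anomaly scoring over authentication logs, with a second step that
separates a mere deviation from a probable threat (added example, synthetic data)."""
from statistics import median

# Constructed sample log lines (synthetic, not production data):
# timestamp user source_ip result
SAMPLE_LOGS = """\
2024-01-10T08:01:02 alice 10.0.0.5 FAIL
2024-01-10T08:01:20 alice 10.0.0.5 SUCCESS
2024-01-10T08:03:00 bob 10.0.0.9 SUCCESS
2024-01-10T09:10:00 bob 10.0.0.9 FAIL
2024-01-10T09:10:30 bob 10.0.0.9 SUCCESS
2024-01-10T10:15:00 alice 10.0.0.5 FAIL
2024-01-10T10:15:40 alice 10.0.0.5 SUCCESS
2024-01-10T11:20:00 bob 10.0.0.9 FAIL
2024-01-10T12:00:00 carol 10.0.0.12 FAIL
2024-01-10T12:00:30 carol 10.0.0.12 SUCCESS
2024-01-10T13:00:01 alice 203.0.113.7 FAIL
2024-01-10T13:00:02 alice 203.0.113.7 FAIL
2024-01-10T13:00:03 alice 203.0.113.7 FAIL
2024-01-10T13:00:04 alice 203.0.113.7 FAIL
2024-01-10T13:00:05 alice 203.0.113.7 FAIL
2024-01-10T13:00:06 alice 203.0.113.7 FAIL
2024-01-10T13:00:07 alice 203.0.113.7 FAIL
2024-01-10T13:00:08 alice 203.0.113.7 FAIL
2024-01-10T13:00:09 alice 203.0.113.7 SUCCESS
2024-01-10T13:30:00 bob 10.0.0.9 FAIL
2024-01-10T13:30:01 bob 10.0.0.9 FAIL
2024-01-10T13:30:02 bob 10.0.0.9 FAIL
2024-01-10T13:30:03 bob 10.0.0.9 FAIL
2024-01-10T13:30:04 bob 10.0.0.9 FAIL
2024-01-10T13:30:05 bob 10.0.0.9 FAIL
2024-01-10T13:30:50 bob 10.0.0.9 SUCCESS
"""


def parse(log_text):
    """Split each line into (timestamp, user, source_ip, result)."""
    return [tuple(line.split()) for line in log_text.strip().splitlines()]


def hourly_failures(events):
    """Per-user count of FAIL events for every hour seen in the data (zeros included)."""
    hours = sorted({ts[:13] for ts, _, _, _ in events})
    counts = {}
    for ts, user, _, result in events:
        if result == "FAIL":
            counts.setdefault(user, dict.fromkeys(hours, 0))[ts[:13]] += 1
    return hours, counts


def modified_z(values):
    """Iglewicz-Hoaglin modified z-score: robust to the outliers we are looking for."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad == 0:  # degenerate baseline: anything off the median is 'infinitely' unusual
        return [0.0 if v == med else float("inf") for v in values]
    return [0.6745 * (v - med) / mad for v in values]


def detect(log_text, z_threshold=3.5, min_failures=5):
    """Return qualified alerts: statistical deviation first, then threat context."""
    events = parse(log_text)
    hours, counts = hourly_failures(events)
    alerts = []
    for user, per_hour in counts.items():
        values = [per_hour[h] for h in hours]
        for hour, count, z in zip(hours, values, modified_z(values)):
            # Absolute floor keeps a single failure on a flat baseline from alerting.
            if z < z_threshold or count < min_failures:
                continue
            known_ips = {ip for ts, u, ip, r in events
                         if u == user and r == "SUCCESS" and ts[:13] < hour}
            new_ip_logins = sorted({ip for ts, u, ip, r in events
                                    if u == user and r == "SUCCESS"
                                    and ts[:13] == hour and ip not in known_ips})
            alerts.append({
                "user": user, "hour": hour, "failures": count, "z": round(z, 1),
                # Burst of failures followed by success from a never-seen address.
                "verdict": "threat" if new_ip_logins else "deviation",
                "new_ips": new_ip_logins,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Both alice and bob deviate statistically in the 13:00 hour, but only alice’s burst ends with a login from an address she has never used, so only that alert is qualified as a threat; bob’s is kept as a low-priority deviation for an analyst to triage. In production, the baseline would be computed over days rather than a handful of hours, and the “threat context” step would draw on more signals (geolocation, device fingerprint, threat-intelligence feeds).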
AI proven in “real conditions”
The bottom line is the data itself: to determine the performance level of an AI solution, and any underlying solutions, you need data — a lot of data. This can come from public data banks or, for a carrier such as Orange, can be drawn from network supervision. “We use anonymised production data in compliance with data protection laws such as the GDPR”, explains Sandrine Mercier. “We rely on the data generated by our own activities, such as that of our large collaborative accounts in order to test and demonstrate selected algorithms in a real environment. When approved, the transition from pre-production to production involves an equivalent or similarly agile approach to fine-tune and adjust our algorithms in real time, and ultimately maintain their level of efficiency”.
“We need to define algorithms that are able to analyse and trace deviant or malicious behaviour and that can assess the relevance of that information”.
AI solutions need relevant sector expertise to be operationalised
The design and production of AI solutions is both technical and organisational. According to Sandrine Mercier, “we need science, mathematics and industry experts, such as application and network operators. A mathematician can develop an algorithm but cannot provide an information value to the data that is analysed by the algorithm. This is where industry analysts and cybersecurity experts come into play: to define the confidence level of the information, the relevance and the possibility of its exploitation and, ultimately, to approve its operational implementation. It is absolutely crucial that data science/mathematical expertise be combined with a degree of knowledge of cybersecurity”.
This is what enables us to achieve reliable and effective solutions that are implemented in supervision centres to detect new threats or abnormal behaviours, to structure and partially or completely automate certain defence scenarios, and in other areas such as finance to identify fraud.
The constant quest for innovation
Beyond the many services and solutions already on the market, Orange’s research teams are still exploring the field of AI and pushing it to new horizons. AI & Cyber solutions are currently being developed: some to strengthen threat awareness and thus improve the effectiveness of our Threat Intelligence, others to enhance vulnerability identification in internal or client systems by expanding the exploitation of the data generated by infrastructures and applications. These two areas of development already provide us with additional capabilities in threat awareness, in identifying threats and vulnerabilities as proactively as possible and in organising incident response.
How can intrusion into an information system be prevented? Elias, a Pentester at Orange Cyberdéfense, explains his job and his background.
Jobs within cybersecurity
In response to the proliferation and diversification of cyber attacks, the cybersecurity market is booming and offers many career opportunities. Security architects, SOC analysts or consultants are among the most sought-after roles.
Information Systems Security Researcher (ISS)
In basic research, an ISS researcher designs and conducts research projects to gain new knowledge and contribute to the emergence of innovative technologies in their field. They report on their work and discoveries by writing scientific articles or participating in conferences and may also teach. In applied research, they perform scientific and technological monitoring and carry out R&D work to develop new products, processes or services.
Cybersecurity consultants support companies and administrations in securing their IS. They take action upstream to help the organisation define its cybersecurity and compliance strategy. They can also intervene in the event of a crisis following a cyber attack. In the first place, based on a diagnosis during which they assess the existing level of security and define intrusion scenarios, they propose appropriate methods and tools according to their clients’ needs and the context.
Responsible for designing, developing and maintaining IS security architectures, security architects ensure that the technological choices for projects carried out within their companies are relevant and sustainable. To do this, they have to ensure that these choices are consistent with the IT strategy and comply with the security requirements of the organisation, and that the security components deployed are robust and interoperable. They also have to monitor new threats and regularly review the existing architecture.
A cryptologist is an expert in the security of communication systems and is responsible for protecting sensitive data. To do this, they develop ways of encrypting and encoding information using complex algorithms to ensure that transmissions remain confidential and guarantee data authenticity and integrity. As part of their work, they also analyse existing encryption algorithms to ensure their effectiveness and test programs designed by their colleagues.
A SOC (“Security Operations Centre”) analyst is responsible for supervising the IS: they monitor, detect and analyse security incidents, help to deal with them and improve prevention methods. For these purposes, they interpret the thousands of alerts that reach the SOC, using tools such as SIEM (“Security Information and Event Management”) and user behaviour analytics solutions, reports made available to them (by a CERT, for example), security software, etc.
An IAM (“Identity and Access Management”) specialist is trained in managing identities and access to the IS and its applications, i.e. all the processes put in place by an organisation to manage authorisations for users of its IT resources. The IAM specialist can find out the “what, when and why” behind any access. An IAM specialist will, for example, be responsible for helping to set up role-based access models.
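To make the role-based model and the “what, when and why” of access concrete, here is an added example written for this page (it is not code from Orange or from any IAM product). It assumes a hypothetical finance application with four roles, denies every permission not granted by a role, refuses role assignments that would violate a separation-of-duties rule (the same person may not both create and approve an invoice), and records every decision with the requester’s justification, which is the audit trail an IAM specialist would later query.

```python
"""Minimal role-based access model with deny-by-default, separation of duties
and an audit trail (added example; roles and permissions are hypothetical)."""
from datetime import datetime, timezone

# Hypothetical role -> permission mapping for a finance application.
ROLE_PERMISSIONS = {
    "viewer":    {"invoice:read"},
    "requester": {"invoice:read", "invoice:create"},
    "approver":  {"invoice:read", "invoice:approve"},
    "admin":     {"role:assign"},
}

# Role pairs one identity may never hold at the same time (separation of duties).
TOXIC_COMBINATIONS = [frozenset({"requester", "approver"})]


class AccessModel:
    def __init__(self):
        self.assignments = {}  # user -> set of roles
        self.audit = []        # who / what / when / why / decision

    def _log(self, who, what, why, decision):
        self.audit.append({
            "who": who, "what": what,
            "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "why": why, "decision": decision,
        })

    def assign(self, user, role, justification):
        """Grant a role unless it is unknown or creates a toxic combination."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        held = self.assignments.get(user, set())
        for combo in TOXIC_COMBINATIONS:
            if role in combo and (combo - {role}) & held:
                self._log(user, f"assign:{role}", justification, "deny:separation-of-duties")
                return False
        self.assignments.setdefault(user, set()).add(role)
        self._log(user, f"assign:{role}", justification, "allow")
        return True

    def revoke(self, user, role, justification):
        removed = role in self.assignments.get(user, set())
        if removed:
            self.assignments[user].discard(role)
        self._log(user, f"revoke:{role}", justification, "allow" if removed else "noop")
        return removed

    def authorize(self, user, permission, justification):
        """Deny by default: a permission is granted only through a held role."""
        allowed = any(permission in ROLE_PERMISSIONS[r]
                      for r in self.assignments.get(user, set()))
        self._log(user, permission, justification, "allow" if allowed else "deny")
        return allowed

    def who_can(self, permission):
        """Reverse lookup for access reviews: which identities hold this permission?"""
        return sorted(u for u in self.assignments
                      if any(permission in ROLE_PERMISSIONS[r] for r in self.assignments[u]))


if __name__ == "__main__":
    model = AccessModel()
    model.assign("dana", "requester", "finance onboarding, ticket 1042")
    model.assign("dana", "approver", "backfill while manager is away")  # refused
    model.authorize("dana", "invoice:approve", "approve INV-7")         # denied
    for entry in model.audit:
        print(entry)
```

The reverse lookup (`who_can`) is what periodic access reviews need: listing every identity that can approve invoices, rather than reading role definitions one user at a time.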
The human factor in cybersecurity
Over 90% of security incidents are thought to be down to human error. To prevent cyber risks, including social engineering attacks, people must adopt scrupulous cyber hygiene. Meanwhile, organisations should combine technological building blocks with cybersecurity training for employees.
In January 2018, against a backdrop of escalating tensions between the United States and North Korea, the Hawaii Emergency Management Agency (the state agency responsible for emergency management in Hawaii) issued a false ballistic missile attack alert. Following the incident, the public discovered a photo, taken a few months earlier, in which one of the organisation’s agents was posing in front of screens. A Post-it note, with a password written on it, could be seen stuck onto one of them…
The vast majority of security incidents suffered by companies and administrations are down to human error. Such errors include weak passwords, disclosure of sensitive information on social networks, neglect or lack of caution with regard to certain emails and phone calls, as well as inappropriate use of professional computer resources. How, then, can we manage the human factor in cybersecurity?
Wise to the fact that the human factor is the weakest link in IT security, hackers are now using employees as a gateway to organisations’ information systems (IS).
They do this by attempting to extract information from their victims by using deception (impersonation, for example) and by exploiting psychological weaknesses (ignorance, naivety, neglect, greed etc.) and organisational vulnerabilities rather than IT vulnerabilities. Typically, the fraudster will call an employee, pretending to be a computer maintenance technician or a partner with an urgent problem, in order to find out their usernames and passwords. This is called social engineering — a concept theorised and popularised by former hacker Kevin Mitnick in his 2002 book The Art of Deception — or psychological hacking. Social engineering is therefore defined as the art of manipulating people into performing actions or disclosing personal or confidential information for fraudulent purposes. The end goal is usually to obtain money or gain access to an organisation’s IS.
Many cyber attacks — some of the most common today — rely on social engineering. The Social Engineering Framework has plenty of information about this subject.
Spear phishing, a variant of phishing, is a prime example of using employees to break through an organisation’s defences. This type of targeted attack generally involves impersonating the sender of an email in order to infiltrate an IS. This technique consists of creating a scenario from scratch, often from preliminary research (the attacker will, for example, know personal information about the recipient, the names of some of their colleagues, the jargon used by the employee within their department or sector of activity etc.), in order to gain the victim’s trust. The “social engineer” then obtains new information, which makes them more and more credible and means they can reach new targets in key positions. One example of this technique is CEO fraud, which involves the hacker posing as the head of a company in order to obtain a wire transfer.
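The sender impersonation described above leaves traces in the message itself that a mail gateway or an analyst can check. The following is an added example written for this page (not a tool from Orange or from any vendor): it parses a constructed CEO-fraud style message with the standard library `email` module and reports the classic signs, a display name that matches an executive while the address does not, a lookalike sender domain within a small edit distance of the organisation’s own domain, a Reply-To pointing at a third domain, and urgency/payment wording in the subject. The domain, the executive directory and both messages are assumptions made up for the example.

```python
"""Heuristic checks for sender impersonation in a spear-phishing / CEO-fraud
e-mail (added example; domain, directory and messages are constructed)."""
import email
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-corp.com"                       # assumed own domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # assumed VIP directory
URGENCY_WORDS = ("urgent", "wire", "transfer", "immediately", "confidential")

# Constructed suspicious message: lookalike domain (digit 1 for letter l),
# Reply-To on a third domain, urgency in the subject.
SUSPICIOUS_MAIL = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail-example.net
To: accounting@example-corp.com
Subject: Urgent wire transfer

Please process the attached invoice today, I am in a meeting all afternoon.
"""

# Constructed benign message from the real executive.
BENIGN_MAIL = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounting@example-corp.com
Subject: Lunch on Thursday

Shall we move lunch to 12:30?
"""


def levenshtein(a, b):
    """Edit distance, used to spot typosquatted / homoglyph sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rpartition("@")[2].lower()


def check_message(raw, trusted_domain=TRUSTED_DOMAIN, executives=EXECUTIVES):
    """Return a list of human-readable findings; an empty list means no sign found."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []

    # 1. Display name of a known executive, but not their real address.
    key = name.strip().lower()
    if key in executives and addr.lower() != executives[key]:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")

    # 2. Sender domain is a near-miss of the organisation's own domain.
    if from_domain != trusted_domain and 0 < levenshtein(from_domain, trusted_domain) <= 2:
        findings.append(f"lookalike sender domain: {from_domain}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain differs from From domain: {reply_to}")

    # 4. Pressure and payment wording typical of CEO fraud.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append(f"urgency/payment wording in subject: {msg.get('Subject')}")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MAIL), ("benign", BENIGN_MAIL)):
        print(label, check_message(raw))
```

These header heuristics complement, rather than replace, the authentication results (SPF, DKIM, DMARC) that a gateway records in the Authentication-Results header; a lookalike domain can pass all three if the attacker registered it and set its records up correctly, which is exactly why the display-name and Reply-To checks still matter.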
Two further examples of social engineering attacks are watering hole attacks, which involve infecting a website that employees of a targeted sector or organisation regularly visit, and “scareware”, which makes the victim think their computer is infected or at risk of being infected in order to get them to buy fictitious software or download malware.
If every single person is capable of posing a “security risk”, what behaviours should be adopted to guard against risks both personally, but also professionally, to protect their employers and professional partners? What measures should companies take to manage the human factor in their cybersecurity strategies?
Good cyber hygiene
Above all, this is a matter of individual responsibility. All users must be aware of and apply a certain number of good practices, both at home and at work. The French government’s “R!SQUES” site lists a whole range of very useful tips, including: choosing the right password, regularly updating operating systems, software and applications, being careful when distributing personal information online, when opening emails or making online payments, being as vigilant with your mobile devices — which are not very secure these days — as you are with your computer etc. These basic rules are known as “computer hygiene”; good habits that users have developed to look after their devices and software and improve their online security.
The website also recommends keeping personal and professional use separate, and warns about the risks of BYOD (“Bring Your Own Device”). This practice, which consists of using personal devices in a professional setting, is increasingly popular. However, it poses significant problems in terms of personal and professional data.
Raising awareness and training employees
Organisations too must adopt and enforce cyber hygiene rules. They can minimise human risk with technical solutions, such as anti-virus and anti-phishing filters, designed to respond to known threats and prevent employees from downloading or running most malware. However, they must add to their cybersecurity arsenal by taking action to educate employees about cyber risks and create a culture of information security.
Security consultant at Orange Cyberdefense, Guillaume Laudière distinguishes between communication, awareness and training. Communication is a short action used to convey a message about one or two topics using compelling content. Awareness involves educating people and explaining good security practices. Training over a long period of time is used to acquire knowledge or skills.
In the specific case of social engineering, this will, for example, involve using scenarios to show administrative and sales staff the importance of never revealing sensitive information over the telephone, taking a look at the latest techniques used by attackers, practising by simulating attacks etc. Ultimately, both procedures and technologies should be adopted to minimise the impact of successful attempts at social engineering attacks.
While the human factor is IT security’s Achilles heel, human intelligence is also the best defence against attacks, whether they originate from social engineering or from technical flaws. Improving people’s knowledge and understanding of current and future cyber threats is therefore an essential part of an effective cybersecurity strategy.