Visit to the F-Secure Security Center in Poznan
The work of ethical hackers and F-Secure incident analysts, information on cyber attacks on organizations and users in Poland, and tools to detect and combat cyber threats - these were the main topics raised during the journalists' visit to the F-Secure Security Center in Poznan, which we visited on July 4, 2018.
Our visit to the F-Secure headquarters was in a sense unique, because it is here that the largest F-Secure security operations center in the region is located. It is in Poznań that strategic decisions are made about the development of F-Secure products and services, and, most importantly, it is in Poland that an expert group provides security 24 hours a day for the network infrastructure of end customers such as banks, telecoms, and companies from the industrial, financial and strategic sectors, as part of the Rapid Detection Service carried out by F-Secure. We were informed that another service, Rapid Detection & Response, will soon be launched and will be delivered in cooperation with distribution partners in Poland.
Leszek Tasiemski, leader of the Poznan cybersecurity expert group, who until May 2018 was VP, Rapid Detection Center, R&D Radar & RDS at F-Secure and has recently become vice president of research and development on a global scale, implementing the company's strategy of focusing on business services aimed mainly at medium-sized and large enterprises, presented to the journalists the attack statistics from the F-Secure honeypot network.
According to F-Secure, attempts to carry out cyber attacks on Poland are made on average 700 times an hour. The four countries from which the most attacks on our country originate are the USA, France, Russia and China. The Internet has no borders, so criminals from any geographical region may be hiding behind the scenes, attacking companies under a false flag from behind a curtain of anonymizing servers.
Over the last year, more than 6 million cyber attack attempts have been made on Poland (the data come from the honeypot network for the last 12 months, from June 1, 2017 to June 1, 2018).
As many as 60% of incidents came from the USA, and the most common attack vectors were the HTTPS and HTTP protocols - this means that servers were scanned for web applications whose vulnerabilities can be used to steal data or take control of a particular device.
The second largest source of attacks on Poland is France. Most of the detected incidents were attacks on the SMTP port, which indicates activity associated with phishing and spam.
Over 90% of cyber attacks took place in the second half of August, and 12% of them came from only three IP addresses - they could have belonged to larger organizations using many thousands of computers. This indicates a mass infection that affected France during this period. It should be remembered that geography on the Internet is a fleeting issue, and cybercriminals often operate across national borders. The source is the last "stop" that the attacker used, and it is not always synonymous with their physical location. The devices from France could be used by hackers from another country to carry out further attacks.
- explains Leszek Tasiemski.
Russia is in third place. Since June last year, more than 800,000 cyber attacks have been recorded from IP addresses belonging to this country. Almost 85% of the detections related to the SMB protocol, which the hackers most likely used to spread extortion software, i.e. ransomware. It was an even movement spread over the year, with a marked intensification in August.
The number of cyber attacks directed at Poland in the first half of 2018 was twice as high as in the same period of the previous year. For us, the biggest surprise is the decline in Russia's activity. So far, this country has dominated the world map of cyber threats. We now note that the number of cyber attacks is more often related to the size of a given country, which explains the more active participation of China and the US.
- sums up Leszek Tasiemski.
In fourth position was China, with almost 600,000 attack attempts. Attacks from IP addresses assigned to this country specialized in searching for and exploiting unsecured MySQL databases.
Exposing any database directly to the public network is a cardinal administrator error. Hackers can therefore expect that, if only they can find them, they will probably be badly secured and misconfigured. Certainly this problem does not affect banks and other large financial institutions, so in this respect our money is safe.
- adds Leszek Tasiemski.
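The honeypot figures above (share per source country, dominant targeted protocol per country, and the concentration of a country's traffic in a few IP addresses or a short time window) are the kind of aggregation a defender runs over honeypot telemetry. The following is an added example, not F-Secure's code or data: it assumes a hypothetical CSV export with a timestamp, source IP, geolocated source country and targeted service, and the sample rows are constructed.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample in a hypothetical honeypot export format (not F-Secure's):
# timestamp, source IP, country of the source IP (from geolocation), targeted service.
HONEYPOT_CSV = """\
2017-08-20T10:01:00Z,203.0.113.5,FR,SMTP
2017-08-20T10:02:00Z,203.0.113.5,FR,SMTP
2017-08-21T11:00:00Z,203.0.113.9,FR,SMTP
2017-08-22T12:00:00Z,198.51.100.7,FR,HTTP
2017-09-01T09:00:00Z,192.0.2.10,US,HTTPS
2017-09-01T09:05:00Z,192.0.2.11,US,HTTP
2017-09-02T10:00:00Z,192.0.2.12,US,HTTPS
2017-10-03T08:00:00Z,198.51.100.20,RU,SMB
2017-10-04T08:30:00Z,198.51.100.21,RU,SMB
2018-01-10T07:00:00Z,192.0.2.30,CN,MySQL
"""

def parse_events(text):
    """Parse CSV rows into dicts with keys ts, ip, country, service."""
    reader = csv.reader(StringIO(text))
    return [dict(zip(("ts", "ip", "country", "service"), row)) for row in reader if row]

def share_by_country(events):
    """Fraction of all events attributed to each source country, e.g. {'US': 0.6}."""
    counts = Counter(e["country"] for e in events)
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()}

def dominant_service(events, country):
    """(service, share) of the most frequently targeted service for one source country."""
    counts = Counter(e["service"] for e in events if e["country"] == country)
    service, n = counts.most_common(1)[0]
    return service, n / sum(counts.values())

def top_ip_concentration(events, country, n=3):
    """Share of a country's events coming from its n busiest source IPs.
    A high value points to a few mass-infected or relayed hosts rather than a
    broad campaign; the country is only the attacker's last hop, not their location."""
    counts = Counter(e["ip"] for e in events if e["country"] == country)
    top = sum(c for _, c in counts.most_common(n))
    return top / sum(counts.values())

def share_in_window(events, country, start, end):
    """Fraction of a country's events with start <= ts < end (ISO timestamps compare lexically)."""
    own = [e for e in events if e["country"] == country]
    return sum(start <= e["ts"] < end for e in own) / len(own)
```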
Penetration tests by the F-Secure Red Team
F-Secure is evidently aiming at services, but is not giving up on traditional software. It is hard not to notice the investments in this direction, which have contributed to a fourfold increase in the headcount of the Poznań office over the past 3 years (it currently employs over 90 experts).
Penetration tests and the Red Team are led by Jarosław Kamiński. The tasks of this selected group of experts include risk and vulnerability assessment, penetration tests and software fuzzing. F-Secure, which has clients from all over Europe, sends anonymous employees to the client who impersonate attackers and carry out controlled attacks aimed at overcoming and circumventing already implemented security measures, and thereby improving them.
The main task of the Red Team is to simulate a real attack, starting from the reconnaissance phase using publicly available information, through planning (e.g. searching for the weakest points of the IT system to attack, or working out how to physically enter the building and get around security procedures from the inside). Next comes the execution stage - e.g. privilege escalation - and preparation of the final report.
Experts sometimes enter the building dressed as electricians or pretend to be journalists heading for a press conference, and even force locks. Finding printouts of emails in rubbish bins, dropping an infected USB stick in a company car park, or trying to get the wireless network password from a receptionist while claiming to be a new employee - these are just a few examples of the tasks they do every day at work. An old, discarded hard drive or correspondence left behind may allow them to carry out an attack.
Not everyone can become a member of the elite F-Secure team:
All employees have a "clean past" and an extremely hard moral backbone. This is very important to us because we have to trust people who have access to very valuable information. We do not accept even the best hackers who had something on their conscience in the past.
- explains Leszek Tasiemski.
Red teaming tests are targeted at medium and large companies. Jarosław Kamiński did not hide that the service is expensive and that at the moment the Red Team does not have any client in Poland. In the lobby, it was argued that the reason is not so much the high price of the service as a different approach to security and a different security culture among European companies. In addition, to engage experts from F-Secure, the organization must already have security procedures in place at the enquiry stage, and these will be thoroughly checked.
Most often, after the controlled attack, the presidents open their eyes and realize that the risk is real. The key elements of business operation are at stake, such as engineering project databases, credit card numbers or customer accounts.
Some respond with surprise, others with disbelief, while a group is not surprised, because they give in to the controlled attack again. Such tests are worth repeating, because security is not given once and for all.
- sums up Leszek Tasiemski.
F-Secure Rapid Detection & Response as a service
In the last part of the meeting we visited the Rapid Detection Center - a place where cyber security specialists analyze potential threats 24 hours a day. They have 30 minutes for the initial analysis of each incident reported by sensors installed in the client's network, but an attack can be recognized even earlier, at the stage of information arriving from the honeypot network.
The Rapid Detection & Response security service allows you to delegate the problem of analyzing, preventing and combating cyber threats into the hands of F-Secure experts in Poznan. The solution is constantly improved by F-Secure analysts, so that it can cover the network in an automated manner and draw on the knowledge of specialists in specific situations. The service operates on the basis of a combination of machine learning, processing billions of events per day, and analyst staff who continuously improve the detection systems based on the typical behaviors of cybercriminals and malicious software.
Technology for F-Secure business solutions is developed in Helsinki and in Poznan. A large part of the activity is based on research and development.
The group also has proprietary research tools. One example is the website https://riddler.io, which allows searching data on almost 400 million hosts.
Experts have also automated the analysis of Twitter entries - they can collect 8,500 tweets per hour based only on keywords that are relevant at the moment. The algorithms then process this data to visualize emerging threats.
One of the main elements of the puzzle is the network of honeypots, i.e. servers that pretend to be an easy target and act as a lure for cybercriminals. Hackers attack them, and thanks to that it is possible to obtain valuable data and develop further methods of fighting cyber threats. It is thanks to this network that it is possible, for example, to create a map showing the most frequent sources of attacks on Poland.
Dynamic development of F-Secure in Poland
Poland is a link between Europe serving local and foreign partners. From a strategic and personnel point of view, we have many experts and we are an important element of the service and software supply chain for European markets. Business products include endpoint security, vulnerability management tools, protection of third-party cloud solutions (Cloud Protection), managed detection and response service (EDR) and red teaming tests.
Leszek Tasiemski, using examples of implementations, drew the journalists' attention to "artificial intelligence", which plays an increasingly important role in our lives:
- The Chinese police are testing glasses with a built-in camera, combined with an AI (Artificial Intelligence) face recognition system. The goal is to immediately identify people wanted by law enforcement agencies.
- Facebook recently sent users a request for permission to launch face recognition.
The development of this type of technology raises objections even among those who develop it. For example, Amazon employees have protested against supplying face detection algorithms to law enforcement. And a few days ago, more than one hundred Microsoft employees sent a letter opposing the company's provision of cloud computing and artificial intelligence services to US customs and immigration.
The development of artificial intelligence and privacy do not go hand in hand. The algorithms will be able to recognize our image and voice without the slightest problem, to match and combine data collected on various social and dating portals, ultimately breaking the illusion of anonymity in the network. However, before intelligent systems become an integral part of our lives, it is worth considering both the benefits and the risks and making sure that we pay due attention to security measures. Currently, most "AI" technology has only a switch - we use it one hundred percent or not at all. Over time, we can expect a growing number of settings to determine how much information we want to share about ourselves. As users, we should require this option from solution providers. Then, on both sides, usefulness and privacy will be on the scale - it is important that we can decide for ourselves how to tilt this scale.
We must mention privacy, identification and profiling in the context of the question we asked Leszek Tasiemski:
"F-Secure does not provide any data that identifies the user of the F-Secure software. Would you subscribe to this opinion?"
The leader of the Poznan team had no doubts, giving as an example a real incident handled by the Polish law enforcement agency - the police contacted the headquarters in Helsinki asking for information about a particular F-Secure Freedome user, because it had been noticed that a crime was committed from a server in Warsaw belonging to the VPN network of the F-Secure Freedome software. The F-Secure headquarters "politely" refused the police representative in Poland, arguing that, firstly, the information about threats that F-Secure sends to the manufacturer's servers does not allow users to be identified, and secondly, even if it were possible, no F-Secure client data would be made available. Finland is a country with many facets, and one of them is a liberal superior law that puts the good of the individual above the community.
We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.