Computer hacking and sensitive data theft is increasing. Companies are now highly connected and must adapt their security policy to strengthen the protection of their information assets. Hervé Debar, a researcher at Télécom SudParis and expert in cybersecurity, studies the different types of cyber attacks in order to optimize their detection.

The era when IT students developed viruses and then enjoyed their “success” based on the number of computers infected across the world is long gone… Today, the lure of money is the primary motivation for hackers and internet fraudsters and their targets include companies in the French CAC40 and Organizations of Vital Importance (OIV), i.e. those operating in sectors of vital national importance (transport, energy, telecoms etc.) SMEs and SMIs are also concerned by the rise in cyber attacks. They work as subcontractors for client institutions and are therefore targeted by hackers who want to obtain confidential files (R&D program, list of suppliers etc.) or directly infect the main client’s Information System (IS).

Highly connected companies

Two factors explain this evolution. The first is the increase in digital data managed and exchanged by companies. Information is at the core of their business activities. Secondly, organizations have become highly connected with fixed and mobile devices, peripheral devices (printers, cameras etc.) connected to networks, sensors in production lines, automated systems and the Internet of Things (IoT). “The result is that the economic value of connection is greater than the economic value of protection. We must therefore do the best we can to isolate what has to be isolated but still allow companies to benefit from a certain level of connectivity” Hervé Debar stresses.

In terms of computer safety, companies have to manage different problems including “the acceptability of security by users. If the recommended solutions are too complicated, they won’t use them and will find a way to get around them. Security must support use, not hinder it”, the expert from Télécom SudParis explains.

Complex regulations

To face up to this challenge, companies must be able to manage two major limitations. The first concerns the technical aspect. Services such as BYOD (Bring Your Own Device) or corporate Appstores (portals allowing employees to download selected applications to improve productivity) are being rolled out at a quicker rate than security measures.

The second limitation concerns the human dimension. Regulations on digital technology are very complicated, especially due to the Law on Military Programming and obligations imposed by the CNIL (French National Commission on Data Protection and Civil Liberties), and will become even more so in May 2018 with the introduction of the new European regulations on data protection. All companies will have to report personal data violation, in contrast to the law of 1978 currently in force which only concerns suppliers of communications services.

These legal constraints require companies to bring in experts who are able to administrate and roll-out IT security measures on a daily basis and inform staff members through training.

Attacks by computer zombies

DDoS (Distributed Denial of Service) attacks are a company’s worst nightmare. They use a network of thousands of computers or connected devices (often compromised) to interrupt the targeted service or services. There was a major attack of this kind in France between 18 and 21 September 2016, when the servers of OVH, a French web host, were inundated with millions of requests peaking at as high as one terabit per second. A squadron of around 150,000 IP cameras (or botnets) infected by cyber criminals were behind the attack. Hervé Debar has been studying this type of attack for a number of years along with 6cure – a Normandy-based start-up specializing in traffic cleansing – and in the framework of the NECOMA research project (Nippon-European Cyberdefense-Oriented Multilayer threat Analysis), one of the six FP7 projects financed by the European Commission under the Europe and Japan coordinated call. His team’s work consists in studying the possibilities offered by the mechanisms and functions of the network itself in detecting large-scale DDoS attacks which could saturate a single local defense system. The idea is to identify the attacking flow according to its provenance or technical characteristics in order to differentiate it from the legitimate flow, with the aim of restraining bad traffic to leave more room for “good” traffic

Detecting cyber attacks

It is crucial to detect these attacks as early as possible in order to combat them. Identifying cyber attacks is one of IMT’s principal research topics. “We mainly work on the detection of and protection against distributed denial of service attacks (see insert) and those which more closely target environments on the network side”, explains Hervé Debar. The process has seen several developments since the first work carried out at the start of the 1980s by the American military. It was initially limited to rolling out a few probes. The few alerts raised were dealt with “manually”. Then the number of sensors increased and alerts became more frequent. To manage them efficiently, companies implemented SIEMs (Security Information and Event Management).

“Today, we need to automate part of the reaction so that operators can concentrate on the attacks that are more difficult to deal with. We are heading toward more autonomous and more reactive systems which can protect themselves against attacks. But it remains a complicated matter. Artificial intelligence (my PhD subject) is one possible way to improve our response to a certain number of threats”, explains Hervé Debar. The other option is training staff members to react better to attacks. We talk of “cyber range” which allows a realistic simulation of cyber attacks and the evaluation of cyberdefense tactics. These centers are designed to help OIV operators in particular make the right decisions in response to the impact.

The professionalization of cybercriminals and the increase in vulnerability, which concerns both IT networks and industry, require greater awareness among all actors, both public and private.

A very involved practitioner

Hervé Debar is not a theorist, but a keenly involved expert with 25 years of experience in the world of Hervé Debar - cybersecuritycybersecurity and R&D. His work includes more than 100 scientific articles on the subject, the coordination of three European projects (WOMBAT, NECOMA and PANOPTESEC) and participation in a number of French and European programs on the subject. His long career in the private sector partially accounts for this considerable activity. An engineer by training, he obtained his PhD before joining Dassault AT (Automation and Telecoms) to work on European research projects. He then left for Switzerland to join IBM where he developed the IDMEF standard and a product called Tivoli Risk Manager, one of the first security information and event management products on the market. Upon returning to France, he joined Orange Labs in Caen and became an emeritus expert and leader of research activities on security. He then brought his considerable experience in the private sector to Télécom SudParis, where he has been in charge of the “Networks and Security” department since 2009.