A BIG thank you for all for posting your questions and comments!

We all (Erka = ekoivune, Cosmin and Vangelis = ECSM_ENISA) had a great time answering! We will now officially close the AMA but don't be surprised to find us continue commenting. You can reach us on Twitter: @ekoivune and @enisa_eu.


Before joining F-Secure, I worked for the Finnish government for ten years on cyber security. And I'm back for my second IAmA. I'll be online from 8 AM EDT / 13:00 UTC / 16:00 Helsinki/Athens time to start answering your questions.

October is #CyberSecMonth and it just happens to be happening before an election in America where the "Cyber" is playing an unprecedented role and everyone seems to be getting hacked. cybersecuritymonth.eu

The goal of the month is "raise awareness of cyber security threats, promote cyber security among citizens and provide up to date security information, through education and sharing of good practices." In other words, it's about not getting hacked.

But -- as everyone knows -- there are only two kinds of big companies: those that have been hacked and those that don't know it yet. I'm here to answer your questions about how to keep hackers out -- even when they get in. business.f-secure.com/how-to-keep-hackers-out-even-when-they-get-in. Or I'll do my best to answer anything else you're wondering about advanced threats, ransomware and how involved governments get in keeping businesses secure.

I'll also be joined by Cosmin Ciobanu from the European Union Agency for Network and Information Security, the organization behind #CyberSecMonth in Europe, who can provide additional insight from his experience responding to threats or attacks such as compromised hosts, malware, vulnerabilities or other types of similar incidents across the continent.

My Proof: https://twitter.com/ekoivune/status/781529728142438400

Comments: 471 • Responses: 20

rogerrabbitrocks • 250 karma

Most corporate level security devices are sophisticated devices that require subscriptions, get updated frequently and do real time network threat analysis.

Most "home" level security devices are built into a router that is updated once in a while by the user and are not designed as a security device but more for ease of use, and don't do any realtime network analysis.

Sophos offers a "home" license that limits the devices to 50 IPs. There is also the open source pfsense solution.

So the question is, are there any good home network solutions that provide decent protection? What are your recommendations for securing a home network?

ekoivune • 206 karma

You are right that most corporate solutions would be too expensive and would be too heavy to deploy and maintain for home use. And yet at the same time, it is not that uncommon to find that members of a family carry dozens of computers, tablets, mobile phones and park a number of other gadgets in their kitchen, living room, study and kids' rooms.

First, there is and will be a need for so-called endpoint protection. That is, security software installed on your device. That may be anti-virus, it may be an application-aware firewall, it may be a VPN and it may be a remote management agent. Whatever fits your need. One should really seek to make use of such security features and products if they are available. The licensing schemes are getting much more attractive to acknowledge the needs of connected families. This, in addition to the patch-harden-lock-up and good credential management, makes your endpoints a tough nut to crack.

Second, there is an increasing number of devices that you are not able to patch (at least with the frequency that you'd wish) and that offer little in terms of configuration options to secure the system. You cannot install anti-virus or a VPN on your smart telly, your cheap NAS or your Wi-Fi operated lightbulbs. These devices expect that the security is provided for them by the surrounding network. And you are correct in recognizing that the home routers are generally speaking not up to the task.

An enterprise level solution would be to segment the networks, deploy lan-to-lan VPNs and IDS, and hook the system to the SOC's monitoring routine. The home user can segment their networks (use the "guest LAN" if your router allows that) but that's about it. We have a solution up our sleeve - we expect that it will be available at the end of the year.

I am glad to see consumer protection authorities step up their act. If more similar decisions will be handed out, they may even change the way IoT manufacturers approach security. I am not holding my breath, however. More like eating popcorn. :-)

Cousinsal23 • 127 karma

From a personal level, what sort of things can we do, other than installing anti-virus software, to make sure our data remains secure? As a secondary point, what's your go to anti-virus software to use, again, on a personal level?

ekoivune • 185 karma

Hi Cousinsal23! Congrats on being the first one to ask a question!

I cannot resist the temptation to "go personal" and comment on the "personal level" aspect of your question first. :-)

In anything you do in terms of protecting yourself online, please remember that it is increasingly difficult to distinguish between your professional and personal presence. So, if your job requires you to be mindful of what you share online and how to keep hackers out, please be as vigilant in your personal capacity as well. Otherwise you may end up becoming the low-hanging fruit that the attackers exploit in order to get after your employer, its customers or its partners.

Now, having established that, this is what I always do with my personal stuff:

  • Everything starts with a fresh install. The bloatware just sickens me.
  • I patch, harden and lock down all my gear so that there is as little attack surface as possible to go after
  • I use full disk encryption together with strong password protection
  • I backup, backup my backups and locate the backups of my backed-up backups somewhere else than my home (did I already mention encrypting your backups?)
  • I keep a record of my family's gear, encryption keys and backups; nobody remembers this by heart
  • I am wary of what networks I connect my devices to
  • I am conservative on who I let onto our home networks. Nobody gets into the inner parts of the network.

Needless to say, I am pretty picky on what networked gadgets I am taking into use. My wife absolutely hates it.

The other question was about my personal choice of anti-virus software. Lately, I have been fooling around with our corporate products. Maybe it is because I want to relive my SysAdmin days of the 90's and exercise at least some level of centralized control over my assets.

At other times I am giving our beta products a go. And when I get really adventurous, I might even try our competitors' products. Or go without AV at all (eek!).

aRavenousRaven • 8 karma

Can you elaborate a bit more about your backup process and infrastructure? Do you do manual backups and then manually relocate the backed-up drives to another location? Do you remotely connect and backup to another device that is owned by a trusted friend/family member? Or do you use cloud storage?

I was recently discussing this with a friend who was exploring cloud storage options for his backups, but I don't know how I feel about putting my data in the hands of a large company. I feel like their redundancy and security capabilities are better than I could accomplish on my own, but they also seem like a much larger target.

Thank you!

ekoivune • 2 karma

Hello there,

The bulk of the backup tasks must be automated, which I have achieved with a combination of local NAS boxes and cloud synchronization. Files that I frequently create or need to use on-the-go or feel the need to share with my friends I synchronize to clouds (there are a number of clouds that I synch with). Files that I want to control stay either on my computers (which run a regular backup to a file server) or I store to the file servers. The cloud synchronized folders are included in those backups as well. The file server backups are on an encrypted file system and the backups are encrypted with whatever means Windows, OS X and Linux provide.

This is what everyone should do already as this is easy and effortless.

Now, I have an inherent distrust towards my file servers, incremental backups and the cloud synchronization. That's why I take full snapshots of folder structures and archives that I find important and worthy of preserving for years to come. I create huge tar.gz'ed chunks like "Photos 2016", "Resumes", "My Own Music" etc., encrypt them with gpg and store them on offline media AND on a separate file server. This I do manually, and it takes quite a lot of time and cursing. Every now and then I take everything I have ever accumulated, copy that on a disk or two and take them outside the home for storage.

Did I already mention, I realize that I may be dead tomorrow? So I backup my passwords and encryption keys too. Will not tell where, though.

This is only for my personal stuff. I am so grateful for our IT staff at work that I don't need to do everything from scratch at work for my work related stuff!

posts_before_thougt • 3 karma

"I use full disk encryption"

which one?

ekoivune • 2 karma

I recommend that everyone start with the one that the OS supports natively and work their way up from there.

I found out the hard way that OnePlus One had a bug in its encryption routine. It messed up my mobile phone three times. Now it is somebody else's phone. :-)

Darealstarman • 43 karma

I listen to a weekly podcast that talks about the latest cyber threats and I am often shocked to hear of the full extent of successful hacks and scams. Do you feel the general public are informed enough of the cyber threats and if not, why not? Do you think the media considers cyber threats to be serious enough to report on or is it so serious that they don't want us to panic?

ekoivune • 57 karma

Let me guess, it is the Risky.biz one, isn't it?

You are right that they seemingly have an endless supply of horror stories and successful breaches to report. However, what I love about Risky.biz is that - even while they are running a fast-paced radio show - they do a very good job in dispelling some of the myths behind all those "advanced" and "unstoppable" hacks. Most often, the technical realization or a social engineering aspect of those attacks is actually pretty easy to understand and - what I find fascinating! - even easier to fix if the victims would've had the benefit of hindsight.

In that sense, I often find their podcasts uplifting in the sense that there is something you can do to protect yourself and your business. And that the attackers are lazy humans who make mistakes too.

rogerrabbitrocks • 18 karma

Do you have any podcasts and / or blogs you recommend? Thoughts on Krebs?

ekoivune • 38 karma

Krebs is awesome in the way he exposes not only targeted organizations (who typically would prefer to stay silent) but also the criminal underground.

I have a personal issue with podcasts as they are quite an inefficient way of transferring information. Risky.biz is the one that I follow most frequently.

Twitter is important but requires quite an effort to filter out the relevant (I follow way too many people).

Then I have a secret weapon: our own threat intelligence team is feeding us with curated articles, background dossiers and links to noteworthy content.

Lastly, I highly recommend that you also follow traditional quality media. Some of the best contextualizations have come from foreign policy and security correspondents or journalists following the economy.

Lastly, have you checked out CERT-EU's News Monitor: https://cert.europa.eu/cert/clusteredition/en/24hrs.html

AlxCds • 8 karma

Does the internal intelligence team share this to the public through a blog of sorts? Can they?

ekoivune • 2 karma

Ah, they sure do. We have a number of blogs and active Twitter users who are happy to share their take on the topical issues for the wider audience.

Let's start with the one with the longest and proudest history, the blog from F-Secure Labs titled "News from the Labs": https://labsblog.f-secure.com/

There is also a more consumer-centric blog called Safe & Savvy: http://safeandsavvy.f-secure.com/

For a corporate audience we have Business Security Insider: http://business.f-secure.com/

@mikko tweets .. a lot. :-) @5ean5ullivan, @r0zetta, @TimoHirvonen and @tomituominen are just a few other people from our wonderful team who share insights and cheeky commentary on a daily basis. Be sure to follow them!

Darealstarman • 2 karma

Thanks for the reply. I listen to the SurfWatch Cyber Risk Roundup Podcast. I will try the one you mentioned. Cheers.

ekoivune • 6 karma

Likewise.

trononemillionone • 26 karma

I read a lot about different hacks happening to companies. I'm not the most informed computer user in the world, but I'm not sure how concerned about this stuff I should be. Would you say the media tends to blow these things out of proportion, or are reports on stuff like the yahoo hack generally accurate?

ekoivune • 28 karma

Media is naturally interested in the unusual and extraordinary as it is by definition "news". So there is the tendency of using superlatives and concentrating on the out-of-ordinary aspects of the story.

As a journalist I would hate to write about the zillionth SQL injection if I find something mouth-watering about the way the hack went unnoticed, if the victim notification had caused controversy or if the vulnerabilities appear still unpatched.

There is lots of uncertainty in how incidents get discovered and it is not that unusual that some aspects of the breach will never be fully understood. I know from experience how the initial information may later turn out to be inaccurate or even outright false.

In that sense, you might want to be wary of the news hype and seek to find more in-depth articles in periodicals, whitepapers or possible follow-up stories.

The added problem with big headline stories is that there are many stakeholders who will make an attempt to spin the stories to fit their needs. In that sense, cybersecurity has gotten mainstream like politics, economy and entertainment. Wasn't that what we all in this industry wanted..? :-)

p1n0 • 1 karma

"Find more in-depth articles in periodicals, whitepapers or possible follow-up stories."

Could you namedrop your favorite one from these?

ekoivune • 14 karma

Digital Investigation is one periodical that I used to love to read. It may be due to the fact that I am not a forensic investigator myself, but it was always fascinating what you can do once you get hold of the device or an image of its memory.

All the APT whitepapers one should read to keep one up-to-date with what TTPs the threat actors are using, how to detect their activity and - perhaps - to get a glimpse on who they are and how they operate.

Lately, I have enjoyed the staff report from US homeland security committee titled "Going Dark, Going Forward": https://homeland.house.gov/wp-content/uploads/2016/07/Staff-Report-Going-Dark-Going-Forward.pdf

mmccarthy78113 karma

I've seen numerous people lately taping over their webcams. I used to think it was for people paranoid about all this new technology, but then I saw Mark Zuckerberg does as well. Do you think this is over the top?

ekoivune • 80 karma

It's over the lens, not over the top. Use a band-aid.

p1n0 • 9 karma

When working in the cyber security industry like you are, do you feel like being out of the general public knowledge or otherwise being "off the radar" would be beneficial for some positions in the industry? Have you, as a cyber security advisor and professional, ever had to be really careful how you transmit and receive data relating to your work? Do you know of any cases of APTs on you as a person or on someone in a position similar to yours that might have occurred? And lastly, what do you think of LinkedIn as a source for targets?

EDIT: Seems like you answered to some of these points already, but if you still can find something to share regarding these ones, please do.

ekoivune • 10 karma

Thanks for waiting, p1n0.

The off-the-grid approach is actually what the classified systems are designed around. For instance, a system classified as SECRET cannot be connected to public networks such as internet.

And this is where the spies enter the game: if you truly hold secrets that mean anything to somebody else, they will go after your secrets regardless of how you defend them. You will find that it is really difficult to operate off-the-grid. For economical and human behavioral reasons you want to limit the amount of off-the-grid data and transactions to an absolute minimum (of course all the time relating to the value of the secrets that you protect). Otherwise people start to get "innovative" and end up inviting the spies in.

With regard to being mindful of what to transmit over the network: I am always mindful of that.

I know about lots of APT cases. I have high confidence that it was not me that they were after, though. :-)

LinkedIn is a great tool for handling one's business connections and an excellent tool for marketing and headhunting. These are the qualities that also make it a great tool for reconnaissance and help in successful execution of cyber breaches. I use LinkedIn as I use all my devices, platforms and applications: with caution.

schtak • 7 karma

Hi and thank you for your AMA. Recently, our company faced a ransomware attack. Would you have any suggestions on how to prevent it and manage it once the wolf is in the henhouse?

ekoivune • 11 karma

Cosmin and Vangelis from ENISA already provided excellent advice. I have yet one more thing to add: regardless of your Anti-Virus product, now would be the moment to take a close look at the configuration and enable the more advanced behavioral detection mechanisms. In our products these go by the names DeepGuard and Advanced Process Monitoring. These detection engines are your last line of defence, make good use of them!

sheftyhat • 5 karma

Do you perkele?

ekoivune • 8 karma

Certainly. With extremely menacing-sounding consonants.

Dominator275 karma

What is it like in Finland? and How hard is it to keep my computer secure? What seeable impact do viruses have on my computer and how do I know if I have one? If I have a virus how do I remove it?

ekoivune • 18 karma

It is like this all the time in Finland: https://twitter.com/ekoivune/status/783305433306071040

Without knowing if you are using our products, I'd say it is extremely hard for me to keep your computer secure. :-) If you let your endpoint security vendor help you, they will do their best, however.

The seeable impact of malware may include: ridiculous amounts of annoying ads, search engine and the opening page of your browser changing to something you didn't set it to be, apps behaving in strange fashion, overall slowness and most oftentimes nothing.

Sometimes the ISP cuts down your connection. The more caring ones seek to contact you and warn you about the security problems that may or may not be caused by malware. (It may be your compromised router, too.)

If your Anti-Virus says 'ping', I'd suggest you pay attention to what it warned you about. If it blocked an executable that you attempted to download, you are safe. If it all of a sudden started quarantining files in system folders, you have a bigger problem.

The AV makes a valiant attempt at removing malware. There are online and offline scanners available and sometimes even remediation tools that may be of use when trying to get rid of the infection. If you are one of those unlucky ones who are targeted by advanced threats, seek professional help.

In a corporate environment, take the computer to your IT. They should have the tools and the means to not only get the infection off but also to provide you with a clean replacement device and reset all your passwords and kill your sessions.

IWannaGoBackToImgur • 3 karma

I'm a user of F-Secure and I can't help but notice how unintuitive the "my f-secure" platform is. In fact, it is so confusing and poorly organised that I consider stopping using it. Why is this? Have you received negative feedback on the interface before?

ekoivune • 2 karma

I am sorry you feel this way. AFAIK, the feedback has been positive but I will definitely let the product team know about your experience.

For best effect, I would encourage you to make use of our community portal and post a detailed report about what it is that you find unintuitive:

https://community.f-secure.com/t5/F-Secure-SAFE/tkb-p/Protection%40tkb/label-name/my%20f-secure?labels=my+f-secure

R3da1ert • 3 karma

Hello Erka,

I have read in a few places over the internet that cyber-security has become a top priority today, but there is a conspiracy that the Service Providers of cybersecurity are also responsible for a part of that demand. The analogy is apparently similar to the conspiracy of Pharmaceutical companies putting the brakes on research of cheap medicines, for example, to fight cancer so that more expensive treatments like chemo are still viable and in demand in the market. It is also hard to argue with the fact that the hackers are responsible for those cyber security providers' bread and butter, and they would never develop a software to negate all kinds of hacking which would prevent any further possibilities for demand (once everyone has it). In other words, there is always a virus which can bypass an AV, which makes the software developer release newer versions, thereby making customers buy/upgrade to the same.

How much of the above is true? Do you think there is the slightest possibility of the above happening, even without your knowledge? Cheers.

ekoivune • 9 karma

Years ago, I attended a presentation by a minister of communications in India. He explained what their country is doing to modernise infrastructure and provide access for a vast number of people. During the presentation he touched on the topic of cybersecurity and cybercrime.

He reminded that for a poor person living in a slum, a chance to con money out of a "rich Westerner" does not only look tempting. A successful phishing operation or trojanized mobile app may be the poor man's ticket out of the slum. We can be as outraged as we like and we can complain as much as we want about the need to step up our security in the Western world. Our disapproval will do nothing to stop the man from trying.

The really hard question, the minister asked: would you do the same if it was you and your family in the slum with no other way out?

It is not that the cybersecurity industry is doing sloppy work and it certainly is that we would be contributing to the criminality ourselves. There are bigger forces moving behind the scenes: an endless supply of people with no legitimate way to earn their living by using their talent.

tacodile__supreme • 3 karma

A lot of companies seem to only want to invest in cyber security measures AFTER an incident. It never seems to be a priority. How do we hammer home the importance of security to people with little or no technical experience/knowledge?

Side question: I'm a recent graduate from a Computer Science degree and I have just started an infosec career. I have literally no idea what I want to specialize in or what to focus on going forward. Any tips?

ekoivune • 8 karma

Excellent observation! Before answering I should point out that I have been involved with the incident response side of things throughout my whole professional career in security. It is only natural that I see the world through IR filters. :-)

In the digital domain, cybersecurity is a feature of a protocol, software, process or way of doing things. Not a thing in itself. Building security in requires planning, care and due diligence. Sometimes you even end up having to abandon something cool. Project-wise, security is often seen as a nuisance. Something that an ambitious and results-driven organization only comes to think about after they have a day off from the chaos of running their normal business (which is never).

For most business leaders, the incident is the first time they actually have to take security seriously. Everything leading up to the materialization of the incident will be treated as negotiable.

After an incident there is a serious need for top leadership to do something symbolic and visible to make things right and to help get back to business. The regulators will demand breach notification reports, evidence of mitigation efforts, root cause analysis and plans that help address the problems identified. The customers want compensation and feel let down. The partners upstream and downstream want to know how much they were exposed to the problems. The general public is hungry for scandals and the investors want to assess the extent of economic liability the incident exposes the company to. The staff feels humiliated, too, and is fearful of personal repercussions. The leadership would soon be ex-leadership if they would not take things seriously in such crossfire.

The old saying "never let a good crisis go to waste" bears much wisdom. NOW that you finally have your upper management's attention and now that you can exert external pressure to get things moving in the right direction, you should really come up with a plan for immediate, mid and long term.

If you are clever, you will find a way to approach your leadership so that they are able to learn from other people's mistakes and mishaps.

Lastly, the career tip: information security is much more effective when applied to a specific problem area. Specialize in secure programming or find your career in building automation systems in a secure fashion. As I pointed out, cybersecurity is usually a feature. Having said that, if you become the next 1337 h4x0r that can break, fix and transform anything, we might have a position for you..

LordNucleus • 2 karma

Hello, thank you for your time in doing this. For someone who might be looking to get into this field as a career path, but having no idea where to start, what or where would you recommend as a good place to start? Whether that be a particular programming language or a good resource, I would be happy for your suggestions. Thank you.

ekoivune • 4 karma

I think that might even be a topic for another AMA. I will take this to Mikko.

In the meanwhile, take a look at what we came up with Helsinki University. You know, that is the Linux University. :-)

deckard581 karma

Who would win in a fight between you and Mikko? ;)

OK, jokes aside: the thing that worries me most about ransomware is that in theory, if it manages to stay quiescent long enough, it could infect all backup media too. Is there any serious talk/proposals to address this risk, and is it worth addressing? I remember the guys making Plan 9 proposed a write-only backup store many years ago, for unrelated reasons, and it looks interesting to me under this new threat.

ekoivune • 3 karma

If the fight would be on Twitter, Mikko would win because he has so many people willing to follow him. I'd beat him on Facebook simply by limiting the audience to not public. :-b

We are mostly focusing on detecting and blocking ransomware and related suspicious behaviour. However, there is a point in having a clever backup policy too.

A sure way to test the validity of your backup data is to evaluate whether the contents still are intelligible when restored on a known-good machine.

I also recommend that you seek to "contain" the fallout of a ransomware infection by limiting the amount of valuable data the users have write access to.

From a theoretical point of view, I would encourage that you seek to enforce the Clark-Wilson model: don't let users access the data directly but rather through trusted applications. It is one thing to access raw files and start encrypting them than to only view and modify your business critical data through a front-end GUI..
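The backup check ekoivune recommends above (restore on a known-good machine and confirm the contents are still intelligible), applied to the tar.gz "chunk" backups described in the earlier backup answer, as an added Python example that is not part of the AMA or of F-Secure's tooling. The file names and contents are constructed for the demo; the SHA-256 manifest is an assumption of this example (the AMA only mentions tar.gz and gpg), and gpg encryption of the finished archive is assumed to happen outside the script. The tamper mode models deckard58's worry: ransomware that quietly altered files before the backup job copied them, which a restore-and-compare against the last known-good manifest is what catches.

```python
"""Archive a folder, keep a SHA-256 manifest taken while the data is known good,
restore the archive elsewhere and verify every file against the manifest."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed stand-ins for the "Photos 2016" / "Resumes" chunks mentioned in the AMA.
SAMPLE_FILES = {
    "Photos 2016/img_0001.txt": b"constructed photo stand-in 1\n",
    "Photos 2016/img_0002.txt": b"constructed photo stand-in 2\n",
    "Resumes/resume_2016.txt": b"constructed resume text\n",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(src: Path) -> dict:
    """Record {relative path: sha256} for every file while the data is known to be good."""
    return {
        p.relative_to(src).as_posix(): sha256_bytes(p.read_bytes())
        for p in sorted(src.rglob("*")) if p.is_file()
    }


def build_archive(src: Path, archive: Path) -> None:
    """tar.gz the folder (gpg encryption of the archive is assumed to happen afterwards)."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(src).as_posix())


def restore(archive: Path, dest: Path) -> list:
    """Extract into dest, refusing absolute, parent-traversal or non-regular members.
    Returns the names that were refused (a trustworthy backup has none)."""
    refused = []
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts or not m.isfile():
                refused.append(f"refused: {m.name}")
                continue
            tar.extract(m, dest)  # tarfile creates the parent directories itself
    return refused


def verify_tree(dest: Path, manifest: dict) -> list:
    """Compare the restored files with the manifest; an empty list means the backup is intact."""
    problems = []
    for rel, expected in manifest.items():
        f = dest / rel
        if not f.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_bytes(f.read_bytes()) != expected:
            problems.append(f"corrupted: {rel}")
    return problems


def run_demo(tamper: bool = False) -> list:
    """Full cycle on a temporary tree. tamper=True alters one source file between the
    last known-good manifest and the backup run, modelling ransomware that encrypted
    data before the backup job copied it; the restore check reports it as corrupted."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        for rel, data in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        manifest = build_manifest(src)
        Path(tmp, "manifest.json").write_text(json.dumps(manifest, indent=2))
        if tamper:
            (src / "Photos 2016/img_0001.txt").write_bytes(b"\x00not-intelligible\x00")
        archive = Path(tmp, "photos_2016.tar.gz")
        build_archive(src, archive)
        dest = Path(tmp, "known_good_restore")
        problems = restore(archive, dest)
        problems += verify_tree(dest, manifest)
        return problems


if __name__ == "__main__":
    print("clean run:", run_demo() or "backup verified")
    print("tampered run:", run_demo(tamper=True))
```

Keep the manifest with the offline copy rather than next to the live data, otherwise whatever rewrites the files can rewrite the manifest too; the restore step deliberately runs into a fresh directory so that a good-looking archive listing is never mistaken for a readable backup.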