Interviewing Security Architect Jiri Kohout
The security of the Internet infrastructure: connected applications, Internet of Things, and every mobile platform, for example, is based not only on secure development but also on widespread knowledge about information security. Every user should have at least minimum knowledge about security. Every public tender should demand security of the final product or service.
In this week’s interview-the-expert, we have Jiri Kohout, a senior security architect from Unicorn Systems, a renowned European software company providing the largest information systems and solutions in the area of information and communication technologies.
Hi Jiri, please tell us about yourself and your background. How did you get into the field of information security and why you chose Unicorn company?
Information security was always a fascinating topic for me. In high school, I tried to secure all the data that I had. But after my hard drive malfunctioned, I realized that data security is essential not only for me but also for business. Security risks are very different, such as hardware failure, accidental deletion, intentional change, and denial of access. The protection of the data should be complex and deeply integrated with company processes. For most people, data security is mysterious and hard to handle, and info security is all about hackers and competition between white hats and black hats. I still find it quite challenging to be a step ahead of the black hats. I try to make people aware and spread information about security risks and find out ways to mitigate them. And that set my direction in the ICT security field.
My first contact with Unicorn was at Unicorn College. I met some students who had been working for Unicorn, who gave me the insider's view of Unicorn's processes and the company philosophy. I was impressed, but the real breakthrough was when my future boss responded to my CV almost instantly and positively. We both felt that the cooperation made perfect sense. My mission at Unicorn was to strengthen Unicorn's competence in the ICT security field. I hope that I contributed to this important mission, and it was a success. I am glad that I can be a part of Unicorn because it is not only about work but also about passion and perfect interpersonal relationships.
Let’s get back to security. You wrote an article about Distributed Denial of Service (DDoS), published in Security World Magazine. Without getting too technical, could you tell the readers what it is? Is this a common practice? What are the impacts for companies as well as the end-users?
DoS attacks are carried out incessantly. You can see it, for example, here: live (D)DoS monitoring of real traffic by central routers. The principle of DoS is apparent from the abbreviation - Denial of Service. Basically, attackers overload the data resource and deny access to the provided service. They do this by exploiting some flaws in the running service at the server side or by filling the data bandwidth with various types of data, so there is no free bandwidth for legitimate requests from clients.
The second “D” means Distributed – used in cases when more than one device is involved in generating the DoS traffic. A successful (D)DoS attack renders the service inaccessible (web application/web service). The service unavailability can affect other connected third parties, especially IT systems that are slow or not well-designed and well-coded, not to mention affecting the ability to communicate with others on the Internet.
Let's look at another example. If an e-mail providing company experiences a DoS attack on their SMTP ports, none of their clients can send emails. If I use a system that accesses data from the stock exchange, and the stock exchange's web service is under a DoS attack, the system needs to know how to behave in case of inaccessible service. Otherwise, the users can register or report issues like system slowdown or system failure.
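The stock-exchange scenario above raises a design question that the answer leaves open: what should a dependent system actually do when the upstream web service is unreachable? The following added example, which is not from the interview or from Unicorn, shows one common answer: a circuit breaker in front of the upstream call. Each fetch can fail (a timeout is modelled as an exception), repeated failures trip the breaker so later calls fail fast instead of queueing behind a dead service, a cool-down lets a single probe through, and a fallback returns the last known value marked as stale rather than hanging the user interface. The exchange, the clock and the quote client are all constructed stand-ins; `ServiceUnavailable`, `CircuitBreaker` and `QuoteClient` are names chosen for this example.

```python
"""Graceful behaviour when a dependency is unreachable (constructed example)."""
import time
from dataclasses import dataclass
from typing import Callable, Optional


class ServiceUnavailable(Exception):
    """Raised by a fetch function when the upstream times out or errors.

    In a real client the fetch would wrap something like
    urllib.request.urlopen(url, timeout=2) and translate socket.timeout
    or URLError into this exception, so every call is time-bounded.
    """


@dataclass
class CircuitBreaker:
    failure_threshold: int = 3                   # consecutive failures before opening
    reset_timeout: float = 30.0                  # seconds open before allowing a probe
    clock: Callable[[], float] = time.monotonic  # injectable for deterministic tests
    failures: int = 0
    opened_at: Optional[float] = None
    state: str = "closed"                        # closed -> open -> half_open -> closed

    def call(self, fetch: Callable[[], object], fallback: Callable[[], object]):
        if self.state == "open":
            if self.clock() - self.opened_at < self.reset_timeout:
                return fallback()        # fast-fail: add no load to a struggling upstream
            self.state = "half_open"     # cool-down elapsed: let exactly this call probe
        try:
            result = fetch()
        except ServiceUnavailable:
            self.failures += 1
            if self.state == "half_open" or self.failures >= self.failure_threshold:
                self.state, self.opened_at = "open", self.clock()
            return fallback()
        self.failures, self.state, self.opened_at = 0, "closed", None
        return result


class FakeClock:
    """Manual clock so the cool-down can be advanced without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class FakeExchange:
    """Stand-in for the stock-exchange web service; can be marked overloaded."""
    def __init__(self) -> None:
        self.healthy = True
        self.calls = 0
        self.price = 100.0

    def get_quote(self, symbol: str) -> float:
        self.calls += 1
        if not self.healthy:
            raise ServiceUnavailable(f"{symbol}: upstream timed out")
        return self.price


class QuoteClient:
    """Consumer that serves a cached, explicitly stale quote when the exchange is down."""
    def __init__(self, exchange: FakeExchange, breaker: CircuitBreaker) -> None:
        self.exchange, self.breaker, self.cache = exchange, breaker, {}

    def quote(self, symbol: str) -> dict:
        def fetch() -> dict:
            price = self.exchange.get_quote(symbol)
            self.cache[symbol] = price
            return {"symbol": symbol, "price": price, "stale": False}

        def fallback() -> dict:
            # Last known value, clearly flagged, instead of a hang or an unhandled error.
            return {"symbol": symbol, "price": self.cache.get(symbol), "stale": True}

        return self.breaker.call(fetch, fallback)


def simulate() -> dict:
    """Walk through an outage: healthy -> exchange down -> cool-down -> recovered."""
    clock, exchange = FakeClock(), FakeExchange()
    client = QuoteClient(exchange, CircuitBreaker(failure_threshold=3, reset_timeout=30.0, clock=clock))
    responses = [client.quote("ACME")]          # fresh quote while healthy
    exchange.healthy = False                    # exchange becomes unreachable
    for _ in range(5):
        responses.append(client.quote("ACME"))  # 3 failures open the breaker; 2 more fast-fail
    clock.advance(31)                           # cool-down passes
    exchange.healthy = True
    responses.append(client.quote("ACME"))      # half-open probe succeeds, breaker closes
    return {"responses": responses, "breaker_state": client.breaker.state,
            "upstream_calls": exchange.calls}


if __name__ == "__main__":
    for r in simulate()["responses"]:
        print(r)
```

The point to take from the simulation is the `upstream_calls` count: of the six requests made during the outage, only three reach the exchange, because once the breaker is open the client stops contributing traffic to a service that is already overloaded, and the user sees a labelled stale price instead of a frozen screen.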
What do you think about the DDoS attack that shut down Sony’s PlayStation service last Christmas? How can this happen to a major company with a lot of resources? Is it because hackers have become smarter and more skillful? Or can we say that “it takes an entire village” to do information security right?
Every perimeter has the weakest point. Even if we have a robust infrastructure, and we think that we are prepared, we usually don't know about every type of attack that we might face. This is why penetration tests are crucial.
On the other hand, a centralized effort of many attackers with broad knowledge of networking can deactivate almost every network. We can defend by deploying DDoS protection appliances (with more or less success) and using network systems, e.g. Akamai, that can handle an enormous amount of data traffic, or by allowing the provider to look inside the traffic and intercept it. In the Czech Republic, we have the FENIX security project, founded to respond to “a series of intense DoS attacks, which targeted big Czech media, banks and service operators in March 2012. The aim of the project is to guarantee that the services offered by the participating subjects remain available in the event of another DoS attack.”
Every network has its threshold of requests and throughput. If there is a known vulnerability of the target infrastructure, attacking becomes much easier. Fighting against DoS is a never-ending story. Nowadays hacking is a profitable business in which the smarter and more experienced parties win. For most attackers, hacking is not always about work but about prestige and fun. Lots of cyber attackers live their lives "inside" the virtual world of the Internet and accumulate broader and deeper knowledge than those who are on the defending side.
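The answer above makes the defensive point that every network and service has a request threshold, so the most basic detection signal is simply counting requests per source and in aggregate over a sliding time window. The added example below, not taken from the interview or from any Unicorn product, runs that check over a handful of constructed web-server access-log lines in Common Log Format (the addresses are from documentation ranges and the timestamps are invented). It flags sources whose request rate exceeds a per-source threshold and also reports the peak aggregate rate, because a distributed attack spreads its requests over many sources and can stay under any per-source limit while still saturating the service.

```python
"""Threshold-based request-flood detection over access logs (constructed example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one normal visitor, one busy-but-legitimate client,
# and one source that floods a search endpoint until the server answers 503.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2015:14:00:00 +0100] "GET /index.html HTTP/1.1" 200 5120',
    '10.0.0.5 - - [10/Mar/2015:14:00:20 +0100] "GET /news HTTP/1.1" 200 8800',
    '203.0.113.9 - - [10/Mar/2015:14:00:03 +0100] "GET / HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2015:14:00:05 +0100] "GET /a HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2015:14:00:07 +0100] "GET /b HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2015:14:00:09 +0100] "GET /c HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Mar/2015:14:00:55 +0100] "POST /login HTTP/1.1" 302 0',
] + [
    # eight requests in eight seconds from a single source (constructed)
    f'198.51.100.7 - - [10/Mar/2015:14:00:{sec:02d} +0100] "GET /search?q=x HTTP/1.1" 503 0'
    for sec in range(10, 18)
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line: str):
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def parse_log(lines):
    """Parse and sort by timestamp so the sliding windows see events in order."""
    records = [r for r in (parse_line(line) for line in lines) if r]
    records.sort(key=lambda r: r["ts"])
    return records


def _slide(window: deque, ts: datetime, window_seconds: int) -> None:
    """Drop timestamps that fell out of the half-open window (ts - window_seconds, ts]."""
    while window and (ts - window[0]).total_seconds() >= window_seconds:
        window.popleft()


def flooding_sources(records, window_seconds: int = 10, max_requests: int = 5) -> dict:
    """Return {ip: peak requests seen in any window} for sources over max_requests."""
    per_ip = defaultdict(deque)
    flagged = {}
    for r in records:
        w = per_ip[r["ip"]]
        w.append(r["ts"])
        _slide(w, r["ts"], window_seconds)
        if len(w) > max_requests:
            flagged[r["ip"]] = max(flagged.get(r["ip"], 0), len(w))
    return flagged


def peak_total_rate(records, window_seconds: int = 10) -> int:
    """Highest number of requests from all sources together in any window."""
    w, peak = deque(), 0
    for r in records:
        w.append(r["ts"])
        _slide(w, r["ts"], window_seconds)
        peak = max(peak, len(w))
    return peak


def analyse(lines=SAMPLE_LOG) -> dict:
    records = parse_log(lines)
    return {
        "sources": flooding_sources(records),
        "peak_total_rate": peak_total_rate(records),
        "server_errors": sum(1 for r in records if r["status"] >= 500),
    }


if __name__ == "__main__":
    print(analyse())
```

On the sample, only 198.51.100.7 crosses the per-source threshold (eight requests inside a ten-second window), while 203.0.113.9 stays under it; the aggregate peak of nine requests per window is the figure to compare against what the service can actually sustain, since that is the number an attack spread across many sources would drive up without any single address standing out.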
How does DDoS apply to mobile?
Mobile devices can be involved in or affected by a DDoS attack in two ways: as a source or as a victim.
As sources: Mobile devices or other smart devices like smart TVs, smart fridges, smart cars, etc., can be parts of a DDoS attack as request sources managed by attackers through deceptive applications. Because only a few devices are updated by manufacturers after sales, the risks only increase.
As victims: In the scenario in which the mobile applications use a web service to operate, and the web service has been shut down in a (D)DoS attack, the applications cannot transact user requests to the backend servers, resulting in user experience failure. This is an example of the Sony attack, when Xbox and other Sony devices could not connect to Xbox Live and PSN.
According to Gartner, 75% of mobile applications will fail basic security testing. What are some of Unicorn’s approaches to solving this problem?
I'm not directly responsible for defining and implementing the security and "security by design" framework governing the development of mobile applications. However, I'm convinced that every Unicorn software architect has background knowledge in IT security. Moreover, our solutions are tested using the OWASP methodology before their release - both on the server and client sides. We are one of the very few IBM partners who can perform penetration tests of the source code, using the IBM AppScan Source tool. Because of that, I’m confident that our applications will pass the testing.
Anything else you want to share?
The security of the Internet infrastructure: connected applications, Internet of Things, and every mobile platform, for example, is based not only on secure development but also on widespread knowledge about information security. Every user should have at least minimum knowledge about security. Every public tender should demand security of the final product or service, requiring a security certificate for example. We should commit to the security-by-design approach because the money spent on security at the design level is much lower than afterwards. We should prioritize security over the [application] functionalities or reducing the costs of the solutions.
It's up to us to define how secure the Internet will be.
For more information about Unicorn System, please visit the company website.
~ Interviewed by Cindy Dam ~