digital.security attended the eleventh edition of the International Cybersecurity Forum on 22 and 23 January. In addition to a dedicated booth, our CERT Watch service had the opportunity to attend several conferences on various and complementary topics. digital.security offers you the opportunity to review this international event, which welcomed nearly 10,000 visitors this year. In addition to a synthesis of the plenary sessions where different ethical visions of cyberspace were confronted, this report also presents the latest innovations exhibited during the exhibition on the stands of companies and government agencies. It should be noted that several specialized reports have already been previously posted on our website.
“All connected, all involved, all responsible“
These words from French network and Information Security agency (ANSSI)’s director, Guillaume Poupard, testify to the global involvement of all in cybersecurity. As the human vector is at the root of major attacks (lack of updates, shadow IT, connection to fake Wi-Fi hot spots, etc.), governments, multinationals, SMEs and citizens must work together to improve cyberspace. Security is indeed everyone’s business, given that this ecosystem is universal.
The resilience of States and companies facing a “cyber-Pearl Harbor” was particularly highlighted by Guillaume Poupard, as well as their ability to organize, anticipate, detect and collaborate, which was defined as a priority. At the state level, various measures implemented were discussed, such as national and supranational regulations (Law on military programming, NIS, GDPR, law against information manipulation, etc.), standardisation (European Cyber Act under discussion, etc.) and dedicated certifications (Certification of security incident detection providers – PDIS, certification of cloud computing service providers – SecNumCloud, etc.)
During this exhibition, the major players in cybersecurity also pointed out the threats against connected objects – which are multiplying – and against industrial systems which are seeing a real increase in attacks. Faced with this growing threat, the Minister of the Armed Forces, Florence Parly, announced in particular that “the French army could now carry out cyber attacks, going much further than just defence“.
The French cyber defence strategy
Those words follow the announcement a week earlier of the new doctrine of offensive cyber warfare. The Minister took advantage of the CIF to launch the communication campaign and affirm the firmness of the French response to cyber attacks. Indeed, the Army has openly stated the need to recruit an additional 1000 cyber-combatants with “military knowlegde”. Let us remember that this doctrine will be part of the Army’s operational palette. The OCW will make it possible to exploit vulnerabilities in opposing digital systems during all phases of a crisis (intelligence, prevention, management or stabilization).
The director of ANSSI went back on this announcement by describing this doctrine as “coherent and in line with the Paris Appeal”. He recalled in particular that “France and Europe have a historic role to play in preventing the emergence of a digital Wild West” underlining the need for cooperation between European nations in the security of cyberspace.
During the opening plenary, the Director of ANSSI stressed the polymorphic nature of the threats, which were always “stronger, more proliferating and more difficult to attribute“. He also recalled that the slightest breach in the chains of trust could be exploited by attackers, some of whom were supported by States. Finally, Guillaume Poupard announced the launch of a national qualification for private actors.
This prerogative allows companies to use state-approved companies that can provide security knowledge and solutions. Faced with the diversity of threats, the ANSSI can now intervene at a host and ensure that an attacker does not use this server for malicious acts. The national qualification, which ANSSI has acquired, therefore allows it to work with private partners (recognised as reliable actors) to cover the widest range of French companies and infrastructures in terms of protection. The first three service providers were announced at FIC 2019 for the detection of security incidents, namely Orange, Sopra Steria and Sogeti. They will now be able to offer their services to vital operators to protect their vital information systems, in accordance with ANSSI’s requirement framework.
The challenge for companies
The increasing number of connected objects (about 50 billion will be produced by 2020) has become a growing target for hackers. The same applies to industrial systems, which are often interconnected with customers and subcontractors. These attacks target both companies and individuals. IoT is often used for in the formation of botnets. Malware is used for “machine zombies” purposes to conduct DDoS computer attacks. These connected objects that are by definition vulnerable can be hijacked by malicious hackers. This edition of the FIC brought together many ideas for securing the Internet of Industrial Things and Systems through “by design”, i. e. by integrating security from the design phase.
Cloud security was also discussed with companies. Data stored in the cloud presents many sources of threat. Cloud access must be secured at first glance to counter attackers who attempt to extract data. Many companies such as Amazon Web Services (with its identification system), Microsoft (and its Threat Intelligence program) and Google (and its Cloud platform) were present at the show to “reassure” companies and offer cybersecurity solutions.
The ever-increasing threats are affecting different parts of cyberspace. According to Guillaume Tissier, general manager of the strategy consulting firm CEIS and co-organizer of the FIC, “they focus on technology, but also on data, they also touch on viral propaganda with what are called fake news“.
The president of CESIN (Club of information and digital security experts), Alain Bouillé, was present at the event to take the floor and review the main cyber attacks in French companies. According to the fourth edition of CESIN’s annual barometer, “Phishing is the most frequent mode of attack, 73% have been victims“. Then comes the scam to the President, then the ransomware which affects 44% and social engineering up to 40%. He also highlighted one of the main concerns of Information Systems Security Managers, which is the Shadow IT, the fact that employees of a company use information and communication software not validated by the IT departments. The use of free cloud applications and services (such as Google Drive, WeTransfer…) increases the risk of attacks, data theft and can compromise their integrity. Alain Bouillé finally concluded that, given the impossibility of any security, sorting was essential to secure the most sensitive data.
Prices and new security solutions
The FIC is above all the place to discover new cyber and secure solutions. There are several new features to combat data threats. Here is a panel of them:
Lokly, the ultra-secure USB key is one of the favourites of the 2019 FIC jury. This USB key can be “used outside the computer thanks to a female USB port and its smartphone application which allows you to select the information to be transferred“. This key is intended for companies that need to transmit sensitive information. Its strength lies in the fact that it cannot move more than ten metres away from its owner. If this is the case, the phone signals it and the USB stick becomes unusable. It costs 240 euros for 8GB and 790 euros for 64GB.
Two former ANSSI alumni have created Citalid, a platform to protect against cyber risks. The objective of the platform will be to extract the most relevant threats and “measure the cost of scenarios, integrating uncertainties“. Citalid uses geopolitical, economic and social factors and press articles to measure companies’ exposure to IT threats. Citalid won the 2018 Innovation Award from the Foundation for Security.
Finally, the 2019 FIC Jury Prize was awarded to Yogosha. The start-up offers a bounty bug platform for securing any IT application perimeter such as e-commerce sites, SaaS platforms, customer spaces… The bounty bug allows companies to use hackers to detect any vulnerabilities on their IT systems. Yogosha connects hackers and companies (it has about fifty customers such as L’Oréal, SwissLife…) according to their IT skills and their ability to interact with the customer.
During this FIC 2019, in addition to the new security solutions announced and the awards ceremonies, we will also note the punches announced by the Ministry of the Armed Forces. Firm in the face of the attackers, the announcement of the launch of its first bounty bug is in addition to the Ministry’s flagship measures. Florence Parly announced during a plenary session a partnership between the Cyber Defence Command (more than 3,400 cyber-combatants) and the start-up YesWeHack, which is behind a European Bug Bounty platform. This alliance will make the Ministry of the Armed Forces the first ministry to adopt a security bug hunt in February 2019. The words of the ANSSI director “All connected, all involved, all responsible” are illustrated here. The Bug Bounty, which will open up new horizons for the cyber operational reserve, makes the cyber cause a global need in which all actors in cyber space, state or non-state, are involved.