Web security trends 2020 from 3 security leaders

In part 1 of web security trends 2020, we discussed the rise of Crowdsourced Security and the ever-changing attack surface. This time we turned to 3 security leaders to get their perspective on trends to come in 2020:

Anne-Marie Eklund Löwinder

CISO at the Swedish Internet Foundation, Internet Hall of Fame (2013) and holder of one of The Keys to the Internet:

Photo of Anne-Marie Eklund Löwinder (source: internetstiftelsen)

What security issues/trends are you anticipating for 2020?
We are all targets. I believe that the world of digitalization continues to grow in complexity. As a result of that, it becomes even more difficult to protect the technical environment appropriately in our homes and workplaces.

With more and more systems and software, plugins and apps, we will continue to be challenged with keeping everything updated. Attackers will probably outpace incomplete and hurried patches. With more devices brought into our homes, most of them with network access with or without our knowledge, the exposure will let cybercriminals home in on IoT devices for espionage and extortion. Digitalization leads to critical infrastructures being more exposed, and they will most certainly be plagued by more attacks and production downtime (I’ve just finished reading Sandworm by Andy Greenberg).

The increasing use of cloud services continues to change the security map. When more and more companies are handing over their information to someone else’s IT environment, aka cloud service providers, vulnerabilities in their environment, such as container components, will be top security concerns for DevOps teams.

Some novelties will introduce new attack surfaces for misconfiguration and vulnerable code. Not monitoring enough will result in bigger damage than necessary. User misconfigurations and insecure third-party involvement will also compound risks in cloud platforms.

Threat intelligence will need to be augmented with security analytics expertise for protection across security layers. Which means companies must put more resources on security. But will they? Are the executive leaders of the companies willing to act upon the increasing risks? To what extent?

Are there any trends to do with security automation or ethical hackers? 
I am not aware of any specific trends to do with security automation or ethical hackers, but the value of skilled ethical hacking is critical for identifying vulnerabilities in cybersecurity solutions before a real bad actor comes along. The NSA recently handed over a serious vulnerability in Windows 10 to Microsoft, which to me shows a change in behaviour. Maybe they understand the problem with keeping them secret for future use when the collateral damage threatens to be global.

What are your current challenges and how do you plan to tackle these this year?
My current challenges are to keep the staff (at the Swedish Internet Foundation) happy by offering new and modern solutions, and keep them informed about the risks and of what’s going on at the same time.

What event do you look forward to in 2020?
Internetdagarna! As always.

Tanya Janca

Application security specialist, Ethical hacker, Pentester, Women in Security co-founder, frequent speaker:

Photo of Tanya Janca, application security specialist, pentester and frequent speaker

What security issues/trends are you anticipating for 2020?
I anticipate more breaches and news stories of ‘cyber tragedy’, but also more companies investing in their employees via training and enablement in the workplace to create processes for faster and more effective security.

I also think we will see a lot more cultures moving towards DevOps and the automation of security testing, defences and detection. I believe the information security field will try to move towards using more Artificial Intelligence/Machine Learning to provide better security experiences, for better or worse. I also foresee many companies abusing new technologies to violate users’ privacy, which is a trend I find both unethical and worrisome.

Read: Tanya’s blog series on DevOps and security: Pushing Left, Like a Boss.

Are there any trends to do with security automation or ethical hackers?
More and more development shops are realizing that if they don’t move to the DevOps model/culture they will no longer have a competitive advantage. I am currently seeing many security teams that are getting on board with this, adding automation, security sprints and adding security tooling to CI/CD pipelines, and other forms of “DevSecOps” (application security activities that are adapted to DevOps environments). I’m also seeing quite a few mature AppSec companies creating stripped-down versions of their tools to be used in pipelines, with varying results, and newer companies that have CI/CD in mind when creating brand new products.

I’m very, very excited to see innovation in this area in 2020. Application Security is a young field, and I suspect there will be very new types of tools coming out to solve this problem in new ways, and I can’t wait to see it.

What are your current challenges and how do you plan to tackle these this year?

This year I have three career goals:

  • to help guide and support a few new AppSec startups in hopes to help them launch new and innovative products
  • to create DevSecOps and AppSec training that is affordable, accessible and fun
  • to have a better work/life balance than I have had in previous years.

I will also continue to coach companies launching and improving their AppSec, DevSecOps and Azure security programs. Wish me luck!

What ways will you/your team measure success this year?
I keep personal and professional KPIs that I won’t share here, but I can say that I believe setting goals and measuring yourself (regularly) against them is a fantastic way to ensure you reach your version of success.

I also believe in setting and enforcing personal and professional boundaries (for example, I do not take meetings before 9:00 am because sleep is very important to me). Setting a list of yearly/quarterly/monthly goals, as well as a set of boundaries, is an activity that I feel would serve any person well in their career.

What event do you look forward to in 2020?
I always look forward to every WoSEC (Women of Security) meetup, especially the “WoSEC Crashes RSAC” meetup during RSAC this year! I’m also looking forward to several different locations of B-Sides, and I especially love the AppSec conferences from OWASP.

Laura Kankaala

Security Researcher and Undetected podcast host at Detectify, ethical hacker, Disobey board member and frequent speaker:

Photo of Laura Kankaala, security researcher, Disobey board member

What security issues are you anticipating for 2020? 
Security of cloud environments and understanding the exposed attack surface is going to be crucial for companies to secure sensitive data. Having sensitive data storage or internal servers accessible over the Internet and indexed directly in services such as Shodan is an unnecessary risk that companies are taking with their infrastructure. As of writing this, there are more than 73,000 MongoDB instances indexed in Shodan. Most of these are likely hosted on some Software-as-a-Service (SaaS) platform.

On the positive side, I think companies are becoming more vigilant about security. It is kind of hard to ignore security because data breaches and security incidents are constantly in the mainstream media. I encourage companies of all sizes to take a critical look at their security practices and at least include a responsible disclosure policy on their public website.

Are there any trends to do with security automation or ethical hackers? 
I’m sure the usage of crowdsourced security will increase; it seems like the number of bug bounty programs, both public and private, outnumbers the active researchers. For crowdsourced security to be successful, we [security professionals] need to get better at sharing knowledge and offering help to get people started in security research.

However, bug bounties are just one facet of ethical hacking, as they typically just scratch the surface of the overall security of the company. For example, fixing an XSS bug found by a bug bounty researcher won’t fix the root cause of why XSS vulnerabilities exist. Preventative measures like security tools and educational content should reach the developers without increasing their workload tremendously.

When it comes to automating security, I think it is important to automate tedious tasks to pave the way for tasks that require more time and attention. Automation also provides more consistency in security testing results across the different phases of software development. In order for companies to grow bigger and faster in a secure manner, it makes a lot of sense to employ automation in the appropriate places.

What are your current challenges and how do you plan to tackle these this year?
This challenge will probably span over multiple years, but I want to make security automation the norm.

What we are doing at Detectify is, in addition to our in-house security researchers, working closely with Crowdsource ethical hackers all around the world to tap into their knowledge of novel vulnerabilities to complement our security automation tool. I don’t think this is necessarily a challenge, but more like a great opportunity for our customers to get insight into the security posture of their web applications and learn about zero-day vulnerabilities as soon as possible.

What ways will you/your team measure success this year?
For me, success doesn’t happen in a void. Things are either done or they are not done. Getting things done can surely be a success, but will it truly matter unless it has a positive effect on someone else’s life?

My team and I have set numeric and performance-based goals that are a general path to follow. However, to be successful, the teams need to meet more than numbers and performance metrics. We need to collaborate and provide something meaningful to our community and peers.

What event do you look forward to in 2020?

I have a personal stake in this, but I am looking forward to Disobey, which we are organizing in Helsinki, Finland. I am on the board of this conference, so I hope that everything runs smoothly. We have a very active infosec community in Finland, but it’s exciting to see people from all over the world attending our event, either as speakers or as attendees.


How can Detectify help with your security plans for 2020?

Keeping up with the fast pace of web security is a challenge if you rely only on standard CVE libraries and annual security checks. Detectify works with some of the best ethical hackers in the world to deliver security research and test modules from the forefront of security, so you can stay on top of emerging threats. Interested in giving Detectify a go? Start your 14-day free trial today.



8 ways to create better cybersecurity awareness with a limited budget

Not all cybersecurity budgets are made equal, and for some that means having too many or too few tools. For others this means having few employees or being the lone ranger responsible for better security awareness in the company. Here are options that fit every budget:

Cybersecurity on a budget

Invest in VPN to protect your peers and staff

This seems like a no-brainer, but a VPN should be standard for all organizations, especially with the normalization of cloud computing and remote work. Not every WiFi hotspot can be trusted, and one cannot expect employees to stop working because the connection is untrusted. But how can you demonstrate the value to your board or management? With management’s agreement beforehand, try setting up a “trustworthy”-looking WiFi Pineapple at your next company party for a live demo of a Man-in-the-Middle attack. MITM is still possible today: anything sent over plain HTTP is fully exposed, and HTTPS only protects users who do not click through certificate warnings on sites that also enforce it with HSTS; a VPN covers the rest of the traffic (and, when configured to do so, DNS) regardless of the network it runs over.

Assess assets with an Incident Response Plan

If a hacker were to be detected in your systems this moment, what would your next step be? Having an incident response plan in place, communicated and rehearsed would hopefully have you calm and collected knowing what action to take with systems backed up. Applying that mindset that someone is already accessing your systems and being prepared in how to respond is the best way to stay on top of threats.

With this in your toolbox, you will be able to show stakeholders what information could be compromised should a hacker get into “X” or “Y”. Best of all, it doesn’t require external resources to execute, and if you don’t know where to start, here’s our guide on how to build an Incident Response Plan.

Implement a responsible disclosure program

There’s a lot of talk about bug bounty programs and leveraging ethical hacker knowledge, but running a full program comes with a price tag and a demand on human resources to fix the complicated issues that skilled bug bounty hunters will find. Without being able to show the value or ROI, how can you get the budget needed?

We recommend starting with a responsible disclosure program on your site. This invites ethical hackers to report vulnerabilities without fear of legal repercussions; they do it out of goodwill. State the scope, the safe-harbour terms and how quickly you will respond, and make sure reports actually reach someone who can triage them. With knowledgeable staff it can be set up without external resources, and you’ll receive feedback via vulnerability reports from ethical hackers. It can also help make an informed case for future improvements such as a bug bounty program, more frequent pentesting or an automated solution. Need inspiration? Detectify has a publicly available responsible disclosure policy in place.


Threat modelling before it happens

Threat modelling has traditionally been done by security teams, and with the rise of DevOps it is being incorporated into developer workflows as well. Teams look at the assets, threats and vulnerabilities in their software and answer three questions: what exactly needs to be protected, which internal and external threats to protect against, and which vulnerabilities exist that need fixing. It is most valuable when done at design time, before the code is written, and non-security team members can use it too; it puts them in the mindset of continuous improvement and protection of assets.

Automated web vulnerability scanning

In 2018, our Detectify Crowdsource white hat hackers submitted almost 450 new vulnerabilities to broaden the coverage of our web vulnerability scanner. From Crowdsourced modules alone, we had 50,000+ vulnerability findings in scans of our clients’ assets. You can imagine all the JIRA tickets that had to be issued and handled; it was a helpful way for security managers to get an overview of the security status of their web applications. The vulnerability reports summarize what a hacker could exploit, and managers can then prioritize remediation accordingly in their workflows.

Using an automated web vulnerability scanner saves the time spent detecting known vulnerabilities and gives your security team more time to dig deeper for issues that require creativity and cannot be automated. A modest investment in a web application scanner is small next to the cost of a breach affecting millions or billions of users, such as those we saw in 2018.

Results from automated scanning show the security status of your web applications and can be compared with the results of annual security audits and penetration tests to get more value out of the latter.

Security training as part of employee on-boarding

One way to scale up security awareness in an organization is to include it in the on-boarding process and educate employees outside the core security team. For some, that means everyone besides the CISO. There’s a growing trend for developers and designers to care about application security (in fact, that’s how Detectify got started!), and supporting them on this journey is valuable. Here are some ways to make security skills accessible:

  • Host internal knowledge sessions and provide a working environment where developers can hack their own code
  • Build up security champions
  • Employee-led sessions on how to hack or learn about information security
  • Eliminate the blame-game when a security issue occurs and enable ownership of writing secure code
  • Run Capture-the-flag (CTF) events for participants to practice offensive and defensive coding skills

Developers aren’t the only ones who need training. Be sure to include training people of all levels from interns to C-level on the real-life implications of phishing, password management and social engineering.

Sharing knowledge is caring for colleagues

Even a security company needs to encourage better security practices and awareness among staff, but not everyone has time for 1-to-1 sessions to communicate it all. At Detectify, we’ve been able to scale up security knowledge sharing by creating explanatory videos on the OWASP Top 10 and other known vulnerabilities on the Detectify YouTube channel, for colleagues and anyone else interested in security. We also have internal lightning talks on our security test updates, hack demos and weekly security tips from our security researchers to encourage everyone to think security-first.

Start an internal RSS feed or channels for security news and interesting write-ups

With the rise of digital workplaces like Facebook Workplace and Slack, it’s easy today to share interesting articles and learning resources. To build a security mindset in the workplace, you could set up RSS feeds to pull in news from trusted security channels like the popular Reddit community /r/netsec, or get immediate notifications when research articles from Detectify Labs are published (you knew we had to mention that!).

Final thoughts

Building up security awareness or a security culture is not a cut-and-paste job, but the tools and internal learning resources mentioned here can make adoption easier. Some things are worth paying for, like a VPN or an online vulnerability scanner that takes care of the tedious and easily preventable issues, while awareness itself can be built resourcefully. Lastly, all levels of the organization should be aware of security risks and plan as if someone is already in.

Curious to see how the Detectify automated web vulnerability scanner can make security easier for you? Get started today with a free trial and check your web applications for 1000+ known vulnerabilities.


Author:
Jocelyn Chan


Cybersecurity from an overhead cost to a business enabler

Implementing cybersecurity projects shouldn’t depend only on return on investment, nor should security be viewed purely as a cost. There’s a better way to evaluate it: businesses should be thinking about how cybersecurity adds business value and enables company growth. The landscape is changing, security is increasingly seen as a competitive advantage, and in some industries it’s a reason customers want to do business with a brand. We discuss 5 ways cybersecurity can be a business enabler:


Gain a competitive edge with cybersecurity and acquire bigger accounts.

If your company is a supplier, having a good understanding of the security status of your applications is crucial. It’s 2019, and it’s imperative to know your own security status, as no one wants to be the weak link in the supply chain.

If you are using an automated web app scanner like Detectify, you can get detailed reports on the security status of your products and continuously monitor your web applications. This gives customers peace of mind, knowing that security is part of your company culture and that the proverbial doors are kept shut at your end of the supply chain. You may even gain a competitive edge, as it makes your offering look less risky to the buyer and can expedite procurement, especially at enterprises that are likely to have information security requirements.

Some companies require vendors to complete security questionnaires as part of the process. Knowing your answers in detail will streamline the procurement process. Here’s some insight from Paul Langley, Information Security Manager at Loopio, an RFP response software provider:

“If you are in the B2B space and you want to win big enterprise deals, you need to provide some sort of assurance of your security practises. Prospects and customers want to know that the data they are trusting you with will be secure, along with meeting specific legal, regulatory and compliance requirements they may have.

Your responses to security questionnaires should provide maximum value and answer questions in as much detail as possible, saving time from follow-up questions and further evidence requests. A simple ‘yes’ or ‘no’ will not always be sufficient. Having a standard approach to security questionnaires can also buy time before your company needs to perform a third party security audit or certification (SOC 2, ISO 27001, CSA, etc.).”

Know your third-party applications and their security status. 

Third-party applications are commonly added to better understand customers and website interactions and to automate processes such as customer service chatbots on a landing page. They help you understand customer behaviour and scale up business activities, adding more customers to the figurative funnel, but can this backfire?

59% of respondents in the 2018 Ponemon Institute annual survey had experienced a data breach caused by a third party, while 22% admitted they were not sure whether a breach had happened at all. These numbers make sense given that 2018 headlines included Magecart and other malicious third-party JavaScript that compromised the web applications of large companies including British Airways and Ticketmaster.

While your main application may be secure, cybercriminals are now getting into companies via third-party suppliers and the access those suppliers hold. Third-party applications may be key to scaling up operations, but do the due diligence on their security status, restrict and monitor what data is transferred to them, and control what their scripts are allowed to load and send from your pages, so you avoid becoming an embarrassing headline.
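As an added example (not code from the article, from Detectify or from any company named above), the Python below shows the two browser-side controls that limit what a tampered third-party script can do: Subresource Integrity, which makes the browser refuse a script whose bytes differ from the hash you reviewed, and a Content Security Policy that names the only hosts scripts may load from and data may be sent to. The `sri_matches` function reproduces the browser’s own acceptance rule, so you can see why a weak or malformed integrity attribute behaves the way it does. The vendor script, `cdn.vendor.example` and `api.payments.example` are constructed placeholders.

```python
"""Pin a third-party script with Subresource Integrity (SRI) and check it the way a browser does.

Added example for this article, not Detectify's code. The vendor script,
its URL and the hostnames in the CSP are constructed placeholders.
"""
import base64
import hashlib
import html

# Algorithms browsers accept for SRI, and their relative strength: when an
# integrity attribute lists several hashes, only the strongest algorithm counts.
SRI_ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity token such as 'sha384-<base64 digest>' for the exact bytes served."""
    digest = SRI_ALGORITHMS[algorithm](content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Render the <script> tag; crossorigin is required for SRI on cross-origin scripts."""
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{sri_hash(content, algorithm)}" crossorigin="anonymous"></script>')


def sri_matches(content: bytes, integrity: str) -> bool:
    """Apply the browser rule from the SRI spec: parse the tokens, keep only the
    strongest algorithm present, and accept if any of those tokens matches.
    Unknown algorithms are ignored, and an attribute with no usable token
    disables the check (the browser loads the script), hence True."""
    tokens = []
    for token in integrity.split():
        alg, sep, digest = token.partition("-")
        alg = alg.lower()
        if sep and alg in SRI_ALGORITHMS:
            tokens.append((alg, digest.split("?", 1)[0]))  # a "?options" suffix is ignored
    if not tokens:
        return True
    strongest = max(STRENGTH[alg] for alg, _ in tokens)
    return any(sri_hash(content, alg) == f"{alg}-{digest}"
               for alg, digest in tokens if STRENGTH[alg] == strongest)


# Second layer: a Content Security Policy naming the only hosts scripts may come
# from and the only hosts the page may send data to, so a skimmer injected into a
# vendor script cannot use fetch/XHR, beacons, images or form posts to exfiltrate.
CONTENT_SECURITY_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.vendor.example; "
    "connect-src 'self' https://api.payments.example; "
    "img-src 'self'; "
    "form-action 'self' https://api.payments.example"
)

# Constructed stand-ins for the vendor file as reviewed and as tampered with.
VENDOR_JS = b"window.vendorCheckout = function () { /* constructed vendor script */ };\n"
TAMPERED_JS = VENDOR_JS + b"// one appended line is enough to change every digest\n"

if __name__ == "__main__":
    print(script_tag("https://cdn.vendor.example/checkout.js", VENDOR_JS))
    print("Content-Security-Policy:", CONTENT_SECURITY_POLICY)
    pinned = sri_hash(VENDOR_JS)
    print("vendor file matches:", sri_matches(VENDOR_JS, pinned))
    print("tampered file matches:", sri_matches(TAMPERED_JS, pinned))
```

SRI pins exact bytes, so a legitimate vendor update fails closed until you review and re-hash it; that is the trade-off, and the reason tag managers and scripts that change on every request cannot be pinned and are better vendored onto your own origin. CSP narrows the exfiltration channels but does not stop a script from redirecting the whole page, so treat it as defence in depth and review the violation reports it generates rather than assuming it is a guarantee.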

Develop faster. Stay Agile AND secure.

Historically, security has been seen as a compliance unit, a cost center, but there’s a way to turn the dialogue around. Turning security into a business enabler is a hot topic now, and it begins with a shift in thinking to communicate the added business value of cybersecurity. For many B2C companies, this means connecting with intrinsic customer needs like personal security. Training developers to consider the security needs of the customer could mean added value in applications, better user experience and fewer fires to put out. Cybersecurity shouldn’t stop a company from scaling; it should scale together with development. This can be achieved by automating some security processes, like code scanning and testing, while security teams work closely with developers to design with security in mind throughout the CI/CD cycle.

Even if you don’t have a security manager, developers can still be equipped with automated tools like Detectify, use threat modeling and take part in internal training on common vulnerabilities like the OWASP Top 10. While they can seem trivial to some, even a common vulnerability like XSS or a misconfigured S3 bucket can lead to customer information or company user details being leaked and misused. With the right checks in place, security becomes a value-add: smoother customer experiences, fewer bug fixes and development that scales.
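The S3 misconfiguration mentioned above is one of the checks that can be automated without a security manager. As an added example that is not code from the article or from Detectify, the Python below grades a bucket policy and the bucket’s Block Public Access settings the way a reviewer would: an Allow statement for an anonymous principal with no Condition is a public grant, a Condition downgrades it to “review”, and the verdict depends on whether RestrictPublicBuckets is on. The bucket name, policies, account ID and VPC endpoint ID are constructed, and no AWS API is called.

```python
"""Flag S3 buckets that a bucket policy leaves readable by anyone.

Added example for this article, not Detectify's code. The policy documents
and Block Public Access settings below are constructed; feed the functions
the JSON from `aws s3api get-bucket-policy` and `aws s3api get-public-access-block`
to run them against real buckets (nothing here talks to AWS).
"""
import json

BLOCK_PUBLIC_ACCESS_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy grammar allows a string or a list in most positions."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """'*' or {"AWS": "*"} means every AWS account and unauthenticated requests."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_statements(policy):
    """Return Allow statements with an anonymous principal, graded by whether a Condition narrows them."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        # AWS treats the statement as non-public only when the Condition pins a source
        # such as aws:SourceVpce, aws:SourceIp or aws:PrincipalOrgID; rather than
        # trusting any Condition blindly, downgrade to "review" and read it by hand.
        severity = "review" if stmt.get("Condition") else "high"
        findings.append({"sid": stmt.get("Sid"),
                         "actions": _as_list(stmt.get("Action", [])),
                         "severity": severity})
    return findings


def block_public_access_gaps(settings):
    """Return the Block Public Access flags that are not enabled (all four should be)."""
    return [flag for flag in BLOCK_PUBLIC_ACCESS_FLAGS if not settings.get(flag, False)]


def assess_bucket(name, policy, block_public_access):
    """Combine both checks. RestrictPublicBuckets makes S3 ignore the public grants
    in an existing policy; BlockPublicPolicy only stops new public policies from
    being saved, so an old public policy still works if only that flag is on."""
    statements = public_statements(policy)
    gaps = block_public_access_gaps(block_public_access)
    exposed = (any(s["severity"] == "high" for s in statements)
               and "RestrictPublicBuckets" in gaps)
    return {"bucket": name, "exposed": exposed,
            "public_statements": statements, "block_public_access_gaps": gaps}


# Constructed examples: the leaky bucket grants read to the world; the fixed one
# limits the anonymous grant to a single VPC endpoint and turns all four blocks on.
CI_UPLOAD = {"Sid": "CiUpload", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-exporter"},
             "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-exports/*"}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-exports", "arn:aws:s3:::example-exports/*"]},
    CI_UPLOAD]})
LEAKY_BLOCKS = {flag: False for flag in BLOCK_PUBLIC_ACCESS_FLAGS}
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    CI_UPLOAD]})
FIXED_BLOCKS = {flag: True for flag in BLOCK_PUBLIC_ACCESS_FLAGS}

if __name__ == "__main__":
    for label, policy, blocks in (("before", LEAKY_POLICY, LEAKY_BLOCKS),
                                  ("after", FIXED_POLICY, FIXED_BLOCKS)):
        print(label, json.dumps(assess_bucket("example-exports", policy, blocks), indent=2))
```

In practice you run this over every bucket’s policy and public-access-block output (the account-level Block Public Access settings apply on top of the per-bucket ones) and turn each “exposed” result into a ticket. The difference between BlockPublicPolicy and RestrictPublicBuckets is the part teams most often get wrong: the first only prevents saving a new public policy, the second is what neutralises one that is already there.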

Flaunt your cybersecurity as a USP to win end-users.

The banking sector has been using cybersecurity to differentiate its businesses and win customers over. Money sits close to personal privacy, and many new products and companies, IoT among them, are entering areas just as sensitive. There is a concern that risk is being introduced into private homes, workplaces and commutes, which also opens an opportunity for businesses in these sensitive markets to start leveraging product security as a competitive advantage.

Beyond personal possessions, children’s personal information in web or mobile apps is also at risk, which is something Pokemon GO recognized and turned into business value. They were able to use the security of the game to reassure parents that it was safe for children to play, and still earned $795 million in 2018, a 35% increase over the previous year.

Cybersecurity transparency for retention.

GDPR requires that customer data is stored securely, that the supervisory authority is notified of a breach within 72 hours, and that affected individuals are told without undue delay when the breach is likely to put them at high risk. Without the right communication, customers may begin to think there’s more to the story and something to hide. This could backfire, lose you valued customers and land you a hefty fine or a PR headache. Should a data breach occur, there’s an opportunity to respond with transparency, diligence and urgency, and to show whether your brand is customer-centric and concerned with data protection.

How does Detectify help?

Start by securing all your web applications where there’s a possibility for user interaction. Automating this process with a web application scanner and domain monitoring service like Detectify can get you started on this path. Besides common vulnerabilities like the OWASP Top 10, you can also test for more creative exploits submitted by the Detectify Crowdsource white hat hackers. Once you begin working with web security in a more fluid and structured way and connecting it to business value, it can scale together with the business and enable faster and better growth.

Have you included an automated DAST solution in your cybersecurity strategy? If not, it’s easy to get started with the Detectify automated web application scanner by signing up for a free 14-day trial. No credit card is required, and you’ll be up and scanning within minutes.

 


Anne-Marie Eklund Löwinder: “I was good at making others’ code stop running very early on.”

She’s the CISO of The Internet Foundation in Sweden (IIS) and one of 14 trusted individuals who hold a Key to the Internet, meaning she takes part in the DNSSEC key ceremonies for the internet root zone. Anne-Marie Eklund Löwinder is also one of the few Swedes inducted into the Internet Hall of Fame. She recently spoke at a Detectify Go Hack Yourself meet-up, and we took the opportunity to speak one-on-one with her about why she got into infosec, common security mistakes she sees at companies and why monitoring is important.

Detectify’s exclusive interview with Anne-Marie Eklund Löwinder

Tell us briefly what was your first job?

I started working at 16 years old and got a job as a typist and here I was typing really fast, 300 characters per minute. I had to be accurate and mistakes were time-consuming since you had to use a razor blade and scrape away the typos and no one should be able to see you replaced the character. I worked for the courts that handle cases of inheritance so you can imagine no mistakes were allowed.

I’m a very curious person and I want to move on when I get tired of things, and at one point I felt like I was at the end of my learning path in this role and going back to school was the next best option for me to continue my learning journey or change jobs.

How did you get into information security?

When I worked for the Swedish agency for higher education, they were adamant about getting me to further my own education. There were options; I looked at law but thought “whoa, this is boring” and not for me. Eventually, someone recommended that I have a closer look at computer science. Despite my poor grades, I was able to qualify for this. They had a quota for a group called 25-5, which meant you had to be at least 25 years old and have worked for 5 years, and this is how I got in. We had a very good mix in our group: people of different ages and ethnic backgrounds. We were 50/50 gender-wise, and overall it was very dynamic.

There was a lot of programming and we studied six or seven different programming languages all from scratch, like Basic, Cobol, Pascal, Simula, Lisp, Ada, Prolog, C… and in the end for no use at all. Programming doesn’t change that much, but programmers rarely write code from scratch today. It would have been much more useful to know more about the semantics behind it. I promised myself that if I ever finished this exam I would never write another single line of code, and I kept that promise.

When did you realize you were in the right field?

My professor at Stockholm University, Louise Yngström, was the perfect role model for me. I loved the pace and thrill of informatics from the first day, and she got me involved in information security. During my studies, we as programmers were not taught to think about how to restrict the values that could be put into fields (in data control), but I was curious and wrote characters where the system was expecting numbers, and I crashed things. I was actually not as good at writing code; rather, I was good at making others’ code stop running very early on.

I could crush any system. I also had a little fun when writing error messages to tease programmers a bit. One I remember clearly was “Don’t you think you should try doing something else like growing tomatoes? Just give up the programming.” 

What is information vs cybersecurity?

It’s same same but different names with one exception; information security is everything that involves information in any sense. You speak it, write it on paper, have it in computers. It’s the information in general and of course, how to protect it. 

Cybersecurity is more about trying to protect assets like information from antagonistic threats. If there is someone who wants that information and is hostile, that is the difficult distinction.

IT security is in between because that involves computers, networks and systems. Cybersecurity is interesting since there are many people engaged in cybersecurity right now and talking about how to protect us from other Nation States yet we still don’t have enough baseline security to protect us from ourselves and our own mistakes. A lot is wide open and if we don’t have the baseline security then there’s nothing we can do to protect us from cybersecurity attacks. 

Who has the bigger responsibility for security?

We must do what we can to protect our personal information, but we also have vendors with access to the same things. For instance, if I have the most secure password ever but put it in a service that stores all the passwords in clear text, then what use do I have for a very secure password? None at all, even though I did my part of the deal, but they [the service] didn’t do theirs. We all have to contribute because it always comes down to the weakest link.

What’s your role today?

When I first began at the Swedish Internet Foundation, we were three people at the foundation and then we worked with our subsidiary NIC-SE and they were about 10-15 people. Today we are one organization and we are just above 80 persons, the security department is still only me.

But we have delegated the information security responsibilities to the information owner. Therefore it’s not that I do all the work but I am coordinating and giving advice to my peers. I’m providing support, coaching and education to prepare our teams for internal audits and create awareness and security ownership in that way.

So what is your day-to-day? I imagine it’s really very different given the nature of your work and also considering your passions.

It differs day to day as there’s a mix of some monthly routines, and at our organization we move through different security themes each month. For instance, this is the risk management month and I deliver training on how to do risk analysis; the goal is to get a picture of what risks exist in each stakeholder’s part of the company. We conduct a risk analysis for every larger change in a service, when bringing on a new vendor and when there are organizational changes.

Next month will be the continuity month, which means the work will be focused on continuity planning so that if there’s a serious incident, or even a disaster, there will be a plan for how to get back on the right track again. So I’m trying to make it easy for my stakeholders to actually take the responsibility for information security, not only by telling them this is what you need to do, but also by serving it to them in smaller pieces so they don’t need to feel overwhelmed, but rather feel like okay, it’s not that bad. It’s been a success story with the delegation of responsibility, and I have the management team supporting me on this initiative.

How often are you traveling to speak?

In a couple of years I’m about to retire, or at least slow down a bit, and I will spend more time on these kinds of adventures like external meetings, speaker opportunities and advisory committees. Last year I did 72 events and I really enjoy doing it. Next week I’m off to the key ceremony in Culpeper, Virginia.

The fact is I love my work. I love to do what I’m doing. I’m very lucky to have such interesting and rewarding work.

The Swedish security scene is relatively small compared to other countries. Is that an advantage or disadvantage?

That’s good in a sense because we’re quite generous with information sharing. In 2009 we had a major incident in .se where we distributed a faulty zone file. It was damaged and didn’t work, and when that happened, nobody could do look-ups within DNS. We discovered it very quickly, and that’s where being in such a small country is such an advantage, since we know all the ISP (internet service provider) leads and technicians by name.

Since I have close communication with the DNS reference group, we were able to send them an email informing them of the situation and that they had to flush their systems immediately and change the zone file. Within more or less an hour we solved the problem. In other countries this would probably have caused huge problems because they might not have as close a connection to the ISPs who are running the resolvers that will have the zone files in their service.

When did you first hear about hackers?

It could have been mentioned during my studies, but I started to hear more about it when Kevin Mitnick came along. I’ve always found hacking to be a fascinating activity and I can fully understand the means and why people try to find bugs and vulnerabilities. I can absolutely sympathize with that because it’s a thrill that gives you a kick. I think there’s a lot to learn from that philosophy because as a security person you need to be as curious.

How has the hacking scene changed over the years?

At first, hackers were curious people who wanted to do good or to utilize services on their behalf. They did it in a way that people didn’t understand what they were aiming for. Programmers received messages and didn’t know what to do with them.

In general, I see there are more hackers today on both the ethical and malicious sides.

How can companies protect against malicious hacker attacks?

Well, I don’t think that they can protect themselves 100% but they can make sure there’s as little damage as possible by taking appropriate security measures. Even if your company doesn’t have security people, you should have a plan of action in case of a breach.

There are many companies out there that believe they’re too small to hack or not interesting enough. What’s your take?

Well, even though you think you are not interesting enough, you are probably interesting enough to use as a weapon against others. If you don’t protect your systems because “you don’t have anything to protect”, you are thinking about it in the wrong way.

You are actually underestimating what this is about, because when you connect anything to the internet, everything is visible. If you’re compromised, it’s possible for someone else to use your systems to point at another target.

For example, there’s the case of distributed denial of service attacks where zombie networks are created; these consist of zombie computers or zombie services that someone has taken over. I wouldn’t want my organization to become a weapon that is pointing at any other company, and I imagine no one else would either. You have to make sure that you clean your own doorstep first.

What’s an emerging threat everyone should be aware of?

Nowadays, there is so much crypto-mining ongoing. Ransomware has been less common, but crypto-mining is actually growing because malicious hackers simply plant code in the background of the victim’s resources, which means the victim does all the mining work, while the hacker collects. It’s unfortunately common and goes unnoticed because many companies don’t have sufficient monitoring in place.

It seems like a no-brainer to monitor your assets. Why do you think companies neglect this?

Two reasons: First, they may not have the technical skills to do it. The other is cost. Some companies prefer not to spend money on monitoring because they would rather buy boxes for intrusion detection, firewalls or anything else rather than tracking what’s going on in their network or cloud.

I think monitoring your systems is one of the most important things you can do. That way you know what’s going on, know what kind of resources you have, and you can ensure they are used in the proper way. And if not, if something happens, you should be notified and become aware of it directly. But unfortunately many companies still don’t monitor, which creates a lot of blind spots.

On that note, what about open source security solutions? Can those work for companies with a low cybersecurity budget?

I do like open source, and open source doesn’t really mean that it’s free. It’s possible to engage in open source development groups, for instance on GitHub, where you can contribute to building good software that is open for everyone to improve and use. However, open source products do not necessarily have automatic releases or the support agreements you might get when you buy products from Microsoft or Apple. You have to be willing to spend money on the expertise you need for the support to make it sustainable.

At the beginning of the year, the EU rolled out bug bounty programs for popular open source tools. Will this encourage more companies in the EU to open their own bug bounty programs?

It’s a very good move forward to better each tool’s security and to make people more interested in working with security. However, I don’t think it will make companies more ready to have a bug bounty program because you need to have a plan of action on how to handle all the security reports. You would need to have quite a good security posture before you advance to running a program. It goes back to having the support and financial resources on your team to handle the reporting and triaging.

Does your organization collaborate with security researchers?

Yes of course, and the experience is varied. Sometimes I receive messages from someone telling me they found something on our website and that in order to get more information, payment is required. In such a case, I don’t agree with the approach because it’s not the right attitude if you’re looking to collaborate on a report. Then there are other people who come with a comprehensive report explaining what vulnerability was found, with steps to reproduce it and even remediation tips, and it’s done in goodwill. You know what I do in those cases? I send them a big cake as a thank you.

Since we don’t have a bug bounty program, I’m very grateful that security researchers send me reports if they find vulnerabilities. However, I don’t like the attitude of some reporters who say “I won’t tell you if you don’t give me money”, because that’s similar to ransom.

Photo: Live from Safaa’s kitchen: Anne-Marie featured on a milk carton

You’re a big role model for many IT professionals in Sweden and especially women in tech. What’s the key to attracting more women to become technicians and join industries like IT security?

First of all, we need to find a language that attracts them. Our company did a study with another company to try to understand why, or whether, women avoid technical roles as a working area, and the point is they don’t. The reason why they are not in more technical roles is the attitude from male colleagues and that there is a glass roof. You come to a certain level but not any further; as a woman, that is very common in larger companies.

Women have a harder time getting to the middle management level than men, and when you’re there, as a woman you can feel very lonely in a group that is 99% men. So it’s not the workload; it’s not the work hours; it’s other work environment factors that have an impact. In order to attract more women, we need to make them more comfortable being in the workplace.

Despite this challenge, what actions can a company take to welcome women professionals?

There’s no silver bullet for solving the gender equation, as it’s a lot of bits and pieces. For example, having networks that bring women together and offering mentorships is a way to begin. By doing so, you welcome younger women into this area. From what I’ve seen and the people I’ve met, the interest is there from young women.

Information security is such a huge area where one could do everything from internal auditing to writing documents in management systems to writing code, or have operational responsibilities for security as a breaker or defender. There are so many options.

Security professionals are challenged with showing ROI for their security investments. What can they do to meet this need?

If you do a risk assessment, find a number of risks and calculate what it would cost the company in the case of a full stop in production for one hour, 10 hours and up to a week, then you have some monetary numbers to motivate. Once you realize what it will cost the company, you need to figure out exactly what it is you want to protect, and if it takes at least two days to get things back on track, whether the total operational cost of that is more or less than what the disaster caused in total.

It is a balancing act. It’s not that you can put as much money on security as possible just to make sure that you’re 100% protected; rather, you should make calculations. If you choose to manage risk, it has a value and it has a price tag. Some others are in a situation where security isn’t something they can afford at the moment, and if that’s the case then you need to find something that you can do that is feasible, because anything is better than nothing.

You cannot always look for the perfect solution, but do your best at the moment and then next year you can try a little bit harder and make sure that you are at least making improvements. You want small steps, not the status quo. There’s a saying, “Don’t ever let the good be the enemy of the best if you are good enough.”

Another thing is to speak in business terms, because it’s all about business, it’s not all about security. I’d say stop painting all these threat pictures, because if you threaten someone they will just stop listening. It’s easier to hide under cover since business-focused people don’t want to hear about it. But if you talk in business terms and tell them “this is how much we will lose if X happens”, then I think you have their ear in a better way.

What’s a common security mistake you see made by companies?

Yes, it’s a lack of encryption. I commonly see a lack of understanding of encryption, for example not knowing the basics like HTTPS or STARTTLS for web and email.

If it can happen that Firefox forgets to update certificates and all of the plugins stop working, then you realize that something is lacking here, because monitoring certificates is not rocket science. You should know what certificates you have, when they’re valid and when you have to renew – tracking these should be automatic.

If you look at all the recent public breaches, we’ve seen Sony, Facebook, Yahoo and so on. Some small companies think they might not make a headline, but you know, if a breach happens, you will still suffer. That’s why it’s important to have some baseline security knowledge and to monitor everything.

Thank you again, Anne-Marie, for your time to be interviewed by us. Learn more about Anne-Marie and her work at The Internet Foundation in Sweden.

Written by Jocelyn Chan
Marketing Coordinator