Cyber security: Users still too carefree

“Reports of government agencies spying on the Internet have helped to increase awareness for the importance of cyber security in Austria, but people are generally still much too carefree,” said Roland Ledinger, head of the federal ICT Strategy Department in the Federal Chancellery during the presentation of the 2013 Internet security report in Vienna on Thursday. Some 150,000 computer viruses are in circulation around the world every day, and roughly 148,000 new computers are infected every day told Robert Schischka, head of Austria’s Computer Emergeny Response Team (CERT.at). A new piece of malicious software is released on the Net every 15 minutes, for a total of over 1.7 million bits of code since the beginning of 2013. In Austria, roughly 2 percent of 1,000 computers examined between January and July were infected.

More attacks against smartphones

Malicious software is becoming increasingly common on mobile devices like smartphones and tablets. Android is the preferred platform for attackers. Apps often open the door. The CERT.at director criticized that data is often transmitted using no or only weak encryption. The users themselves are also partially to blame for the security gaps. Applications are often granted access to sensitive information without a second thought: “A flashlight app on your mobile phone has no need to access your calendar or e-mail account.”

Phishing and ransomware

The greatest threat to private persons is still fraud. The methods have changed little in recent months. Phishing, the collection of passwords, and ransomware – where hard drives are encrypted and a “ransom” is demanded to release the data – are still very common. The manipulation of security certificates has also increased rapidly recently, Schischka said. Such certificates are assigned to malicious software, which makes it hard to identify it as harmful.

While document-based attacks that exploit weaknesses in formats such as PDF and Flash decreased, Java remains a problem. Many applications in companies require Java. But affected users are very slow to install current versions, Schischka said.

More reports of security incidents

The number of reports of cyber security incidents nearly tripled in 2013 compared with 2012. The Austrian agency for cyber security problems received over 30,000 security-relevant reports between January and September, and over 9,000 of them were classified as serious.

Corporate espionage has gained increasing attention in recent months. It has existing in Austria for many years, but Edward Snowden’s revelations have brought it to the attention of the general public. “Corporate espionage can affect a very large number of companies,” Schischka warned. “There are interesting high-technology companies in Austria.” Attackers often had access to sensitive information for several years, he said. “Such incidents are rarely made public, however.”

Many Austrians are now dealing more with cyber security and are learning about methods for encryption, for example, but a great deal must still be done to create the necessary awareness for security on the Net, Ledinger said. Half of all smartphone and tablet users do not use passwords. And antivirus software is rarely used on smartphones. Ledinger also said that the safe use of the Net must be taught at school: “It has to start in kindergarten.”

Cyber security strategy

In Austria, the federal government adopted a cyber security strategy in March that includes extensive measures to secure critical infrastructure. In coordination with the EU, one such measure is an obligation for companies to report cyber attacks. In areas of critical infrastructure like energy and healthcare, reporting will have to be mandatory, Schischka said.

But the primary focus in Austria is on measures for building trust. For example, the Federal Chancellery and CERT.at created the Austrian Trust Circle, which is to facilitate the equitable exchange of information between affected companies. The goal is to ensure that comprehensive information about weaknesses is shared. Such a system of exchange is already functioning smoothly among banks, in the energy sector, and in telecommunications, Schischka said.

Minimum standards and a common early warning system are to be created on an EU-wide basis through a Network and Information Security Directive (NIS) that is expected to be passed in 2014 on the basis of the Internet security strategy that was presented at the beginning of the year.

Snowden and the consequences

But action needs to be taken in the EU in other areas, as well. The revelations about Internet spying by the US intelligence services mean that encryption must be advanced in Europe, Ledinger said, “We must establish and strengthen expertise for this in Europe. There is no sense in using technology from abroad that may have back doors.”

And much needs to be done in terms of cloud computing. “We need a European cloud,” Ledinger said. Only companies that subject themselves to European law can be allowed to participate, he added. Spying to the extent revealed by Snowden must be made impossible. “We have to make offers and take precautions.”