She’s the CISO of The Internet Foundation of Sweden (IIS) and one of 14 trusted individuals to hold a Key to the Internet, meaning she takes part in DNSSEC key generation for the internet root zone. Anne-Marie Eklund Löwinder is also one of the few Swedes who have been inducted into the Internet Hall of Fame. She recently spoke at a Detectify Go Hack Yourself meet-up, and we took advantage of the opportunity to speak one-on-one with her about why she got into infosec, common security mistakes she sees from companies, and why monitoring is important.
Tell us briefly, what was your first job?
I started working at 16 years old and got a job as a typist, and there I was typing really fast, 300 characters per minute. I had to be accurate, and mistakes were time-consuming since you had to use a razor blade to scrape away the typos, and no one should be able to see that you had replaced the character. I worked for the courts that handle cases of inheritance, so you can imagine no mistakes were allowed.
I’m a very curious person and I want to move on when I get tired of things, and at one point I felt like I was at the end of my learning path in this role and going back to school was the next best option for me to continue my learning journey or change jobs.
How did you get into information security?
When I worked for the Swedish agency for higher education, they were adamant about getting me to further my own education. There were options; I looked at law but thought “whoa, this is boring” and not for me. Eventually, someone recommended that I have a closer look at computer science. Despite my poor grades, I was able to qualify for this. They had a quota for a group called 25-5, which meant you had to be at least 25 years old and have worked for 5 years, and this is how I got in. We had a very good mix in our group: people of different ages and ethnic backgrounds. We were 50/50 gender-wise and overall it was very dynamic.
There was a lot of programming and we studied six or seven different programming languages all from scratch, like Basic, Cobol, Pascal, Simula, Lisp, Ada, Prolog, C… and in the end for no use at all. Programming doesn’t change that much, but programmers rarely write code from scratch today. It would have been much more useful to know more about the semantics behind it. I promised myself that if I ever finished this exam, I would never write another single line of code, and I kept that promise.
When did you realize you were in the right field?
My professor at Stockholm University, Louise Yngström, was the perfect role model for me. I loved the pace and thrill of informatics from the first day, and she got me involved in information security. During my studies, we as programmers were not taught to think about how to restrict the values that could be put into fields (in data control), but I was curious and wrote characters where the system was expecting numbers, and I crashed things. I was actually not as good at writing code; rather, I was good at making others’ code stop running very early on.
I could crush any system. I also had a little fun when writing error messages to tease programmers a bit. One I remember clearly was “Don’t you think you should try doing something else like growing tomatoes? Just give up the programming.”
What is information vs cybersecurity?
It’s the same thing but with different names, with one exception: information security is everything that involves information in any sense. You speak it, write it on paper, have it in computers. It’s the information in general and, of course, how to protect it.
Cybersecurity is more about trying to protect assets like information from antagonistic threats. If you have someone who wants that information and is hostile, that is the difficult distinction.
IT security is in between because that involves computers, networks and systems. Cybersecurity is interesting since there are many people engaged in cybersecurity right now, talking about how to protect us from other nation states, yet we still don’t have enough baseline security to protect us from ourselves and our own mistakes. A lot is wide open, and if we don’t have the baseline security then there’s nothing we can do to protect ourselves from cybersecurity attacks.
Who has the bigger responsibility for security?
We must do what we can to protect our personal information, but we also have vendors with access to the same things. For instance, if I have the most secure password ever but put it in a service that stores all the passwords in clear-text, then what use do I have for a very secure password? None at all, even though I did my part of the deal, but they [the service] didn’t do theirs. We all have to contribute because it always comes down to the weakest link.
What’s your role today?
When I first began at the Swedish Internet Foundation, we were three people at the foundation, and then we worked with our subsidiary NIC-SE, which had about 10-15 people. Today we are one organization of just over 80 people, and the security department is still only me.
But we have delegated the information security responsibilities to the information owner. Therefore it’s not that I do all the work; I am coordinating and giving advice to my peers. I’m providing support, coaching and education to prepare our teams for internal audits, and creating awareness and security ownership in that way.
So what is your day-to-day? I imagine it’s really very different given the nature of your work and also considering your passions.
It differs day-to-day, as there’s a mix of some monthly routines, and at our organization we move through different security themes each month. For instance, this is the risk management month, and I deliver training on how to do risk analysis; the goal is to get a picture of what risks exist in each stakeholder’s part of the company. We conduct a risk analysis for every larger change in a service, when bringing on a new vendor, and if there are organizational changes.
Next month will be the continuity month, which means the work will be focused on continuity planning, so that if there’s a serious incident, or even a disaster, there will be a plan for how to get back on the right track again. So I’m trying to make it easy for my stakeholders to actually take the responsibility for information security, not only by telling them this is what you need to do but also by serving it to them in smaller pieces so they don’t need to feel overwhelmed, but rather feel like okay, it’s not that bad. It’s been a success story with the delegation of responsibility, and I have the management team supporting me on this initiative.
How often are you traveling to speak?
In a couple of years I’m about to retire, or at least slow down a bit, and I will spend more time on these kinds of adventures like external meetings, speaker opportunities and advisory committees. Last year I did 72 events and I really enjoy doing it. Next week I’m off to the key ceremony in Culpeper, Virginia.
The fact is I love my work. I love to do what I’m doing. I’m very lucky to have such interesting and rewarding work.
The Swedish security scene is relatively small compared to other countries. Is that an advantage or disadvantage?
That’s good in a sense because we’re quite generous with information sharing. In 2009 we had a major incident in .se where we distributed a faulty zone file. It was damaged and didn’t work, and when that happened, nobody could do look-ups within DNS. We discovered it very quickly, and that’s where being in such a small country is such an advantage, since we know all the ISP (internet service provider) leads and technicians by name.
Since I have close communication with the DNS reference group, we were able to send them an email informing them of the situation and that they had to flush their systems immediately and change the zone file. Within more or less an hour we had solved the problem. In other countries this would probably have caused huge problems, because they might not have as close a connection to the ISPs who are running the resolvers that hold the zone files in their service.
When did you first hear about hackers?
It could have been mentioned during my studies, but I started to hear more about it when Kevin Mitnick came along. I’ve always found hacking to be a fascinating activity, and I can fully understand the means and why people try to find bugs and vulnerabilities. I can absolutely sympathize with that because it’s a thrill that gives you a kick. I think there’s a lot to learn from that philosophy, because as a security person you need to be just as curious.
How has the hacking scene changed over the years?
At first, hackers were curious people who wanted to do good or to utilize services on their own behalf. They did it in a way that people didn’t understand what they were aiming for. Programmers received messages and didn’t know what to do with them.
In general, I see there are more hackers today for both the ethical and malicious sides.
How can companies protect against malicious hacker attacks?
Well, I don’t think that they can protect themselves 100%, but they can make sure there’s as little damage as possible by taking appropriate security measures. Even if your company doesn’t have security people, you should have a plan of action in case of a breach.
There are many companies out there that believe they’re too small to hack or not interesting enough. What’s your take?
Well, even though you think you are not interesting enough, you are probably interesting enough to use as a weapon against others. If you don’t protect your systems because “you don’t have anything to protect”, you are thinking about it in the wrong way.
You are actually underestimating what this is about, because when you connect anything to the internet, everything is visible. If you’re compromised, it’s possible for someone else to use your systems to point at another target.
For example, there’s the case of distributed denial of service attacks where zombie networks are created; these consist of zombie computers or zombie services that someone has taken over. I wouldn’t want my organization to become a weapon that is pointed at any other company, and I imagine no one else would either. You have to make sure that you clean your own doorstep first.
What’s an emerging threat everyone should be aware of?
Nowadays, there is so much crypto-mining ongoing. Ransomware has become less common, but crypto-mining is actually growing, because malicious hackers simply plant code in the background on the victim’s resources, which means the victim does all the mining work while the hacker collects. It’s unfortunately common and goes unnoticed because many companies don’t have sufficient monitoring in place.
It seems like a no-brainer to monitor your assets. Why do you think companies neglect this?
Two reasons: First, they may not have the technical skills to do it. The other is cost. Some companies prefer not to spend money on monitoring because they would rather buy boxes for intrusion detection, firewalls or anything else rather than track what’s going on in their network or cloud.
I think monitoring your systems is one of the most important things you can do. That way you know what’s going on, you know what kind of resources you have, and you can ensure they are used in the proper way. And if not, if something happens, you should be notified and become aware of it directly. But unfortunately many companies still don’t monitor, which creates a lot of blind spots.
On that note, what about open source security solutions? Can those work for companies with a low cybersecurity budget?
I do like open source, and open source doesn’t really mean that it’s free. It’s possible to engage in open source development groups, for instance on GitHub, where you can contribute to building good software that is open for everyone to improve and use. However, open-source products do not necessarily have automatic releases or the support agreements you might get when you buy products from Microsoft or Apple. You have to be willing to spend money on the expertise you need for the support to make it sustainable.
At the beginning of the year, the EU rolled out bug bounty programs for popular open source tools. Will this encourage more companies in the EU to open their own bug bounty programs?
It’s a very good move forward to improve each tool’s security and to make people more interested in working with security. However, I don’t think it will make companies more ready to have a bug bounty program, because you need to have a plan of action for how to handle all the security reports. You would need to have quite a good security posture before you advance to running a program. It goes back to having the support and financial resources on your team to handle the reporting and triaging.
Does your organization collaborate with security researchers?
Yes of course, and the experience is varied. Sometimes I receive messages from someone telling me they found something on our website and that, in order to get more information, payment is required. In such a case, I don’t agree with the approach, because it’s not the right attitude if you’re looking to collaborate with a report. Then there are other people who come with a comprehensive report explaining what vulnerability was found, with steps to reproduce it and even remediation tips, and it’s done in goodwill. You know what I do in those cases? I send them a big cake as a thank-you.
Since we don’t have a bug bounty program, I’m very grateful that security researchers send me reports if they find vulnerabilities. However, I don’t like the attitude of some reporters who say “I won’t tell you if you don’t give me money”, because that’s similar to ransom.
You’re a big role model for many IT professionals in Sweden and especially women in tech. What’s the key to attracting more women to become technicians and join industries like IT security?
First of all, we need to find a language that attracts them. Our company did a study with another company to try to understand why women avoid, or whether women avoid, technical roles as a working area for them, and the point is they don’t. The reason why they are not in more technical roles is the attitude from male colleagues and that there is a glass roof. You come to a certain level but not any further; that is very common in larger companies as a female.
Women have a harder time getting to the middle management level than men, and when you’re there, as a woman you can feel very lonely in a group that is 99% men. So it’s not the workload; it’s not the work hours; it’s other work environment factors that have an impact. In order to attract more women, we need to make them more comfortable being in the workplace.
Despite this challenge, what actions can a company take to welcome women professionals?
There’s no silver bullet for solving the gender equation, as it’s a lot of bits and pieces. For example, having networks that bring females together and offering mentorships is a way to begin. By doing so, you welcome younger women into this area. From what I’ve seen and the people I’ve met, the interest is there from young females.
Information security is such a huge area where one could do everything from internal auditing to writing documents in management systems to writing code, or have operational responsibilities for security as a breaker or defender. There are so many options.
Security professionals are challenged with showing ROI for their security investments. What can they do to meet this need?
If you do a risk assessment, find a number of risks and calculate what it would cost the company in the case of a full stop in production for one hour, 10 hours and up to a week, then you have some monetary numbers to motivate with. Once you realize what it will cost the company, you need to figure out exactly what it is you want to protect, and if it takes at least two days to get things back on track, whether the total operational cost of that will be more or less than what the disaster caused in total.
It is a balancing act. It’s not that you can put as much money on security as possible just to make sure that you’re 100% protected; rather, you should make calculations. If you choose to manage a risk, it has a value and it has a price tag. Some others are in a situation where security isn’t something they can afford at the moment, and if that’s the case then you need to find something that you can do that is feasible, because anything is better than nothing.
You cannot always look for the perfect solution, but do your best at the moment and then next year you can try a little bit harder and make sure that you are at least making improvements. You want small steps, not the status quo. There’s a saying, “Don’t ever let the good be the enemy of the best if you are good enough.”
Another thing is to speak in business terms, because it’s all about business, it’s not all about security. I’d say stop painting all these threat pictures, because if you threaten someone they will just stop listening. It’s easier to hide under cover since business-focused people don’t want to hear about it. But if you talk in business terms and tell them “this is how much we will lose if X happens”, then I think you have their ear in a better way.
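The calculation described in this answer, as an added illustration that is not part of the interview: a small Python risk-register calculator that turns the "one hour, 10 hours, a week" full-stop costs and the cost of a control into the business-terms numbers she recommends. All figures (hourly loss, probabilities, outage hours, control cost) are constructed for the example and are not IIS's numbers.

```python
from dataclasses import dataclass

# Constructed example figure: cost of one hour of full production stop, any currency.
HOURLY_LOSS = 50_000


@dataclass
class Risk:
    name: str
    annual_probability: float  # chance the scenario happens in a given year
    outage_hours: float        # hours of full stop until things are back on track


def outage_cost(hours, hourly_loss=HOURLY_LOSS):
    """Cost of a full production stop lasting the given number of hours."""
    return hours * hourly_loss


def scenario_table(hourly_loss=HOURLY_LOSS):
    """The '1 hour, 10 hours, up to a week' figures to put in front of management."""
    return {hours: outage_cost(hours, hourly_loss) for hours in (1, 10, 24 * 7)}


def annual_expected_loss(risk, hourly_loss=HOURLY_LOSS):
    """Probability-weighted yearly cost of one risk (annualized loss expectancy)."""
    return risk.annual_probability * outage_cost(risk.outage_hours, hourly_loss)


def rank_risks(risks, hourly_loss=HOURLY_LOSS):
    """Risk names ordered by expected yearly loss, largest first."""
    by_loss = sorted(risks, key=lambda r: annual_expected_loss(r, hourly_loss), reverse=True)
    return [r.name for r in by_loss]


def control_decision(risk, control_cost, loss_reduction, hourly_loss=HOURLY_LOSS):
    """Compare a control's yearly cost with the loss it is expected to avoid.

    loss_reduction is the fraction (0..1) of the risk's expected loss the control
    removes. Returns (avoided_loss, net_benefit, worth_it).
    """
    if not 0.0 <= loss_reduction <= 1.0:
        raise ValueError("loss_reduction must be between 0 and 1")
    avoided = annual_expected_loss(risk, hourly_loss) * loss_reduction
    net = avoided - control_cost
    return avoided, net, net > 0


if __name__ == "__main__":
    # Constructed risk register; 48 hours is the "at least two days" recovery case.
    register = [
        Risk("ransomware outbreak", annual_probability=0.2, outage_hours=48),
        Risk("faulty config push", annual_probability=0.5, outage_hours=2),
        Risk("data centre power loss", annual_probability=0.05, outage_hours=10),
    ]
    for hours, cost in scenario_table().items():
        print(f"{hours:4d} h full stop: {cost:>12,}")
    print("priority:", rank_risks(register))
    avoided, net, ok = control_decision(register[0], control_cost=200_000, loss_reduction=0.8)
    print(f"backup/recovery control avoids {avoided:,.0f} per year, net {net:,.0f}, worth it: {ok}")
```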
What’s a common security mistake you see made by companies?
Yes, it’s lack of encryption. I commonly see that there’s a lack of understanding of encryption, for example not knowing the basics like HTTPS or STARTTLS for web and email.
If it can happen that Firefox forgets to update certificates and all of the plugins stop working, then you realize that something is lacking here, because monitoring certificates is not rocket science. You should know what certificates you have, when they’re valid and when you have to renew – it should be automatic to track these.
If you look at all the recent public breaches, we’ve seen Sony, Facebook, Yahoo and so on. Some small companies think they might not make a headline, but you know, if a breach happens, you will still suffer. That’s why it’s important to have some baseline security knowledge and to monitor everything.
Written by Jocelyn Chan