How secure is my data?

Prof. Dr. Mitrokotsa, to what extent do you engage with the topic of security in your work and profession?

At the chair of Cybersecurity, we focus on all aspects of information and network security and especially on security and privacy issues of resource constrained communication. Our research interests are centered around information security and applied cryptography, with the larger goal of safeguarding communications and providing strong privacy guarantees. We are currently active on multiple research projects that focus on the design of provably secure cryptographic protocols and primitives that can be employed for reliable authentication, outsourcing computations in untrusted cloud servers, network security problems as well as secure and privacy-preserving machine learning.

Which dangers and security leakages exist in everyday life and in business?

With the increase of digitalization and the advances of ubiquitous computing, cyberattacks are also increasing considerably. Cyberattacks and leakage of information is an everyday danger for all of us and for businesses nowadays. The attacks may range from a denial of service (not being able to access your data in a server) to even impersonation of users, stolen identities, data breaches etc. Although it is very hard to have concrete figures, since often attacks are not reported, there is an estimate of a cyberattack every 39 seconds. For instance, we often hear about breaches of data of users (e.g. Facebook, Yahoo etc) as well as attacking password databases which remains a prime target of potential attackers and even large companies seem to struggle with these cyberattacks (e.g., an attack has led to a compromise of over 1 billion passwords). There has also been a significant number of malware incidents, with some involving encryption software (ransomware). Ransomware is a form of malware that encrypts the victim’s files. The attacker demands a ransom from the victim in order to restore access to the data upon payment (ranging from a few hunded CHF to six digit figures). Although the number of ransomware attacks is small compared to the number of fraud attempts, the potential damage is far greater. Ransomware now ranks first in the list of the most frequent cybersecurity incidents.

And how can they be addressed? Which possibilities exist to achieve more security for digital data?

There are multiple ways to safeguard communications and our data. This often entails the use of secure communication protocols (e.g., authentication and identification protocols) and cryptographic primitives (e.g. encryption schemes, digital signatures) even the use of protocols that allow us to outsource our data in an encrypted (encoded) form to untrusted parties (e.g. cloud servers) so that computations can be performed on the data without leaking any information about the data itself. From a network security there are multiple mechanisms for detecting and mitigating attacks at an early stage in order to limit their impact.

Are these measures being sufficiently implemented?

There is a long-term arms race between attacks and security mechanisms and protocols to secure communication. There is no doubt that there are many advances in cybersecurity research and often these are also adopted in everyday life. However, in many cases the proposed or existing countermeasures have not been implemented and adopted in a secure way leaving thus multiple vulnerabilities that attackers can exploit. Furthermore, in many cases users as well as businesses are unaware of how their data and personal information may be misused and how an attacker may exploit weaknesses leading to leakage of information and data breaches.

We hear and read a lot about terms as Cybersecurity, but what exactly does it entail, and which role does it play in business?

Cybersecurity incorporates a broad range of information security mechanisms and protocols to protect our communications, our systems and our data. Cybersecurity, as a first line of defense, involves preventive mechanisms such as the design of cryptographic primitives (e.g. encryption schemes) that can be used to achieve a specific objective (e.g., confidentiality of communications, integrity of data) and are employed in secure communication protocols (e.g. authentication, identification). These primitives and protocols need to be provably secure i.e., show that they are secure against very powerful attackers and if this is done, we can proceed with their implementation. In many cases cryptographic primitives and protocols are proven to be secure but their implementation is not done appropriately leaving weaknesses that attackers may use to launch attacks. In some cases, even if the implementations are done correctly other weaknesses may be identified later on or even the human factor may introduce vulnerabilities in the whole system. Furthermore, as a second line of defense, cybersecurity entails mechanisms that can be employed to detect attacks at an early stage e.g., using intrusion detection systems and safeguard communications and systems. Currently cybersecurity methods and mechanisms are indispensable in our life and businesses, and we use them every day even if we may think we do not. In the past cryptography was reserved for emperors and military generals but nowadays it is a necessity for all of us to guarantee secure and reliable communication e.g., in E-banking, messaging apps, online transactions, Wi-Fi connections, mobile phones etc.

And what about Cryptography? To what extent does it lead to more security and how is trust in such systems built?

Cryptography is one of the main cornerstones to achieve security. Without strong and provably secure cryptographic primitives and protocols, cybersecurity cannot be achieved. In cryptography related research, we are focusing on designing provably secure solutions this means that we are considering that the attacker is very powerful, and we design protocols and primitives that can be secure against all possible attack scenarios. When cryptographic protocols and primitives are being implemented and built, we need to have some way to check that the adopted cryptographic primitives (e.g., encryption algorithms, digital signatures, hash functions) are suitable to be employed. The ones that are best to be used in practice are usually being adopted by standardization parties such as NIST (National Institute of Standards) after a long and very thorough analysis of their security and properties. Thus, we can easily check if the employed cryptographic mechanisms in a solution are reliable or not. Be aware though when someone attempts to keep a cryptographic algorithm secret. Security via obscurity cannot be achieved.

To what extent is the University of St. Gallen involved in digital security and data protection? What could still be improved?

The University of St. Gallen is indeed prioritizing security of all users and employees. We see that often in our authentication attempts to the university’s services. Of course, there is always room for improvement, and we hear often on the news about incidents of cyberattacks in well-known companies, organizations and even universities (e.g. ransomware attacks being launched against even Swiss Universities). Being always ready and alert for possible cyberattacks by keeping consistently backups of our data as well as using strong authentication methods is among the simplest but also the most important ones for all of us.