Andrei Sabelfeld is the researcher who thinks daily about how to stop cyber attacks and make our IT systems more secure. Privately, however, he takes the digital threats in stride.
- I definitely have a security mindset when I install programs and apps, but I'm not a paranoid person.
When the personal data of tens of thousands of students was leaked from Gothenburg's teacher platform and put up for sale on the internet, it was Andrei Sabelfeld that the journalists called. In his role as professor of information security, he is well aware of everything related to cyber security.
"I think information security is incredibly exciting because it is such a dynamic field. We have a moving target that we must attack in a fundamental way to achieve a long-term protection", says Andrei Sabelfeld.
Project to create more secure apps
Since 2017, Andrei Sabelfeld has been part of the large project WASP* where he, among other things, runs WASP NEST CyberSecIT. The project, which involves both Chalmers, KTH and Umeå University, is about cybersecurity for IoT apps, where researchers create new solutions to improve the security of the apps.
"IoT, Internet of Things, is about connecting digital, physical devices with other devices or program, which entails many security challenges and issues such as: Who controls the network? Who creates the code? The IoT apps control the logic behind the calculations, they decide what will happen to these units. Our focus in this is to ensure that the software itself becomes secure," says Andrei Sabelfeld.
Safety should come first in the process
"To create secure software, we use technology from programming languages and data analysis to try to introduce security as early as possible in the construction phase. So what we are dealing with is security through the construction of the software itself."
Andrei Sabelfeld often returns to the fact that the most important security measure when it comes to cyber security is to build security right from the start. But the challenges with cyber security are many and the threats come from different directions. An example of something that risks creating major problems is so-called "malicious apps".
"The worst thing that can happen when you install such an app is that your user data is hijacked and that the app then pretends to be you. This is exactly what happened recently when a web extension that looked like Chat-GPT actually aimed to hijack user data on Facebook. It was only discovered when the web extension was already released and users had started downloading it."
Cyber attacks will become more common in the future
In recent years, the media have periodically reported on various types of IT attacks against authorities and companies in Sweden. An incident that caused quite a stir was the cyber attack on Coop a couple of years ago that knocked out the entire food chain's checkout system.
"Unfortunately, we see that this type of threat will become more common in the future. This is largely due to the fact that our systems are becoming more and more interconnected and control more and more of our infrastructure. If you add AI, it makes the challenges even greater. Already today, AI is used for, for example, spam emails or what we call spear phishing – targeted attacks against people with sought-after information", says Andrei Sabelfeld, adding that the vulnerability of our systems depends to some extent on the attitude in our society.
"The most important thing to get at this type of attack is a changed mentality. We can no longer think that safety comes last."
However, if you fail to build security into the software, the race is not completely over. Andrei notes that security has several layers of defense, and that different situations require different defenses.
"The main type of defense starts in the build phase of the software but it does not solve all security problems. Therefore, you also need to have a mechanism to detect problems, what we call intrusion detection. Then we have another level which is about mitigating the problem in the event of an attack."
"Finally, if all else has failed, we need to have a good follow-up to ensure that a similar attack cannot happen again. How can we design our systems based on the knowledge we have now to prevent the attack from happening again?"
Assessing the attack is one of the biggest challenges
One of the biggest challenges, Andrei Sabelfeld continues, is to know where the attackers will try to attack.
"It may be the case that you have a number of security devices in place, encryption, network protection and so on, but that outsiders still get hold of secret information and leak it. The challenge there is how we analyze the code and make sure it doesn't enable these kinds of leaks. The hardest part is dealing with software written in several different programming languages - analyzing these and making sure we trace the flow of information."
Andrei Sabelfeld believes that the complexity of creating secure systems is one of the reasons focus on safety should be included from the start, and he states that we still have work to do.
"Many companies have to learn this the hard way. Microsoft had this kind of problem a couple of years ago but they have now revised their process and introduced security at an earlier level. Unfortunately, that's often how we operate - in many cases, it's only when problems arise that we really address security properly."
Think before you install anything
Andrei Sabelfeld advises to use common sense.
- You should think before installing apps on your devices and read the terms and conditions properly. If an app for a flashlight wants your location information, for example, then one should ask why such an app needs that information.
- Simply think one more time before installing anything!
Andrei Sabelfeld talks about his research (link to YouTube)
Tips for your own cyber security
https://ssd.eff.org
https://www.appcensus.io
Explore more
- Full Professor, Computing Science, Computer Science and Engineering