Tuesday, November 20, 2007

Q&A with the head of security at Estonia's Elion

In April and May 2007, Estonia came under sustained distributed denial of service (DDoS) attacks. The Estonian government was forced to close its sites to the outside world, while the country’s largest banks and major newspapers were also targeted. The attacks began after a diplomatic spat with Russia, whose government was seen by some Estonians as being behind the attacks given their scale and prolonged nature (see Total Telecom, July 2007).

NGN interviewed Aivo Jürgenson, head of security at Elion, Estonia's biggest telecoms services provider.


Q. Estonia is mentioned as an advanced state when it comes to the use of wired and wireless technologies as well as e-sites. What can you cite that backs the claim?

Last year 81% of tax declarations were submitted electronically. Estonia was the first to use e-voting, in the local government elections in 2005. Already 30,000 e-votes were cast in the parliamentary elections in 2007; 63% of Estonian citizens between the ages of 15 and 74 use the Internet; people all over the country can access the Internet from over 700 public Internet access points; and there are more than 1,100 areas that currently provide high-speed wireless Internet access.

Elion itself has 150,000 broadband customers, which is about 40% of the total market in Estonia (approximately 373,000 households own a computer). The portal hot.ee, maintained by Elion, which provides free e-mail, chat and other features to everybody, has about 400,000 active user accounts. The number of Elion's digital television customers has increased the most rapidly in the world – in 2006, 28,000 new clients were added, and nearly 27,000 will be added this year.

The reliance on electronic commerce and communication is rather high in Estonia.

Q. The events of last April and May, when Estonia came under cyber attack: government sites, banking and telecommunication companies came under attack. Is that the full list of targets?

No, we have to add media companies as well. Almost every newspaper in Estonia has a website as well, which includes the same content as the paper version and often even additional media, such as photos and videos of the news. Those portals also allow people to leave public comments on news, which is regularly used. During the attacks, these websites were simply overloaded with traffic, and the commenting part was also exploited to publish spam, so that it needed to be disabled for a while.

The Estonian government believes that this was specifically chosen to create an "information blockade" for the general public and to prevent other countries from getting up-to-date information about what's happening in Estonia.

Q. Is NGN correct in that Elion itself did not come under attack?

Elion itself wasn't targeted on the same scale as some other sites were. We did notice small-scale overloading attempts against our DNS servers and also identified a single attack on a few routers themselves. However, our websites and other services did not come under attack.

As Elion provides the international peering for government networks, and many of the commercial targets were also our clients, we had to cope with an increased amount of incoming traffic in our network. Because the ISP network is usually built with redundancy and extra capacity in mind, luckily, we didn't suffer any service degradation because of that. If this had been the case, we would have had to work with our upstream providers and peering partners to limit the attack traffic already in their networks.

Q. What was the conclusion following the attacks? NGN understands the attacks were relatively straightforward distributed denial of service (DDoS) albeit on a very large scale. Is that correct or is that downplaying the sophistication of the attacks?

Most of the attacks were in fact rather simple when considering the traffic itself. However, when considering the campaign in total, the coordination of everything, the selection of targets and the launching of many different attacks during those weeks, it wasn't anything close to simple.

Q. Has Elion invested in its network to counter such potential vulnerabilities? If so, can you say in general terms what has been done?

At Elion, we cannot really identify a single budget line which could be considered a defense against cyber attacks. As always, we have to consider that network links and devices could fail, and therefore plan extra capacity into the network and build it in a fault-tolerant way. The network management, intelligence and analysis capability was already in place before May, and we certainly continue investing in those areas as well. The government of Estonia has taken this lesson very seriously and is currently reviewing the cyber security strategy for the country. I believe that many issues will be discussed which could help government and the private sector work more closely together when protecting national critical infrastructure. The Estonian IT and security community has been working together for some time already, and this was one of the things that enabled us to counter those attacks so successfully.

Q. Elion's view regarding security since the May incident: has it changed your view, and do you have a view as to how cyber attacks will evolve in the next year or two?

Technically, those attacks didn't use any new technology, and all of this was familiar to us even before. What was surprising was the scale of the attack and the coordination of it.

As more and more commerce and general life depends on electronic transactions and the Internet, the criminal world is also exploring this to see if there could be some ways to exploit it. As we have seen in the last few years, they are rather successful at this. In the same way, countries as a whole depend on the economy and the critical infrastructure to function, and in turn, these depend on computer networks and computer security to function. So, it has become possible to attack countries by attacking their computer networks as well. I'm afraid that the state of cyber security will become worse in the years to come, before attacks and the defenses against them mature and stabilise.

Friday, November 16, 2007

Book: Cyber Security

I am reading Cyber Security by Ed Amoroso, chief security officer at AT&T, as part of an upcoming technology briefing article for Total Telecom. This is a highly readable and informative book with lots of pointed anecdotes.

"Cyber Security" by Edward Amoroso
Silicon Press, 2007, pp 177