The current Italian media hype is fuelled by the “Telecom Italia scandal”. The criminal investigation is being handled by the Public Prosecutor of Milan, who is investigating the alleged theft of confidential information from, and hacking of, major Italian and foreign companies. Recently, the Public Prosecutor’s findings led to the pre-trial detention of high-level Telecom Italia security officers and employees, and of outside security experts hired as consultants. The defendants are charged with running “covert black ops” on their own, unbeknownst to their employer.
Apart from the merits of the investigation (which belong to the Court and will likely not be ruled on for several years), this criminal investigation truly demonstrates how the ICT security business in Italy actually works. Companies (the big ones first) don’t really care about IT security. Top management leaves all the relevant decisions to the “IT guys”, while not caring about their own compliance with the security policies.
The result – should the Public Prosecutor’s findings be confirmed – is that one of the biggest (maybe THE biggest) computer crimes in Italy wasn’t committed with “sophisticated attack tools” or “esoteric computer techniques” run by “deadly skilled computer professionals”. For all that is known, the hack was committed through a “simple” piece of malware attached to an e-mail, like one of the thousands that arrive with everybody’s daily supply of SPAM. That’s it. Nothing else.
Then comes the question: how is it possible that the huge amount of money spent on firewalls, identity management systems, intrusion detection systems, anti-virus software etc. still allows that ridiculous kind of attack to succeed?
(Possible) answer no. 1: because the human factor is the weak link in the chain. Managers, executives and ordinary employees just think that IT security is not actually their business. All they want is “paper-based security” (i.e. the “just-give-me-this-stack-of-policies-and-get-lost” approach).
(Possible) answer no. 2: the ICT security market in Italy is mainly organised as a series of sub-sub-sub-sub-sub-sub-contractors.
This leads to two obvious consequences:
- The first: each step down the sub-contracting chain reduces the (already light) controls over the people who actually perform the job. That way, people with “questionable” criminal records, or carrying other kinds of potential infidelities (need for quick money, drug addiction etc.), can easily gain access to otherwise unreachable “sancta sanctorum”.
- The second: the people who actually perform the job are (often) the same. One day a vulnerability assessment in a bank, the next day a penetration test in a telco, and the day after that a “counselling session” in a major insurance company. Just a quick “change of hat” and the trick is done!
Do I need to say more?