The Italian Approach on Cyberwarfare: paper-based security

From time to time, cyberwarfare surfaces in the ocean of useless Italian political and sub-political talk.

Last week, while waiting for my turn to speak at a conference, I heard a speaker who claimed to “know best” say that in five years Italy will have its set of actual guidelines to enforce ENISA standards, advocating a stronger tie between industry and a government committee on critical infrastructure, and all the usual vaporware that comes with the topic.

I stayed speechless while losing count of the times that – in about 27 years in the field – I’ve heard this kind of nonsense. These people care about the colour of the windows’ curtains while the house is still to be built. They think in terms of “national committee”, “global report”, “breach notification” while they still have to succeed in convincing people not to leave passwords on a post-it stuck to the monitor. This reminds me of a sketch from “I Maniaci“, an Italian movie from the Sixties, where His Excellency Micozzi, minister of defense (actor Raimondo Vianello), always answered journalists’ questions by saying “we shall appoint a committee to look further into the matter”, even on the day he was cautioned for alleged wrongdoing.

While the movie was supposed to be a comedy, seeing it today doesn’t elicit a laugh. The security issue is serious because, when the Echelon scandal exploded, we could claim that it was only a relative threat to Italy, since our communication infrastructure and our reliance upon it were from the stone age. But now things have changed enough to allow an attack(er) to actually endanger Italy as a country. And I can’t stop thinking of the Italian approach as being like the politburo of some (former) Eastern Bloc country, talking about Marxist orthodoxy while people in the squares were taking down Lenin’s statues.

We shall appoint a committee to look further into the matter.

Security is not a process, it is a product

No, I didn’t make a mistake. I actually meant that security is a product and not – as the mantra we have been hearing for decades goes – a process. The truth is that company departments are governed by this god called “budget”, and failing to fully spend it means that at the next round the financial controller will slash it, thus lowering the status and the power of the IT or security manager involved.

So money has to be spent, but how? Not on consulting or security management, of course. When incidents happen (as they do, more often than we may imagine or hope) the barrel starts rolling and everybody in the company keeps it rolling onto somebody else’s shoulders. And here comes the catch: nobody will ever be fired for having purchased stacks of “security-branded” boxes like firewalls, intrusion detection tools etc., even if these boxes aren’t properly deployed.

It’s easy to address the incident meeting with the CEO, the HR head and the legal department by saying: “look, we purchased the best things on the market, and to be sure that we were safe, we doubled all the components – you know, redundancy, high availability and those other things required by our security certification. Unfortunately these fucking Balkan hackers know better than the devil himself. But I have already worked out how to fix the problem: our supplier has been asked to provide its latest device, which will protect us better than ever. BTW, since we’re talking about that, though I got a fair price cut, the thing is costly and I need my budget to be extended. It’s for security’s sake!”

Now compare this statement with the following: “well, as you know, we didn’t need to spend money on hardware. Our firewalls are still capable and fit, so I focused on the internal checks. I hired a consulting firm to do a penetration test once a year (can’t do it more often because the company complained that these activities slow down the business), then I had another company monitor and analyze the daily flow of the traffic we generate (but the legal department prevented us from diving too deep into the origin of the connections, so we don’t actually know where the trojan came from), then I hired an auditor to check the software installed on each computer in use, but HR told us that we couldn’t do it on the top management’s laptops.”

And here comes the final question: which of the two security managers is going to be fired?

Data Protection vs Data Retention

One of the oddities of the Data Protection legal framework is the relationship between Data Retention and Data Protection, and the (wrong) notion that once the retention period has expired, the retained data must be deleted.

Let’s start from scratch: as long as the services work properly, an ISP has no need to preserve traffic data, but since we don’t live in a perfect world, problems happen, so it is necessary to retain some information for troubleshooting and traffic shaping; furthermore, customers’ claims, billing and legal issues strongly support the need to save some more information. Thus ISPs – though on a voluntary basis – do collect and retain traffic-related information as long as this information is useful to pursue legitimate goals.

Enter Data Retention. With a questionable motive, ISPs are now forced – forced – to retain some traffic data for a limited time for the sake of the law enforcement community. In other words, what before the Data Retention Era was voluntary is now mandatory.

But what happens when the mandatory retention period expires? The answer is (supposed to be) easy: the ordinary Data Protection legal regime comes back into force, so the ISPs are – or should be – free either to continue keeping those data (for legitimate purposes) or to delete them.

On Death and Corporate Culture

Giancarlo Livraghi, who passed away last Feb. 22, was not only one of the Fathers of the Italian Internet and a civil rights advocate. He was also one of the most influential players in the international advertising business. From 1980 to 1993, until he retired to focus on the cultural implications of the (then) newborn Internet, he founded and directed Livraghi, Ogilvy&Mather, now just Ogilvy Italia.

The sad news made a fast round of the advertising community, but neither the Ogilvy corporate site nor the Italian one spent a single word to say “good-bye” to one of its top men ever (at least: I looked thoroughly, and found nothing, even through Google). This fact reinforced a disturbing belief I’ve developed interacting with the US-based management style: when you’re gone, you’re gone, no matter how much good you did for the company. After all, a human being is just a “resource”.

Then compare this approach to the management style of Adriano Olivetti. True, Olivetti – the company that, before Richard Stallman, invented the powerful concept of Open System Architecture – is no more than a vague name in the ICT business. But its management style is still an unsurpassed way to make people work together.