IT Security – Page 27

March 21, 2014March 21, 2014

Security is not a process, is a product

No, I didn’t do a mistake. I actually meant that security is product and not – as the mantra we hear since decades – a process. Truth is that company departments are governed by this god called “budget” and failing to fully spend it means that at the next round the financial controller will bash it, thus lowering the status and the power of the involved IT or security manager.

So monies have to be spent but how? Not on consulting or security management, of course. When incidents happen (as they do, more often that we may imagine or hope) the barrel starts rolling and everybody in the company keep it rolling on somebody else’s shoulders. And here comes the catch: nobody will ever be fired for having purchased stacks of “security-branded” boxes like firewalls, intrusion detections tools etc. even if these boxes aren’t properly deployed.

It’s easy to address the incident meeting with the CEO, the HR head and the legals by saying: “look, we purchased the best things on the market, and to be sure that we were safe, we doubled all the components – you know, redundancy, high-availability and those other things required by our security certification. Unfortunately these fucking balcanian hackers know better then the devil itself. But I have already managed how to fix the problem: our supplier has been asked to provide its latest device that will protect us better than ever. BTW, since we’re talking about that, though I got a fair price cut, the thing is costly and I need my budget to be extended. Is for security sake!”

Now compare this statement with what follows: “well, as you know, we didn’t need to spend money on hardware. Our firewalls are still capable and fit, so I focused on the internal checks. I hired a consulting firm to do penetration test once-a-year (can’t do it more often because the company complained that these activities slow down the business), than I had another company to monitor and analyze the daily flow of the traffic we generate (but we have been prevented by the legals to dive much too deep into the origin of the connections, so we don’t actually know where did the trojan come from), I then hired an auditor to check the software installed on each computer in use, but the HR told us that we couldn’t do it on the high level management laptop.”

And here comes the final question: which one security manager is gonna be fired?

March 5, 2014March 5, 2014

Data Protection vs Data Retention

One of the oddities of the Data Protection legal framework is the relationship between Data Retention and Data Protection and the (wrong) notion that when the retention period has expired, the retained data must be deleted.

Let’s start from scratch: as soon as the services work properly, an ISP has no need to preserve the traffic data, but since we don’t live in a perfect world, problems happen so it is necessary to retain some information for troubleshooting and traffic shaping; furthermore, customers’ claims, billing and legal issues strongly support the need to save some more information. Thus, ISPs – though on a voluntary basis – do collect and retain traffic-related information as long as these information are useful to pursue legitimate goals.

Enter the Data Retention. With a questionable motive, ISPs are now forced – forced – to retain for a limited time some traffic data for the sake of the law enforcement community. In other words, what before the Data Rention Era was voluntary, now is mandatory.

But what happens when the mandatory retention period expires? The answer is (supposed to be) easy: the ordinary Data Protection legal regime comes back into force, so the ISPs are – or should be – free to either continue keeping those data (for legitimate purposes) or deleting it.

March 3, 2014

On Death and Corporate Culture

Giancarlo Livraghi, who passed awat last Feb. 22, is not only one of the Fathers of the Italian Internet and a civil rights advocate. He is one of the most influential player of the international advertising business.From 1980 to 1993, until he retired to focus himself on the cultural implication of the (then) newborn Internet, he founded and directed the Livraghi, Ogilvy&Mather, now just Ogilvy Italia.

The sad news made a fast round in the advertising community, but neither the Ogilvy corporate site nor the Italian spent a single word to say “good-bye” to one of its top men ever (at least: I thoroughly looked for, and found nothing, even through Google.) This fact reinforced a disturbing belief I’ve developed interacting with the US-based management style: when you’re gone, you’re gone, no matter how good you did for the company. After all, a human being is just a “resource”.

Then compare this approach to the management style of Adriano Olivetti. True, Olivetti ? – the company that, before Richard Stallman, invented the powerful concept of Open System Architecture – is no more than a vague name in the ICT business. But its management style is still an unsurpassed way to make people work together.

February 28, 2014February 28, 2014

Reverse Engineering of the gray world: Intelligence as a black-box

Back to one of my first love: next March 11 (Rome University La Sapienza) and 20 (Milan University Statale) I have been asked to talk about “Reverse Engineering of the gray world: Intelligence as a black-box” and “Use(less) online Open Source Intelligence”.

February 17, 2014February 17, 2014

Conversation on Evidence

“Discorsi sulla prova” (“Conversations on evidence”) is a conference that will be held in Milan, next Apr. 4.

Judges, philosophers, physicians and scientist will talk about the different meaning of the word “evidence” in their specific fields.

More info here.