
Newsletter December 2019 Bozza - GCSEC


events

Cybersecurity standardization
Location: Brussels, Belgium
Date: January 21, 2020
https://www.enisa.europa.eu/events/cybersecurity_standardisation/cybersecurity_standardisation
The draft "EU Cybersecurity Act", proposed one year ago, intends to establish a European cybersecurity certification framework for ICT products, services and processes. Standardisation will play an important role in the new framework. It is therefore crucial for all stakeholders (standardizers, policy makers, industry) to check where we stand today. The conference has discussed the remaining challenges in the standardisation landscape for cybersecurity in light of the new Act. The consequences for policy makers, industry, citizens, certification bodies and the European Standardization System were also covered.

SANS Threat Hunting London Summit & Training 2020
Location: London
Date: January 13-19, 2020
https://www.sans.org/event/threat-hunting-europe-2020?ref=infosec-conferences.com
Chances are very high that hidden threats already exist inside your organization's networks. No matter how thorough and sophisticated your security precautions may be, you cannot assume your security measures are impenetrable. By themselves, prevention systems are insufficient to counter focused human adversaries who know how to get around today's advanced security and monitoring tools. It takes highly skilled and focused defenders to defeat these persistent adversaries. The one-day Summit brings together prominent security practitioners for in-depth talks focused on techniques that can be used to successfully identify, contain and eliminate adversaries targeting your networks. As an attendee, you will walk away from this Summit with new tools and methods to leverage as soon as you return to work.

editorial

Live OnLife

The expression "OnLife" is a neologism coined in 2013 by Prof. Luciano Floridi to define the new digital society: a word that indicates the link between our digital and physical life experience (Online and Offline). A world with new rules, with liquid responsibilities shared between instruments and people, where the distinction between real and virtual is increasingly imperceptible. A relationship with technologies marked by the change in our habits, as CENSIS underlines in its Report. The report stresses how one Italian out of two checks the smartphone before falling asleep and just after waking up, while one out of four does not leave the house without a power bank (a spare battery). Numbers that should not surprise, since our entry hub to the digital world is now represented by this object that we continue, out of habit, to call a phone. A digital metamorphosis that is changing our habits and our interfaces, a digital future on which Shoshana Zuboff, Professor at Harvard Business School and author of the book "The Capitalism of Surveillance", also wonders. In the first pages the author opens the book with one question: "Can the digital future be our home?" A question that remains open in a scenario in which the digital world takes over and the idea of a predictable future slowly fades away. The knowledge factor becomes fundamental in this era, both as regards the education of new generations and as regards the use of digital tools and security issues.

The acceleration of digital technology has highlighted how the problem of cyber security is today one of the problems that have to be mitigated to ensure a successful transition. Institutions and organizations have a higher probability of receiving phishing or ransomware attacks today, and many of their employees and/or clients do not even know what these two names mean. In a context where access to information is unlimited, a worrying number of employees are not equipped to counter the growing number of attackers who target their workplaces every day, thus representing the weak link in the system. A continuous training program on cyber-security awareness and on the conscious use of digital technologies can guarantee organizations and the country the resilience that is essential for survival in this digital domain. We speak of continuous training because attack tools evolve and attackers will always find new methods to get into systems, and the differences can be so subtle to grasp that constantly updated skills are required. The advantages of these programs are immediately visible: increased organizational resilience mitigates security risk by reducing human error and process inefficiencies. Living OnLife in a conscious way is the step towards a transformation more and more suitable for people. Enjoy the reading…

Nicola Sotira
General Manager GCSEC

Page 2: Newsletter December2019 Bozza - GCSEC · Chances are very high that hidden threats already exist inside your organization's networks. ... resilience, essential for survival in this

in this issue

The importance of Business Continuity for every business and organizations
By Roberta Calderazzo - Researcher at the Intelligence Lab, University of Calabria

From IT Security to Cyber-Security, have VSEs and SMEs misunderstood this paradigm shift?
By Didier Spella - President at MIRAT DI NERIDE

Convergence and complementarity between national cyber security perimeter and NIS directive
By Gianluca Bocci - Security Professional Master, Poste Italiane SPA

The importance of Business Continuity for every business and organizations
By Roberta Calderazzo - Researcher at the Intelligence Lab, University of Calabria

In recent years Business Continuity (BC) has become a priority for corporate management. In an increasingly interconnected and integrated global economy, a disruption to a single service can threaten the entire business. Organizations now have to face ever more complex threats, both internal and external: terrorism, natural disasters, fire, flooding, power outages and IT system failures caused by unforeseen circumstances. An interruption of services usually affects the organization's ability to carry out its normal activities and consequently affects customers and other stakeholders, adding costs and creating the potential for financial and even social losses.

Every organization has come to recognize the importance and value of maintaining a business continuity and disaster recovery plan to avoid outages of its services and operations. Unexpected events can have severe effects on the business continuity of small and medium enterprises, to the point of making it impossible to keep up normal day-to-day activities.

According to the definition given in BS ISO 22301, business continuity is the capability of an organization to continue delivering products or services at acceptable predefined levels following a disruptive incident. Business continuity management has become a keyword for companies and governments that pay more attention to how fast processes and services recover in case of critical events.

Business Continuity Management (BCM) is also defined by the International Organization for Standardization (ISO) as a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. This definition applies from the public to the private sector, from banking to technology. Business continuity is also important when, in case of disruption, the interest to protect is the normal operation of essential services for citizens; in this sense business continuity is strategic for the Public Administration as well. Although the Italian legislator has repealed a regulation (1) that required public administrations to draw up business continuity and disaster recovery plans, it remains mandatory to preserve and control IT documents in order to minimize the risks of destruction, loss or unauthorized access (2). Cyber attacks, social media disinformation, the spread of malware (ransomware, trojans, worms), disruptive events and other similar scenarios represent potential risks for organizations. On the one hand, operational mistakes made by the workforce can compromise business continuity through inaccurate data entry or deletion.

On the other hand, malicious acts can be carried out to compromise the availability, integrity and confidentiality of information. The research and development of tools to prevent adverse circumstances highlights the need for companies to manage their organization from a perspective not only of protection but also of prevention. Planning a business continuity management process helps an organization to identify potential risks, prepare for emergencies and test how ready its business is to cope with a disaster, so as to preserve corporate value. BCM has a strategic relevance as it allows operational continuity to be restored. By using a BCM system, organizations are able to anticipate the threats created by incidents and their potential risks, reducing or even removing the costs or losses that would otherwise have emerged. A business continuity plan therefore allows the recovery of infrastructure, data and integrated systems, developing options and actions to enhance opportunities and reduce threats in a reasonable time and at a sustainable cost. The Business Impact Analysis (BIA) is the most important tool of a business continuity plan: the BIA helps an organization to identify its critical areas and evaluate how they could be affected by different threats. The BIA is preceded by a Risk Analysis that aims to analyze and evaluate vulnerabilities in order to develop strategies to mitigate risks. The attention progressively given to business continuity has led the European legislative process to adopt a new European framework that includes articles entirely dedicated to business continuity. For example, the Network and Information Security directive (NIS) EU 2016/1148 of 6 July 2016, concerning measures for a high common level of security of network and information systems across the Union, has introduced security measures and incident reporting obligations for Operators of Essential Services (OES) and Digital Service Providers (DSP) (3).

Business continuity and data availability are central points for the General Data Protection Regulation (EU) 2016/679 (GDPR) as well. According to Article 32, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

Case Study: How Maersk survived a cyber-attack

To better understand the importance of a business continuity management system, we summarize how Maersk, one of the world's biggest shipping companies, survived a cyber-attack. Maersk's operations and services were disrupted, but the company showed the capability to partially recover normal business, avoiding reputational damage and reducing financial losses. In June 2017, A.P. Moller – Maersk, known as Maersk, the giant Danish shipping company, was hit by a massive cyber-attack caused by the NotPetya malware, which in the same year damaged several organizations globally. As a consequence of the attack, an outage of Maersk's transport and logistics activities occurred, causing a sudden crash.

Although the recovery of the IT systems was fast, the attack forced Maersk's container ships to stand still at sea and its 76 terminals were halted globally. The attack cost up to 300 million dollars to cover IT recovery, loss of revenue and other costs connected to restoring many operations. This case describes a typical situation where a human error in cybersecurity can lead to huge damage that severely compromises the whole system. The NotPetya malware spread when an employee in Ukraine answered an e-mail that contained the malware. The system was thus affected and all operations were disrupted, including system recovery. In spite of a series of security measures taken by Maersk, the cyber-attack was conducted successfully. It is curious that the organization stated that attention had been directed to improvements in cyber resilience and a focus on business continuity management in the event that IT systems, despite their efforts, would have been affected. The incident was severe, but the organization quickly reacted, under the control of the CEO and top management, from the IT experts to the communication team, which handled the communication in an excellent way from the start of the incident to the restoration of the systems. To manage the crisis the company took several actions. Above all, the CEO took part in all meetings in order to take immediate decisions. Internal and external communications were managed through daily updates to the various stakeholders. After the cyber-attack Maersk adopted a new cyber security model to improve its cyber resilience, enhance the IT infrastructure platform and IT service continuity, and reinforce its business continuity plans. From this case some lessons can be learned. The possibility that a cyber threat succeeds remains high despite the organization's efforts to cope with it. For this reason, it is important to maintain a cyber-resilient organization and be prepared for emergencies. The role played by top management and the decisions taken are strategic both for the communication strategy and for business continuity. The security awareness of the whole workforce, at all levels, is fundamental, and disaster recovery and response plans have to be tested to keep finding new mitigation actions against possible cyber threats. The success of Maersk's response arises from a combination of mechanisms: the way the company managed communication is one of the major successes of its crisis management. Maersk also faced up to the crisis, showing the guidelines to contain the damage. When a company falls victim to a cyber-attack, protecting its employees and customers and preventing similar incidents in the future is a priority.

Conclusions

This brief analysis leads to some conclusions about the importance of business continuity as a method of improvement for all organizations in the digital era. Any type of incident, from natural disasters to a cyber-attack able to disrupt an organization's IT systems, could bring serious damage and a consequent loss of profit, undermining its reputation. A company capable of ensuring an adequate level of information security and a business continuity management system increases its own value. Before implementing emergency measures to reduce the damage arising from a crisis, companies should think about how to organize themselves to avoid the crisis, adopting preventive actions. An organization that wants to develop and enhance its risk management capabilities should implement international best practices from a perspective of continuous improvement. Business continuity is a holistic discipline that involves all areas of an organization. Information security and employee behavior are central aspects of a business continuity system. Providing information and training to employees about security risks is not only a regulatory obligation but is fundamental from a prevention perspective. If we consider that 80% of cyber incidents are caused by human error, it is obvious that the security awareness of employees becomes essential for the resilience of the organization. Security awareness training educates users about common cyber threats and helps them recognize the importance of basic security precautions.

The case study analyzed above is a positive example of crisis management, while many organizations do not have backup systems able to restore IT systems in case of incident. Developing resilience to deal with common threats requires planning human and economic resources, to avoid an increase in costs and a loss of confidence among stakeholders during an emergency.

(1) Article 50 of the Digital Administration Code (CAD)
(2) Article 51 of the CAD
(3) Article 16 "Security requirements and incident notification", Directive (EU) 2016/1148

news

Cyber Security for Critical Assets Conference Returns to Dubai for the 4th Edition of the MENA Series
Location: Dubai
Date: January 20-21, 2020
https://mena.cs4ca.com/
#CS4CA MENA is the region's leading cyber security conference, promoting in-depth knowledge and collaboration among senior IT & OT security leaders. The conference unites major critical asset owners from Oil & Gas, Chemical, Aviation, Mining, Transport and other critical industries. While geopolitics shapes the security outlook of the region, the growing appetite for IIoT presents a complex risk environment for stakeholders. This has caused the security of industrial operations to take centre stage in the C-suite.

ENISA proposes Best Practices and Techniques for Pseudonymisation
https://www.enisa.europa.eu/news/enisa-news/enisa-proposes-best-practices-and-techniques-for-pseudonymisation
The European Union Agency for Cybersecurity (ENISA) published a new report on "Pseudonymisation Techniques and Best Practices", which explores the basic notions of pseudonymisation, as well as technical solutions that can support implementation in practice. In the light of the General Data Protection Regulation (GDPR), the challenge of proper application of pseudonymisation to personal data is gradually becoming a highly debated topic in many different communities, ranging from research and academia to justice and law enforcement and to compliance management in several organisations across Europe. The ENISA "Pseudonymisation techniques and best practices" report, among other things, discusses the parameters that may influence the choice of pseudonymisation techniques in practice, such as data protection, utility, scalability and recovery. It also builds on specific use cases for the pseudonymisation of certain types of identifiers (IP addresses, email addresses, complex data sets).

Europol Shuts Down Over 30,500 Piracy Websites in Global Operation
https://thehackernews.com/2019/12/counterfeit-piracy-websites.html
In a coordinated global law enforcement operation, Europol has taken down more than 30,500 websites for distributing counterfeit and pirated items over the Internet and arrested three suspects. Among other things, the seized domains reportedly offered various counterfeit goods and pirated products and services, including pirated movies, illegal television streaming, music, electronics, cracked software downloads, counterfeit pharmaceuticals and other illicit products.

Modern Intel CPUs Plagued By Plundervolt Attack
https://threatpost.com/intel-cpus-plundervolt-attack/151006/
The Intel attack uses a technique similar to the one gamers commonly use to overclock their CPUs. Researchers have discovered a new attack impacting modern Intel CPUs, which could allow an attacker to extract highly sensitive information, such as encryption keys, from affected processors by altering their voltage. The attack, dubbed "Plundervolt", centers around Intel Software Guard Extensions (SGX), a set of security-related instruction codes built into Intel CPUs. Intel SGX shields sensitive data, such as AES encryption keys, inside "enclaves", which are physically separate from other CPU memory and are protected by software encryption. However, researchers uncovered a way to target the safeguards used by PC operating systems (OS) to control processor voltage and frequency, tampering with them to alter the bits held inside Intel SGX and create exploitable glitches.

CVE-2019-14899 flaw allows hijacking VPN connections on Linux, Unix systems
https://securityaffairs.co/wordpress/94764/hacking/cve-2019-14899-vpn-
Researchers discovered a vulnerability tracked as CVE-2019-14899 that can be exploited to hijack active TCP connections in a VPN tunnel. Researchers from the University of New Mexico have discovered a vulnerability, tracked as CVE-2019-14899, that can be exploited by an attacker to determine if a user is connected to a VPN and hijack active TCP connections in a VPN tunnel. The flaw could be exploited by an attacker who shares the same network segment with the targeted user to determine if they are using a VPN, obtain the virtual IP address, determine if the target is currently visiting a specified website, and even inject data into the TCP stream. The experts explained that in this way it is possible to hijack active connections within the VPN tunnel.

DNS over HTTPS' threat to enterprise security
https://www.helpnetsecurity.com/2019/12/09/dns-over-https/
DNS over HTTPS (DoH) is here, regardless of who likes it or not. Unfortunately, a majority of guidance surrounding DoH is centered around individual consumer perspectives. For enterprise security leaders looking to manage the risks of DoH, that hasn't been entirely helpful. To clarify the impacts of DoH on enterprise networks and how to manage them, I recently spoke with Chairman and CEO of Farsight Security, Paul Vixie. Below is a summary of the main points we covered. In the year since the Internet Engineering Task Force (IETF) first published it as a standard, its impact on security and network operations has rightly been the subject of debate and discussion. Despite this, a number of browser vendors have already rolled out support for DoH, including Chrome and Firefox. Their official goal? To add privacy to internet communications. Microsoft has also announced DoH support in its Windows operating system, though in a different way than the browsers.

TrickBot Trojan Abuses Google Suite, Baits With Annual Bonuses
https://www.bleepingcomputer.com/news/security/trickbot-trojan-abuses-google-suite-baits-with-annual-bonuses/
A recently active malicious campaign baited targets with phishing messages promising annual bonuses, abusing Google Suite cloud services to infect them with TrickBot banking Trojan payloads. TrickBot (aka TrickLoader, Trickster and TheTrick) is a modular information stealer regularly upgraded with new capabilities and modules since October 2016, when it was first spotted in the wild by Malwarebytes Labs' malware analyst Jérôme Segura. This campaign's bait emails were sent using the legitimate SendGrid cloud-based email delivery platform in an attempt to conceal their malicious nature, as well as to obfuscate the links used throughout the infection chain, as researchers at Palo Alto Networks' Unit 42 found.

Microsoft details the most clever phishing techniques it saw in 2019
https://www.zdnet.com/article/microsoft-details-the-most-clever-phishing-techniques-it-saw-in-2019/
Earlier this month, Microsoft released a report on this year's malware and cyber-security trends. Among the few trends highlighted in the report was that phishing was one of the few attack vectors that saw a rise in activity over the past two years. Microsoft said that phishing attempts grew from under 0.2% in January 2018 to around 0.6% in October 2019, where 0.6% represented the percentage of phishing emails detected out of the total volume of emails the company analyzed. While phishing attacks increased, the number of ransomware, crypto-mining and other malware infections went down, the company said at the time.

From IT Security to Cyber-Security, have VSEs and SMEs misunderstood this paradigm shift?
By Didier Spella - President at MIRAT DI NERIDE

The days when cyber attacks hit a few unlucky SMEs are over. Very profitable for cybercriminals because they are easier to attack than large groups, they have now become a prime target. In the last 12 months, 21% have been victims of a cyber attack. If the cost of these rarely exceeds €10,000, it can happen in very rare cases that the victim company does not recover, especially when the case becomes public. (01/02/2019 - Damien Bancal) (1)

A "beautiful order..."

Another one of those sunny mornings that make this region so charming. It is time to go to the oyster beds, because the tide does not wait. This morning René, our oyster farmer, has a big order to ship. Last night he received a special request by email from his regular customer, and he replied that he would do everything in his power to honour it. When the oysters come back from the beds, it takes only a few hours to crate the 2 tons of oysters, and the driver is already ready to leave for Spain. This time the place of delivery has changed, but these things happen. The day goes on; all that remains is to send the invoice... Two days later, on Thursday, a new order arrives from his customer. René takes the opportunity to call him: "How was your Tuesday order? Did you like it?"

"What order? I haven't ordered anything from you in three weeks." "But what about your message on Monday, the 2 tons of oysters?" "I never sent you a message on Monday, I had been in Morocco since Saturday. I came home Tuesday night. I even put pictures on my Facebook page." René begins to realize that he has just been swindled... Someone pretended to be his customer. Looking back at the email address of the order, he realizes that it is slightly different. Yes, another identity theft... The cyber criminal observed this entrepreneur's exchanges and monitored the customer...

This is a fairly classic case of fraud against a small business. The attacker could just as easily have encrypted the data on his computer and demanded a ransom...
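The two warning signs in the story above, a sender address that is almost but not quite the regular customer's and an order that changes the delivery place, are exactly what a small business can check mechanically before shipping. The following is an added example written for this newsletter, not code from the article or from MIRAT DI NERIDE: it compares each order's sender address against a known-contacts list, folds look-alike characters so that substitutions such as "rn" for "m" or "1" for "l" are caught, and combines the result with the delivery-change signal. The address book, the confusable table and the sample messages are constructed assumptions.

```python
# Added example (not from the newsletter): flagging order e-mails whose
# sender address nearly matches a known contact, plus a changed delivery
# address, as in the oyster-farmer story. All names, addresses and messages
# below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Hypothetical address book: the contacts the business normally trades with.
KNOWN_CONTACTS = {
    "orders@mariscos-delnorte.es": "regular customer (Spain)",
    "compta@huitres-rene.fr": "own accountant",
}

# Character pairs that look alike in common fonts. Folding them before the
# comparison makes "rnariscos" and "de1norte" collapse onto the real spelling.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold(s: str) -> str:
    """Lower-case and replace confusable characters by their look-alike."""
    s = s.lower()
    for a, b in CONFUSABLES:
        s = s.replace(a, b)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    sender: str
    status: str                 # "known", "lookalike" or "unknown"
    closest: Optional[str]      # the known contact it resembles, if any
    distance: Optional[int]     # edit distance after folding, if any


def classify_sender(sender: str, max_distance: int = 2) -> Verdict:
    """Exact match -> known. A small edit distance on the folded address
    (including an exact match only after folding) -> lookalike. Else unknown."""
    s = sender.lower()
    if s in KNOWN_CONTACTS:
        return Verdict(sender, "known", s, 0)
    best, best_d = None, None
    for known in KNOWN_CONTACTS:
        d = levenshtein(fold(s), fold(known))
        if best_d is None or d < best_d:
            best, best_d = known, d
    if best_d is not None and best_d <= max_distance:
        return Verdict(sender, "lookalike", best, best_d)
    return Verdict(sender, "unknown", None, None)


def triage(msg: dict) -> list:
    """Return the list of reasons an incoming order should be verified by phone
    before shipping; an empty list means nothing suspicious was found."""
    reasons = []
    v = classify_sender(msg["from"])
    if v.status == "lookalike":
        reasons.append(f"sender resembles known contact {v.closest} (edit distance {v.distance})")
    elif v.status == "unknown":
        reasons.append("sender not in address book")
    if msg.get("delivery_changed"):
        reasons.append("delivery address differs from previous orders")
    return reasons


# Constructed sample orders: the first is genuine, the second mirrors the story.
SAMPLE_ORDERS = [
    {"from": "orders@mariscos-delnorte.es", "subject": "2 tons, usual address", "delivery_changed": False},
    {"from": "orders@mariscos-de1norte.es", "subject": "Urgent: 2 tons, new address", "delivery_changed": True},
    {"from": "newsletter@example.org", "subject": "Offer", "delivery_changed": False},
]

if __name__ == "__main__":
    for order in SAMPLE_ORDERS:
        print(order["from"], "->", triage(order) or "ok")
```

The folding step is what catches the story's "slightly different" address: a digit-for-letter or "rn"-for-"m" swap has an edit distance of zero after folding, so it is reported as a look-alike even though the raw strings differ. A higher `max_distance` widens the net at the cost of more calls to verify; in practice any order with a non-empty reason list should be confirmed through a channel the attacker does not control, such as a phone number already on file.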

1. The context

Whether they are Small and Medium Enterprises (SMEs) or Very Small Enterprises (VSEs), their common feature is the centralization of the company's management. This gives them a real competitive advantage because, with limited human resources, these companies are much more responsive and flexible than structures belonging to large groups.

To really contextualize VSEs and SMEs, they must be defined. To do this, we will use the definitions published in "Economie Magazine".

1.1. A technical distinction

Often, we tend to confuse the VSE with the SME. However, these two notions are really different.

Let us start with the Very Small Enterprise. It is customary to qualify as VSEs all structures with legal personality whose number of employees is less than ten. In addition, the annual turnover or balance sheet total of these VSEs must not exceed the ceiling of two million euros. In the vast majority of cases this form of company is a sole proprietorship, i.e. without employees; it is also called a "microenterprise". It corresponds to the needs of self-employed workers such as craftsmen, traders or the liberal professions. Since starting up this type of business does not require many resources, either human or financial, VSEs are the main source of business start-ups in France: according to statistics, nearly 93% of the companies created in France are microenterprises. The particularity reserved for microenterprises concerns their specific tax regime.

Compared to the VSE, the Small and Medium Enterprise stands out by its size. To date there is no precise definition of these types of companies, but the definition that seems to prevail is that of European Recommendation 96/280/EC of 3 April 1996, amended by Recommendation 2003/361/EC of 6 May 2003. These texts classify companies according to two combined data: their size and their turnover. Companies are thus defined as small enterprises if they have between ten and fifty employees and their turnover and balance sheet total do not exceed ten million euros per year.

Between fifty-one and two hundred and fifty employees, we can define "medium-sized enterprises", whose turnover will be less than fifty million euros and whose annual balance sheet total is capped at forty-three million euros.

Over two hundred and fifty employees, we will then speak of a "large company".


1.2. A few figures....

According to a PWC study, cyber security is an issue today for less than a third of French companies. Moreover, two thirds consider that the risk of a cyber threat to their company is not significant. Perhaps most seriously, only 2 out of 10 companies feel fully capable of handling a cyber attack. To complete the picture, less than one in five companies has actually implemented protective measures. Finally, 95% of companies do not plan to hire a person dedicated to cyber security in the next 12 months (2).

Two very worrying graphics from PWC's report "Les entreprises face aux enjeux de la cybersécurité" (October 2018) ©PWC France


1.3. What are those cyber risks?

Cyber risks are of two kinds:

• direct risks on the technical environment of Information and Communication Technologies (ICTs),

• more "classic" risks that concern environments using ICTs.

It is clear that the problem cannot be reduced to a strengthening of ICTs.

1.4. The digital space

First of all, it is necessary to define what the digital space covers. We will use this definition: all the paradigms that are used to provide the service expected of a digital machine. These paradigms, from which the digital space has developed, are four in number.

The first is electricity, in the sense of positive and negative "ions", and all the properties that result from it: energy transport, but also electromagnetism, radio waves, radiation, etc. The second is the paradigm of any digital machine that uses all or part of the standard architecture defined by von Neumann. The third concerns communication. It can be summarized as follows: the transmission of a message requires a transmitter and a receiver, which encode and decode the transmitted message through a transmission channel. The fourth is data, of which we will retain three properties: availability, confidentiality and, finally, integrity.

2. Computer Security....

When the digital world is born, we are faced with imposing digital machines that have to be housed in dedicated locations. They are expensive, as are all the peripherals associated with them. They are administered by qualified personnel and require continuous monitoring. Logical access to them is limited, because there are few means of connection and very limited throughput. As a result, only the functions that can be digitized are developed and processed on these machines, which have limited resources.

Next-gen "bunkers" : Mount 10, a.k.a. "Swiss Fort Knox", a server bunker made from a former Swiss Army secret base ©Mount10


We are then in the presence of computer centers, real physical "bunkers", which mainly offer electrical protection in terms of availability. A large and qualified staff is employed there. Users of the system are at best connected by wire to process some information; at worst, they initiate processing operations whose results are returned to them as printed documents (listings). No processing resources are relocated. Network protocols are rigid and complex, but easily traceable. Throughput is limited. The main priority for data is availability. We are in a technical, cumbersome, resource-intensive and specialized environment: in fact, a fairly closed world whose users, "attached" to a processing center, must respect its rules and constraints. Our four paradigms then appear as pillars. We are really dealing with physical and technical security, used by a technical world and implemented by specialists. For VSEs and SMEs, digital investment is rare and specific. Machines must be installed by experienced service providers. The entire management of the system is entrusted to a specialist in larger structures, or totally outsourced to a service provider.

3. ...To cyber security

3.1. A definition of Cybersecurity

Cybersecurity (according to ANSSI) is the desired state of an information system that enables it to resist cyberspace events that could compromise the availability, integrity or confidentiality of stored, processed or transmitted data and of the related services that these systems offer or make accessible. Cybersecurity uses information system security techniques and is based on the fight against cybercrime and the establishment of cyber defence.

3.2. The evolutions

Over the last 20 years, the 4 paradigms have undergone changes. Electricity has seen its properties developed and used, particularly in terms of energy consumption and its electromagnetic, radiation and wave properties... The von Neumann machine has been reduced, miniaturized and hardened. It fits into very small, portable machines. They are more robust and do not require regulated environments. In addition, the systems can be preconfigured on the machine. Their costs keep falling. Distributed in "general public" shops, they can be set up by non-specialists. Communications have undergone phenomenal evolutions in terms of media, whose speeds are increasing, and of protocols, which are simpler. The combined package then allows "cloudy" diffusions, making all forms of cable obsolete. We no longer need network expertise to implement these communications. As far as data is concerned, while its availability is ensured by increasingly efficient, miniaturized and inexpensive media, and its confidentiality seems fairly simple to ensure, its integrity becomes the new security issue.

These developments have led to a complete popularization of this digital technology, which then appears simple and inexpensive. We can digitize everything, so everything is digitized. The power over the computer system moves from experts and specialists to end users, who no longer need to know these technologies. All management of the digital world is vested in the end user. Technologies have evolved to enable the end user to manage this, but they open up new avenues for fraudulent activities around this digital world. Gone are the secure bunkers where the processing machines were positioned. Gone are the protocols that made it possible to follow the progress of the frames. We are in an open technological world, implemented by users.

Faced with the evolution of these paradigms, we can understand the confusion of business leaders in very small and small businesses. The 4 pillars of digital technology have become the 4 horsemen of the apocalypse.

4. How to move from IT security to cyber security

After this sobering observation, it is time to identify some areas of evolution in order to help business leaders better understand these changes. It is therefore necessary to address the problem of cybersecurity not as a technical problem but as a societal one. The company manager must therefore take it over, involving the IT manager (for those who have one) and/or their service providers (for the others). They are key players in this process. However, they are not the only ones who should be involved.


Risk-cost-protection basic scheme © Eidebally

4.1. Acceptable objectives - risk

It is first up to the company manager to identify all his risks. For every area of the company, this approach will require a detailed analysis. Based on it, the company manager will have to start by improving his safety and then his security, in order to reduce all the risks initially identified. He may even transfer some of these risks to an insurer specialized in the field concerned. His risk then becomes acceptable.

4.2. Acceptable objectives - cost

All the solutions that the business leader will have to implement will have a cost for his company. He will have to compare these costs with the cost of a claim arising from the risks assessed at the time of the analysis. This approach makes the cost acceptable.

4.3. Acceptable objectives - protection

The means implemented must be accepted by all the company's internal and external stakeholders. If protection is not accepted by all employees, a "Katangese" effect will develop and the means implemented will be dreadfully ineffective. We can see that these objectives can only be defined by the entrepreneur, and this is perhaps where there is a strong contradiction for him. On the one hand, the protection of a technical world can only be achieved through non-specialist approaches. On the other hand, whether for risks or protection, all employees are concerned. It is therefore necessary to take a "human" approach to these problems. It is the term of protection that becomes acceptable...

5. An implementation....

Beyond the technical solutions that will be built and implemented by specialists in the field (and here we find, in part, our IT security), it will be necessary to review the company's organization. All digital components, whether personal or professional, as well as their uses and context of use, then present the risk of no longer being protected by the technical equipment used in the professional environment. It will therefore be necessary to review the rules of use of all these "digital" components, and to educate employees in order to develop a collective awareness within the company. All this clearly shows the problems faced by our VSEs and SMEs. Focused on the productivity essential to their survival, they use a technology that has evolved along divergent lines. This requires them to reflect not only on a technological aspect but also on a societal one. Our awareness-raising must focus on these aspects in order to help business leaders better understand their approach to cyber security.


Convergence and complementarity between national cyber security perimeter and NIS directive

Only 6 months have passed since the publication of the latest article on cyber security, in which I outlined the main aspects of the new Regulation (EU) 2019/881 of the European Parliament and the Council, the so-called "Cybersecurity Act" [4]. Recent legislative interventions lead us once again to examine how the cyber security ecosystem of our country is evolving. Last September 21st, decree law No 105 was published in the G.U. (Gazzetta Ufficiale), bearing "Urgent provisions on the National Cyber Security Perimeter"; on November 8, the decree of the Presidency of the Council of Ministers bearing "Provisions on the organization and operation of the computer security incident response team - Italian CSIRT"; and finally, on November 20, 2019 [5], Law No 133/09, bearing "Urgent provisions on the National Cyber Security Perimeter and the regulation of special powers in areas of strategic importance" [6]. With the latter measure, the aforementioned decree law No 105 was converted into law, with the changes made by the Chamber of Deputies and the Senate of the Republic. These are measures of great interest and relevance to our country, able as a whole to stimulate reflections and considerations on the evolution of our cyber security ecosystem, starting from the national cyber security perimeter, as well as on its relationship with the so-called NIS directive and its national implementation based on legislative decree No. 65 of May 18th 2018.

National Cyber Security Perimeter

With the conversion into law of decree law No 105 of 21 September 2019, the national cyber security perimeter is established and, at the same time, the special powers of the Government in sectors of strategic importance are regulated.

Before going into the substance of the main elements that characterize the national cyber security perimeter, we want to recall, albeit briefly, how the cyber security architecture of reference in our country, on which the perimeter and the NIS directive rest, was born and then evolved in recent years. With the decree of the Presidency of the Council of Ministers of 24 January 2013, the so-called Monti decree, the architecture designated for the protection of the national security of critical material and intangible infrastructures was formed, with particular reference to cyber protection, specifying and assigning the tasks of each identified component, as well as procedures useful to limit vulnerabilities, prevent risks, respond promptly to attacks and restore, as quickly as possible, the functionality of the impacted systems. Pursuant to that decree, the "National Strategic Framework for Cyber Space Security" and the "National Plan for Cyber Protection and Information Security" were published, which set out the objectives that the Government had set for itself and, as already partly mentioned, simultaneously attributed roles and responsibilities to all the parties involved, so that they could guarantee an effective and efficient cyber protection capacity in a coordinated manner. With the decree of the Presidency of the Council of Ministers of 17 February 2017, the so-called Gentiloni Decree, and in light of the NIS Directive, the architecture was revisited, especially in terms of roles and responsibilities, finding in the intelligence area, with the Department of Information for Security (DIS), the new centre of gravity for the governance of the functional processes for cyber protection. Taking advantage of this complex organizational machine, already available and oriented to cyber security issues, the following measures found fertile ground for adoption:

• the Directive (EU) 2016/1148 of the European Parliament and of the Council, referred to above as the NIS directive, which, implemented in Italy with Legislative Decree No. 65 of May 18, 2018, sets the goal, at EU level, of increasing the cyber security of all those who provide, and in this sense can guarantee the supply of, those services essential for the maintenance of social and/or economic activities on which citizens, businesses and markets in general depend. It is precisely at this juncture, with an adaptation [7] of the national cyber security architecture, that the Italian CSIRT is established at the Presidency of the Council of Ministers, with the primary purpose of managing notifications of cyber incidents by operators of essential services, an activity previously carried out by the National CERT [8] for businesses and citizens and by cert-PA [9] for subjects belonging to the Public Administration. The organizational aspects of the Italian CSIRT are regulated precisely in the recent Decree of the Presidency of the Council of Ministers published on November 8, 2019, bearing "Provisions on the organization and operation of the Computer security incident response team - Italian CSIRT".

[4] https://www.cybertrends.it/cybersecurity-act-un-nuovo-tassello-nella-strategia-cyber-sec-dellunione-europea/
[5] https://www.gazzettaufficiale.it/eli/id/2019/11/20/19G00140/sg
[6] Pointed out what has changed with the conversion into law
[7] https://www.csirt-ita.it/
[8] https://www.certnazionale.it/
[9] https://www.cert-pa.it/

Convergence and complementarity between national cyber security perimeter and NIS directive By Gianluca Bocci – Security Professional Master, Poste Italiane SPA

• the decree law No 105 of 21 September 2019 which, converted into law on 14 November 2019, defines the "National Cyber Security Perimeter", which, unlike the measure in the previous point, focuses on and aims to ensure a high level of security of the networks, information systems and IT services of subjects on which the exercise of an essential function of the State depends, and whose services, if disrupted, could jeopardize national security.

Figure 1- Holistic ecosystem for the protection of the Country System cyber space

The objectives to be pursued with the National Cyber Security Perimeter and the NIS Directive are therefore substantially different. Whilst the NIS Directive focuses on all those essential elements for which the central role of "market security" [10] is evident, the National Cyber Security Perimeter is centred on "state security" [11], which is why, in the latter case, the references to the protection of 5G networks and to the expansion of the Golden Power, with the extension of the Government's special powers to technologically advanced sectors, are clear and unequivocal. For these reasons, the National Cyber Security Perimeter gives the cyber security ecosystem of our country a "holistic" character, extending the technical, organizational and procedural indications for raising the cyber security levels of networks and systems (inspired by the National Framework for Cyber Security and Data Protection [12]) even to those companies and public and private entities that, although not covered by the NIS Directive, nonetheless have a relationship with the essential functions of the State and with national security; in other words, the National Cyber Security Perimeter, leveraging a principle of complementarity with the NIS Directive, extends and strengthens more generally the cyber defence capability of the Country System.

Conclusion

Thus, with the establishment of the National Cyber Security Perimeter, a circle that had remained open is closed: the obligations for raising the security of services are now extended to all those operators that, although not formally included among the providers of essential services registered according to the standard criteria established at European level by the NIS Directive, play a crucial role for the security of the country and should therefore guarantee even higher levels of security.

[10] Directive (EU) 2016/1148 of the European Parliament and of the Council, Art. 1, "This directive establishes measures aimed at achieving a common high level of network and information system security in the Union in order to improve the functioning of the internal market"; similarly, legislative decree 18 May 2018, n. 65, with which the Directive is implemented in Italy, in Art. 4 points out that among the criteria for identifying operators of essential services is that the subject must provide a service that is essential for the maintenance of fundamental social and/or economic activities.

[11] Decree law No. 105 of September 21, 2019, Art. 1, "In order to ensure a high level of security of networks, information systems and IT services of the public administration, national bodies and operators, public and private, on which depends the exercise of an essential function of the State, that is the performance of an essential service for maintaining civilian, social or economic activities that are fundamental for the interests of the State, and from whose malfunction, interruption, even partial, or misuse a prejudice to national security could arise, the national cyber security perimeter is established".

[12] https://www.cybersecurityframework.it/


GCSEC - Global Cyber Security Center Viale Europa, 175 - 00144 Rome - Italy

https://www.gcsec.org
