Newsletter n.12 / 2010
Due to the expansion of the association outside Italy, some articles will now be drafted in English.
The association is pleased to welcome:
ANSSAIF was invited to take part in the Italian ICT Auditors Association’s National Congress, held in Siena on October 21st and 22nd. The President’s speech, translated into English, follows.
“Dear President, Dear participants,
I am happy to be here, especially because in this moment of economic crisis, new threats and uncertainties, cooperation among associations is one of the most important things to do.
Before introducing the guest speakers to you, let me tell you that nowadays I am worried.
Yes, I am quite worried. As most of you know, I have more than 42 years of experience in the ICT arena and, in the last 10 years, particularly in Security and Business Continuity.
I have faced, as manager in charge of ICT in BNL, some of the most difficult moments for the continuity of the business: from the damage caused by viruses like Nimda, Code Red, Gaobot and Slammer, to phishing attacks against our customers, not forgetting bomb threats and terrorist attacks in some Countries where we are present.
We faced all those risks successfully, as all other major banking groups did.
This time I am quite worried. I don’t know what you think: I would like to have your opinion.
Until now, we have faced cyber criminals. This time we have to face cyber warfare, cyber terrorism. We might have to face criminals paid by a foreign government!
Are you asking me if I am sure?
Let me cite some recent episodes.
Security experts, like Richard Clarke, told a magazine that he believes that cyber attacks and cyber war are already under way.
Italian MP Mr. Giuliano Amato wrote a half-page article in the newspaper “Il Sole 24 Ore” (July 24th), saying that the Internal Intelligence (and Secret) Services must defend Italian Companies due to growing cyber attacks aimed at capturing companies’ confidential and secret information (he also cited the theft of an Italian Company’s patent, probably by a foreign entity).
Some Countries are declaring that cyber warfare is a real menace.
What can we do? What can you do?
As auditors, I think you must be sure that your Company’s BC Plans take into consideration the unavailability of ICT systems and that mitigating measures have been designed and tested.
If not already done, it is not an easy task. Let me explain with an example.
I remember that while carrying out the Business Continuity programme, I interviewed the business units, asking “what can you do if ICT systems are not available?”. They all replied: “no problem, we have a disaster recovery plan!”.
“But if, for example, a virus is blocking the network for a long time, what is going to be the impact?”. They stared at me as if I was out of my mind!
I patiently tried to discuss possible alternatives and, eventually, the process owners indicated to me what they believed they would need to carry out the processes, even at a minimum level of operability. They had an answer; they found the required answers, and they agreed that what they would need in case of unavailability of ICT systems had to be prepared in advance, before the event happens! And most of the solutions they found were very low cost!
That’s why it is important to evaluate even the remote possibility of a total unavailability of the ICT systems.
You must be prepared in advance. If an unavailability of the network or of the systems happens, you must have in place what is needed to continue operations: it can be an offline system with the latest information, or an agreement with an external entity, or whatever. You must think in advance, otherwise the Company faces a big risk and you are lost.
You must think that if someone highly skilled can get inside the systems, he can block them, working on both the production and backup files. Or he can block the network.
It happened in the late 1970s. A company nearly went bankrupt. It happened in 2001 and 2002 when new viruses blocked the networks.
Security has improved since then, surely.
But I want to underline that this time, if the alarm is true as it seems, we are not as prepared as in the past!
This is because it looks like we might also have to fight against foreign Governments or criminals financed by them! If they want to stop one Country's financial system, they only have to block two or three entities.
Therefore, this is my message:
Check Business Continuity Plans for completeness (including a temporary lack of ICT systems) and verify that they are up to date. Check the supply chain and, if necessary, review your company's outsourcing agreements.
What happened? The gossip site Gawker was compromised; users' passwords were captured and most of them were published.
As people generally use the same password for the different web sites they access, some major social networks have recommended that their users change their password.
What we can learn from the list of compromised passwords is that most users adopt very easy passwords. Some examples:
So customers cannot complain if their credentials have been captured!
What we have to recommend to our clients is not to use the same password when accessing their bank account. They should have at least two different passwords: one for sensitive, critical operations on the Internet, and another for surfing web pages.
Note that ANSSAIF's 2011 plan also includes a remake of our 2007 pamphlet with suggestions to Italian citizens for better protection of their identity.
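As an added illustration, not part of the newsletter, the following Python script runs the kind of audit an analyst performs on a leaked credential list like the one discussed above: it measures how many passwords are easy ones and finds accounts that reused the same password on several sites, including a bank. The dump, the site names and the small common-password list are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample dump of (site, account, plaintext password); not real leaked data.
SAMPLE_DUMP = [
    ("gossip-site.example", "alice@example.com", "123456"),
    ("gossip-site.example", "bob@example.com", "password"),
    ("gossip-site.example", "carol@example.com", "qwerty"),
    ("gossip-site.example", "dave@example.com", "Tr0ub4dor&3x!"),
    ("social-site.example", "alice@example.com", "123456"),
    ("social-site.example", "dave@example.com", "Tr0ub4dor&3x!"),
    ("bank.example", "bob@example.com", "password"),
    ("bank.example", "carol@example.com", "c0rr3ct-Horse-Battery"),
]
# Small constructed list of well-known easy passwords; a real audit would use a large wordlist.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "abc123", "letmein"}

def is_weak(password):
    """Easy password: on the common list, shorter than 8 characters, or a single character class."""
    if password.lower() in COMMON_PASSWORDS or len(password) < 8:
        return True
    classes = sum(1 for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]") if re.search(p, password))
    return classes < 2

def weak_fraction(dump):
    """Share of records in the dump whose password is weak."""
    passwords = [pw for _, _, pw in dump]
    return sum(1 for pw in passwords if is_weak(pw)) / len(passwords)

def reused_across_sites(dump):
    """Map account -> sorted list of sites on which that account used one identical password."""
    sites_by_credential = defaultdict(set)
    for site, account, password in dump:
        sites_by_credential[(account, password)].add(site)
    return {account: sorted(sites) for (account, _), sites in sites_by_credential.items()
            if len(sites) > 1}

def bank_password_shared(dump, bank_site):
    """Accounts whose bank password also appears in the dump for a non-bank site."""
    bank_creds = {(acct, pw) for site, acct, pw in dump if site == bank_site}
    other_creds = {(acct, pw) for site, acct, pw in dump if site != bank_site}
    return sorted(acct for acct, _ in bank_creds & other_creds)

if __name__ == "__main__":
    print(f"weak passwords: {weak_fraction(SAMPLE_DUMP):.0%}")
    print("reused across sites:", reused_across_sites(SAMPLE_DUMP))
    print("bank password reused elsewhere:", bank_password_shared(SAMPLE_DUMP, "bank.example"))
```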
We found of some interest an article by Joel F. Brenner, published in the November issue of Communications of the ACM.
He starts by recalling NSA's General Keith Alexander's declaration that even U.S. classified networks have been penetrated (who would have imagined?), and nobody knows who the intruders are!
In the recent past, every US President issued a Directive to fix the problem and then nothing happened.
Certainly a good question is: why nothing happened?
According to the author, one of the major problems is customers who don't want to pay for greater security, or to wait for a new application until it has better intrinsic security.
What must be done?
The author suggests 8 points, of which we found the following of some interest:
We mostly agree on the author's approach, and we believe that a more constructive role by the Government and the Public Administration is needed to start fighting cyber criminals.
So far, we have seen declarations and nothing else.
In the meantime, criminals succeed in getting inside our clients' computers and, probably, ours, stealing sensitive data.
* * * * * *
wishes you all
a Merry Christmas and a Happy New