Even if the computer is not important to us, we may find
that we have no electricity at home because of a hacker attack. And our
unawareness could cause serious damage to our companies. Let's find out why
ignoring cyber security is a carelessness that nobody can afford today.
The alarm has not sounded and the lamp next to the bedside
table does not light. You go to the bathroom and the hot water does not arrive. You try
making yourself a coffee, but the machine looks dead, and then you realize
that the house is cold and that the TV remains silent. What happened? There is
no electricity. What you will discover a few hours later is that the national
electricity grid has been hit by a cyber attack that has literally turned the
country off. Meanwhile, the phone has run out of battery, and in the following hours you
will discover chaos in the streets, worse than during a storm.
Cyber attacks on electrical networks
It is not an unlikely scenario. In recent months, cyber
security companies have detected patterns of attack on national electricity
grids in several European countries. Some failed, and at the time we knew nothing
about them, but we have since found out.
It has already happened, in Ukraine and in Estonia. These
types of attacks are organized by actors known as APTs (Advanced Persistent
Threats), which take their name from the technique they
use: they sneak into the target's computer systems and stay there, even for years, and only
after acquiring the data and information they need do they launch their
devastating attack.
Since they are well-organized and well-funded groups, we often
talk about nation-state actors, sponsored by rogue states, and their actions
seem to have more to do with cyber warfare, the kind fought by states in
cyberspace, than with the everyday reality of our connected lives.
Yet methods and tools are the same as those of groups of
cyber criminals who are more interested in profit than politics. Indeed, the
same groups often devote themselves to cybercrime only to finance the
development of new cyber-weapons.
We will also talk about this at IBM Think Milan - Security
Session on 11 June.
Why cyber security concerns everyone
In any case, an ordinary citizen should not have to worry about it,
since these are bigger matters, and after all there are
specialists who deal with them. Or not? The point is that it is often the ordinary
citizen who opens the front door to these attackers, in his role as worker,
consumer, volunteer or activist. Maybe he just made the mistake of opening an
infected email; maybe he let the children use the phone with which he
accesses the company network; maybe he clicked a strange pop-up on the computer; or
he used a trivial password to protect the social account he uses to work and
chat. Criminals often fish at random, but sometimes even this is a technique
to hit you specifically: you may be a journalist or a government consultant, chair a parliamentary
commission, or handle mergers and acquisitions for a high-level client.
Or, more simply, you work for a large company but have never been taught
anything about computer security.
But a cyber attacker only has to compromise one person's access to
the corporate network to undermine an entire organization: the human factor is
always the weak link in cybersecurity.
Yet cybersecurity is only talked about when something happens.
Remember the Meltdown and Spectre case? 2018 opened with the alarm over a bug in
Intel and AMD processors, which ended with suspicions of insider trading
against the Intel CEO: knowing about the flaw ahead of time, he would have been able to
sell company shares before the flaw was disclosed.
Then came the Cambridge Analytica case, which made us
discover that someone was able to use the profiling of personal tastes and
trends to sell us not books, shampoos and travel, but even candidates for
elections.
The year before, in 2017, the WannaCry ransomware had
blocked 300 thousand computers in 150 countries and brought to their knees for a few
days logistics companies like Maersk and the entire healthcare system of the United
Kingdom. The year before that, 2016, had brought to the forefront of the news an
attack on the Dyn servers that had brought the Internet to its knees on the
entire American east coast, making it impossible to access Twitter, Amazon,
Netflix and the New York Times. The attack was carried out using an army of 100,000 smart
objects networked together by the Mirai botnet. A variant of it was then
used to attack the Deutsche Telekom network, preventing several million Germans
from using phones and computers.
We could continue with the examples: these attacks are the
order of the day, but only the big ones are reported in the news.
The price of insecurity
According to the latest reports, companies and institutions
are not prepared to deal with cyber threats in the form of DDoS attacks, malware,
phishing, zero-days, backdoors and other exploits.
McAfee claims that cybercrime damage to the economy amounts
to $600 billion a year, 0.8% of global GDP. Other reports give different
figures, but only because they assess the damage in a different
way.
According to the CLUSIT association, cybercrime in Italy is
worth at least 10 billion, and according to Fastweb an Italian citizen is hit by
a cyber attack every five minutes. Confcommercio has estimated that in 2017
Italian businesses suffered damages of 2 billion euros due to cyber
attacks.
What must be understood is that every industrial sector is
at risk and that for this reason the necessary security measures must be taken,
starting from one realization: security is an investment, not a cost.
Yet according to a report by the Bank of Italy in 2016, to
prevent cyber attacks, the median company spent a modest sum, amounting to
4,530 euros: 15% of the gross annual salary of a representative worker.
However, the average values range from €3,120 for small businesses to
€19,080 for those in the ICT sector and €44,590 for large companies.
Rather little, don't you think?
Prepare to defend the perimeter
A successful cyber attack could represent the point of no
return for a company's credibility, or do so much damage as to bring it
first to its knees and then out of the market. The way forward is not to deny a
successful attack, but to be prepared to face it by minimizing the damage. The
question is in fact not whether we will be attacked but when, and the best
defense strategy is to make the attack expensive and complex, because
preventing it will not always be possible.
Some companies have begun to understand this and know that
the first line of defense against cyber attacks is made up of trained
personnel and a good organization capable of evaluating and securing corporate
IT assets, preparing tools for proper risk management, and having a disaster
recovery plan.
To assess IT security, it is necessary to identify the
threats, vulnerabilities and risks associated with IT assets, in order to protect them
from loss or attacks. The so-called risk analysis starts from the
identification of the assets to be protected, and then evaluates the possible
threats in terms of probability, occurrence, and severity of the damage. Based
on the risk estimate, it is decided whether, how and which security
countermeasures to adopt (risk management).
These processes are important because the attacker's goal is
not the IT systems themselves, but the data they contain. Computer security
must therefore take care to prevent access by both unauthorized users and
subjects with limited privileges, so that the data belonging to the computer
system cannot be copied, modified, deleted or "filtered".
Violations can take many forms: there may be unauthorized
attempts to access restricted areas, theft of digital identity or confidential
files, or use of resources that the user should not be able to use. IT security
also takes care of preventing denial-of-service situations, which aim to make
certain resources unusable so as to damage the system's users: customers, suppliers,
users.
Damages are often caused accidentally by the user himself
due to a bad implementation of hardware and software, or by service
interruptions or unexpected failures.
To avoid accidental events, there is no single solution: a
first remedy is system, data and application backup, a crucial procedure for
so-called "disaster recovery".
Intentional attacks instead belong to the category of theft,
damage, and sabotage, and include unauthorized access to data, systems and
information. They are the most dangerous. This is why it is important to be
prepared, to exchange information constantly and to share knowledge and skills
at the highest levels by having security experts talk with company management,
and to collaborate with the bodies and institutions in charge of defending and
managing the critical infrastructures and digital services on whose functioning
daily life depends.
In computer security it is good to remember that technical,
organizational, legal and human elements are always involved. The European
directive on data processing (GDPR) and the one on network and
information security (NIS) are a step forward in the development of this awareness,
but, as is known, companies are behind, and the government no less so.
It's time to take care of it. Before it's too late.