Compliance with General Data Protection Regulation (GSPR) and ISO. May 25th has arrived, but most of the work is still to be done. Make yourself comfortable and relax. We will hear about GDPR for much longer. It’s the year of cybersecurity.
If you hadn’t noticed the hundreds of emails and notifications, the General Data Protection Regulation entered into force on the 25th of May. But this is only the beginning, the great changes regarding the personal data protection will be developed over time.
The General Data Protection Regulation is a regulation for the processing of personal data of citizens and residents of the European Union, both within and outside EU borders. But we want to talk also about defense against malware, DDoS, access management, anti-fraud. Perimeter, application and infrastructure prevention and protection. The opportunity is propitious (?) to take stock of the ICT security challenges with Claudio de Rossi, head of Spindox’s Cybersecurity service line.
From our company to our home, from smartphones to cars: everything around us is cyber today. And, at the same time, exposed to cyber attacks. For this reason, security is now a cross-cutting issue that we can no longer avoid facing. In private and professional life.
In Spindox we have been dealing with cybersecurity for a long time, going through all the end-to-end business management: on the one hand compliance, on the other the technology. “Two worlds in Spindox’s offer that come together in a holistic consulting proposal for the customer.” We are talking about a service line entirely dedicated to Cyber security, like Claudio de Rossi tells us. Claudio has a background as web application developer and ethical hacker, Project Manager, consultant and cybersecurity expert. Today, he is the head of the new Spindox cybersecurity proposal.
Introducing Cybersecurity
Producing software means facing potential vulnerabilities. For this reason, the supply of application security services becomes fundamental. This means an effective consultancy on the introduction of SSDLC excellent practices (Secure Software Development LifeCycle) within the software development life cycle. “There are methodologies created specifically to manage and monitor the application life cycle with an eye on security, among these the OWASP (Open Web Application Security Project), a non-profit association in which experts operate worldwide to codifie, define and keep updated the guidelines for developing software in a safe way” says de Rossi.
GDPR, risk management, regulations, security, methodologies. The basic idea of Spindox’s offer is to oversee the two opposite cybersecurity poles, to go through end-to-end business management: on the one hand, compliance with rules, regulations and processes; on the other the technology. Between these two poles there is everything that can help us improve and increase safety levels. “These two worlds in Spindox’s offer come together in a holistic consulting proposal for the customer”, de Rossi always observes.
As part of the technical adjustments required by European regulations and international guidelines, Spindox provides a series of consultancy services in the field of data governance, identity and access management, industrial IoT and ICS security, network security, security analytics and cloud security.
May 25th has passed but our need for security has just begun
Data Governance is the management of the data life cycle, from when it enters the company to when it becomes obsolete. From archiving to the loss prevention of valuable data. Companies are investing large sums in this field since, if it is not yet clear, it is no longer possible to stall. “Take care of the data you process, classify it to protect it adequately. As the GDPR says”. Claudio de Rossi explains.
In this regard, it is necessary to make a contribution to companies in terms of policies and processes: it is not enough to implement software tools, it is necessary to educate people and establish a policy within the company, but above all harmony, on security issues. Only in this way is it possible to convey its importance. The advice is to develop a solid Data Loss Prevention system interposed between the company and third parties, in order to avoid information leaking from the company.
Awareness, prevention, training
In terms of IT security, the awareness level of Italian companies is still low. The Clusit 2018 Report is clear: in Italy only 1.5% of the IT budget is spent on prevention, against 6% of the world average. But in 2017 the number of serious attacks recorded in our country was 1,100.
As for costs, globally, those generated only by cybercriminal activities have quintupled. Moving from just over 100 billion dollars in 2011 to over 500 billion in 2017. According to the World Economic Forum, hacking represents one of the five major global risks of the economy.
Achieving and maintaining adequate levels of safety depend largely on people’s awareness. This is why the work Spindox is doing, is first of all a cultural one. And the fundamental tool for raising awareness remains training in any case. Companies must continue to invest in training in this area.
The European GDPR regulation, regulatory compliance, embedded systems, the Data Protection Officer
Cybersecurity is a vast field, but some fronts are particularly hot today. The most imminent is certainly regulatory compliance, given the entry into force of the GDPR; then the security of embedded systems, especially in the automotive sector, and the design of SOC (security operation center, for monitoring all the events that can constitute a source of threat).
The GDPR is the evolution of a series of European regulations and experiences in the personal data management by companies. “In 2003, a law already existed in Italy that required the application and mapping of data: it was required to identify who used them, where, why and how long they would keep them. The European regulation is now perceived by many as a huge investment, but in reality as early as 2003 the programmatic document on security (DPS) was mandatory. Subsequently, following Law Decree no. 5 of 9th February 2012, converted by law no. 35 of 4th April 2012, things changed”, explains de Rossi.
Those who have been forward-looking have kept the DPS up to date and today are far ahead of the GDPR adaptation activity. Those who have not bothered to carry out this activity, however, are doing the job from the beginning. But it is good to underline that the DPS is not enough to be compliant with the GDPR. The main area of intervention of the GDPR is then similar to the activity that is carried out on Data Governance: it is necessary to know when the data enters, how long it is kept, who keeps it, who accesses it and for how long. The principles of Accountability, Privacy By Design and Privacy By Default must permeate the corporate personal data management.
For several companies, the figure of the Data Protection Officer (DPO), a consultancy figure to the Data Controller, will be mandatory. “In my experience I have seen that a medium-small customer has an interest in having an external person who is able to cover both the legal and governance management (processes, compliance), as well as the management of security from a technological point of view”, specifies Claudio. From a technological point of view, the implementation of security systems to limit exposure to cyber threats is essential to increase corporate internal security. With this in mind, Spindox customizes the service based on customer needs by building the offer that best suits it. May 25th has passed, but the need for security remains.
Manage digital identity
Problems generated by rootkits are well known: it’s a malicious software that infiltrate unauthorized areas inside computers or parts of it, hiding their identity. After discovering the credentials of a user and obtaining root or administrator permissions, using social engineering techniques for example, it is possible to check the infected system by modifying those software that should have identified the root and report its presence.
Another type of cyber attack that aims to falsify identity and information is the so-called “spoofing” (of which there are different types, which act at different levels: network access layer, internet layer, transport layer, application layer, etc.), used by “phishers” or social media scammers. The phenomenon of phishing is one of the possible online scams, which always aims to steal confidential information, data, access codes.
For the management of users’digital identities, there are technical and organizational solutions aimed at rationalizing resources and optimizing the result. The activity consists in the implementation of IAM (Identity & Access Management) solutions and PAM (Privileged Access Management) systems. In this regard, Claudio de Rossi exemplifies this: “there are companies that have to manage 40 thousand domain users that access all company applications. Imagine when you retire, quit or, on the contrary, enter the company for the first time: those who deal with it must be able to create and manage a user, profilable in all systems. This can happen thanks to IAM systems, which allow you to centrally administer these activities”.
A very useful tool in corporate IT governance is PAM (?): administrative users on the most important systems can be managed through a system that intervenes between the administrator user, and a server accessible only by certain people with certain access privileges. “PAM let you profiling without using credentials. When you access PAM, the system shows you where to go. So it’s a very complex system, which together with Identity Access Management, allows you to have user ID management and administrative access management in a centralized tool”, says de Rossi.
IoT and Security
Companies today are called to redefine the paradigms of their analysis activities and to continuously monitor the entire infrastructure. Signature-based antimalware protection (known patterns) is no longer sufficient. Today an effective protection strategy is based on behavior analysis tools (behavior analytics systems), which allow you to evaluate if what is happening on an endpoint or within the network, can be an attack.
There are many software vendors and many companies that resell licenses, but few manage an end-to-end project in full compatibility with their corporate and business ecosystem. In this sense, Spindox deals with security assessment and infrastructure upgrading, implementation of monitoring systems and prevention of advanced attacks such as malware, ransomware and APT (advanced persistent threat).
“Cybersecurity is transversal”
In 2009, a malware that penetrated the Natanz Iranian nuclear power plant via an infected USB stick, managed to get to the industrial control systems of the system’s centrifuges, endangering the safety of the entire nuclear power plant. This malware, Stuxnet, marked an epoch-making turnaround in the way cybersecurity entered our lives. De Rossi says: “All of us, every day, manage digital assets and delegate part of our information and lives to them. In a global context in which we are all overexposed to cyber threats that come from anywhere in the world, Spindox offers itself as a consultancy partner to increase awareness and protection of companies in their business”.
Then he concludes: “Spindox, within the Cybersecurity service line, has decided to adopt a holistic approach to the offer: start from processes, arrive at technologies. Covering all the corporate levels of its customers”.