04-05-2012

“The new Challenges faced by ICT Security” by Claudio De Paoli, ICT Security Manager

​04/05/2012

In today’s world, which is permeated by ongoing technological progress and the constant evolution of IT tools that are readily available to everyone, IT security is a “good” the protection of which is becoming more and more important. The greater the criticality of the information, in case of damage or theft, the higher the degree of protection the asset deserves and, consequently, the more effective the preventive and corrective security measures should be.

In this respect, we must speak of “active defense”, meaning the introduction of conduct guidelines, measures and actions aimed at preventing and opposing any potentially damaging events or illegal activities, undertaken for the purpose of jeopardizing the perimeter and stability of organizations, businesses, countries.

Security Governance, Risk and Compliance

 

In the last few years, businesses have become more and more aware of how information security can enhance the value of their Organization, by minimizing any losses due to events that can seriously impact security, by making sure that any security incidents and violations do not have harmful effects.

 

This awareness has increased also as a result of the introduction of various regulations, by both the single countries and internationally, such as Legislative Decrees 196/2003 or 231/2001, the Sarbanes Oxley Act 2002, and a number of sectorial regulations, such as the Data Security Standard issued by the Payment Card Industry (PCI-DSS), which oblige businesses and government entities to put into place technical and organizational measures suited to protecting the security of certain types of data.

 

 

Managing compliance with these regulations requires successfully tackling a number of challenges:

• involving all the organizational units and the management in the definition of new processes
• analyzing the impact of the regulations on the ICT systems
• identifying and implementing the countermeasures capable of effectively responding to the technical requirements
• constantly verifying the effectiveness of the compliance processes and the proper implementation of the countermeasures
• activating escalation processes for tackling any high-risk non-conformities.

 

 
Generally speaking, if we replace the concept of regulation with a policy defined by the company itself, and based on an analysis of the risks of a different nature, compared to those affecting the organization, the considerations on the compliance challenges to policy should be similar to those described.

IT security, therefore, has become one of the key issues that need to be addressed by the top managements of private and public enterprises, and requires knowledge and expertise in a range of different fields, from business processes to the vulnerability of the new technologies, from HR organization to IT management procedures.

 

Fraud, Cybercrime and Critical Infrastructures

 

Communication and the exchange of information and use of new Web-based online services has changed our habits enormously, as well as the risk scenarios related to the security of people, organizations, companies and even entire countries.

 

The development of the Internet has also contributed to changing the scenario of international crime. The offences committed by exploiting IT instruments, in fact, have changed considerably in the last two decades: from the espionage of the early Nineties and the demonstrative actions carried out by a limited number of people with very vertical technical skills, to a huge black market dominated by a large number of people and criminal organizations.

These black market activities are constantly on the rise and have become a real threat for the general public, businesses, banks and financial institutions. All professionals in this sector are aware of the increase in the number of attacks made using simple toolkits that can be procured by anyone online, at a very low cost (such as Zeus, for example). These toolkits can simplify the creation of malware, such as Trojans, and escape even the most sophisticated home banking authentication and authorization systems. But they can also spread malware (like Stuxnet) in PLC-based industrial control systems, “spying on” an industrial plant or altering its behavior: new forms of attack to industrial systems that are a true threat to the security of entire countries.

 

A further impending threat for public and private enterprises is fraud. In fact, there has been an increase in the number of incidents, from theft of information to the use of data illegally collected online to commit offences and “cash in” on them. There has also been an increase in loss, in both economic and image-related terms, by public institutions and private businesses.

 

Recently, the Italian Parliamentary Committee on Homeland Security (COPASIR), in its “Report on the possible implications and threats for homeland security posed by cybercrime”, has conducted a detailed survey of these issues and declared that the defense of the cyberspace must become the focus of the protection strategies implemented by all countries worldwide, for the protection of a common good, just like the other “spaces”, such as, for example, the atmosphere or international waters.

 

Obviously, the cyberspace may become the weak link of the entire protection chain developed over the years, by both the national security and defense bodies and private businesses, as a means for protecting their economic interests. It is equally clear that the development of Cyberspace protection strategies is an emergency for all those concerned, given the absolute relevance of this space in today’s world.

 

Development of ICT solutions and services and new threats

 

Another important requirement of businesses and government is adapting their security strategies to the continuously changing Information & Communication Technology market.

 

Social networks, the extraordinary increase of smartphone users, the advent of cloud computing technologies are all obvious examples of the speed with which the world of ICT is evolving.

 

Each of these scenarios brings with it a series of threats and related security requirements:

• the proliferation of social networks has considerably boosted the circulation of personal details, increasing identity theft
• the increasingly vast use of smartphones is enhancing the development, by the world of cybercrime, of tools and instruments similar to Trojans and to Malware, capable of escaping the security systems of these devices
• cloud computing, which has significantly simplified the management of the information systems of businesses, is raising a series of important issues with respect to data confidentiality, compliance with the data protection regulations in force in the specific countries, the providers’ capacity to ensure the operational continuity of the specific processes of a certain business sector, and how this can be effectively achieved.

 

Therefore, the challenges posed by IT security are strongly related to the development of ICT market technologies, as well as to the changes in the offering models of this market: the key challenge is to effectively and speedily adapt the skills and organization to this continuous transformation.