Cybersecurity: let’s take stock with Red Hot Cyber
Cybersecurity is an increasingly topical issue, not only for the quantity of daily attacks perpetrated at various levels, but for the variety of contexts affected, ranging from the individual citizen to large corporate groups, from public bodies to industrial supply chains. What’s missing, and not only in our country, is adequate widespread training and the awareness of the impact that cybercrime can have on citizens’ bank accounts, on companies’ turnovers and on the national GDP.
M.C.
ItaliaImballaggio tackles the question with Pietro Melillo, CISO (Chief Information Security Officer) of the leading manufacturing company Würth Italia, as well as a PhD student and head of the Threat Intelligence activities of Red Hot Cyber, the online magazine specialising in information technology and security.
The publication is recognised as one of the most authoritative sources of information and dissemination on the theme of cybersecurity, and it regards sharing information and raising awareness of risk as two fundamental objectives of its journalistic activity, which is based on the contribution of specialists in disciplines related to software piracy.
«Packaging lines are often a very delicate context», Melillo begins, «and the problems are nearly always found between the desk and the chair, where human error is lurking. This doesn’t mean blaming the individual, but establishing the need for constant monitoring of systems and user privileges designed to identify the problem at its first manifestation.
A machine blockage of the supply chain may occur due to a non-conforming use of company tools, the installation of non-authorised software which conflicts with the applications used for packaging, and disk saturation caused by media exchanged from a smartphone. One of the solutions to these problems is to use correct user profiling (the Principle of Least Privilege, PoLP) and to limit access to systems, such as, for example, disabling USB ports as mass storage and blocking CMD and PowerShell...
The segmentation of networks is another protection tool, making it possible to reinforce security controls on the single sub-networks and limit the lateral movement of any attackers. To avoid machine stoppage, the company should set up continuous monitoring solutions that make it possible to identify a threat, neutralise it and restore the compromised systems in a few moments, to then continue to use the latest functioning configuration».
Markets and countries under attack: Italy’s (also cultural) fragility
The definition of a long-term strategy requires the presence of specialised professionals inside and outside the company. It is an essential step for small enterprises too, where cybersecurity awareness is even more necessary because it is not always so obvious. This shortcoming gives rise to evident vulnerabilities if we look at the numbers and the sectors most affected by criminal actions in 2022.
«In the list of the victims of attacks, manufacturing is one of the most targeted sectors, followed by health, with the sale of data on the dark web, and by the training sector. Health is one of the top victims because it is the most inclined to pay, given that the risks connected with an attack are significant also for the lives of people. Two cases of death have, in fact, been reported: in Düsseldorf a person died for lack of dialysis after an attack that delayed the patient’s access; in Alabama, a little girl born with a serious malformation was unable to receive adequate care due to the lack of necessary information. In Italy, one famous case among many occurred in the Lazio Region, with a 50 million ransom demand…».
These are impressive data, which Melillo highlights to demonstrate how crucial the cybersecurity sector is and how well the criminal sector is organised, having created a business empire run by authentic enterprises that pay salaries, have a chain of command and often have top management figures who, from their privileged position, are able to provide essential information with which to launch attacks with returns in the millions. The iconography is therefore a long way from the nerdy kid of War Games, giving way to an authentic organised crime sector operating throughout the world.
«Among the countries most attacked by the ransomware phenomenon in 2022, Melillo continues, the United States stands out with 994 attacks, followed by the United Kingdom with 145, Germany 117 and Italy in fourth place with 107 attacks. They are followed by Canada with 103, France 96, Spain 79, Brazil 50, Australia 45, India 3 and Switzerland 41».
The fourth place occupied by our country represents an enormous number in terms of impact on GDP and number of inhabitants. Looking at the sectors, manufacturing is in first place with 179 attacks, followed by health with 151, the construction industry 140, education 118 and government 113. The figure of 90 attacks against the software sector, from which an intrinsic sensitivity to the issue would be expected, is particularly interesting when compared with the 50 against finance and insurance, which occupy lower positions in the ranking.
The risks and possible solutions
Our country’s cybersecurity management strategy arrived late. The establishment of the ACN, the cybersecurity agency, as recently as September 2021 is an example of this. According to Melillo, this is because the question is perceived as an option, which does not justify, except with difficulty, greater investments in tools, people and strategies.
There is a lack of a culture in which to invest in training and organise courses to reduce the risks connected with phishing, which today accounts for 93% of cyberattacks on systems and institutions. On this point, referring to the manufacturing sector, Melillo continues:
«It’s necessary to organise basic training courses, but also to speak about the evolution of attack strategies, because one of the main problems is a general underestimation of the extent of the risk, with superficial practices such as the hybrid use of company tools and an inadequate approach to system updating. A manufacturing company that generates huge quantities of data, for example, requires a strategy that includes knowing how soon it can regain access to the data in the event of an attack. These questions need to be answered to define a technical strategy, establishing a plan of action, making rules and instructions available in order to face the different types of attack, malware and ransomware, setting up an emergency team and, in general, a strategy constantly updated every two or three months to understand if what has been decided is still valid in the light of new means of attack and their continuous evolution».
The solution lies in the updating of people and systems
Cybersecurity awareness is an important key, precisely because people make the difference.
«A recent training course, he continues, allowed us to significantly reduce risk: with 1.5 hours of practical examples we were able to obtain a positive result of 57 out of 60 in the phishing test designed to verify the real understanding of the themes of the course. One very important aspect of this type of initiative is that it is provided face-to-face, where it is possible to get people involved, show examples and push people to reflect on what they do. At a company level, it would be beneficial to communicate all the phishing campaigns so that staff have a daily reference on this front and know how to proceed».
From the training of employees, let’s move on to the means of active defence: first and foremost, the one that appears most banal, keeping systems updated. As Melillo reminds us:
«I have met companies with Microsoft Windows Server 2012 still widely used for all business activities. This makes an attack almost a certainty. More evolved activities are also needed, such as continuous VAPTs (Vulnerability Assessment and Penetration Tests), which make it possible to set up procedures for the mitigation of risk on software and hardware and to integrate Threat Intelligence services. Unfortunately, in Italy, the tendency is to turn to these tools upon the occurrence of an attack or in the event of an audit, while they should form part of daily business. This demonstrates how our country has widespread digital illiteracy, in which phishing via mail, smishing via text messages and QRLjacking (scams via QR codes) are inevitably very common».
Some of the big risks and the tools of defence
Ransomware monitor is a Cyber Threat Intelligence project developed as part of the ongoing research doctorate at the University of Sannio, in collaboration with two thesis students and supervised by Professor Aaron Corrado Visaggio. «The monitor analyses the victims of the ransomware phenomenon and makes it possible to send alerts to companies belonging to sectors that are particularly sensitive at a given moment. The system also provides updated information on the supply chain associated with a possible attack, to avoid the involvement of third parties. To identify the aggressors, moreover, it’s necessary to follow the financial flows. This is why, with the ransomware monitor, we have also activated a wallet tracker function that looks at the use of the group’s reference cryptocurrency, tracking movements in a graph and identifying the recipients. The tool was conceived for research purposes and could undergo subsequent developments».
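To illustrate the "follow the financial flows" idea behind the wallet tracker described above, here is an added example that is not the ransomware monitor's own code: it builds a directed graph from a constructed, fictitious ledger of transfers, walks outgoing movements from a seed wallet and ranks the recipients by volume received. The addresses, transaction ids and amounts are invented for the demonstration.

```python
from collections import deque

# Constructed sample ledger (not real chain data): each entry is a transfer
# of `amount` units from one wallet address to another, identified by txid.
SAMPLE_TXS = [
    ("tx1", "victim_A", "ransom_wallet", 10.0),
    ("tx2", "victim_B", "ransom_wallet", 5.0),
    ("tx3", "ransom_wallet", "mixer_1", 12.0),
    ("tx4", "mixer_1", "exchange_X", 7.0),
    ("tx5", "mixer_1", "affiliate_W", 5.0),
    ("tx6", "ransom_wallet", "exchange_Y", 3.0),
    ("tx7", "unrelated_1", "unrelated_2", 1.0),  # noise, must not be reached
]


def build_graph(txs):
    """Directed graph: sender -> list of (receiver, amount, txid)."""
    graph = {}
    for txid, src, dst, amount in txs:
        graph.setdefault(src, []).append((dst, amount, txid))
    return graph


def trace_outflows(graph, seed, max_hops=3):
    """Breadth-first walk of outgoing transfers from `seed`, up to max_hops.
    Returns ({address: hop_distance}, [(src, dst, amount, txid), ...])."""
    reached = {seed: 0}
    edges = []
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if reached[node] >= max_hops:
            continue  # stop expanding beyond the hop limit
        for dst, amount, txid in graph.get(node, []):
            edges.append((node, dst, amount, txid))
            if dst not in reached:
                reached[dst] = reached[node] + 1
                queue.append(dst)
    return reached, edges


def recipients_by_volume(edges):
    """Total amount received per address, largest first; cash-out points stand out."""
    totals = {}
    for _, dst, amount, _ in edges:
        totals[dst] = totals.get(dst, 0.0) + amount
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    reached, edges = trace_outflows(build_graph(SAMPLE_TXS), "ransom_wallet")
    for src, dst, amount, txid in edges:
        print(f"{txid}: {src} -> {dst} ({amount})")
    print(recipients_by_volume(edges))
```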
The Polizia Postale (postal and telecommunications police) offers free support to enterprises and business associations, an area on which Melillo concludes: «The memorandum of understanding with the Polizia Postale provides support in the event of an attack and a flow of indicators of compromise useful for increasing the detection capacity of defence tools».