Global Cyber Security Center | Newsletter 2017 February · 2019-01-16


Page 1: Global Cyber Security Center | Newsletter 2017 February · 2019-01-16

Events

Cyber Security nel Settore Assicurativo: Minacce e Opportunità
Location: Milan
Date: 07 March 2017
http://www.assolombarda.it/servizi/digital/cyber-security-nel-settore-assicurativo-minacce-e-opportunita

Assolombarda Confindustria Milano Monza e Brianza, in collaboration with Confindustria Digitale, Global Cyber Security Center and Gartner Consulting, will organize the workshop "Cyber Security nel Settore Assicurativo: Minacce e Opportunità", to be held in Milan on 7 March 2017. During the workshop insurance companies and enterprises will discuss the priorities on the issue of cyber security and risk assessment, in the full recognition that the issue is not only a threat but also an opportunity to be seized. In addition, the workshop will provide an overview of the prospects of a rapidly evolving market undergoing a revolution. The definition of the risk profiles of companies will be discussed, together with the basis on which insurance companies will insure enterprises, taking into account the ecosystem that surrounds them. Finally, the guidelines that the regulator is putting in place, also at European level, will be analysed.

Security Summit
Location: Milan
Date: 14-16 March 2017
https://www.securitysummit.it/

Security Summit is the event dedicated to the security of networks and information systems that, for years, has engaged participants with content and insights on the technological evolution of the market. Now in its ninth edition, the Security Summit is considered, and is recognized by the market, as the event of excellence in the Italian market thanks to the high quality of the speakers and the large and increasingly qualified public participation. In 2017 these values are confirmed: a structure articulated in plenary sessions, training, technology workshops, round tables and technical seminars. Endorsed by the large group of speakers (more than 400 have taken part in recent editions) from the world of research, the

Editorial

Health and Cyber Security

Medical devices continue to transform treatments and the care of long-term disease. As we can read and see, technology in this area continues to evolve, and this means that threats to the security and reliability of these devices are also increasing. From time to time we hear warnings about pacemakers that could be used to kill people. Although these warnings are fictional, this scenario is becoming quite realistic and there is a need for public awareness on these issues. When we think about medical devices we have to bear in mind that they can be vulnerable, like any other computer system. Vulnerabilities and security breaches may potentially impact the safety and effectiveness of these devices. This vulnerability increases as medical devices are more and more connected to the Internet, to hospital networks, and to other medical devices. For sure the increased use of wireless technology and software in medical devices may increase the risk of potential cyber security threats, but we also have to balance that against the fact that these features improve health care and increase the ability of health care providers to treat patients. In this area too it is very important that manufacturers, hospitals and facilities start to work and share together in order to reduce information security risks, of course bearing in mind that cyber security threats cannot be completely eliminated. The challenge here is to balance patient safety and the development of innovative technologies. In parallel, hospitals and health care facilities should evaluate their network security and protect their hospital systems. The Food and Drug Administration's (FDA) 2016 draft guidance on post-market management of cyber security of medical devices seeks to provide recommendations for ensuring cyber security in devices already in use.

The FDA applies a sober, rational and systematic approach to understanding and mitigating security risks. In the FDA approach we find many of the topics that we are addressing in IT security: identify the processes and assets that need protection, protect, detect, and formulate a response and recovery plan. In other words, because cyber security issues are emergent, the inevitability of zero-day vulnerabilities requires that security be addressed over the entire useful life of medical devices. This reality is a necessary outworking of innovation and should be embraced by providers, device manufacturers, app and software developers and security engineers.

Nicola Sotira
General Manager GCSEC


Page 2:

In this issue

How a meta-standard can help an organization to improve its cyber security level, by Elena Mena Agresti, GCSEC

Cyber security in Italy: increased awareness but limited budget, by Massimiliano Cannata, Technology innovation, training and security culture Reporter

Usually people consider standards as something boring that should be respected only by law or to comply with a directive. Instead, standards are very helpful instruments.

Our life is based on standards more than we can imagine. Standards are common reference documents that help bring order to the world and make life easier, safer, and more productive.

If you think of T-shirt sizes, you can choose L, M or S because these sizes are based on a standard. People know their shoe size because the measures of footwear are "normalized": for example, the standard EN 13402 is the European standard for labelling clothes sizes.

In the same way, we communicate with others thanks to a set of rules that put words, expressions or gestures in correspondence with certain meanings. We can communicate only through these rules. There are a lot of languages in the world; each of them is based on a standard (grammar and vocabulary) without which we couldn't communicate. If everybody had their own, unshared language standard, how would we communicate and understand each other?

Standards play a key role in the digital world too. Digital services based on ICT infrastructures are interoperable and interconnected and require the adoption of common approaches.

Many organizations like ISO, IEC, ITU, NIST, CENELEC, NERC and IEEE publish new standards or review existing ones every year. Thousands of experts around the world analyse and discuss specific topics at different levels (technical, operational, process) with the aim of publishing standards dedicated to digital services, the ICT sector, and cyber or information security.

While the large number of published standards responds to the growing need to adopt common approaches, on the other hand this proliferation can in some cases have negative effects.

Different standards can contain requirements at different levels of detail or provide discordant requirements. In other cases, complex organizations that operate in many sectors need more effort because they have to demonstrate compliance with several sector-specific standards and regulations.

For these reasons, in recent years many organizations have published meta-standards that collect the best requirements and controls on a specific matter.

University, associations, consultancy, institutions and enterprises, the event was attended by over 14,000 participants, and about 8,000 certificates were issued, valid for the allocation of more than 14,000 credits.

Boosting the ever-connected enterprise
Location: Milan
Date: 21 March 2017
goo.gl/uW4wvC

The extension of the mobile enterprise ecosystem from traditional devices (smartphones, tablets, laptops) to wearables, augmented reality and especially the Internet of Things, both in terms of devices and apps, definitively establishes the transition from the concept of the "mobile enterprise" to the "ever-connected enterprise": a new model of enterprise where mobile devices, IoT sensors, intelligent platforms, AR/VR technologies and people throughout the territory form and nurture a network that can broaden application horizons and increase the flow of information from which to extract value.

Cognitive Security: Act Now
Location: Milan
Date: 6 April 2017
goo.gl/GQVmq0

Cyber crime is an insidious threat that has reached levels never seen before. According to IDC estimates, the cost of cybercrime to the entire global economy was about $650 billion in 2016 and is expected to exceed $1 trillion by 2020. No geography or industry is immune. 2017 also confirms a constant: the fronts of risk exposure are and will be growing (IDC FutureScape: Worldwide Security Products and Services 2017 Predictions). All that remains is to continue to increase intelligence capabilities, the only answer that can allow a real change of pace, thanks to cutting-edge technologies that analyze data sources not previously considered and provide real cognitive intelligence to support analysts and security professionals. Cognitive Security, the application of cognitive computing principles and technologies to the field of security, is the new frontier in the fight against cybercrime, refining and automating intuitive and intellectual abilities. According to IDC, by 2018 70% of security environments worldwide will incorporate cognitive technologies against cyber threats, to support professionals in governing the increasing scale of complexity and risk.

News

A group of Iraqi hackers called Pro_Mast3r defaced a Trump website
http://securityaffairs.co/wordpress/56466/hacking/trump-website-hacked.html

A group of hackers who call themselves "Pro_Mast3r" defaced a website associated with President Donald Trump's presidential campaign fundraising on Sunday. The website was hosted on the server secure2.donaldjtrump.com, which is managed by the Cloudflare content management and

How a meta-standard can help an organization to improve its cyber security level

by Elena Mena Agresti, GCSEC

Page 3:

GCSEC developed, in collaboration with an energy utility, a meta-standard for security in industrial control systems in the energy sector, to identify the state of the art of security practices and countermeasures developed and achieved by leading international bodies and institutions that have been focusing on and engaged with this topic.

ICS systems are used in modern manufacturing and industrial processes, mining industries and public and private utilities, and the main national critical operators use them to manage and control their infrastructures. SCADA systems are found in places like power stations, nuclear power plants and water treatment facilities, where organizations should guarantee a high level of security.

Taking into consideration that SCADA systems coexist with traditional IT systems and that the architecture contains both old and new generation elements, the scope of the analysis was extended to standards related to information systems as well.

GCSEC analysed the main standards published by international organizations like API, IEC, IEEE, ISO and NERC, and the most relevant guidelines and policies provided by AGA, GAO, NIST, SANDIA, UK CPNI, the U.S. Departments of Energy and Homeland Security and the Nuclear Regulatory Commission, for the energy sector, information systems and industrial control systems.

These official publications (standards, recommendations, guiding policies, guidelines, …) issued by pertinent and remarkable institutes were retrieved, classified and sorted out according to a given structured collection model that allowed us to select the most effective measures from each official document.

The project was composed of four phases:

1. Standards collection and categorization: the main documents published at international level were collected and categorized with respect to their main focus, such as industrial control systems, energy sector or information systems.

2. Controls classification and analysis: the security requirements and controls of each document were identified and mapped across specific dimensions, maintaining the overarching distinction between governance requirements (regarding strategies, roles and responsibilities, processes, practices) and technical requirements (network, system, application, technology, communication security and all other technical security fields). The set of requirements and controls was organized according to the main domains of the ISO/IEC 27001 framework, as shown in the following picture.

security platform. The website is not directly linked from the Trump Pence campaign's home page. According to the Ars website, the hacked machine is an actual Trump campaign server that uses a legitimate certificate. "But it does appear to be an actual Trump campaign server—its certificate is legitimate, but a reference to an image on another site is insecure, prompting a warning on Chrome and Firefox that the connection is not secure." states Ars.

Operation BugDrop – Hackers siphoned 600GB taking control of PC microphones
http://securityaffairs.co/wordpress/56517/intelligence/operation-bugdrop-ukraine.html

Researchers at the security firm CyberX have discovered a cyber espionage campaign that siphoned more than 600 gigabytes from about 70 targets in several industries, including critical infrastructure and news media. The list of targets includes:

• A company that designs remote monitoring systems for oil and gas pipelines

• An international organization that monitors human rights, counter-terrorism, and computer attacks on Ukrainian critical infrastructure

• An engineering company that designs electrical substations, gas distribution pipelines, and water supply plants

• A scientific research institute

• Editors of Ukrainian newspapers

The experts have dubbed this espionage campaign Operation BugDrop because the attackers use PC microphones to bug targets and capture audio and other sensitive data.

Office Loader leverages malicious macros to deliver multiple malware
http://securityaffairs.co/wordpress/56251/malware/office-loader-malware.html

The researchers analyzed more than 650 unique samples of this specific loader since early December 2016, accounting for 12,000 phishing emails targeting numerous industries. The most affected industries are High Tech, Professional and Legal Services, and Government. The Office loader is being delivered via spam messages and employs heavily obfuscated malicious macros and a user account control (UAC) bypass technique to infect the target. "The loader itself is primarily delivered via email and makes use of heavily obfuscated malicious macros as well as a user account control (UAC) bypass technique that was originally discovered in August 2016." reads the analysis published by Palo Alto Networks. The phishing messages used several malicious documents masquerading as invoices, product lists, deposit slips, document scans, and more. The Office loader was used to drop several malware families such as LuminosityLink, KeyBase, PredatorPain, Ancalog, Bartalex, Pony, and DarkComet.

Page 4:

3. Normalization and best practices definition: the controls collected for each dimension (security program, organization of security, …) were normalized and redundancies eliminated and/or standardized. The mapping was conducted considering the level of detail of the requirements provided by each document. The same requirement provided by different standards was analysed in its most exhaustive description. In case of discordant requirements or gaps of information, the experts of the working team identified the best requirements based on their expertise, experience and knowledge.

4. Meta-standard definition: all requirements were collected in the meta-standard and a control matrix was created. For each area, the list of mandatory and suggested controls was provided, together with the related assets involved and the associated threats and vulnerabilities.

The methodology also provided a classification of the relevance of standards, best practices and international policies in each area of analysis, according to the following levels:

• 0 - Null: the standard/best practice/policy doesn't contain any requirements or practices

• 1 - Generic: the standard/best practice/policy contains general requirements or practices

Users Can Secure Their IoT Devices; But Will They?
https://www.infosecurity-magazine.com/opinions/users-secure-iot-devices

On an increasingly massive scale, cybercriminals are repurposing connected Internet of Things (IoT) devices installed within our homes. These hackers use malware to enlist our smart thermostats, speakers, lights, and more as soldiers for their botnet armies – used in coordinated massive attacks causing security breaches that threaten the integrity of the internet. They've used these IoT botnets to target major websites and even forced entire countries to go offline. With the IoT primed for exponential growth through the next decade, the inherent vulnerabilities of these smart devices – combined with the capabilities of IoT-based botnets – create formidable cybersecurity challenges and risks. I believe that the party best positioned to prevent or stop malicious attacks is the consumer. Those who use IoT devices in their own homes have the power to vote with their wallets, and could choose to buy devices with more effective security. However, without awareness of the risks posed to other parties, or direct impact upon their own individual use, why would consumers change their behavior?

Watering hole attacks on Polish Banks Linked to Lazarus Group
http://securityaffairs.co/wordpress/56235/apt/lazarus-group-polish-bank.html

Last week, several Polish banks confirmed their systems were infected with malware after their staff visited the site of the Polish Financial Supervision Authority. The cyber attack was first reported by Zaufana Trzecia Strona, a local Polish news site, on Friday last week. The interesting aspect of the attack is that the crooks used the Polish financial regulator, the Polish Financial Supervision Authority (KNF), to spread the malware. A spokesman for the KNF confirmed that the internal systems of the regulator had been compromised by hackers "from another country". The attackers dropped on the servers the malicious files that were used in the attacks against the Polish banks. In order to avoid spreading the malware, the authorities took the decision to shut down the entire network at the KNF "in order to secure evidence." The malware-based attack was confirmed by a number of banks that are currently investigating the security breach. At the time of writing there is no evidence that the attackers successfully stole money from Polish banks or their customers, but some of the targeted organizations confirmed having noticed large outgoing data transfers.

IBM Watson is ready to take on the cybercriminals
http://www.wired.co.uk/article/ibm-watson-artificial-intelligence

At the start of January, an insurance firm in Japan replaced more than 30 employees with an artificial intelligence system. Based

Page 5:

• 2 - Specific: the standard/best practice/policy contains essential requirements or practices

• 3 - Detailed: the standard/best practice/policy contains detailed requirements or practices

A meta-standard like the one created by GCSEC can help an organization to verify at the same time its own compliance, and that of its architectures, with the main international standards and regulations in one or more specific areas.
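To make the four phases (collect, classify, normalize, build the control matrix) and the 0-3 relevance classification concrete, here is an added Python illustration; it is not GCSEC's tool and does not contain any text from the meta-standard. It assumes hypothetical sources STD-A, STD-B and GUIDE-C with constructed controls, a per-control detail level of 1 to 3, and the rule that a source's relevance in a domain is the highest detail level among its controls there.

```python
"""Toy meta-standard builder following the four-phase method in the article.
STD-A, STD-B and GUIDE-C are hypothetical sources with constructed controls;
nothing here is real standard text or GCSEC's own tooling."""
from collections import defaultdict
from dataclasses import dataclass

# Relevance levels of a source in an area of analysis, as defined in the article.
LEVELS = {0: "Null", 1: "Generic", 2: "Specific", 3: "Detailed"}


@dataclass(frozen=True)
class Control:
    source: str      # standard / guideline the control was taken from (phase 1)
    domain: str      # ISO/IEC 27001 domain it was mapped to (phase 2)
    dimension: str   # "governance" or "technical" (phase 2)
    key: str         # normalized requirement id used to spot redundancies (phase 3)
    detail: int      # 1 generic, 2 specific, 3 detailed (assumed per-control scale)
    text: str        # requirement wording as stated by the source
    mandatory: bool  # mandatory vs. suggested in the meta-standard (phase 4)


# Constructed sample: controls already categorized and mapped to domains.
SAMPLE_CONTROLS = [
    Control("STD-A", "Access control", "technical", "remote-access-auth", 3,
            "Remote access to the control network requires multi-factor "
            "authentication through a dedicated jump host", True),
    Control("STD-B", "Access control", "technical", "remote-access-auth", 1,
            "Remote access shall be authenticated", True),
    Control("GUIDE-C", "Access control", "governance", "access-review", 2,
            "Access rights shall be reviewed at defined intervals", False),
    Control("STD-A", "Operations security", "technical", "patching", 2,
            "Patches shall be tested before deployment to field devices", True),
    Control("STD-B", "Operations security", "technical", "patching", 3,
            "Security patches shall be tested on a staging system and applied "
            "within a defined time frame after release", True),
    Control("STD-B", "Operations security", "technical", "logging", 1,
            "Security events shall be logged", False),
    Control("GUIDE-C", "Supplier relationships", "governance", "supplier-security", 1,
            "Security requirements shall be included in supplier agreements", False),
]


def normalize(controls):
    """Phase 3: a requirement stated by several sources is kept once, in its
    most exhaustive description (highest detail level). Ties keep the first
    one seen; in the article such cases are settled by the working team."""
    best = {}
    for c in controls:
        current = best.get((c.domain, c.key))
        if current is None or c.detail > current.detail:
            best[(c.domain, c.key)] = c
    return list(best.values())


def control_matrix(normalized):
    """Phase 4: per domain, the mandatory and suggested controls of the
    meta-standard (assets, threats and vulnerabilities are omitted here)."""
    matrix = defaultdict(lambda: {"mandatory": [], "suggested": []})
    for c in normalized:
        matrix[c.domain]["mandatory" if c.mandatory else "suggested"].append(c)
    return dict(matrix)


def classify(controls):
    """Relevance of each source in each domain on the 0-3 scale: 0 (Null) when
    the source has no control there, otherwise the highest detail level among
    its controls in that domain (an assumed rule, not spelled out in the text)."""
    sources = sorted({c.source for c in controls})
    domains = sorted({c.domain for c in controls})
    table = {s: {d: 0 for d in domains} for s in sources}
    for c in controls:
        table[c.source][c.domain] = max(table[c.source][c.domain], c.detail)
    return table


def report(controls):
    """Render the control matrix and the relevance table as plain text."""
    lines = []
    for domain, entry in sorted(control_matrix(normalize(controls)).items()):
        lines.append(f"[{domain}]")
        for kind in ("mandatory", "suggested"):
            for c in entry[kind]:
                lines.append(f"  {kind:9} {c.key:20} <{c.source}, {c.dimension}> {c.text}")
    lines.append("Relevance of each source per domain:")
    for source, row in classify(controls).items():
        cells = ", ".join(f"{d}={lvl} ({LEVELS[lvl]})" for d, lvl in row.items())
        lines.append(f"  {source}: {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONTROLS))
```

Running the script prints the merged matrix (the generic STD-B remote-access control is absorbed by the detailed STD-A one, while STD-B's detailed patching control wins over STD-A's) and a relevance row per source, with Null where a source says nothing about a domain.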

on IBM Watson Explorer, the cognitive technology that processes and can understand reams of data, the system was introduced to increase productivity by 30 per cent, and will give the firm a return on its investment in less than two years. While it seems brutal to make 34 employees redundant to make way for artificial intelligence, this could become commonplace in certain industries over the coming years. And as IBM Watson's supercomputer gets smarter, soon it won't be the robots thinking like humans, but the humans learning to think like robots. Aside from its threat to jobs, Watson has made some incredible breakthroughs in terms of science, technology and culture, proving that AI and its capabilities are here to stay.

"After one hundred and sixty years from the Italian Unification, the nine states from which modern Italy was born are still not balanced at the economic and social level. The result is that we have a country fragmented into many realities that do not communicate with each other. Some northern regions can boast production standards and average living standards comparable to the most developed regions of Central Europe, in contrast with southern regions that remain far from development. Political representatives, in response, are increasingly self-referential, uninterested in dialogue and discussion, and have lost sight of the fate of the territories and the communities about which they should be concerned."

It is a "polymorphic Italy" that is shown by the Eurispes Italy 2017 Report, presented in Rome at the prestigious site of the National Library of Castro Pretorio. A nation distressed, explains Chairman Gian Maria Fara, by increasing levels of poverty (one Italian out of four thinks that the main cause of it all may be job loss), which sees half of families in difficulty and many young people (about 13%) "forced" to return home in the absence of employment.

As every year, many social and economic phenomena are under analysis and study. The world of innovation and ICT is one of the great topics of discussion.

The cyberspace: an asset to be protected

As the Report reveals, in the digital society cyber security has become a priority for states, which must defend the national interest, the lives of citizens and critical infrastructure, and for companies committed to protecting their strategic assets.

According to the forecasts of the World Economic Forum's Global Risks Report 2014, by 2020 the economic losses caused by cyber attacks could be up to three trillion dollars.

Certainly individual initiatives are not enough to address such a serious emergency: we need comprehensive strategic plans involving the public sector, the private sector and research, to carry out effective IT risk governance.

Cyber attacks cause damage to Italian companies alone of €9 billion per year. Power and fragility both touch the dimension of the "infosphere", the valuable space that contains confidential and sensitive information and data, as is well known to cyber crime, which is confirmed as the leading cause of severe attacks globally, amounting to 68% of cases in 2015 (it was 60% in 2014). Cybercrime in the first six months of 2015 increased by 30% compared to 2014, becoming the cause of 66% of serious cyber attacks. Increasingly, the actions of criminals target critical infrastructures, such as energy distribution networks and telecommunications: while on a global scale only two attacks were registered in the second half of 2014, in the first half of 2015 there were twenty, an increase of 900% (source: Eurispes, based on Clusit data, 2016).

The potential victims of cyber attacks include both public institutions and companies. Small and medium enterprises are the most vulnerable because they do not always have the capacity to bear the cyber security costs needed for the adoption of an effective protection system. We shouldn't underestimate the economic and reputational damage after a cyber attack.

The different types of attack

In our country, according to surveys by the Clusit Report, the sectors most affected by cyber attacks were: information and

Cyber security in Italy: increased awareness but limited budget

by Massimiliano Cannata, Technology innovation, training and security culture Reporter

Page 6:

GCSEC - Global Cyber Security Center Viale Europa, 175 - 00144 Rome - Italy http://www.gcsec.org

 

play: attacks against online media, blogging and gaming platforms in 2015 increased by 79% compared to 2014; automotive: attacks in 2015 were about 67% more than the previous year; research and education: a sector in which attacks increased by 50%, mostly for espionage purposes; hospitality (hotels, restaurants, residences and communities): this sector was registered in the Clusit Report for the first time.

On closer inspection, in these cases the attacks are against end users. Each month, one in three attacks is successful and is discovered late. In 66% of cases the presence of an attack is discovered after months (the global average is 51%), in 7% of cases (the same as the global average) violations are identified after days, and in 16% of cases after weeks (the global average is 22%; source: Eurispes elaboration of Accenture data, "High Performance Security Report", 2016). Research by Accenture and HfS also shows that organisations do not have enough budget to invest in recruiting appropriately trained employees to defend themselves against cyber attacks.

For 42% of respondents, in fact, it is necessary to increase funds for hiring cyber security professionals as well as for training the employees within the company, who for more than half of respondents (54%) are sufficiently trained to prevent the occurrence of security breaches. Also interesting are the findings of the fourth international Zurich survey on the risk of cyber attacks, which highlights the most feared effects of attacks against small and medium-sized enterprises: customer data theft (20%), company reputation (17%), theft of money (11.5%), identity theft (7.5%) and theft of employees' data (6.5%).

The commitment on cyber security

In spite of the seriousness of a growing phenomenon, it must be said that only 19% of large companies are aware enough to have a long-term vision on security and to develop concrete plans with defined technological approaches and organisational roles, while 48% are at an early stage of their cyber security path. The most widespread threats in the last two years were: malware (80%), phishing (70%), spam (58%), ransomware (37%) and fraud (37%). The most common vulnerabilities were: the awareness of employees of policies and behavioural good practices (79%), distraction (56%), remote access to business information (45%) and the presence of personal mobile devices (33%).

Enterprises have developed, in particular, the need to assign internal managerial responsibility for cyber security strategies. However, today less than half of large enterprises (42%) have in-house the figure of the Chief Information Security Officer (CISO), responsible for defining the strategic vision, implementing programs to protect the information assets and mitigating risks, while in 10% of cases it is expected to be introduced in the next 12 months (source: Information Security & Privacy Observatory of the School of Management of Politecnico di Milano).

In 36% of cases information security is assigned to other roles within the company, such as the security officer. 12% of companies do not have a dedicated figure and have no plans to introduce one in the short term. The growing volume of data and the heterogeneity of information sources require the adoption of specific professionals for the management of privacy issues. The new European Regulation on data protection introduces the figure of the Data Protection Officer (DPO), whose presence is mandatory for public bodies and public administrations and in other specific cases provided for by the new EU legislation. The DPO is a professional with legal, information technology, business process, risk management and analysis skills, who implements the personal data processing management policy to comply with the relevant regulations.

The biggest obstacles

The main limitations that today's Italian companies face in effectively preventing cyber attacks remain:

• Professional skills: companies denounce the lack of funds to invest in the training and recruitment of specialized professionals, whereas training and cultural awareness are essential to protect oneself from cyber crime;

• Budget: cyber security requires investments in human resources training, but also in technology (applications involving cognitive computing and artificial intelligence, and platforms for data encryption);

• Quality of management: often the executive management considers cyber security an unnecessary expense, whereas it should define a real strategy for cyber security that takes into account the business priorities, including the protection of its business reputation and data protection.