
Computer systems safe? Never. But a combined strategy can limit the risks. Giustozzi, cybersecurity expert, speaks

The Revenue Agency is also targeted. “Nobody is really protected” warns the expert. The main risk factor? “Human error”. Here's how to limit the damage.


True, as per yesterday morning's news? False, as per the denial issued directly by Sogei's computer wizards yesterday afternoon? The alleged hacker attack on the Revenue Agency, with the usual ritual of threats to disseminate the stolen data unless a substantial ransom is paid, is yet another blow to the security of the large computer systems that today hold the essence of our lives. It happens, and there is no point denying it. Even the big players bow their heads and pay, experts say. How can this happen? Can even a theoretically overprotected system like that of the Italian tax control tower, created and managed by Sogei, an esteemed public IT giant, be vulnerable? Corrado Giustozzi, one of the leading Italian cybersecurity experts, journalist, writer, popularizer, pioneer of the first integrated solutions in the world of the web, replies to FIRSTonline.

Is any computer system exposed, or can anyone consider themselves safe?

The truth is that all computer systems are exposed to attack. Their level of security can only be relative. If I have to defend myself from a work colleague, the barriers can be relatively low; if a secret service is attacking us, the barriers must be much higher. Here too is the eternal struggle between increasingly sophisticated attack and defense technologies. Nothing is certain, also because there is a lurking factor that is not easily controllable: human error. The problem is too often in the people, in the behaviors, in the carelessness that opens the breaches. I'm not talking about the specific problem concerning the attack on the Revenue Agency, real or presumed. Those who defend themselves are always at a disadvantage.

How is the Revenue Agency doing?

What I said holds true. The machine is sophisticated. It is managed at the best levels. But that is not enough to keep it safe from every possible attack.

Are there examples to follow to raise security levels anyway?

Difficult to answer. Let's think of the big institutions that deal with security, and we discover that even these subjects considered unassailable actually are not. An example? A few years ago a criminal organization, because that is what it is, and I consider it improper to call them hackers, violated the CIA site, stealing data and applications which were then even used to develop new malware.

What more can or should be done to defend oneself, to at least contain the risk?

It is a question of finding the best compromise between needs and choices that are also very different from each other. Let's think about what has happened and is happening in local administrations and in their relations with the public administration: there are fears that small municipalities are not able to manage their IT systems, and there are plans to centralize the management of their resources in a few national centres to better control and protect them. But here's the flip side: all data is centralized in a few places. In short, all eggs in one basket. With the result of creating a preferential lane for those who want to attack these systems, who can concentrate on a few large nuclei, even if theoretically better protected.

Is it better to go back to parcelling out IT resources?

No. This is precisely the example of the best compromise, in any case not a decisive one: centralizing is the lesser evil, even if it is not the perfect solution.

Never pay, the authorities recommend. But in the event of an attack, many give in, perhaps denying having done so. How can we be sure that victims do not pay the ransom, perhaps disguising it as advice to clean systems from hacking?

A gigantic problem, which has obvious analogies with that of kidnappings. With the difference that here it is really difficult to verify whether the ransom for the stolen data has been paid or not. There are bitcoin wallets, triangulations, precisely the masking as disinfection consultancy. In the hot days of kidnappings, a law was passed on the freezing of assets as a deterrent to the big business of kidnappings. Some are calling for a similar standard for the computer data sector. I am afraid it is difficult to implement. How do you block the funds of a large company without immobilising it? I would pose the problem in another way: paying the ransom is the last resort, and in any case one must not be unprepared for this eventuality. An eventuality that must however be taken into account. A bit like what happens, for example, with fire prevention. Because too often practices stop at prevention and not at preparing and planning the behaviors to adopt in the event of a successful attack. And here the guidelines are known, but not everyone applies them with due care, starting with an effective and continuous data backup strategy, which allows the data to be restored anytime and anywhere. Thus the data is safe, in any case. Of course, the problem of dissemination by whoever stole it remains, which is the technique used by criminals in the latest cases of theft.

Precisely. What to do?

The only feasible security measure is the use of cryptography, an operation that is not simple and that many hastily invoke as a panacea. Here too, safety is far from guaranteed. If the hard disk is stolen while it is switched off, and it is well encrypted, it is practically inviolable. But if they steal data that is encrypted in its operational phase together with its encryption key, which is very often the case, security is not guaranteed at all.
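The distinction Giustozzi draws, between an encrypted disk taken while powered off and data taken from a running system together with its key, can be modelled directly. The following is an added example, not code from the interview or from Sogei: it derives a key from a passphrase with PBKDF2, encrypts with a small HMAC-based keystream cipher (an illustrative construction assumed here so the example runs on the standard library alone; a production system would use a vetted AEAD such as AES-GCM), and then shows what an intruder can read from each kind of theft. The scenario names and the sample records are constructed for the example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Derive a 32-byte key from a passphrase (PBKDF2-HMAC-SHA256, stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative counter-mode keystream built from HMAC-SHA256 (toy cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag authenticates nonce and ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key or tampering raises."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


# What an intruder carries away in each scenario (constructed model).
def loot_from_powered_off_disk(blob: bytes, salt: bytes) -> dict:
    """Disk at rest: ciphertext and KDF salt only; the key never touched the disk."""
    return {"ciphertext": blob, "salt": salt}


def loot_from_running_system(blob: bytes, salt: bytes, key_in_memory: bytes) -> dict:
    """Operational phase: the same ciphertext plus the key that was resident in memory."""
    return {"ciphertext": blob, "salt": salt, "key": key_in_memory}


def recoverable_plaintext(loot: dict):
    """Plaintext the holder of the loot can read, or None if only ciphertext was taken."""
    if "key" not in loot:
        return None
    return decrypt(loot["key"], loot["ciphertext"])


def demo() -> dict:
    """Run both scenarios on a constructed record and report the outcome of each."""
    salt = secrets.token_bytes(16)
    key = derive_key(b"correct horse battery staple", salt)  # constructed passphrase
    record = b"taxpayer: EXAMPLE-001; declared income: 42000"  # constructed sample
    blob = encrypt(key, record)
    return {
        "powered_off": recoverable_plaintext(loot_from_powered_off_disk(blob, salt)),
        "running": recoverable_plaintext(loot_from_running_system(blob, salt, key)),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {'unreadable' if result is None else result!r}")
```

The defensive lesson is in `loot_from_running_system`: once the key is resident beside the data, the cipher contributes nothing, so the practical controls are keeping keys out of the medium being protected (hardware key stores, separate key management) and detecting the exfiltration itself.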
