Report & Events 2014-15


 

66 pages, A4 format. Published in May 2016.

Author: Marco R. A. Bozzetti

In cooperation with: Polizia Postale e delle Telecomunicazioni

Publisher: Soiel International Srl

Sponsors (Silver): AIPSI, Sernet Group, Technology Estate, Trend Micro

Patronage: AICA, AIPSI, Assintel, Assolombarda, Aused, CDI Torino, CDTI Roma, ClubTI Centro, ClubTI Emilia Romagna, ClubTI Liguria, ClubTI Milano, FIDA Inform, FTI, IEEE-Italian Chapter, Inforav, itSMF

 

The Report is entirely in Italian, but it includes an Executive Summary in English, reported below.

For the complete Report and the related articles and presentations, all in Italian, please refer to the Italian web page (click the Italian flag at the top right).

 

Executive Summary, OAI Report 2015

The present OAI Report 2015 (OAI is the annual Observatory on Informatics Attacks in Italy), now in its fifth edition, provides an analysis of intentional attacks against the informatics systems of organizations of every size and industry sector, including central and local public administrations, detected in 2013 and 2014. The analysis is based on the responses to the 2014 questionnaire, collected via the web between January and March 2015, for a total of 424 respondents.

Since the web survey is not based on a specific sample of respondents, the resulting data cannot claim statistical significance. Given the number of responses and their good distribution in terms of size and industry sector, however, the OAI survey provides accurate and contextual information on the phenomenon of cyber attacks in Italy; it is also useful for raising awareness of computer security and as a reference for risk analysis. In addition, the report analyzes the tools of prevention, protection and recovery used to counter such attacks, and how companies react in case of attack. Several considerations emerge from the data collected; below we summarize some of the most significant.

The macro-trends that emerged from the survey are listed below.


• Attacks in 2014 increased in both number and sophistication; the most common were malware, social engineering, resource saturation (DoS and DDoS) and theft of ICT devices, particularly mobile ones such as smartphones and tablets (Fig. 4-5); these results are consistent with the data provided by CNAIPIC-Postal Police (Table 4).
• These most common attacks have always been in the top four for diffusion in all OAI reports (Fig. 4-6).
• All the attack types considered in 2014 (Table 1) increased in diffusion compared to 2013 (Table 3), except for the theft of ICT devices, which nevertheless remains among the most common attacks in Italy. The largest increases are for extortion (blackmail) attacks, which may exploit ransomware, and for sophisticated TA/APT (Targeted Attack / Advanced Persistent Threat).
• Normally each attack exploits one or more vulnerabilities, which may be technical, organizational or caused by people, be they end users or operators of computer systems; the most critical stem from organizational problems or from persons whose actions, or inaction, allow the attack to be carried out; in most successful attacks the weakest point in the security chain is the end user.
• Technological evolution brings new technical vulnerabilities, for example with virtualization, the cloud and the new, more powerful mobile devices. Vulnerabilities are sometimes not discovered and resolved quickly by suppliers, and so remain exploitable by attackers for a long time. Even when software updates that address a vulnerability (the so-called "patches") are available, they are not always promptly installed; the causes vary, but are most often organizational: in particular, lack of awareness that patches and updates are available, lack of procedures for software testing, and non-renewal of software maintenance contracts, perhaps caused by the continuing economic crisis.
• The exploitation of technical vulnerabilities occurs mainly against web sites and their platforms.

• The vulnerability of people is based primarily on their willingness and good faith in helping, on their naivety or carelessness, on their lack of knowledge of how to use ICT tools securely, and on their lack of sensitivity and attention to computer security. Social networks, e-mail, search engines, ever-larger USB sticks and collaborative tools amplify and facilitate personal vulnerability: they make it easier to steal digital identities and to acquire the confidential information with which to carry out attacks and computer fraud. In 2014 the theft of digital identities was so significant that 2014 can be defined as the year of the "data breach".


Some findings of the OAI survey are more specifically Italian, and include:

• 44.7% of the sample detected attacks in 2014, compared to 37.5% in 2013, an increase of 7.2 percentage points (Fig. 4-1); as an indicative trend only, given the different pools of respondents in previous OAI surveys, the 2014 value is the highest since 2008 (Fig. 4-2);
• the number of attacks and their frequency increase mainly with the size of the organization: the bigger and more internationally known an organization is, the more attractive a target it is for cyber crime;
• some attacks cannot be detected, but the relatively small number of attacks in Italy depends, in the author's opinion, mainly on the prevalence in Italy of small and very small companies (Table A-1), which are not a primary target for attackers;
• the impact of an attack is severe only in a limited number of cases (Fig. 4-7); the attacks with the largest and most severe impacts in 2014 were attacks on physical security, unauthorized access to ICT systems and their applications, network attacks, and TA/APT (Fig. 4-8);
• the limited seriousness of most attacks is confirmed by the fast recovery time: in 68.4% of cases service is restored within the day, and only 4.1% of cases take up to one month (Fig. 5-5 and 5-6);
• regardless of the size and industry sector of the respondents, the majority of computer systems are technically up to date (Fig. A-11), and a significant part of the sample has high-reliability informatics architectures (Fig. A-6);
• despite the non-availability of broadband in some parts of Italy, especially outside the big cities, almost two thirds of respondents outsource part or all of their informatics system and its management (Fig. A-13); slightly less than half use cloud solutions (Fig. A-14);
• all respondents have Internet connections, and 63.6% use VPNs;
• consumerization (BYOD) poses problems for computer security, and 23.4% of the sample do not allow it (Fig. A-10);
• security measures and ICT governance are more technical than organizational, and are based more on a reactive approach than on prevention;
• technical security measures, from physical security to data protection (Fig. 6-1 to Fig. 6-7), are fairly common as basic tools, and about one third of respondents use medium-to-high-level solutions. The main weaknesses that emerged concern secure code verification, operator logging, periodic testing of disaster recovery plans, and protection of information;
• for a large, or at least not negligible, percentage of the sample, organizational security is "less advanced" than technical security;
• positive issues:

– nearly 70% of respondents have defined, published and manage an ICT security policy and the related organizational procedures, and a further 15% are developing a security policy (Fig. 6-11);
– ICT auditing is carried out by 52% of respondents (Fig. 6-22), and 56.7% of those carry it out periodically (Fig. 6-24);

• critical issues:

– a specific CISO role is defined and implemented by only 38.7% of respondents;
– ICT risk analysis is carried out by about a quarter of respondents (Fig. 6-8), and risk insurance is even less widespread, at 19.1% (Fig. 6-9);
– 43.1% of respondents carry out a damage analysis after an attack (Fig. 4-9), but its economic estimate is still embryonic, or limited to a few large companies;
– a clear separation of duties among the various actors of ICT security is not yet widespread, and is followed by 35.3% of respondents (Fig. 6-10);
– incident and problem management is carried out by 31.8%, and a help/service desk is used by 31.2% of respondents (Fig. 6-10);
– best practices such as ITIL and COBIT, or standards such as the ISO 27000 family (Fig. 6-13 to Fig. 6-19), are very limited in adoption, and their certification at the corporate or personnel level is even more limited; requests that suppliers at least substantially follow these best practices and standards, or hold their certifications, are very limited and come mostly from large organizations;
– requests for ICT security certificates are limited both for internal staff (Fig. 6-20) and for the staff of suppliers (Fig. 6-21).


Finally, 2014 will probably be remembered, worldwide, as the year of the data breach, typically the theft of data and digital identities.
The attacks of 2014 confirm that cyber attacks can sometimes severely impact both the attacked organizations and the individuals who, directly or indirectly, were involved; the impacts mainly concern financial losses and reputation. Critical ICT infrastructures will increasingly be a target of terrorism.
Overall, up to now Italy has suffered cyber crime and cyber war only to a limited extent, but it runs a growing risk in the near future.


e-mail: oad@oadweb.it

© 2018 Malabo Srl All Rights Reserved.