November/December 2005 issue

Italy: One of the gang
Ian Grant

La dolce vita may be losing some of its sweetness as harmonisation with global standards sweeps through the Italian infosecurity community.

Most people are likely to greet the news of a posting to the Italian office with delight. After all, the land of la dolce vita is also home to the world’s favourite food, the best cinema, the most stylish fashion, the most desirable cars and the only woman for whom I have walked into a lamp post.

But it also has one of the world’s most active underground economies. Some economists estimate the grey/black economy to contribute one-quarter to one-third of the national GDP. The US FBI believes organised crime gangs such as the Mafia and the Camorra have infiltrated almost every sphere of Italian society and business. Counterfeiting and smuggling of people and goods are endemic in some towns. Corporate frauds such as Parmalat, a labyrinthine bureaucracy, common-place tax avoidance and money laundering, and widespread political bribery and corruption point to a business climate far removed from strait-laced Northern Europe.

Italy is nevertheless striving to become “normal”. Just like the rest of us, it has pretty much standardised on the Wintel offering for desktop computers and servers. As a result, it faces the same computer-mediated threats such as distributed denials of service, hacking, phishing and spam. Claudio Cilli, a computer science professor, infosecurity consultant and chairman of the Rome branch of the Information Systems Audit and Control Association (ISACA), reckons Italy is “homogenous” with Europe with respect to such threats.

Dave Emm, senior technology consultant at antivirus vendor Kaspersky Labs’ UK office, agrees. “There’s nothing going on in Italy (with respect to infothreats) that’s not going on elsewhere,” he says.

However, the Italian government is determined to fit the country for the networked world, and in particular, e-commerce. It has introduced tough legislation covering data privacy and made spamming a criminal offence. (For a detailed assessment of Italy’s primary legislation that covers data protection and e-commerce issues see Baker & McKenzie’s website.)

It has also just passed a bill permitting telephone taps in pursuit of organised criminals, child pornographers and other law-breakers. This has drawn the Garante (data privacy authority) into asking for clarification of how this will work and for safeguards for the innocent.

As well as passing enabling legislation, the Communications Ministry is introducing Quality of Service standards for operators at every level. These will be built into their operating licences, with hefty penalties for missing and not fixing shortfalls.

Awareness still low
In addition, the ministry is trying to raise awareness levels of the need for infosecurity. It will sponsor a conference on the political and technical challenges of network and information security in Rome on 2-4 November. Aimed at government and technical experts, the conference aims to give practical advice and guidance based on experience gained worldwide.

“The implementation of a high level of communication network security is even more important when the focus is to ensure an adequate level of quality of service for the security functionalities of infrastructures that are critical for everyday life in a modern country, such as business-related services and critical infrastructures operations,” it says.

Cilli is unconvinced that this will make a difference. Italians seem unconcerned with security threats posed by identity theft, for example, he says. “I hope their attitude will change,” he says.

In Cilli’s opinion, the way to win hearts and minds is to legislate it. He points out that companies paid lip service, if that, to infosecurity until 1 January 2004. This was when Italy’s harmonised data protection code came into force.

“Most companies changed their security measures then only because this mandated minimum security measures to protect personal data,” he says. “Unless the government puts things into law, it is very difficult to achieve such targets,” he adds.

Referring to legislation passed outside Italy, such as Sarbanes-Oxley and Basel II, Cilli says he’s seen no change in local practices. “We tend to follow rather than lead,” he says.

E-crime changes tack

Around two years ago, Eugene Kaspersky, boss of antivirus vendor Kaspersky Labs, warned that the Mafia was starting to exploit the Internet. At the time, there wasn’t much hard public evidence, and that remains the case. However, Kaspersky’s senior technical consultant David Emm, says there’s been a qualitative change in the nature of exploits.

“There’s a close link between exploits and money these days,” he says. “In the old days people used to prove they could crack systems by leaving obvious signs of their exploit. Now they try to stay under cover and to go after money, personal data or company secrets. That suggests a more deliberate criminal intent.”

A further pointer, says Emm, comes from an experiment the lab set up last year. It set up several fake websites with apparently genuine personal information. The sites were hacked, and Kaspersky was later able to trace the stolen information to a different group to the one that hacked the site.

“This suggests there is an active trade in information,” says Emm. There is also competition in providing such information, he adds.

Some of these activities could lead to blackmail and extortion, or to illegal gathering of competitive intelligence on commercial firms. “We’ve already seen gambling sites hit with denial of service attacks unless they’ve paid up,” says Emm.

However, Italy is “not a particular hotbed” of cybercrime, he notes. “It’s a small world; an attack can originate anywhere. Just recently we’ve seen a lot of activity in South America, Russia and Eastern Europe, as well as cooperation between virus-writing gangs like 29A, which has members in Russia, Spain and other places.”

Italian sources interviewed for this article were quick to separate infosecurity from cybercrime issues. “There’s little evidence that organised crime gangs in Italy are into cybercrime,” said one.

Calls to the Italian state police were not returned, and Interpol declined to comment, saying this is up to each jurisdiction.

Spammers in the dock
But that may be changing. Since the data privacy law came into force there have been close to 2,000 complaints against spammers. Around 40 were fined, and one received a 15,000 euro fine and still faces a criminal prosecution.

Italian universities are deeply involved with top level security research projects, many funded by the European Commission. In addition, universities in Rome, Ancona, Milan, and Pisa, among others, have modules in security as part of their computer science undergraduate degrees, and others are joining up.

Italian researchers are also active in European Commission research projects. These include biometrics for secure authentication, satellite-based tracking systems, quantum cryptography, security policies for networks, post-3G mobile and wireless networks, and secure multi-function, multi-access consumer terminals, to name just some.

In addition, the European Commission sited the Joint Research Centre on Transnational Crime (Transcrime) at the universities of Milan and Trento. The main research areas are business security, cybercrimes, transnational crime and urban security.

As far as professional certification goes, the most respected is ISACA’s CISA (Certified Information System Auditor) ticket, Cilli says. Others are acknowledged but are seldom specified in job advertisements. “Courses from vendors such as Microsoft and Cisco are also good to have, but not essential,” he says.

Ian Grant is a freelance writer and editor

Spread the word

Luisa Franchina is director general of the Institute of Communications, the Italian government’s sword and shield against infosecurity threats. Everyone should join in, she says.

Infosecurity: What are the main challenges you face as director general? What changes are you happy with, and what are your priorities for the next two years?

Luisa Franchina: In the fields you are interested in, the main challenge I face is to build up government-driven information sharing initiatives. The following list is not exhaustive.

Firstly we aim to transfer information security knowledge and best practices from highly qualified Italian actors (namely, former monopolists in telecommunications network operators, energy suppliers, historical critical information infrastructures, civil protection departments, public centres of excellence, etc) to the private sector, small and medium enterprises, other public administration sectors, and even to home users.

These activities aim to build up a common minimum infosecurity defence, widespread in the country, with special focus on the role of the network operator in providing adequate network and information security.

To do this I set up round table meetings, grouping more than 100 public and private entities that together are developing guidelines on specific issues. Three such guidelines are already published and five are in an advanced state of elaboration. The three out now cover

• Quality of Service in telecommunication networks (gives parameters, values and measurements methods also for security)
• Risk analysis and management
• CIIP (Critical Information Infrastructure Protection) and their dependency on telecommunications networks.

They are available at www.iscom.gov.it and will be published in English by November.

Next, we want to spread throughout the country (in both the public and the private sectors) the culture and the practice of information security “third party” certifications, and, in particular, those systems and products that are based on the Common Criteria (ISO 15408) security certification.

In my capacity as director of OCSI, the Italian Common Criteria certification body, we set up a special strategy to deal with system security certification. We are sharing this strategy through various initiatives with international partners such as EU countries, NATO, the G8, etc.

We do this by organising international workshops and conferences. The next one will be held in Rome from 2 to 4 November. It is co-hosted by ISCOM (Institute for Communications, the body for which I am Director General), FUB (Fondazione Ugo Bordoni, an Italian high level research institute on telecommunications), and ENISA (the EU Agency on network security). The aim is to promote and coordinate Italian initiatives in the international ring, with special regard to EU initiatives.

I’m also the ENISA management board representative for Italy, where I actively support ENISA’s work in Italy. Finally, my job is to push for better regulations on information security at government and Italian Parliament levels.

Infosecurity awareness among businesses and consumers in Europe varies considerably. Where would you rate Italy in terms of awareness and practice? What more should the government do now?

Our infosecurity awareness initiatives are in an advanced state of completion, especially if compared with similar initiatives taken in other EU countries. Of course, a lot more work should be done, especially in translating information sharing and awareness initiatives into practical realizations of best practices. In this regard, one of the main issues we have to address is to spread best practices to private companies, and, in particular, to CIIPs.

E-commerce and e-banking transactions are rising in most countries, as are problems such as spam, hacking and identity theft. What are the trends in Italy, and is the government happy to see this? What measures should government take to ensure that e-transactions are fair, legal, judicially actionable and transparent to, for example, the tax authorities? Do you believe that e-commerce will accelerate moves towards a truly level economic playing field in Europe, and would this be a desirable outcome?

The security of e-commerce, e-banking, etc, can be reached if and only if a large variety of actors (ISPs, telecommunications companies, government, private and public actors, etc) set up a common strategy against spam, hacking and identity theft.

Our main work in this field is to build up a common understanding of the above problems and a common strategy. The main route we are following is the international cooperation with EU countries, and we participate actively in all major EU initiatives in these fields. We believe that regional or local solutions to the above problems are inadequate, especially if they are not properly part of a wider context.

Given the growing importance of electronically-mediated transactions, what is the government doing to increase the number of suitably qualified infosecurity professionals?

As a major consequence of the activities of OCSI cited before, we are producing highly qualified professionals in the field of Common Criteria security certification. We are also promoting national synergies between Common Criteria and BS7799 certification bodies.

In addition, ISCOM is the leading body in a security awareness program that will involve all public sector staff (more than 60,000 people) from the chief executive of the various directorates to the “simple” public sector end user.