Corporate Security

Cybersecurity offensive, 'good hacker' patrols advance

The CEO of Italian start-up HN Security, Giannandrea Tateo, explains the costs and purposes of simulated cyber attacks to improve corporate security

7' min read

7' min read

The control tower of an Italian airport exchanges routine messages with the flight simulators that are training some pilots. Suddenly the messages derail from the routine and look decidedly strange, the pilots are astonished and wonder what the heck is going on. But the same astonishment shows on the faces of the air traffic controllers. It is a hacker attack, they guess. What they do not know, however, is that they are 'good hackers' or ethical hackers (in slang 'white hat', the white hats of western films) engaged in an Offensive security test, an oxymoron that encapsulates in a single word the activity of an expanding sector in the United States but also in Italy, in terms of services offered by specialised companies and professional training. In the increasingly strategic field of cybersecurity, which sees Italy growing but still lagging behind (we are in 11th place, for instance, in the MIT's Cyber Defence Index). The attack on the flight simulators is a real case, of the man in the middle type, explains Giannandrea Tateo, CEO of HN Security, a start-up founded in 2021, based in Turin with specialists also in Florence and Rome, and which is part of the Roman group Humanativa, of the entrepreneur Stefano Commini.

IA, Romano "Parlamento farà leggi su cybercrime e cybersecurity"

The 'white hats' of cybersecurity

.

The 'good hackers', explains Tateo, 'provide their expertise and passion to test organisations' IT infrastructures for robustness and resilience'. A passion that for the older ones was born in basements in the early 2000s when they had fun and competed in hacking servers and IT infrastructures of the most diverse organisations, sometimes even risking prosecution. "Over the last twenty years, some have lost their way, others have made it a profession by putting themselves at the service of companies within ICT departments, and still others, the most visionary, have created real companies offering Offensive Security services to their clients". Offensive Security is the name given to this discipline to differentiate it from Defence Security, that set of hardware and software infrastructures whose purpose is to protect IT infrastructures and - in the event of hacker attacks - detect threats and isolate them to protect corporate assets..

Loading...

Sweatshirt-wearing and tie-wearing managers

Ever since the days of Kevin Mitnik, alias 'Condor', who got out of an American prison in 2000 and founded his own security company, a planetary narrative has flourished around bad, good and 'converted' hackers over the last three decades, which the professionals working for HN security have certainly drunk from. "I know for a fact that some of my colleagues knew Mitnick personally, or H.D.Moore and others, but they do not boast about it in public. Our two senior technicians, Marco Ivaldi and Maurizio Agazzini,' says Tateo, 'are two of the most renowned white hats in this small but very specialised world of Offensive Security, where everyone knows and talks to each other. They both started in this sector in the 2000s, on infrastructures and systems that have now almost disappeared, then they had the ability and passion to adapt to the technological evolution. But in HN Security there are other younger white hats who are just as capable, especially on new technologies in the mobile field. How is the collaboration in the company between geeks in sweatshirts and management in ties? There is mutual respect and esteem, we complement each other, but by now I only wear the tie in some meetings with top management. Of course, when we have to go to a client and ask for business casual attire they tend to forget the business part...'.

How an offensive security startup is born and grows

HN Security was born three years ago precisely from the collaboration between these two 'souls', technical and entrepreneurial, or rather from the meeting between the president of Humanativa Stefano Commini and two of these pioneers of offensive security who developed their passion first in basements than in school desks. "Around them," Tateo recounts, "we built a group of friends and former colleagues animated by the same passion: identifying computer flaws and then suggesting the remedy. We have gone from a turnover of 700,000 euro in 2021 (with a positive Ebitda) to a forecast of 1,500 in 2024 and 2,000 in 2025 (with an Ebitda of 15%)'. Always investing heavily in people (today there are around 20 specialists) and training, which are strategic aspects of striving for excellence. "Our specialists follow an intense training programme and devote 20% of their time to research and development: one day a week in which they study while playing, sometimes competing against each other in an attempt to hack what comes their way, always within the limits of legality, of course. You have to be at least as good as your opponents to do our work'.

What kind of interventions and how much they cost

In addition to the man in the middle already seen, intervention types include the classic penetration test, a simulated authorised cyber attack on a computer system or network, performed to assess system protection. More comprehensive are Red team attacks, multi-layered simulations that aim to assess how a company's people, networks, applications and physical security controls are able to respond. "We are also pushing hard on activities that identify problems during the design and development of software, because detecting a flaw when it is already in production has an extremely high cost, up to 30 times. Our work stops with the production of a detailed report listing the vulnerabilities to which we associate 'Recommendations', i.e. actions to be taken to remove or mitigate the threat that should not be carried out by the same person (even if someone does). It's almost an ethical matter, I don't have to look for vulnerabilities in order to get more work afterwards'. An Offensive security project costs an average of 20 to 100 thousand Euros, but the cost to put in place remedies can be several orders of magnitude higher, making it very attractive to companies.

IL MERCATO DELLA CYBERSECURITY IN ITALIA

Loading...

The market: David and Goliath

The market is growing fast and is mainly dominated by large and unspecialised companies. How to find space for a start-up/sME? "With the support of technology advisors, we have been able to confirm that in this sector, customers are looking for small and medium-sized, highly specialised companies with which they can develop a strong relationship of trust, even on an individual level. To test IT infrastructures you need to get into the heart of the client companies. And with large, highly structured companies with high turnover this is not always possible. The market is growing rapidly and many companies are specialising in this discipline, but those that can boast the skill to deal with complex issues are still few.

Demand driven by banks and fintech

Over the past decade, the market has become more mature and many companies have realised how important it is to anticipate cyber attacks, rather than react to them. "For obvious reasons," explains the CEO of HN Security, "the market that is most sensitive to the issue is definitely the banking and fintech sector, but other sectors are also starting to emerge, especially those that have embraced digitisation to a greater extent. There is no doubt the value that digitisation is bringing to companies, but it is equally true that companies must have an appropriate security posture in order not to risk becoming targets. In recent years, themain driver for security has been the countless incidents caused by 'ransomware' gangs, which use a malicious programme to infect a digital device (PC but also smartphone), blocking access to files and then demanding a ransom. Many companies, both Italian and foreign, got burnt precisely because they always thought 'it won't happen to us'.

The Pa is trudging along

.

Especially in Lazio, the IT market is undoubtedly driven by the Public Administration, which, albeit a little late, has finally realised the value of security, perhaps also thanks to the recent incidents reported in the media. "Compared to the private market, which is much more mature and responsive, and with which it is easier to establish a direct relationship, the Public Administration is still rather slow and bureaucratised, tied to framework agreements with large groups that then use specialised companies like ours to carry out specific activities where very high competence is required," Tateo notes. "In addition, the now constant recourse to multi-year and all-inclusive tenders awarded through auctions at the lowest price certainly does not enhance the quality offered by SMEs. In England in the 1940s they coined the saying "you pay peanuts, you get monkeys", we are a bit late in grasping this concept. But there are signs of change. The health sector is the most sensitive in transposing safety recommendations and regulations'.

Offensive security and artificial intelligence

The real challenge we will face shortly when artificial intelligence becomes more widespread is security. 'Intentionally manipulating input data to fool a machine learning model,' explains Tateo, 'can lead it to make incorrect predictions or make unfair or discriminatory decisions. A potentially devastating type of attack is the so-called Adversarial Machine Learning (AML), which acts directly on machine learning systems. It is a new field, where evolutions are many and very fast, some of them like ChatGPT are already being used by hackers to make their attacks more sophisticated'.

Password private but not too much

Finally, from the security offensive comes an admonition to be cautious about passwords, the cross and blight of everyone's daily computer security. "Once,' concludes Tateo, 'a certain embarrassment arose when one of our specialists, exploiting a vulnerability in a customer's system, gained access to the passwords of a user who had accepted the recommendation to use so-called passphrases (a string of words used as passwords, such as "Go to the pharmacy to pick up the two medicines"), but using dialectal expressions, even of a sexual nature. Fortunately it all ended in a roaring collective laughter...'.

Copyright reserved ©
Loading...

Brand connect

Loading...

Newsletter

Notizie e approfondimenti sugli avvenimenti politici, economici e finanziari.

Iscriviti