Cyber Agency

State databases hacked, information protected on multiple levels of control

New guidelines strengthen security on politicians and entrepreneurs: checks on internal users, searches performed and external suppliers

Database di Stato violati, informazioni protette su più livelli di controllo (stock.adobe.com)

4' min read

4' min read

What is certain is that in the exfiltration of confidential data from the most important State databases, such as the Interforce CED of the Ministry of the Interior or Siva, which collects anti-money laundering alerts (the so-called SOS), the 'human factor' would have been crucial. This is how they defined it at the Viminale, after the investigation by the Milan Public Prosecutor's Office into Enrico Pazzali's company Equalize shed light on the role of 'moles' within the institutions who were leaking secret information on people and companies.

A bit like Pasquale Striano, the lieutenant of the Guardia di Finanza, seconded to the SOS office of the National Anti-Mafia Directorate, who 'stole' financial reports on politicians or entrepreneurs to hand them over to journalists upon request. Crucial was the case of Defence Minister Guido Crosetto who, according to the Perugia magistrates coordinated by Prosecutor Raffaele Cantone, was one of the main 'targets' of the dossier.

Loading...

Unfaithful Functionaries

.

Investigative reconstructions that have triggered a profound reflection on databases and the way they are managed. The same Agency for National Cybersecurity (Acn), an intelligence body that reports to the Chigi Palace and is directed by Prefect Bruno Frattasi, has noted, among others, a fundamental 'criticality': most of the actions were perpetrated by the possibility of access to information thanks to the permissions assigned to public administration officials who were later found to be 'unfaithful'. People who allegedly played a double game for purposes that remain to be clarified and who - in the delicate case under examination by the Rome Public Prosecutor's Office - may have handed over confidential information to foreign parties interested in financial speculation in Italy.

Cybercrime, crescono gli attacchi alle Pmi: come difendersi?

In recent days, the NCA has issued a 19-page document with new guidelines 'for strengthening the protection of databases against the risk of misuse'. It was realised that the excessive scope of permissions granted to authorised users had triggered a phenomenon that had degenerated into the buying and selling of confidential information. Material that is useful for targeting a political or business enemy and that, inevitably, risks manipulating market trends.

"Robust"

Control

It was decided that structuring a consistent and robust control is 'the basis for ensuring that' access to databases 'is restricted to authorised personnel and users'. To this end, the digital identities of staff must be nominative and individual, not shared among several persons, also in order to be able to track access and unambiguously trace back to the internal and external staff making it.

User verification

.

Users, their privileges and credentials must be verified, updated, revoked and audited periodically, according to a time frame consistent with the risk analysis.

A centralised access management model must be implemented. Everyone, including remote accesses, must be logged and monitored. The security of systems and applications must be guaranteed by design and by default.

Criteria will therefore have to be defined to detect cases of improper use of databases by staff, such as the consultation of sensitive profiles or other profiles relevant to the protection of national security, such as the data of politically exposed persons; the exceeding of a threshold for queries by an individual user; the appreciable variation of the average number of searches made by a user calculated over a defined period of time; searches made by staff who do not hold positions of employment requiring certain information'.

Particular attention should be paid to the supply chain. According to the Agency, 'suppliers and third parties, especially if not very mature in terms of cybersecurity, can represent a point of vulnerability'. Suppliers, in fact, 'can represent an attack vector when compromised by malicious actors'.

"ANTI-TALPA RULES"

.

Access Control

.

Effective access control is the first level of defence to prevent misuse.

Authentication. Mandatory for all access to systems and databases, with mechanisms calibrated according to the criticality of the data managed.

Central management. Using platforms to continuously monitor and verify access, revoking obsolete credentials.

Access tracking. Every operation must be recorded in secure logs, archived for at least 24 months

Systems Development

.

The development cycle must be safety-oriented right from the design stage.

Environment separation.
Systems must operate in separate environments for development, testing and production, limiting access to real data.

Surface of attack.

Elimination of unnecessary components (software, services) and integration
of monitoring and alarm systems already at the design stage.

Identity. Introduction of complex passwords to protect automated access.

Systems Cycle

.

The security of systems and applications must be guaranteed at all stages of their life cycle, from design to decommissioning.

Maintenance. Every intervention, whether local or remote, must be recorded and traced.

Updates. Before implementing patches or critical updates, these must be tested in dedicated environments

Disposal. Deletion of data and encryption keys from obsolete
storage devices, with compliant disposal.

Suppliers

.

Suppliers and third parties represent a significant point
of vulnerability.

Classification of suppliers. Updated inventory and classification of suppliers according to the cyber risks associated with their activities.

Contracts. Every agreement must include clauses that clearly define the required security standards.

Diversification of suppliers. Ensure that the compromise of a supplier does not lead to a complete loss of operational capacity by providing alternatives for critical services.


Copyright reserved ©
  • Ivan Cimmarustigiornalista

    Luogo: Roma

    Lingue parlate: Italiano, inglese

    Argomenti: Sicurezza, giudiziaria, inchieste, giustizia tributaria

    Premi: Nel 2011 tra i vincitori del Premio Internazionale Antimafia Livatino-Saetta

Loading...

Brand connect

Loading...

Newsletter

Notizie e approfondimenti sugli avvenimenti politici, economici e finanziari.

Iscriviti