Categories
Cybersecurity

Unauthorized Access to Computer

1    Computer Fraud and Abuse Act

Any fraudulent access is punishable by law. The best-known statute is the CFAA (Computer Fraud and Abuse Act), the United States computer-crime law enacted in 1986 as an amendment to the computer fraud provisions introduced in 1984.

Aaron Swartz, who co-authored the RSS 1.0 (RDF Site Summary) specification in XML and rewrote the Reddit website in Python, was an activist who faced up to 35 years in prison under the CFAA because he allegedly used a script to download scholarly research articles from JSTOR in bulk, far in excess of what its terms of service allowed.

The Resource Description Framework (RDF) is the basic tool proposed by the W3C for encoding, exchanging and reusing structured metadata; it allows semantic interoperability between applications that share information on the Web. It consists of two components:

·         RDF Model and Syntax: defines the structure of the RDF model and describes one possible (XML) syntax for it.

·         RDF Schema: defines the syntax used to declare schemas and vocabularies for metadata.

The RDF data model is based on three key principles:

1.    Anything can be identified by a Uniform Resource Identifier (URI).

2.    Least power: use the least expressive language that is sufficient to define something.

3.   Anything can say anything about anything.
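As an added example (not code from the original page), the following Python script takes a small RSS 1.0 feed, constructed here for illustration with placeholder example.org URIs, and extracts the RDF statements it carries. It goes one step beyond the text above by showing that every RDF statement is a subject-predicate-object triple: the subject is always a resource identified by a URI (principle 1), and both the channel and each item can be the subject of statements (principle 3).

```python
import xml.etree.ElementTree as ET

# Namespaces used by RSS 1.0 (RDF Site Summary), the format Aaron Swartz co-authored.
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
RSS = "http://purl.org/rss/1.0/"
DC = "http://purl.org/dc/elements/1.1/"

# Constructed sample feed; the example.org URIs are placeholders, not a real site.
SAMPLE_RSS10 = f"""<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="{RDF}" xmlns="{RSS}" xmlns:dc="{DC}">
  <channel rdf:about="https://example.org/feed">
    <title>Example feed</title>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="https://example.org/post/1"/>
      </rdf:Seq>
    </items>
  </channel>
  <item rdf:about="https://example.org/post/1">
    <title>First post</title>
    <link>https://example.org/post/1</link>
    <dc:creator>alice</dc:creator>
  </item>
</rdf:RDF>
"""


def _qname_to_uri(tag):
    """ElementTree writes namespaced tags as '{ns}local'; the RDF property URI is ns + local."""
    return tag[1:].replace("}", "", 1) if tag.startswith("{") else tag


def triples_from_rss10(xml_text):
    """Return (subject, predicate, object) statements from an RSS 1.0 document.

    Each element carrying rdf:about is a resource identified by a URI and becomes
    the subject of one statement per child property. rdf:li entries inside the
    <items> container yield URI-valued objects; every other child is a literal.
    """
    root = ET.fromstring(xml_text)
    triples = []
    for node in root:
        subject = node.get(f"{{{RDF}}}about")
        if subject is None:
            continue  # not a described resource
        for prop in node:
            predicate = _qname_to_uri(prop.tag)
            if prop.tag == f"{{{RSS}}}items":
                for li in prop.iter(f"{{{RDF}}}li"):
                    triples.append((subject, predicate, li.get(f"{{{RDF}}}resource")))
            else:
                triples.append((subject, predicate, (prop.text or "").strip()))
    return triples


if __name__ == "__main__":
    for s, p, o in triples_from_rss10(SAMPLE_RSS10):
        print(f"<{s}> <{p}> {o!r}")
```

A feed fetched from the network is untrusted input: before running a parser like this on real feeds, use defusedxml (or otherwise limit entity expansion) rather than raw ElementTree, because crafted XML can exhaust memory through entity expansion.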

2    Computer Misuse Act

In 1990 the Parliament of the United Kingdom passed the Computer Misuse Act, which punishes unauthorised access to computer material, unauthorised modification of it, and unauthorised access with intent to commit a further criminal offence. The same act inspired similar legislation in Canada and Ireland.

3    2013/40/EU

Directive 2013/40/EU is the European directive on attacks against information systems. It establishes minimum rules on the definition of criminal offences and sanctions in this area, with aggravated penalties when the attack hits a critical infrastructure, that is an asset or system essential for the maintenance of vital societal functions, health, safety, security, or the economic or social well-being of people (such as power plants, transport networks or government networks), whose disruption or destruction would have a significant impact in a Member State as a result of the failure to maintain those functions.


Roles and Responsabilities

Among the organisational data security fundamentals, the senior / chief decision makers and the related roles include:

CEO: decision maker (the "titolare", i.e. the controller, in Italian)

CFO: budgeting and finance

CIO: ensures support with its technical know-how

ISO: risk analysis and mitigation

Steering Committee: defines which risks matter and how to deal with them

Auditor: evaluates the business processes of the security systems

Data Owner: classifies the data

Data Custodian: deals day by day with the "maintenance of data"

Network Administrator: ensures the availability of network resources

Security Administrator: responsible for all security and associated tasks, with particular regard to "confidentiality and integrity".

It is always advisable to appoint a press officer as well.

DPO Data Protection Officer

European legislation has introduced new mandatory actors for the protection of personal data. Under art. 37 GDPR [14] the appointment of a DPO is mandatory for public authorities and bodies (except courts acting in their judicial capacity); where the core activities require regular and systematic monitoring of data subjects on a large scale; and where they involve large-scale processing of the special categories of personal data of Article 9 or of data relating to criminal convictions and offences under Article 10. The DPO must act in the interest of the data subjects and of the community as a whole, not only of the CEO. Even where the appointment of a DPO is not mandatory because the organisation does not fall within the cases contemplated by the Regulation, once the CEO has appointed one, the rules set out in arts. 37-39 GDPR must in any case be fully applied.


The European Directive 1148 of 2016

The European Directive 2016/1148 (the NIS Directive), which Member States had to transpose into national law by May 2018, obliges them to adopt resilience measures in the sectors that supply essential services and digital services:

"For an effective response to the security challenges of networks and information systems, a global approach at Union level is therefore needed, including the establishment of a common minimum capacity and minimum provisions on planning, information exchange, cooperation and common security obligations for operators of essential services and digital service providers. However, there shall be nothing to prevent the operators of essential services and digital service providers from applying security measures which are stricter than those required under this Directive."

Sectors of critical infrastructure (CI) identified by the European Commission and listed in Communication COM(2004) 702:

  • energy plants and networks (power plants, gas and oil production plants, depots and refineries, transmission and distribution systems)
  • information and communication technology (for example, telecommunications, radio and television services, software, hardware and networks including the Internet)
  • finance (for example, banks, financial instruments and investments)
  • the health system (for example, hospitals, health and blood collection services, laboratories, the pharmaceutical sector, and rescue and emergency services)
  • food supply (for example, the food industry, hygiene and safety systems, production and wholesale distribution)
  • water supply (e.g., basins, storage, treatment, aqueducts)
  • transport (e.g., port, airport and intermodal services, collective rail transport systems, traffic control systems)
  • production, storage and transport of dangerous substances (e.g., chemical, biological, radiological and nuclear)
  • government (for example, critical services, facilities, information networks, assets, and the architectural and natural heritage).

ENISA, the EU agency for network and information security, established in 2004 and headquartered in Athens, is a centre of expertise that supports the Member States and the EU institutions in preventing and responding to cyberattacks.


USA PPD 21

PPD-21, the 2013 Presidential Policy Directive issued by Barack Obama, provides a list of critical infrastructures to be protected, identifying 16 sectors, and defines the related roles, responsibilities and capabilities:

  • Chemical: Sector-Specific Agency: Department of Homeland Security
  • Commercial Facilities: Sector-Specific Agency: Department of Homeland Security
  • Communications: Sector-Specific Agency: Department of Homeland Security
  • Critical Manufacturing: Sector-Specific Agency: Department of Homeland Security
  • Dams: Sector-Specific Agency: Department of Homeland Security
  • Defense Industrial Base: Sector-Specific Agency: Department of Defense
  • Emergency Services: Sector-Specific Agency: Department of Homeland Security
  • Energy: Sector-Specific Agency: Department of Energy
  • Financial Services: Sector-Specific Agency: Department of the Treasury
  • Food and Agriculture: Co-Sector-Specific Agencies: U.S. Department of Agriculture and Department of Health and Human Services
  • Government Facilities: Co-Sector-Specific Agencies: Department of Homeland Security and General Services Administration
  • Healthcare and Public Health: Sector-Specific Agency: Department of Health and Human Services
  • Information Technology: Sector-Specific Agency: Department of Homeland Security
  • Nuclear Reactors, Materials, and Waste: Sector-Specific Agency: Department of Homeland Security
  • Transportation Systems: Co-Sector-Specific Agencies: Department of Homeland Security and Department of Transportation
  • Water and Wastewater Systems: Sector-Specific Agency: Environmental Protection Agency

Resilience

The meaning of this term, codified in US Presidential Policy Directive 21, by the European legislator in the NIS Directive, and in the Italian Gentiloni decree (DPCM of 17 February 2017), is the ability of a network or system to preserve its information and functions intact even after a successful cyber attack.

After evaluating the risk of a data breach and the related penalty in the EU (GDPR fines of up to 4% of annual worldwide turnover), decision makers must act and apply defence in depth, made up of three elements:

  • employees: bringing them to a level of awareness appropriate to the dangers to be avoided, so that they can also watch over perimeter protection;
  • technology: equipping our IT infrastructure with up-to-date technology: intrusion detection and prevention (IDS / IPS), filtering of incoming and outgoing traffic (routers, switches and firewalls with their access control lists), honeypots that divert attacks onto decoy systems, TCP reset, detection of 0x90 NOP sleds and polymorphic shellcode, antivirus, cryptography;
  • operating procedures: software patching, OS and firmware updates and upgrades, penetration tests, business continuity / disaster recovery (BC / DR), all periodic and repeated activities, plus the adoption of privacy by design and by default.

In our case it is very important to have a backup of the laptop's hard disk, or at least of the main files stored on it.
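Of the technology items above, "detect 0x90 / polymorphic shellcode" is the one that is easiest to show in code. The following Python is an added example, not code from the original page: it scans a payload for a NOP sled, first as a run of 0x90 bytes and then as a run of single-byte x86 instructions that a polymorphic sled engine substitutes for 0x90. The payloads are constructed here in place of real traffic, the "shellcode" after each sled is an ASCII marker rather than executable code, and the 32-byte threshold is an assumption to be tuned per network.

```python
# Added example: NOP-sled detection over a captured payload.
# A classic sled is a long run of 0x90 (x86 NOP) placed before shellcode so an
# imprecise return address still "slides" into it. Polymorphic sleds replace 0x90
# with other one-byte instructions whose side effects do not matter, so a
# detector that only looks for 0x90 misses them.

# One-byte x86 (32-bit) instructions commonly used as NOP substitutes:
# 0x90 nop, 0x40-0x47 inc reg, 0x48-0x4F dec reg, 0x91-0x97 xchg eax,reg,
# 0x98 cwde, 0x99 cdq, 0xF5 cmc, 0xF8 clc, 0xF9 stc, 0xFC cld, 0xFD std.
NOP_EQUIVALENTS = frozenset(
    [0x90, 0x98, 0x99, 0xF5, 0xF8, 0xF9, 0xFC, 0xFD]
    + list(range(0x40, 0x50))
    + list(range(0x91, 0x98))
)

SLED_THRESHOLD = 32  # minimum run length before we call it a sled (assumption, tune per site)


def longest_run(payload, allowed):
    """Return (start_offset, length) of the longest run of bytes contained in `allowed`."""
    best_start = best_len = 0
    run_start = None
    for i, b in enumerate(payload):
        if b in allowed:
            if run_start is None:
                run_start = i
            if i - run_start + 1 > best_len:
                best_start, best_len = run_start, i - run_start + 1
        else:
            run_start = None
    return best_start, best_len


def detect_sled(payload, threshold=SLED_THRESHOLD):
    """Classify a payload as no sled, a classic 0x90 sled, or a polymorphic sled."""
    start90, len90 = longest_run(payload, frozenset([0x90]))
    if len90 >= threshold:
        return {"sled": "classic", "offset": start90, "length": len90}
    start_poly, len_poly = longest_run(payload, NOP_EQUIVALENTS)
    if len_poly >= threshold:
        return {"sled": "polymorphic", "offset": start_poly, "length": len_poly}
    return {"sled": None, "offset": None, "length": max(len90, len_poly)}


# Constructed samples (no real exploit): a 200-byte classic sled, a 200-byte
# polymorphic sled built from the substitute set, and a benign HTTP request.
CLASSIC = b"\x90" * 200 + b"SHELLCODE_PLACEHOLDER"
POLY = bytes((0x41, 0x4B, 0x97, 0x99, 0xF8, 0x42, 0x90, 0xFC) * 25) + b"SHELLCODE_PLACEHOLDER"
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("classic", CLASSIC), ("polymorphic", POLY), ("benign", BENIGN)):
        print(name, detect_sled(sample))
```

Note the false-positive trap the substitute set creates: the bytes 0x40-0x4F are the ASCII letters '@' and 'A' to 'O', so an upper-case word such as "HELLO" is itself a five-byte "polymorphic sled". That is why the run-length threshold, and ideally a check that the run is followed by something that disassembles as code, matters before such a signature is used to trigger a TCP reset.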

Categories
Cybersecurity

HANDLE RISK MANAGEMENT

The five Core Functions identified by NIST in its Cybersecurity Framework give us a strategic outlook on the life cycle of risk management related to an organisation's IT security and should be taken as a reference milestone. Here is how to comply with the five Functions:

1     Identify

Organizations must develop an understanding of their environment in order to manage cybersecurity risk to systems, assets, data and capabilities. To comply with this Function, it is essential to have full visibility into our digital and physical assets and their interconnections, to define roles and responsibilities, to understand our current risks and exposure, and to put policies and procedures in place to manage those risks.

2     Protect

Organizations must develop and implement the appropriate safeguards to limit or contain the impact of a potential cybersecurity event. To comply, our organization must control access to digital and physical assets, provide awareness education and training, put processes into place to secure data, maintain baselines of network configuration and operations to repair system components in a timely manner and deploy protective technology to ensure cyber resilience.

3     Detect

Organizations must implement the appropriate measures to quickly identify cybersecurity events. Adopting continuous monitoring solutions that detect anomalous activity and other threats to operational continuity is required to comply with this Function. Our organization must have visibility into its networks to anticipate a cyber incident and have all the information at hand to respond to one. Continuous monitoring and threat hunting are very effective ways to analyze and prevent cyber incidents in ICS (Industrial Control System) networks.

4    Respond

Should a cyber incident occur, organizations must have the ability to contain its impact. To comply, our organization must craft a response plan, define communication lines among the appropriate parties, collect and analyze information about the event, perform all the activities required to eradicate the incident, and incorporate lessons learned into revised response strategies.

5    Recover

Organizations must develop and implement effective activities to restore any capabilities or services that were impaired due to a cybersecurity event. Our organization must have a recovery plan in place, be able to coordinate restoration activities with external parties and incorporate lessons learned into our updated recovery strategy. Defining a prioritized list of action points which can be used to undertake recovery activity is critical for a timely recovery.


CYBERSPACE (CLEARNET, DEEPWEB AND DARKWEB)

Cyberspace, a term coined by William Gibson in his 1984 science-fiction novel Neuromancer, consists of the interconnected network infrastructures that host sites and devices and the information circulating through them, of that information itself, and of the human beings the information refers to. Since 2009 US military strategy has recognised cyberspace as a warfighting domain, and the US Government established the United States Cyber Command (USCYBERCOM) for tasks related to cyber conflicts. NATO has officially declared cyberspace an operational domain and stated that a serious cyberattack on one of its allies may be treated as an armed attack: it could activate Article 5 and call for a response from the alliance, decided case by case according to the seriousness of the attack. Behind such attacks there are usually hidden economic and military interests. In modern geopolitics we therefore have to protect digital borders, and cyberspace has become the fifth domain after land, sea, air and space. To withstand cyberattacks we must apply cyber resilience.

1    Clearnet

The part of the Internet that is accessible to everyone and indexed by search engines. According to some estimates the clear web represents only about 6% of the Internet: what we can reach with a Google search or by typing a website address is small compared with the amount of data that exists online.

2    Deepweb

Deep web generally means the whole part of the Internet that is not directly accessible and is not indexed by search engines. It is thought to represent about 94% of the total and includes backup servers, Network Attached Storage (NAS), IoT devices such as video-surveillance systems or the split units of air conditioners, and so on.

3    Darkweb

Dark web, on the other hand, means a part of the Internet that is reachable only with special software and that usually protects the user's anonymity; the Tor network is the best-known example. It is a subset of the deep web and hosts both legal content (personal blogs, forums) and illegal content (weapons and drug shops).


Introduction

We are the weak link of the whole cybersecurity chain, so we have to protect the information on our laptops from insider attacks and from any abusive or fraudulent access, to avoid economic and reputational damage to ourselves, to our company or, worse, to our nation, while strengthening privacy protection. Statistics on cyber-attacks suggest that around 60% of them originate from inside the organisation. NIST-aligned baselines require systems to log and alert on every successful and unsuccessful login to an administrative account. We tend to assume that a simple antivirus is enough to protect a laptop, but a laptop is a system in its own right.

The aim of this work is therefore a tool that helps us be more resilient and understand what is happening around us: once the Windows laptop has finished booting, it takes a picture of whoever is in front of the webcam and, if the machine is connected to the Internet, automatically sends an email with the photo attached together with the laptop's geolocation and IP address. Moreover, while the workstation is locked, the third failed login attempt (a wrong password typed three times) triggers a new photo and the same procedure, emailing the captured photo and the geographic location.

Consider lunch time: the laptop is left unattended, locked and secured with a Kensington cable, yet somebody, say a stakeholder on a project involving many companies, dares to steal or read our developments (if we are programmers working at a customer's site) or our confidential documents (if we are project managers). It is better to know who that is and to raise an alarm. And if somebody has watched the password over our shoulder (shoulder surfing), why not define a window between 12:30 and 14:30 during which every successful login is monitored with the same procedure, like an IDS, together with motion detection. Everything is written in Python, with XML for the Windows Task Scheduler and DOS batch files. It could also be useful against cyberbullying.
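The trigger logic described above, as an added example that is not the author's tool: a pure-Python reading of Windows Security log records, constructed here in the XML shape that Event Viewer (or wevtutil qe Security /f:xml) exports so the script runs offline. It raises an alert on the third consecutive failed logon while the workstation is locked, and on any successful interactive logon that falls inside the 12:30-14:30 monitoring window. Event IDs 4624 (successful logon), 4625 (failed logon), 4800 (workstation locked) and 4801 (workstation unlocked) are the standard Windows Security IDs; the user name "alice", the timestamps and the one-hour UTC offset are assumptions for the sample, and the photo-and-email step is left as a callback.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, time, timedelta

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Standard Windows Security log event IDs.
LOGON_OK, LOGON_FAIL, WS_LOCKED, WS_UNLOCKED = 4624, 4625, 4800, 4801
INTERACTIVE_LOGON_TYPES = {"2", "7"}  # 2 = console logon, 7 = unlock of a locked session

FAILED_ATTEMPTS_THRESHOLD = 3
WATCH_START, WATCH_END = time(12, 30), time(14, 30)   # lunch-time window, local time
LOCAL_UTC_OFFSET = timedelta(hours=1)                 # assumption: CET without DST


def _event_xml(event_id, system_time, **data):
    """Build one Security record in the XML shape Event Viewer exports (constructed sample)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS[1:-1]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/></System>'
            f'<EventData>{fields}</EventData></Event>')


def parse_event(xml_text):
    """Return (event_id, local_datetime, {Data Name: value}) for one exported record."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{EVENT_NS}System")
    event_id = int(system.find(f"{EVENT_NS}EventID").text)
    stamp = system.find(f"{EVENT_NS}TimeCreated").get("SystemTime")
    # SystemTime is UTC with up to seven fractional digits; keep whole seconds only.
    when_utc = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVENT_NS}Data")}
    return event_id, when_utc + LOCAL_UTC_OFFSET, data


def evaluate(records, on_alert=lambda reason, when, user: None):
    """Walk records in order and return the alerts the two rules raise.

    Rule 1: third consecutive 4625 while the workstation is locked.
    Rule 2: any interactive 4624 whose local time falls inside the watched window.
    on_alert is where the real tool takes the webcam photo and emails it with IP and geolocation.
    """
    alerts = []
    locked = False
    consecutive_failures = 0
    for rec in records:
        event_id, when, data = parse_event(rec)
        user = data.get("TargetUserName", "?")
        if event_id == WS_LOCKED:
            locked = True
        elif event_id == WS_UNLOCKED:
            locked = False
        elif event_id == LOGON_FAIL:
            consecutive_failures += 1
            if locked and consecutive_failures == FAILED_ATTEMPTS_THRESHOLD:
                alerts.append(("third failed logon while locked", when, user))
        elif event_id == LOGON_OK and data.get("LogonType") in INTERACTIVE_LOGON_TYPES:
            consecutive_failures = 0
            if WATCH_START <= when.time() <= WATCH_END:
                alerts.append(("logon inside watched window", when, user))
    for alert in alerts:
        on_alert(*alert)
    return alerts


# Constructed sample: lock at 13:10 local, three wrong passwords around 13:40,
# a successful unlock at 13:41 (inside the window), and a console logon at 17:05 (outside).
SAMPLE = [
    _event_xml(WS_LOCKED, "2024-03-05T12:10:00.0000000Z", TargetUserName="alice"),
    _event_xml(LOGON_FAIL, "2024-03-05T12:40:10.0000000Z", TargetUserName="alice"),
    _event_xml(LOGON_FAIL, "2024-03-05T12:40:25.0000000Z", TargetUserName="alice"),
    _event_xml(LOGON_FAIL, "2024-03-05T12:40:41.0000000Z", TargetUserName="alice"),
    _event_xml(LOGON_OK, "2024-03-05T12:41:03.0000000Z", TargetUserName="alice", LogonType="7"),
    _event_xml(WS_UNLOCKED, "2024-03-05T12:41:03.0000000Z", TargetUserName="alice"),
    _event_xml(LOGON_OK, "2024-03-05T16:05:00.0000000Z", TargetUserName="alice", LogonType="2"),
]

if __name__ == "__main__":
    evaluate(SAMPLE, on_alert=lambda reason, when, user: print(f"{when:%H:%M:%S} {user}: {reason}"))
```

In the real deployment the script is not polling: the Task Scheduler XML the page mentions can carry an EventTrigger subscribed to Security log EventID 4625, so the scheduler launches the script on each failure and the script only needs to read the last few records. Reading the Security log requires administrative rights, which is itself a reason to keep the monitoring account separate from the daily-use one.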

According to the Cyber Security Strategy of the European Union we have to guarantee an open, safe and secure cyberspace and ensure a high common level of network and information security across the Union. To understand the meaning of cybersecurity we need to go back to the origin of the term cybernetics, from the ancient Greek κυβερνήτης (kybernētēs: steersman, governor, pilot) and κυβερνητική (kybernētikē), the art of steering: pragmatically, "the art of piloting (surfing with) a device such as a laptop or smartphone through cyberspace", or more broadly "the ability to navigate without running into dangers and threats".
