The real Achilles heel of IT security (by Marco Strano, 2022), Study Center for Legality, Security and Justice


Report to the National Congress of AICA, Reggio Calabria, 27 October 2022.

My name is Marco Strano. I have been a psychologist and manager of the State Police since 2020, and I am currently Senior Consultant to a police department in southern California. I worked full time on cyber criminology and cyber security from 1995 to 2005; in particular, from 2001 to 2005 I directed the UACI (the computer crime analysis unit) of the Postal and Communications Police. Later I continued to work on cybercrime as a corporate consultant, both in Italy and abroad, and I continued to do research, especially in the corporate field.

Although IT security activity has evolved considerably in recent years, both in quality and in quantity, this has in some ways not helped to limit the risks. The reason is quite simple: in recent years the activities of companies, the management of public affairs and, in general, the lives of individuals that are entrusted to IT systems have increased exponentially.

Internet access, the use of smartphones and computers and, in general, the procedures entrusted to digital technologies have grown dramatically in the last 20 years, so it is clear that the risks of IT crime have grown too.

The transition from physical and documentary identity to digital identity, for the performance of fundamental activities in the life of the individual and in the procedures of organizations, is also being achieved progressively, and this obviously creates more opportunities for computer offenses.

We do not have reliable statistical data on the real number of IT attacks against individuals and public and private organizations. Only a fraction of these offenses is reported (organizations almost never want to make their vulnerability public), and victims often do not realize that they have been attacked.

The area of cybercrime for which the most reliable data are available is that of scams and fraud, where the total volume seems to have increased considerably in recent years.

In my opinion the human factor is still the cardinal element of IT security, and its study must therefore go hand in hand with the development of technologies and security procedures.

The primary element of the human factor in cyber security is obviously what is technically called “risk perception”. How strongly risk is perceived determines whether the user of computer technologies adopts safe or less than safe behavior, both within organizations and at the level of the individual user.

The perception of the risk of an IT attack is something that specially trained psychologists can measure with the analytical tools typical of their profession (tests, interviews, observation, etc.). In other risk contexts, for example workplace safety on construction sites, research or prevention activities based on risk perception are routinely conducted.

As regards the risks in IT security, however, where the risk is obviously that of suffering damage from an illicit act, assessments of risk perception in users and organizations are unfortunately still a marginal activity in security programs.

The sector that has historically been furthest ahead is probably banking, which has the security factor deeply rooted in its organizational culture and in its business culture.

Another sector that is historically more advanced than the others is the military, where the internal compartmentalization of information (to prevent insider attacks), achieved through specific training and effective security procedures that also govern the internal flow of information between components of the organization, has always been strongly rooted in its culture.

Other corporate sectors, by contrast, still seem to lag behind when it comes to the human factor in cyber security.

Organizations that want to adopt effective countermeasures against illicit acts in digital contexts must therefore not only implement what are technically called “perimeter defenses”, that is, technologies that prevent someone outside the organization from getting into its electronic systems (what we all know as hacking), but must at the same time improve the security culture (security awareness) of the people who operate within the organization and, of course, its security procedures, taking as an example those public and private sectors that are ahead of the others (the military and banking sectors).

Cybercrime and investigations

On the investigative side, the specialization of investigative departments or magistrates will become more and more anachronistic. Within a certain number of years the Postal and Communications Police will probably no longer exist, nor will the electronic crimes sections of the Carabinieri and the Guardia di Finanza, because every form of crime will have a digital, computer-related component, so that all police forces, down to the most remote Carabinieri station or the most “peripheral” police station, will necessarily have to be able to deal with offenses that have something to do with digital technologies. The world will become so digital in the coming years that it will be impossible to reason by separating real worlds from virtual worlds. We will find ourselves facing a single world with real components and strongly interconnected virtual components.

Criminal profiling and cybercrime

The typical criminal profile of those who carry out computer attacks has changed in recent years. Knowing the profile of those who carry out the attacks is, in my opinion, essential to organizing effective countermeasures. Only by knowing the behavior and profile of those who may attack you is it possible to organize truly effective defenses.

In the field of cybercrime, attackers normally fall into two macro categories: outsiders and insiders, that is, those who attack an organization or a single individual from the outside (the famous hackers) and those who attack from the inside, because they are members of the organization or people who live close to the individual who is attacked.

In profiling, another important classification concerns the level of criminal competence of the attacker, and here too there are normally two macro categories: professionals (experts) and amateurs, who have limited skills but can still cause damage.

So the profile that can be drawn of a cybercriminal is primarily one that considers the role with respect to the organization (internal/external) and the level of techno-criminal competence. Within these macro categories there are, of course, infinite shades.

As for the personality profile of the attacker, we are currently conducting field research (in US university cities) that, using semi-structured interviews with young hackers, is trying to outline the profile of these young criminals.

Vulnerability profile of the victim

Another type of profile that can be drawn in the field of cybersecurity concerns the likelihood that a single individual or an organization will be attacked, that is, an assessment of potential risk. This kind of profile normally considers the two classic variables, the vulnerability of the target and the attractiveness (palatability) of the target, but an evaluation based only on these two elements may obviously seem trivial, so other analysis factors are used to outline the trend of risk over time.

Over the years my research team has developed predictive analytical models that can evaluate the levels of risk of cybercrime victimization for an organization and for a single individual.

For many years, specialized companies have verified the security of an organization by carrying out a vulnerability assessment, which is used to identify risk situations. Normally, several companies specializing in different risk areas take part in these checks, but they often do not communicate with each other. The approach designed by the writer, initially during his service with the Postal and Communications Police and then implemented in the civil sector through a research group, instead suggests an integrated approach in which a single (coordinated) group of consultants analyzes all the critical areas of an organization at the same time. An integrated vulnerability assessment is thus able to evaluate simultaneously the risk of physical, computer and psychological intrusion into the organization by hostile external subjects or insiders.

The research protocol we adopted to develop our IVRA (Integrated Vulnerability Risk Assessment) starts from a sample of companies/organizations and individuals, analyzing the situations in which attacks did or did not succeed and the organizational, technological and psychological characteristics of the victim. The elements of attractiveness and vulnerability that are compatible with the success of an illicit action clearly emerge from this kind of analysis.

Our IVRA was presented for the first time (in beta version) at the 2014 edition of Bakutel, the prestigious information technology convention held every year in Azerbaijan, and consists of different operational tools for evaluating and preventing the risk of IT attacks on public and private organizations and on individuals. After more than 8 years of experimentation and field experience, this method of analysis (IVRA) has matured and is now available to public and private organizations. The cost of the instrument is also very low and administration times are very short (about five days per 100 people). The intervention protocol provides for an initial measurement/evaluation phase and a subsequent phase in which the vulnerabilities are corrected.

The CSLSG, the Study Center I preside over, is one of the oldest in Italy (founded in 1999). It continues to carry out research on IT security, especially in relation to the corporate world, and is available for any kind of in-depth study of the human factor in the IT security of individuals and organizations.
