The lost war on information security

8 April 2016, Sala del Perugino

Francesco Ongaro is a security expert and hacker who works for ISGroup, an enterprise working in IT and located in Verona.
“What is security and why have we lost this war?” declared Ongaro.
This is the main question that set off the whole conversation of this panel, which focused on explaining what security is, how we can maintain it, and what its weaknesses are.
Today the Cloud, which is a server, has increased the risk involved in maintaining total security control over our software. More specifically, the Cloud increases the percentage of vulnerability, which in turn affects security.
What are the main features of vulnerability? Without any doubt we can identify them as weak passwords, improper design and unsafe deployment.
“Why is the software so vulnerable?” Like everything else, it is created by human beings, who make mistakes. These mistakes introduce bugs, some of which have a huge impact on data security.
The more complex the software is, the more vulnerable it is. “We should consider it a miracle that the software works with all the bugs generated in it,” said Ongaro.
What saves us from total failure is compartmentation, separation of duties, layered security and defense in depth.
We should try to follow rule #86, which says not to mix trusted data with untrusted data or trusted sources with untrusted sources, as well as rule #471 on good design. The latter is about limiting the visibility of administrative interfaces and compartmentalizing at the lowest level, both horizontally and vertically.
The digital disruption that took place between 1960 and 2016 has already happened and we can’t go back. We’re in the Cloud era and everybody is jumping on the cloud bandwagon.
In this conference Francesco Ongaro gave a specific explanation of the process that led us to where we are now, and also classified the main issues that should be avoided in order to reduce the vulnerability mentioned before.
We’re talking about immaturity, a main feature of startups that invest in marketing, which causes more collateral damage; visibility, which is a huge exposure to getting hacked, even for huge companies; palatability, confidentiality, accountability and privacy; identity management and opacity; and, last but not least, jurisdiction: where is my data? Who is the owner of the data? What does deleting data mean in the cloud?
Data should be protected under the law and be accessible only under a search warrant.
Their job is to try to maintain customer security, and they are trying to face their failures and to improve their capacity to reduce the risk of vulnerability to the minimum.

Noemi Distefano