Risks of hacking attacks: Ransomware – Cryptolocker and tutorials for Italian SMEs in the light of the Network and Information Security (NIS) Directive.

Pierluigi Paganini July 06, 2017

As Minister Pier Carlo Padoan had anticipated, the Taormina G7 would have to face, inter alia, the overwhelming problem of Web security and the protection of sensitive data.

The issue is all the more urgent in the light of the cyber attacks on the computer systems of some key service providers in several EU Member States and in the UK, including the National Health Service (a public body) and Renault in France (a private body), which had the effect of completely blocking both of these organizations, and not only them.

These attacks were in fact carried out on a large scale and involved hundreds of computer systems across Europe. Ransomware, the type of malware used by the hackers in this case, has already been used on several occasions and is spreading so rapidly that, as early as 2017, it may become as serious a problem as DDoS (Distributed Denial of Service) attacks (source: David Gubiani, Check Point Security Engineering Manager).

Outside the Community framework too, the UN Security Council has dealt with this issue in Resolution 2341/2017, in which United Nations Member States are encouraged to coordinate with one another by exchanging their knowledge of attacks perpetrated via the Web.

On this point, it is interesting to note that Jürgen Stock (Head of Interpol) has complained of a structural disconnection that currently exists between the United Nations Member States.

And as Professor Pierluigi Paganini, Chief Technologist of CyberSec Enterprise, said in his talk “From the Wannacry case to the NIS Directive, critical infrastructures are still too vulnerable”: “While in Europe there is a debate about the need to calibrate critical infrastructures and to adopt security measures that will make them resilient to cyber attacks, such events demonstrate how vulnerable network infrastructure is, exposed even to small-scale threats.

Think of the potential large-scale impact of a ransomware such as WannaCry that exploits a zero-day flaw, which is not known at the time of the attack and is therefore extremely dangerous.”

In the debate on Resolution 2341/2017, of particular interest is the point at which it was shown that the key to cyber attack prevention lies in cooperation between the public and private sectors; it was therefore hoped that a Memorandum of Understanding would be established between the Member States on the sharing of the information acquired.

It is apparent ictu oculi (at first glance) that, both in the NIS Directive at Community level and in UN Security Council Resolution 2341/2017, the wording “wishes cooperation between the Member States” stresses how information exchange can prove crucial in limiting cyber attacks, providing effective prevention and, consequently, limiting the related harm to IT systems.

The particularly alarming aspect, however, is that for such attacks the hackers used a ransomware called “WannaCry”, a virus that, like Cryptolocker, was created by scammers with high-level knowledge of computer programming.

Scammers can infiltrate a PC in a variety of ways, for example through the attachment of an infected e-mail or through the browser, when a website is infected with this kind of malware. The word ransomware refers to the ransom that must be paid to remove the lock and regain access to the PC (source: Avast); in practice it is real extortion carried out through the computer system. It is therefore evident that those who give in to the extortionists’ demands run the consequent risk of feeding a funding channel for hidden criminal organizations and terrorist organizations (Europol sources).

However, as Gabriele Faggioli (Legal, CEO of Partners4innovation) said, 2016, with the NIS Directive of the European Parliament and Council of July 6, will be remembered as the year that marks the course of the coming decades on the issue of computer security.

The future of this issue in Europe essentially rests on the rules of a large EU reform package, which has been in force, and in part already applicable, since this year: Regulation no. 679/2016, the General Data Protection Regulation (RGPD). This legislation, which entered into force on 24 May and applies from 24 May 2018, replaces Directive 95/46/EC. There is, moreover, Directive no. 1148/2016, the Network and Information Security Directive (NIS Directive), which entered into force on 8 August, laying down measures for a common high level of security of network and information systems across the Union.

The text of the Directive states that Member States shall ensure that public administrations and market operators take appropriate technical and organizational measures to manage the security risks of the networks and information systems they control and use in their operations.

Having regard to the state of the art, these measures must ensure a level of security appropriate to the actual risk involved.

In particular, measures should be taken to prevent and minimize the impact of incidents affecting their network and information systems on the essential services they provide and, therefore, to ensure the continuity of the services supported by those networks and information systems.

The Legislator has undertaken to ensure that the contents of these provisions are effective, work in practice, and last for at least a generation. The provisions are dense with technical and IT references and address the challenges posed by new technologies in data protection and in system and network security.

As Antonello Salerno said, “The future of cybersecurity in Italy could be decided on two key aspects: the role of the PA as an example and a spur for the private sector, and the training of excellent skills that remain in the country.” Adequate investment to protect critical infrastructures is, of course, also needed. To reach this goal, the implementation of the European Network and Information Security Directive will be important.

While, from a formal point of view, the NIS Directive, adopted in July, has yet to be transposed (the deadline for transposition is May 2018), Italy has already substantially aligned itself with many of the requirements of the new Community legislation and can now focus on the details to make its strategy more effective.

The cornerstones are those of the Decree of the President of the Council of Ministers of 24 January 2013, which contains a first model of cybersecurity governance and identifies the DIS (Department of Security Information) and the CISR (Interministerial Security Committee of the Republic) as the main coordinating bodies.

Under the NIS Directive, the operators of essential services will need to be identified. The legislator could limit the obligation to notify attacks to large national players only, leaving out the majority of the Italian business fabric (mainly made up of SMEs), or, as would be desirable, extend this obligation also to relatively small actors, such as many municipal or local companies, which nevertheless serve large user bases and whose contribution on a national scale could be extremely significant.

The specific way these resources are allocated will be decisive for the effectiveness of Italian action on computer security. “The opportunity – emphasizes Andrea Rigoni (cybersecurity expert and partner of Intellium, strategic consultancy for NATO, governments and large infrastructures) – is that, with the adoption of the NIS Directive, we get back to the plan and it is decided to allocate funding for network security more clearly and promptly.”

Particularly interesting will be the role of the Public Administration which, as has happened on other occasions in the past, starting with electronic invoicing, can drive a changeover in the private sector thanks to compliance mechanisms. On the one hand, the public sector has to make its own infrastructures and management systems compliant with international standards that the Government is required to identify and detail; on the other, it may require the same security standards of companies wishing to work with the Public Administration, thus triggering a virtuous circle that draws in the private sector through the certification of the PA supply chain.

The risk for companies operating in any economic sector is high, as evidenced by the outcome of a study that Prof. Pierluigi Paganini calls “surprising”: only 3 threats have been designed with the intent of striking critical industrial systems and infrastructures – Stuxnet, Havex and BlackEnergy2. That data, Paganini continues, “confirms that industrial systems today continue to be most exposed to generic threats, an alarming figure if we think that an attack designed to hit these systems could have disastrous effects.

Stuxnet first, and the latest attacks in Ukraine with the BlackEnergy malware, have demonstrated the effectiveness of malware in an offensive against an industrial system in a critical infrastructure.”

Beyond what has just been reported, additional business risks appear to derive from the use of devices such as smartphones and tablets. Many companies, both public and private, provide such devices to their employees. With a 394% increase in smartphone use and a 1700% increase in tablet use over the past four years, it is no wonder that mobile attacks are steadily increasing. According to the Check Point Security Report 2016, one employee in five will be the author of a breach of his company’s data via mobile malware or malicious Wi-Fi, both highly effective attack vectors against mobile devices.

As this trend steadily grows, Check Point points out that mobile-related business breaches are becoming an increasingly significant problem for company security, since these devices are particularly vulnerable, not least because the antivirus they use is often not updated frequently.

Recent attacks on the phones of some journalists show that such attack techniques are “in the wild” and that we should increasingly expect to see criminal gangs using them. Mobile security, however, remains a challenge for businesses, a push-pull between productivity, privacy and protection.

In 2017, organizations should take into account the spread of cyber attacks through the “Industrial Internet of Things”, not only via smartphones and corporate tablets but also, for example, via printers or other types of devices.

The convergence between IT and Operational Technology (OT) is making both environments more vulnerable; it will therefore be necessary to extend physical control systems and physical security into the logical space and to implement threat prevention solutions in both IT and OT environments. Critical infrastructures, including nuclear power plants and electricity and telecommunications networks, remain highly vulnerable to possible cyber attacks. Almost all such infrastructures were designed and built before the threat of cyber attacks existed, and for this reason even the simplest computer security principles have in most cases not been taken into account in their design.

In this regard, what emerges from the cited work of Prof. Pierluigi Paganini is both interesting and worrying; drawing on research by the US ICS-CERT, it states that: “… the energy sector is one of the most sought after, as confirmed by the many attacks that have been observed over recent months by groups of criminals and nation-state actors. According to a recent analysis released by IBM Managed Security Services, the number of attacks against industrial systems has increased by 110% compared to last year. IBM experts observed a significant increase in brute-force attacks against SCADA systems. … The US leads the ranking of the five nations most affected by the attacks, which is not surprising if we consider the large number of ICS systems in the United States.”

It was only at the beginning of 2016 that the first intentional blackout was caused by a computer attack.

Critical Infrastructure Security Officers must, therefore, be prepared for their networks and systems to be systematically attacked by different actors: other States, terrorists and organized crime.

Check Point’s Security Report 2016 revealed that the volume of unknown malware attacking organizations is nearly 10,000, with about 12 million new malware variants identified each month.

In the Security Report it is stated that: “These technologies are in fact part of our business and cybercriminals have consequently innovated their hacking techniques.”

“Hackers have become smarter when it comes to malware and ransomware, releasing new variations every minute.”

“The era of signature-based antivirus for detecting malware is far behind us.”

“With these predictions, companies can develop their IT security plans to keep them one step ahead of emerging threats by preventing attacks before they can cause damage.”

To ensure convergent implementation of Article 14, EU Member States shall encourage the use of standards and/or technical specifications for network and information security.

Precisely in order to counter the risks of attacks on computer systems, as already stressed, 2016 will be remembered not only for the NIS Directive but also for privacy legislation.

Member States’ legislation identifies the competent authorities both for the protection of sensitive data and for the Computer Security Incident Response Team (CSIRT); since many incidents compromise personal data, the NIS Directive also provides that the competent authority should operate in close cooperation with the data protection authorities in cases of incidents involving personal data breaches.

The two sets of rules cannot be confused, however, as they regulate the activities of distinct subjects. The NIS Directive is intended to apply only to providers of essential services and Internet service providers, while the privacy and data protection rules also apply to individuals.

The rules in question may nevertheless overlap where a computer incident also involves a personal data breach. In that case, the affected parties will have to report the incident under both instruments: they must make both the incident notification required by the NIS Directive and the personal data breach notification provided for by the RGPD.

The hope is that, in the course of transposing both instruments into our legal order, the authorities responsible for overseeing and managing cyber attacks and for the protection of personal data will draw up guidelines that can help businesses cope with security incidents, so as to ensure compliance with both sets of rules.

Given that the NIS Directive applies only to “macro categories”, i.e. to operators of essential services (energy, transport, banking, health, etc.), while Regulation no. 679/2016 applies to all companies, it should be noted that the business fabric on Italian territory is predominantly made up of SMEs, which as such cannot benefit from the protection provided by the NIS Directive. It would therefore be desirable, in addition to a convergence of the rules just cited, to create within the various trade associations (such as Confindustria, Confagricoltori and Confartigianato) structures capable of receiving reports of any incidents that have affected their members and then, in turn, passing them on to the CSIRT.

The body set up within each trade association should essentially mirror the structure of the CSIRTs as set out in the NIS Directive, taking on a dual function: first, protecting small and medium-sized enterprises from potential cyber attacks that could harm or even halt production by compromising the information and sensitive data held on the companies’ own servers; and second, assessing the reliability of member companies, thereby developing a sort of “computer reliability rating” based both on the prevention of computer incidents and, conversely, on the assurance of a high level of protection of sensitive data.

Any user of the services provided by the entities concerned should be able to know whether the company it is dealing with is substantially reliable from a computer security standpoint, and how sensitive data is held on that company’s servers. Think, for example, of a clinic and a patient suffering from a disease which, if disclosed, could severely damage the patient’s reputation. Or of a large company wishing to engage another company as part of its supply chain: it is evident that awareness of the reliability of the computer systems used is useful.

To make the arrangement described fully operational, the “mini CSIRT” or “category CSIRT” within each trade association would need to be linked to the national CSIRT, which in turn is connected to the CSIRT network at Community level.

Furthermore, in a top-down view, a category CSIRT that becomes aware of an incident affecting one of its members must report the incident not only to the national CSIRT but also to the other members of the association, while avoiding, where possible, disclosing the name of the affected member, for reasons of company reputation.

Companies will also have to draw up a two-year plan to prevent computer attacks and protect the sensitive data held on their servers.

Consequently, every two years the category CSIRT will draw up a list of member companies, giving a rating of their reliability based on the level of prevention of computer incidents they have achieved. This will contribute greatly to protecting the members of the association, improving prevention against cyber attacks and supporting action in the event of an attack that has been suffered.

Such a system, which moreover reflects the duty of cooperation enshrined at both the global and the Community level, can guarantee public companies, private individuals and users of the services produced increasingly secure computer systems and the capacity to deal with hacker attacks, without abandoning victims and their users to their fate with no specific points of reference.

I conclude by adopting the conclusions of Prof. Pierluigi Paganini in his talk “From the Wannacry case to the NIS Directive, critical infrastructures are still too vulnerable”, in which it was expressly stated that: “… recalling that the security of our infrastructures also depends on the posture of the citizens. We need to learn about computer threats and how to defend ourselves from them. We are the nodes of a global network with which we exchange a huge amount of information; filtering or configuration errors in the systems we use every day could lead to risk situations for the entire community.”

WannaCrypt ransomware

And I would add that, as with countering the offences committed by minors on the Internet, education and prevention are the most important aspect. One has to accept once and for all the perspective in which no small or large player in the world (natural and/or legal persons) can feel immune to attacks, and therefore all have to be cyber protectors, never underestimating the risk and its consequences. We must also educate ourselves to the fact that what happens in the virtual world has increasingly serious repercussions on the real world and on the fate of the cyber attack victim.

Author: Attorney Marco Mariscoli

Pierluigi Paganini 

(Security Affairs – ransomware , cybercrime)
