It is a pleasure to present a collaboration article with Fabrizio Cilli.
As a dedicated cybersecurity enthusiast and pioneer, Fabrizio’s journey has been marked by global experiences, from Rome to the most advanced innovation hubs of North America and Asia, and through historical transformative projects in the Middle East. At Telecom Italia, he played a key role in the early days of Security Operations Centers (SOC), setting the stage for leadership positions that influenced cybersecurity advancements across sectors.
Leading as the Chief Information Security Officer (CISO) at Open Fiber, Fabrizio was pivotal in building a robust cybersecurity framework from scratch, marking achievements like the formation of XIRT (Any Incident Response Team) and striving for ISO 27001 certification. His work extended globally with renowned firms such as Datamat, Accenture, RESI/IPS, and EMC, where he focused on integrating cloud security, managing mergers and acquisitions, conducting due diligence, and safeguarding critical infrastructure.
A passionate advocate for the integration of artificial intelligence in cybersecurity, Fabrizio collaborated with the Italian Digitalization Team (Team Digitale) and co-founded the collective CISOs4AI (together with yours truly) and other great minds, underlining his commitment to harnessing AI for overcoming security challenges. His career is a testament to overcoming challenges, pushing boundaries, and fostering innovation, with a clear mission to cultivate a security-first mindset, drive technological empowerment, and ensure cybersecurity serves as a foundation of trust and resilience in our digital age.
So without further ado…
23andMe, and Us?
It all started from a response letter by 23andMe legal department, after CISO and some other directors had sold their stock options before the incident disclosure.
Facing an onslaught of lawsuits, 23andMe is denying liability for millions of users’ genetic records leaked last fall.In a letter sent to a group of users suing the company obtained by TechCrunch, lawyers representing the biotech company laid out a case that users were to blame for any data that may have been exposed.
It would be fantastic to have oversight and complexity requirements in place. Requiring multiple authentication factors has always been a key tool to prevent breaches from occurring. Companies like Microsoft, Google, Amazon, telecoms, banks, insurers, and healthcare providers all carefully control account access. They do this not just for prevention, but also to demonstrate maximum diligence. This is in a context where co-responsibility between companies and users is inevitable.
And if the responsibility of the external user is passed on as a “charter of rights and duties” (perhaps in terms and conditions between company and user), should we then consider that in a company, if it is discovered that a breach originated from a weak password (one of those in the annual most common lists) of an employee user, the latter falls into a scope of “bad faith” such as to stimulate an investigation for administrative liability?
I mean, how much can responsibility be shifted to the user, given current standards for verifying the suitability of access control and administration measures (even more so for administrative accesses)?
Let’s talk about it, but if I think about Uber and SolarWinds, and then focus on 23andMe, and all the hospital ransomwares lately…I get a headache.
So if at the italian occurrence of attack to ASL1 L’Aquila, we understand that “it all started from a user with a weak password” or in the attack to MediBank Australia, a “user” propagated the attack, do we charge the 5 billion AUS Dollars to them and just move on? 👀😅
Such cases and similar situations, which we all know too well (and some scenarios we have experienced together, with some fellow CISO), where a user just leaves the doors open, what happens to these? Do we chase/investigate our own users? Could they be held responsible for the resulting damage? And on what rule and norm?
I want to clarify: full and robust user responsibility would be a breath of fresh air for most colleagues with millions users, but does this possibility even exist in current practice, that you are aware of? 👀
It is clear that the user who allows an attacker to use a “native” function is not ideal, but every low and slow attack and every APT we fight stems from the fact that we consider the user (I’m getting close to zero “user” trust theory) as potentially malicious or compromised.
So if a Sino-Russian-North Korean or Italo American criminal, with fake documents enters, and with that function manages to view data from thousands of other people, would we not notice? Is the system designed to prevent repeated abuse? Would GDPR minimization, applied to this processing, have required that it not be possible for example to “accumulate” sensitive data like this, but maybe only view genetic closeness, and then request direct contact? How did they design the registry at 23andMe?
When I say data is the lifeblood of a company I mean it seriously. If the lifeblood becomes poisoned, or too much comes out, the plant dies. 🌵🏜️
And then the dilemma: if one of “our” internal users blatantly violates a policy, procedure, and playbook, and leaves admin admin, while doing the ceremonial of an HSM, and we basically lose all our secrets?
Are we (the company) or is the user (colleague) administratively responsible? (And here the insurance systems on AdS come into play…)
It is certainly a good debate.
But in the end I believe there are various safe passes, both for users and colleagues, when it comes to access and management of technologies and privileges imposed on them.
The “good family man” remains the company, the multitude of individuals who manage the systems are its own, with its procedures and internal and external regulations. It is not a 1-to-1 relationship with the user, it is a many-to-1 or many-to-many relationship.
The Regulations we advertise, and for which we request flags, signatures etc., exist precisely to ensure they are not violated, due to boredom and lack of reading or reconciliation.
The Countermeasures we implement guarantee controls, and verify that the healthy behaviors we ask to assume are assumed, by those who use our systems and services, preventing them from circumventing them to facilitate the user experience.
Of course it is true that if we do not solve the problem of “passwords”, it is like having a low cipher forced by incompatibility, and not being able to apply a patch for life…
Perhaps this is what Sam Altman is aiming for with his WorldCoin startup: the full and unequivocal recognizability of the user… Will he make it?
And how will 23andMe end up?
There is very much at stake and an ongoing court case, that didn’t really start on the best terms.
Now, I don’t mean to make light of this situation, but the reality is that: Cybersecurity maturity needs to be embedded in a company’s very DNA. It requires integration, communication, and transparency primarily between the business itself and its clients.
Or it won’t work. In a fully digital world, you need fully digital cyber protection. Your business doesn’t sleep, crooks do not sleep, your clients are cycling around the world and guess what? They are not sleeping at the moment.
If it was enough to have “security” across the company, and “secure by design” software, today it’s about having a “secure by design company” and “software security” in place.
Word games? No, it’s the real deal.
You can get wiped out from the market.
And now the bombshell that will make you think: in such a scenario, even your competition can harm your core business by means of criminal hackers.
Resilience, and security by design with zero-trust: it’s worth it.
Recent Comments