Brewing Cybersecurity Insights

Author: CyberSec_Cafe (Page 4 of 4)

Unraveling the Chat GPT Block in Italy

Geopolitics, AI Regulation, Inconsistencies, and Constitutionality

Photo by Andrew Neel

On Friday, March 31st, the Italian Data Protection Authority (Garante della Privacy) announced the temporary restriction of Italian users’ data processing by OpenAI, resulting in the blocking of Chat GPT access for Italian users later that evening. Many people in Italy woke up on April 1st to find Chat GPT not working and, given the date, mistakenly assumed it was an elaborate April Fool’s Day prank. The situation is more complex than that. Here are some key insights: 

  1. Geopolitical implications: The EU is working on comprehensive AI regulation, including the Artificial Intelligence Act, which aims to create a legal framework for AI in Europe. However, Europe and the US have been slow to regulate AI. There is a deeper reason for that: as I mentioned in this LinkedIn post, EU and US regulations will not deter China and Russia, who could use AI advancements as a competitive advantage. The ongoing US-China tech rivalry and concerns over AI’s potential dual-use capabilities for military and civilian purposes may influence global AI regulation. So why should the US and the EU slow down and allow their competitors to gain an advantage? This Politico article provides an interesting perspective on the issue.
  2. Post-Brexit European dynamics: With Germany and France as the main European powers, Italy aims to assert itself as the third power, influencing the balance when Germany and France disagree. 
  3. Italy’s move to restrict OpenAI could be an attempt to establish itself as a key player on the European and global political chessboard: by positioning itself as a precursor to broader EU regulations, it could influence the direction of the upcoming policies and project soft power in the technology domain, showcasing its ability to take decisive action and shape the global AI landscape.
  4. Timing is always a factor: earlier last week, Elon Musk asked to pause AI development in order to regulate it. Musk, one of the original founders of OpenAI, left the organization in 2018. Microsoft has since invested $10 billion in OpenAI and, while not its direct owner, its influence is significant. This may be a factor in Musk’s call to stop AI research, as I discussed in this LinkedIn post.
  5. Another relevant point is that no other Data Protection Authority took action, which led to complaints, considering that the GDPR has a broader scope than just Italy. The event highlights the importance of international collaboration in data protection and AI regulation to avoid fragmentation and inconsistencies. Establishing global norms and standards for AI technologies can foster responsible development and deployment across countries.
  6. The block is akin to blocking the wind with your hands: users can still access Chat GPT via VPNs (such as NordVPN, which currently offers a 40% discount on its plans), as I mentioned in this LinkedIn post, or through alternative means: Bing provides access to Chat GPT, and Microsoft manages GDPR requirements properly. Additionally, some creative minds have developed PizzaGPT, using the original Chat GPT APIs.
  7. One of the Garante’s concerns was the protection of minors. However, it is unclear why the same level of scrutiny is not applied to platforms like TikTok and WhatsApp. 
  8. Another point to consider is the potential violation of the ‘right of information,’ as stated in Article 21 of the Italian Constitution. By blocking Chat GPT, the Garante could be infringing upon this fundamental right, as it restricts citizens’ access to a tool that can provide valuable information and insights. It raises the question of whether the Garante’s decision may be overstepping its mandate and interfering with citizens’ constitutional rights.

In conclusion, the situation surrounding Chat GPT in Italy is multifaceted, involving geopolitical dynamics, European power struggles, and questions around the consistency of data protection measures. It’s crucial to consider all these factors when examining this event and its implications for data protection, AI regulation and international relations.

Why MFA as you know it is not enough in 2023

Due to the overwhelming response and engagement on my recent LinkedIn article about MFA, I’ve decided to reprise it here for completeness.

As online threats continue to evolve, it’s more important than ever to protect your accounts with multi-factor authentication (MFA). But not all methods are the same.

Traditional MFA methods like SMS codes are no longer secure enough to prevent sophisticated attacks. Even advanced MFA methods like push notifications have their own drawbacks. So, what’s the best way to defend yourself against online threats? According to the National Cyber Security Centre (NCSC), Fido2 keys have been shown to be a secure and convenient MFA option. Nice to know that they share my view 😊

Why MFA is necessary: In today’s digital world, passwords alone are not enough to secure online accounts. With data breaches and hacking attempts on the rise, it’s essential to add an extra layer of protection to your accounts. MFA does just that by requiring users to provide multiple forms of authentication to access their accounts. By combining something you know (like a password) with something you have (like a physical key or token) or something you are (like a fingerprint), MFA makes it much harder for attackers to gain access to your accounts.

Traditional MFA methods such as SMS codes are no longer secure. While SMS-based MFA has been a popular choice in the past, it’s no longer considered a secure option. The U.S. National Institute of Standards and Technology (NIST) removed SMS-based MFA from its list of recommended authentication methods in 2021 due to its vulnerabilities. According to cybersecurity expert Brian Krebs, “SMS-based 2FA [two-factor authentication] is not only less secure than other forms of 2FA, it’s not really 2FA at all.”

Even advanced MFA methods such as push notifications have problems. Push-based MFA has become more popular in recent years, but it still has its own limitations. According to the European Union Agency for Cybersecurity (ENISA), push-based MFA can be vulnerable to man-in-the-middle attacks (an attacker intercepts the communication between the two parties) and to MFA bombing (attackers repeatedly trigger second-factor prompts to the victim in the hope that one is eventually approved), and it may not provide sufficient protection against social engineering tactics. ENISA recommends that users consider using hardware tokens or biometric authentication instead.
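The MFA bombing problem above is one that a defender can at least detect from the authentication logs. The following Go program is an added example written for this page (it is not code from the original article, ENISA or any identity provider): it parses a constructed push-prompt log, flags any user whose prompt count inside a sliding window reaches a threshold, and separately marks the dangerous case where the burst ended in an approval, which is the signal to revoke the session and reset the factor. The log line format, the field names `user=`/`push=`, and the 10-minute / 5-prompt thresholds are assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// PushEvent is one second-factor push prompt delivered to a user and its outcome.
type PushEvent struct {
	When   time.Time
	User   string
	Result string // "denied" (rejected or timed out) or "approved"
}

// Finding reports a user whose prompt rate crossed the flood threshold.
type Finding struct {
	User          string
	Prompts       int       // prompts inside the window when the threshold was hit
	ApprovedAfter bool      // an approval followed within the window: likely a worn-down user
	At            time.Time // time of that approval, or of the prompt that hit the threshold
}

// Detector holds the rule's two tunables.
type Detector struct {
	Window    time.Duration
	Threshold int
}

// ParsePushLog reads lines of the constructed form
//
//	<RFC3339 time> user=<name> push=<approved|denied>
//
// The format is an assumption for this example, not any real IdP's log schema.
func ParsePushLog(lines []string) ([]PushEvent, error) {
	var events []PushEvent
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		if len(fields) != 3 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		when, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		user := strings.TrimPrefix(fields[1], "user=")
		result := strings.TrimPrefix(fields[2], "push=")
		if user == fields[1] || (result != "approved" && result != "denied") {
			return nil, fmt.Errorf("unexpected fields in %q", line)
		}
		events = append(events, PushEvent{When: when, User: user, Result: result})
	}
	return events, nil
}

// Detect reports each user at most once: at the first prompt that brings the count
// inside Window up to Threshold. It then checks whether an approval followed within
// Window, the case that warrants immediate session revocation and a factor reset.
func (d Detector) Detect(events []PushEvent) []Finding {
	byUser := map[string][]PushEvent{}
	for _, ev := range events {
		byUser[ev.User] = append(byUser[ev.User], ev)
	}
	var findings []Finding
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		start := 0
		for i, ev := range evs {
			for evs[start].When.Before(ev.When.Add(-d.Window)) {
				start++ // drop prompts that fell out of the sliding window
			}
			if i-start+1 < d.Threshold {
				continue
			}
			f := Finding{User: user, Prompts: i - start + 1, At: ev.When}
			for _, later := range evs[i:] {
				if later.Result == "approved" && !later.When.After(ev.When.Add(d.Window)) {
					f.ApprovedAfter, f.At = true, later.When
					break
				}
			}
			findings = append(findings, f)
			break
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].User < findings[j].User })
	return findings
}

// SampleLog is constructed: alice denies two prompts an hour apart (normal noise);
// bob receives five prompts in about two minutes and approves the sixth.
var SampleLog = []string{
	"2023-03-20T08:00:00Z user=alice push=denied",
	"2023-03-20T09:02:00Z user=alice push=denied",
	"2023-03-20T22:10:00Z user=bob push=denied",
	"2023-03-20T22:10:30Z user=bob push=denied",
	"2023-03-20T22:11:00Z user=bob push=denied",
	"2023-03-20T22:11:40Z user=bob push=denied",
	"2023-03-20T22:12:10Z user=bob push=denied",
	"2023-03-20T22:13:00Z user=bob push=approved",
}

// RunSample parses SampleLog and applies a 10-minute / 5-prompt rule.
func RunSample() ([]Finding, error) {
	events, err := ParsePushLog(SampleLog)
	if err != nil {
		return nil, err
	}
	return Detector{Window: 10 * time.Minute, Threshold: 5}.Detect(events), nil
}

func main() {
	findings, err := RunSample()
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("user=%s prompts=%d approved_after_flood=%v at=%s\n",
			f.User, f.Prompts, f.ApprovedAfter, f.At.Format(time.RFC3339))
	}
}
```

On the sample, only bob is reported, with five prompts in the window and `approved_after_flood=true`; alice's two spaced-out denials never reach the threshold. The rule is deliberately per user and time-windowed so that an occasional mis-tap does not page anyone, while a burst that ends in an approval does.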

So, back to Fido2: why is it more secure? Fido2 cryptographic login credentials are unique across every website, never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, password theft and replay attacks. According to the World Economic Forum, FIDO-based authentication solutions provide greater protection against phishing and man-in-the-middle attacks (nice to know that they also share my view 😊). Google uses it and has reported that it has not had a single confirmed account takeover since it started requiring its employees to use Fido2 keys in 2017.
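To make the "unique per website, never leaves the device, never stored on a server" properties concrete, here is an added Go model of a FIDO2 login, written for this page and not taken from Google, the NCSC, OpenAI or any WebAuthn library. It uses real P-256 ECDSA from Go's standard library but simplifies the WebAuthn ceremony: the browser step, the authenticator-data layout, the relying party example.com, the look-alike domain examp1e.com and the user alice are all assumptions. It shows why a phishing page on another domain cannot obtain a usable signature and why a captured assertion cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// clientData mirrors the WebAuthn clientDataJSON fields that matter for this model.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the login response; AuthData is rpIdHash(32) || flags(1) || counter(4).
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// Authenticator models a security key: one P-256 private key per relying-party ID that is
// never exported. It is a simplified model for this example, not a CTAP implementation.
type Authenticator map[string]*ecdsa.PrivateKey

// BrowserGet models navigator.credentials.get(): the browser, not the page, writes the
// origin into clientData and refuses an rpID that is neither the page's host nor a parent
// domain of it, so a look-alike domain cannot obtain a signature for the real site.
func (a Authenticator) BrowserGet(pageOrigin, rpID, challenge string) (Assertion, error) {
	host := strings.TrimPrefix(pageOrigin, "https://")
	if host == pageOrigin || (host != rpID && !strings.HasSuffix(host, "."+rpID)) {
		return Assertion{}, fmt.Errorf("browser: rpID %q is not valid for origin %s", rpID, pageOrigin)
	}
	priv, ok := a[rpID]
	if !ok {
		return Assertion{}, fmt.Errorf("authenticator: no credential for %q", rpID)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter = 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	return Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// signedDigest is what the key signs: SHA-256 over authData || SHA-256(clientDataJSON).
func signedDigest(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// RelyingParty is the website's server. It stores public keys only, so a breach of it
// leaks nothing that lets an attacker log in, and it accepts each challenge exactly once.
type RelyingParty struct {
	ID, Origin string
	pubkeys    map[string]*ecdsa.PublicKey
	challenges map[string]bool
}

// NewChallenge issues a fresh random challenge that Verify consumes on first use.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	c := fmt.Sprintf("%x", b)
	rp.challenges[c] = true
	return c
}

// Verify runs the relying-party checks that make FIDO2 phishing- and replay-resistant.
func (rp *RelyingParty) Verify(user string, a Assertion) error {
	pub, ok := rp.pubkeys[user]
	var cd clientData
	if !ok || json.Unmarshal(a.ClientDataJSON, &cd) != nil {
		return fmt.Errorf("unknown user or malformed clientData")
	}
	if cd.Type != "webauthn.get" || !rp.challenges[cd.Challenge] {
		return fmt.Errorf("unknown or already used challenge (replay)")
	}
	delete(rp.challenges, cd.Challenge)
	want := sha256.Sum256([]byte(rp.ID))
	if cd.Origin != rp.Origin || len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("assertion is bound to origin %s, not to us (phishing?)", cd.Origin)
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Scenarios returns the outcome of a legitimate login, a replay of that same assertion,
// and a phishing page on a look-alike domain that relays a fresh, valid challenge.
func Scenarios() map[string]error {
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com",
		pubkeys: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the RNG does
	key := Authenticator{rp.ID: priv}     // the private half stays on the key
	rp.pubkeys["alice"] = &priv.PublicKey // the server enrolls the public half only
	out := map[string]error{}
	a, _ := key.BrowserGet("https://example.com", rp.ID, rp.NewChallenge())
	out["legit"] = rp.Verify("alice", a)
	out["replay"] = rp.Verify("alice", a)
	_, out["phish"] = key.BrowserGet("https://examp1e.com", rp.ID, rp.NewChallenge())
	return out
}
```

`Scenarios()` yields a nil error for the legitimate login and non-nil errors for the other two: the replay fails because the challenge was consumed on first use, and the phishing relay never gets a signature at all because the browser binds the assertion to the page's real origin. Contrast that with an SMS or push code, which is the same short string whichever site the user types or taps it into.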

In conclusion, the importance of using strong MFA to protect your online accounts cannot be overstated. Traditional MFA methods like SMS codes are no longer secure, and even advanced methods like push notifications have their own limitations. Use the strongest method you can. By using an MFA method such as Fido2 keys, you can significantly reduce the risk of your accounts being compromised. Don’t wait until it’s too late – take action now to improve your online security with MFA.

Disclaimer: I do not have any financial or professional interest in promoting FIDO 2 technology or any specific security solution. My views on the importance of MFA and the vulnerabilities of traditional authentication methods are based on my professional experience in cybersecurity and my analysis of industry research and best practices.

My Top 10 Popular Linkedin Blog Posts for March 2023 

LinkedIn is an excellent platform for professionals to share their thoughts, experiences, and insights, and I share a great deal of information there.

Each month, we compile a list of the top ten LinkedIn posts, highlighting the most engaging content you may not find here.

So, without further ado, let’s dive into this month’s top posts! 

  1. My opinion on the Ferrari data breach: I discuss how Ferrari’s transparent communication strategy helped maintain brand equity after a recent data breach.
  2. How failure helped me to be a leader and a better man: I reflect on the resignation of a key employee in 2018 that taught me the importance of employee appreciation and recognition.
  3. Is ad-blocking technology ethically acceptable?: I explore the debate around ad-blocking technology and the responsibility of ad providers in ensuring ads are safe.
  4. Interview on Exercise and Preparedness:  I discuss the importance of regular security exercises for organizational resilience.
  5. Why Multi-Factor Authentication as you know it is not enough in 2023: My first LinkedIn article that led to the creation of CyberSec.Cafè. 
  6.  Comment on people telling anyone their passwords: I advocate for investing in Cyberculture and FIDO 2 Keys. (Ok, you should have understood by now that this is one of my fetishes)
  7. “how could we possibly …?” (repost of David Owen): I share insights on why known cyber vulnerabilities can go unaddressed for years (TL/DR: nobody was looking).
  8. My speech at Security4Busiless, alongside brilliant personalities: I recount my speech on business continuity and cybersecurity and how they are linked, which, after several perils, I can say was the first spark that led to the creation of this blog.
  9. European Parliament bans TikTok from staff phones: I discuss the significance of this decision for data privacy and compliance.
  10. “True Story”: yes, just two words. A simple, relatable comment on a repost that sparked further discussion. The original post content helped, however…

I’m not counting content such as the post about the creation of this blog (it’s wild: it’s my top LinkedIn post in terms of views, and I was afraid nobody would visit this blog) or the article on Zero Trust because, even if you find them on LinkedIn, they are contents of this blog.

Commentary: This month’s top ten LinkedIn posts showcase the diverse range of topics and insights within the cybersecurity and technology industries. From technological topics (Zero Trust and Multi-Factor Authentication), to my approach to winning the talent war (learned at the University of Life), to thought-provoking discussions on emerging risks and challenges, these posts demonstrate the importance of staying informed and engaging with thought leaders.

Be sure to check back next month for another roundup of the most popular LinkedIn posts! 

Why Zero Trust is the Present and Future of Cybersecurity

Photo by Tima Miroshnichenko from Pexels

As cyber threats continue to evolve and become more sophisticated, traditional security models are no longer sufficient to protect organizations from data breaches and other security incidents.

Zero trust, an approach to security that assumes all users, devices, and applications are untrusted and continuously verifies access, is gaining popularity as a more effective way to reduce risk and protect sensitive data.

To implement a Zero Trust strategy, you must assume you are already compromised: one of the main tenets of zero trust is to assume that the infrastructure is already compromised. This means the architecture must be designed so that, even when it is compromised, the risk is still reduced as much as possible.

Here are some key points to consider when implementing a zero trust architecture:

  1. VPNs are a thing of the past: Traditional VPNs provide a secure connection to the corporate network, but they also create a large attack surface and can be a source of vulnerabilities. Zero trust alternatives, such as software-defined perimeters, provide a more secure way to access resources without exposing the network to potential threats.
  2. Zero trust applies to devices and identities: Zero trust is not just about securing the network perimeter; it also includes securing individual devices and verifying user identities. This can be achieved through technologies such as risk-based multi-factor authentication and device trust.
  3. Zero trust can and should be integrated with Extended Detection and Response (XDR) to improve detection and response capabilities. The integration of XDR with Zero Trust is a topic that deserves its own in-depth exploration. Stay tuned for a follow-up article dedicated to exploring the benefits and considerations of integrating Zero Trust with XDR.
  4. Integration with Secure Access Service Edge (SASE): Zero trust is just one piece of the puzzle when it comes to securing the modern workplace. It should be integrated with other capabilities, such as cloud security, web filtering, and threat detection, within a Secure Access Service Edge (SASE) to provide a comprehensive security solution.
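The "assume compromise" tenet and points 1 and 2 above (no implicit trust from the network, verification of device and identity) can be made concrete as a policy decision point that is consulted on every request. The following Go example is added here for illustration; it is not the article's own code or any vendor's product, and the posture checks, the sensitivity tiers, the 30-day patch limit, the MFA ranking and the `payroll-db` resource are constructed. Network location is recorded for the audit trail but never consulted, so the request from the corporate LAN is refused for exactly the reasons it would be refused from anywhere else.

```go
package main

import (
	"fmt"
	"time"
)

// Sensitivity ranks resources; the policy demands a stronger posture for higher tiers.
type Sensitivity int

const (
	Public Sensitivity = iota
	Internal
	Confidential
)

// Request is everything the policy engine knows about one access attempt. There is
// deliberately no field that grants trust for being on the corporate network.
type Request struct {
	User          string
	MFA           string // "none", "sms", "push" or "fido2"
	DeviceManaged bool   // enrolled in the fleet's device management
	DiskEncrypted bool
	LastPatch     time.Time
	FromCorpLAN   bool // kept for the audit trail only; never used in a check
	Resource      string
	Tier          Sensitivity
	Now           time.Time
}

// Decision is the verdict plus every reason access was withheld.
type Decision struct {
	Allow   bool
	Reasons []string
}

// Policy holds the minimum posture per tier. The numbers are example choices.
type Policy struct {
	MaxPatchAge time.Duration
	MinMFA      map[Sensitivity]int // required strength, see mfaStrength
	ManagedFrom Sensitivity         // tier from which an unmanaged device is refused
}

// mfaStrength orders the factor types discussed in the MFA article on this page.
var mfaStrength = map[string]int{"none": 0, "sms": 1, "push": 2, "fido2": 3}

func DefaultPolicy() Policy {
	return Policy{
		MaxPatchAge: 30 * 24 * time.Hour,
		MinMFA:      map[Sensitivity]int{Public: 0, Internal: 2, Confidential: 3},
		ManagedFrom: Internal,
	}
}

// Evaluate is default-deny: each failed check records a reason and access is granted
// only when the list is empty. It is meant to run on every request, not once at login.
func (p Policy) Evaluate(r Request) Decision {
	var reasons []string
	if r.Tier >= p.ManagedFrom && !r.DeviceManaged {
		reasons = append(reasons, "device is not managed")
	}
	if r.Tier >= Internal && !r.DiskEncrypted {
		reasons = append(reasons, "disk is not encrypted")
	}
	if age := r.Now.Sub(r.LastPatch); age > p.MaxPatchAge {
		reasons = append(reasons, fmt.Sprintf("last patch %d days ago exceeds the %d-day limit",
			int(age.Hours()/24), int(p.MaxPatchAge.Hours()/24)))
	}
	if mfaStrength[r.MFA] < p.MinMFA[r.Tier] {
		reasons = append(reasons, fmt.Sprintf("mfa %q is too weak for this resource", r.MFA))
	}
	return Decision{Allow: len(reasons) == 0, Reasons: reasons}
}

// SampleDecisions evaluates three constructed requests against DefaultPolicy.
func SampleDecisions() map[string]Decision {
	now := time.Date(2023, 3, 15, 9, 0, 0, 0, time.UTC)
	p := DefaultPolicy()
	return map[string]Decision{
		// A perimeter model would wave this through because it is "inside"; zero trust does not.
		"lan_unmanaged_password": p.Evaluate(Request{User: "alice", MFA: "none",
			DeviceManaged: false, DiskEncrypted: false, LastPatch: now.AddDate(0, -3, 0),
			FromCorpLAN: true, Resource: "payroll-db", Tier: Confidential, Now: now}),
		// Healthy managed laptop with a FIDO2 login from a coffee shop: allowed.
		"remote_managed_fido2": p.Evaluate(Request{User: "alice", MFA: "fido2",
			DeviceManaged: true, DiskEncrypted: true, LastPatch: now.AddDate(0, 0, -5),
			FromCorpLAN: false, Resource: "payroll-db", Tier: Confidential, Now: now}),
		// Same laptop, but push MFA and a stale patch level: refused with two reasons.
		"remote_managed_push_stale": p.Evaluate(Request{User: "alice", MFA: "push",
			DeviceManaged: true, DiskEncrypted: true, LastPatch: now.AddDate(0, 0, -45),
			FromCorpLAN: false, Resource: "payroll-db", Tier: Confidential, Now: now}),
	}
}

func main() {
	for name, d := range SampleDecisions() {
		fmt.Printf("%-26s allow=%-5v %v\n", name, d.Allow, d.Reasons)
	}
}
```

In a real deployment the device-posture fields of `Request` are what an XDR or SASE platform feeds into the decision, and `Evaluate` runs again whenever those signals change, which is what "continuously verifies access" means in practice.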

Is Zero Trust the Cybersecurity Silver Bullet We All Needed?

Unfortunately, that’s not the case.

Zero trust is not just a set of tools or technologies; it requires a fundamental shift in the way organizations approach architectures, infrastructure, and security. It involves questioning assumptions about who and what can be trusted and implementing security controls that continuously monitor and verify access.

Additionally, implementing a zero trust architecture is not a one-off project. It requires ongoing monitoring and assessment to ensure that security controls remain effective and adapt to changing threats.

The good thing is that if properly implemented, zero trust will both make the organization more secure and improve user experience: Traditional security models can be cumbersome for users, but zero trust can actually enhance user experience by enabling more seamless and secure access to resources from anywhere, on any trusted device.

In conclusion, zero trust is a powerful approach to security that can help organizations reduce risk and protect sensitive data in an increasingly complex threat landscape. By implementing a zero trust architecture that includes a shift in mindset, continuous monitoring and assessment, integration with XDR, and other security capabilities within a SASE, organizations can stay ahead of potential threats and provide a more secure environment for their employees and customers.

The Journey Begins  

Why I Started My Cybersecurity Blog

Photo by Josh Hild from Pexels

Hello and welcome to my cybersecurity blog! My name is Andrea Succi, and I am a passionate cybersecurity professional with a deep interest in sharing my knowledge and experiences with others. In this first blog post, I want to share with you my reasons for starting this blog, what you can expect from it, and how I hope it will benefit you. 

Why I Started This Blog:

  1. Sharing knowledge and experiences: Throughout my career, I have had the privilege of working on various cybersecurity projects and initiatives for many organizations, including Fortune 500 companies, government agencies, and startups. I have learned a great deal from these experiences, and I believe that sharing my insights can help others in the field. This blog will serve as a platform for me to discuss my thoughts, ideas, and experiences related to cybersecurity. 
  2. Building a community: I believe that the cybersecurity community can benefit greatly from collaboration and knowledge sharing. By starting this blog, I hope to foster a sense of camaraderie and encourage discussions among professionals, enthusiasts, and anyone interested in cybersecurity. 
  3. Staying current: The field of cybersecurity is constantly evolving, with new threats and technologies emerging every day. Writing about cybersecurity will help me stay up-to-date with the latest developments and ensure that I am always learning and growing as a professional. 
  4. Personal growth: Writing is a powerful tool for self-reflection and personal growth. By sharing my thoughts and experiences in a public forum, I hope to gain new insights, challenge my beliefs, and continue to grow as a cybersecurity professional. 

What You Can Expect:

In this blog, you can expect to find a variety of content related to cybersecurity, including: 

  • In-depth articles on various cybersecurity topics 
  • Analysis of current events and emerging threats 
  • Tips and best practices for staying secure 
  • Personal reflections and experiences from my career 
  • Interviews with other cybersecurity professionals 

My hope is that this blog will serve as a valuable resource for anyone interested in cybersecurity, whether you are a seasoned professional or just starting your journey in the field. 

Thank you for joining me on this journey. I look forward to sharing my thoughts and experiences with you. Please feel free to leave comments on my LinkedIn posts, share your own experiences, or reach out with any questions or suggestions. Together, we can make the cybersecurity community stronger and more resilient. 

© 2025 CyberSec.Cafe