Published on Isacaroma Newsletter (http://www.isacaroma.it/html/newsletter)

Interview with Dario Forte, “Incident Response" teacher

By Redazione
Created 2004-10-26 10:20

An academic competence centre for ICT security. A course designed for computer security incident response team.

Hello Dario, let’s start with your academic experience. How did you get started working with the University? What do you teach?

I started working with the Crema campus about three years ago when we began offering the first specialization courses in Digital Forensics. At that time no one talked about this particular discipline. It wasn’t in fashion. The faculty at the Crema campus have always been very forward-thinking and after the initial success I was given a teaching position. The degree program is going really well.

The online version filled up in just a few days. We didn’t expect such an enthusiastic response from the students, including those who work. The degree program is oriented to “conventional” students and to those who are already working. It shares some basics with Information Science but then goes on to develop topics such as Secure Programming, Systems and “Secure” Networks, Risk Management, as well as legal aspects and more.

Crema is a small town but a very nice place for students. The campus is very modern and is growing steadily. Housing can be found at affordable prices and students receive a good deal of guidance. The really great thing about Crema is the international atmosphere. We have projects underway with the United States, Germany and Australia. We are really doing some high level work.

Your course is called “Incident Response”: this is currently an important theme for Italian companies who have often favored a product approach (antivirus, firewall) over a process-oriented or organizational approach. How do you see the situation?

I teach both about processes and about operations. The course has its theory section regarding organization and also its hands-on part where we use commercial or open-source tools. I’ve been involved in this discipline ever since I worked for the Police Force, and I would say that it is an absolutely contemporary and also obligatory subject matter. The main objective right now is to reduce reaction times to a minimum, both in the post-attack and in the internal investigation phases.

As a consultant I have many high level clients, both in Italy and abroad, and the reorganization and incident response enhancement of their information processes has produced some very good results. An organizational approach is certainly better suited to an enterprise situation, but we have developed microframeworks for mid-sized organizations as well. I don’t think such a service is really indicated for small organizations except perhaps in response to an incident, where best practices for recovering data and hardening the compromised systems could be applied.

What would you suggest to someone who wanted to enroll in the university to become an expert in Information Security?

Universities like the one in Crema train future consultants and CTOs. A new student has to have a bit of patience and a lot of determination, especially during the initial period. Courses that might at first seem sterile will turn out to provide an invaluable basis for the student’s professional outlook. It is not easy to get into the program, but if you study at Crema you will be guaranteed the possibility to work directly with internationally known instructors who put a lot of stock into the professional success of each student.

Alongside the pursuit of the university coursework, I would recommend improving your English proficiency and seriously undertaking a third language pertinent to the emerging markets such as India or the Far East.

What about someone who is already working? What do you think of the “professional certifications” in information security?

I think that certification is very important as a sort of “access credentials”. I know a lot of headhunters, especially in the US, who require some certification as a requisite for getting an interview. There are very many sources of certification. ISACA, for example, offers excellent possibilities for auditors, while security managers can obtain first rate credentials via CISM, which is stealing “market share” from CISSP. You still have to be careful about the crediting process and the assessment of credentials. It is not always carried out in an exhaustive manner. In short, certifications represent a qualitative level that you then have to maintain through real actions.

You are a Certified Fraud Examiner (CFE). Please tell us what that means and how you obtain such certification.

I became interested in this certification, and I was one of the first in Italy to do so, when I was working with the Police Force. A fraud examiner is a professional specialized in a specific sector. He often comes from or works within the auditor realm and may also deal directly with the technology. The certification process is rather long and you need letters of recommendation from people who are already certified to vouch for the candidate’s degree of professionalism. I remember that when I asked to be admitted to the program my credentials were checked and cross-checked a number of times. CFE is currently opening a chapter in Italy as well. Personally, as a CFE I work on Digital Investigations and Computer Forensics.

Let’s talk about the IRItaly experience (Incident Response Italy) http://www.iritaly.org/ Is it a new version of the old University Cert groups or something more?

IRItaly is a project we started about two years ago in Crema. It involves about twenty people including instructors and students (also post-grads) working in the security lab. The project comprises three parts. The first part is a document of about 200 pages giving guidelines for what to do in the event of an incident. We developed this document in collaboration with other similar groups working around the world. The sources are constantly checked and the document is updated by the team. We are currently producing a second edition of the document reserved for specific accredited groups of users. Incidentally, IRItaly is the official textbook for my university course, which helps save the students a bit of money.

The second part of the project is a First Response CD-ROM, mainly LINUX-based, that contains a great number of tools for carrying out a first response on machines that are potentially compromised or otherwise needing examination. This work was initially based on the well-known FIRE. But later, following discussions I had personally with the FIRE Project Manager, currently working in the AOL security department, we decided to move to Knoppix, with the result being the achievement of high stability. I have spoken about the project all over the world and it has met with enthusiastic response. Currently we are working with a number of universities to open a download mirror.

The third part of the project is a Honeynet. IRItaly is part of the Honeynet Project. We are now going into Generation III, which will be operative together with the new release of the departmental network. Additionally, some of the members of IRItaly have written an interface for one of the fundamental Honeynet tools (Sebek), which can be controlled via cellular phone.

What sort of response have you had from the market?

“Unfortunately” very positive. I mean I have personally found the document literally cut and pasted (without reference) into consulting work for which tens of thousands of euros were charged. This damages especially clients that end up using a completely decontextualized product with all the attendant risks. Because of this, we have decided to remove the document from the Web, to leave only certain parts generally available, and to provide the complete work only to accredited entities such as public administrations and the police force. We have begun information exchange with certain organizations in this sector.

IRItaly is not a CERT, but a group of people dedicated to Best Practices and first response tools. Furthermore, the Honeynet part lets us act as an early warning system for critical infrastructures. In the upcoming months we will begin creating training courses for anyone representing the above operators who needs them. Lastly, a group of vendors have expressed their desire to finance a translation of the manual into English.

It appears that a great deal of your professional experience was gained abroad. Is it important for someone in your position to be connected to an international network?

It depends on where you want to go with it. In Incident Response an international network of connections is absolutely essential, especially when you work with clients of a certain level. Of course there are circuits and then there are circuits. If you want to work at certain levels you have to dialogue with CISOs and develop a network over the years, since this is a relatively closed and protective circuit based on trust and mutual support. Personally I travel between the United States and South America (nations where I have other important clients) at least 10 times a year. Face-to-face contact is essential. This obviously requires a big investment in terms of both time and money.

So what are you reading nowadays? Do you have something to recommend to our readers that you consider a “must” for someone working in this field?

I am reading very little “structured” stuff (books) and writing a great deal (in addition to the upcoming edition of the infosecurity management manual I am spending a lot of time working on a chapter for a technical book that will be published all over the world this coming February, and the reviewers are breathing down my neck). I would suggest that everyone read Tangled Web by Richard Power. It came out a couple of years ago. It’s not very technical but makes very clear the importance of Business Security. It is an excellent lever to use with management who have to allocate funds to security projects.

What about your private life? What are your hobbies and interests?

To tell the truth, I don’t have much free time and right now I’m traveling a lot more than usual (I am writing this on a Vancouver-Singapore flight). In any case, whether I am in New York or Milan, I try to spend time with my close friends and indulge in our shared love for nightclubs and jazz. I love cooking and fine wine (drink little but drink well). But my main passion is cars. I live in the country and I can’t deny that I love to spend my Sundays at home relaxing and reading about Porsches, Maseratis and Aston Martins…

Ciao Dario and thank you for the interview.

Thank you. My best regards to all the associates.

Links and further reading

Dario at the University of Milan:

http://www.dti.unimi.it/~forte [1]

Three-year bachelor's degree program in "Sicurezza dei sistemi e delle reti informatiche":

http://www.cdlonline.unimi.it/ [2]

The Association of Certified Fraud Examiners:

http://www.cfenet.com/splash/ [3]

Italy Chapter:

http://www.cfenet.com/chapters/ChapterDetail.asp?Page=Contact&ChapterID=115 [4]

IRItaly (Incident Response Italy):

http://www.iritaly.org [5]

Honeynet Project:

http://www.honeynet.org/ [6]

Knoppix:

http://www.knoppix.org/ [7]

“Tangled Web” by Richard Power:

http://www.gocsi.com/press/prelea000831.jhtml [8]


Source URL:
http://www.isacaroma.it/html/newsletter/node/24