Fabrizio Baiardi

Fabrizio Baiardi is a Full Professor at Università di Pisa, where he has chaired one of the first degree programs on the security of ICT infrastructures. His main research interests are formal approaches to risk assessment and the resilience of critical ICT infrastructures. Fabrizio Baiardi has been involved in the risk assessment and management of several systems, including industrial control systems with SCADA components. He has authored several papers on ICT security and currently teaches university courses on security-related topics.

Money, cyber robustness and hacking (aka Money makes the cyber go around)

Nowadays, one of the most popular and dangerous ideas in the security world is that once you have learned to think like a hacker you will also be able to build robust systems. This is the idea lying at the foundations of those capture-the-flag exercises where someone teaches some poor students to crash a system. In this way the students will also learn, in some esoteric and mysterious way, how to build an unhackable system.
There is bad news for the supporters of this idea, because the elite CIA unit tasked with developing hacking tools failed to secure its own systems, and this resulted in a massive leak of those tools. Furthermore, according to The Washington Post:

“Without the WikiLeaks disclosure, the CIA might never have known the tools had been stolen, according to the report. “Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss,” the task force concluded.”

This interesting counterexample reminds us that a commando team that can destroy a bridge is not the best team to build one. For some mysterious reason, this trivial, widely accepted engineering principle is supposed not to hold for cyber security. To solve this mystery we should consider that we know how to build a robust system, and we have tools to measure this robustness, but these approaches are more expensive and less romantic than asking for some expert 🙂 opinion from hackers or penetration testers.
If something goes wrong, we will claim that “any system can be attacked”.