Posted: 06-May-2015 | Category: Social Media | Uploaded by: idialoghi
“From Social Media Chaos to Social Business Security”
(ISC)2 Workshop – Geneva, 18-02-2014
Andrea Zapparoli Manzoni - CEO iDialoghi Geneva 18-02 2014
Andrea Zapparoli Manzoni
Founder, CEO, iDIALOGHI
«Cyberworld» WG Member at OSN/Ce.Mi.S.S.
APASS Board Member / Information Warfare lead res.
Assintel Board Member / ICT Security WG leader
Clusit Board Member / lecturer (SCADA, Social Media Sec, Anti-fraud, DLP…)
Co-author of the Clusit Report (2012, 2013 and 2014)
→ Who am I (in 60 seconds)
→ Who am I (in 30 more seconds)
→ Who am I (last 30 seconds, I promise)
→ A (necessary) disclaimer
The views hereby expressed are those of the Author / Speaker and do not reflect the views of CLUSIT, nor those of the WG “Cyber World” at OSN - Italian Ministry of Defense, nor those of the private enterprises and security communities I am working at/with and/or supporting.
2012: +150% serious known cyberattacks in the world vs 2011
2012: +800% serious known cyberattacks against / through Social Media platforms
Huge growth of evil doers and of offensive capabilities all over the world
Everyone is now a target (Citizens, Corporations, Institutions, Gov/Mil)
All platforms are now a target (PCs, Mobile, Social, Cloud, SCADA, IoT, PoS…)
Traditional defenses are not working anymore
Return on Investment (ROI) for attackers is extremely high
Costs and Risks for attackers are still extremely low
Growing risk of systemic “Black Swans” (HILP)
Lack of effective legislation and tools for LEAs
How do we handle all these issues and mitigate these new threats?
→ Why are we here?
It’s a Jungle Out There
Private Organizations spent USD 20B on “advanced” ICT Security systems in 2012, out of a USD 60B budget for ICT Security spending. Notwithstanding these efforts, Cyber Insecurity is becoming the norm. From our analyses, which are in line with those made by other observers (private and institutional), the rate of attacks against Companies and Government bodies in 2012 grew by 154% on average compared to 2011 (which was the worst year on record, until then). The speed of this growth has accelerated in 2013, too. Why?
→ Cyber Insecurity is the New Norm
[Chart: International Serious Cyber Attacks per half-year, 1H 2011 – 1H 2013 (y-axis 0–800)]
© Clusit - Rapporto 2013 sulla Sicurezza ICT in Italia – June 2013 Update
The Fiat was my first car, back in 1987 (it was built in 1968). I was very proud of it and,
after all, it worked. But it had NO built-in security whatsoever. No brakes, no seat belts,
no ABS, ESP, airbag, headrests, no passive security – nothing.
Today’s ICT is like my 1968 Fiat, in terms of built-in security.
As a consequence, in 2012 this inherent cyber insecurity had a global (direct and indirect)
estimated cost of USD 388 Billion (that is, Denmark’s GDP).
→ Reason # 1: ICT Products Security levels are not what you may think
→ Reason # 2: Cybercrime is the “best” investment on the planet
→ Reason # 2: So many ways to profit from a compromised device!
→ Threats are growing especially on Social Media
Threats to Online Services, including Social Media and Cloud Services: +800% Y/Y
Victims by type | 2011 | 2012 | Change 2012 vs 2011
Gov - Mil - LEAs - Intelligence | 153 | 374 | 244,44%
Others | 97 | 194 | 200,00%
Entertainment / News | 76 | 175 | 230,26%
Online Services / Cloud | 15 | 136 | 806,67%
Research - Education | 26 | 104 | 400,00%
Banking / Finance | 17 | 59 | 347,06%
SW / HW Vendor | 27 | 59 | 218,52%
Telco | 11 | 19 | 172,73%
Gov. Contractors / Cons. | 18 | 15 | -16,67%
Security | 17 | 14 | -17,65%
Religion | 0 | 14 | 1400,00%
Health | 10 | 11 | 110,00%
Chemical / Medical | 2 | 9 | 450,00%
Critical Infrastructures | - | - | -
Automotive | - | - | -
Org / ONG | - | - | -
© Clusit - Rapporto 2013 sulla Sicurezza ICT in Italia
→ OK. But what are Social Media?
Wikipedia: “A group of Internet-based applications that build on the ideological and technological foundations of Web 2.0, and that allow the creation and exchange of user-generated content”.
This is certainly true, but…
Why are they (mostly) free? Who owns them (really)? Who controls them (really)? What do they do with everybody’s social graphs? And with all the information? And with all the pictures? What’s written inside their EULAs? Are they filtered? Are they neutral? Are they secure?
→ Social Media are also… weapons
Over the last 3 years Social Media have become “weapons” in all respects, and are now part of the “cyber arsenal” at the disposal of armies, intelligence services, police forces, terrorists, mercenary groups, antagonistic groups and corporations.
Some facts:
Actively used by Anonymous, S.E.A. (and similar groups)
Actively used by Governments (Iran, Syria, China, USA etc.) for PsyOps, OSINT, mass surveillance and target acquisition
Used by the “Arab Spring” rebels as C4ISR (1) and by Special Forces in Libya in support of NATO operations
Used by Corporations against competitors and hacktivists
(1) Command, Control, Computers, Communications, Intelligence, Surveillance and Reconnaissance
→ Social Media are also… targets (and SPoF)
Having become a weapon and a battlefield, Social Media inevitably also became a target. This means that at any time they could be attacked, blocked and made inaccessible or unusable (e.g. by using swarms of “bots”, or by simply shutting them down). In fact it has already happened, because of:
- Riots, insurrections and civil wars
- Cyber attacks of various kinds and purposes
- Sabotage and protest
- State censorship
Social Media platforms cannot (and shouldn’t) be trusted.
→ Social Media are also… Cyber Crime Paradise
Today Social Media have become the main hunting ground for trans-national organized cybercrime, whose estimated “turnover” in 2012 reached $ 15 Billion, an increase of 250% over the previous year. In 2012, 74 million people were victims of some sort of cybercrime in the U.S. alone (1/3 via Social Media, 10 per second), for $ 32 B of direct losses. Worldwide, the estimated direct losses in 2012 were over $ 110 B. The total cost worldwide (direct losses + costs & time devoted to remedying attacks) in 2012 was estimated at $ 388 B. That is more than the GDP of Vietnam, Ukraine and Romania combined! If this trend continues, in 2013 these costs will be equal to half of the Italian GDP (1 Trillion USD).
→ Social Media are also… a risk for their Users
E.g., taking advantage of the news of Bin Laden’s death, tens of thousands of Facebook users were lured into downloading a trojan (not detected by antivirus software) that stole personal data and turned the victims’ PCs into “zombies”. Due to the nature of social media, cyber criminals have the ability to infect millions of systems (PCs or mobile) in a matter of a few hours... for free.
We could give thousands of examples; every day there are new ones.
→ Social Media are also… a risk for Businesses
Social Media are an important source of business risk... even for companies that do not use them! Cyber attacks, fraud, data, IP and money theft, unfair competition, damages to third parties and to the corporate image...
→ Social Media are a major attack vector (latest Italian example)
120,000 Italian users exposed to Zeus malware for more than 48 hours on Alpitour’s hijacked Facebook page
→ Social Media are a major attack vector (more examples)
Simple (but effective) social engineering attack for identity theft purposes
→ Social Media are a major attack vector (more examples)
More Social Engineering (in these cases, in order to spread botnet malware / RATs).
→ Social Media are a major attack vector (more examples)
Phishing via rogue Facebook App
Spear Phishing via LinkedIn
→ Social Media are a major attack vector (more examples)
Mal-advertising: paid malicious ADVs (hint: there’s no WhatsApp for PCs…)
→ Social Media are a major attack vector (more examples)
Social Media stolen credentials on sale on a (small) Russian cybercriminal forum
→ Social Media are a major attack vector (more examples)
Number of phishing attacks against Social Media users (August 2013)
Source: Kaspersky 2013
→ Social Media are a major attack vector (more examples)
PsyOps via Twitter
(the “Syrian Electronic Army,” a pro-Assad mercenary group, hacked AP’s twitter account and then…)
→ Social Media are a major attack vector (more examples)
A single, well-crafted fake tweet inflicted a USD 53B loss on the NYSE in 5 minutes. What if…?
→ The Path From Chaos to Security
Knowledge is power. In such a new and complex context it is necessary to set up a continuous training process for Managers, End Users, Decision Makers, LEAs, Marketing staff, HR staff, ICT / Security staff, and so on. Since incidents are only a matter of time, it is essential to implement a set of Risk Management / BIA processes, harmonized and coordinated within an overall plan for Social Media Security:
- Definition of specific Policies and Responsibilities
- Continuous Monitoring and Enforcement of the policies
- Cyber Threat Prevention / Cyber Intelligence
- Definition of Early Warning indicators
- Legal protection (proactive and reactive)
- Crisis Management (in real-time!)
→ Thank you!