From Social Media Chaos to Social Business Security - Geneva 2014

Date post: 06-May-2015
Upload: idialoghi

Transcript
Page 1: From Social Media Chaos to Social Business Security - Geneva 2014

“From Social Media Chaos to Social Business Security”

(ISC)2 Workshop – Geneva, 18-02-2014

Andrea Zapparoli Manzoni - CEO iDialoghi Geneva 18-02 2014

Page 2: From Social Media Chaos to Social Business Security - Geneva 2014

Andrea Zapparoli Manzoni

Founder, CEO, iDIALOGHI

«Cyberworld» WG Member at OSN/Ce.Mi.S.S.

APASS Board Member / Information Warfare lead res.

Assintel Board Member / ICT Security WG leader

Clusit Board Member / lecturer (SCADA, Social Media Sec, Anti-fraud, DLP…)

Co-author of the Clusit Report (2012, 2013 and 2014)

→ Who am I (in 60 seconds)

Page 3: From Social Media Chaos to Social Business Security - Geneva 2014

→ Who am I (in 30 more seconds)

Page 4: From Social Media Chaos to Social Business Security - Geneva 2014

→ Who am I (last 30 seconds, I promise)

Page 5: From Social Media Chaos to Social Business Security - Geneva 2014

→ A (necessary) disclaimer

The views hereby expressed are those of the Author / Speaker and do not reflect the views of CLUSIT, nor those of the WG “Cyber World” at OSN - Italian Ministry of Defense, nor those of the private enterprises and security communities I am working at/with and/or supporting.

Page 6: From Social Media Chaos to Social Business Security - Geneva 2014

2012: + 150% serious known cyberattacks in the world vs 2011

2012: +800% serious known cyberattacks against / through Social Media platforms

Huge growth of evil doers and of offensive capabilities all over the world

Everyone is now a target (Citizens, Corporations, Institutions, Gov/Mil)

All platforms are now a target (PCs, Mobile, Social, Cloud, SCADA, IoT, PoS…)

Traditional defenses are not working anymore

Return on Investment (ROI) for attackers is extremely high

Costs and Risks for attackers are still extremely low

Growing risk of systemic “Black Swans” (HILP)

Lack of effective legislation and tools for LEAs

How do we handle all these issues and mitigate these new threats?

→ Why are we here?

Page 7: From Social Media Chaos to Social Business Security - Geneva 2014

It’s a Jungle Out There

Private Organizations spent USD 20B for “advanced” ICT Security systems in 2012, out of a USD 60B budget for ICT Security spending. Notwithstanding these efforts, Cyber Insecurity is becoming the norm. From our analyses, which are in line with those made by other observers (private and institutional), the rate of attacks against Companies and Government bodies in 2012 grew by 154% on average compared to 2011 (which had been the worst year on record until then). The speed of this growth accelerated further in 2013. Why?

→ Cyber Insecurity is the New Norm

[Chart: “International Serious Cyber Attacks”, half-yearly counts from 1H 2011 to 1H 2013 on a 0 to 800 scale. © Clusit - Rapporto 2013 sulla Sicurezza ICT in Italia – June 2013 Update]

Page 8: From Social Media Chaos to Social Business Security - Geneva 2014

The Fiat was my first car, back in 1987 (it was built in 1968). I was very proud of it and, after all, it worked. But it had NO built-in security whatsoever. No brakes, no seat belts, no ABS, ESP, airbag, headrests, no passive security – nothing.

Today’s ICT is like my 1968 Fiat, in terms of built-in security.

As a consequence, in 2012 this inherent cyber insecurity had a global (direct and indirect) estimated cost of USD 388 billion (that is, Denmark’s GDP).

→ Reason # 1: ICT Products Security levels are not what you may think

Page 9: From Social Media Chaos to Social Business Security - Geneva 2014

→ Reason # 2: Cybercrime is the “best” investment on the planet

Page 10: From Social Media Chaos to Social Business Security - Geneva 2014

→ Reason # 2: So many ways to profit from a compromised device!

Page 11: From Social Media Chaos to Social Business Security - Geneva 2014

→ Threats are growing, especially on Social Media

Threats to Online Services, including Social Media and Cloud Services: +800% Y/Y

Victims by type                   2011   2012   Change 2012 vs 2011
Gov - Mil - LEAs - Intelligence    153    374   244.44%
Others                              97    194   200.00%
Entertainment / News                76    175   230.26%
Online Services / Cloud             15    136   806.67%
Research - Education                26    104   400.00%
Banking / Finance                   17     59   347.06%
SW / HW Vendor                      27     59   218.52%
Telco                               11     19   172.73%
Gov. Contractors / Cons.            18     15   -16.67%
Security                            17     14   -17.65%
Religion                             0     14   1400.00%
Health                              10     11   110.00%
Chemical / Medical                   2      9   450.00%
Critical Infrastructures             -      -   -
Automotive                           -      -   -
Org / ONG                            -      -   -

© Clusit - Rapporto 2013 sulla Sicurezza ICT in Italia

Page 12: From Social Media Chaos to Social Business Security - Geneva 2014

→ OK. But what are Social Media?

Wikipedia: “A group of Internet-based applications that build on the ideological and technological foundations of Web 2.0, and that allow the creation and exchange of user-generated content”.

This is certainly true, but…

Why are they (mostly) free? Who owns them (really)? Who controls them (really)? What do they do with everybody’s social graphs? And with all the information? And with all the pictures? What’s written inside their EULAs? Are they filtered? Are they neutral? Are they secure?

Page 13: From Social Media Chaos to Social Business Security - Geneva 2014

→ Social Media are also… weapons

Over the last 3 years Social Media have become “weapons” in all respects, and are now part of the “cyber arsenal” at the disposal of armies, intelligence services, police forces, terrorists, mercenary groups, antagonistic groups and corporations.

Some facts:

Actively used by Anonymous, S.E.A. (and similar groups)

Actively used by Governments (Iran, Syria, China, USA etc.) for PsyOps, OSINT, mass surveillance and target acquisition

Used by the “Arab Spring” rebels as C4ISR (1) and by Special Forces in Libya in support of NATO operations

Used by Corporations against competitors and hacktivists

(1) Command, Control, Computers, Communications, Intelligence, Surveillance and Reconnaissance

Page 14: From Social Media Chaos to Social Business Security - Geneva 2014

→ Social Media are also… targets (and SPoF)

Having become a weapon and a battlefield, Social Media inevitably also became a target. This means that at any time they could be attacked, blocked and made inaccessible or unusable (e.g. by using swarms of “bots”, or by simply shutting them down). In fact it has already happened, because of:

- Riots, insurrections and civil wars
- Cyber attacks of various kinds and purposes
- Sabotage and protest
- State censorship

Social Media platforms cannot (and shouldn’t) be trusted.

Page 15: From Social Media Chaos to Social Business Security - Geneva 2014

→ Social Media are also… Cyber Crime Paradise

Today Social Media have become the main hunting ground for trans-national organized cybercrime, which in 2012 reached an estimated “turnover” of $ 15 Billion, an increase of 250% over the previous year. In 2012, 74 million people were victims of some sort of cybercrime in the U.S. alone (1/3 via Social Media, 10 per second), for $ 32 B of direct losses. Worldwide, the estimated direct losses in 2012 were over $ 110 B. The total cost worldwide (direct losses + costs & time devoted to remedying attacks) in 2012 was estimated at $ 388 B. That is more than the GDP of Vietnam, Ukraine and Romania combined! If this trend continues, in 2013 these costs will be equal to half of the Italian GDP (1 Trillion USD).

Page 16: From Social Media Chaos to Social Business Security - Geneva 2014

→ Social Media are also… a risk for their Users

E.g. taking advantage of the news of Bin Laden’s death, tens of thousands of Facebook users were lured into downloading a trojan (not detected by antivirus software) that stole personal data and turned the victims’ PCs into “zombies”… Due to the nature of social media, cyber criminals have the ability to infect millions of systems (PCs or mobile) in a matter of a few hours… for free.

We could give thousands of examples; every day there are new ones…

Page 17: From Social Media Chaos to Social Business Security - Geneva 2014

→ Social Media are also… a risk for Businesses

Social Media are an important source of business risk… even for companies that do not use them! Cyber attacks, fraud, data, IP and money theft, unfair competition, damages to third parties and to the corporate image…

Page 18: From Social Media Chaos to Social Business Security - Geneva 2014

→ Social Media are a major attack vector (latest Italian example)

120,000 Italian users exposed to Zeus malware for more than 48 hours on Alpitour’s hijacked FB page

Page 19: From Social Media Chaos to Social Business Security - Geneva 2014

→ Social Media are a major attack vector (more examples)

Simple (but effective) social engineering attack for identity theft purposes

Page 20: From Social Media Chaos to Social Business Security - Geneva 2014

→ Social Media are a major attack vector (more examples)

More Social Engineering (in these cases, in order to spread botnet malware / RATs).

Page 21: From Social Media Chaos to Social Business Security - Geneva 2014

→ Social Media are a major attack vector (more examples)

Phishing via rogue Facebook App

Spear Phishing via LinkedIn

Page 22: From Social Media Chaos to Social Business Security - Geneva 2014

→ Social Media are a major attack vector (more examples)

Malvertising: paid malicious ads (hint: there’s no WhatsApp for PCs…)

Page 23: From Social Media Chaos to Social Business Security - Geneva 2014

→ Social Media are a major attack vector (more examples)

Stolen Social Media credentials on sale on a (small) Russian cybercriminal forum

Page 24: From Social Media Chaos to Social Business Security - Geneva 2014

→ Social Media are a major attack vector (more examples)

Number of phishing attacks against Social Media users (August 2013)

Kaspersky 2013

Page 25: From Social Media Chaos to Social Business Security - Geneva 2014

→ Social Media are a major attack vector (more examples)

PsyOps via Twitter

(the “Syrian Electronic Army”, a pro-Assad mercenary group, hacked AP’s Twitter account and then…)

Page 26: From Social Media Chaos to Social Business Security - Geneva 2014

→ Social Media are a major attack vector (more examples)

A single, well-crafted fake tweet inflicted a USD 53B loss on the NYSE in 5 minutes. What if…?

Page 27: From Social Media Chaos to Social Business Security - Geneva 2014

→ The Path From Chaos to Security

Knowledge is power. In such a new and complex context it is necessary to set up a continuous training process for Managers, End users, Decision Makers, LEAs, Marketing staff, HR staff, ICT / Security staff, and so on. Since incidents are only a matter of time, it is essential to implement a set of processes for Risk Management / BIA, harmonized and coordinated within an overall plan for Social Media Security:

- Definition of specific Policies and Responsibilities
- Continuous Monitoring and Enforcement of the policies
- Cyber Threat Prevention / Cyber Intelligence
- Definition of Early Warning indicators
- Legal protection (proactive and reactive)
- Crisis Management (in real-time!)

Page 28: From Social Media Chaos to Social Business Security - Geneva 2014

Andrea Zapparoli Manzoni

[email protected]

→ Thank you!
