From Social Media Chaos to Social Business Security - Geneva 2014

(ISC)2 Workshop – Geneva, 18-02-2014
“From Social Media Chaos to Social Business Security”

Andrea Zapparoli Manzoni - CEO iDialoghi

Geneva 18-02 2014

From Social Media Chaos to Social Business Security
→ Who am I (in 60 seconds)

Andrea Zapparoli Manzoni


Founder, CEO, iDIALOGHI



«Cyberworld» WG Member at OSN/Ce.Mi.S.S.



APASS Board Member / Information Warfare lead res.



Assintel Board Member / ICT Security WG leader



Clusit Board Member / lecturer (SCADA, Social Media
Sec, Anti-fraud, DLP…)



Co-author of the Clusit Report (2012, 2013 and 2014)


Geneva 18-02 2014

→ Who am I (in 30 more seconds)


Geneva 18-02 2014

→ Who am I (last 30 seconds, I promise)


Geneva 18-02 2014

→ A (necessary) disclaimer

The views hereby expressed are those of the
Author / Speaker and do not reflect the views
of CLUSIT, nor those of the WG “Cyber World”
at OSN - Italian Ministry of Defense, nor those
of the private enterprises and security
communities I am working at/with and/or
supporting.


Geneva 18-02 2014

→Why are we here?

 2012: + 150% serious known cyberattacks in the world vs 2011
 2012: +800% serious know cyberattacks against / through Social Media platforms
 Huge growth of evil doers and of offensive capabilities all over the world
 Everyone is now a target (Citizens, Corporations, Institutions, Gov/Mil)
 All platforms are now a target (PCs, Mobile, Social, Cloud, SCADA, IoT, PoS…)
 Traditional defenses are not working anymore
 Return of Investment (ROI) for attackers is extremely high
 Costs and Risks for attackers are still extremely low
 Growing risk of systemic “Black Swans” (HILP)
 Lack of effective legislation and tools for LEAs
How do we handle all these issues and mitigate these new threats?


Geneva 18-02 2014

→Cyber Insecurity is the New Norm

It’s a Jungle Out There

International Serious Cyber Attacks
800
700

Private Organizations spent USD 20B for
“advanced” ICT Security systems in 2012,
out of a USD 60B budget for ICT Security
spending. Nothwistanding these efforts,
Cyber Insecurity is becoming the norm.

600
500
400
300
200
100
0
1 H 2011

2 H 2011

1 H 2012

2 H 2012

1 H 2013

© Clusit - Rapporto 2013 sulla Sicurezza ICT in Italia – June 2013 Update

From our analyses, which are in line with
those made by other observers (private and
institutional), the rate of attacks against
Companies and Government bodies in 2012
grew by 154% on average compared to
2011 (which was the worst year on record,
until then). The speed of this growth has
accelerated in 2013, too. Why?

© Clusit - Rapporto 2013 sulla Sicurezza ICT in Italia

Geneva 18-02 2014

→ Reason # 1: ICT Products Security levels are not what you may think

!=

The Fiat was my first car, back in 1987 (it was built in 1968). I was very proud of it and,
after all, it worked. But it had NO built-in security whatsoever. No brakes, no seat belts,
no ABS, ESP, airbag, headrests, no passive security – nothing.
Today’s ICT is like my 1968 Fiat, in terms of built-in security.
As a consequence, in 2012 this inherent cyber insecurity had a global (direct and indirect)
estimated cost of USD 388 Billions (that is, Denmark’s GDP).

Geneva 18-02 2014

→ Reason # 2: Cybercrime is the “best” investment on the planet


Geneva 18-02 2014

→ Reason # 2 So many ways to profit from a compromised device!


Geneva 18-02 2014

→ Threats are growing expecially on Social Media

Threats to Online Services, including Social Media and Cloud Services: +800% Y/Y
VITTIME PER TIPOLOGIA

2011

2012

Variazioni 2012 su 2011

Gov - Mil - LEAs - Intelligence

153

374

244,44%

Others

97

194

200,00%

Entertainment / News

76

175

230,26%

Online Services / Cloud

15

136

806,67%

Research - Education

26

104

400,00%

Banking / Finance

17

59

347,06%

SW / HW Vendor

27

59

218,52%

Telco

11

19

172,73%

Gov. Contractors / Cons.

18

15

-16,67%

Security

17

14

-17,65%

Religion

0

14

1400,00%

Health

10

11

110,00%

Chemical / Medical

2

9

450,00%

Critical Infrastructures

-

-

-

Automotive

-

-

-

Org / ONG

-

-

-

© Clusit - Rapporto 2013 sulla Sicurezza ICT in Italia


Geneva 18-02 2014

→ OK. But what are Social Media?

Wikipedia: “A group of Internet-based applications that build on the ideological and
technological foundations of Web 2.0, and that allow the creation and exchange of
user-generated content”.
This is certainly true, but…
 Why are they (mostly) free?
 Who owns them (really)?
 Who controls them (really)?
 What do they do with everybody’s social graphs?
 And with all the information?
 And with all the pictures?
 What’s written inside their EULAs ?
 Are they filtered?
 Are they neutral?
 Are they secure?

Geneva 18-02 2014

→ Social Media are also… weapons

Over the last 3 years Social Media have become “weapons”
in all respects, and are now part of the "cyber arsenal " at
the disposal of armies, intelligence services, police forces,
terrorists, mercenary groups, antagonistic groups and
corporations.
Some facts:
 Actively used by Anonymous, S.E.A. (and similar groups)
 Actively used by Governments (Iran, Syria, China, USA etc)
to PsyOps, OSINT, mass surveillance and target acquisition
 Used by the "Arab Spring" rebels as C4ISR1 and by Special
Forces in Libya in support of NATO operations
 Used by Corporations against competitors and hacktivists
1 Command, Control, Computers, Communications, Intelligence, Surveillance and Reconnaissance


Geneva 18-02 2014

→ Social Media are also… targets (and SPoF)

Having become a weapon and a battlefield, Social Media inevitably also became
a target.
This means that at any time could be attacked, blocked and made inaccessible,
or unusable (i.e. by using swarms of “bots”, or by simply shutting them down).
In fact it has already happened, because of:
- Riots, insurrections and civil wars
- Cyber attacks of various kinds and purpose
- Sabotage and protest
- State censorship
Social Media platforms cannot (and shouldn’t) be trusted.


Geneva 18-02 2014

→ Social Media are also… Cyber Crime Paradise

Today Social Media have become the main hunting ground
for trans-national organized cybercrime, which has reached
a "turnover" in 2012 (estimated) of $ 15 Billion, an increase
of 250% over the previous year.
In 2012, 74 million people have been victims of some sort of
cybercrime in the U.S. alone (1/3 via Social Media, 10 per
second) for $ 32 B of direct losses. In the world the
estimated direct losses in 2012 were over $ 110 B.
The total cost worldwide (direct losses + costs & time
devoted to remedy attacks) in 2012 was estimated at $ 388
B. It is more than the GDP of Vietnam, Ukraine and Romania
added! If this trend continues, in 2013 these costs will be
equal to half of the Italian GDP .... (1 Trillion USD).


Geneva 18-02 2014

→ Social Media are also… a risk for their Users

We could make
thousands of
examples, every day
there are new ones….

I.E. taking advantage of the news of Bin Laden’s death,
tens of thousands of Facebook users were lured into
dowloading a trojan (not detected by antivirus
software) that stealed personal data and transformed
the PC of the victims into “zombies”…
Due to the nature of social media, cyber criminals
have the ability to infect millions of systems (PCs or
mobile) in a matter of a few hours ... For free.

Geneva 18-02 2014

→ Social Media are also… a risk for Businesses

Social Media is an important source of business risk ... even for companies
that do not use them! Cyber attacks, fraud, data, IP and money theft, unfair
competition, damages to third parties and to the corporate image ...


Geneva 18-02 2014

→ Social Media are a major attack vector (latest Italian example)

120.000 Italian users exposed to Zeus malware for more than 48 hours on Alpitour’s hijacked FB page

Geneva 18-02 2014

→ Social Media are a major attack vector (more examples)

Simple (but effective) social engineering attack for identity theft purposes


Geneva 18-02 2014


More Social Engineering (in these cases,
in order to spread botnet malware / RATs).


Geneva 18-02 2014


Phishing via rogue Facebook App


Spear Phishing via LinkedIn

Geneva 18-02 2014


Mal-advertising: paid malicious ADVs (hint: there’s no WhatsApp for PCs…)


Geneva 18-02 2014


Social Media stolen credentials on sale on a (small) russian cybercriminal forum


Geneva 18-02 2014


Kaspersky 2013

Number of phishing attacks against Social Media users (august 2013)


Geneva 18-02 2014


PsyOps via Twitter

(the “Syrian Electronic Army,” a pro-Assad mercenary group, hacked AP’s twitter account and then…)

Geneva 18-02 2014


A single, well crafted fake tweet inflicted the NYSE a 53B USD loss in 5 minutes. What if …… ?

Geneva 18-02 2014

→ The Path From Chaos to Security

Knowledge is power. In such a new and complex context it is necessary to set up
a continuous training process for Managers, End users, Decision Makers, LEAs,
Marketing staff, HR staff, ICT / Security staff, and so on.
Since incidents are only a matter of time, it is essential to
implement a set of processes for Risk Management / BIA,
harmonized and coordinated within an overall plan for
Social Media Security:
- Definition of specific Policies and Responsibilities
- Continuous Monitoring and Enforcement of the policies
- Cyber Threat Prevention / Cyber Intelligence
- Definition of Early Warning indicators
- Legal protection (proactive and reactive)
- Crisis Management (in real-time!)

Geneva 18-02 2014

→ Thank you!

Andrea Zapparoli Manzoni
a.zmanzoni@idialoghi.com


Geneva 18-02 2014

From Social Media Chaos to Social Business Security - Geneva 2014

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (14)

Destaque

Destaque (19)

Semelhante a From Social Media Chaos to Social Business Security - Geneva 2014

Semelhante a From Social Media Chaos to Social Business Security - Geneva 2014 (20)

Último

Último (20)

From Social Media Chaos to Social Business Security - Geneva 2014