From Social Media Chaos to Social Business Security - Geneva 2014
1. (ISC)2 Workshop – Geneva, 18-02-2014
“From Social Media Chaos to Social Business Security”
Andrea Zapparoli Manzoni - CEO iDialoghi
Geneva 18-02 2014
2. From Social Media Chaos to Social Business Security
→ Who am I (in 60 seconds)
Andrea Zapparoli Manzoni
Founder, CEO, iDIALOGHI
«Cyberworld» WG Member at OSN/Ce.Mi.S.S.
APASS Board Member / Information Warfare lead res.
Assintel Board Member / ICT Security WG leader
Clusit Board Member / lecturer (SCADA, Social Media Sec, Anti-fraud, DLP…)
Co-author of the Clusit Report (2012, 2013 and 2014)
3. From Social Media Chaos to Social Business Security
→ Who am I (in 30 more seconds)
4. From Social Media Chaos to Social Business Security
→ Who am I (last 30 seconds, I promise)
5. From Social Media Chaos to Social Business Security
→ A (necessary) disclaimer
The views expressed here are those of the Author / Speaker and do not reflect the views of CLUSIT, nor those of the WG "Cyber World" at OSN - Italian Ministry of Defense, nor those of the private enterprises and security communities I am working at/with and/or supporting.
6. From Social Media Chaos to Social Business Security
→Why are we here?
2012: +150% serious known cyberattacks worldwide vs 2011
2012: +800% serious known cyberattacks against / through Social Media platforms
Huge growth of evildoers and of offensive capabilities all over the world
Everyone is now a target (Citizens, Corporations, Institutions, Gov/Mil)
All platforms are now a target (PCs, Mobile, Social, Cloud, SCADA, IoT, PoS…)
Traditional defenses are not working anymore
Return on Investment (ROI) for attackers is extremely high
Costs and Risks for attackers are still extremely low
Growing risk of systemic "Black Swans" (HILP: high-impact, low-probability events)
Lack of effective legislation and tools for LEAs
How do we handle all these issues and mitigate these new threats?
8. From Social Media Chaos to Social Business Security
→ Reason # 1: ICT Products Security levels are not what you may think
The Fiat was my first car, back in 1987 (it was built in 1968). I was very proud of it and, after all, it worked. But it had NO built-in security whatsoever: no brakes worth the name, no seat belts, no ABS, ESP, airbag, headrests, no passive safety at all.
Today's ICT is like my 1968 Fiat in terms of built-in security.
As a consequence, in 2012 this inherent cyber insecurity had an estimated global (direct and indirect) cost of USD 388 billion (roughly Denmark's GDP).
9. From Social Media Chaos to Social Business Security
→ Reason # 2: Cybercrime is the “best” investment on the planet
10. From Social Media Chaos to Social Business Security
→ Reason # 2: So many ways to profit from a compromised device!
12. From Social Media Chaos to Social Business Security
→ OK. But what are Social Media?
Wikipedia: "A group of Internet-based applications that build on the ideological and technological foundations of Web 2.0, and that allow the creation and exchange of user-generated content".
This is certainly true, but…
Why are they (mostly) free?
Who owns them (really)?
Who controls them (really)?
What do they do with everybody’s social graphs?
And with all the information?
And with all the pictures?
What’s written inside their EULAs ?
Are they filtered?
Are they neutral?
Are they secure?
13. From Social Media Chaos to Social Business Security
→ Social Media are also… weapons
Over the last 3 years Social Media have become "weapons" in all respects, and are now part of the "cyber arsenal" at the disposal of armies, intelligence services, police forces, terrorists, mercenary groups, antagonistic groups and corporations.
Some facts:
- Actively used by Anonymous, S.E.A. (and similar groups)
- Actively used by Governments (Iran, Syria, China, USA etc.) for PsyOps, OSINT, mass surveillance and target acquisition
- Used by the "Arab Spring" rebels as C4ISR¹ and by Special Forces in Libya in support of NATO operations
- Used by Corporations against competitors and hacktivists
¹ Command, Control, Computers, Communications, Intelligence, Surveillance and Reconnaissance
14. From Social Media Chaos to Social Business Security
→ Social Media are also… targets (and SPoF)
Having become a weapon and a battlefield, Social Media inevitably also became a target.
This means that at any time they could be attacked, blocked and made inaccessible or unusable (e.g. by using swarms of "bots", or by simply shutting them down).
In fact it has already happened, because of:
- Riots, insurrections and civil wars
- Cyber attacks of various kinds and purposes
- Sabotage and protest
- State censorship
Social Media platforms cannot (and shouldn't) be trusted, and must not become a single point of failure for your business.
15. From Social Media Chaos to Social Business Security
→ Social Media are also… Cyber Crime Paradise
Today Social Media have become the main hunting ground for trans-national organized cybercrime, which in 2012 reached an estimated "turnover" of $15 billion, an increase of 250% over the previous year.
In 2012, 74 million people were victims of some sort of cybercrime in the U.S. alone (1/3 via Social Media, i.e. 10 victims per second), for $32 B of direct losses. Worldwide, the estimated direct losses in 2012 were over $110 B.
The total cost worldwide (direct losses + costs and time devoted to remedying attacks) in 2012 was estimated at $388 B. That is more than the GDP of Vietnam, Ukraine and Romania added together! If this trend continues, in 2013 these costs will equal half of the Italian GDP (1 trillion USD).
16. From Social Media Chaos to Social Business Security
→ Social Media are also… a risk for their Users
We could give thousands of examples; new ones appear every day.
E.g. taking advantage of the news of Bin Laden's death, tens of thousands of Facebook users were lured into downloading a trojan (not detected by antivirus software) that stole personal data and turned the victims' PCs into "zombies"…
Due to the nature of social media, cyber criminals have the ability to infect millions of systems (PCs or mobile) in a matter of a few hours… for free.
17. From Social Media Chaos to Social Business Security
→ Social Media are also… a risk for Businesses
Social Media are an important source of business risk… even for companies that do not use them! Cyber attacks, fraud, data, IP and money theft, unfair competition, damages to third parties and to the corporate image…
18. From Social Media Chaos to Social Business Security
→ Social Media are a major attack vector (latest Italian example)
120.000 Italian users exposed to Zeus malware for more than 48 hours via Alpitour's hijacked Facebook page
19. From Social Media Chaos to Social Business Security
→ Social Media are a major attack vector (more examples)
Simple (but effective) social engineering attack for identity theft purposes
20. From Social Media Chaos to Social Business Security
→ Social Media are a major attack vector (more examples)
More Social Engineering (in these cases, in order to spread botnet malware / RATs).
21. From Social Media Chaos to Social Business Security
→ Social Media are a major attack vector (more examples)
Phishing via rogue Facebook App
Spear Phishing via LinkedIn
22. From Social Media Chaos to Social Business Security
→ Social Media are a major attack vector (more examples)
Malvertising: paid malicious ads (hint: there's no WhatsApp for PCs…)
23. From Social Media Chaos to Social Business Security
→ Social Media are a major attack vector (more examples)
Stolen Social Media credentials on sale on a (small) Russian cybercriminal forum
24. From Social Media Chaos to Social Business Security
→ Social Media are a major attack vector (more examples)
Number of phishing attacks against Social Media users (August 2013; source: Kaspersky, 2013)
25. From Social Media Chaos to Social Business Security
→ Social Media are a major attack vector (more examples)
PsyOps via Twitter (the "Syrian Electronic Army", a pro-Assad mercenary group, hacked AP's Twitter account and then…)
26. From Social Media Chaos to Social Business Security
→ Social Media are a major attack vector (more examples)
A single, well-crafted fake tweet inflicted a 53B USD loss on the NYSE in 5 minutes. What if…?
27. From Social Media Chaos to Social Business Security
→ The Path From Chaos to Security
Knowledge is power. In such a new and complex context it is necessary to set up a continuous training process for Managers, End users, Decision Makers, LEAs, Marketing staff, HR staff, ICT / Security staff, and so on.
Since incidents are only a matter of time, it is essential to implement a set of processes for Risk Management / BIA, harmonized and coordinated within an overall plan for Social Media Security:
- Definition of specific Policies and Responsibilities
- Continuous Monitoring and Enforcement of the policies
- Cyber Threat Prevention / Cyber Intelligence
- Definition of Early Warning indicators
- Legal protection (proactive and reactive)
- Crisis Management (in real time!)
28. From Social Media Chaos to Social Business Security
→ Thank you!
Andrea Zapparoli Manzoni
a.zmanzoni@idialoghi.com