Considerations on ICT Security and Cyber Attacks

Post on 19-Oct-2014


Some considerations on ICT security and cyber attacks

Marco R. A. Bozzetti, CEO Malabo Srl

Member of the Board and Comms. Officer of AIPSI, Italian Chapter of ISSA

CCIP, Chamber of Cooperation and Incentive for Partnership

Security, Cybercrime and Fraud, Milan, March 25th 2014

Looking for computer security…

[Diagram labels: Social networks; Consumerization (BYOD); personal/home environment; working environment; Cloud and outsourced services; Informatics Systems (Enterprise and PA); Fixed + mobile Internet; DCS; VDS, PLC, A/D Conv.; Internet of Things; Domotics; Smart city]

Absolute security does not exist, and it is increasingly complex to manage

All these aspects impact on the computer systems of banks

Computer security … not only a technical problem

• ICT security is a key element for ensuring:
- Business Continuity » that is a business problem
- compliance with the various standards and certifications » very demanding and heavy for banks

• Information and ICT resources are an enterprise asset and as such they should be protected and managed. ICT security has to be governed (ICT governance) by the Board (top managers) and to be aligned with the business needs

OAI, Osservatorio Attacchi Informatici in Italia

Report 2013 OAI: 4th edition of the OAI initiative, in collaboration with the Italian Postal Police

[Sponsor, patronage and publisher logos]

OAI 2013: Main ICT attacks, 2012 - First half 2013 (multiple answers)

[Bar chart, % respondents, axis from 0 to 70, series 2012 and First half 2013. Categories: Malware; Social Engineering; ICT devices' theft; DoS/DDoS; Vulnerability exploitation; Data theft by mobile; System unauthorized access; ICT Fraud; Network attack; Sw unauthorized access and/or modification; Data unauthorized access and/or modification; Data theft by fixed device; Physical security attack; Targeted Attack & APT; ICT blackmail; Other]

© OAI 2013

The first four places are always the same in all editions of OAI (1998-2013)

OAI 2013: Impacts after an attack

[Charts, % respondents, for 2012 and First half 2013. Categories: 1-10 cases with low impacts; 1-10 cases with high impacts; >10 cases with low impacts; >10 cases with high impacts. Values as extracted: 69%, 5%, 20%, 6% and 65%, 7%, 21%, 8%]

© OAI 2013

OAI 2013: Industry sectors of the respondents (299)

[Bar chart, % respondents. Values as extracted: 43%, 24%, 6%, 6%, 4%, 4%, 4%, 3%, 2%, 1%, 1%. Sectors as extracted: Manufacture Industry; Service-Distribution; Local Public Administration; Health; Central Public Administration; Telecom-Media; Transport-Logistic-Tourism; Utility; Finance-Bank-Insurance; Instruction-R&D; Primary Sector]

© OAI 2013

Worldwide attacks status in 2013

Source: IBM X-Force Report 1Q2014

Data breach cost per capita

Source: Ponemon Institute Research Report 2013

Total Online Banking Malware Infections, 2012 and 2013

Source: Trend Micro Labs Report 2013

Malicious and High-Risk Mobile App Growth, 2013

Source: Trend Micro Labs Report 2013

Top Mobile Phishing Targets, 2013

Source: Trend Micro Labs Report 2013

Key Vulnerabilities (non-exhaustive list)

• Threats and attacks are all based on technical and/or human-organizational vulnerabilities

• Technical vulnerabilities (software systems and applications, architectures and configurations):
- Operating systems and middleware
- Web sites and collaborative platforms
- Smartphones and mobility tablets → ++ 14,000 malware
- Virtualized systems
- Outsourcing and Cloud (XaaS)
- Between 30 and 40% of software vulnerabilities have no patches from the development companies → Zero Day vulnerability

• Human vulnerability: the ICT user's behavior
- Social Engineering and Phishing
- Use of social networks, even at the enterprise level

• Organizational vulnerabilities
- Lack or non-use of organizational procedures and informatics support
- Inadequate or non-use of standards and best practices
- Lack of training and awareness, from top managers to end users
- Lack of systematic monitoring and controls of the ICT resources
- Limited or missing Risk analysis
- Ineffective control of providers
- Limited or missing SoD, Separation of Duties

Application vulnerabilities 2013

Source: IBM X-Force Report 1Q2014

Black market and the cyber criminal ware prices

OAI 2013: Most feared attacks in the near future

[Bar chart, % respondents. Values as extracted: 49%, 48%, 43%, 37%, 35%, 32%, 27%, 25%, 21%, 17%, 16%, 15%, 14%, 12%, 1%. Categories as extracted: Malware; ICT devices' theft; Data theft by mobile and fixed device; DoS/DDoS; Social Engineering; Physical sec. attack; Vulnerability exploitation; Network attack; Data unauth. access; System unauth. access; ICT Fraud; TA & APT; ICT blackmail; Sw unauth. access; Other]

© OAI 2013

Threats and attacks: main trends worldwide (1)

• A personal synthesis from recent reports of CSA, Enisa, Microsoft, IBM XForce, McAfee, Sophos, TrendMicro, Websense

• Two main directions:
- ++ Massive attacks: relatively simple, such as social engineering-phishing, virus, etc.
- ++ Targeted attacks: very sophisticated, such as APT, Watering hole, etc.

• ++ Malware
- + new sophisticated malware
- + revitalization of old ones and/or based on obsolete middleware still “in production”
- + lock-screen ransomware
- ++ cryptographic ransomware
- +++ new sophisticated malware for mobile and apps (tablet and smartphone)

• ++ Social engineering

• +++ Digital identity theft

• + Attacks to big data repositories

• ++ DoS/DDoS, Denial of Service/ Distributed DoS

Threats and attacks: main trends worldwide (2)

• ++ DoS/DDoS, Denial of Service/ Distributed DoS

• + exploitation of basic software vulnerabilities and in particular of HTML5 and Java

• ++ attacks on cloud services (XaaS)
- The Notorious Nine Top Threats: data breaches, data loss, account hijacking, insecure APIs, malicious insiders, abuse of cloud services, insufficient due diligence, shared technology issues

• + consolidation of new exploit kits, such as Neutrino and Redkit, which will replace the well-known and popular Blackhole

• ++ Internet of Things attacks
- Smart cities (Expo 2015)
- Domotics

• ++ TA and APT

• + (?) attacks on Bitcoin and virtual coins
- especially with the use of mobile devices

References

marco.bozzetti@malaboadvisoring.it

www.malaboadvisoring.it