Considerations on ICT security and cyber attacks
Post on 19-Oct-2014
Slide 0
Some considerations on ICT security and cyber attacks
Marco R. A. Bozzetti, CEO Malabo Srl
Member of the Board and Comms. Officer of AIPSI, Italian Chapter of ISSA
CCIP, Chamber of Cooperation and Incentive for Partnership
Security, Cybercrime and Fraud, Milan, March 25th 2014
Slide 1
Looking for computer security…
• Social networks
• Consumerization (BYOD)
• Personal/home environment
• Working environment
• Cloud and outsourced services
• Informatics systems (Enterprise and PA)
• Fixed + mobile Internet
• DCS, VDS, PLC, A/D Conv.
• Internet of Things
• Domotics
• Smart city
Absolute security does not exist, and security is increasingly complex to manage.
All these aspects impact the computer systems of banks.
Slide 2
• ICT security is a key element for ensuring:
 - Business Continuity, which is a business problem
 - compliance with the various standards and certifications, which is very demanding and heavy for banks
• Information and ICT resources are an enterprise asset and as such they should be protected and managed. ICT security has to be governed (ICT governance) by the Board (top managers) and has to be aligned with the business needs.
Computer security … not only a technical problem
Slide 3
OAI, Osservatorio Attacchi Informatici in Italia
Report 2013 OAI: 4th edition of the OAI initiative, in collaboration with the Italian Postal Police
(Sponsor, patronage and publisher logos)
Slide 4
OAI 2013: Main ICT attacks 2012 - First half 2013 (multiple answers)
[Bar chart, y-axis: % respondents (0 to 70), series: 2012 and First half 2013; categories: Malware, Social Engineering, ICT devices' theft, DoS/DDoS, Vulnerability exploitation, Data theft by mobile, System unauthorized access, ICT Fraud, Network attack, Sw unauthorized access and/or modification, Data unauthorized access and/or modification, Data theft by fixed device, Physical security attack, Targeted Attack & APT, ICT blackmail, Other]
© OAI 2013
Always the same as the first four places in all editions of OAI (1998-2013)
Slide 5
OAI 2013: Impacts after an attack (% respondents, 2012 / First half 2013)
• 1-10 cases with low impacts: 69% / 65%
• 1-10 cases with high impacts: 5% / 7%
• >10 cases with low impacts: 20% / 21%
• >10 cases with high impacts: 6% / 8%
© OAI 2013
Slide 6
OAI 2013: Industry sectors of the respondents (299), % respondents
• Manufacture Industry: 43%
• Service-Distribution: 24%
• Local Public Administration: 6%
• Health: 6%
• Central Public Administration: 4%
• Telecom-Media: 4%
• Transport-Logistic-Tourism: 4%
• Utility: 3%
• Finance-Bank-Insurance: 2%
• Instruction-R&D: 1%
• Primary Sector: 1%
© OAI 2013
Slide 7
Worldwide attacks status in 2013
Source: IBM X-Force Report 1Q2014
Slide 8
Data breach cost per capita
Source: Ponemon Institute Research Report 2013
Slide 9
Total Online Banking Malware Infections, 2012 and 2013
Source: Trend Micro Labs Report 2013
Slide 10
Malicious and High-Risk Mobile App Growth, 2013
Source: Trend Micro Labs Report 2013
Slide 11
Top Mobile Phishing Targets, 2013
Source: Trend Micro Labs Report 2013
Slide 12
Key Vulnerabilities (non-exhaustive list)
• Threats and attacks are all based on technical and/or human-organizational vulnerabilities
• Technical vulnerabilities (software systems and applications, architectures and configurations):
 - Operating systems and middleware
 - Web sites and collaborative platforms
 - Smartphones and mobile tablets → ++ 14,000 malware
 - Virtualized systems
 - Outsourcing and Cloud (XaaS)
 - Between 30 and 40% of software vulnerabilities have no patches from the development companies → Zero Day vulnerability
• Human vulnerability: the ICT user's behavior
 - Social Engineering and Phishing
 - Use of social networks, even at the enterprise level
• Organizational vulnerabilities
 - Lack or non-use of organizational procedures and informatics support
 - Inadequate or non-use of standards and best practices
 - Lack of training and awareness, from top managers to end users
 - Lack of systematic monitoring and controls of the ICT resources
 - Limited or missing risk analysis
 - Not effective control of providers
 - Limited or missing SoD, Separation of Duties
Slide 13
Application vulnerabilities 2013
Source: IBM X-Force Report 1Q2014
Slide 14
Black market and the cyber criminal ware prices
Slide 15
OAI 2013: Most feared attacks in the next future (% respondents)
• Malware: 49%
• ICT devices' theft: 48%
• Data theft by mobile and fixed device: 43%
• DoS/DDoS: 37%
• Social Engineering: 35%
• Physical sec. attack: 32%
• Vulnerability exploitation: 27%
• Network attack: 25%
• Data unauth. access: 21%
• System unauth. access: 17%
• ICT Fraud: 16%
• TA & APT: 15%
• ICT blackmail: 14%
• Sw unauth. access: 12%
• Other: 1%
© OAI 2013
Slide 16
Threats and attacks: main trend worldwide (1)
• A personal synthesis from recent reports by CSA, Enisa, Microsoft, IBM X-Force, McAfee, Sophos, TrendMicro, Websense
• Two main directions:
 - ++ Massive attacks: relatively simple, such as social engineering-phishing, virus, etc.
 - ++ Targeted attacks: very sophisticated, such as APT, Watering hole, etc.
• ++ Malware
 - + New sophisticated
 - + revitalization of old ones and/or based on obsolete middleware still "in production"
 - + lock-screen ransomware
 - ++ cryptographic ransomware
 - +++ new sophisticated for mobile and apps (tablet and smartphone)
• ++ Social engineering
• +++ Digital identity theft
• + Attacks to big data repositories
• ++ DoS/DDoS, Denial of Service / Distributed DoS
Slide 17
Threats and attacks: main trend worldwide (2)
• ++ DoS/DDoS, Denial of Service / Distributed DoS
• + exploitation of basic software vulnerabilities, in particular of HTML5 and Java
• ++ attacks to cloud services (XaaS)
 - The Notorious Nine Top Threats: data breaches, data loss, account hijacking, insecure APIs, malicious insiders, abuse of cloud services, insufficient due diligence, shared technology issues
• + consolidation of new exploit kits, such as Neutrino and Redkit, which will replace the well-known and popular Blackhole
• ++ Internet of Things attacks
 - Smart cities (Expo 2015)
 - Domotics
• ++ TA and APT
• + (?) attacks to Bitcoin and virtual coins, especially with the use of mobile devices