Some considerations on ICT security and cyber attacks
Marco R. A. Bozzetti
CEO Malabo Srl
Member of the Board and Comms. Officer of AIPSI, Italian Chapter of ISSA
CCIP, Chamber of Cooperation and Incentive for Partnership
Security, Cybercrime and Fraud
Milan, March 25th 2014
Looking for computer security…
(Diagram labels: Social networks; Consumerization (BYOD); personal/home environment; working environment; Cloud and outsourced services; Informatics Systems (Enterprise and PA); Fixed + mobile Internet; DCS, VDS, PLC, A/D Conv.; Internet of Things; Domotics; Smart city)
Absolute security does not exist, and security is increasingly complex to manage.
All these aspects impact the computer systems of banks.
Computer security … not only a technical problem
• ICT security is a key element for ensuring:
- Business Continuity
» which is a business problem
- compliance with the various standards and certifications
» very demanding and heavy for banks
• Information and ICT resources are an enterprise asset and as such they should be protected and managed.
• ICT security has to be governed (ICT governance) by the Board (top managers) and aligned with the business needs.
OAI, Osservatorio Attacchi Informatici in Italia
Report 2013 OAI: 4th edition of the OAI initiative, in collaboration with the Italian Postal Police
(Slide shows the Sponsor, Patronage and Publisher logos)
OAI 2013: Main ICT attacks 2012 - First half 2013 (multiple answers)
(Bar chart, % respondents, 2012 vs. first half 2013; categories: Malware, Social Engineering, ICT devices' theft, DoS/DDoS, Vulnerability exploitation, Data theft by mobile device, System unauthorized access, ICT fraud, Network attack, Sw unauthorized access and/or modification, Data unauthorized access and/or modification, Data theft by fixed device, Physical security attack, Targeted Attack & APT, ICT blackmail, Other)
The first four places are always the same in all editions of OAI (1998-2013).
© OAI 2013
OAI 2013: Impacts after an attack (% respondents)
                               2012   First half 2013
1-10 cases with low impacts     69%        65%
1-10 cases with high impacts     5%         7%
>10 cases with low impacts      20%        21%
>10 cases with high impacts      6%         8%
© OAI 2013
OAI 2013: Industry sectors of the respondents (299) (% respondents)
Manufacturing industry         43%
Service-Distribution           24%
Local Public Administration     6%
Health                          6%
Central Public Administration   4%
Telecom-Media                   4%
Transport-Logistic-Tourism      4%
Utility                         3%
Finance-Bank-Insurance          2%
Instruction-R&D                 1%
Primary Sector                  1%
© OAI 2013
Worldwide attacks status in 2013
Source: IBM X-Force Report 1Q2014
Data breach cost per capita
Source: Ponemon Institute Research Report 2013
Total Online Banking Malware Infections, 2012 and 2013
Source: Trend Micro Labs Report 2013
Malicious and High-Risk Mobile App Growth, 2013
Source: Trend Micro Labs Report 2013
Top Mobile Phishing Targets, 2013
Source: Trend Micro Labs Report 2013
Key Vulnerabilities (non-exhaustive list)
• Threats and attacks are all based on technical and/or human-organizational vulnerabilities
• Technical vulnerabilities (software systems and applications, architectures and configurations):
- Operating systems and middleware
- Web sites and collaborative platforms
- Smartphones and tablets ++ 14,000 malware
- Virtualized systems
- Outsourcing and Cloud (XaaS)
- Between 30 and 40% of software vulnerabilities have no patches from the development companies
» Zero Day vulnerability
• Human vulnerability: the ICT user's behavior
- Social Engineering and Phishing
- Use of social networks, even at the enterprise level
• Organizational vulnerabilities
- Lack or non-use of organizational procedures and informatics support
- Inadequate or non-use of standards and best practices
- Lack of training and awareness, from top managers to end users
- Lack of systematic monitoring and controls of the ICT resources
- Limited or missing risk analysis
- Ineffective control of providers
- Limited or missing SoD, Separation of Duties
Application vulnerabilities 2013
Source: IBM X-Force Report 1Q2014
Black market and the cyber criminal ware prices
OAI 2013: Most feared attacks in the near future (% respondents)
Malware                                   49%
ICT devices' theft                        48%
Data theft by mobile and fixed device     43%
DoS/DDoS                                  37%
Social Engineering                        35%
Physical security attack                  32%
Vulnerability exploitation                27%
Network attack                            25%
Data unauthorized access                  21%
System unauthorized access                17%
ICT fraud                                 16%
TA & APT                                  15%
ICT blackmail                             14%
Sw unauthorized access                    12%
Other                                      1%
© OAI 2013
Threats and attacks: main trend worldwide (1)
• A personal synthesis of recent reports by CSA, Enisa, Microsoft, IBM X-Force, McAfee, Sophos, TrendMicro, Websense
• Two main directions:
- ++ Massive attacks: relatively simple, such as social engineering/phishing, viruses, etc.
- ++ Targeted attacks: very sophisticated, such as APT, watering hole, etc.
• ++ Malware
- + new sophisticated malware
- + revitalization of old malware and/or malware based on obsolete middleware still "in production"
- + lock-screen ransomware
- ++ cryptographic ransomware
- +++ new sophisticated malware for mobile devices and apps (tablet and smartphone)
• ++ Social engineering
• +++ Digital identity theft
• + Attacks on big data repositories
• ++ DoS/DDoS, Denial of Service/Distributed DoS
Threats and attacks: main trend worldwide (2)
• ++ DoS/DDoS, Denial of Service/Distributed DoS
• + Exploitation of basic software vulnerabilities, in particular of HTML5 and Java
• ++ Attacks on cloud services (XaaS)
- The Notorious Nine Top Threats: data breaches, data loss, account hijacking, insecure APIs, malicious insiders, abuse of cloud services, insufficient due diligence, shared technology issues
• + Consolidation of new exploit kits, such as Neutrino and Redkit, which will replace the well-known and popular Blackhole
• ++ Internet of Things attacks
- Smart cities (Expo 2015)
- Domotics
• ++ TA and APT
• + (?) Attacks on Bitcoin and other virtual currencies
- especially with the use of mobile devices
References
marco.bozzetti@malaboadvisoring.it
www.malaboadvisoring.it
