(ISC)2 Workshop – Geneva, 18-02-2014
“From Social Media Chaos to Social Business Security”

Andrea Zapparoli Manzoni - CEO...
From Social Media Chaos to Social Business Security - Geneva 2014

  1. (ISC)2 Workshop – Geneva, 18-02-2014: “From Social Media Chaos to Social Business Security”. Andrea Zapparoli Manzoni - CEO iDialoghi, Geneva 18-02 2014
  2. → Who am I (in 60 seconds)
     Andrea Zapparoli Manzoni
     • Founder, CEO, iDIALOGHI
     • «Cyberworld» WG Member at OSN/Ce.Mi.S.S.
     • APASS Board Member / Information Warfare lead res.
     • Assintel Board Member / ICT Security WG leader
     • Clusit Board Member / lecturer (SCADA, Social Media Sec, Anti-fraud, DLP…)
     • Co-author of the Clusit Report (2012, 2013 and 2014)
  3. → Who am I (in 30 more seconds)
  4. → Who am I (last 30 seconds, I promise)
  5. → A (necessary) disclaimer
     The views hereby expressed are those of the Author / Speaker and do not reflect the views of CLUSIT, nor those of the WG “Cyber World” at OSN - Italian Ministry of Defense, nor those of the private enterprises and security communities I am working at/with and/or supporting.
  6. → Why are we here?
     • 2012: +150% serious known cyberattacks in the world vs 2011
     • 2012: +800% serious known cyberattacks against / through Social Media platforms
     • Huge growth of evil doers and of offensive capabilities all over the world
     • Everyone is now a target (Citizens, Corporations, Institutions, Gov/Mil)
     • All platforms are now a target (PCs, Mobile, Social, Cloud, SCADA, IoT, PoS…)
     • Traditional defenses are not working anymore
     • Return on Investment (ROI) for attackers is extremely high
     • Costs and Risks for attackers are still extremely low
     • Growing risk of systemic “Black Swans” (HILP)
     • Lack of effective legislation and tools for LEAs
     How do we handle all these issues and mitigate these new threats?
  7. → Cyber Insecurity is the New Norm
     It’s a Jungle Out There
     [Chart: International Serious Cyber Attacks, by half-year from 1H 2011 to 1H 2013. © Clusit - Rapporto 2013 sulla Sicurezza ICT in Italia – June 2013 Update]
     Private Organizations spent USD 20B for “advanced” ICT Security systems in 2012, out of a USD 60B budget for ICT Security spending. Notwithstanding these efforts, Cyber Insecurity is becoming the norm.
     From our analyses, which are in line with those made by other observers (private and institutional), the rate of attacks against Companies and Government bodies in 2012 grew by 154% on average compared to 2011 (which was the worst year on record, until then). The speed of this growth has accelerated in 2013, too. Why?
  8. → Reason # 1: ICT Products Security levels are not what you may think
     !=
     The Fiat was my first car, back in 1987 (it was built in 1968). I was very proud of it and, after all, it worked. But it had NO built-in security whatsoever. No brakes, no seat belts, no ABS, ESP, airbag, headrests, no passive security – nothing. Today’s ICT is like my 1968 Fiat, in terms of built-in security.
     As a consequence, in 2012 this inherent cyber insecurity had a global (direct and indirect) estimated cost of USD 388 billion (that is, Denmark’s GDP).
  9. → Reason # 2: Cybercrime is the “best” investment on the planet
  10. → Reason # 2: So many ways to profit from a compromised device!
  11. → Threats are growing especially on Social Media
      Threats to Online Services, including Social Media and Cloud Services: +800% Y/Y

      | Victims by type                | 2011 | 2012 | Change 2012 vs 2011 |
      |--------------------------------|------|------|---------------------|
      | Gov - Mil - LEAs - Intelligence | 153  | 374  | 244.44%             |
      | Others                         | 97   | 194  | 200.00%             |
      | Entertainment / News           | 76   | 175  | 230.26%             |
      | Online Services / Cloud        | 15   | 136  | 806.67%             |
      | Research - Education           | 26   | 104  | 400.00%             |
      | Banking / Finance              | 17   | 59   | 347.06%             |
      | SW / HW Vendor                 | 27   | 59   | 218.52%             |
      | Telco                          | 11   | 19   | 172.73%             |
      | Gov. Contractors / Cons.       | 18   | 15   | -16.67%             |
      | Security                       | 17   | 14   | -17.65%             |
      | Religion                       | 0    | 14   | 1400.00%            |
      | Health                         | 10   | 11   | 110.00%             |
      | Chemical / Medical             | 2    | 9    | 450.00%             |
      | Critical Infrastructures       | -    | -    | -                   |
      | Automotive                     | -    | -    | -                   |
      | Org / NGO                      | -    | -    | -                   |

      © Clusit - Rapporto 2013 sulla Sicurezza ICT in Italia
  12. → OK. But what are Social Media?
      Wikipedia: “A group of Internet-based applications that build on the ideological and technological foundations of Web 2.0, and that allow the creation and exchange of user-generated content”.
      This is certainly true, but…
      • Why are they (mostly) free?
      • Who owns them (really)?
      • Who controls them (really)?
      • What do they do with everybody’s social graphs?
      • And with all the information?
      • And with all the pictures?
      • What’s written inside their EULAs?
      • Are they filtered?
      • Are they neutral?
      • Are they secure?
  13. → Social Media are also… weapons
      Over the last 3 years Social Media have become “weapons” in all respects, and are now part of the "cyber arsenal" at the disposal of armies, intelligence services, police forces, terrorists, mercenary groups, antagonistic groups and corporations.
      Some facts:
      • Actively used by Anonymous, S.E.A. (and similar groups)
      • Actively used by Governments (Iran, Syria, China, USA etc.) for PsyOps, OSINT, mass surveillance and target acquisition
      • Used by the "Arab Spring" rebels as C4ISR¹ and by Special Forces in Libya in support of NATO operations
      • Used by Corporations against competitors and hacktivists
      ¹ Command, Control, Computers, Communications, Intelligence, Surveillance and Reconnaissance
  14. → Social Media are also… targets (and SPoF)
      Having become a weapon and a battlefield, Social Media inevitably also became a target. This means that at any time they could be attacked, blocked and made inaccessible, or unusable (i.e. by using swarms of “bots”, or by simply shutting them down). In fact it has already happened, because of:
      - Riots, insurrections and civil wars
      - Cyber attacks of various kinds and purposes
      - Sabotage and protest
      - State censorship
      Social Media platforms cannot (and shouldn’t) be trusted.
  15. → Social Media are also… Cyber Crime Paradise
      Today Social Media have become the main hunting ground for trans-national organized cybercrime, which reached an estimated "turnover" of $15 billion in 2012, an increase of 250% over the previous year.
      In 2012, 74 million people were victims of some sort of cybercrime in the U.S. alone (1/3 via Social Media, 10 per second) for $32 B of direct losses. Worldwide, the estimated direct losses in 2012 were over $110 B.
      The total cost worldwide (direct losses + costs & time devoted to remedying attacks) in 2012 was estimated at $388 B. That is more than the GDP of Vietnam, Ukraine and Romania combined! If this trend continues, in 2013 these costs will be equal to half of the Italian GDP ... (1 trillion USD).
  16. → Social Media are also… a risk for their Users
      We could give thousands of examples; every day there are new ones. For example, attackers took advantage of the news of Bin Laden’s death to lure tens of thousands of Facebook users into downloading a trojan (not detected by antivirus software) that stole personal data and turned the victims' PCs into “zombies”…
      Due to the nature of social media, cyber criminals have the ability to infect millions of systems (PCs or mobile) in a matter of a few hours ... For free.
  17. → Social Media are also… a risk for Businesses
      Social Media is an important source of business risk ... even for companies that do not use them! Cyber attacks, fraud, data, IP and money theft, unfair competition, damages to third parties and to the corporate image ...
  18. → Social Media are a major attack vector (latest Italian example)
      120,000 Italian users exposed to Zeus malware for more than 48 hours on Alpitour’s hijacked FB page
  19. → Social Media are a major attack vector (more examples)
      Simple (but effective) social engineering attack for identity theft purposes
  20. → Social Media are a major attack vector (more examples)
      More Social Engineering (in these cases, in order to spread botnet malware / RATs).
  21. → Social Media are a major attack vector (more examples)
      Phishing via rogue Facebook App. Spear Phishing via LinkedIn.
  22. → Social Media are a major attack vector (more examples)
      Mal-advertising: paid malicious ADVs (hint: there’s no WhatsApp for PCs…)
  23. → Social Media are a major attack vector (more examples)
      Social Media stolen credentials on sale on a (small) Russian cybercriminal forum
  24. → Social Media are a major attack vector (more examples)
      Kaspersky 2013: Number of phishing attacks against Social Media users (August 2013)
  25. → Social Media are a major attack vector (more examples)
      PsyOps via Twitter (the “Syrian Electronic Army,” a pro-Assad mercenary group, hacked AP’s Twitter account and then…)
  26. → Social Media are a major attack vector (more examples)
      A single, well crafted fake tweet inflicted a 53B USD loss on the NYSE in 5 minutes. What if…?
  27. → The Path From Chaos to Security
      Knowledge is power. In such a new and complex context it is necessary to set up a continuous training process for Managers, End users, Decision Makers, LEAs, Marketing staff, HR staff, ICT / Security staff, and so on.
      Since incidents are only a matter of time, it is essential to implement a set of processes for Risk Management / BIA, harmonized and coordinated within an overall plan for Social Media Security:
      - Definition of specific Policies and Responsibilities
      - Continuous Monitoring and Enforcement of the policies
      - Cyber Threat Prevention / Cyber Intelligence
      - Definition of Early Warning indicators
      - Legal protection (proactive and reactive)
      - Crisis Management (in real-time!)
  28. → Thank you!
      Andrea Zapparoli Manzoni
      a.zmanzoni@idialoghi.com