Considerazioni su ITC Security e sui Cyber Attacks
1. 00
Some considerations
on ICT security
and cyber attacks
Marco R. A. Bozzetti
CEO Malabo Srl
Member of the Board and Comms. Officer of AIPSI, Italian Chapter of ISSA
CCIP, Chamber of Cooperation and Incentive for Partnership
Security, Cybercrime and Fraud
Milan, March 25 th 2014
2. 11
Looking for computer security….
Social networks
Consumerization (BYOD)
personal/home
environment
working
environment
Cloud and
outsourced
services
Cloud and
outsourced
services
Informatics Systems
(Enterprise and PA)
Fixed + mobile
Internet
DCS
VDS, PLC, A/D Conv.
Internet of Things
Domotics
Smart city
The absolute security does not exist and it is increasingly complex to manage
All these aspects impact on the computer systems of banks
3. 22
• ICT security is a key element for ensuring :
- the Business Continuity
» that is a business problem
- compliance with the various standards and
certifications
» very demanding and heavy for banks
• information and ICT resources are an enterprise asset
and as such they should be protected and managed.
The
ICT
security
has
to
be
governed
(ICT
governance)by
the
Board
(top
m
anagers) and
to
be
aligned
with
the
business
needs
Computer security … not only a technical problem
13. 1212
Key Vulnerabilities (non-exhaustive list)
• Threats and attacks are all based on technical and / or human-organizational vulnerabilities
• Technical vulnerabilities (software systems and applications, architectures and configurations):
- Operating systems and middleware
- Web sites and collaborative platforms
- Smartphones and mobility tablettes ++ 14,000 malware
- Virtualized systems
- Outsourcing and Cloud (XaaS)
- Between 30 and 40% of software vulnerabilities has no patches from the development companies
Zero Day vulnerability
• Human Vulnerability : the ICT user's behavior
- Social Engineering and Phishing
- Use of social networks, even at the enterprise level
• Organizational vulnerabilities
- Lack or non-use of organizational procedures and informatics support
- Inadequate or non-use of standards and best practices
- Lack of training and awareness from top managers to end users
- Lack of systematic monitoring and controls of the ICT resources
- Limited or missing Risk analysis
- Not effective control of providers
- Limited or missing SoD, Separation of Duties
17. 1616
Threats and attacks: main trend worldwide (1)
• A personal synthesis by recent reports of CSA, Enisa, Microsoft, IBM XForce,
McAfee, Sophos, TrendMicro, Websense
• Two main directions:
• ++ Massive attacks: relatively simple, such as social engineering-phishing,
virus, etc.
• ++ Targeted attacks: very sophisticated, such as APT, Watering hole, etc.
• ++ Malware
• + New sophisticated
• + revitalization of old ones and/or based on obsolete middleware still “in
production”
• + lock-screen ransomware
• ++ cryptographic ransomware
• +++ new sophisticated for mobile and apps (tablet and smartphone)
• ++ Social engineering
• +++ Digital identity theft
• + Attacks to big data repositories
• ++ DoS/DDoS, Denial of Service/ Distributed DoS
18. 1717
Threats and attacks: main trend worldwide (2)
• ++ DoS/DDoS, Denial of Service/ Distributed DoS
• + exploitation of basic software vulnerabilities and in particular of HTML5 and Java
• ++ attacks to cloud services (XaaS)
- The Notorious Nine Top Threats: data breaches, data loss, account hijacking,
insecure APIs, malicious insiders, abuse of cloud services, insufficient due
diligence, shared technology issues
• + consolidation of new exploit kits, such as Neutrino and Redkit, which will replace the
well-known and popular Blackhole
• ++ Internet of Things‘ attacks
- Smart cities (Expo 2015)
- Domotics
• ++ TA and APT
• + (?) attacks to Bitcoin and virtual coins
- especially with the use of mobile devices
