1. 00
Some considerations
on ICT security
and cyber attacks
Marco R. A. Bozzetti
CEO Malabo Srl
Member of the Board and Comms. Officer of AIPSI, Italian Chapter of ISSA
CCIP, Chamber of Cooperation and Incentive for Partnership
Security, Cybercrime and Fraud
Milan, March 25 th 2014

2. 11
Looking for computer security….
Social networks
Consumerization (BYOD)
personal/home
environment
working
environment
Cloud and
outsourced
services
Cloud and
outsourced
services
Informatics Systems
(Enterprise and PA)
Fixed + mobile
Internet
DCS
VDS, PLC, A/D Conv.
Internet of Things
Domotics
Smart city
The absolute security does not exist and it is increasingly complex to manage
All these aspects impact on the computer systems of banks

3. 22
• ICT security is a key element for ensuring :
- the Business Continuity
» that is a business problem
- compliance with the various standards and
certifications
» very demanding and heavy for banks
• information and ICT resources are an enterprise asset
and as such they should be protected and managed.
The
ICT
security
has
to
be
governed
(ICT
governance)by
the
Board
(top
m
anagers) and
to
be
aligned
with
the
business
needs
Computer security … not only a technical problem

4. 33
Sponsor
Patronage
OAI, Osservatorio Attacchi Informatici in Italia
Publisher
Report 2013 OAI : 4° Edition of the OAI initiative in
collaboration with Italian Postal Police

5. 44
OAI 2013: Main ICT attacks 2012- First half 2013
(multiple answers)
0,0
10,0
20,0
30,0
40,0
50,0
60,0
70,0
M
alware
SocialEngineering
ICT
devices'theft
DoS/DD
oS
Vulnerability
exploitation
Data
theftby
m
obile
System
unauthorized
access
ICT
Froud
Netw
ork
attack
Sw
unauthorized
access
and/orm
odification
Data
unauthorized
access
and/orm
odification
Data
theftby
fixed
device
Physicalsecurity
attack
Targeted
Attack
&
APT
ICT
blackm
ailO
ther
%respondents
2012
First half 2013
© OAI 2013
always the same as the first four
places in all editions of OAI (1998-
2013)

6. 55
69%
5%
20%
6%
65%
7%
21%
8%
1-10 cases with low
impacts
1-10 cases with high
impacts
>10 cases with low impacts
>10 cases with high
impacts
%respondents
2012 First half 2013
OAI 2013: Impacts after an attack
© OAI 2013

7. 66
43%
24%
6% 6%
4% 4% 4% 3% 2% 1% 1%
Manufacture
Industry
Service-
Distribution
Local Public
Administration
Health Central Public
Administration
Telecom-
Media
Trasport-
Logistic-
Tourism
Utility Finance-Bank-
Insurance
Instruction-
R&D
Primary Sector
%respondents
OAI 2013: Industry sectors of the respondents (299)
© OAI 2013

8. 77
Worldwide attacks status in 2013
Source: IBM X-Force Report 1Q2014

9. 88
Data breach cost per capita
Source: Ponemon Institute Research Report 2013

10. 99
Total Online Banking Malware Infections , 2012 and 2013
Source: Trend Micro Labs Report 2013

11. 1010
Malicious and High-Risk Mobile App Growth, 2013
Source: Trend Micro Labs Report 2013

12. 1111
Top Mobile Phishing Targets, 2013
Source: Trend Micro Labs Report 2013

13. 1212
Key Vulnerabilities (non-exhaustive list)
• Threats and attacks are all based on technical and / or human-organizational vulnerabilities
• Technical vulnerabilities (software systems and applications, architectures and configurations):
- Operating systems and middleware
- Web sites and collaborative platforms
- Smartphones and mobility tablettes ++ 14,000 malware
- Virtualized systems
- Outsourcing and Cloud (XaaS)
- Between 30 and 40% of software vulnerabilities has no patches from the development companies
Zero Day vulnerability
• Human Vulnerability : the ICT user's behavior
- Social Engineering and Phishing
- Use of social networks, even at the enterprise level
• Organizational vulnerabilities
- Lack or non-use of organizational procedures and informatics support
- Inadequate or non-use of standards and best practices
- Lack of training and awareness from top managers to end users
- Lack of systematic monitoring and controls of the ICT resources
- Limited or missing Risk analysis
- Not effective control of providers
- Limited or missing SoD, Separation of Duties

14. 1313
Application vulnerabilities 2013
Source: IBM X-Force Report 1Q2014

15. 1414
Black market and the cyber criminal ware prices

16. 1515
49% 48%
43%
37%
35%
32%
27%
25%
21%
17% 16% 15% 14%
12%
1%
M
alw
are
IC
T
devices'theft
D
ata
theftby
m
obile
and
fixed
deviceD
oS/D
D
oS
SocialEngineering
Physicalsec.attack
Vulnerability
exploitation
N
etw
ork
attack
D
ata
unauth.access
System
unauth.accessIC
T
FroudTA
&
APT
IC
T
blackm
ail
Sw
unauth.access
O
ther
%respondents
OAI 2013: Most feared attacks in the next future
© OAI 2013

17. 1616
Threats and attacks: main trend worldwide (1)
• A personal synthesis by recent reports of CSA, Enisa, Microsoft, IBM XForce,
McAfee, Sophos, TrendMicro, Websense
• Two main directions:
• ++ Massive attacks: relatively simple, such as social engineering-phishing,
virus, etc.
• ++ Targeted attacks: very sophisticated, such as APT, Watering hole, etc.
• ++ Malware
• + New sophisticated
• + revitalization of old ones and/or based on obsolete middleware still “in
production”
• + lock-screen ransomware
• ++ cryptographic ransomware
• +++ new sophisticated for mobile and apps (tablet and smartphone)
• ++ Social engineering
• +++ Digital identity theft
• + Attacks to big data repositories
• ++ DoS/DDoS, Denial of Service/ Distributed DoS

18. 1717
Threats and attacks: main trend worldwide (2)
• ++ DoS/DDoS, Denial of Service/ Distributed DoS
• + exploitation of basic software vulnerabilities and in particular of HTML5 and Java
• ++ attacks to cloud services (XaaS)
- The Notorious Nine Top Threats: data breaches, data loss, account hijacking,
insecure APIs, malicious insiders, abuse of cloud services, insufficient due
diligence, shared technology issues
• + consolidation of new exploit kits, such as Neutrino and Redkit, which will replace the
well-known and popular Blackhole
• ++ Internet of Things‘ attacks
- Smart cities (Expo 2015)
- Domotics
• ++ TA and APT
• + (?) attacks to Bitcoin and virtual coins
- especially with the use of mobile devices

19. 1818
References
marco.bozzetti@malaboadvisoring.it
www.malaboadvisoring.it