Tuesday, 25 October 2011

Andrea Zapparoli Manzoni - 2011, InfoSec’s “Annus Horribilis”

The "Voci Amiche" section of Punto 1 starts again hosting contribution from other security experts.

I'm very happy to announce that we are beginning with a good friend of mine and a very capable expert: Andrea Zapparoli Manzoni.

His experience and passion in his work in the field of social media security make him a prominent figure among the Italian security experts.

I agreed with Andrea that his post will be divided into two parts so... stay tuned!!

Andrea, the floor is yours!

Social Business Insecurity: Espionage, Cyberwar and Trans-national Cybercrime

A 2008 report of the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency noted: ‘we began with one central finding: The United States must treat cybersecurity as one of the most important national security challenges it faces’ (CSIS 2008).
Let's admit it: three years later things have not got any better; on the contrary, they have seriously worsened. Without fear of being dubbed scaremongers, we can say that 2011 was a real "annus horribilis" for InfoSec, probably the worst ever, and that, at least until now, both industry self-regulation and law enforcement oversight have almost completely failed in the cyber security space.
The very foundations of e-commerce, home banking and of any other sensitive online activity (including expressing dissent) have been shaken by the recent attacks on the Certification Authority infrastructure (Comodo, DigiNotar and even RSA, in a sense), leaving us wondering whether we should completely rethink the trust model that is one of the cornerstones of the Internet today.
The prevailing compliance-focused security model is showing all its shortcomings too, and has clearly become obsolete when compared to the evolution of threats: not only has widespread cyber-hacktivism fully demonstrated its potential with LulzSec and Anonymous (ask Sony!), but high-tech skills are now available for rent on a global scale to a variety of customers, including nation states, corporations and other interest groups (e.g. criminal cartels and terrorists), changing the security game forever.
We're also witnessing the birth of trans-national cyber mercenary units and the unregulated proliferation of shadowy private contractors (the HBGary scandal being just a glimpse of what is brewing in the cyber-underworld, well beyond the reach of public scrutiny).
The feeling is that the situation is getting out of control, and that all the advantages the new digital domain has brought to our everyday lives are now at risk of being seriously hindered by the enormous growth of cyber threats, both in number and in intensity, if this trend isn't somehow reversed.

Social Business Insecurity 

While Social Business is touted as the new frontier of economic activity, attracting huge investments and creating a lot of expectations, the associated risks are completely underestimated.
The marketing hype surrounding the steep rise of Social Network adoption has masked the reality of a corresponding growth in espionage, cyber crime and cyberwarfare activities performed through them.
The potential consequences of organized cybercrime, cyber-espionage and cyberwarfare activities coupled with Social Media platforms are, as of today, not well understood and mostly ignored.
With an estimated billion logged-in users per day, Social Media are the “place” where everything happens nowadays, almost in real time and without any serious monitoring capability in place. A threat delivered through Social Media can be amplified and spread to a world-wide audience in a few minutes, and it is extremely hard, both economically and technically, to react to it in a timely and organized manner.
Furthermore, it seems that the owners of Social Media platforms have no interest, or at least are not putting enough effort, into making their digital environments less prone to misuse.

Cyber-espionage (especially from the Far East) has reached unprecedented levels of sophistication and is now the world's primary cause of intellectual property theft, becoming more aggressive by the day, while some analysts are already stating that we have just entered a new “Cold Cyberwar” age.
With regard to cyberwar, many developed countries are loudly declaring that they are defining ad-hoc cyberwarfare doctrines and building up both offensive and defensive cyber capabilities, establishing military commands and special hybrid (military and civilian) groups for the purpose. At the same time they are becoming more vulnerable every day to devastating cyber-attacks on their digital infrastructures, caught in a self-fulfilling prophecy.

Meanwhile trans-national cybercrime is growing exponentially (+250% in 2011 compared to 2010), having reached an overall estimated 2011 turnover of 7Bn $ while inducing worldwide direct and indirect losses for 388Bn $ (a 55:1 ratio!), an amount of lost wealth that is bigger than Denmark’s GDP.
By their very nature, Social Media are not only affected by the usual Internet threats (frauds, scams, spam, phishing, whaling, identity theft, malvertising and infections hit tens of millions of users every year), but are also becoming the new tool of choice for OSInt and the infiltration of enemy groups, social engineering and PsyOps, unfair competition, surveillance and target acquisition (as was recently demonstrated in Libya and during the “Arab Spring”). Social Media have now become not only the Arcadia of digital social interactions, but also the equivalent of a world-wide, free C4ISR for any antagonist group, a perfect cyberweapons delivery system and, of course, cybercrime’s preferred playground.
In this scenario it is clear that Social Media platforms themselves have become not only a major infection vector but at the same time a weapon, a battlefield and (therefore) a primary target, which makes them quite a dangerous environment for establishing large scale business operations.
Also, because Social Media Security awareness is completely lacking, not only within the general population but also among law-makers and top managers, laws, policies and safe behaviours are lagging years behind the adoption of the technology, in all environments.
This creates a huge, nearly intractable problem for today's security teams, because of the sheer number of users involved, and because
1) Social Networks (SN) are intrinsically based upon a (mostly false) sense of trust between their members,
2) SN authentication methods are weak to say the least and identity is not verifiable (nor verified),
3) attacks are mostly performed at the semantic level, well above firewalls and antimalware defenses, and
4) mobile devices and the “consumerization” of Enterprise IT (which is spreading also among the military!) are making traditional defenses unworkable.
There are specific countermeasures that we can apply in order to mitigate Social Business related risks, but they require huge investments, a strong commitment, widespread education at all levels, radical organizational and technological changes, and the hard work of many skilled people (not only in the InfoSec field) in order to be effective. We’ll discuss them in the next article, stay tuned.
Andrea Zapparoli Manzoni was born in Milan in 1968.
With a multidisciplinary background in both political science and computer science, he has taken an active interest in ICT security since 1997, with particular reference to GRC (Governance, Risk and Compliance), cybercrime and cyber warfare issues.
Over the years he has worked in the IDM, IAM, DLP, Anti Fraud, Security Intelligence, Forensics, Vulnerability Assessment & Management fields in Enterprise, Industrial, Central PA and Gov-Mil environments.
He writes articles and essays on InfoSec topics and follows very closely all developments in Cybersecurity, working as a trusted advisor with national and international organizations.
He participates in the activities of CLUSIT (Italian Association for Information Security), speaking at conferences, contributing papers (two ROSI patterns about IAM and DLP, seminars about SCADA Security and Social Media Security) and spreading the culture of IT Security in Italy.
In addition to collaborating with numerous Italian and foreign companies, he is the founder and CEO of iDialoghi, a consulting firm specializing in the design and implementation of advanced information security solutions, including the Social Business Security field.
