Newsletter 2016 May - GCSEC

Events

FIRST Conference
Date: 12-17 June 2016
Location: Seoul
https://www.first.org/conference/2016
The Annual FIRST Conference promotes worldwide coordination and cooperation among Computer Security Incident Response Teams (CSIRTs). You don't have to be a FIRST member in order to attend the conference, which provides a forum for sharing goals, ideas and information on how to improve global computer security. This five-day event includes incident response, management and technical tracks, featured invited and keynote presentations, special interest groups (SIGs) and birds of a feather (BoFs), lightning talks, vendor showcase and exhibits, and networking opportunities. Past participants have included IT managers, system and network administrators, software and hardware vendors, security solutions providers, ISPs, telecommunication providers and general computer and network security personnel.

2nd International Conference on Security of Smart Cities, Industrial Control System and Communications (SSIC 2016)
Date: 18-19 July
Location: Paris
http://www.ssic-conf.org/2016
The conference will provide an international forum for scientists, researchers, professionals, industry practitioners, policy makers, and users to exchange ideas, techniques and tools, and share experience related to all practical and theoretical aspects of communications and network security. SSIC'2016 will take place on July 18-19, 2016, in Paris, France. The SSIC'2016 conference is technically co-sponsored by IEEE. All accepted papers will be published in IEEE Xplore and indexed by Ei Compendex. SSIC 2016 seeks original high-quality technical papers from academia, government, and industry. Topics of interest encompass not only all practical and theoretical aspects of communications and network security, but also security mechanisms put into some critical applications.

APPSEC Europe
Date: 27 June – 1 July, 2016
Location: Rome
http://2016.appsec.eu
OWASP AppSec conference brings together industry, government, security researchers, and

Editorial

EU2016 Cyber Security Meeting pills

I had the pleasure of being invited to the Cyber Security Meeting, organized by the Netherlands Presidency of the Council of the European Union. For two days in a sunny Amsterdam, we interactively discussed critical infrastructure security, vulnerability disclosure and, in general, how to deal with the increasing IT complexity in products and services. One important topic was Public-Private cooperation; I strongly believe in the added value of this partnership and knowledge exchange in the field of cyber security for all industry sectors. IT systems are so interdependent that cooperation has become a need, and GCSEC, from the beginning, has focused its activities in this direction, participating in working groups and EU projects. People need to understand Cyber Security, the Internet of Things and the associated risks better. For this reason, I appreciate that the social debate is starting in the EU to help citizens understand what is happening, what the risks are and what they can do against them. It is a social debate that will also involve GCSEC, with awareness projects during this year. Public-Private cooperation is relevant, as is cooperation at EU level. When it comes to Cyber Security we cannot compete one against the other. We have to face big threats posed by malignant parties and we cannot win this fight alone. We need to work together. Information and best practices about threat management should be shared with all the stakeholders, and this requires the adoption of a common framework. We need collaboration between companies and a coherent European policy. Harmonizing laws and regulations on cyber security and privacy will be a step forward for the EU and will contribute to boosting the European economy.

Management responsibility was another meeting keyword, and I'm expecting that Members of Boards of Directors will include cyber security among their targets. The Board of Directors itself must be aware of cyber security issues and the map of the risks, and ensure that these are managed properly. We also discussed the meaning of critical infrastructure; we have to bear in mind that by 2020 the number of connected devices will rise to 25 billion and the amount of data produced will reach 35 Zettabytes. It means that more analogue devices will become digital and begin to communicate through the cyberspace. What will be critical in the next years? May we consider the car as a critical infrastructure? We are going to have all the cars connected soon; today most of the cars are connected and soon they could be a critical infrastructure. Maybe we are going to talk about infrastructure and how to maintain security over it. We need to talk about Security for Everybody and for Everything, as Neelie Kroes (StartupDelta NL) explained, and I share the same vision. Responsible disclosure was one of the topics discussed by Cris Van't Hof (Internet Researcher). The Netherlands is a leader on this subject and likes to resolve conflicts through a process of general consultation. Hackers who discover a flaw are not necessarily cybercriminals but are often people who want to help to improve cyber security. The responsible disclosure manifesto signed here is moving a step forward in this direction. GCSEC is working on many of these topics and we believe that a lack of security in the digital domain will affect our economy and prosperity because it concerns everybody. In particular for this reason, we are promoting projects and awareness in this domain and we will support the creation of a common responsibility to create a true cyber security culture.

Nicola Sotira
General Manager GCSEC



In this number

How to Get More Out of Your Cyber Threat Intelligence, by Scott Simkin, Palo Alto Networks
Is information sharing a priority?, by Massimo Cappelli, GCSEC
The present and future of application security, by F5 Networks HQ Seattle
A Phishing Awareness Campaign: approach and measurable outcomes, by Mattia Cafiero, Leonardo Cont, Chiara Noto, Lutech Group
A good governance of security to revive the economy: interview with Nobel Prize in Economic Sciences Amartya Sen, by Massimiliano Cannata, Reporter

The idea that cyber threat intelligence should be kept private or sold as a branded, exclusive service is wildly outdated in the age of advanced persistent threats. When vendors and individuals attempt to keep threat intelligence private, they limit the ability of the entire group to identify and mitigate new threats as they are developed and launched against organizations.

The days when IPS signatures and host-based anti-malware products were enough to secure your network are long gone. Sophisticated adversaries are constantly deploying new methods of evading detection. Whether this is in the form of new exploits, rapidly changing malware, or new attack vectors, it is clear that successful data breaches continue to escalate. The velocity of attacks also continues to increase, meaning the quicker your security solutions gain access to relevant intelligence, the safer you become. Specifically, your cybersecurity solutions must be able to turn indicator sets on campaigns and adversary groups into new prevention mechanisms to stop attacks. This is an important distinction: malware is so easily changed that simply adding new signatures that look for a specific file is not nearly enough. In contrast, Indicators of Compromise (IOCs), such as the IP address of an attacker's command-and-control communication infrastructure, are common across entire campaigns or attack groups.

Being Aware of Threats Has Limited Value if it Cannot be Applied to Prevent Threats

Thanks to how connected the Internet has made us all, stolen user credentials and easy-to-obtain automated tools for conducting cyber attacks are available to anyone with a Bitcoin account. This has led to a rise in the number of network breaches and their financial impact. In 2015, the Ponemon Institute reported an 82 percent increase in the cost of cyberattacks over the last six years. In light of this, organizations are looking to increase their knowledge base of threat intelligence data to better equip their security teams with the latest information on new and existing attack methods and how to stop them. Many organizations, in order to ensure they are getting as much intel as possible, subscribe to multiple threat intelligence feeds and spend hundreds of thousands of dollars every year on subscription fees.

But in the rush to sign up for the latest and greatest threat subscription, most organizations probably don't have a good plan for ensuring the information from their multiple feeds can be turned into new protections within their security devices. If all that "data in" can't be made actionable for security teams that already have limited time and resources, the ROI for their subscription payments may be extremely low. Additionally, multiple subscriptions mean multiple daily threat updates, many of which may be redundant, which can lead to wasted time as security teams try to consolidate

practitioners to discuss the state of the art in application security. The conference represents the largest of AppSec's efforts to advance our mission of spreading security knowledge. The five-day conference includes technical talks by security experts, panels to debate tough topics, training sessions in top security areas, keynotes from industry leaders and vendor booths to promote the latest advances in security technology.

News

From the Netherlands Presidency of the EU Council: Coordinated vulnerability disclosure Manifesto signed
https://www.enisa.europa.eu/news/member-states/from-the-netherlands-presidency-of-the-eu-council-coordinated-vulnerability-disclosure-manifesto-signed
Approximately 30 organisations have signed the Coordinated Vulnerability Disclosure Manifesto, in which they declare that they support the principle of having a point of contact to which IT vulnerabilities can be reported, and that they already have this set up in their own organisations or plan to do so soon. By signing the manifesto, the participating organisations acknowledge the importance of the efforts of the research and white-hat communities to make the internet and our society safer.

Facebook Open Sources its Capture the Flag (CTF) Platform
http://thehackernews.com/2016/05/facebook-capture-the-flag-ctf.html
Facebook just open-sourced its Capture The Flag (CTF) platform to encourage students as well as developers to learn about cyber security and secure coding practice. A CTF competition hosts a series of security challenges, where participants have to hack into defined targets and then defend them from other skilled hackers. The CTF program is an effective way of identifying young people with exceptional computer skills, as well as teaching beginners about common and advanced exploitation techniques to ensure they develop secure programs that cannot be easily compromised.

New Attack Reported by Swift Global Bank Network
https://www.theguardian.com/technology/2016/may/13/second-bank-hit-by-sophisticated-malware-attack-says-swift
Swift, the global financial messaging network that banks use to move billions of dollars every day, warned on Thursday of a second malware attack similar to the one that led to February's $81 million cyberheist at the Bangladesh central bank. The second case targeted a commercial bank, Swift spokeswoman Natasha de Teran said, without naming it. In both cases Swift said insiders or cyber attackers had succeeded in penetrating the targeted banks' systems, obtaining user credentials and submitting fraudulent Swift messages that correspond with transfers of money. In the second case Swift said attackers had also used a kind of malware called a "Trojan PDF reader" to manipulate PDF reports confirming the messages in order to hide their tracks.

“How to Get More Out of Your Cyber Threat Intelligence” by Scott Simkin, Palo Alto Networks




the information received from multiple sources into their existing security architecture. In an effort to be thorough and to limit their liability, most threat intelligence feeds tend to report each new cyberthreat as a serious security risk, which is simply not the case. In some highly publicized examples, that reporting has been the difference between a successful breach and the prevention of a breach, because security teams did not know which cyber threat flags to prioritize. The reality: the vast majority of threats are known attacks. When all threats are classified as serious, security teams have little context to work from as they try to analyze inbound threats and triage them in order of risk potential. Further complicating the situation is the fact that, with some slight changes to the malware, cyberattackers can make existing threats appear to be "new," when in reality they are from the same malware family. For traditional feeds, even the slightest change would result in another alert, even though only the filename, hash, or some other easily changed variable has shifted. Organizations using threat subscriptions should ask the following questions:

1. If using multiple threat subscriptions, does my security team know how much redundancy exists between them?

2. Is it easy to integrate the intelligence received from my subscriptions into my existing security infrastructure? Can the security team evaluate inbound threat intelligence and convert it into an actual security policy quickly and without the need for manual configuration?

3. Do my threat subscriptions provide enough information to put the severity of each threat in the proper context?

4. Does my threat subscription track cyber threats specifically targeting my industry?

If you answered "No" to any of the above, you should conduct a thorough audit of your threat intelligence subscriptions. Organizations should also find out how they can automate the application of threat intelligence to their security architecture. Doing so would allow most threats to be resolved in real time and without the need for slower, more costly human intervention. Adding threat intelligence to your security posture is a strong solution for keeping a network protected against new and existing cyberthreats, but only if an organization takes the necessary steps to quickly and easily apply that intelligence to actual security policy.

The power of shared intelligence As a security leader, what if your vendor told you they could only stop 10 percent of all possible attacks? Would you be satisfied with that response? Now consider the value security vendors could provide to the security community if they shared threat intelligence in a free and open manner. Here’s another way to think about it: Attackers do not care which product you have protecting your network. Your security posture should not be limited by this. Fortunately, in 2016 more security vendors, even those that are direct competitors in a cutthroat market, are joining the industry-wide trend toward intelligence sharing. The Cyber Threat Alliance, of which Palo Alto Networks, Fortinet, Intel Security and Symantec are founding members, is one group of security vendors that have banded together in good faith to share threat intelligence on advanced attacks – including on attackers and their motivations – such that we might leverage a fuller body of intelligence to better protect our customers and inform the business community. I encourage you to learn more about the CTA and consider other ways to share intelligence with your peers.

New text of European Regulations on Data protection
http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=IT
The new text of the European Regulations on Data protection has been published in the Official Journal of the European Union. This is the final step for the entry into force of the new "Data Protection Package", the normative set that defines a common framework for the protection of personal data for all EU Member States. The Regulation shall enter into force on the twentieth day following that of its publication.

European Central Bank creates cyber attack real-time alert system
http://www.ft.com/intl/cms/s/0/5113afae-1833-11e6-bb7d-ee563a5a1cc1.html - axzz48X64Ufqj
Eurozone banks will be obliged to inform regulators of "significant" cyber attacks, under a pioneering real-time alert service by the European Central Bank to tackle the growing threat of digital theft. ECB officials told the Financial Times they have been collecting data on significant cyber incidents at 18 of the eurozone's biggest banks since February. While the project is in a pilot phase, the cyber database is due to be rolled out to the 130 banks the ECB regulates next year.

Cyber attacks on Islamic State use tools others also have: U.S. defense chief
http://www.reuters.com/article/us-cyber-defense-isis-idUSKCN0Y302F
Cyber attack techniques used by the U.S.-led coalition against Islamic State could also be used by other countries, U.S. Defense Secretary Ashton Carter said. Speaking in California, Carter told reporters that the U.S.-led coalition used electronic techniques to disrupt and degrade the jihadist force's ability to organize and said an unspecified number of other countries could do the same in other conflicts. "These are not capabilities that only we have," Carter said at a news conference at the Santa Clara headquarters of Intel Corp's security wing. "That is why good, strong cyber defenses are essential for us."


Information sharing is a continuous dilemma for the private and public sectors. In the last few years, a lot of words have been spent on the importance of exchanging information to strengthen the protection of digital services. Being "an isle" in cyber security is not a wise approach. Even if organizations are working on it, signing Memoranda of Understanding (often "writ in water", to cite the words engraved on Keats' tombstone) or signing contracts with intelligence service providers to receive insights on threats and vulnerabilities, it seems that something is still not working as we expect. The report "Information sharing and common taxonomies between CSIRTs and Law Enforcement" [1], published by ENISA in December 2015, is clear evidence that in 2016 international organizations are still debating the right taxonomy to use and the potential methodology of sharing.

If we take a general example of the intelligence cycle, information sharing could be considered the 5th step, the last one. The taxonomy used to classify information could probably be considered part of the 3rd and 4th steps. The relevant side of the continuous dilemma is when and how to share the information. The exchange is currently performed during the 2nd phase or at most the 4th phase. Information/IT security departments receive a large amount of analysis, data and reports that are not operationally effective: they need to be properly understood and processed. From a cyber perspective, this time lag could prolong incident response activity, while a SOC or CSIRT monitoring network activities should have something immediately useful to detect a potential APT inside its network. Information Security Managers and IT Security Managers often focus on the container and not on the content when they arrange Information Sharing Agreements. A typical example is represented by Critical Infrastructure Owners.

They have agreements with Law Enforcement Agencies, National Security Agencies, National CERTs, Information Sharing and Analysis Centres, International Working Groups, other Critical Infrastructure Owners, suppliers, clients and so on. All the stakeholders sign MoUs or Agreements that are not always transformed into tactical actions. The most common reference for the information exchange is the Traffic Light Protocol model, but this is also a feature ascribable to the container and not so much to the content. The complexity of the Information Sharing system is also augmented by internal segregation between Information Security Departments, which maintain contacts with external institutions, and SOC operators, usually within IT Security Departments and often acquired as a service from an external supplier (another critical factor, but out of the scope of this article). All the parties involved have different backgrounds, different competencies and different capabilities but, we hope, a common goal: to protect their company. GCSEC considers it vital to promote a common language to classify and share information between stakeholders. The starting point will be analyzing and sharing Cyber Threat Intelligence. In fact, while attackers reuse attacks (tactics, techniques and procedures, TTPs), defenders collect and share information through manual processes, with different levels of detail, context and terms, and in ways comprehensible only inside some working groups. GCSEC doesn't intend to re-invent the wheel. The idea is not to start with a working group to create a standard or to debate which one to adopt. Thanks also to the partnership already in place with some information security experts, GCSEC is starting a path to involve companies in considering the adoption of two standards: STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated Exchange of Indicator Information). STIX is a language for modeling and representing cyber threat intelligence.

It is structured as a language for automation, designed for sharing and analysis, with an active community of developers and analysts. TAXII is a protocol for exchanging cyber threat intelligence that supports a wide variety of sharing models, including automated machine-to-machine sharing over HTTP. They are international standards, developed by DHS and MITRE in collaboration with the US Government, the financial sector, the critical infrastructure sector and international industry and government, and are already in place in information exchange platforms and tools (http://stixproject.github.io/supporters/). GCSEC will not develop a tool on them but will start a series of initiatives, putting together security analysts and SOC operators, to make them aware of and train them on these two international standards.
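As an added example (not GCSEC's code, and using the JSON form of STIX 2.1, the current revision, rather than the XML-based STIX 1.x in use when this was written), the Python script below parses a constructed STIX bundle from two feeds, runs its atomic indicators over constructed proxy-log lines, and measures how much the two feeds overlap, which is question 1 of the threat-intelligence article earlier in this issue. It also shows that article's point that a command-and-control address indicator keeps matching after the malware is repacked, while a file-hash indicator does not. All identifiers, addresses and hashes are constructed test values.

```python
import json
import re
from collections import defaultdict

# Constructed STIX 2.1 bundle (test values only): two feeds report the same
# campaign. Both know the C2 address; each reports a different sample hash
# because the malware was repacked between the two samples.
FEED_A = "identity--00000000-0000-4000-8000-00000000000a"
FEED_B = "identity--00000000-0000-4000-8000-00000000000b"
HASH_1 = "a" * 64   # constructed SHA-256 of the first sample
HASH_2 = "b" * 64   # constructed SHA-256 of the repacked sample
TS = "2016-05-01T00:00:00.000Z"


def _identity(uid, name):
    return {"type": "identity", "spec_version": "2.1", "id": uid, "created": TS,
            "modified": TS, "name": name, "identity_class": "organization"}


def _indicator(suffix, feed, name, pattern):
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--00000000-0000-4000-8000-0000000000{suffix}",
            "created_by_ref": feed, "created": TS, "modified": TS, "name": name,
            "indicator_types": ["malicious-activity"], "pattern": pattern,
            "pattern_type": "stix", "valid_from": TS}


STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _identity(FEED_A, "Feed A"),
        _identity(FEED_B, "Feed B"),
        _indicator("a1", FEED_A, "Feed A: campaign C2", "[ipv4-addr:value = '203.0.113.45']"),
        _indicator("a2", FEED_A, "Feed A: sample 1", f"[file:hashes.'SHA-256' = '{HASH_1}']"),
        _indicator("b1", FEED_B, "Feed B: campaign C2", "[ipv4-addr:value = '203.0.113.45']"),
        _indicator("b2", FEED_B, "Feed B: sample 2", f"[file:hashes.'SHA-256' = '{HASH_2}']"),
    ],
})

# Only the simplest STIX pattern form is handled: one comparison expression,
# [object-type:property = 'value']. Compound patterns are skipped, not guessed.
PATTERN_RE = re.compile(r"^\[(?P<path>[\w-]+:[\w.'-]+)\s*=\s*'(?P<value>[^']+)'\]$")

# Constructed proxy-log lines: dst is the server contacted, sha256 the file
# fetched ("-" when no file was downloaded).
LOG_LINES = [
    "2016-05-12T10:00:01Z src=10.0.0.7 dst=203.0.113.45 sha256=" + HASH_2,
    "2016-05-12T10:00:02Z src=10.0.0.8 dst=198.51.100.20 sha256=-",
    "2016-05-12T10:00:03Z src=10.0.0.9 dst=203.0.113.45 sha256=" + "c" * 64,
]
LOG_RE = re.compile(r"dst=(?P<dst>[\d.]+) sha256=(?P<sha>[0-9a-f]{64}|-)", re.I)

# Which log field carries the observable named by each STIX object path.
PATH_TO_FIELD = {"ipv4-addr:value": "dst", "file:hashes.'SHA-256'": "sha"}


def parse_indicators(bundle_json):
    """Return [(indicator_id, feed_id, path, value)] for atomic STIX indicators."""
    out = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if m:
            out.append((obj["id"], obj.get("created_by_ref"), m["path"], m["value"].lower()))
    return out


def match_logs(indicators, lines):
    """Return {line_index: sorted list of indicator ids that matched the line}."""
    hits = defaultdict(set)
    for i, line in enumerate(lines):
        m = LOG_RE.search(line)
        if not m:
            continue
        fields = {k: v.lower() for k, v in m.groupdict().items()}
        for ind_id, _feed, path, value in indicators:
            field = PATH_TO_FIELD.get(path)
            if field and fields.get(field) == value:
                hits[i].add(ind_id)
    return {i: sorted(ids) for i, ids in hits.items()}


def feed_redundancy(indicators):
    """Fraction of distinct (path, value) pairs reported by more than one feed:
    a measure for question 1 of the threat-intelligence article."""
    feeds_by_value = defaultdict(set)
    for _ind_id, feed, path, value in indicators:
        feeds_by_value[(path, value)].add(feed)
    if not feeds_by_value:
        return 0.0
    shared = sum(1 for feeds in feeds_by_value.values() if len(feeds) > 1)
    return shared / len(feeds_by_value)


if __name__ == "__main__":
    inds = parse_indicators(STIX_BUNDLE)
    print(f"redundancy between feeds: {feed_redundancy(inds):.2f}")
    # Line 0 fires on the C2 address and on feed B's hash; line 2 carries an
    # unknown sample but still fires on the C2 address. Feed A's hash never fires.
    for i, ids in sorted(match_logs(inds, LOG_LINES).items()):
        print(LOG_LINES[i], "->", ids)
```

A TAXII client would fetch such bundles from a collection over HTTP; the matching and overlap logic stays the same once the bundle is in hand.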

In conclusion: is information sharing a priority? The answer is yes, but it is not the most relevant one. The first priority is to build a common layer of knowledge between operators in order to speak a common, effective language. Stay tuned.

[1] https://www.enisa.europa.eu/publications/information-sharing-and-common-taxonomies-between-csirts-and-law-enforcement

Is information sharing a priority? by Massimo Cappelli, GCSEC


In today's application-centric world, there's truly an app for everything. Organizations offer applications with data access to employees and consumers to drive greater productivity, meet business demands, and ultimately achieve a competitive advantage. But as organizations deliver more and more sensitive data through applications, they're also introducing ever-increasing risk. That's because today's users are everywhere, frequently outside the corporate network, and the apps they rely on can be anywhere, from private data centers to the public cloud. The result is less visibility and control for the organization. It's no surprise that cybercriminals are taking advantage of this exposure by targeting these applications, which exist largely outside the sphere of traditional security protections like firewalls, antivirus software, and TLS/SSL encryption.

Whether it’s a volumetric denial-of-service (DoS) attack, browser-based malware, or an advanced persistent threat, today’s application attacks are really gambits to obtain or compromise corporate data. As more and more data is encrypted traffic, the majority of today’s security tools are running blind, unable to decrypt that data to ensure it’s not malicious. Traditionally, the approach to application security has been focused on the software development lifecycle (SDLC), trying to ensure developers are following best practices for secure coding. While secure code is still a core piece of the overall security puzzle, it’s not the whole picture. The old security perimeter continues to dissolve as more endpoints and networks fall outside of conventional enterprise network footprints, while the risks to applications and sensitive corporate data continue to evolve. Security measures must be enhanced to ensure apps are secured everywhere. The vast majority of attacks today target the application level—but enterprises are not making corresponding security investments at that level. It’s time for organizations to come to terms with a new reality: Security needs to be more focused at the app level.

Looking at application security from this risk-based perspective enables organizations to focus on component failures and helps provide the most robust security for the data that's the ultimate target of most attacks.

By analyzing all the components that make up an application, organizations can develop a strategy that delivers the strongest, most appropriate security to the app as a whole, because compromising one component of an app or the network delivering it (whether a code vulnerability, network availability, or DNS) endangers the entire application, as well as the data it houses. It's vital for organizations to deploy the strongest possible set of application security controls to reduce the risk of sensitive data being compromised by an application-level attack. Key components of a proactive, defense-in-depth security posture for the application perimeter include application security testing, firewall services, access controls, and specific protection against various types of threats. Organizations must ensure that new websites and software are coded securely, but they must also address the countless vulnerabilities already present in existing websites that were built without a secure software development lifecycle. Software security is still a cornerstone of an overall application protection strategy. It's important to remember that finding and fixing vulnerabilities isn't an academic exercise; it's all about keeping a sentient attacker out of enterprise systems and away from the data those systems protect. But without a clear picture of the adversaries and their tactics, security professionals will have a difficult time developing effective strategies to defeat them. Going forward, it will be imperative that more people working in the security community better understand software, and software security. Vulnerability scanners help identify and mitigate software issues, whether they are found before or after new websites and web applications go live online.

Organizations can obtain the best protection, however, by integrating a robust vulnerability scanner with a full-proxy web application firewall. Today, a robust and agile web application firewall isn’t a luxury; it’s a necessity. The growth of cloud-hosted web applications has been accompanied by increasingly sophisticated security attacks and risks that threaten enterprise data. A hybrid web application firewall can help enterprises defend themselves against OWASP Top 10 threats, application vulnerabilities, and zero-day attacks—no matter where applications are located. Strong layer 7 distributed denial-of-service (DDoS) defenses, detection and mitigation techniques, virtual patching, and granular attack visibility can thwart even the most sophisticated threats before they reach network servers.

“The Present and Future of Application Protection” by F5 Networks HQ Seattle


In addition, having the ability to detect and block attackers before they access an enterprise data center provides a major advantage. A powerful web application firewall that can stop malicious activity at the earliest stage of a potential attack allows organizations to significantly reduce risk as well as increase data center efficiency by eliminating the resources spent processing unwanted traffic. Enterprises should look for a web application firewall that:

• Provides a proactive defense against automated attack networks

• Integrates with leading dynamic application security testing (DAST) scanners for immediate patching of vulnerabilities.

• Identifies suspicious events by correlating malicious activity with violations.

• Delivers easy-to-read reports to help streamline compliance with key regulatory standards such as the Payment Card Industry Data Security Standard (PCI DSS), HIPAA, and Sarbanes-Oxley.

Today, SSL is everywhere. Analysts predict that encrypted traffic will jump to nearly 64 percent of all North American online traffic in 2016, up from just 29 percent in 2015 [2]. Organizations are scrambling to encrypt the majority of traffic, including everything from email and social media to streaming video. The level of security provided by SSL is enticing, but at the same time it has become a vulnerability vector, as attackers use SSL to hide malware from security devices that cannot see encrypted traffic.

Enterprise security solutions must gain visibility into this encrypted traffic to ensure that it is not bringing malware into the network. One way to battle these encrypted threats is to deploy an SSL “air gap” solution, which consists of placing an Application Delivery Controller (ADC) on either side of the visibility chain.

The ADC closest to the users decrypts outbound traffic and sends the decrypted communications through the security devices. These devices, which can now see the content, apply policies and controls, detecting and neutralizing malware. At the other end of the chain, another ADC re-encrypts the traffic as it leaves the data center. This solution provides the flexibility of keeping security devices inline while ensuring that they can do the job they were built for.

Most apps are Internet based, so a volumetric DDoS attack can cripple—or even take down—an application. DDoS attacks are increasing in scale and complexity, threatening to overwhelm the internal resources of enterprises around the world. These attacks combine high-volume traffic clogging with stealthy, application-targeted techniques—all with the intent of disrupting service for legitimate users.

Organizations must ensure they have a robust DDoS protection strategy in place to ensure the availability of their critical applications. Consider solutions that offer comprehensive, multi-layered L3 through L7 protection and can stop DDoS attacks in the cloud before they reach the network and the data center.

While not a part of the traditional, secure-coding view of application security, an enterprise’s DNS strategy plays a huge role in the security and availability of its applications. DNS is the backbone of the Internet, as well as one of the most vulnerable points in an organization’s network. Organizations must protect against an ever-growing variety of DNS attacks, including DNS amplification, query floods, dictionary attacks, and DNS poisoning. An enterprise can ensure that customers and employees can access critical web, application, and database services whenever they need them with a solution that intelligently manages global traffic, mitigates complex threats by blocking access to malicious IP domains, and integrates seamlessly with third-party vendors for implementation, centralized management, and secure handling of DNSSEC keys. Some solutions deliver high-performance DNS, which can scale quickly to better absorb DDoS attacks.

Fifty years ago, if you wanted to rob a bank, you had to actually go to the bank. Now, you can rob a bank from 5,000 miles away. The global nature of the Internet means that everything is equidistant to the adversary, and financial institutions are some of the highest-value targets on the Internet. To effectively combat the perils of fraud, organizations that offer financial services over the Internet must defend their businesses with a combination of security technologies. Consider a solution that helps protect against a full range of fraud threat vectors, preventing attackers from spoofing, disabling, or otherwise bypassing security checks. Organizations can thereby reduce the risk of financial and intellectual property loss—and feel secure with proactive protection against emerging web threats and fraud.

Some of the most recent and damaging security breaches have been due to compromised user and administrator credentials. These breaches might have been thwarted by authenticating and authorizing the right people to the right information and ensuring secure connectivity to applications with single sign-on and multi-factor authentication technologies. Furthermore, identity and access controls centralized by the enterprise can provide secure authentication between the enterprise network and applications based in the cloud or delivered as Software as a Service (SaaS).

Application protection is fraught with complexity, and with the exponential growth of the Internet of Things and the applications that go along with it, the issues are only growing. In 2010, there were 200 million web apps; today, there are nearly a billion [3]. In 2020, that could easily be five billion. All those applications are vulnerability vectors—and many of them contain critical data that could be the target of attackers. By enhancing existing security portfolios with solutions and services focused on the application level, organizations can better protect the applications that can expose their sensitive data. Ensuring that applications are protected no matter where they reside is critical—and the stakes are high. It’s time to broaden the view of application security so that organizations are in a better position to effectively secure all the components that make up their critical apps, safeguard their data, and protect their businesses.

[2] Sandvine, Global Internet Phenomena Spotlight: Internet Traffic Encryption, 2015

[3] Internet Live Stats


Public and private organizations are increasingly the victims of external attacks on their systems and are continually exposed to the risk of losing sensitive business information. Attacks that aim to steal data and sensitive information take advantage of the "human factor", so organizations need to adopt technologies to detect and combat cyber attacks; it is also necessary to transfer a culture of information security to their people through awareness activities and initiatives. Security systems alone are not enough to protect information if people do not adopt appropriate, security-conscious behaviour. Today phishing is still the main vector of cyber attacks and data breaches (information theft). Phishing is a "social engineering" attack that exploits the "naivete" of users, who are deceived and tricked into providing personal information and access codes to the attacker (the "phisher") or into installing malicious software. In particular, phishing is used to:

• steal personal information and user authentication credentials that give access to confidential data;

• spread malware by getting the victim to open documents containing macros or scripts that download the malicious code, which is then installed on the workstation.

The 2016 edition of the Verizon "Data Breach Investigations Report" [4] emphasized the growth of phishing in the last year as one of the techniques most used by cyber criminals to carry out the theft of sensitive data. 30% of phishing messages were opened by users (an increase over the 23% reported in 2015), and 12% of these went on to click the malicious attachment or link, allowing malware to infiltrate and giving cyber criminals access. The report also showed that during 2015 the tendency to use phishing to spread persistent malware was growing.

From the Verizon 2016 report, we learn that the most common attacks are made up of "three steps". The first step is to send a phishing email containing a link to a malicious website or an attachment containing malware. The second step is to download and install malware on the user's PC, which will be used to locate secret documents, steal sensitive information or encrypt files for extortion. The third step is the use of any stolen user credentials for future attacks, such as accessing e-banking or e-commerce sites. The Clusit 2016 Report on ICT Security in Italy [5] highlighted that the ransomware phenomenon was the most discussed attack modality in the course of 2015. Ransomware belongs to a malware family that encrypts the end user's documents and demands a ransom, usually payable through bitcoins, to decrypt them.

During 2015 the Phishlabs organization identified 893 brands from 593 companies that were targeted by consumer-focused phishing attacks. These figures represent an increase from 2014, when phishing attacks targeted 842 different brands from 564 companies. The next picture shows that the industrial and commercial sectors were the most susceptible to phishing campaigns [6]. The most targeted industry in 2015 was the financial industry, followed by cloud storage/file hosting web sites, webmail and online services, ecommerce sites, and payment services.

[4] Verizon 2016 Data Breach Investigations Report

[5] Clusit - Report 2016 on ICT Security in Italy

[6] 2016 Phishing Trends & Intelligence Report: Hacking the Human (phishlabs), www.phishlabs.com

“A Phishing Awareness Campaign: approach and measurable outcomes” By Mattia Cafiero, Leonardo Cont, Chiara Noto, Lutech Group


Picture 1 - Source: 2016 Phishing Trends and Intelligence Report: Hacking the Human (phishlabs)

The healthcare sector has been one of the most targeted by cyber criminals in the first months of 2016, due to the sensitivity of the data it manages. For example, we can recall the recent ransomware cases that affected the Hollywood Presbyterian Medical Center in February 2016, which was forced to pay a ransom of 40 Bitcoin (about $17,000), and the one that hit the MedStar Health Society in April 2016, which was asked to pay a ransom of 3 Bitcoin to unlock a single computer and 45 Bitcoin to unlock all systems. Last year's growth in phishing attacks demonstrates the importance of awareness initiatives inside organizations in order to ensure information security. Awareness campaigns are an efficient instrument that has to be used to: identify weaknesses in companies that manage and protect sensitive information from external factors, identify areas of improvement in information management, and train employees in the proper use of information and tools, in order to prevent and combat cyber threats. On the wave of these events, Lutech started several awareness campaigns on the phishing phenomenon, especially in the healthcare industry, with the main scope of educating users about phishing and security matters. A phishing awareness campaign is made up of the simulation of a real-world attack scenario. More in depth, phishing awareness campaigns are delivered with the following step-by-step procedure:

1. Preparation and transmission of the engagement e-mail to the identified targets, with a link to an external or internal fake service (for example: company intranet, webmail access, etc.) that asks the user to enter his authentication credentials. This request is adequately explained and legitimized (for example: a request to change the password in order to comply with the company’s security policies).

2. If the user doesn’t recognize the phishing attempt and clicks on the link inside the email, he is redirected to a fake web page where he can enter his credentials.

3. If the user provides his credentials (which are not saved in any way) through the fake login form, he is redirected to another web page containing an awareness message about the campaign, where he is also asked to accept the terms of the campaign. After that, the user is redirected to a further “thanks page” for his attendance.

4. The platform records in its database only the number of clicks made by the users, so that those numbers can be processed to understand the preparation level of the users involved.

PS. Neither personal nor company data are transmitted or saved for any other purpose.


There is also another way to deliver the phishing awareness campaign: sending emails that ask users to open an ad-hoc document or execute a specially crafted program. The “Awareness Campaign” is provided with the following project approach:

1. Identification of the target and its main characteristics;
2. Definition of the message that has to be delivered through the awareness campaign;
3. Setup of the awareness campaign (installation and configuration of the security awareness platform, arrangement of the email and phishing web pages);
4. Start of the campaign;
5. Monitoring and closure of the campaign;
6. Results analysis;
7. Report delivery.

Through the analysis of the campaign results, it is possible to obtain information about the degree of awareness of the phishing problem among the company's users. More in depth, it is possible to identify the exact number of users who were fooled by the simulation and clicked on the fake link, and the number of users who recognized the phishing attack and avoided clicking on it. An in-depth analysis of the 2015-2016 campaigns revealed that, even after the first click on the fake link, the attack was often not recognized on the web page and the users continued “the chain”, entering their credentials into the fake form. Only in “rare and sporadic cases” did users send an email to the IT support infrastructure to inform the company about the phishing web page they had recognized. Overall, more than 20% of the users followed the entire process, clicking on the fake link inside the email. The graph highlights that:

§ 78% of the users did not follow the instructions provided inside the fake email;
§ 22% followed the instructions provided by email, clicking on the fake link, and:

} 3% of them just clicked the link;
} 9% of them clicked the link, then entered and sent their credentials to the fake web page;
} 9% of them clicked the link, entered and sent their credentials to the fake web page, and also accepted the final agreement to the awareness campaign.

The PEAK of clicks on the provided link did not happen during the FIRST DAY (even though the emails were sent during working hours) but was spread over the 2 days following the first, with some exceptions (about 15%) registered in later days too. It can be supposed that users did not, on their own initiative, communicate the anomaly to the company.
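As an added example (not Lutech's platform code), the following Python script tallies the kind of click log the platform described above keeps and computes the same breakdown reported for the 2015-2016 campaigns (users who ignored the email, clicked only, submitted credentials, accepted the agreement) plus the day-by-day spread of first clicks. The log format, the pseudonymous user ids, the send time and the sample events are constructed assumptions.

```python
"""Tally a phishing awareness campaign from its click log (added example)."""
from collections import Counter
from datetime import datetime

# Campaign stages in the order a user can reach them (see the procedure above).
STAGES = ("clicked", "submitted", "accepted")
RANK = {stage: i for i, stage in enumerate(STAGES)}

# Constructed sample log, not real campaign data. One event per user action:
# pseudonymous user id, stage reached, ISO timestamp. No credentials are ever
# written: the platform only needs to know that a stage was reached.
SAMPLE_LOG = """\
u01,clicked,2016-03-07T10:05:00
u01,submitted,2016-03-07T10:06:00
u01,accepted,2016-03-07T10:06:30
u02,clicked,2016-03-08T09:12:00
u03,clicked,2016-03-08T14:40:00
u03,submitted,2016-03-08T14:41:00
u04,clicked,2016-03-11T08:30:00
"""
SEND_TIME = datetime(2016, 3, 7, 9, 0, 0)  # constructed: when the emails went out
TARGETS = 10                                # constructed: users who received the email


def parse_log(text):
    """Parse 'uid,stage,timestamp' lines; reject anything outside the schema."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) != 3 or fields[1] not in STAGES:
            raise ValueError(f"line {lineno}: unexpected record {line!r}")
        uid, stage, ts = fields
        events.append((uid, stage, datetime.fromisoformat(ts)))
    return events


def furthest_stage(events):
    """Map each user who clicked to the furthest stage they reached."""
    reached = {}
    for uid, stage, _ in events:
        if uid not in reached or RANK[stage] > RANK[reached[uid]]:
            reached[uid] = stage
    return reached


def summarize(events, targets):
    """Break the target population down by how far they followed the chain."""
    reached = furthest_stage(events)
    counts = Counter(reached.values())
    clicked = len(reached)
    return {
        "targets": targets,
        "ignored": targets - clicked,            # did not follow the instructions
        "clicked_only": counts["clicked"],       # clicked the link, entered nothing
        "submitted_only": counts["submitted"],   # clicked and sent credentials
        "accepted": counts["accepted"],          # ... and accepted the agreement
        "click_rate_pct": round(100 * clicked / targets, 1),
    }


def clicks_by_day(events, send_time):
    """Count each user's first click by whole days elapsed since the send time."""
    first_click = {}
    for uid, stage, ts in events:
        if stage == "clicked" and (uid not in first_click or ts < first_click[uid]):
            first_click[uid] = ts
    return Counter((ts.date() - send_time.date()).days for ts in first_click.values())


def late_click_share(by_day, window_days=2):
    """Share of first clicks arriving after the send day plus window_days."""
    total = sum(by_day.values())
    late = sum(n for day, n in by_day.items() if day > window_days)
    return round(100 * late / total, 1) if total else 0.0


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(summarize(evts, TARGETS))
    by_day = clicks_by_day(evts, SEND_TIME)
    print(dict(sorted(by_day.items())), f"late: {late_click_share(by_day)}%")
```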

With the organization's main goal of minimizing the risks caused by the phishing phenomenon, it is really important to remind each user to follow some simple indications, such as setting up the filtering of his personal mailbox and always testing its effectiveness. But filters alone are not enough to block attacks: it is fundamental to spread a real “security culture” inside the organization, in order to give people every instrument that will make them able to recognize attack attempts and avoid becoming victims of this phenomenon. It is also important for companies to segment their network, implement strong authentication methods and encrypt data in order to make it difficult for attackers to access sensitive information. It is also always necessary to classify the information managed by the company, define treatment policies for the use, storage and transmission of data over the network and, also, govern the security processes of information systems (such as hardening, patching, user management, etc.).

Picture 2 | Overall results of the awareness campaigns (2015-2016)

Picture 3 | Overall trend of the clicks on the fake link provided by email.


GCSEC - Global Cyber Security Center Viale Europa, 175 - 00144 Rome - Italy http://www.gcsec.org

Identity is a tricky business: if we think of affirming it in an absolute way, conflict will be inevitable and without solutions. We are experiencing an economic crisis that seems unsolvable, and there are many critical points: the environmental threat, terrorism, global violence and especially inequality, which is widening the gaps between countries and inside nations. It seems clear, even if we don’t talk about it enough, that without good governance of security it is impossible to talk about development. Amartya Sen, who was awarded the Nobel Memorial Prize in Economic Sciences and was in Italy for a series of meetings, launches a specific warning on the major contradictions that run through our time. He says that responsibility and social ethics should guide public policies in reaching collective prosperity. "Otherwise - he clarifies - we will not be able to emerge from the global mess." The Idea of Justice (Mondadori) is an impressive book that faces the great questions that agitate our time. Professor, the world is passing from one crisis to another; what future awaits us? In my research, I try to suggest an agreement on how to implement the principle of justice despite the diversity of our ideas on the state of things. Yesterday the problems seemed far away; today everything concerns us, because we live in a system made of interconnected economies. The totalitarianisms of the twentieth century, the real socialism regimes, the terrible experience of Nazism and Fascism should have taught something to those responsible for governing. The "isms" that dominated the twentieth century and the nation states have waned, but despite this, war has remained a constant of history. We have to tackle this dramatic dimension that concerns most people. The policy of confrontation is perceived as a corollary of existing cultural and religious divisions in a world considered a federation of religions and cultures, ignoring all the other ways in which individuals see themselves. Ours is a multifaceted universe that constantly requires choices. Violence finds room when we decide to give priority to a single face of our identity and a single context. We are "otherwise different." This principle, which informed legal doctrine, natural law and philosophy, is constantly trampled.

The relationship between poverty, violence and "human development"

Your economic analysis is based on the centrality of the individual. From this perspective, you have proposed going beyond GDP as the only indicator to measure the wealth of nations; for what purpose? The Human Development Index (HDI) that I theorized was designed for developing countries. It allows comparisons with China, India and Cuba, but it also offers us interesting results regarding the United States and countries with great social inequality. We cannot accept the prospect of a tight reductionism that identifies political instability exclusively in an economic perspective. The relationship of cause and effect, which also exists between poverty and violence, should be reconsidered within a structure of more complex relationships. In many poor economies where disorders do not occur, it is evident that the two factors are not bound by an implication. Poverty can coexist with peace and with an intrinsic weakness that I would not hesitate to define as ethical weakness. Sicily and Southern Italy can be an example of this political and moral deficit. To understand this passage we must refer to a concept of poverty that in several of your writings, such as Ethics and Economics, Globalization and Freedom, and Identity and Violence, you have defined as "deprivation of human capabilities." What are the political consequences of such a strong idea? To treat the condition of fragility, not so much in economic as in ontological terms, we should investigate all the factors that undermine the geopolitical balance. Take the case of terrorism: the terrorists are not without resources, yet they embody in our imagination the global threat to order and security, with effects on the lives of everyone. Bin Laden yesterday, ISIS today, have found in poverty soldiers ready to sacrifice themselves for a plan of death and destabilization. That is in addition to the decline, perhaps more serious, of the values of democracy and equality.

The need for a security governance

Can Europe play a role in building a real and lasting peace? We should be concerned that the benefits of globalization are widely shared, because the perception of exclusion, of living in a shadow away from development and progress, is a potential factor in wars and conflicts. Reducing inequality is not enough, because it will be crucial to reshape the architecture of international institutions. First of all, all developing countries should have a representative in the negotiations. We have to take into account the requests of the poorest. Africa remains too neglected. For the same reason, it will be important to rethink the role of the EU at a moment in which the Eurozone economy seems checkmated. This perspective requires a cultural effort, a complex political action, a governance of security able to evaluate without prejudice, case by case, the reasons for the social contrasts that threaten the peace and balance of the planet.

Inequality is the drama of our time. Why, considering the opportunities for reflection, is there such poor awareness in world public opinion? We have an institutional need: recognizing plurality, we cannot “miniaturize” the individual. To rediscover the right awareness we have to recover the dimension of social justice, which influences politics in that it can address the choice of the appropriate instruments to achieve the objectives of growth and development. Kant, Habermas, Rawls and especially Smith, who inspired my last essay, are authors that help us rediscover the sense of universal responsibility. This situation requires the construction of a global civil society. I mean something other than military initiatives and strategic activities. It is a compelling project on which our capacity to face challenges, our tomorrow and the future of all mankind will depend.


“A good governance of security to revive the economy” - Interview with Amartya Sen, Nobel Prize in Economic Sciences

by Massimiliano Cannata, Technology innovation, training and security culture Reporter