Cyber Fraud What can you do about it?

Transcription

1 Cyber Fraud What can you do about it? Eric Wright Shareholder June 10, 2014 What is Cyber Fraud? NetLingo definition: Cyber fraud refers to any type of deliberate deception for unfair or unlawful gain that occurs online Key: PROTECTING INFORMATION > Threats not limited to Internet hackers Social engineering Phishing Disgruntled employees Human error Theft Misuse Manipulation Damage Loss 2 1

2 What Cyber crimals Steal And Why Bank credentials Theft of funds Personally Identifiable Information (PII) Identity theft Debit/credit card data Access to credit, sale of data Intellectual property, data, other content Blackmail, sale of data, avoid paying IP royalties, sabotage 3 Verizon Data Breach Report Takeaways 92% of breaches came from outside the organization 55% from organized crime 19% affiliated with other state agencies 75% of breaches driven by financial motives 76% exploited weak or stolen credentials 69% discovered by external parties 66% took months or more to discover 4 2

3 Verizon Data Breach Report Other Takeaways 19% of attacks combined multiple techniques (phishing, malware, hacking, etc.) 75% of attacks were opportunistic (companies not targeted directly) 78% of intrusions took little or no special skills/resources 5 Verizon Data Breach Report Industry Dispersion 6 3

4 Verizon Data Breach Report Attack Origin 7 Verizon Data Breach Report Malware Sources 8 4

5 Attackers Time to Exploit Vulnerability versus Source: Verizon Risk 9 Organization s Ability to Defend Source: Verizon Risk 10 5

6 Notable Data Breaches in US History 2014 USX, ATI, UPMC, Westinghouse, Alcoa (Employee information and intellectual property) 2013 Target 110 million customers (40 million credit cards) 2013 Adobe Systems 130 million customers 2011 Sony 77 million customers 2008 Heartland Payment Systems 130 million customers 2007 TJX Companies 94 million customers (46 million credit card) 1984 TRW/Sears 90 million customers Source: CNN Money Where is this happening? Continent Percent of online Transactions hacked Sites Targeted Africa 7 % Online dating Retail Asia 5% Retail Online dating Gambling South America 4% Retail Online dating Data Stolen Identities Credit Cards Credit Cards Identities Gold farming Credit Cards Identities Europe 2% Evenly spread Identities North America 1% Retail Gaming Financial Services Credit Cards Identities Accounts 12 6

7 Target Breach 13 Target Response to Hack Target had already deployed $1.6 million malware detection tool (FireEye). Round the clock monitoring from security specialists in Bangalore November 30: FireEye detects loading of exfiltration software. Target security team in Minneapolis notified No action taken Mid December: Security experts monitoring underground markets for stolen data detect large influx of credit card information. US Department of Justice notified December 12: Target notified by Department of Justice of potential breach. December 15: Target confirms breach. December 19: Target releases public statement confirming breach. March 5: Target CIO Beth Jacob resigns 14 7

8 Target Control Failures 15 Target Breach Inherent Flaws Flaws in system design Lack of network segmentation Lack of encryption of credit card data while stored in RAM Flaws in internal control Lack of third party oversight and compliance Lack of monitoring and reaction 16 8

9 Target Breach Limitations in Audit Approach Audits take only a snapshot of an organization s security Auditors rely on the organization to provide timely, accurate and complete information about systems Inherent time/resource limitations Over reliance on PCI standard (Gartner analyst: PCI standard is weak ) Data in transit over a private network does not have to be encrypted Data at rest in RAM does not have to be encrypted 17 Is Your Organization Prepared? Source: IIA Tone at the Top; April

10 What can you do to minimize your risks? Design and implement security plan Respond to threats Maintain vigilance and level of knowledge Identify, understand and respond to changes in your operating environment 19 Steps for an Effective Cybersecurity Defense 1. Adopt a Framework 2. Understand the Environment 3. Assess Risk 4. Establish Audit Objectives 5. Planning and Scoping 6. Perform the Audit 7. Identify/Remediate Vulnerabilities 8. Monitor/Refresh 20 10

11 1. Adopt a Framework Examples ISO Series Department of Energy Cybersecurity Capability Maturity Model (C2M2) Electronic Subsector (ES C2M2) Oil and Gas Subsector (ONG C2M2) National Institute of Standards and Technology (NIST) Cybersecurity Framework Roadmap for Improving Critical Infrastructure Cybersecurity National Initiative for Cybersecurity Education (NICE) Capability Maturity Model (CMM) ISACA Transforming Cybersecurity Using COBIT 5 1. Areas Covered in C2M2 Risk Management Asset, change, and configuration management Identity and access management Threat and vulnerability management Situational Awareness Information sharing and communications Event and incident response, continuity of operations Supply chain and external dependencies management Workforce management Cybersecurity program management 22 11

12 1. C2M2 Maturity Levels C2M2 Recommended Approach 24 12

13 1. NIST Framework Objectives 1. NIST Framework Objectives Continued Identify Asset Management Governance Risk Assessment Protect ITGCs (Access Control) Awareness and Training Data Security Information/Asset Protection Maintenance Protective Technology Detect Monitoring Respond Planning Communications Analysis Mitigation Recover Improvement 26 13

14 Steps for an Effective Cybersecurity Defense 1. Adopt a Framework 2. Understand the Environment 3. Assess Risk 4. Establish Audit Objectives 5. Planning and Scoping 6. Perform the Audit 7. Identify/Remediate Vulnerabilities 8. Monitor/Refresh Understand the Environment Operating environment Hardware type and location Applications Databases File systems Security Network architecture Third parties Middleware 28 14

15 2. Start with Asset Identification Identify all assets: Databases Files Servers Applications Hardware Web sites Asset classification Location Owner Usage Type Status Risk level 29 Steps for an Effective Cybersecurity Defense 1. Adopt a Framework 2. Understand the Environment 3. Assess Risk 4. Establish Audit Objectives 5. Planning and Scoping 6. Perform the Audit 7. Identify/Remediate Vulnerabilities 8. Monitor/Refresh 30 15

16 3. Assess Risk Identify risks (interviews, artifact review) Assign risk ranking Determine risk tolerance Address areas at or above threshold Isolate/note threats covered by standard ITGCs Look at external and internal threats, and differentiate between them Added emphasis on areas inherent to cybersecurity Identify recent/ongoing changes in the environment 3. Assessing Risk: Common Mistakes Not understanding the environment (see step 2) Avoiding unfamiliar technical content Underestimating the complexity of cybersecurity threats and/or overestimating management s knowledge of network architectures Not allocating sufficient time for a comprehensive review Making assumptions about IS s level of knowledge/proficiency (taking them at their word) 16

17 3. What s Wrong With This Picture? Typical Network Security Audit Questions Security policy? Network diagram? Firewall and intrusion detection/prevention? DMZ? Anti virus/malware/spam Filters? Server and workstation hardening standards? Vulnerability scan and penetration test performed? Logging and monitoring? 34 17

18 Recommendation Tone at the top Create and reinforce the perception/understanding of cybersecurity threats Established, supported and communicated by senior management Establish awareness that controls and processes have been specifically designed to prevent attacks New hire orientation Ongoing awareness and communication Visible to the organization 35 Other Recommendations Ongoing Security Education and involvement of management and staff Integrate cyber risk strategy into the organization s strategic plan Have a team/person dedicated to managing cyber threats Identify areas of high risk and train internal/external resources to monitor and manage Automate as much as possible Collaborate internally AND externally 36 18

19 Questions 37 19