Cyber Security CATO Seminar Presented by: Jon Waldman CISA, CRISC

Transcription

1 Cyber Security CATO Seminar Presented by: Jon Waldman CISA, CRISC Secure Banking Solutions

2 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Phone: Secure Banking Solutions

3 Dakota State Nationally Recognized National Security Agency Department of Homeland Security 4,000 universities in the country Only 100 named national centers in the past 10 years National Center of Excellence in Information Assurance Secure Banking Solutions

4 Agenda How is security changing in today s world? What is Commercial Account Takeover? How is this happening and why? How can I protect my business? What should I do next to improve security? Secure Banking Solutions

5 Cybersecurity State of the Union Trends (new technologies, greater adoption) $96,000 of sales are made on Amazon every minute $612,000 is spent online by consumers every minute Year of the Data Breach New and widespread vulnerabilities Cybercrime increasing rapidly! Commercial Account Takeover New Law on the way? (CISPA) 4/28/2015 Secure Banking Solutions, LLC 5

6 The evolution of Cyber Crime Used to be the hacker Now, it s Organized Crime Overseas operations Want $$$ to fund their organization Using Low Tech Attacks Target PEOPLE They purchase specialized software Marketing Material Secure Banking Solutions

7 Value of Hacked PC Secure Banking Solutions

8 Verizon DATA BREACH INVESTIGATIONS REPORT (DBIR) 1367 confirmed data breaches (2014) 63,437 security incidents (2014) 92% stemmed from external agents Organized criminal group 55% 55% utilized some form of hacking 29% utilized some form of social engineering 40% incorporated malware 75% of victims were opportunistic attacks 97% of breaches were avoidable through simple or intermediate controls (*2012) Secure Banking Solutions

9 Target (Nov/Dec 2013) 40M Credit/Debit Cards Card data for sale online. 70M Customer Records names, mailing addresses, phone numbers or addresses Malware-laced phishing attack sent to employees at an HVAC firm (which supported Target) From HVAC company, accessed Target s Vendor Portal Jumped inside the network and infected many Point of Sale systems Secure Banking Solutions

10 Recent Data Breaches Home Depot icloud Dozens of Healthcare institutions JP Morgan Chase The Food Service Industry (DQ, Jimmy Johns, Dominos, PF Chang s, etc.) Neiman Marcus Goodwill (18 MONTHS!) Anthem Sony Secure Banking Solutions

11 Secure Banking Solutions

12 Hacking made easy Default Passwords Hacking Tools Hacking Toolkits Caller ID Spoofing Social Engineer Toolkit Secure Banking Solutions

13 What is this Commercial Account Takeover? Commercial Account Takeover is when cyber-thieves gain control of a business bank account by stealing the business valid online banking credentials. There are several methods being employed to steal credentials, the most prevalent involves malware that infects a business computer workstations or laptops. - NACHA Secure Banking Solutions

14 Commercial Account Takeover around 85% of cyber attacks are now targeting small businesses. - Howard Schmidt (White House Cybersecurity Coordinator) 32 percent of respondents say their companies experienced a loss of more than $5,000 due to online banking fraud Ponemon Institute The FDIC lists this as #1 on its top 5 fraud threats list and states that it is responsible for millions of dollars in losses, frayed business relationships, and litigation affecting both banks and commercial accounts. Secure Banking Solutions

15 Commercial Banking Allow customers to access services of a financial institution via the internet. Bill Pay Funds transfer between other customers or banks Wire Transfers ACH Transactions Payroll Investments Loan applications and transactions Bank statements Secure Banking Solutions

16 How does CA Takeover Work? The bad guys Malicious software Small and medium size businesses, with computers and networks Financial Institutions Online Banking products MONEY! Secure Banking Solutions

17 Secure Banking Solutions

18 Money Mules Secure Banking Solutions

19 Where does it come from? Secure Banking Solutions

20 Types of Internet Traffic Secure Banking Solutions

21 Commercial Banking Fraud April 2013 Chelan County Public Hospital (Washington) lost $1.03 Million after attackers accessed payroll accounts and transferred the money into 96 different bank accounts (through the use of money mules) across the Midwest and east coast. Currently suing Bank of America: Secure Banking Solutions

22 Commercial Banking Fraud North Carolina fuel distributor JT Alexander & Son lost $800,000 in May Attackers were able to access the Bank s commercial internet banking account and initiate additional payroll ACH transactions remotely. The attackers again sent these payroll transactions to money mules distributed throughout the Midwest and east coast. Secure Banking Solutions

23 Commercial Banking Fraud Efficient Services Escrow Firm lost $1.5 million between December 2012 and February 2013 via three fraudulent international wire transfers to Russia and China. Efficient Services Escrow declared bankruptcy and was forced to lay off its entire staff in January Escrow Firm s network was compromised by a remote access Trojan prior to the fraudulent transfers. Secure Banking Solutions

24 Commercial Banking Fraud Village View Escrow lost $465,000 in March 2010 to an online hack The Catholic Diocese of Des Moines, Iowa, lost $600,000 in fraudulent ACH transactions August Experi-Metal Inc. of Sterling Heights, MI had $1.9M stolen, of which $560,000 was not recoverable due to 47 wires in one day to foreign and domestic accounts which EMI never wire to before PATCO Construction of Maine lost more than $500,000 due to Commercial Account Takeover in 2009 (probably the most public and infamous case, due to the lawsuits and outspoken owner) Choice Escrow and Land Title of Missouri lost $440,000 due to fraudulent wire transfers in 2009; courts ruled in favor of Bank in March of 2013, stating that the Bank had offered commercially reasonable security to Choice Escrow, but the business turned down the additional security features. So many more! Secure Banking Solutions

25 Secure Small Businesses BOTTOM LINE: Hackers are targeting small businesses. 70% of small business lack the 10 basic security controls. The bank has implemented controls to help protect your transactions. Your responsibility is to protect your business, funds, IT systems, and information. Secure Banking Solutions

26 So, what can we do about CATO? Make sure you have a relationship with your bank! Community Banks that have quality relationships with their customers tend to be more secure than larger, corporate financial institutions that do not have such relationships Work with your bank regularly to establish normal patterns of transactions Learn about Commercial Account Takeover Implement additional security controls within your business and on your network! Secure Banking Solutions

27 What does do to prevent CATO? MSA Hardware Token Required at Login Tokens can be required by customers for other user logons ACH filters and blocks (no charge!) Positive Pay including wire transfers (no charge!) Set and monitor ACH Limits Call-back verification for ACH transactions beyond limits Encourage Dual Approval of ACH processing and wires Build out a personal relationship with your and your business Happy to talk with you about how security controls work for businesses and what might be best for your business Encourage the use of a separate workstation or device for Online Banking

28 Small Business Information Security: The Fundamentals October 2009 NIST 7621 was released Assist small business management in understanding how to provide basic security for their information, systems, and networks. Provides commercially reasonable security measures which will reduce the likeliness of a security incident. Three basic areas which may reduce likeliness: Absolutely Necessary (todays focus) Highly Recommended Other Considerations Secure Banking Solutions

29 Exercise in Security Review the 10 Absolutely Necessary controls Rate how you have implemented the controls as we go over the controls Calculate your score Identify a plan to remediate security issues Secure Banking Solutions

30 1) Malware - Virus, Trojans, Spyware If your networks access the internet, then you have risk from Malware (Malicious Software). Secure Banking Solutions

31 1) My organization uses anti-virus and antispyware (malware) software: 1) I am not aware of what kind of software we use 2) We do not use this type of software 3) We have it on some computers 4) We have it on all computers but it is not updated on a regular basis and I question the quality of the product 5) We update our software and scan all computers daily with a quality product Secure Banking Solutions

32 2) Hardware Firewall Most small businesses have a broadband (high speed) internet connection which is always on. This leaves the network susceptible to network attacks on a 24/7 basis. Secure Banking Solutions

33 2) My organization secures our internet connection with a hardware firewall: 1) I am not aware if we have a hardware firewall 2) We do not use a hardware firewall 3) We have a hardware firewall but I am not sure on its quality 4) We have a commercial grade hardware firewall 5) We have a commercial grade hardware firewall that has all default security settings changed Secure Banking Solutions

34 3) Software Firewall In addition to hardware firewalls, software firewalls should be used on all workstations. Software firewalls protect workstations from each other. Microsoft provides built in firewall Secure Banking Solutions

35 3) My organization has a software firewall on all computers: 1) I am not aware if we have any software firewalls 2) We do not use a software firewall 3) We have a software firewall installed on a few computers 4) We have a software firewall installed on all computers 5) We have a commercial grade software firewall installed on all computers Secure Banking Solutions

36 4) Software Patching All operating systems such as Microsoft Windows, Apple OSX, and all distributions of UNIX/Linux have patches that need to be installed on a regular basis. Most software products require patches, including Microsoft Office, Adobe, Java, QuickTime, Firefox. These patches fix compatibility issues and known security vulnerabilities, not applying them leaves you vulnerable. Secure Banking Solutions

37 4) My organization applies security patches and updates to software programs: 1) I am not aware if we address security patches and updates 2) We do not patch or update any software 3) We patch and update some computers intermittently 4) We have Microsoft updates set to automatically install on all computers 5) We automatically update Microsoft and regularly update other critical programs on all computers Secure Banking Solutions

38 5) Backup Data Backing up your data protects it from numerous threats: Hackers destroying your computer Malware corrupting your data Fire and other natural disaster destroying your systems Many other threats Include all your critical data, backup often. Store a copy offsite. Test your backup process to know you can restore data. Secure Banking Solutions

39 5) My organization creates electronic backup copies of important data/information: 1) I am not aware if any information is backed up electronically 2) We do not create electronic backup copies of any information 3) We create backup copies of some important data intermittently 4) We create backups of all important data on a weekly basis 5) We backup all critical data weekly, test it monthly, and keep a copy off-site Secure Banking Solutions

40 6) Physical Access Security Secure each entrance point Monitor areas for unauthorized people Escort visitors around the building Secure documents, computers, servers from theft Secure? Secure? Secure Banking Solutions

41 6) My organization controls unauthorized physical access to protect our computers and important information: 1) I am not aware how we control physical security 2) We allow anyone to walk into our organization s sensitive areas unchallenged 3) We might sometimes challenge people who we do not recognize 4) We identify and challenge all third parties entering our organization s sensitive areas and lock all secondary entrances 5) We identify and challenge all third parties entering our organization s sensitive areas, lock all secondary entrances and also consider the placement of paper documents and computer monitors to protect information Secure Banking Solutions

42 7) Wireless Security Do not use wireless unless required for business Securely configure all wireless devices and access points. Most users implement with default settings Default passwords - WEP encryption can be hacked in hours (use WPA2!) Security vulnerabilities in wireless technology Update wireless software and firmware Users connect wireless devices to unsecured wireless, then conduct business. Secure Banking Solutions

43 7) My organization secures our wireless access points: 1) I am not aware if we have wireless 2) We bought a wireless access point and just connected it to our internal network 3) We use some type of security settings on our wireless 4) We use strong security settings and changed default settings on our wireless 5) We strictly prohibit wireless technology from being connected to our network Secure Banking Solutions

44 8) Security Awareness Training Employees should read security policies Employees should sign Acceptable Use Agreement Employees should receive training on security threats: Malware Phishing Social Engineering Unauthorized Access Percentage of illegitimate traffic 2013 Secure Banking Solutions

45 Phishing s Secure Banking Solutions

46 8) My organization trains our employees on basic security principles: 1) I am not aware of what training on security principles is done 2) We do not provide any training 3) We require employees handling sensitive information to watch webinars, read articles, and go to seminars on information security 4) We train employees when hired and on a regular basis by informed security personnel 5) We train employees when hired and on a regular basis by informed security personnel and we require all employees sign a statement that they understand our organization s security policies Secure Banking Solutions

47 9) Unique User Accounts Users should have a unique login to all computers, programs, and websites. Users should not be administrators on their local machine. If users can install software, then malware can install itself to the computer when clicked. Complex passwords - the password Spring08 can be cracked with on a normal computer in 24 seconds. Secure Passwords - 73% of users share the passwords which they use for online banking, with at least one nonfinancial website. If its easy to remember, its easy to guess. Try mnemonics: Proud to be an American + birth year = PtbaA!(*) where the birth year 1980 is typed in using the shift key Secure Banking Solutions

48 9) My organization has unique user accounts for each employee on computers and applications: 1) I am not aware if we have unique user accounts 2) We use unique usernames on some computers and programs 3) We use unique usernames on some computers and programs with passwords 4) We use unique usernames on all computers and programs with good passwords (8 characters consisting of random letters, numbers, and special characters) 5) We use unique usernames on all computers and programs with good passwords that are changed every 3 months plus users do not have administrative privileges Secure Banking Solutions

49 10) Limit Access to Data For all employees, provide access to only those systems and only to the specific information that they need to do their jobs. Do not allow a single individual to both initiate and approve a transaction (financial or otherwise). Limited access reduces the exposure of data to malware and hackers. Also reduces the impacts of malicious insiders. Secure Banking Solutions

50 10) My organization limits employee access to data and information: 1) I am not aware if we limit access to data or information 2) We allow employees to access any system and have access to all information 3) We allow employees to access any system but control access to some information 4) We allow employees to access systems and information that is only necessary for their job 5) We allow employees to access systems and information that is only necessary for their job and require two employees initiating and approving transactions (financial or otherwise) Secure Banking Solutions

51 Rate Your level of Defense Identify where you are Take steps to improve your security controls Good security does not guarantee protection Points Percent Correct 45 90% 40 80% 35 70% 30 60% Secure Banking Solutions

52 Security Lifecycle 1. Assess Risk 2. Implement Controls 3. Audit Controls Vulnerability Assessment Penetration Testing Social Engineering Security Audit Secure Banking Solutions

53 IT Audit Check your overall security program Identify other risk you may not have considered Outline basic components specific to your business Highlight best practices Secure Banking Solutions

54 Vulnerability Assessment Check Software Patching Check Malware Check Default Security Settings Workstations Hackers Internet Servers Bank Firewall Vulnerability Assessment Penetration Test Secure Banking Solutions

55 Penetration test Replicates a Hackers Actions to Break-in Check Hardware Firewall Workstations Hackers Internet Servers Bank Firewall Vulnerability Assessment Penetration Test Secure Banking Solutions

56 Social Engineering Test your people Check effectiveness of training program Types Include: Phishing s Phone Impersonation Physical Impersonation Dumpster Diving Secure Banking Solutions

57 Social Engineering Secure Banking Solutions

58 Remember Security is everyone s issue! Take steps to secure YOUR financial information on YOUR networks, just as the Bank has taken steps to ensure security on their end Work with your Bank to establish normal patterns of banking CATO is a lose-lose situation Let s try to prevent it from happening by working together! Secure Banking Solutions

59 Questions? Thanks for taking time out of your busy day to spend with us learning about Commercial Account Takeover. Let us know how we can help! Presenter: Jon Waldman, Secure Banking Solutions Park Bank: Samuel Huntingon, VP Treasury Management Secure Banking Solutions