Recognizing Fraud Staying Safe 2018 Information/Cyber Security Training

Size: px

Start display at page:

Download "Recognizing Fraud Staying Safe 2018 Information/Cyber Security Training"

Priscilla Robertson
5 years ago
Views:

Recognizing Fraud Staying Safe 2018 Information/Cyber Security Training Copyright Sage Data Security 2017-2018

1 Recognizing Fraud Staying Safe 2018 Information/Cyber Security Training Copyright Sage Data Security All Rights Reserved Presented by: John H Rogers, CISSP Director of Advisory Services john.rogers@sagedatasecurity.com

2 Agenda The Internet Environment : Foundations of Knowledge Threat Update Recognizing Fraud Pentucket Bank Customer Fraud Protections Social Engineering : The Human Factor Defense in Depth Questions & Answers

3 The Internet Environment

4 Foundational Principle The Internet is a shared resource and securing it is ~ Our Shared Responsibility ~ No individual, business or government entity is solely responsible for securing the Internet. Everyone has a role in securing their part of cyberspace, including the devices and networks they use. Individual actions have a collective impact and when we use the Internet safely we make it more secure for everyone.

5 Background: The Real Internet Every two days now we create as much information as we did from the dawn of civilization up until 2003, according to Eric Schmidt of Google.

6 Internet Analogies US Highway System Think of the Internet as a 65,000+ lane highway. Each lane (actually called a port ), of the first 1000, is assigned to a specific service: lane (port) 110 receiving, port 25 for sending Web: lane (port) 80 for browsing, port 443 for secure browsing

7 Internet Analogies US Postal Service Data moves through the Internet like regular mail: Sender address Recipient address Datagrams Packets of information travel across thousands of routes to arrive at their destination and/or connection point.

8 Internet Analogies The Phone Book Domain Name Service (DNS, Port 53) First, your browser asks DNS to find the website you want to visit. You type a name, e.g., DNS knows the website's IP Address, and tells your browser, e.g., (IP Address) That website is at this address

9 Threat Update

10 Adversaries Insider Financial Gain Grievance Targeted Hacker Bragging rights Opportunist ic Cyber Criminal Financial Gain Opportunist ic Cyber Hacktivist Grievance Targeted Cyber Terrorist Political warfare Targeted

11 Threats Unauthorized Access Disruption of Service or Productivity Data Leakage Data Loss Misuse of Privilege

12 Today s Hacker Media Fantasy 12

13 Today s Hacker - Reality 13

14 Threat Landscape DDoS Attack Zero Day Vulnerability Exploit Ransomware Remote Access Exploits

15 Recognizing Fraud

16 Fraud Compromise Fraud: Schemes in which criminals compromise the accounts of victims to send fraudulent wire transfer instructions to financial institutions in order to misappropriate funds. The main types of compromise fraud include: Business Compromise Targets a financial institution s commercial customers Account Compromise Targets personal accounts *FinCEN Advisory FIN-2016-A003 Financial Crimes Enforcement Network

Email Fraud Stage 1 Compromising Victim Information and E-mail Accounts: Criminals first unlawfully access a victim s e-mail account through social engineering 3 or computer intrusion techniques.

Stage 2 Transmitting Fraudulent Transaction Instructions: Criminals then use the victim s stolen information to e-mail fraudulent wire transfer instructions to the financial institution in a manner

Stage 3 Executing Unauthorized Transactions: Criminals trick the victim s employee or financial institution into conducting wire transfers that appear legitimate but are, in fact, unauthorized.

17 Fraud Stage 1 Compromising Victim Information and Accounts: Criminals first unlawfully access a victim s account through social engineering 3 or computer intrusion techniques. Criminals subsequently exploit the victim s account to obtain information on the victim s financial institutions, account details, contacts, and related information. Stage 2 Transmitting Fraudulent Transaction Instructions: Criminals then use the victim s stolen information to fraudulent wire transfer instructions to the financial institution in a manner appearing to be from the victim. To this end, criminals will use either the victim s actual account they now control or create a fake account resembling the victim s . Stage 3 Executing Unauthorized Transactions: Criminals trick the victim s employee or financial institution into conducting wire transfers that appear legitimate but are, in fact, unauthorized. The fraudulent transaction instructions direct the wire transfers to the criminals domestic or foreign bank accounts. Banks in Asia particularly in China and Hong Kong are common destinations for these fraudulent transactions. *FinCEN Advisory FIN-2016-A003 Financial Crimes Enforcement Network

18 Fraud - Account Compromise Scenario 1 Lending/Brokerage Services: A criminal hacks into and uses the account of a financial services professional (such as a broker or accountant) to fraudulent instructions, allegedly on behalf of a client, to the client s bank or brokerage to wire-transfer client s funds to an account controlled by the criminal. Scenario 2 Real Estate Services: A criminal compromises the account of a realtor or of an individual purchasing or selling real estate, for the purposes of altering payment instructions and diverting funds of a real estate transaction (such as sale proceeds, loan disbursements, or fees). Alternately, a criminal hacks into and uses a realtor s address to contact an escrow company, instructing it to redirect commission proceeds to an account controlled by the criminal. Scenario 3 Legal Services: A criminal compromises an attorney s account to access client information and related transactions. The criminal then s fraudulent transaction payment instructions to the attorney s financial institution. Alternatively, the criminal may compromise a client s account to request wire transfers from trust and escrow accounts the client s attorney manages. *FinCEN Advisory FIN-2016-A003 Financial Crimes Enforcement Network

Email Fraud Other Examples of Email Fraud *FinCEN

19 Fraud Other Examples of Fraud *FinCEN Advisory FIN-2016-A003 Financial Crimes Enforcement Network

20 Website Fraud Other Examples of Fraud *FinCEN Advisory FIN-2016-A003 Financial Crimes Enforcement Network

21 Website Fraud Other Examples of Fraud *FinCEN Advisory FIN-2016-A003 Financial Crimes Enforcement Network

22 Personal Webmail Sites Malicious Code: When you use personal webmail from a corporate network, you are circumventing internal controls that protect you against malicious code/viruses. Webmail services have an exponentially higher amount of fraud and infected content than corporate systems. External Administration: Personal webmail sites are not hardened by internal IT staff, and therefore, the controls are not up to internal security standards, and are user-configurable. Accidental Exposure of sensitive or personal information - It is a common error to accidentally copy/paste sensitive information into a personal webmail message, and send it unsecured to an unintended recipient.

23 Pentucket Bank: Customer Fraud Protections

24 Pentucket Bank Customer Fraud Protections Calls backs to verify wire transfer requests and ACH batch totals Call backs using alternative communication method to answer questions about transactions or provide confirmations Secure messaging within the online banking portal One-time passcodes sent to a phone for authentication Shorter password expiration times for changes Session timeouts Periodic account activity assessments for Merchant Capture Registered license keys for Merchant Capture Software

25 Social Engineering : The Human Factor

The Human Factor Why We re All Vulnerable Goal of Social Engineering is the acquisition

the building of trusted or intimidating relationship with insiders.

the tendency to trust people. the fear of getting into trouble.

26 The Human Factor Why We re All Vulnerable Goal of Social Engineering is the acquisition of sensitive information or inappropriate access privileges by an outsider based upon the building of trusted or intimidating relationship with insiders. Social Engineering preys on qualities of human nature: the desire to be helpful. the tendency to trust people. the fear of getting into trouble. The sign of a truly successful social engineer is that they receive information without raising any suspicion as to what they were doing.

27 The Human Factor Common Attacks Delivery Channels o Phishing: Posing as a legitimate business/service o Vendor Spoofing: Posing as a vendor on a service call o IT/IS Spoofing: Posing as internal IT or IS department staff o Website Spoofing: Creating phony websites that appear to be legitimate o Phone Spoofing: Caller ID

28 Defense = Situational Awareness Can I call you back? Did I initiate this? Forward Slash, two dots back Am I expecting this?

29 Defense in Depth

30 Foundation: Institutional Memory Opposite of practical knowledge, aka Tribal knowledge. Information about operations people keep in their heads. The real information behind a static written procedure or process can walk out the door at anytime Cost is hard to quantify, but it is significant Real dollars to train Real dollars in lost productivity Time spent updating severely outdated documents Can cause significant disruption up to and including replacing whole systems

31 Foundation: Institutional Memory Definition: Active organizational documentation (hard copy and/or digital), including: Policy Procedure Guideline Asset inventories Change documentation Network infrastructure diagrams Data flow diagrams Continuity of Operations Plans BCP/DR IRP Vendor Management Pandemic

32 Protecting Your Business (and everyone else) Layered approach to Cybersecurity : Defense In Depth Perimeter preventative controls Firewall Each rule documented with business purpose Configuration backups HA synchronization Critical services segmentation Daily log review Patching and updates IDS/IPS Strategic sensor locations external and internal Network based Regular updating

33 Protecting Your Business (and everyone else) Layered approach to Cybersecurity : Defense In Depth Perimeter preventative controls Zero-day protection Appliance or agent based software Daily activity review Multi-factor authentication for remote-access At minimum for all administrator activity Not to be confused with multi-layer Certificates IP Restriction

34 Protecting Your Business (and everyone else) Layered approach to Cybersecurity : Defense In Depth Internal network preventative controls IDS/IPS Host-based / application layer for critical services, web applications Web/Internet filtering Documented approved sites Exception list Data Leakage Prevention (DLP) Removable media control security NPPI Inventory control Antivirus software Central management Updated as often as tool allows Not configurable by users

35 Questions and Answers

36 Thank you! Presented by: John H Rogers, CISSP Director of Advisory Services john.rogers@sagedatasecurity.com

CYBER SECURITY RISK ASSESSMENT: WHAT EVERY PENSION GOVERNMENTAL ENTITY NEEDS TO KNOW

CYBER SECURITY RISK ASSESSMENT: WHAT EVERY PENSION GOVERNMENTAL ENTITY NEEDS TO KNOW May 2018 Ed Plawecki General Counsel & Director of Government Relations UHY LLP Jamie See Manager UHY LLP Iowa Public