Risks and Trends in IT (Security and Compliance)

Transcription

1 Risks and Trends in IT 012 CliftonLarsonAllen LLP 20 (Security and Compliance) ACUIA Region 3 Meeting September

2 Our perspective CliftonLarsonAllen Started in 1953 with a goal of total client service Today, industry specialized CPA and Advisory firm ranked in the top 10 in the U.S. 2

3 Presentation overview Emerging & Continuing Trends Industry Security Reports 12 Years of Information Security Audit, Assurance, and Incident Response Social Engineering The Cloud Mobile and Electronic Banking 3 Strategies and Key Controls

4 Definition of a Secure System A secure system is one we can depend on to behave as we expect. Source: Web Security and Commerce by Simson Garfinkel with Gene Spafford People Rules Confidentiality Integrity Availability ` Tools 4 4

5 Three Security Reports Trends: Sans 2009 Top Cyber Security Threats cyber security risks/ Intrusion Analysis: TrustWave (Annual) Intrusion Analysis: Verizon Business Services (Annual) 2010 report p p_ 10 DBIR combined reports_en_xg.pdf 2011 report a breach investigations report 2011_en_xg.pdf 5

6 SANS Client Side Vulnerabilities Client side vulnerabilities Missing operating system patches Missing application patches Objective is to get the users to Open the door Vulnerable Web sites Password guessing Attacks on application interfaces with input fields Recent Facebook example 6

7 TrustWave Intrusion Analysis Report Methods of Entry: Methods of Propagation: 7

8 TrustWave Intrusion Analysis Report Most of the compromised systems were managed by a third party 8

9 TrustWave Intrusion Analysis Report Incident Response Investigative Conclusions Window of Data Exposure Once inside, attackers have very little reason to think they will be detected The bad guys are inside for 1 ½ YEARS before anyone knows! 9

10 Verizon Report is analysis of intrusions investigated by Verizon and US Secret Service. KEY POINTS: Time from successful intrusion to compromise of data was days to weeks. Log files contained evidence of the intrusion attempt, success, and removal of data. Most successful intrusions were not considered d highly hl difficult. 10

11 Hackers, Fraudsters, and Victims Opportunistic Attacks Targeted Attacks 11

12 Verizon 2011 Anatomy of a data breach Opportunities 12

13 How do hackers and fraudsters break in? Social Engineering relies on the following: People want to help People want to trust Theappearance of authority People want to avoid inconvenience Timing, timing, timing 13

14 Pre text Phone Calls Hi, this is Randy from Comcast. I am working with Dave, and I need your help Name dropping Establish a rapport Ask for help Inject some techno babble Think telemarketers script Home Equity Line of Credit dit(heloc) fraud calls Recent string of high profile ACH frauds 14

15 Attacks Spoofing and Phishing Impersonate someone in authority and: Ask them to visit a web site Ask them to open an attachment or run update Examples Better Business Bureau complaint businessbureau target phishing scam/ Microsoft Security PatchDownload bogus microsoft patch spam/ 15

16 Phishing Targeted Attack Randall J. Romes Two or Three telltale signs Can you find them? 16

17 Phishing Targeted Attack Fewer tell tlltl tale signs on fake websites 17

18 Physical (Facility) Security Compromise the site: Hi, Joe said he would let you know I was coming to fix the printers Plant devices: Keystroke loggers Wireless access point Thumb drives ( Switch Blade ) Examples Steal hardware (laptops) s how slick la shtml 18

19 Strategies to Combat Social Engineering (Ongoing) user awareness training Network perimeter security layers Mail filter, mail gateway, hardened workstations Antivirus software (3 places) and anti malware software Internet browser proxies and filtering Minimized user access rights Application white listing Logging and Monitoring capabilities (SIEM and DLP) The 3 R s : Recognize, React, Respond VALIDATION Periodic testing People, Rules, Tools, and Spaces 19

20 Questions? 20

21 Managing the Risks as You Outsource to the Cloud 012 CliftonLarsonAllen LLP 20Managing the Risks as You 2121

22 What is the Cloud? Is it a clever marketing term? Where is the cloud? 22

23 Cloud Services Describe types of Cloud Services List Cloud Services YOU currently use

24 What is the Cloud? The original cloud computing : Mainframes 24

25 What is the Cloud? The next generation: Thin Clients (Citrix, RDP, etc ) 25

26 What is the Cloud? Today s cloud: Hosted service or process all the way to hosted infrastructure. 26

27 What is the Cloud? Today s cloud: Hosted service or process all the way to hosted infrastructure. 27

28 What is the Cloud? National Institute of Standards and Technology (NIST) definition of cloud computing published October 7, 2009: Cloud computing is a model for enabling convenient, on demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 28

29 Examples of Cloud Services Hosted Hosted Exchange, Gmail Hosted productivity applicationsand and enterprise applications Google Apps, Amazon Web Services On line/cloud back up services Hosted infrastructure Private Clouds Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) 29

30 Benefits Low upfront/entry cost Pay as you go Reduced support needs Faster deployment speeds Simpler/easier upgrades Business agility ability to scale Reduced hardware costs Reduced software costs Reduced maintenance/service costs 30

31 Benefits Redundancy & Resiliency Disaster recovery and business continuity Specialized support expertise Compliance benefits Ability to focus on the core of your business 31

32 Risks Vendor Risks Vendor selection and due diligence Vendor viability Vendor management Governance Risks Risk Management Legal and compliance issues Life cycle management and portability Who has your data? Where is your data? Who has access to your data? 32

33 Risks Data Risks Data location Data segregation Data recovery Investigative support End User Risks Privileged user access Normal users Malicious insiders 33

34 Risks Technology Risks Quick scalability Pace of change Outage downtime Application level DDOS attacks (Hacker) ease of access 34

35 Examples in the news Megaupload story: SANS NewsBites Vol. 14 Num wiredefense hobbled/ A Megaupload defense attorney maintains that the government has "cherry picked" data from servers to bolster its case against Megaupload, and to allow the destruction of the data now could potentially destroy evidence that would prove beneficial to the defense. The staggering volume of data 25 petabytes are currently being stored on servers at US hosting company Carpathia, but because Megaupload's assets are frozen, Carpathia is shouldering the US $9,000 daily cost of maintain the data. A hearing on the matter is scheduled for Friday, April 13. Carpathia wants the judge to relieve it of the burden the cost of maintaining the data; an Ohio businessman wants the data preserved because he has legitimate files stored on the servers and wants them returned; the Motion Picture association i of America (MPAA) wants the data preserved so they can be used in future copyright infringement lawsuits; and Carpathia and Megaupload have suggested a proposal wherein Megaupload would purchase the servers and bear the cost of maintain the data, but the government so far has refused to unfreeze the company's assets. 35

36 Examples closer to home Recent client experience 18 months ago we outsourced our to a cloud based solution with Company A 6 months ago Company A was purchased by Company B 2 months ago Company B was purchased by Company C I don t know where my data is I don t know who has access to my data I don t tknow where my dt data is backed up at any more I don t know 36

37 Examples closer to home Recent conference Betweensessions vendors describe their service offerings Company X offers online, secure back up to the cloud Company X has grown over 300% in the last year Best of all, Company X now provides online, secure, cloud based back up for Company Y one of the larger Core hosting company providers Where does the outsourcing chain end? How many using Company Y know where their data is 37

38 Things to do Risk Assessment Cost benefit analysis Vendor due diligence (Pre contract) Scrutinize i contracts t Ongoing vendor management Be disciplined about where your data is DOCUMENT IT an inventory! Understand dvendors responsibility and YOURS Remember basic security tenants 38

39 Questions? 39

40 Mobile Devices 012 CliftonLarsonAllen LLP 20 Understanding the Risks 4040

41 Mobile Computing Basics Mobile Devices are here to stay More people have (smart) phones than computers Mobile payments py are coming (already here?) Topic for another time 41

42 Mobile Banking Basics Different types of mobile banking SMS mobile banking Mobile web Mobile applications 42

43 Mobile Banking Basics Mobile banking applications (i.e. mobile apps ) Various mobile app market places itunes/apple App Store Android Market Verizon App Store BlackBerry App Store 43

44 Mobile Banking Basics Basic/common mobile banking infrastructure Mobile banking system atthethe bank 44

45 Mobile Banking Basics Basic/common mobile banking infrastructure Mobile banking system with third party vendor between customer and bank infrastructure 45

46 Vulnerabilities, Risks, & Controls Vulnerabilities and risks at each component Perform a risk assessment Risk Assessment Heat map Server Side Risks (Vendor Risks) Transmission Risks Mobile Device Risks Mobile App Risks End duser Risks 46

47 Vulnerabilities, Risks, & Controls Server Side Risks Essentially the same as traditional Internet banking website risks Insecure coding practices Default credentials Patch/update maintenance Certificate issues This is essentially a web server for the mobile devices to connect to. 47

48 Vulnerabilities, Risks, & Controls Vendor Risks Same risks as banks now outside of your direct control. Insecure coding practices Default credentials Patch/update maintenance Certificate issues Also need controls on the dedicated link This is essentially a web server for the mobile devices to connect to. 48

49 Vulnerabilities, Risks, & Controls Transmission Risks Most mobile devices have always on Internet connection Cellular (cell phone service provider) Wifi ( home, corporate, public ) Need encryption Common end user practices 49

50 Vulnerabilities, Risks, & Controls Mobile Device Risks Multiple hardware platforms & multiple operating systems 50

51 Vulnerabilities, Risks, & Controls Mobile App Risks Secure coding issues Installation of App Useand protection of credentials Storage of data Transmission of data 51

52 Vulnerabilities, Risks, & Controls End User Risks Losethe device Don t use passwords, or use easy to guess passwords Store passwords on the device Jail break the device Don t use security software Use/don t recognize insecure wireless networks Let their kids use the device 52

53 Vendor Due Diligence and Management All of the above applies to your vendor(s) Mobile banking application provider Mobile banking hosting provider Contracts with SLA s SSAE16 reviews Independent code review and testing 53

54 Questions? 54

55 Risks and Controls for 012 CliftonLarsonAllen LLP 20Risks and Controls for Electronic Banking 5555

56 Phishing and ACH In the News Google: ACH fraud suit Bank Sues Customer $800,000 fraudulent ACH transfer Bank retrieves $600,000 What happens to the other $200,000? 000? 56

57 Phishing and ACH In the News Customer Sues Bank $560,000 in fraudulent ACH transfers to bank accounts in Russia, Estonia, Scotland, Finland, China and the US; withdrawn soon after the deposits were made. Alleges that the bank failed to notice unusual activity. Until the fraudulent transactions were made customer had made just two wire transfers ever In just a three hour period, 47 wire transfers requests were made. 57 In addition, after customer became aware of the situation and asked the bank to halt transactions, the bank allegedly failed to do so until 38 more had been initiated.

58 Phishing and ACH Examples Finance person receives 2000 spam messages Later in the day, fraudsters make three ACH transfers all within 30 minutes: $8,000 to Houston Two transfers for $540,000 each to Romania In this case, business insists the following controls were not followed: Dollar limit/thresholds were exceeded Call back verification did not occur This one was just resolved 58

59 Updated Authentication Guidance Risk Assessment, Risk Assessment, Risk Assessment At least annually or after changes Changes in the internal and external threat environment, including those discussed in the Appendix of the Supplement Changes in the member base Changes in the member functionality At Actual lincidents id of security breaches, identity theft, or fraud experienced by the institution or industry 59

60 Updated Authentication Guidance Do not rely on single control Controls need to increase as risk increases Multi layer Additional controls at different points in transaction/interaction with member Technical (IT/systems) controls 60

61 Updated Authentication Guidance (2) Specific authentication guidance Device identification Challenge questions Multifactor and two factor authentication Out of band authentication 61

62 Controls for Layered Security Control of administrative functions Enhanced controls around payment authorization and verification Positive Pay features Dual authorization Call back verification Detection and response to suspicious activity 62

63 Controls for Layered Security (2) Member awareness and education Explanationof of protections provided and not provided How the financial institution may contact a member on an unsolicited basis A suggestion that commercial online banking members perform assessment and controls evaluation periodically A listing of alternative risk control mechanisms that members may consider implementing to mitigate their own risk A listing of financial institution contacts for members discretionary use to report suspected fraud 63

64 Questions? 64

65 Thank you! 012 CliftonLarsonAllen LLP 20 Randy Romes, CISSP, CRISC, MCP, PCI QSA Principal Information Security Services com

66 Solutions From SANS Report 20 Critical Controls: r_effective_cyber_defense_cag.pdf 1. Inventory of Authorized and Unauthorized Devices Additional Critical Controls (not directly 2. Inventory of Authorized and Unauthorized Software supported by automated 3. Secure Configurations for Hardware and Software on measurement and validation): Laptops, Workstations, and Servers 4. Secure Configurations for Network Devices such as Firewalls, 16. Secure Network Engineering Routers, and Switches 17. Penetration Tests and Red Team 5. Boundary Defense Exercises 6. Maintenance, Monitoring, and Analysis of Security Audit Logs 18. Incident Response Capability 7. Application Software Security 19. Data Recovery Capability 8. Controlled Use of Administrative Privileges 20. Security Skills Assessment and 9. Controlled Access Based on Need to Know Appropriate Training to Fill Gaps 10. Continuous Vulnerability Assessment and Remediation 11. Account Monitoring and Control 12. Malware Defenses 13. Limitation and Control of Network Ports, Protocols, and Services 14. Wireless Device Control 15. Data Loss Prevention 66

67 Common Compliance Requirements Compliance Matrix Resources: mpliance_wp_20.pdf pdf 67

68 Resources Hardening Checklists Hardening checklists from vendors CIS offers vendor neutral hardening resources Microsoft Security Checklists us/library/dd aspx Most of these will be from the BIG software and hardware providers 68

69 Resources In the News Privacy Rights <dot> org Resource for State Laws breach FAQ#10 69

70 References Bank Info Security: com/ FDIC ACH Advisories: i ndex.html SANS report (2009) cyber security risks/summary.php 70 70

71 References Michigan Company sues bank com/s/article/ /michigan sues _bank_over_theft_of_560_000_?taxonomyid=17 phish foiled 2 com/2010/02/comerica phish 2 factor protection/#more 973 Bank sues Texas company 71

72 Examples in the news Google: cloud service outage Microsoft Windows Azure Cloud Suffers Outage; BlameLeap Year... Feb 29, 2012 Microsoft Windows Azure, the software company's cloud computing service, has been suffering through a lengthy outage today, preventing... Amazon gets 'black eye' from cloud outage Computerworld Apr 21, 2011 Keith Shaw chats with Network World's Jon Brodkin about the Amazon EC2 cloud service outage that... 72

73 Examples in the news Chinese Gmail Attack Compromises Hundreds of Accounts June 3, 2012 Earlier this week, Google discovered that a number of its Gmail account user names and passwords of personal accounts bl belonging to senior government officials, i activists, and journalists, had been compromised. The hack appears to have originated from Jinan, China, although Google did not accuse any individuals or governments of orchestrating the attack. 73

74 Examples in the news Cloud Computing Service Outages in t h t / d ti /t /Cl d Computing Major Service Outages In 2011.htm Playstation Network 4/21/11 / 25 days Amazon Web Services 4/21/11 4 days Twitter 2/25, 3/16, 3/25, 3/27 hours at a time Gmail and Google Apps 2/27/11 2 days Intuit Service &Quickbooks 3/28/ days 74

75 References to Specific State Laws Are there state-specific breach listings? Some states have state laws that require breaches to be reported to a centralized data base. These states include Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia s notification law only applies to electronic breaches affecting more than 1,000 residents). However, a number of other states have some level of notification that has been made publicly available, primarily through Freedom of Information requests. These states include California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin. State laws: For details, see the Open Security Foundation Datalossdb website: