Protecting Your Religious Organization Against Cybercrime

Transcription

1 Protecting Your Religious Organization Against Cybercrime A State of the Union CLAconnect.com

2 Disclaimers The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, or tax advice or opinion provided by CliftonLarsonAllen LLP to the user. The user also is cautioned that this material may not be applicable to, or suitable for, the user s specific circumstances or needs, and may require consideration of non-tax and other tax factors if any action is to be contemplated. The user should contact his or her CliftonLarsonAllen LLP or other tax professional prior to taking any action based upon this information. CliftonLarsonAllen LLP assumes no obligation to inform the user of any changes in tax laws or other factors that could affect the information contained herein.

3 Housekeeping If you are experiencing technical difficulties, please dial: Q&A session will be held at the end of the presentation. Your questions can be submitted via the Questions Function at any time during the presentation. The PowerPoint presentation, as well as the webinar recording, will be sent to you within the next 10 business days. Please complete our online survey.

4 About CliftonLarsonAllen A professional services firm with three distinct business lines Wealth Advisory Outsourcing Audit, Tax, and Consulting 3,600 employees Offices coast to coast Nonprofit group serves 6,000 clients across the country

5 Speaker Introduction Randy Romes Consultant for over 16 years with a strong background in computer technology, physics, and education. Leads a team of technology and industry specialists providing IT audits and security assessments for clients in a wide range of industries and diverse operating environments. Involved in the development of many leading edge hacking/testing methods and the development of numerous security service offerings Featured speaker at national conferences and training sessions related to information and security management

6 Learning Objectives At the end of this webinar, you will be able to: Recognize the most common methods of cyberattack Identify the signs of spear phishing and ransomware, and the impact it might have on your organization Evaluate what steps you can take to protect your organization, parishioners /donors, and employees against cyberattack 6

7 Risk Themes Hackers have monetized their activity More hacking More sophistication More hands-on effort Smaller organizations targeted Hackers targeting small and medium sized organizations Religious organizations are NOT exempt 7

8 Mitigation Themes Employees that are aware and savvy Networks and computers systems that are resistant to malware Relationships with banks maximized 8

9 Three Largest Trends Organized Crime Wholesale theft of personal financial information and identity information CATO Corporate Account Takeover Use of online credentials for ACH, CC and wire fraud NOT just corporations anyone with online banking/cash management (i.e. electronic payroll) Ransomware 9

10 Theft of PFI Target Home Depot Goodwill/Jimmy Johns University of Maryland University of Indiana Neiman Marcus PF Chang Dairy Queen Sally Beauty Harbor Freight Southern MN Medical Center Community Health Systems Anthem 10

11 Stolen Card Data Carder or Carding websites Dumps vs CVV s A peek inside a carding operation: 11

12 Corporate Account Takeover What do the following all have in common? Catholic church parish Public university system Lutheran college Main Street newspaper stand Electrical contractor Trade association Rural hospital Community college Large mid-west Archdiocese On and on and on and on.. 12

13 CATO Lawsuits - UCC a payment order received by the [bank] is effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. 13

14 CATO Lawsuits - UCC Tennessee Electric vs TriSummit Bank $327,804 stolen via ACH through CATO Internet banking site was down DOS? Tennessee Electric asserting TriSummit processed bogus ACH file without any call back 14

15 CATO Lawsuits - UCC Choice Escrow vs BancorpSouth $440,000 stolen via single wire through CATO CE passed on dual control offered by the bank Court ruled in favor of bank CE attorneys failed to demonstrate bank s procedures were not commercially reasonable 15

16 CATO Defensive Measures Multi-layer authentication Multi-factor authentication Out of band authentication Positive pay ACH block and filter IP address filtering Dual control Activity monitoring 16

17 Ransomware Malware encrypts everything it can interact with i.e. anything the infected user has access to CryptoLocker Kovter Also displays and adds child pornography images 17

18 Ransomware May 20, 2014 Ransomware attacks doubled in last month (7,000 to 15,000) cryptolocker-goes-spear-phishing-infections-soarwarns-knowbe4-a html 18

19 Ransomware Zip file is preferred delivery method Helps evade virus protection Working (tested) backups are key 19

20 The Cost? Norton/Symantec Corp: Cost of global cybercrime: $388 billion Global black market in marijuana, cocaine and heroin combined: $288 billion 2014 Ponemon Institute Research Report Cost per stolen record increased from $188 to $201 Total Average Cost paid by organizations increased from $5.4M to $5.9M Average # of breached records is 29,087 20

21 Intrusion Analysis Blocking and tackling Intrusion Analysis: TrustWave Annual breach analysis report Intrusion Analysis: Verizon Business Services Annual breach analysis report Intrusions are preventable with simple and/or intermediate controls! 21

22 Keys to Successful Breaches

23 Keys to Successful Breaches Reliance/dependence on 3 rd party service providers is at root of most breaches 23

24 Verizon Report is analysis of intrusions investigated by Verizon and US Secret Service. KEY POINTS: Time from successful intrusion to compromise of data was days to weeks. Log files contained evidence of the intrusion attempt, success, and removal of data. Most successful intrusions were not considered highly difficult. 24

25 Spear Phishing Second Generation phishing Goal is to root the network Install malware Log system activity to harvest passwords Use automated tools to execute fraudulent payments Trick users into supplying credentials (passwords) 25

26 SANS Client Side Vulnerabilities Client side vulnerabilities Missing operating system patches Missing application patches Apple QuickTime Java Vulnerabilities MS Office Applications Adobe Vulnerabilities (PDF, Flash, etc ) Objective is to get the users to Open the door 26

27 Spear Phishing Success Factors With so much money at stake hackers are putting in more effort to increase the likelihood that the ed link will be followed: Spoof the to appear that it comes from someone in authority Create a customized text that combines with the spoofing to create pressure to act quickly (without thinking) 27

28 Phishing Targeted Attack Randall J. Romes Two or Three telltale signs Can you find them? 28

29 Phishing Targeted Attack Randall J. Romes Two or Three telltale signs Can you find them? 29

30 Phishing Targeted Attack Fewer tell tale signs on fake websites 30

31 Phishing Targeted Attack Fewer tell tale signs on fake websites 31

32 Phishing Common Attack 32

33 10 Key Defensive Measures Training is Critical (but not easy) CLAconnect.com

34 Strategies Our information security strategy should have the following objectives: Users who are more aware and savvy Networks and computer systems that are resistant to malware Relationship with our FI is maximized 34

35 Ten Keys to Mitigate Risk 1. Strong Policies - use Website links Removable media Business operations Insurance 35

36 Ten Keys to Mitigate Risk 2. Defined user access roles and permissions Principal of minimum access and least privilege Users should NOT have system administrator rights Local Admin in Windows should be removed (if practical) NO or internet browsing with Admin credentials 36

37 Ten Keys to Mitigate Risk 3. Hardened internal systems (end points) Hardening checklists (see references/resources) Turn off unneeded services Change default password Use Strong Passwords 37

38 Ten Keys to Mitigate Risk 4. Encryption strategy data centered Laptops and desktops Thumb drives enabled cell phones Mobile media Data at rest??? Donor data 38

39 Ten Keys to Mitigate Risk 5. Vulnerability management process IT needs dedicated time and resources Operating system patches Application patches Testing to validate effectiveness belt and suspenders 39

40 Ten Keys to Mitigate Risk 6. Well defined security layers: Network segments gateway/filter Firewall Proxy integration for traffic in AND out Intrusion Detection/Prevention for network traffic, Internet facing hosts, AND workstations (end points) 40

41 Ten Keys to Mitigate Risk 7. Centralized audit logging, analysis, and automated alerting capabilities Routing infrastructure Authentication Servers Applications 41

42 Ten Keys to Mitigate Risk 8. Defined Incident Response Be prepared Including data leakage prevention and monitoring Up to date documentation Forensic preparedness 42

43 Ten Keys to Mitigate Risk 9. Know / use Online Banking Tools Multi-factor authentication Dual control / verification Out of band verification / call back thresholds ACH positive pay ACH blocks and filters Review contracts relative to all these Monitor account activity daily Isolate the PC used for wires/ach 43

44 Ten Keys to Mitigate Risk 10. Test, Test, Test Belt and suspenders approach Penetration testing Internal and external Social engineering testing Simulate spear phishing Application testing Test the tools with your bank Test internal processes 44

45 Questions? Randy Romes, Principal Information Security Services Group *** (612)

46 Three Security Reports Trends: Sans 2009 Top Cyber Security Threats Intrusion Analysis: TrustWave (Annual) Intrusion Analysis: Verizon Business Services (Annual) 46

47 Resources Hardening Checklists Hardening checklists from vendors CIS offers vendor-neutral hardening resources Microsoft Security Checklists Most of these will be from the BIG software and hardware providers 47

48 Thank you Randy Romes, Principal CLAconnect.com twitter.com/ CLAconnect facebook.com/ cliftonlarsonallen linkedin.com/company/ cliftonlarsonallen 48