Fraud and Social Engineering in Community Banks

Transcription

1 Fraud and Social Engineering in Community Banks Information Security Trends and Strategies October 2,

2 Our perspective LarsonAllen Started in 1953 with a goal of total client service Today, industry specialized CPA and Advisory firm ranked in the top 20 in the U.S. 2

3 LarsonAllen Randy Romes Professional Student Pizza Guy High School Science Teacher Hacker Dad 3

4 Cub Scouts, IT Professionals, & Hackers Cub Scouts Be Prepared Camping Trip Preparation Road Trip!!! 4

5 Cub Scouts, IT Professionals, & Hackers Cub Scouts Camp Tomahawk Daily Routine Business as Usual 5

6 Cub Scouts, IT Professionals, & Hackers Cub Scouts Monday Morning NOT Business as usual Parking X Ecology Camp Sites Main Lodge 6

7 Secure System Defined: A secure system is one we can depend on to behave as we expect. Source: Web Security and Commerce by Simson Garfinkel with Gene Spafford People Rules Tools ` 7

8 How do hackers and fraudsters break in? Social Engineering What is it? Social Engineering uses non-technical attacks to gain information or access to technical systems Examples abound in the following movies: Catch Me If You Can Oceans 11 8

9 How do hackers and fraudsters break in? Social Engineering relies on the following: People want to help People want to trust The appearance of authority People want to avoid inconvenience Timing, timing, timing 9

10 Pre-text Phone Calls Hi, this is Randy from Comcast. I am working with Dave, and I need your help Name dropping Establish a rapport Ask for help Inject some techno-babble Think telemarketers script Home Equity Line of Credit (HELOC) fraud calls Several phone calls over the course of 2-3 days Systematic mining of information Calls culminate in request to wire funds 10

11 Attacks - Spoofing and Phishing Impersonate someone in authority and: Ask them to visit a web-site Ask them to open an attachment or run update Examples Better Business Bureau complaint Microsoft Security Patch Download -warn-bogus-microsoft-patch-spam/ 11

12 Phishing Targeted Attack Randall J. Romes Two or Three telltale signs Can you find them? 12

13 Phishing Targeted Attack Fewer tell tale signs on fake websites 13

14 Physical Penetration Compromise the site: Hi, Joe said he would let you know I was coming to fix the printers Plant devices: Keystroke loggers Wireless access point Thumb drives ( Switch Blade ) Examples Steal hardware (laptops)

15 How we stop the hackers and fraudsters? People Need to understand their role Need to understand policies/standards/procedures Rules Clear policies and standards Validate who people say they are Awareness training Tools filters, hardened workstations Visitor logs and service calendars 15

16 Examples of ACH Fraud Our client Transfers made on Wednesday and Thursday 39 transactions all under $??? What happened next Examples (in the news): Bank sues customer Customer sues bank 16

17 Examples of ACH Fraud Michigan Company sues bank es_bank_over_theft_of_560_000_?taxonomyid=17 factor-protection/#more-973 Bank sues Texas company 17

18 The Boy Scouts Motto: Be Prepared Incident Response Policy Documentation is readily available BEFORE hand High Level Defined Processes Structured Procedures Defined communication Chain of command Escalation procedures 18

19 10 Things Every Bank Should Have 1. Strong Policies Define what is expected 2. Defined user access roles and permissions 3. Vulnerability management process 4. Defined incident response plan and procedures Including Data leakage prevention and monitoring Forensic preparedness 5. Vendor management and due dilligence 19

20 10 Things Every Bank Should Have 6. Hardened internal systems (end points) 7. Encryption strategy (end points, mobile media) 8. Well defined perimeter security: Firewall Proxy integration for traffic in AND out gateway/filter Intrusion Detection/Prevention for network traffic, Internet facing hosts, AND workstations (end points) Network segments 9. Centralized audit logging, analysis, and automated alerting capabilities 10. Validation that it all works the way you expect (remember the definition?) These things should be documented 20

21 Summary A secure system is one we can depend on to behave as we expect. Source: Web Security and Commerce by Simson Garfinkel with Gene Spafford People Rules ` Tools 21

22 Summary Today s attack vectors: Phishing Websites with malicious code Social engineering Strategy: Strong policies Staff awareness Hardened systems Monitoring Validation 22

23 Questions? Randy Romes, CISSP, CRISC, MCP Principal LarsonAllen Slides available on our web site. 23

24 Resources - Social Engineering Defined Per the Hacker s Jargon Dictionary: Term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords and other information that compromises a system s security. 24

25 Insider Threats - Attacks on Users Employees pose biggest security risk Simple Nomad SANS NewsBites July 16, 2007 Vol. 9, Num. 56 TOP OF THE NEWS T.svl=cmpnews1_1 SANS 2009 study and security report: 25

26 Resources Social Engineering: Attacks on Users Security Focus 2 part series: CERT Advisory CA SANS Institute: 26

27 References eaccounthijackingfsisacgreenbulletin_ _final.pdf Google: ACH positive pay 27

28 In the Media 9/10/fbi_cyber_gangs_stole_40mi.html mu_bank/ mitomo_cyber-heist_foiled/ 28

29 Resources Hardening Checklists Hardening checklists from vendors CIS offers vendor-neutral hardening resources Microsoft Security Checklists Most of these will be from the BIG software and hardware providers 29

30 Resources Computer Security Institute: Methods of Hacking: Social Engineering by Rick Nelson Computer Security Institute: 30

31 PCI Standards Quarterly vulnerability scan by an Approved Scanning Vendor (ASV) Quarterly test wireless network security Annual DSS Assessment By QSA if level 1 Annual Penetration Test (not vulnerability scan) External Internal And 31