Cyber Fraud What can you do about it?

Transcription:

Cyber Fraud: What can you do about it?
Eric Wright, Shareholder
June 10, 2014

What is Cyber Fraud?
NetLingo definition: Cyber fraud refers to any type of deliberate deception for unfair or unlawful gain that occurs online.
Key: PROTECTING INFORMATION
Threats are not limited to Internet hackers:
- Social engineering
- Phishing
- Disgruntled employees
- Human error
- Theft
- Misuse
- Manipulation
- Damage
- Loss

What Cyber Criminals Steal, and Why
- Bank credentials: theft of funds
- Personally Identifiable Information (PII): identity theft
- Debit/credit card data: access to credit, sale of data
- Intellectual property, data, other content: blackmail, sale of data, avoiding IP royalties, sabotage

Verizon Data Breach Report: Takeaways
- 92% of breaches came from outside the organization
- 55% from organized crime
- 19% from state-affiliated actors
- 75% of breaches driven by financial motives
- 76% exploited weak or stolen credentials
- 69% discovered by external parties
- 66% took months or more to discover

Verizon Data Breach Report: Other Takeaways
- 19% of attacks combined multiple techniques (phishing, malware, hacking, etc.)
- 75% of attacks were opportunistic (companies not targeted directly)
- 78% of intrusions took little or no special skills/resources

Verizon Data Breach Report: Industry Dispersion (figure)

Verizon Data Breach Report: Attack Origin (figure)

Verizon Data Breach Report: Malware Sources (figure)

Attackers' Time to Exploit Vulnerability versus Organization's Ability to Defend (figure; source: Verizon Risk)

Notable Data Breaches in US History
- 2014: USX, ATI, UPMC, Westinghouse, Alcoa (employee information and intellectual property)
- 2013: Target, 110 million customers (40 million credit cards)
- 2013: Adobe Systems, 130 million customers
- 2011: Sony, 77 million customers
- 2008: Heartland Payment Systems, 130 million customers
- 2007: TJX Companies, 94 million customers (46 million credit cards)
- 1984: TRW/Sears, 90 million customers
Source: CNN Money

Where is this happening?
Continent | Percent of online transactions hacked | Sites targeted | Data stolen
--- | --- | --- | ---
Africa | 7% | Online dating, retail | Identities, credit cards
Asia | 5% | Retail, online dating, gambling | Credit cards, identities, gold farming
South America | 4% | Retail, online dating | Credit cards, identities
Europe | 2% | Evenly spread | Identities
North America | 1% | Retail, gaming, financial services | Credit cards, identities, accounts

Target Breach (figure)

Target Response to Hack
Target had already deployed a $1.6 million malware detection tool (FireEye), with round-the-clock monitoring from security specialists in Bangalore.
- November 30: FireEye detects loading of exfiltration software. Target security team in Minneapolis notified; no action taken.
- Mid December: Security experts monitoring underground markets for stolen data detect a large influx of credit card information. US Department of Justice notified.
- December 12: Target notified by the Department of Justice of a potential breach.
- December 15: Target confirms breach.
- December 19: Target releases public statement confirming breach.
- March 5: Target CIO Beth Jacob resigns.

Target Control Failures (figure)

Target Breach: Inherent Flaws
Flaws in system design:
- Lack of network segmentation
- Lack of encryption of credit card data while stored in RAM
Flaws in internal control:
- Lack of third-party oversight and compliance
- Lack of monitoring and reaction

Target Breach: Limitations in Audit Approach
- Audits take only a snapshot of an organization's security
- Auditors rely on the organization to provide timely, accurate and complete information about systems
- Inherent time/resource limitations
- Over-reliance on the PCI standard (Gartner analyst: "PCI standard is weak")
  - Data in transit over a private network does not have to be encrypted
  - Data at rest in RAM does not have to be encrypted

Is Your Organization Prepared? (figure; source: IIA Tone at the Top, April 2014)

What can you do to minimize your risks?
- Design and implement a security plan
- Respond to threats
- Maintain vigilance and level of knowledge
- Identify, understand and respond to changes in your operating environment

Steps for an Effective Cybersecurity Defense
1. Adopt a Framework
2. Understand the Environment
3. Assess Risk
4. Establish Audit Objectives
5. Planning and Scoping
6. Perform the Audit
7. Identify/Remediate Vulnerabilities
8. Monitor/Refresh

1. Adopt a Framework: Examples
- ISO 27000 Series
- Department of Energy Cybersecurity Capability Maturity Model (C2M2)
  - Electricity Subsector (ES-C2M2)
  - Oil and Gas Subsector (ONG-C2M2)
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Roadmap for Improving Critical Infrastructure Cybersecurity
- National Initiative for Cybersecurity Education (NICE) Capability Maturity Model (CMM)
- ISACA: Transforming Cybersecurity Using COBIT 5

1. Areas Covered in C2M2
- Risk management
- Asset, change, and configuration management
- Identity and access management
- Threat and vulnerability management
- Situational awareness
- Information sharing and communications
- Event and incident response, continuity of operations
- Supply chain and external dependencies management
- Workforce management
- Cybersecurity program management

1. C2M2 Maturity Levels (figure)

1. C2M2 Recommended Approach (figure)

1. NIST Framework Objectives
- Identify: Asset Management, Governance, Risk Assessment
- Protect: ITGCs (Access Control), Awareness and Training, Data Security, Information/Asset Protection, Maintenance, Protective Technology
- Detect: Monitoring
- Respond: Planning, Communications, Analysis, Mitigation
- Recover: Improvement

2. Understand the Environment
Operating environment:
- Hardware type and location
- Applications
- Databases
- File systems
- Security
- Network architecture
- Third parties
- Middleware

2. Start with Asset Identification
Identify all assets:
- Databases
- Files
- Servers
- Applications
- Hardware
- Web sites
Asset classification:
- Location
- Owner
- Usage
- Type
- Status
- Risk level

3. Assess Risk
- Identify risks (interviews, artifact review)
- Assign risk ranking
- Determine risk tolerance
- Address areas at or above threshold
- Isolate/note threats covered by standard ITGCs
- Look at external and internal threats, and differentiate between them
- Added emphasis on areas inherent to cybersecurity
- Identify recent/ongoing changes in the environment

3. Assessing Risk: Common Mistakes
- Not understanding the environment (see step 2)
- Avoiding unfamiliar technical content
- Underestimating the complexity of cybersecurity threats and/or overestimating management's knowledge of network architectures
- Not allocating sufficient time for a comprehensive review
- Making assumptions about IS's level of knowledge/proficiency (taking them at their word)
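As an added illustration of steps 2 and 3 (asset identification and classification, then risk ranking against a tolerance threshold), here is a small Python risk register. It is not part of the presentation: the asset records, threat list, 1-to-5 likelihood/impact scale, the likelihood-times-impact ranking and the tolerance value are all constructed for the example. It also shows the first "common mistake" in code form: a threat raised against an asset that is not in the inventory cannot be ranked and is reported as a gap in the environment understanding instead of being silently scored.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Asset classification fields from the 'Start with Asset Identification' slide."""
    name: str
    asset_type: str   # database, file share, server, application, hardware, web site
    location: str
    owner: str
    usage: str
    status: str       # production, test, retired


@dataclass(frozen=True)
class Threat:
    """One identified risk, as gathered from interviews and artifact review."""
    asset: str              # name of the inventoried asset the threat applies to
    description: str
    source: str             # "external" or "internal" (kept separate, per the slide)
    likelihood: int         # constructed scale: 1 (rare) .. 5 (almost certain)
    impact: int             # constructed scale: 1 (negligible) .. 5 (severe)
    covered_by_itgc: bool = False   # already handled by a standard IT general control


def risk_score(threat):
    """Risk ranking assumed here: likelihood x impact, giving a 1..25 score."""
    for value in (threat.likelihood, threat.impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must be on the 1..5 scale")
    return threat.likelihood * threat.impact


def assess_risk(assets, threats, tolerance):
    """Rank threats and return those at or above tolerance, split by source.

    Threats already covered by standard ITGCs are set aside rather than ranked, and
    threats against assets missing from the inventory are reported as unknown assets
    (step 2 is incomplete), since nothing can be ranked without an owner and usage.
    """
    inventory = {a.name: a for a in assets}
    report = {"unknown_assets": [], "itgc_covered": [], "external": [], "internal": []}
    for t in threats:
        if t.asset not in inventory:
            report["unknown_assets"].append(t.asset)
            continue
        if t.source not in ("external", "internal"):
            raise ValueError(f"unknown threat source {t.source!r}")
        if t.covered_by_itgc:
            report["itgc_covered"].append((t.asset, t.description))
            continue
        score = risk_score(t)
        if score >= tolerance:               # "address areas at or above threshold"
            report[t.source].append((score, t.asset, t.description))
    for key in ("external", "internal"):
        report[key].sort(reverse=True)       # highest-ranked first
    return report


# Constructed sample inventory and threat list (not from any real organization).
ASSETS = [
    Asset("cardholder-db", "database", "DC-1", "payments team", "card processing", "production"),
    Asset("pos-terminals", "hardware", "stores", "retail ops", "point of sale", "production"),
    Asset("vendor-portal", "web site", "DMZ", "procurement", "supplier access", "production"),
    Asset("hr-fileshare", "file share", "HQ", "HR", "employee records", "production"),
]
THREATS = [
    Threat("pos-terminals", "memory-scraping malware on registers", "external", 4, 5),
    Threat("vendor-portal", "stolen third-party credentials", "external", 4, 4),
    Threat("cardholder-db", "flat network lets a compromised host reach the DB", "internal", 3, 5),
    Threat("hr-fileshare", "disgruntled employee copies records", "internal", 2, 4),
    Threat("hr-fileshare", "password policy not enforced", "internal", 3, 3, covered_by_itgc=True),
    Threat("legacy-ftp", "anonymous upload enabled", "external", 5, 3),   # not in inventory
]
TOLERANCE = 12   # constructed: scores of 12 and above must be addressed

if __name__ == "__main__":
    result = assess_risk(ASSETS, THREATS, TOLERANCE)
    for bucket in ("external", "internal"):
        print(f"{bucket} threats at/above tolerance {TOLERANCE}:")
        for score, asset, desc in result[bucket]:
            print(f"  {score:2d}  {asset:15s} {desc}")
    print("set aside as ITGC-covered:", result["itgc_covered"])
    print("threats against assets missing from inventory:", result["unknown_assets"])
```

Keeping external and internal threats in separate lists, and keeping ITGC-covered items visible rather than dropping them, mirrors the slide's advice to differentiate the two sources and to isolate what the standard controls already handle; the unknown-asset list is the signal to go back to step 2 before finishing the ranking.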

3. What's Wrong With This Picture? (figure)

3. Typical Network Security Audit Questions
- Security policy?
- Network diagram?
- Firewall and intrusion detection/prevention?
- DMZ?
- Anti-virus/malware/spam filters?
- Server and workstation hardening standards?
- Vulnerability scan and penetration test performed?
- Logging and monitoring?

Recommendation: Tone at the Top
- Create and reinforce the perception/understanding of cybersecurity threats
- Established, supported and communicated by senior management
- Establish awareness that controls and processes have been specifically designed to prevent attacks
- New hire orientation
- Ongoing awareness and communication
- Visible to the organization

Other Recommendations
- Ongoing security education and involvement of management and staff
- Integrate cyber risk strategy into the organization's strategic plan
- Have a team/person dedicated to managing cyber threats
- Identify areas of high risk and train internal/external resources to monitor and manage
- Automate as much as possible
- Collaborate internally AND externally

Questions