Fraud and Social Engineering in Community Banks


Fraud and Social Engineering in Community Banks
Information Security Trends and Strategies
October 2, 2010

Our perspective
LarsonAllen: started in 1953 with a goal of total client service. Today an industry-specialized CPA and advisory firm ranked in the top 20 in the U.S.

LarsonAllen: Randy Romes
Professional student, pizza guy, high school science teacher, hacker, dad.

Cub Scouts, IT Professionals, & Hackers
Cub Scouts: Be Prepared. Camping trip preparation. Road trip!!!

Cub Scouts, IT Professionals, & Hackers
Cub Scouts: Camp Tomahawk. Daily routine. Business as usual.

Cub Scouts, IT Professionals, & Hackers
Cub Scouts: Monday morning, NOT business as usual. (Camp map: Parking, Ecology, Camp Sites, Main Lodge)

Secure System Defined
A secure system is one we can depend on to behave as we expect.
Source: Web Security and Commerce by Simson Garfinkel with Gene Spafford
People, Rules, Tools

How do hackers and fraudsters break in? Social Engineering
What is it? Social engineering uses non-technical attacks to gain information or access to technical systems.
Examples abound in the following movies: Catch Me If You Can; Ocean's 11

How do hackers and fraudsters break in? Social Engineering
Social engineering relies on the following:
- People want to help
- People want to trust
- The appearance of authority
- People want to avoid inconvenience
- Timing, timing, timing

Pretext Phone Calls
"Hi, this is Randy from Comcast. I am working with Dave, and I need your help."
- Name dropping
- Establish a rapport
- Ask for help
- Inject some techno-babble
- Think of a telemarketer's script
Home Equity Line of Credit (HELOC) fraud calls:
- Several phone calls over the course of 2-3 days
- Systematic mining of information
- Calls culminate in a request to wire funds

Email Attacks - Spoofing and Phishing
Impersonate someone in authority and:
- Ask them to visit a web site
- Ask them to open an attachment or run an update
Examples:
- Better Business Bureau complaint: http://scmagazine.com/us/news/article/660941/better-businessbureau-target-phishing-scam/
- Microsoft Security Patch Download: http://www.scmagazine.com/us/news/article/667467/researchers-warn-bogus-microsoft-patch-spam/

Email Phishing - Targeted Attack
Sample message from Randall J. Romes [rromes@larsonallen.com]. Two or three telltale signs. Can you find them?

Email Phishing - Targeted Attack
Fewer telltale signs on fake websites.
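The "telltale signs" the two phishing slides ask the audience to spot can be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the presentation or from LarsonAllen: it parses a raw message with Python's standard email library and reports four common indicators (display name borrowing the bank's domain while the From address is elsewhere, a Reply-To that diverts answers to a third domain, link text that shows one host while the href points at another, and pressure wording in the subject). Both sample messages, the .test/.example addresses and the registrable_domain helper are constructed for the demo.

```python
"""Flag common telltale signs of a phishing email.

Added example, not the presenters' code.  The messages, addresses and
URLs below are constructed for the demo (.test/.example placeholders).
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phish: the display name borrows the bank's domain, the real
# From and Reply-To addresses sit elsewhere, and the link text hides the host.
PHISH = """\
From: "IT Helpdesk (examplebank.test)" <alerts@mail-update.example>
Reply-To: reply@freemail.example
To: teller@examplebank.test
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html

<p>Please verify your credentials immediately to avoid suspension.</p>
<p><a href="http://examplebank.test.mail-update.example/login">https://examplebank.test/login</a></p>
"""

# Constructed legitimate message for comparison.
LEGIT = """\
From: "IT Helpdesk" <helpdesk@examplebank.test>
To: teller@examplebank.test
Subject: Printer maintenance window on Saturday
Content-Type: text/html

<p>Details: <a href="https://examplebank.test/it/notices">https://examplebank.test/it/notices</a></p>
"""

URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)


def registrable_domain(host):
    """Last two DNS labels; a crude stand-in for a public-suffix lookup (hypothetical helper)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def domain_of(address):
    """Domain part of an email address, lower-cased ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def phishing_indicators(raw_message, trusted_domain):
    """Return a list of telltale signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # 1. Display name invokes the trusted domain, but the From address does not.
    if trusted_domain.lower() in display_name.lower() and \
            registrable_domain(from_domain) != registrable_domain(trusted_domain):
        findings.append(f"display name claims {trusted_domain} but sender is {from_domain}")

    # 2. Reply-To diverts answers to a different domain than the From address.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and registrable_domain(domain_of(reply_addr)) != registrable_domain(from_domain):
        findings.append(f"Reply-To {reply_addr} does not match From domain {from_domain}")

    # 3. Link text shows one host while the href points somewhere else.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in LINK_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        if text_host and registrable_domain(href_host) != registrable_domain(text_host):
            findings.append(f"link text shows {text_host} but points at {href_host}")

    # 4. Pressure wording in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("urgency wording in subject: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(raw, "examplebank.test"))
```

Run stand-alone it prints four findings for the constructed phish and none for the legitimate notice. The same checks feed naturally into the "email gateway/filter" item on the later checklist slide; in production the two-label domain helper should be replaced by a public-suffix list lookup, and a finding is a reason to hold or tag a message for review, not proof on its own.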

Physical Penetration
Compromise the site: "Hi, Joe said he would let you know I was coming to fix the printers."
Plant devices:
- Keystroke loggers
- Wireless access point
- Thumb drives ("Switch Blade")
Steal hardware (laptops).
Examples:
http://www.sptimes.com/2007/10/28/business/here_s_how_a_slick_la.shtml
http://www.privacyrights.org/ar/chrondatabreaches.htm

How do we stop the hackers and fraudsters?
People:
- Need to understand their role
- Need to understand policies/standards/procedures
Rules:
- Clear policies and standards
- Validate who people say they are
- Awareness training
Tools:
- Email filters, hardened workstations
- Visitor logs and service calendars

Examples of ACH Fraud
Our client:
- Transfers made on Wednesday and Thursday
- 39 transactions, all under $???
- What happened next
Examples (in the news):
- Bank sues customer
- Customer sues bank

Examples of ACH Fraud
Michigan company sues bank:
http://www.computerworld.com/s/article/9156558/michigan_firm_sues_bank_over_theft_of_560_000_?taxonomyid=17
http://www.krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/#more-973
Bank sues Texas company:
http://www.bankinfosecurity.com/articles.php?art_id=2132

The Boy Scouts Motto: Be Prepared
Incident Response Policy: documentation is readily available beforehand.
- High level: defined processes
- Structured procedures
- Defined communication: chain of command, escalation procedures

10 Things Every Bank Should Have
1. Strong policies: define what is expected
2. Defined user access roles and permissions
3. Vulnerability management process
4. Defined incident response plan and procedures, including data leakage prevention and monitoring, and forensic preparedness
5. Vendor management and due diligence

10 Things Every Bank Should Have (continued)
6. Hardened internal systems (end points)
7. Encryption strategy (end points, mobile media)
8. Well-defined perimeter security: firewall; proxy integration for traffic in AND out; email gateway/filter; intrusion detection/prevention for network traffic, Internet-facing hosts, AND workstations (end points); network segments
9. Centralized audit logging, analysis, and automated alerting capabilities
10. Validation that it all works the way you expect (remember the definition?)
These things should be documented.
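The ACH fraud slides describe the pattern worth alerting on (a burst of transfers over two days, all just under some amount), and item 9 of the checklist asks for centralized logging with automated alerting. The block below is an added example, not the presenters' code, showing one such alert: a sliding-window count of sub-threshold originations per account. The log lines, account ids and the $10,000 / 48-hour / five-transfer parameters are constructed for the demo; a real deployment would take them from the bank's own origination limits and customer baselines.

```python
"""Velocity alert over an ACH origination log: many sub-threshold transfers
from one account in a short window.

Added example, not the presenters' code.  The log lines, account ids and
the $10,000 / 48-hour / 5-transfer parameters are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: ISO timestamp, originating account, destination, amount (USD).
# ACCT-1001 shows the pattern from the slide (a burst of transfers just under
# a round threshold on Wednesday and Thursday); ACCT-2002 is normal activity.
ACH_LOG = """\
2010-09-29T08:05:00,ACCT-1001,DEST-7701,9800.00
2010-09-29T08:12:00,ACCT-1001,DEST-7702,9650.00
2010-09-29T09:30:00,ACCT-2002,PAYROLL,15000.00
2010-09-29T10:41:00,ACCT-1001,DEST-7703,9900.00
2010-09-29T14:02:00,ACCT-1001,DEST-7704,9750.00
2010-09-30T08:15:00,ACCT-1001,DEST-7705,9500.00
2010-09-30T09:00:00,ACCT-2002,VENDOR-12,4200.00
2010-09-30T11:47:00,ACCT-1001,DEST-7706,9875.00
2010-09-30T13:20:00,ACCT-1001,DEST-7707,9600.00
2010-09-30T16:40:00,ACCT-1001,DEST-7708,9925.00
2010-10-01T09:00:00,ACCT-2002,LANDLORD,3100.00
"""


def parse_log(text):
    """Turn the CSV-style lines into records with parsed timestamps and amounts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, dest, amount = line.split(",")
        records.append({"time": datetime.fromisoformat(ts), "account": account,
                        "dest": dest, "amount": float(amount)})
    return records


def detect_bursts(records, threshold=10000.0, window=timedelta(hours=48), min_count=5):
    """Return one alert per account whose sub-threshold transfers reach min_count
    inside any sliding window of the given length (the densest window is reported)."""
    by_account = defaultdict(list)
    for r in records:
        if r["amount"] < threshold:
            by_account[r["account"]].append(r)

    alerts = []
    for account, subs in by_account.items():
        subs.sort(key=lambda r: r["time"])
        best, start = None, 0
        for end in range(len(subs)):
            # Slide the window start forward until the span fits within `window`.
            while subs[end]["time"] - subs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= min_count and (best is None or count > best["count"]):
                best = {
                    "account": account,
                    "count": count,
                    "total": round(sum(r["amount"] for r in subs[start:end + 1]), 2),
                    "first": subs[start]["time"],
                    "last": subs[end]["time"],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(parse_log(ACH_LOG)):
        print(f"{a['account']}: {a['count']} transfers totalling ${a['total']:,.2f} "
              f"between {a['first']} and {a['last']}")
```

On the constructed log this raises one alert, for ACCT-1001 (8 transfers, $78,000.00, all within the 48-hour window), and stays quiet for ACCT-2002. The alert is a trigger for a call-back to the customer on a known number and a hold on the batch, which is also the point of the "ACH positive pay" reference on the later slide; the threshold and window should be tuned per customer rather than set globally.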

Summary
A secure system is one we can depend on to behave as we expect.
Source: Web Security and Commerce by Simson Garfinkel with Gene Spafford
People, Rules, Tools

Summary
Today's attack vectors:
- Email phishing
- Websites with malicious code
- Social engineering
Strategy:
- Strong policies
- Staff awareness
- Hardened systems
- Monitoring
- Validation

Questions?
Randy Romes, CISSP, CRISC, MCP, Principal, LarsonAllen
612-397-3114
rromes@larsonallen.com
www.larsonallen.com/technology
Slides available on our web site: http://www.larsonallen.com/presentations.aspx?taxid=160&sort=descending

Resources - Social Engineering Defined
Per the Hacker's Jargon Dictionary: "Term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords and other information that compromises a system's security."

Insider Threats - Attacks on Users
"Employees pose biggest security risk" - Simple Nomad, SANS NewsBites, July 16, 2007, Vol. 9, Num. 56, TOP OF THE NEWS
http://www.darkreading.com/document.asp?doc_id=129122&wT.svl=cmpnews1_1
SANS 2009 study and security report: http://www.sans.org/top-cyber-security-risks/

Resources - Social Engineering: Attacks on Users
Security Focus two-part series:
http://online.securityfocus.com/infocus/1527
http://online.securityfocus.com/infocus/1533
CERT Advisory CA-1991-04: www.cert.org/advisories/ca-1991-04.html
SANS Institute: http://rr.sans.org/social/social.php

References
http://www.sans.org/top-cyber-security-risks/
http://www.heritage24.com/documents/corporateaccounthijackingfsisacgreenbulletin_20090824_final.pdf
Google: ACH positive pay

In the Media
http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.html
http://www.theregister.co.uk/2005/04/13/sumitomo_bank/
http://www.channelregister.co.uk/2005/03/17/sumitomo_cyber-heist_foiled/

Resources - Hardening Checklists
- Hardening checklists from vendors
- CIS offers vendor-neutral hardening resources: http://www.cisecurity.org/
- Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
Most of these will be from the BIG software and hardware providers.

Resources
Computer Security Institute: http://www.gocsi.com/soceng.htm
Methods of Hacking: Social Engineering, by Rick Nelson: http://www.isr.umd.edu/gemstone/infosec/ver2/papers/socialeng.html
Computer Security Institute: http://www.sptimes.com/2007/10/28/business/here_s_how_a_slick_la.shtml

PCI Standards
- Quarterly vulnerability scan by an Approved Scanning Vendor (ASV)
- Quarterly test of wireless network security
- Annual DSS assessment, by a QSA if Level 1
- Annual penetration test (not a vulnerability scan): external and internal
https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf