Fraud and Social Engineering in Community Banks
Information Security Trends and Strategies
October 2, 2010

Our perspective
LarsonAllen
- Started in 1953 with a goal of total client service
- Today, industry specialized CPA and Advisory firm ranked in the top 20 in the U.S.

LarsonAllen
Randy Romes
- Professional Student
- Pizza Guy
- High School Science Teacher
- Hacker
- Dad
Cub Scouts, IT Professionals, & Hackers
Cub Scouts: Be Prepared
- Camping Trip Preparation
- Road Trip!!!

Cub Scouts, IT Professionals, & Hackers
Cub Scouts: Camp Tomahawk
- Daily Routine
- Business as Usual

Cub Scouts, IT Professionals, & Hackers
Cub Scouts: Monday Morning
- NOT Business as usual
(camp map: Parking, X, Ecology, Camp Sites, Main Lodge)
Secure System Defined:
A secure system is one we can depend on to behave as we expect.
Source: Web Security and Commerce by Simson Garfinkel with Gene Spafford
People / Rules / Tools
How do hackers and fraudsters break in?
Social Engineering: What is it?
- Social Engineering uses non-technical attacks to gain information or access to technical systems
- Examples abound in the following movies: Catch Me If You Can, Oceans 11

How do hackers and fraudsters break in?
Social Engineering relies on the following:
- People want to help
- People want to trust
- The appearance of authority
- People want to avoid inconvenience
- Timing, timing, timing

Pre-text Phone Calls
"Hi, this is Randy from Comcast. I am working with Dave, and I need your help."
- Name dropping
- Establish a rapport
- Ask for help
- Inject some techno-babble
- Think telemarketer's script
Home Equity Line of Credit (HELOC) fraud calls
- Several phone calls over the course of 2-3 days
- Systematic mining of information
- Calls culminate in a request to wire funds
Email Attacks - Spoofing and Phishing
Impersonate someone in authority and:
- Ask them to visit a web-site
- Ask them to open an attachment or run an update
Examples
- Better Business Bureau complaint
  http://scmagazine.com/us/news/article/660941/better-businessbureau-target-phishing-scam/
- Microsoft Security Patch Download
  http://www.scmagazine.com/us/news/article/667467/researchers-warn-bogus-microsoft-patch-spam/

Email Phishing Targeted Attack
Randall J. Romes [rromes@larsonallen.com]
Two or three telltale signs. Can you find them?

Email Phishing Targeted Attack
Fewer telltale signs on fake websites
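The telltale signs the slides ask the audience to spot can also be checked mechanically at the mail gateway or in a user-reporting workflow. The following is an added example, not code from the presentation or from LarsonAllen: it parses a raw message with the Python standard library and reports the classic signs (display name claims an organisation whose domain the sender address is not in, Reply-To pointing at a third domain, pressure language in the subject, and link text showing one domain while the href goes to another). Both messages are constructed; example.com, example.net and example.org are reserved documentation domains and "Example Bank" is a placeholder organisation.

```python
"""Heuristic check for the tell-tale signs of a phishing email.

Added example (not from the original presentation or from LarsonAllen).
The two messages below are constructed; example.com / example.net /
example.org are reserved documentation domains and "Example Bank" is a
placeholder organisation.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Words that pressure the reader into acting before thinking (constructed list).
URGENCY_WORDS = ("urgent", "immediately", "suspend", "24 hours", "verify your account")

# Constructed lure: lookalike sender, different Reply-To, mismatched link.
PHISH_EMAIL = b"""\
From: "Example Bank Security" <alerts@example.net>
Reply-To: helpdesk@example.org
To: randy@example.com
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Please verify your account at
<a href="http://login.example.org/verify">https://www.example.com/secure</a>
or open the attached update.</p></body></html>
"""

# Constructed legitimate message from the bank's real domain.
LEGIT_EMAIL = b"""\
From: "Example Bank" <alerts@example.com>
To: randy@example.com
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at
<a href="https://www.example.com/statements">www.example.com</a> to view it.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Host part of an email address, URL, or bare domain, lower-cased."""
    value = value.strip()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _base_domain(host):
    """Crude registrable domain: the last two labels (enough for the sample)."""
    return ".".join(host.split(".")[-2:])


def _looks_like_url(text):
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None


def check_message(raw, org_name, org_domains):
    """Return a list of human-readable findings; an empty list means no sign fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    from_host = _host(addr)
    if org_name.lower() in display.lower() and from_host not in org_domains:
        findings.append(f"display name claims {org_name!r} but sender domain is {from_host}")

    reply_to = msg.get("Reply-To")
    if reply_to and _host(parseaddr(str(reply_to))[1]) != from_host:
        findings.append("Reply-To domain differs from From domain")

    if any(word in str(msg.get("Subject", "")).lower() for word in URGENCY_WORDS):
        findings.append("subject uses urgency/pressure language")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if _looks_like_url(text) and _base_domain(_host(href)) != _base_domain(_host(text)):
                findings.append(f"link text shows {_host(text)} but href goes to {_host(href)}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, check_message(raw, "Example Bank", {"example.com"}))
```

The lure fires all four findings while the legitimate statement notice fires none. Treat the output as triage input rather than a verdict: a well-built fake site (the next slide's point) leaves fewer signs in the message body, so the display-name and Reply-To checks carry more weight than the link check.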
Physical Penetration
Compromise the site:
- "Hi, Joe said he would let you know I was coming to fix the printers"
Plant devices:
- Keystroke loggers
- Wireless access point
- Thumb drives (Switch Blade)
Examples
- Steal hardware (laptops)
  http://www.sptimes.com/2007/10/28/business/here_s_how_a_slick_la.shtml
  http://www.privacyrights.org/ar/chrondatabreaches.htm
How do we stop the hackers and fraudsters?
People
- Need to understand their role
- Need to understand policies/standards/procedures
Rules
- Clear policies and standards
- Validate who people say they are
- Awareness training
Tools
- Email filters, hardened workstations
- Visitor logs and service calendars
Examples of ACH Fraud
Our client
- Transfers made on Wednesday and Thursday
- 39 transactions all under $???
- What happened next
Examples (in the news):
- Bank sues customer
- Customer sues bank

Examples of ACH Fraud
Michigan company sues bank
- http://www.computerworld.com/s/article/9156558/michigan_firm_sues_bank_over_theft_of_560_000_?taxonomyid=17
- http://www.krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/#more-973
Bank sues Texas company
- http://www.bankinfosecurity.com/articles.php?art_id=2132
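The client case above has a recognisable shape: dozens of transfers over two days, each kept under some amount, to beneficiaries the customer had never paid. That shape is what a bank's own monitoring (or an ACH positive-pay review, which the references later mention) can look for before the batch settles. The following is an added example, not code from the presentation or from LarsonAllen: it groups outbound ACH transfers by originating customer, finds each customer's densest two-day run of sub-threshold transfers, and raises an alert when the run is long enough, noting how many beneficiaries are new. The review threshold is a placeholder because the slide elides the real figure, the two-day window mirrors the slide's Wednesday/Thursday pattern, and every transaction and account id is constructed.

```python
"""Detect structuring in outbound ACH batches.

Added example, not from the presentation or from LarsonAllen. The review
threshold is a placeholder (the slide does not give the real figure), the
two-day window mirrors the slide, and every transaction is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class AchTransfer:
    originator: str    # the bank customer's account (constructed ids)
    beneficiary: str   # receiving account (constructed ids)
    amount: float
    posted: date


REVIEW_THRESHOLD = 5_000.00  # placeholder: the slide does not give the real figure
WINDOW_DAYS = 2              # the slide's "Wednesday and Thursday"
MIN_COUNT = 10               # sub-threshold transfers in one window that trigger review

# Beneficiaries each originator paid before the review period (constructed).
KNOWN_BENEFICIARIES = {
    "CUST-001": {"UTILITY-01"},
    "CUST-002": {"PAYROLL-01", "PAYROLL-02"},
}


def sample_transfers():
    """Constructed batch: one compromised customer, one behaving normally."""
    wed, thu = date(2010, 9, 29), date(2010, 9, 30)
    suspicious = [
        AchTransfer("CUST-001", f"NEWBENE-{n:02d}", 4_000.0 + 75.0 * n, wed if n % 2 else thu)
        for n in range(1, 13)
    ]
    normal = [
        AchTransfer("CUST-002", "PAYROLL-01", 3_250.0, wed),
        AchTransfer("CUST-002", "PAYROLL-02", 2_980.0, wed),
        AchTransfer("CUST-001", "UTILITY-01", 640.0, thu),
    ]
    return suspicious + normal


def find_structuring(transfers, known_beneficiaries, threshold=REVIEW_THRESHOLD,
                     window_days=WINDOW_DAYS, min_count=MIN_COUNT):
    """One alert per originator whose densest window_days-long run of
    sub-threshold transfers contains at least min_count of them."""
    by_originator = defaultdict(list)
    for t in transfers:
        if t.amount < threshold:
            by_originator[t.originator].append(t)

    alerts = []
    for originator, items in by_originator.items():
        items.sort(key=lambda t: t.posted)
        best = []
        for i, first in enumerate(items):
            # Window runs from this transfer's day through window_days - 1 days later.
            last_day = first.posted + timedelta(days=window_days - 1)
            window = [t for t in items[i:] if t.posted <= last_day]
            if len(window) > len(best):
                best = window
        if len(best) < min_count:
            continue
        known = known_beneficiaries.get(originator, set())
        new_benes = {t.beneficiary for t in best} - known
        alerts.append({
            "originator": originator,
            "window_start": best[0].posted,
            "window_end": best[-1].posted,
            "count": len(best),
            "total": round(sum(t.amount for t in best), 2),
            "new_beneficiaries": len(new_benes),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_structuring(sample_transfers(), KNOWN_BENEFICIARIES):
        print(alert)
```

On the constructed batch only CUST-001 alerts: thirteen sub-threshold transfers across the two days, twelve of them to never-before-seen beneficiaries. The count and window parameters are the knobs a bank tunes against its own customers' normal payroll and vendor activity; the new-beneficiary count is usually the stronger signal, since a legitimate payroll run pays accounts the bank has already seen.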
The Boy Scouts Motto: Be Prepared
Incident Response Policy
- Documentation is readily available BEFOREHAND
- High Level Defined Processes
- Structured Procedures
- Defined communication
  - Chain of command
  - Escalation procedures
10 Things Every Bank Should Have
1. Strong policies: define what is expected
2. Defined user access roles and permissions
3. Vulnerability management process
4. Defined incident response plan and procedures, including:
   - Data leakage prevention and monitoring
   - Forensic preparedness
5. Vendor management and due diligence

10 Things Every Bank Should Have
6. Hardened internal systems (end points)
7. Encryption strategy (end points, mobile media)
8. Well defined perimeter security:
   - Firewall
   - Proxy integration for traffic in AND out
   - Email gateway/filter
   - Intrusion Detection/Prevention for network traffic, Internet facing hosts, AND workstations (end points)
   - Network segments
9. Centralized audit logging, analysis, and automated alerting capabilities
10. Validation that it all works the way you expect (remember the definition?)
These things should be documented
Summary
A secure system is one we can depend on to behave as we expect.
Source: Web Security and Commerce by Simson Garfinkel with Gene Spafford
People / Rules / Tools

Summary
Today's attack vectors:
- Email
- Phishing
- Websites with malicious code
- Social engineering
Strategy:
- Strong policies
- Staff awareness
- Hardened systems
- Monitoring
- Validation
Questions?
Randy Romes, CISSP, CRISC, MCP
Principal, LarsonAllen
612-397-3114
rromes@larsonallen.com
www.larsonallen.com/technology
Slides available on our web site:
http://www.larsonallen.com/presentations.aspx?taxid=160&sort=descending
Resources - Social Engineering Defined
Per the Hacker's Jargon Dictionary: "Term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords and other information that compromises a system's security."

Insider Threats - Attacks on Users
- "Employees pose biggest security risk" - Simple Nomad, SANS NewsBites, July 16, 2007, Vol. 9, Num. 56, TOP OF THE NEWS
  http://www.darkreading.com/document.asp?doc_id=129122&WT.svl=cmpnews1_1
- SANS 2009 study and security report:
  http://www.sans.org/top-cyber-security-risks/

Resources - Social Engineering: Attacks on Users
- Security Focus 2 part series:
  http://online.securityfocus.com/infocus/1527
  http://online.securityfocus.com/infocus/1533
- CERT Advisory CA-1991-04
  www.cert.org/advisories/ca-1991-04.html
- SANS Institute:
  http://rr.sans.org/social/social.php

References
- http://www.sans.org/top-cyber-security-risks/
- http://www.heritage24.com/documents/corporateaccounthijackingfsisacgreenbulletin_20090824_final.pdf
- Google: ACH positive pay

In the Media
- http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.html
- http://www.theregister.co.uk/2005/04/13/sumitomo_bank/
- http://www.channelregister.co.uk/2005/03/17/sumitomo_cyber-heist_foiled/

Resources - Hardening Checklists
- Hardening checklists from vendors
- CIS offers vendor-neutral hardening resources
  http://www.cisecurity.org/
- Microsoft Security Checklists
  http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
- Most of these will be from the BIG software and hardware providers

Resources
- Computer Security Institute:
  http://www.gocsi.com/soceng.htm
- Methods of Hacking: Social Engineering by Rick Nelson
  http://www.isr.umd.edu/gemstone/infosec/ver2/papers/socialeng.html
- Computer Security Institute:
  http://www.sptimes.com/2007/10/28/business/here_s_how_a_slick_la.shtml

PCI Standards
- Quarterly vulnerability scan by an Approved Scanning Vendor (ASV)
- Quarterly test of wireless network security
- Annual DSS Assessment (by a QSA if Level 1)
- Annual Penetration Test (not vulnerability scan): External AND Internal
- https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf