Digital Security – Cyber Security and Fraud Prevention
Citi Online Academy | December 2014
Treasury and Trade Solutions
Rajesh Shenoy
Global Head of TTS Digital Security
+1 (416) 947-5602
Elizabeth Petrie
Director Strategic Analysis
+1 (202) 776-1518
Agenda
1. Increasing Cyber Threats (slide 3)
2. Leveraging Bank Best Practices (slide 7)
3. Partnering on Security (slide 11)
4. Case Study: Social Engineering Attack (slide 17)
1. Increasing Cyber Threats
As business interactions move online, cyber threats are becoming more sophisticated and dangerous.
Increase in Digital Banking Enhances Need for Cyber Security
Tremendous growth of online interactions, with each click or tap leaving a trail of data:
• [Chart: Global Devices Connected to the Internet (billions), years 2009, 2015 and 2020; data points 5B, 15B and 50B]
• [Chart: Global Digital Data (in exabytes), 2010 to 2020, scale 0 to 40,000]
• Callouts on the charts: 4x in 10 years; 44x in 10 years
Cyber threat and fraud are on the rise with significant impacts on business and the economy:
• $3 trillion estimated cyber attack fallout cost to the global economy by 2020 [1]
• $200+ billion estimated amount stolen from banks, financial institutions, companies and individuals, double the amount in 2010 [2]
Source: World Economic Forum, SWIFT.
1. McKinsey report: “Risk and responsibility in a hyperconnected world: Implications for enterprises”; January 2014.
2. The Guardian report: “Online fraud costs global economy many times more than $100 billion”; October 2013.
Nature and Frequency of Cyber Attacks
• The amount of knowledge required to launch very sophisticated attacks is decreasing over time, making these threats more severe each day
• Recent attacks show increased knowledge and understanding of the technology, infrastructure and systems of their victims
• Bad actors are going after customers, suppliers and third parties in addition to direct attacks
• Intelligence, external and internal, as well as shared knowledge across the industry and governments, will be the most effective counter strategies
[Chart: Attack Sophistication vs. Intruder Technical Knowledge, 1980 to 2014 (axis labels 1980, 1990, 2000, 2014). Attack sophistication rises from low to high while the required intruder knowledge falls. Attack types plotted: Password Guessing; Self-replicating Code; Password Cracking; Exploiting Known Vulnerabilities; Disabling Audits; Back Doors; Hijacking Sessions; Sweepers; Sniffers; Packet Spoofing; GUI; Automated Probes/Scans; Denial of Service; www Attacks; Tools; “Stealth”/Advanced Scanning Techniques; Burglaries; Distributed Attack Tools; Staged; Coordinated DDOS; Cross Site Scripting; Mobile Malware; SQL Injections; Botnets]
Tools, Techniques, and Procedures Used by Attackers
The primary objectives of cyber attackers are: Manipulate, Destroy, Disrupt and Steal.
• Social Engineering: A common tactic, at times even non-technical, that relies on human interaction to trick other people into breaking normal security procedures, allowing the attacker to gain information that may be useful for exploit efforts
• Phishing and Spear-Phishing: Emails, online posts, or other electronic communications that masquerade as a trustworthy party in an attempt to trick the target into divulging information or downloading malware
• Rootkits: A set of software tools that enables an unauthorized user to gain control of a computer system without being detected
• Exploit Kits: Packs containing malicious programs that are mainly used to carry out automated ‘drive-by’ attacks in order to spread malware. These kits are sold on the black market, where prices ranging from several hundred to over a thousand dollars are paid
• Drive-by Downloads: A program that is automatically installed on a target’s computer by merely visiting a website. Victims do not have to explicitly click on a link within the page
• Distributed Denial of Service: Through computer programs and/or an increased number of participants, attackers flood the target’s website with more traffic than the server can handle. As the site attempts to process the large volume of malicious traffic, it denies access to legitimate users. The rush of traffic also causes servers to crash
2. Leveraging Bank Best Practices
Role and Importance of Intelligence
Intelligence must be an integral part of the decision-making process. Intelligence is having the right information, at the right time, and in the hands of the right people.
Output/Deliverables
• Inform operational planning and strategic decision-making
• Inventory of intelligence resources
• Identification of resource gaps, recommendations for remediation
• Centralized mechanism for ad hoc intelligence data
• Regular, frequent updates to senior management and key business stakeholders (e.g. dashboard-type, high-level briefing report)
• Intelligence-sharing and knowledge-sharing (lessons learned, etc.)
[Figure: Intelligence Cycle, with Active Collaboration at the center: Requirements; Planning and Direction; Collection; Processing and Exploitation; Analysis and Production; Dissemination]
Source: 2008 Federal Bureau of Investigation; www.fbi.gov/about-us/intelligence.
Intelligence is embedded in the day-to-day work, from the establishment of a customer relationship to the execution of any service. Capturing and understanding the knowledge of employees is the foundation of a successful Intelligence Program.
Leveraging Intelligence to Assess Information Security Risk
Information Security Risk is determined based on a strong assessment of the threats, known vulnerabilities and the assets involved.
Risk = Threats X Vulnerabilities X Assets
Threats
• External: Nation State; Cyber Terrorists; Cyber Criminals; Hacktivists
• Internal: Privileged Users; End Users
Vulnerabilities
• Insecure Code and Applications
• Toxic Combinations/Over Entitlements
• Client Side Software Vulnerabilities
• Unauthorized Privileged User Access
• Unencrypted Data
• Improper Configuration Management
• Network and Operating System Software Vulnerabilities
Assets
• Intellectual Property
• Corporate Data
• Credentials
• Financial Transactions
Citi’s Multi-Layered and Comprehensive Approach to Security
Using talent, processes and technology to approach Information Security can significantly reduce cyber vulnerabilities inside Citi and their impact.
Select Pillars of Strong Identity and Access Management
• Security Incident Management
• Global Identity Management
• Security Training and Awareness Programs
• Vendor Management Practices
• Intelligence Collection and Industry Networks
• Human Resources Policies
• Vulnerability Assessment
• Data Protection
• Information Security Risk Assessments and Issue Management
3. Partnering on Security
Digital Security is our Business
Citi invests large amounts annually to help protect client assets. Working with our clients is critical to the integrity of end-to-end security.
• Security goes beyond technology and authentication mechanisms to various processes, including:
  - Maker/checker compliance for transaction authorization
  - Ensuring business devices are clean and password-protected
  - Leveraging data for alerts
  - Payment monitoring and behavior-based blocking tools
• Client collaboration is central to maintaining high security
[Figure: Cyber Threat at the center, surrounded by Data Privacy, Channel Protection and Transaction Monitoring]
Focus on Partnering End-to-end, Bringing Together Technology and Best Practices
Digital Channels have brought better control, but as we leverage new channels, we need to be at the top of our game and keep ahead of the curve.
Channel Protection
We are leveraging innovation and strong best practices for existing solutions to balance risk and add value.
Citi (Technology and Process)
• Strong user log-in credentials
• End-to-end encryption securing files and data exchanged between clients and Citi
• Secure channels support message integrity, authenticity and non-repudiation*
• Abnormal login behavior detection
• Intelligence on best practices to prevent social engineering
• Regular security health checks on channels (e.g. vulnerability assessment)
• Global policies and processes aligned with local regulatory requirements
Client (Technology and Process)
• Update web browser and Java regularly
• Use anti-virus and other detection tools
• Use a pop-up blocker for doubtful sites
• Use automatic updates for business devices (Windows Update, Apple Update etc.), also for Adobe Flash
• Do not install or download unknown or unsolicited programs on your device
• Never share SafeWord cards and keep PINs secret
• Password-protect all devices (e.g. computers, tablets, mobile etc.)
• Log out at the end of each CitiDirect BE℠ session
• Do not share Challenge Response over the phone
• Be wary of web meeting software, especially logging into your bank account over the web session
* Capability specific to CitiConnect channel
Transaction Monitoring
Our Transaction Monitoring capabilities help enable Citi and our clients to mitigate transaction-level risks.
Citi (Technology and Process)
• Solutions enabling clients to easily identify payment outliers and help mitigate potential risks (e.g. behavior-based blocking capabilities)
• Ongoing review of communication and transaction information (e.g. content monitoring)
• Intelligence and industry trends monitoring
• Fraud and suspicious activities review
• Leveraging big data to enhance security
• Robust Security Incident Management
• Applications for user and entitlement reviews
• Tools monitoring approved users for file delivery and processing*
Client (Technology and Process)
• Leverage solutions enabling the identification of payment outliers and risk mitigation
• Use pre-format functionality for manual payments
• Utilize maker/checker compliance for each transaction authorization
• For payments over a certain amount, use additional security levels
• Regular review of transaction reports and dashboards
• Report suspicious activity to Citi
• Never leave an active session unattended
* Capability specific to CitiConnect channel
Data Privacy
Data Privacy is a key focus area with controls that meet applicable data privacy guidelines around the world and the flexibility to share information across a global organization.
Citi (Technology and Process)
• Stringent protection of information with a variety of systems helping to ensure client data is accurate and reliable
• Data integrity tools to protect privacy of messages and files*
• Accessible data, fully backed up at different sites
• Regular client training and awareness sessions
• Strict information security approach in compliance with applicable local data protection regulations
• Information sharing via industry networks for successful protection
Client (Technology and Process)
• Robust controls around modifications of payee information and beneficiary bank account details
• Controls for sharing and modification of files, messages and other sensitive information
• Corporate IT team should utilize tools for data loss prevention to monitor, alert, identify, and block the flow of unauthorized data into and out of your network
• Set appropriate levels of approvals
• Limit access to sensitive and confidential data within your organization
• Avoid storing sensitive data on devices
• Implement a removable media policy (e.g. restrict the use of USB drives, external hard disks etc.)
* Capability specific to CitiConnect channel
Acting on Suspicious Activity
Contact Citi’s helpdesk to report any suspicious activities and findings.
Red Flags (Client)
• Phone: Call-in before the call-back; change in the tone of a well-known contact; fake text messages etc.
• Transaction Approval: Requested to approve a transaction you don’t know anything about, or for an unfamiliar supplier etc.
• Receive email with alarmist language, poor grammar and spelling errors, or visibly fake links etc.
• System Message: Asking for a password in a place you don’t recognize; additional step/page during the login or transaction etc.
4. Case Study: Social Engineering Attack
Beneficiary Change Scenario
This scenario demonstrates the tactic of a social engineer to fabricate a change of beneficiary to steal money.
1. Youcef from Company X notices an email from his supplier Bernie from ABC Technology, and is surprised that the tone is more formal than usual
2. The e-mail contains a dually authorized bank letter requesting a change of bank account details
3. Youcef replies that it is subject to additional security and requires a signature verification call-back
4. Bernie replies that he is currently traveling and not available via the usual contact number, and to work with his trusted colleague Yohan, who is also authorized to complete security
(The slide marks red flags 1 to 4 on this exchange.)
Beneficiary Change Scenario (Cont.)
1. Soon after, Yohan calls Youcef (an in-bound call) to complete the transaction, while out-of-band call verification is the protocol
2. Youcef says he first needs to take Yohan through the security procedure
3. Yohan becomes anxious and aggressive, and responds that Bernie had provided dual authorization by email and had asked him to contact Youcef
4. Youcef quickly takes Yohan through the security process given the urgency and, upon his answering a few questions, confirms the change of bank details within days
(The slide marks red flags 1 to 4 on this exchange.)
Beneficiary Change Scenario (Cont.)
1. A few weeks later, Sam from ABC Technology calls Youcef about a large overdue payment
2. Youcef remembers the invoice due to its unusual size, as he needed management approval, and it was received on the same day as the bank details change
3. Sam says that they did not change their bank account
4. Youcef escalates for investigation and finds that the payment was effective 4 weeks earlier, soon after the holidays
(The slide marks red flags 1 to 4 on this exchange.)
Beneficiary Change Scenario (Cont.)
1. Youcef explains to Sam that after Bernie’s email and Yohan’s call, an invoice from “ABC Technology” was received right away and paid to the new bank account with Lucky Bank
2. Sam confirms that they have never banked with Lucky Bank, and did not request a bank account change
3. Youcef realizes that he acted on a fraudulent bank account change
4. Youcef made the mistake of not initiating communication with an approved contact from ABC Technology to confirm the validity before making the change
(The slide marks red flags 1 to 4 on this exchange.)
Analysis and internal investigations
• Investigation revealed that Bernie’s email account had been compromised. The fraudsters knew that Bernie is the contact person for communicating with Company X. Personal information about Youcef was harvested from Bernie’s compromised mailbox.
• In this situation Youcef missed several ‘Red Flags’ which may indicate suspicious activity:
  - Behavioral characteristics: a request to change important information (bank account details) was followed by a change in the tone and phraseology of the correspondence from a well-known counterparty
  - Urgency and non-availability: the initiator of the email stated that they are currently busy (travelling), so there is no opportunity to contact them using confirmed telephone numbers, and further delegated security verification via email to a subordinate employee
  - Inbound vs. outbound call: Yohan from ABC calls in before the call-back can be made and is extremely anxious to get the transaction completed
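The call-back control that the case study and its analysis call for, written as a small Python check; this is an added example, not code from the Citi deck, and the supplier directory, contact names and phone numbers are constructed.

```python
"""Out-of-band verification control for beneficiary bank-detail changes.

Assumed procedure (from the case study): our side places the call-back, to a
contact and number already on file for the supplier, and an independent second
approver (maker/checker) signs off before the change takes effect.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed directory of approved supplier contacts (hypothetical data).
APPROVED_CONTACTS = {
    "ABC Technology": {"Bernie": "+1-555-0100", "Sam": "+1-555-0101"},
}

@dataclass
class ChangeRequest:
    supplier: str
    verifier_name: str      # the person we spoke to on the verification call
    verifier_number: str    # the number used for that call
    call_direction: str     # "outbound" (our call-back) or "inbound"
    number_source: str      # "directory" (our records) or "request" (from the e-mail)
    urgency_claimed: bool   # requester pressed for speed or said they were unreachable
    checker_approved: bool  # independent second approval recorded

def assess(req: ChangeRequest) -> tuple[bool, list[str]]:
    """Return (approved, red_flags); approval requires an empty red-flag list."""
    flags = []
    contacts = APPROVED_CONTACTS.get(req.supplier, {})
    if req.call_direction != "outbound":
        flags.append("inbound call: verification must be our own call-back")
    if req.number_source != "directory":
        flags.append("call-back number came from the request, not from our records")
    if req.verifier_name not in contacts:
        flags.append(f"{req.verifier_name} is not an approved contact for {req.supplier}")
    elif contacts[req.verifier_name] != req.verifier_number:
        flags.append("number dialled does not match the number on file")
    if req.urgency_claimed:
        flags.append("pressure to complete quickly / requester unavailable")
    if not req.checker_approved:
        flags.append("missing maker/checker second approval")
    return (not flags, flags)

# The case study as it happened (constructed values): Yohan calls in, on a
# number that is not on file, citing urgency. Expected: rejected, 4 red flags.
CASE_STUDY = ChangeRequest("ABC Technology", "Yohan", "+1-555-0199",
                           "inbound", "request", True, True)
# The control done right: we call Sam back on the number on file.
CORRECT = ChangeRequest("ABC Technology", "Sam", "+1-555-0101",
                        "outbound", "directory", False, True)
```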
IRS Circular 230 Disclosure: Citigroup Inc. and its affiliates do not provide tax or legal advice. Any discussion of tax matters in these materials (i) is not intended or written to be used, and cannot
be used or relied upon, by you for the purpose of avoiding any tax penalties and (ii) may have been written in connection with the “promotion or marketing” of any transaction contemplated hereby
(“Transaction”). Accordingly, you should seek advice based on your particular circumstances from an independent tax advisor.
Any terms set forth herein are intended for discussion purposes only and are subject to the final terms as set forth in separate definitive written agreements. This presentation is not a commitment
or firm offer and does not obligate us to enter into such a commitment, nor are we acting as a fiduciary to you. By accepting this presentation, subject to applicable law or regulation, you agree to
keep confidential the information contained herein and the existence of and proposed terms for any Transaction.
We are required to obtain, verify and record certain information that identifies each entity that enters into a formal business relationship with us. We will ask for your complete name, street address,
and taxpayer ID number. We may also request corporate formation documents, or other forms of identification, to verify information provided.
© 2014 Citibank, N.A. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world.