©2013
CliftonLarsonA
llen LLP
©2013
CliftonLarsonA
llen LLP
cliftonlarsonallen.com
Current Trends in Cyber Crime & Payments Fraud
©2013
CliftonLarsonA
llen LLP
Our perspective…CliftonLarsonAllen– Started in 1953 with a goal of total
client service– Today, industry specialized CPA and
Advisory firm ranked in the top 10 in the U.S.
– Information Security offered as specialized service offering for over 15 years
– Largest Credit Union Service Practice*
*Callahan and Associates 2014 Guide to Credit Union CPA Auditors.
CliftonLarsonAllen’s credit union practice has recently grown to over 100 professionals including more than 20 principals. The group focuses on audit, assurance, consulting and advisory, information technology, and human resource management for credit unions across the country.www.larsonallen.com – news release
2
©2013
CliftonLarsonA
llen LLP
Overview
• Up To Date Cybersecurity and Fraud Risks– Current threat environment– Industry examples and case studies
• FFIEC Cybersecurity Assessments and Governance Requirements
• Strategies to mitigate and manage risks
3
©2013
CliftonLarsonA
llen LLP
Cyber Fraud Risk Themes
• Hackers have “monetized” their activity– More sophisticated hacking– More “hands‐on” effort– Smaller organizations targeted– Black market economy
• Social engineering is continuing threat
• Hackers targeting members and member businesses
4
©2013
CliftonLarsonA
llen LLP
Largest Cyber Fraud Trends
• Most common cyber fraud scenarios we see affecting our credit unions and their members– Theft of PII and PFI– Theft of credit card information– Member and Corporate Account Take Overs– Ransomware
• Defensive Measures to support Incident Response– Examples and Case Studies
5
©2013
CliftonLarsonA
llen LLP
• Target• Goodwill • Jimmy Johns
• University of Maryland• University of Indiana
• Olmsted Medical Center• Community Health Systems
Black Market Economy ‐ Theft of PFI and PII
6
• Anthem• Blue Cross Primera
Active campaigns involving targeted phishing and hacking focused on common/known vulnerabilities.
©2013
CliftonLarsonA
llen LLP
Anatomy of a Breach
7
©2013
CliftonLarsonA
llen LLP
Timeline of a Breach and Missed Opportunities
8
1. Attacked/compromisedvendor remote access
2. Missed AV/IDS warnings 3. Attacked/compromised internal vulnerabilities
4. Missed IDS warnings
1
2
3
4
©2013
CliftonLarsonA
llen LLP
Black Market Economy – Stolen Card Data
• Carder or Carding websites
• Dumps vs CVV’s
• A peek inside a carding operation:
http://krebsonsecurity.com/2014/06/peek‐inside‐a‐professional‐carding‐shop/
9
©2013
CliftonLarsonA
llen LLP
Black Market Economy – “Carder Boards”
• Easy to use!
10
©2013
CliftonLarsonA
llen LLP
Credit Card Data For Sale
11
©2013
CliftonLarsonA
llen LLP
• Catholic church parish• Hospice• Finance company• Main Street newspaper stand• Electrical contractor• Utility company• Industry trade association• Rural hospital• Mining company• Credit Union
• On and on and on and on……………..
“Corporate Account Takeover” ‐ CATO
12
©2013
CliftonLarsonA
llen LLP
CATO Lawsuits ‐ UCC
a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”
13
©2013
CliftonLarsonA
llen LLP
CATO Lawsuits ‐ UCC
• Electrical Contractor vs Bank
• > $300,000 stolen via ACH through CATO
• Internet banking site was “down” – DOS?
• Contractor asserting Bank processed bogus ACH file without any call back
©2013
CliftonLarsonA
llen LLP
CATO Lawsuits ‐ UCC
• Escrow company vs Bank
• > $400,000 stolen via single wire through CATO– CE passed on dual control offered by the bank
• Court ruled in favor of bank
• Companies attorneys failed to demonstrate bank’s procedures were not commercially reasonable
©2013
CliftonLarsonA
llen LLP
• CEO asks the CFO…
• Common mistakes1. Use of private email2. “Don’t tell anyone”
• http://www.csoonline.com/article/2884339/malware‐cybercrime/omahas‐scoular‐co‐loses‐17‐million‐after‐spearphishing‐attack.html
16
Case Study – Please Wire $ to….
©2013
CliftonLarsonA
llen LLP
CATO Defensive Measures• Multi‐layer authentication• Multi‐factor authentication• Out of band authentication• Positive pay• ACH block and filter• IP address filtering• Dual control• Defined processes for payments
• Activity monitoring• Manual vs. Automated controls Combination of preventative and detective controls
17
©2013
CliftonLarsonA
llen LLP
Ransomware
• Malware encrypts everything it can interact with– i.e. anything the infected user has access to
• CryptoLocker
18
May 20, 2014 – Ransomware attacks doubled in last month (7,000 to 15,000)http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker‐goes‐spear‐phishing‐infections‐soar‐warns‐knowbe4‐a‐506966.html
©2013
CliftonLarsonA
llen LLP
Ransomware
• Working (tested) backups are key19
©2013
CliftonLarsonA
llen LLP
Ten things that make it easy for hackers1. Giving users local admin privileges2. Domain Admins don’t have separate user account3. Domain Admins log into workstation4. Weak passwords5. Shared passwords6. Poor patching7. Unnecessary ports and services8. Weak/no encryption9. Vendor Systems10. Lack of security awareness
20
©2013
CliftonLarsonA
llen LLP
Keys to Successful Breaches 2013 2014
21
https://www2.trustwave.com/GSR2014.
©2013
CliftonLarsonA
llen LLP
Keys to Successful Breaches…
22
Reliance/dependence on 3rd party service providers is at root of most breaches
©2013
CliftonLarsonA
llen LLP
How do hackers and fraudsters break in?
Social Engineering relies on the following:
• The appearance of “authority”
• People want to avoid inconvenience
• Timing, timing, timing…
“Amateurs hack systems, professionals hack people.”Bruce Schneier
23
©2013
CliftonLarsonA
llen LLP
Pre‐text Phone Calls• “Hi, this is Randy from Fiserv users support. I am working with Dave, and I need your help…”– Name dropping– Establish a rapport– Ask for help– Inject some techno‐babble– Think telemarketers script
• Home Equity Line of Credit (HELOC) fraud calls• Ongoing high‐profile ACH frauds
24
©2013
CliftonLarsonA
llen LLP
Email Attacks ‐ Spoofing and Phishing
• Impersonate someone in authority and:– Ask them to visit a web‐site– Ask them to open an attachment or run update
• Examples– Better Business Bureau complaint– http://www.millersmiles.co.uk/email/visa‐usabetter‐business‐bureaucall‐for‐action‐visa
– Microsoft Security Patch Download
25
©2013
CliftonLarsonA
llen LLPEmail Phishing – “Targeted Attack”
26
©2013
CliftonLarsonA
llen LLP
Physical (Facility) SecurityCompromise the site:• “Hi, Joe said he would let you know I was coming to fix the
printers…”
Plant devices:• Keystroke loggers• Wireless access point• Thumb drives (“Switch Blade”)
Examples…‐Sumitomo Bank (2005) – over $500M‐http://www.networkworld.com/news/2009/012209‐clerical‐error‐foiled‐sumitomo‐bank.html
‐Barclays Bank (December, 2013) ‐ $1.30M lost‐http://www.telegraph.co.uk/news/uknews/crime/10322536/Barclays‐hacking‐attack‐gang‐stole‐1.3‐million‐police‐say.html
27
©2013
CliftonLarsonA
llen LLP
Strategies to Combat Social Engineering• (Ongoing) user awareness training• SANS “First Five” – Layers “behind the people”
1. Secure/Standard Configurations (hardening)2. Critical Patches – Operating Systems 3. Critical Patches – Applications4. Application White Listing5. Minimized user access rightsNo browsing/email with admin rights
• Logging, Monitoring, and Alerting capabilities – “The 3 R’s”: Recognize, React, Respond– More on this at the end…
28
©2013
CliftonLarsonA
llen LLP
FFIEC Executive Leadership Cybersecurity Webinar
29
©2013
CliftonLarsonA
llen LLP
Cybersecurity Leadership ‐ FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
30
©2013
CliftonLarsonA
llen LLP
Cybersecurity Leadership ‐ FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
31
©2013
CliftonLarsonA
llen LLP
May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar• Importance of identifying emerging cyber threats and the
need for Board/C‐suite involvement, including:– Setting the tone at the top and building a security culture – Identifying, measuring, mitigating, and monitoring risks – Developing risk management processes commensurate with the
risks and complexity of the institutions – Aligning cybersecurity strategy with business strategy and
accounting for how risks will be managed now and in the future – Creating a governance process to ensure ongoing awareness and
accountability – Ensuring timely reports to senior management that include
meaningful information addressing the institution's vulnerability to cyber risks
32
©2013
CliftonLarsonA
llen LLP
Cybersecurity Leadership ‐ FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
33
©2013
CliftonLarsonA
llen LLP
Cybersecurity Leadership ‐ FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
34
©2013
CliftonLarsonA
llen LLP
Cybersecurity Leadership ‐ FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
35
©2013
CliftonLarsonA
llen LLP
Cybersecurity Leadership ‐ FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
36
©2013
CliftonLarsonA
llen LLP
Cybersecurity Assessments
July – August 2014
37
©2013
CliftonLarsonA
llen LLP
Current FFIEC IT Examination Process• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will
perform periodic information technology examinations at regulated financial institutions.
• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov/) and supplemented by periodic agency guidance.
• IT Examinations review the financial institution’s Information Security Program (ISP).
38
©2013
CliftonLarsonA
llen LLP
New/Added FFIEC Cybersecurity Assessments• In the summer of 2014, the Federal Financial Institutions
Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks.
• Integrated into regular IT Examination process– Cyber Risk Management and Oversight– Cyber Security Controls– External Dependency Management– Threat Intelligence and Collaboration– Cyber Resilience
• Launched a cybercrime website https://www.ffiec.gov/cybersecurity.htm
39
©2013
CliftonLarsonA
llen LLP
Recent Examiner Supplemental Cyber Security “Request List”
40
©2013
CliftonLarsonA
llen LLP
Recent Examiner Supplemental Cyber Security “Request List”
41
©2013
CliftonLarsonA
llen LLP
Recent Examiner Supplemental Cyber Security “Request List”
42
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity Assessment Tool (CAT)• Released in June 2015
• The National Credit Union Administration intends to incorporate the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool into its examinations, starting in June 2016.
43
http://news.cuna.org/articles/107023‐ncua‐outlines‐examiner‐training‐for‐cyber‐assessment‐tool
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity Assessment Tool (CAT)• Inherent Risk Profile• Cybersecurity inherent risk is the level of risk posed to the institution by the following:1. Technologies and Connection
Types2. Delivery Channels3. Online/Mobile Products and
Technology Services4. Organizational Characteristics5. External Threats
44
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity Assessment Tool (CAT)• Cybersecurity Maturity
1. Cyber Risk Management and Oversight
2. Threat Intelligence and Collaboration
3. Cybersecurity Controls4. External Dependency
Management5. Cyber Incident Management
and Resilience
45
©2013
CliftonLarsonA
llen LLP
©2013
CliftonLarsonA
llen LLP
cliftonlarsonallen.com
Key Defensive Strategies
46
©2013
CliftonLarsonA
llen LLP
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be Prepared… Monitoring, Incident Response, and forensic Capabilities
47
©2013
CliftonLarsonA
llen LLP
1. Strong policies
2. Defined user access roles Minimum Access
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
Ten Keys to Mitigate Risk
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know / use online banking tools
10.Assess and Test – Independent validation that it works…
48
©2013
CliftonLarsonA
llen LLP
Verizon• Report is analysis of intrusions
investigated by Verizon and US Secret Service.
• KEY POINTS:– Time from successful intrusion to compromise of data was days to weeks.
– Log files contained evidence of the intrusion attempt, success, and removal of data.
– Most successful intrusions were not considered highly difficult.
49
©2013
CliftonLarsonA
llen LLP
Centralized Logging, Analysis, and Alerting
50
Centralized audit logging, analysis, and automated alerting capabilities (SIEM)•Firewalls•Security appliances•Routing infrastructure•Network authentication•Servers•Applications ***•Archiving vs. Reviewing
•Know your: Network, Systems, DATA
©2013
CliftonLarsonA
llen LLP
Call To Action
51
Policies to set foundationTrain your usersThoroughly assess your risksThree R’s: Recognize, React, RespondThoroughly validate your controls
– High expectations of your vendors– Penetration testing– Application testing– Vulnerability scanning– Social engineering testing
People Rules
`
Tools
©2013
CliftonLarsonA
llen LLP
Questions?
52
©2013
CliftonLarsonA
llen LLP
53
©2013
CliftonLarsonA
llen LLP
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI‐QSAPrincipalInformation Security [email protected]
53
©2013
CliftonLarsonA
llen LLP
Resources – Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor‐neutral hardening resourceshttp://www.cisecurity.org/
• Microsoft Security Checklistshttp://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=truehttp://technet.microsoft.com/en‐us/library/dd366061.aspx
Most of these will be from the “BIG” software and hardware providers
54
©2013
CliftonLarsonA
llen LLP
“Three” Security Reports• Trends: Sans 2009 Top Cyber Security Threats
– http://www.sans.org/top‐cyber‐security‐risks/
• Intrusion Analysis: TrustWave (Annual)– https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)– http://www.verizonenterprise.com/DBIR/
55
©2013
CliftonLarsonA
llen LLP
Information Security Program – includes…• Section 501(b) of the Gramm‐Leach‐Bliley Act of 1999 (GLBA)
for the safeguarding of customer information
Board of Directors will develop an Information Security Program that addresses the requirements of:
◊ Section 501(b) of the GLBA;◊ Federal Financial Institutions Examination Council’s (FFIEC) “Interagency Guidelines
Establishing Information Security Standards” (501[b] Guidelines); and ◊ Agency‐specific guidelines (i.e. Appendix B to Part 364 of the FDIC’s Rules and
Regulations)
The Information Security Program (ISP) is comprised of: ◊ Risk Assessment◊ Risk Management◊ Audit◊ Business Continuity/Disaster Recovery/Incident Response◊ Vendor Management◊ Board and Committee Oversight
56
©2013
CliftonLarsonA
llen LLP
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems.
• Risk is determined based on the likelihood of a given threat‐source’s ability to exercise a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical, and physical controls to reduce or eliminate the impact of the threat.
Information Security ProgramRisk Assessment and Risk Management
57
©2013
CliftonLarsonA
llen LLP
Information Security ProgramAudit• ISP‐related Audits/Reviews
– ISP Review/IT General Controls Review– External/Internal Vulnerability and Penetration Assessments– Social Engineering Assessments
• E‐Banking Reviews– ACH Audit– Wire Transfer Audit– Remote/Mobile Deposit Capture Audit
• Audit/Exam Recommendation Tracking and Reporting
58
©2013
CliftonLarsonA
llen LLP
Information Security ProgramBusiness Continuity/Disaster Recovery Incident Response• Business Continuity/Disaster Recovery Plan
– Annual Testing of Critical Systems– Annual Employee Tabletop/Scenario Testing– Board Reporting
• Incident Response Plan– Compromise of customer information– Annual Testing– FS‐ISAC – FBI Infraguard– Cybersecurity Examinations?
59
©2013
CliftonLarsonA
llen LLP
Information Security ProgramVendor Management
• Vendor Management Policy
• Vendor Risk Assessment– Access to Customer Information– Criticality to Bank Operations– Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring 60
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity AssessmentsFFIEC Cybersecurity Threat and Vulnerability Monitoring
and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing, and response procedures.
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS‐ISAC)
– Improved identification and mitigation of attacks – Better identification and understanding of specific vulnerabilities and
necessary mitigating controls for systems– Sharing information to help other FIs
61
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity AssessmentsFFIEC Cybersecurity Threat and Vulnerability Monitoring
and Sharing Statement (11/3/14)• FI Management should:
– Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
– Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization◊ FS‐ISAC: www.fsisac.com◊ FBI Infragard: www.infragard.org◊ U.S. Computer Emergency Readiness Team at US‐CERT: www.us‐cert.gov◊ U.S. Secret Service Electronic Crimes Task Force:
www.secretservice.gov/ectf.shtml
62
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity AssessmentsFFIEC Cybersecurity Assessment
General Observations• Cybersecurity Inherent Risk– Management must understand the FIs INHERENT RISK when
assessing cybersecurity preparedness◊ Connection Types: identify and assess the threats to all access points to the internal network• VPN• Wireless• Remote access protocols: RDP/Telnet/FTP• Vendor LAN/WAN access• BYOD
63
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity AssessmentsFFIEC Cybersecurity Assessment
General Observations• Cybersecurity Inherent Risk (cont.)
◊ Products and Services: identify and assess threats to all products and services currently offered and planned• Online ACH and Wire Transfer origination• External funds transfers (A2A, P2P, bill pay)
64
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity AssessmentsFFIEC Cybersecurity Assessment
General Observations• Cybersecurity Inherent Risk (cont.)
◊ Technologies Used: identify and assess threats to all technologies currently used and planned• Core systems• ATMs• Internet and mobile applications• Cloud computing
65
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity AssessmentsFFIEC Cybersecurity Assessment
General Observations• Cybersecurity Preparedness – Current cybersecurity practices and overall preparedness
should include:◊ Cybersecurity Controls: Preventive, detective, or corrective procedures for mitigating identified cybersecurity threats • Patching, encryption, limited user access• Intrusion detection/prevention systems, firewall alerts• Formal audit program with scope and schedule based on an
asset’s inherent risk, prompt and documented remediation of findings, regular activity report reviews
66
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity AssessmentsFFIEC Cybersecurity Assessment
General Observations• Cybersecurity Preparedness (cont.)–
◊ Cyber Incident Management and Resilience: Incident detection, response, mitigation, escalation, reporting, and resilience • Formal Incident Response Programs, including regulatory and
customer notification guidelines and procedures• Senior management and board incident reporting
67
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity AssessmentsFFIEC Cybersecurity Assessment Implications?
• Increased Board and C‐Suite Involvement• Participation in information‐sharing group(s)• Cybersecurity scenario testing with employees and
management• Increased oversight of third‐party service providers• Documentation on how FI is addressing the FFIEC Cybersecurity
Assessment findings
68
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity Assessment Tool (CAT)• Domain 1 –Risk Management & Oversight– Governance
– Oversight– Strategies & Policies– IT Asset Management
69
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity Assessment Tool (CAT)• Domain 1 –Risk Management & Oversight– Risk Management
– Risk Management Program– Risk Assessment– Audit
70
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity Assessment Tool (CAT)• Domain 1 –Risk Management & Oversight– Resources ‐Staffing– Training & Culture
71
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity Assessment Tool (CAT)• Domain 2 –Threat Intelligence & Collaboration– Threat Intelligence & Info.– Monitoring & Analyzing– Information Sharing
72
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity Assessment Tool (CAT)• Domain 3 –Cybersecurity Controls– Preventative Controls
– Infrastructure Management– Access and Data Management– Device/End‐Point Security– Secure Coding
73
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity Assessment Tool (CAT)• Domain 3 –Cybersecurity Controls– Detective Controls
– Threat & Vulnerability Detection
– Anomalous Activity Detection– Event Detection
74
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity Assessment Tool (CAT)• Domain 3 –Cybersecurity Controls– Corrective Controls
– Patch Management
– Remediation
75
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity Assessment Tool (CAT)• Domain 4 –External Dependency Management
• Connections– Relationship Management
– Due Diligence
– Contracts– Ongoing Monitoring
76
©2013
CliftonLarsonA
llen LLP
FFIEC Cybersecurity Assessment Tool (CAT)• Domain 5 –Cyber Incident Management & Resilience– Incident Resilience Planning & Strategy– Planning
– Testing
• Detection, Response, & Mitigation• Escalation & Reporting
77