
Helping You Stay Secure Online


© 2014 Traina & Associates 1

Lisa D. Traina, CPA, CITP, CGMA

Lisa Traina utilizes her 30+ years of experience as a CPA, CITP and CGMA to assist financial institutions, hospitals, CPA firms and their clients in implementing measures to secure data and manage risks.

Lisa is a nationally recognized speaker, sharing her knowledge with thousands of CPAs and business professionals annually helping them leverage emerging technologies.

Traina & Associates, an IT security audit firm, has been honored three times as a member of the LSU 100 list of the top 100 fastest growing Tiger-led businesses.

In 2013, Lisa was elected President of the Society of Louisiana CPAs, becoming only the fourth woman in the organization’s 102-year history to hold its top elected position.

She was also named to CPA Practice Advisor Magazine’s 2012 list of 25 ‘Most Powerful Women in Accounting’.

Traina & Associates

Traina & Associates is based in Baton Rouge, Louisiana, and provides Information Technology (IT) Audit services to over 80 community financial institutions as well as hospitals, physicians, CPA firms and many other small businesses.

For every engagement, the staff of highly trained professionals completes review procedures in an efficient manner to produce a comprehensive assessment of the client’s Information Systems area. All audit reports are tailored for the unique makeup, size and complexity of the organization being audited. Reports are written in a concise manner, making them easy to read and understand by Management and Directors having a variety of IT expertise.

A variety of full day seminars, conference presentations and webinars are available for presentation to Directors & Executive Management teams and all levels of employees. Popular topics include: Cloud Computing, iPads & Other Mobile Devices, Helping You Stay Secure Online and Cyber Security Basics.

Visit our website for more details on any of our audit services or training options: www.TrainaCPA.com. Please contact us today at [email protected] or (225) 308-1712, or follow us on Twitter at @TrainaCPA.


Helping You Stay Secure Online

The number of individuals and businesses using online banking for financial transactions continues to increase rapidly. With this increase comes an increase in fraud, particularly corporate account takeover.

This seminar is designed to educate attendees on what corporate account takeover is, who is at risk, how systems are infected and what can be done to minimize the risk of infection.

Learn how a single email can infect a network and what steps you need to take to protect your business and prevent such an attack.

Topics For Today

I. Information Security Training
II. Corporate Account Takeover
   a. Major Threats
   b. Patching or Updating Systems
   c. Other Attacks
   d. Target Attack
III. Information Security Myths
IV. Protection & Prevention
   a. Layered Security
      i. Computer Security
      ii. Account Security
      iii. The Human Element
   b. Safety Tips
V. Mobile Devices
   a. Mobile Malware
   b. Mobile Security Measures
VI. Expectations For The Future


‘Some form of data breach, deliberate or accidental, is now considered inevitable for all organizations at some point.’ – IRM Cyber Risk Report 2014

Helping You Stay Secure Online

• Recent Victims
   o Apple, Department of Energy, Twitter, Federal Reserve, Facebook, Adobe, Target, NBC, The Wall Street Journal, The Washington Post, The New York Times

Corporate Account Takeover

• A form of corporate identity theft where a business’ online credentials are stolen by malware and criminal entities fraudulently transfer funds from the account(s)
• CATO involves compromised identity credentials and is not about compromises to the wire system or ACH Network
• ACH fraud and wire fraud, terms mistakenly used to describe this type of criminal activity, are a misnomer
• The ACH Network is safe and secure
• Who are the Victims?
   o Any business can fall victim
   o But small to mid-sized businesses remain the primary target of criminals
• Dissecting an Attack
   o Target Victims
   o Install Malware
   o Online Banking
   o Collect & Transmit Data
   o Initiate Funds Transfer(s)
• Major Threats
   o Phishing - A person is tricked into visiting a site and entering confidential info (password, credit card info, etc.) or clicking on a link that installs malware
   o Malware
      - Malicious software
      - Installed without user consent or knowledge
      - Many names: spyware, viruses, adware, etc.
   o In 2013, 50% of malware incidents were caused by phishing attempts
   o 93% of large corporations and 87% of small businesses have experienced a cyber breach in the past year
   o Top themes for spam & phishing messages worldwide
      - Bank deposit/payment notifications
      - Online product purchase
      - Attached photo
      - Shipping notices
      - Online dating
      - Taxes
      - Facebook
      - Gift card or voucher
      - PayPal


• One Click → Infected System
• Patching or Updating Systems
   o New vulnerabilities exploited daily
   o Constant work to patch issues
   o Problems arise when applications no longer have patches
   o Not just Windows
• Java
• Windows XP
   o Support by Microsoft for Windows XP ends in April 2014
   o Any computer with XP still installed could receive a ‘flood’ of malware, since security patches will no longer be released
   o Warning to businesses and consumers
• Internet Explorer
   o Actively exploited vulnerability recently discovered
   o All IE versions affected
   o Installs malware without user interaction
   o Patches were released for all supported versions
• Other Attacks
   o RansomWare
• Target Attack
   o Facts
      - 2nd Largest Retail Cyber Attack
      - 110 million customers affected
      - November 27 - December 15, 2013
      - Names, CC #, Expiration Dates, CVV #
   o How It Happened
      - Infected with BlackPOS Malware
      - Installed at some point before Nov 27
      - Undetected by 40+ commercial AV tools
      - Previous versions used in attacks and categorized by FBI as POS Malware
   o How Was Target’s Network Compromised?
   o Fazio Mechanical
      - Citadel Malware - password stealing bot program
      - A link was emailed to employees, someone clicked
      - Network credentials for Target were stolen
      - This occurred at least 2 months before Target was compromised
      - “Our IT system and security measures are in full compliance with industry practices.”
      - Malwarebytes Anti-Malware - primary method of detecting malware
         • Free version does not offer real-time protection against threats
         • Made explicitly for individuals and not for corporate use
      - Maintains a data connection to Target for electronic billing, contract submission and project management
      - Nearly all Target contractors use Ariba, Partners Online and Property Development Zone
      - Theory - Ariba has a back end for admin access


   o Back To Target
      - Clicking the link gave hackers access to track passwords
      - Network credentials to access Target systems were used
      - Hackers used this to obtain a wealth of information
      - Mining this information allowed them to gain knowledge of the internal network
      - Web server exploited after gaining network credentials
      - Allowed hackers access to internal POS system
   o More Info
      - Data being sold on underground market
      - Other retailers have been compromised
      - More hacks will be coming to light this year
      - Arrests being made on people using stolen cards
   o Malware For Sale
   o Heartbleed Vulnerability
      - Heartbleed Bug - vulnerability in widely used web encryption software
      - Impact on businesses & consumers unprecedented
      - Over 500k websites could be affected
   o Protect Yourself
      - Do not log into accounts from affected sites
      - Check to ensure websites have been patched
      - http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
      - https://lastpass.com/heartbleed/
      - Change passwords for sensitive accounts first
      - Enable two factor authentication where available
      - Don’t be afraid to contact technical support for more info

Information Security Myths

• Internet banking users need better computer security than other employees
• Anti-virus software is the best protection
• Employees cannot access Facebook at work
• This can only happen to big businesses
• The ‘IT Guy’ keeps our business safe

Protection & Prevention

• Layered Security
   o No single measure alone is likely to prevent CATO
   o Each business must identify its own risks and implement appropriate security
      - Computer Security
      - Account Security
      - The Human Element
• Computer Security
   o Properly configure network equipment
   o Limit administrative rights


   o Patch all operating systems and applications
   o Keep anti-virus software updated
   o Delete unnecessary applications
   o Change all default passwords
   o Passwords should be complex and expire periodically
   o Utilize sophisticated spam filtering
   o Block pop-ups
   o Restrict Internet access

• Account Security
   o Use complex passwords, change frequently
   o Take advantage of all controls offered by your financial institution
   o Use dual control for wires & ACH, when feasible
   o Do not use administrator account for day-to-day transactions
   o Use tokens, if offered
   o Subscribe to file/transaction notifications
   o Limit the number of employees with access
   o Promptly deactivate employees that no longer require access
   o Set dollar and file limits as low as possible and periodically review all users and their limits
   o Review accounts daily, particularly ACH and wire transactions
• Call Your Banker Immediately
   o Possible fraudulent transactions
   o New user accounts
   o Logins at unusual times of day
   o Emails or calls requesting account info
   o Maintenance pages while online
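One way to put the daily account review and the "call your banker" indicators above into practice, as an added example that is not part of the seminar handout: a small Python script that scans a constructed online-banking activity log for off-hours logins, new user accounts, transfers above a dollar limit, and ACH or wire items that lacked dual control. The log format, the business-hours window and the limit are assumptions.

```python
import re
from datetime import datetime

# Constructed sample activity log (not real data); each line is
# "date time user ACTION key=value ...". The format is an assumption.
SAMPLE_LOG = """\
2014-03-10 09:15:02 jsmith LOGIN ok
2014-03-10 09:20:44 jsmith ACH amount=4200.00 approvers=jsmith,mjones
2014-03-10 23:47:10 jsmith LOGIN ok
2014-03-10 23:49:31 jsmith USER_CREATE newuser=payroll2
2014-03-10 23:52:07 payroll2 WIRE amount=48500.00 approvers=payroll2
2014-03-11 08:05:13 mjones ACH amount=900.00 approvers=mjones,jsmith
"""

BUSINESS_HOURS = (7, 19)    # assumed local window: 07:00 up to 19:00
TRANSFER_LIMIT = 10000.00   # assumed per-transaction dollar limit

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+)(?: (.*))?$")


def parse_details(text):
    """Turn 'k=v k=v' into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def find_cato_indicators(log_text):
    """Return (timestamp, user, reason) tuples for the 'call your banker'
    indicators: off-hours logins, new user accounts, transfers above the
    limit, and ACH/wire items that were not approved under dual control."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the review
        ts, user, action, rest = m.groups()
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        details = parse_details(rest or "")
        if action == "LOGIN" and not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
            alerts.append((ts, user, "login at unusual time of day"))
        elif action == "USER_CREATE":
            alerts.append((ts, user, f"new user account {details.get('newuser')}"))
        elif action in ("ACH", "WIRE"):
            amount = float(details.get("amount", "0"))
            approvers = {a for a in details.get("approvers", "").split(",") if a}
            if amount > TRANSFER_LIMIT:
                alerts.append((ts, user, f"{action} above limit: {amount:.2f}"))
            if len(approvers) < 2:  # dual control means two distinct approvers
                alerts.append((ts, user, f"{action} without dual control"))
    return alerts
```

Run against the sample, the two late-night events and the single-approver wire produce four alerts; every one of them is a reason to call the bank the same day.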

• Regulation E
   o Regulation E and the electronic funds transfer protections it affords are only applicable to consumer accounts and are not applicable to business accounts
   o Please see the following website for more information regarding Regulation E
      - http://www.fdic.gov/regulations/laws/rules/6500-3100.html
• The Human Element

   o Employee education is important
   o All employees should receive training
   o Training must be repeated often

• Safety Tips
   o Use extreme caution when surfing the Internet
   o Immediately delete anything suspicious
   o Never open unknown links or email attachments
   o Do not reply to suspicious emails
   o Verify contact info listed in emails
   o Be suspicious of contact from a financial institution or government agency
   o Look for changes in computer performance
• Always Ask – Does This Make Sense?


Mobile Devices

• Fraud Follows Money
• Exponential growth over the past few years
• More mobile devices in use than people on earth
• Mobile devices should be treated as any other computing resource
• Mobile Malware
   o 71% of web delivered malware was encountered on Android devices (iOS 2nd with 14%)
   o Mobile malware accounted for only 1.2% of total web malware encounters in 2013
• Mobile Security Measures
   o Password protection
   o Device lock
   o Device tracking & remote wipe
   o Update & protect devices
   o Restrict functions as much as feasible
   o Understand where data is located

What Else Can I Do?

• In 2013, 50% of malware incidents were caused by phishing attempts
• Security 24/7
   o Use the same precautions on all devices you access at work, at home and in between
   o Business and personal passwords should be different
   o If you are doing it at work, you probably should be doing it at home!

Expectations For The Future

• Credit Card Security
• New Avenues Of Exploitation
   o Health Care, Transportation, Emergency Communication, etc.
   o These avenues will only grow and change
   o Important to address current issues
• iPads & Airlines
• Smart Light Bulbs
• Remote Access Door Locks

‘The digital economy will continue to pose new information risks and business opportunities for all organizations.’ – IRM Cyber Risk Report 2014


Is your data secure? Find out with an IT Security Review

You wouldn’t buy a home without a home inspection to identify potential repair issues, so why run a business without a tech inspection to identify data security weaknesses? The IT Security Review is an evaluation of the controls surrounding the IT area combined with testing of internal and external IT defenses against potential network attacks and intruders. You will be provided with an IT Security Review Report identifying security weaknesses and recommended actions for the following areas:

• Virus & spyware protection
• Application controls
• Network & local authentication controls
• Patching and updating
• Data storage
• Backup procedures
• Password policies
• User administration
• Remote access
• Mobile device security
• Firewall protection
• Secure file exchange
• Internet and email security
• Internal vulnerability scanning
• External vulnerability scanning for static IP addresses

You will also receive an Information Security Toolkit containing the following items:

• Best practices for network authentication
• Minimum mobile device security parameters
• Password management and control recommendations
• Email and Internet access and filtering best practices
• Sample Employee IT & Mobile Device Acceptable Usage Policy
• Sample Business Continuity & Disaster Recovery Plan

Since 1999, Traina & Associates has been providing IT audit services to financial institutions, hospitals, CPA firms, non-profits and other businesses. Our team of professionals has extensive experience and certifications, performing over 200 audit engagements per year. Let us help you ensure that your data is secure. Request a quote today: [email protected] or (225) 308-1712