Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014

Transcription

1 Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014

2 Lisa D. Traina, CPA, CITP, CGMA Lisa Traina utilizes her 30+ years of experience as a CPA, CITP and CGMA to assist financial institutions, hospitals, CPA firms and their clients in implementing measures to secure data and manage risks. Traina & Associates, an IT security audit firm, has been honored four times as a member of the LSU 100 list of the top 100 fastest growing Tiger-led businesses. Traina Advisory Services, LLC offers additional consulting services. In response to client requests for assistance with third party due diligence, Managed Vendor Program (MVP) was launched in Lisa was named to the Baton Rouge Business Report 2014 list of Influential Women in Business and also to the CPA Practice Advisor Magazine 2012 list of 25 Most Powerful Women in Accounting. Traina & Associates Traina & Associates helps secure your data. The fact is that a single hacker could ruin your company s reputation or drain your bank account. We provide IT Security Audit services to help you prevent that from happening. Since 1999, we have been a trusted provider serving financial institutions, hospitals, CPA firms, non-profits and other businesses. We have a team of professionals with extensive experience and certifications, performing hundreds of engagements per year. We continually research new technologies and security threats so audit procedures remain up to date. Take a step toward business security. Visit our website for more details on any of our audit services or training options: Please contact us today at info@trainacpa.com or (225) or follow us on twitter 2014 Traina & Associates 1

3 Some form of data breach, deliberate or accidental, is now considered inevitable for all organizations at some point. IRM Cyber Risk Report 2014 Making The Headlines Numerous companies and vendors have been breached recently Many of these breaches have been in the past few months Typical Myths Some users need better computer security than others Breaches only happen to large organizations Employees cannot access Facebook at work EMV is the solution to card fraud The IT Guy keeps the organization safe Anti-virus software is the best protection Top Security Threats 1. Weak Passwords o Default and weak passwords are very common o People use the same password for many systems o Many systems are accessible remotely with password as the single control 2. Phishing o A person is tricked into Visiting a site and entering confidential info (password, credit card info, etc.) Clicking on a link that installs malware o Top themes for spam & phishing messages worldwide Bank deposit/payment notifications, Online product purchase Attached photo, Shipping notices Online dating, Taxes Facebook, Gift card or voucher PayPal 3. Malware o Viruses, adware, bots, spyware o Installed without user s knowledge o Often not detected by anti-virus programs o Malware Timeframe o One Click " Infected System 4. Vulnerable Systems o Vulnerability = security hole or weakness o Malware typically exploits a vulnerability 2014 Traina & Associates 1

4 o Every system must be updated or patched to eliminate vulnerabilities (servers, workstations, mobile devices, firewalls, routers, switches, etc.) o Many new vulnerabilities discovered every day o Patching Systems Very difficult to keep everything patched Patches can break things Patches not provided for obsolete systems Operating Systems Windows XP, Windows 7, Windows 8, etc. Applications Java, Adobe, etc. run on many different operating systems 91% of attacks were from a Java vulnerability Recent News Windows XP o Support by Microsoft for Windows XP ended April 8, 2014 o Any computer with XP still installed could receive a flood of malware, since security patches will no longer be released o Server 2003 support ends June 2015 Internet Explorer o Recent vulnerability, malware risk o Homeland Security warning issued o All versions of Explorer affected o Patches released for all supported versions RansomWare o Files are encrypted and a ransom is requested o Can happen on networks, workstations and mobile devices Backoff Malware o 1,000 businesses of different sizes hit o Remote access vulnerabilities exploited and access gained to point of sale systems o Commonly compromised applications LogMeIn, Join.me, Microsoft Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway We re Too Small To Matter o Hackers are not picky people o Path of least resistance o Gateway to ultimate target o Testing ground for new malware programs Malware For Sale Malware At Its Worst Corporate Account Takeover o A form of corporate identity theft where a business s online credentials are stolen by malware and criminal entities fraudulently transfer funds from the account(s) o Dissecting an Attack 2014 Traina & Associates 2

5 Target Victims, Install Malware, Online Banking, Collect & Transmit Data, Initiate Funds Transfer(s) o CATO is occurring at an alarming rate o Primary targets are small to mid-sized businesses o Lawsuits between businesses and financial institutions o Very preventable with proper security measures o OFI 19 Recommendations Protect, Detect, Respond o What institutions are doing right Most have adequate layered controls in place Risk assessments have been implemented and approved by BOD Better information provided through literature and online o Room for improvement Risk assessments missing new products/services Respond recommendations not yet implemented More training for employees, board members and customers needed Mobile Devices More mobile devices in use than people on earth Fraud will increase as use of banking and mobile payments increases Mobile devices should be treated as any other computing resource Mobile Malware o 75% of web-delivered malware was encountered on Android devices (ios 2nd with 17%) o Mobile malware accounted for only 1.2% of total web malware encounters in However, this is the next logical area of exploitation for hackers Types of exploitations: o Surveillance audio, camera, call logs, location, SMS messages o Impersonation SMS redirection, sending messages, posting to social media o Financial sending premium rate SMS messages, stealing transaction authentication numbers, extortion via ransomware, fake antivirus, making expensive calls o Botnet Activity DDoS attacks, click fraud, premium rate SMS messages o Data Theft account details, contacts, call logs, phone numbers, stealing data via app vulnerabilities, stealing IMEI number Bring Your Own Device (BYOD) o Most organizations do not: Know who is doing what with devices Have sufficient controls Have a centralized management system (MDM) The Trouble With Syncing o BYOD approved devices o Personal devices o Automated syncing 2014 Traina & Associates 3

6 o Recipe for disaster Bring Your Own Cloud o BYOC is newest problem with cloud data storage o Organizations with employees who are using cloud services for data storage Knowingly or Unknowingly o Data is no longer controlled or secured by the Organization Protection & Prevention No silver bullet, layers of security needed Security measures must include o Computer and mobile device security o Account security o The human element Critical Computer Security Measures 1. Properly configured network controls (firewalls, intrusion detection, administrator access, etc.) 2. Constant patching for everything 3. Current anti-virus on all systems 4. Complex passwords that expire 5. Very restricted Internet access 6. Spam filtering Mobile Device Security 1. Passcode and inactivity lock 2. Device tracking and wipe 3. Updated operating systems and applications 4. Limited storage of confidential data 5. Acceptable usage policies 6. Mobile device management software (MDM) 7. Knowledge of where data resides Online Banking Account Security 1. Financial institution controls (tokens, call backs, dual control, etc.) 2. Strict password & access controls 3. Frequent review of account activity The Human Element 1. Training for every employee Use caution online Delete anything suspicious Do not reply to unknown s 2. Important to include 3rd party testing of Organization systems and procedures Does This Make Sense? How Secure Is Your Organization? o You don t know what you don t know o Third party security can impact you Due diligence is critical 2014 Traina & Associates 4

7 What To Expect More Sophisticated Attacks All businesses are prone to exploits Known information is growing Results in better targeted phishing attempts Credit Cards & EMV Apple Pay & NFC Payments New Avenues of Exploitation Small business, health care, construction, emergency management, etc. These avenues will only grow and change Important to address current issues The Internet of Things The digital economy will continue to pose new information risks and business opportunities for all organizations. IRM Cyber Risk Report 2014 Questions & Comments: (225) 2014 Traina & Associates 5

8 Keeping up is challenging managed vendor program MAKE A CHOICE TO LESSEN YOUR BURDEN AND RISK Traina Advisory Services, LLC, is partnering with community financial institutions who face the challenge of keeping up with regulatory requirements for managing third party risk. Our Managed Vendor Program (MVP) will take the burden of document collection and assessment off of you, and will provide information that can quickly be evaluated and reported to your Board of Directors. Our thorough yet concise summaries will give you the information you need to assess your critical vendors. Reviews are performed by experienced professionals specializing in IS Risk Management for financial institutions. Reports provided include an Executive/Board Summary containing a snapshot of all vendors reviewed as well as a Vendor Review Report for each third party provider. We will also provide online access to your vendor documentation for 12 months, allowing easy retrieval for all auditing needs. As part of MVP, we will request for review the following vendor related documents as applicable: Contract * Audited financial statements Security audit reports (i.e. SSAE 16, SOC 1, SOC 2, etc.) Business continuity planning documentation Disaster recovery testing results and documentation Identity Theft Program Insurance Coverage Regulatory Exam and Management Responses DDoS Plans Compliance and licensing information Customer complaint resolution information *We do not offer legal advice on matters of contract structuring or obligations. We want to be your Most Valuable Partner in managing third party risk. (541)2VENDOR or (541) Sales@ManagedVendorProgram.com