Cyber Security 2014 SECURE BANKING SOLUTIONS, LLC

Transcription

1 Cyber Security CHAD KNUTSON SECURE BANKING SOLUTIONS 2014 SECURE BANKING SOLUTIONS, LLC

2 Presenter Chad Knutson Senior Information Security Consultant Masters in Information Assurance CISSP (Certified Information Security Systems Professional) CISA (Certified Information Systems Auditor) CRISC (Certified Risk and Information Systems Control) Cell: (605) SECURE BANKING SOLUTIONS, LLC 2

3 My Experience Information Security Program Design and Implementation IT Risk Assessment Penetration Testing Vulnerability Assessments Awareness Programs Vendor Management Business Continuity Technology Selection Security Consulting IT Audit ISP audit ATM audit Controls audit Wire transfer audit SOX audit Internet banking audit 2014 SECURE BANKING SOLUTIONS, LLC 3

4 NSA Designated School National Security Agency Department of Homeland Security DSU is the only national center of excellence focused on the security of banks SECURE BANKING SOLUTIONS, LLC 4

5 Growth in Banking New Products/Services Mobile Cash Management Consumer Capture Online Account Opening Integrative Teller Machines P2P Payment Systems Bank Cybercrime Increasing Organized Crime Advance Persistent Threats Third Party Customer 2014 SECURE BANKING SOLUTIONS, LLC 5

6 Cyber Security Agenda Data Breach Epidemic Hacking Made Easy Phishing with Malware Risk Assessment Commercial Customer Fraud DDOS = Fraud ATM Fraud Continual Improvement (What you can do) Audit Policy (ISP) 2014 SECURE BANKING SOLUTIONS, LLC 6

7 Data Breaches 2014 (few month) + so many more JP Morgan gigabytes of data was compromised, including customer account data from June to Mid-August by exploiting an overlooked flaw in one of the bank s websites, leading to infections on 90 servers. Possible 1M accounts breached. UPS - malware was on its in-store cash register systems at 51 of its locations in 24 states from Jan 20 to Aug 11, Home Depot involves nearly all of the 2,200 company s stores across the nation, back till April. Bigger then Target? AB Acquisition and SuperValu effected more than 180 stores in18 state between June 22 and July 17 (AMCE, Shaw, Albertson ) DQ initial breach as far back as early June Same malware that hit Target SECURE BANKING SOLUTIONS, LLC 7

8 SECURE BANKING SOLUTIONS, LLC 8

9 Verizon 2013 DATA BREACH INVESTIGATIONS REPORT (DBIR) 92% stemmed from external agents Organized criminal group 55% 55% utilized some form of hacking 29% utilized some form of social engineering 40% incorporated malware 75% of victims were opportunistic attacks 97% of breaches were avoidable through simple or intermediate controls (*2012) SECURE BANKING SOLUTIONS, LLC 9

10 Cyber Security Agenda Data Breach Epidemic Hacking Made Easy Phishing with Malware Risk Assessment Commercial Customer Fraud DDOS = Fraud ATM Fraud Continual Improvement (What you can do) Audit Policy (ISP) 2014 SECURE BANKING SOLUTIONS, LLC 10

11 Hacking made easy Default Passwords Hacking Tools Kali Linux (turnkey solutions) Caller ID Spoofing Social Engineer Toolkit Crime as a Service (CAAS) Exploit Sites SECURE BANKING SOLUTIONS, LLC 11

12 Cyber Security Agenda Data Breach Epidemic Hacking Made Easy Phishing with Malware Risk Assessment Commercial Customer Fraud DDOS = Fraud ATM Fraud Continual Improvement (What you can do) Audit Policy (ISP) 2014 SECURE BANKING SOLUTIONS, LLC 12

13 Phishing Trend 91% of APTs start with phishing attacks 2014 SECURE BANKING SOLUTIONS, LLC 13

14 Phishing Examples Scams-and-Malware-Campaigns 2014 SECURE BANKING SOLUTIONS, LLC 14

15 Cyber Security Agenda Data Breach Epidemic Hacking Made Easy Phishing with Malware Risk Assessment Commercial Customer Fraud DDOS = Fraud ATM Fraud Continual Improvement (What you can do) Audit Policy (ISP) 2014 SECURE BANKING SOLUTIONS, LLC 15

16 Corporate Account Takeover FDIC lists this as top threat: responsible for millions of dollars in losses frayed business relationships litigation affecting both financial institutions and commercial accounts. around 85% of cyber attacks are now targeting small businesses. White House Cybersecurity Coordinator 2014 SECURE BANKING SOLUTIONS, LLC 16

17 2014 Faces of Fraud SECURE BANKING SOLUTIONS, LLC 17

18 Cyber Security Agenda Data Breach Epidemic Hacking Made Easy Phishing with Malware Risk Assessment Commercial Customer Fraud DDOS = Fraud ATM Fraud Continual Improvement (What you can do) Audit Policy (ISP) 2014 SECURE BANKING SOLUTIONS, LLC 18

19 DDOS Distributed Denial of Service 2014 SECURE BANKING SOLUTIONS, LLC 19

20 Cyber Security Agenda Data Breach Epidemic Hacking Made Easy Phishing with Malware Risk Assessment Commercial Customer Fraud DDOS = Fraud ATM Fraud Continual Improvement (What you can do) Audit Policy (ISP) 2014 SECURE BANKING SOLUTIONS, LLC 20

21 "Unlimited operations Fraud FFIEC Warning Attack that netted more than $40 million with only 12 debit cards Often begins with a phishing sent to bank employees. Hackers seek to obtain employee credentials to inject malware into a financial institution s system. The ultimate target it the web-based ATM control panel. The attack then hits numerous ATMs using stolen debit card data. Focus on weekends/holidays and Windows XP systems 2014 SECURE BANKING SOLUTIONS, LLC 21

22 USB Theft Find specific style ATM (also windows XP) Drill hold in the casing and insert USB or SD card Hole covered with sticker or patch Infects the computer with malware Each time the criminals simply typed a 12-digit code into the ATM to launch a custom interface Also, required the thief to enter a second code in response to numbers shown on the ATM's screen before they could release the money. Returned to regular screen after 3 minutes SECURE BANKING SOLUTIONS, LLC 22

23 Latest Skimming Techniques Completely Fake ATM s and ATM covers. Keypad overlay instead of camera s. Transmission: devices: cell phone, Wifi, Bluetooth Gluing down the physical enter, cancel and clear keys. Allowing hacker to capture PIN and get the card. Card/Cash Trapping SECURE BANKING SOLUTIONS, LLC 23

24 Continual Improvement WHAT YOU CAN DO ABOUT CYBERCRIME 2014 SECURE BANKING SOLUTIONS, LLC 24

25 Security process Plan Risk Assessment Audits Check Do Information Security Program: Policy, Plans, Procedures 2014 SECURE BANKING SOLUTIONS, LLC 25

26 Information Security Program 2014 SECURE BANKING SOLUTIONS, LLC 26

27 Bank Education How to monitor Cyber Security Issues and Take Action? Conferences and Conventions Technology Conference Webinars Regular Hot Topics Banking Schools Graduate Banking Schools Information Security Certifications Certified Community Banking Security Professional Certified Community Banking Technology Professional Certified Community Banking Vendor Manager Third Party Audit Risk Assessment Customer Policy (ISP) 2014 SECURE BANKING SOLUTIONS, LLC 27

28 Questions? Chad Knutson Senior Information Security Consultant Cell: (605) Automated Information Security Suite Security Services SECURE BANKING SOLUTIONS, LLC 28