Get on First Base with your Regulators and Cyber Security

Transcription

1 Get on First Base with your Regulators and Cyber Security Secure Banking Solutions Chad Knutson

2 2 Presenter Chad Knutson VP SBS Institute Senior Information Security Consultant Masters in Information Assurance CISSP, CISA, CRISC Cell: (605)

3 3 Background 10 Years Community Bank Consulting at SBS Experience in Risk Management, ISP Development, and Auditing SBS has worked with over 800 banks in 45 states Relationship with Dakota State University NSA & DHS National Center of Excellence in Information Assurance One of the only universities focusing on community banking security

4 4 Cybersecurity America s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet. Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property. Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas. President Obama

5 5 Growth in Banking Bank New Products/Services Mobile Cash Management Consumer Capture Online Account Opening Integrative Teller Machines P2P Payment Systems Cybercrime Increasing Organized Crime Advance Persistent Threats Third Party Customer

6 6 APT vs Organized Crime

7 7 FFIEC Cyber Security Main Site: Board/Senior Management Video: Observations: Assessment_Observations.pdf

8 8 FFIEC Observations

9 9 FFIEC Observations Inherent Risk: Financial institutions need a solid methodology to identify inherent risk from cyber threats. Community banks should ensure the following: Asset-based IT Risk Assessment that identifies: Connection Types Products and Services offered Technologies implemented Specific risks mentioned include: ATM Fraud BYOD Risks Wire and ACH Fraud DDOS Attacks

10 10 FFIEC Observations Preparedness: Following a solid understanding of inherent risks to community banks, institutions need to focus on risk mitigating comments. The FFIEC highlights the following areas: Risk management and oversight involves governance, allocation of resources, and training and awareness of employees. Threat intelligence and collaboration is the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision making. Cybersecurity controls controls can be preventive, detective, or corrective External dependency management includes the connectivity to third-party service providers, business partners, customers, or others and the financial institutions expectations and practices to oversee these relationships. Cyber incident management and resilience involves incident detection, response, mitigation, escalation, reporting, and resilience.

11 11 Fresh Update to BCP Guidance

12 12 Cybercrime made easy Underground Markets ty.com/2013/12/car ds-stolen-in-targetbreach-floodundergroundmarkets/ Default Passwords ords Hacking Tools Hacking Toolkits Caller ID Spoofing freecall/ Social Engineer Toolkit Crime as a Service (CAAS) DDOS Exploit Resource Sites Big News Vulnerabilities

13 13 Weak / Default Passwords Numerous password database breaches in 2012/2013 Password Cracking Technology taken to new level with GPU (graphics cards) processor capabilities In 76% of data breaches, weak or stolen user names and passwords were a cause - Verizon

14 14 Password Reuse & Breaches Secure Passwords - 73% of users share the passwords which they use for online banking, with at least one nonfinancial website. With passwords, the surprise we found was not password complexity, but was people using the same password for several different accounts Once the bad guys got it, it was very simple to move around [the network]. - Lance Spitzner SANS 59% had same between Yahoo and Sony breaches 67% had same between Sony and Gawker breaches

15 15 Hacking Tools

16 16 KALI Linux

17 17 Caller ID Spoofing

18 18 Social Engineering

19 19 Crime as a Service (CAAS) Growing Threat Built using Botnets Provide services such as: Conduct DDOS Conduct Phishing Anti-Antivirus Services Keylogging and central reporting

20 20 Crime as a Service (CAAS)

21 21 ATM Fraud Increasing

22 22 ATM FFIEC Alert "Unlimited operations Fraud Attack that netted more than $40 million with only 12 debit cards Often begins with a phishing sent to bank employees. Hackers seek to obtain employee credentials to inject malware into a financial institution s system. The ultimate target it the web-based ATM control panel. The attack then hits numerous ATMs using stolen debit card data. Focus on weekends/holidays and Windows XP systems

23 23 USB Theft Find specific style ATM (also windows XP) Drill hold in the casing and insert USB or SD card Hole covered with sticker or patch Infects the computer with malware Each time the criminals simply typed a 12-digit code into the ATM to launch a custom interface Also, required the thief to enter a second code in response to numbers shown on the ATM's screen before they could release the money. Returned to regular screen after 3 minutes. Jackpot at Defcon (caution language)

24 24 Recent Malware Heist NCR ATMs attacked in Malaysia $1 million with the help of malware they d installed on at least 18 ATMs across the country. (Krebs)

25 25 Latest Skimming Techniques Completely Fake ATM s and ATM covers. Keypad overlay instead of camera s. Transmission: devices: cell phone, Wifi, Bluetooth Gluing down the physical enter, cancel and clear keys. Allowing hacker to capture PIN and get the card. Card/Cash Trapping

26 26 CATO Corporate Account Takeover

27 27 What is CATO? Corporate Account Takeover is an evolving electronic crime typically involving the exploitation of businesses of all sizes, especially those with limited to no computer safeguards and minimal or no disbursement controls for use with their bank s online business banking system. These businesses are vulnerable to theft when cyber thieves gain access to its computer system to steal confidential banking information in order to impersonate the business and send unauthorized wire and ACH transactions to accounts controlled by the thieves. Municipalities, school districts, large non-profit organizations, corporate businesses, and any customers that perform electronic transfers are potential targets. Losses from this form of cyber-crime range from the tens of thousands to the millions with the majority of these thefts not fully recovered. These thefts have affected both large and small banks. Texas ECTF

28 28 Corporate Account Takeover FDIC lists this as top threat: responsible for millions of dollars in losses frayed business relationships litigation affecting both financial institutions and commercial accounts. around 85% of cyber attacks are now targeting small businesses. White House Cybersecurity Coordinator

29 Faces of Fraud

30 30 CATO Fraud Losses

31 31 CATO Issues Cyber-criminals are targeting commercial accounts Business/Commercial accounts do not have the same legal protections afforded to consumer accounts (Reg E) If Financial Institutions do not start to prevent fraud in commercial accounts the government will expand legal protections to commercial accounts, what will this COST (Sen. Chuck Schumer (D-NY) Schumer Bill )

32 32 Outcome Who is responsible? 3% 12% 13% Relationship Status 14% 34% 21% 72% 31% Customer Bank Government Law Enforcement Diminished trust Move Money No Change Terminated

33 33 Small Business Security 70% lack basic security controls Get to the basics with each small business Conduct a risk assessment looking for these basic security controls Firewall, Strong passwords, Malware Protection Etc.

34 34 The Legal Battle Commercially Reasonable EMI Case - EMI employee opened and clicked on links within a phishing M in wires stolen, $560,000 was not recoverable. Court rules in favor of small business. Patco Construction's computer infected with Zeus malware and steals $589,000 via ACH (payroll) with net loss of $345,440. Court rules in favor of Bank, then July 3, 2012 appeals court overturned in favor of small business. Court calls a "one-size-fits-all" approach Commercially Unreasonable.

35 35 Win (?) for Banks Choice Escrow and Land Title LLC sued BancorpSouth Inc. for a $440,000 loss via a single wire in March Choice Escrow was offered and explicitly declined in writing the use of dual controls and wire limits. Important Factors: Incident occurred prior to January 2012 Offering of controls was clearly documented

36 36 Recent Incidents May J.T. Alexander & Son Inc. $800,000 in ACH transactions ranging from 5-10K to 60 mules, company has 15 employees with average 30K payroll. April 2013 Chelan County Public Hospital $1M in ACH transactions from payroll account using 96 mules Identified by Brian Krebs December Efficient Services Escrow Group $1.5M in wires (December.4M and January 1.1M). Forced company to close. December 2012 Ascent Builders Inc. $900,000 in wires and ACH covered up by DDOS Identified by Brian Krebs July 2013 Texas Brand Bank (TBB) sues Luna & Luna, LLP. Funds at JP Morgan 1.66M in three separate wire transfers, 2012 U.S. Department of Housing and Urban Development (HUD) funds Bank borrowed 1.66M to corporate customer, went unpaid. Government froze funds.

37 37 Regulatory Guidance FFIEC Specific Supervisory Expectations 1/2012: Risk Assessment Customer Authentication for High-Risk Transactions Layered Security Programs Effectiveness of Certain Authentication Techniques Customer Awareness and Education Conference of State Bank Supervisors (CSBS) Expectations (19 controls) 12/2012: Prevent Detect Respond Resources: FFIEC 2005 Guidance FFIEC Supplement Guidance FIL CSBS Guidance NACHA CATO Group Customer Movement

38 38 FFIEC Risk Assessment Should be updated when new information is obtained, new electronic services offered, or at least every 12 months. It should consider: Changes in internal and external threats Changes in customer base adoption Changes in functionality offered Actual incidents of security breaches, identity theft, or fraud experienced by institution or industry

39 39 FFIEC Layered Security Programs Effective controls that may be incorporated in a layered security program include, but are not limited to: Fraud monitoring and detection Dual authorization Out-Of-Band transaction verification Positive pay Account activity controls or limits on value, volume, timeframes, and payment recipients IP reputation-based blocking tools Polices and procedures for addressing potentially infected customer devices Enhanced control over account maintenance Enhanced customer education

40 40 FFIEC Customer Awareness and Education Efforts should address both retail and commercial accounts and, at a minimum, include: Explanation of protections provided, and not provided, or limitations relative to Regulation E. Explanation of circumstances and through what means unsolicited requests may be made to the customer. Suggestions for the commercial online banking customer to perform a risk assessment and controls evaluation periodically. List alternative risk control mechanisms and resources that customers may consider to mitigate their own risk. List institutional contacts for customers use in the event they notice suspicious activity or security incidents.

41 41 PROTECT Implement processes and controls to protect the financial institution and corporate customers. P1. Expand the risk assessment to include corporate account takeover. P2. Rate each customer (or type of customer) that performs online transactions. P3. Outline to the Board of Directors the Corporate Account Takeover issues. P4. Communicate basic online security practices for corporate online banking customers. P5. Implement/Enhance customer security awareness education for retail and high risk business account holders. P6. Establish bank controls to mitigate risks of corporate accounts being taken over. P7. Review customer agreements. P8. Contact your vendors to regularly receive information regarding reducing the risk of Corporate Account Takeovers.

42 42 DETECT Establish monitoring systems to detect electronic theft and educate employees and customers on how to detect a theft in progress. D1. Establish automated or manual monitoring systems. D2. Educate bank employees of warning signs that a theft may be in progress. D3. Educate account holders of warning signs of potentially compromised computer systems.

43 43 RESPOND Prepare to respond to an incident as quickly as possible (measured in minutes, not hours) to increase the chance of recovering the money for your customer. R1. Update incident response plans to include Corporate Account Takeover. R2. Immediately verify if a suspicious transaction is fraudulent. R3. Immediately attempt to reverse all suspected fraudulent transactions. R4. Send a Fraudulent File Alert through FedLine. R5. Immediately notify the receiving bank(s) of the fraudulent transactions and ask them to hold or return the funds. R6. Implement a contingency plan to recover or suspend any systems suspected of being compromised. R7. Contact law enforcement and regulatory agencies once the initial recovery efforts have concluded. R8. Implement procedures for customer relations and documentation of recovery efforts.

44 44 What is the silver bullet? Stronger Contracts? Multifactor? Out of Band Authentication? Call back procedures? Transaction limits? Insurance?

45 45 Solutions Comprehensive Risk Management Processes Leverage Your ISP! Bank IT Risk Assessment Third Party Risk Assessments Commercial Account Risk Assessment Educate Your Customers Commercial Accounts Third Party Bank IT

46 46 Risk Assessment FFIEC: Review commercial accounts and identify highest risk accounts, and consider: CSBS: New or changing threats to your services Change in customer base Change in functionality offered Actual incidents from breaches, ID theft, and fraud in the industry or institution P1. Expand the risk assessment to include corporate account takeover. P2. Rate each customer (or type of customer) that performs online transactions.

47 47 Customer Awareness and Education Handouts / Pamphlets Posters / Calendars Security Awareness Day InfraGard Certification Social Engineering Tests Games Resources Commercial Customer Roundtable

48 48 Onsite or Online Education

49 49 Continual Improvement What you can do about cybercrime

50 50 Security process Plan Risk Assessment Audits Check Do Information Security Program: Policy, Plans, Procedures

51 51 FDIC - Appendix B to Part 364 A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated. B. Objectives. A bank's information security program shall be designed to: 1. Ensure the security and confidentiality of customer information; 2. Protect against any anticipated threats or hazards to the security or integrity of such information; 3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and 4. Ensure the proper disposal of customer information and consumer information.

52 52 FDIC - Appendix B to Part 364 Table of Contents I. Introduction A. Scope B. Preservation of Existing Authority C. Definitions II. Standards for Safeguarding Customer Information A. Information Security Program B. Objectives III. Development and Implementation of Customer Information Security Program A. Involve the Board of Directors B. Assess Risk C. Manage and Control Risk D. Oversee Service Provider Arrangements E. Adjust the Program F. Report to the Board G. Implement the Standards

53 53 Risk Management Process 9 Document Information Security Program: Establish an effective set of IT policies Optional Demonstrate Compliance: Reporting Improve the process Additional Action Measure Against Goal Identify Controls Determine Residual Risk: What is the risk after applying controls? System Controls: What system safeguards does the bank want to implement? Determine Inherent Risk: 4 Which assets represent risk to the bank? Inventory: Identify all assets, third parties, or customers. Develop Priorities: Protection Profiles (CIAV) Identify Threats: What are the threats to each asset (including probability and impact of each threat)?

54 54 Information Security Program

55 55 Audit (Check) Components Vulnerability Assessment Internal assessment, comprehensive. Checks for: Missing patches or updates Default settings and passwords Vulnerable systems Penetration Testing External assessment, replicating a hacker. Identifies: Vulnerable systems Exploits vulnerabilities Security warnings Test Intrusion Prevention Systems Social Engineering Tests your people and their responses to social engineering techniques. IT Audit Verifies you are following your Information Security Program Ensures its adequate to meet regulatory requirements and implements industry best practices.

56 Bank 56 Education Third Party Customer How to monitor Cyber Security Issues and Take Action? Conferences and Conventions Technology Conference Association Webinars Risk Assessment Regular Hot Topics Banking Schools Graduate School of Banking Information Security Certifications Audit Policy (ISP) CCBSP Certified Community Banking Security Professional CCBTP Certified Community Banking Technology Professional CCBVM Certified Community Banking Vendor Manager

57 57 Questions Contact Information: Chad Knutson VP SBS Institute Senior Information Security Consultant CISSP, CISA, CRISC Phone: