Risks and Trends in Network Security. Credit Unions

Transcription

1 Risks and Trends in Network 012 CliftonLarsonAllen LLP 20 Security Key IT Controls for Credit Unions ACUIA Region 4 Meeting April

2 Our perspective CliftonLarsonAllen Started in 1953 with a goal of total client service Today, industry specialized CPA and Advisory firm ranked in the top 10 in the U.S. Largest Credit Union Service Practice* *Callahan and Associates 2011 Guide to Credit Union CPA Auditors. CliftonLarsonAllen s credit union practice has recently grown to over 100 professionals including more than 20 principals. The group focuses on audit, assurance, consulting and advisory, information technology, and human resource management for credit unions across the country. news release 2

3 CliftonLarsonAllen Randy Romes Randy Romes Professional Student Pizza Guy High Sh School lsi Science Teacher Hacker Dad 3

4 Cub Scouts, IT Professionals, & Hackers Cub Scouts Be Prepared Camping Trip Preparation Road Trip!!! 4

5 Cub Scouts, IT Professionals, & Hackers Cub Scouts Camp Tomahawk Daily Routine Business as Usual 5

6 Cub Scouts, IT Professionals, & Hackers Cub Scouts Monday Morning NOT Business asusual usual Parking X Ecology Camp Sites Main Lodge 6

7 Presentation overview Emerging & Continuing Trends Industry Security Reports 14Years of InformationSecurity Audit, Assurance, and Incident Response Strategies and Key Controls 7

8 Definition of a Secure System A secure system is one we can depend on to behave as we expect. Source: Web Security and Commerce by Simson Garfinkel with Gene Spafford People Rules Confidentiality Integrity Availability ` Tools 8 8

9 Three Reasons Why We Should Care Regulatory and industry requirements: NCUA/FFIEC/GLBA, PCI, State Laws (this list is not getting smaller ) Contractual compliance More and more partners and vendors A recent example from Regulatory Compliance Audit It s a good idea Breach Listings breach 9

10 Three Security Reports Trends: Sans 2009 Top Cyber Security Threats cyber security risks/ Intrusion Analysis: TrustWave (2010 and 2011) Intrusion Analysis: Verizon Business Services 2010 report p p_ 010 DBIR combined reports_en_xg.pdf 2011 report ata breach investigations report 2011_en_xg.pdf 10

11 Trends 2009 SANS Report SANS study: cyber security risks/ security risks/ Client Side Attacks End user workstation (vulnerabilities) Website application vulnerabilities External web sites Organization s web sites Password Attacks: FTP, SSH, Remote Access Unpatched Applications: Adobe Java Apple Etc Phishing Attacks Application Vulnerabilities: SQL injection PHP issues 11

12 TrustWave Intrusion Analysis Report 2011 Methods of Entry: Methods of Propagation: 12

13 TrustWave Intrusion Analysis Report 2011 Most of the compromised systems were managed by a third party 13

14 TrustWave Intrusion Analysis Report Incident Response Investigative Conclusions Window of Data Exposure Once inside, attackers have very little reason to think they will be detected The bd bad guys are inside id for 1 ½ YASbf YEARS before anyone knows! 14

15 Verizon Report is analysis of intrusions investigated by Verizon and US Secret Service. KEY POINTS: Time from successful intrusion to compromise of data was days to weeks. Log files contained evidence of the intrusion attempt, success, and removal of data. Most successful intrusions were not considered d highly hl difficult. 15

16 Hackers, Fraudsters, and Victims 2010 Opportunistic Attacks Targeted Attacks 16

17 Hackers, Fraudsters, and Victims 2011 Opportunistic Attacks Targeted Attacks 17

18 Verizon 2010 and

19 Hackers and Fraudsters Objectives Identity Theft and Account Hijacking Phishing ACH fraud Identity theft and fraudulent credit Corporate Account Take over's Targeted Attacks Internal access for privilege escalation Corporate/Government Espionage Mass data theft Access to Intellectual Property (IP) or Financial Information Targeted Corporate Account Take Over System Access for Processing Power Bot Nets 19

20 Phishing and ACH Examples (Since Dec) Manufacturing Company ($348,000) Public School District ($110,000) 000) Church ($29,000 and $32,000) Hospital ($150,000) 000) Health CareAssociation ($1,088,000) 000) Dec 2011* More on these in next session 20

21 Emerging Areas for Risk Management Social Engineering (later today ) Mobile Banking Bring Your Own Device Cloud Service Providers Virtualization Vendor Management 21

22 Mobile Banking 012 CliftonLarsonAllen LLP 20 Understanding the Risks 2222

23 Mobile Banking Basics Mobile Banking is here to stay More people have (smart) phones than computers Mobile payments py are here 23

24 Mobile Banking Basics Different types of mobile banking SMS mobile banking Mobile web Mobile applications 24

25 Vulnerabilities, Risks, & Controls Vulnerabilities and risks at each component Perform a risk assessment Risk Assessment Heat map Server Side Risks (Vendor Risks) Transmission Risks Mobile Device Risks Mobile App Risks End duser Risks 25

26 Vulnerabilities, Risks, & Controls Server Side Risks Essentially the same as traditional Internet banking website risks Insecure coding practices Default credentials Patch/update maintenance Certificate issues This is essentially a web server for the mobile devices to connect to. Credit Union Firewall 26

27 Vulnerabilities, Risks, & Controls Vendor Risks Same risks as credit union now outside of your direct control. Insecure coding practices Default credentials Patch/update maintenance Certificate issues Also need controls on the dedicated link Credit Union Firewall This is essentially a web server for the mobile devices to connect to. Credit Union Core System 27

28 Vulnerabilities, Risks, & Controls Transmission Risks Most mobile devices have always on Internet connection Cellular (cell phone service provider) Wifi ( home, corporate, public ) Need encryption Common end user practices 28

29 Vulnerabilities, Risks, & Controls Mobile Device Risks Multiple hardware platforms & multiple operating systems 29

30 Mobile Banking Basics Mobile banking applications (i.e. mobile apps ) Various mobile app market places itunes/apple App Store Android Market Verizon App Store BlackBerry App Store 30

31 Vulnerabilities, Risks, & Controls Mobile App Risks Secure coding issues Installation of App Useand protection of credentials Storage of data Transmission of data 31

32 Vulnerabilities, Risks, & Controls End User Risks Losethe device Don t use passwords, or use easy to guess passwords Store passwords on the device Jail break the device Don t use security software Use/don t recognize insecure wireless networks Let their kids use the device 32

33 Vendor Due Diligence and Management All of the above applies to your vendor(s) Mobile banking application provider Mobile banking hosting provider Contracts with SLA s SSAE16 reviews Independent code review and testing 33

34 Mobile Devices 012 CliftonLarsonAllen LLP 20 Bring Your Own Device (BYOD) 3434

35 BYOD People, Rules, and Tools: Standards Data Classification Acceptable Use Incident Response Litigation Preparedness 35

36 BYOD Controls and Enterprise management of: Credentials Login/Screen Saver Encryption Monitoring Data Loss Prevention (DLP) Remote Locate and Wipe Segregation... 36

37 Cloud Services 20Cloud 012 CliftonLarsonAllen LLP Benefits and Risks 3737

38 What is the Cloud? Is it a clever marketing term? Where is the cloud? 38

39 What is the Cloud? The original cloud computing : Mainframes 39

40 What is the Cloud? The next generation: Thin Clients (Citrix, RDP, etc ) 40

41 What is the Cloud? Today s cloud: Hosted service or process all the way to hosted infrastructure. 41

42 What is the Cloud? Today s cloud: Hosted service or process all the way to hosted infrastructure. 42

43 What is the Cloud? National Institute of Standards and Technology (NIST) definition of cloud computing published October 7, 2009: Cloud computing is a model for enabling convenient, on demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 43

44 Cloud Computing Service Models Software as a Service (SaaS) Capability to use the provider s applications that run on the cloud infrastructure. Platform as a Service (PaaS) Capability to deploy onto the cloud infrastructure customer created or acquired applications created using programming languages and tools supported by the provider Infrastructure as a Service (IaaS) Capability to provision processing, storage, networks and other fundamental computing resources that offer the customer the ability to deploy and run arbitrary software, which can include operating systems and applications 44

45 Cloud Computing Service Models The KEY takeaway for cloud architecture is that the lower down the stack the cloud service provide stops, the more capabilities and management the users are responsible forimplementing and managing themselves 45

46 What does that mean? Cloud computing means an increased need for: Good polices Clear communication bt between the provider and the consumer of the services Ownership and governance of the relationship with the provider 46

47 Cloud Computing Deployment Models Public cloud (commercial): Made available to the general public or a large industry group Owned by an organization that sells cloud services Community cloud: Shared by several organizations Supports a specific community that has a shared mission or interest May be managed by the organizations or a third party May reside on or off premise 47

48 Cloud Computing Deployment Models cont. Hybrid cloud: Composed of twoor or more clouds (private, communityor or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds) Private cloud: Operated solely for an organization May be managed by the organization or a third party May exist on or off premise 48

49 Examples of Cloud Services Hosted applications Gmail Google Apps Hosted accounting On line/cloud back up services and storage Hosted infrastructure 49 Private Clouds

50 Benefits Cost Administration DR/BCP Compliance 50

51 Risks Vendor Risks Governance Risks Data Risks Who has your data? Where is your data? Who has access to your data? 51

52 Examples in the news Megaupload story: SANS NewsBites Vol. 14 Num wiredefense hobbled/ A Megaupload defense attorney maintains that the government has "cherry picked" data from servers to bolster its case against Megaupload, and to allow the destruction of the data now could potentially destroy evidence that would prove beneficial to the defense. The staggering volume of data 25 petabytes are currently being stored on servers at US hosting company Carpathia, but because Megaupload's assets are frozen, Carpathia is shouldering the US $9,000 daily cost of maintain the data. A hearing on the matter is scheduled for Friday, April 13. Carpathia wants the judge to relieve it of the burden the cost of maintaining the data; an Ohio businessman wants the data preserved because he has legitimate files stored on the servers and wants them returned; the Motion Picture association i of America (MPAA) wants the data preserved so they can be used in future copyright infringement lawsuits; and Carpathia and Megaupload have suggested a proposal wherein Megaupload would purchase the servers and bear the cost of maintain the data, but the government so far has refused to unfreeze the company's assets. 52

53 Examples closer to home Recent conference Betweensessions vendors describe their service offerings Company X offers online, secure back up to the cloud Company X has grown over 300% in the last year Best of all, Company X now provides online, secure, cloud based back up for Company Y one of the larger Core hosting company providers Where does the outsourcing chain end? How many FI s using Company Y know where their data is 53

54 Cloud Computing Controls The overall control domain is the same as an in house IT environment, the challenge is to figureout who is doing what. Controls in the cloud computing environment may be provided by the consumer/company, the cloud service provider, or a separate 3 rd party. SSAE 16 SOC2 report from service providers 54

55 Evaluate the Control Environment 55

56 Things to do Risk Assessment Cost benefit analysis Vendor due diligence Scrutinize i contracts t Ongoing vendor management Be rigorous about where your data is Understand vendors responsibility and YOURS Remember basic security tenants 56

57 Ten Things Every Credit Union Should Have 1. Strong Policies Define what is expected Foundation for all that follows 57

58 Ten Things Every Credit Union Should Have 2. Defined user access roles and permissions Principal of minimum access and least privilege Mostusers shouldnot have system administrator rights Don t forget your vendors 58

59 Ten Things Every Credit Union Should Have 3. Hardened internal systems (end points) Hardening checklists Turn off unneeded services (minimizeattacksurface) Change (vendor) default password 59

60 Ten Things Every Credit Union Should Have 4. Encryption strategy (variety of state laws ) Laptops, desktops, enabled cell phones Thumb drives/mobile media Data at rest? 60

61 Ten Things Every Credit Union Should Have 5. Vulnerability management process Operating system patches Application i patches SMS and Shavlik Testing to validate effectiveness find and address the exceptions 61

62 Ten Things Every Credit Union Should Have 6. Well defined perimeter security layers: Network segments gateway/filter gateway/filter, firewall, and Proxy integration for traffic in AND out Intrusion Detection/Prevention for network traffic, Internet facing hosts, AND workstations (end points) 62

63 Ten Things Every Credit Union Should Have 7. Centralized audit logging, analysis, and automated alerting capabilities : Security Information and Event Management (SIEM) Routing infrastructure Network authentication Servers Applications Archiving vs. Reviewing 63

64 Ten Things Every Credit Union Should Have 8. Defined incident response plan and procedures Be prepared Documentation and procedures Including data leakage prevention and monitoring Incident Response testing, just like DR testing Forensic preparedness 64

65 Ten Things Every Credit Union Should Have 9. Validation that it all works the way you expect (remember the definition?) (IT) Audits Vulnerability Assessments Penetration Testing A combination i of internal and external resources Pre implementation and post implementation 65

66 Ten Things Every Credit Union Should Have 10. Vendor Management The previous 9 topics should all be applied to your vendors/business partners Require vendor systems be at least as secure as your own For managed services, require vendors to agree to operate up to your standards Vulnerability management Secure communication protocols Incident response capabilities Right to audit Understand your contracts and SLAs 66

67 Solutions From SANS Report 20 Critical Controls: security controls/ 67

68 SANS First Five 1. Software white listing 2. Secure standard configurations 3. Application security patch installation within 48 hours 4. System security patch installation within 48 hours 5. Ensuring administrative privileges are not active while browsing the Internet or handling 68

69 Questions? 69

70 Thank you! 012 CliftonLarsonAllen LLP 20 Randy Romes, CISSP, CRISC, MCP, PCI QSA Principal Information Security Services com Slides are available here: Presentations link/buttonon lower left. 7070

71 Common Compliance Requirements Compliance Matrix Resources: mpliance_wp_20.pdf pdf 71

72 Resources Hardening Checklists Hardening checklists from vendors CIS offers vendor neutral hardening resources Microsoft Security Checklists us/library/dd aspx Most of these will be from the BIG software and hardware providers 72

73 Resources Computer Security Institute: com/soceng htm Mthd Methods of Hacking: Social lengineering i by Rick Nelson html Computer Security Institute: 73

74 Resources Bank Info Security Resource Center com/ FFIEC Authentication Guidance htm / h i i id 74

75 PCI Standards Quarterly external vulnerability scan by an Approved Scanning Vendor (ASV) Quarterly test wireless network security Annual DSSAssessment (i.e. SAQ) By QSA if level 1 Annual Penetration Test (not vulnerability scan) External Internal And 75

76 Resources In the News Privacy Rights <dot> org Resource for State Laws breach FAQ#10 76

77 References Michigan Company sues bank com/s/article/ /michigan sues _bank_over_theft_of_560_000_?taxonomyid=17 phish foiled 2 com/2010/02/comerica phish 2 factor protection/#more 973 Bank sues Texas company 77

78 References to Specific State Laws Are there state-specific breach listings? Some states have state laws that require breaches to be reported to a centralized data base. These states include Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia s notification law only applies to electronic breaches affecting more than 1,000 residents). However, a number of other states have some level of notification that has been made publicly available, primarily through Freedom of Information requests. These states include California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin. State laws: For details, see the Open Security Foundation Datalossdb website: