Current Trends in Cyber Crime & Payments Fraud cliftonlarsonallen.com
Transcription
1 Title: Current Trends in Cyber Crime & Payments Fraud
2 Our perspective: CliftonLarsonAllen
- Started in 1953 with a goal of total client service
- Today, an industry-specialized CPA and advisory firm ranked in the top 10 in the U.S.
- Information security offered as a specialized service offering for over 15 years
- Largest credit union service practice*
*Callahan and Associates 2014 Guide to Credit Union CPA Auditors. CliftonLarsonAllen's credit union practice has recently grown to over 100 professionals, including more than 20 principals. The group focuses on audit, assurance, consulting and advisory, information technology, and human resource management for credit unions across the country. (news release)

3 Overview
- Up-to-date cybersecurity and fraud risks
- Current threat environment
- Industry examples and case studies
- FFIEC cybersecurity assessments and governance requirements
- Strategies to mitigate and manage risks

4 Cyber Fraud Risk Themes
- Hackers have monetized their activity
- More sophisticated hacking
- More hands-on effort
- Smaller organizations targeted
- Black market economy
- Social engineering is a continuing threat
- Hackers targeting members and member businesses

5 Largest Cyber Fraud Trends
Most common cyber fraud scenarios we see affecting our credit unions and their members:
- Theft of PII and PFI
- Theft of credit card information
- Member and corporate account takeovers
- Ransomware
- Defensive measures to support incident response
- Examples and case studies
6 Black Market Economy: Theft of PFI and PII
Active campaigns involving targeted phishing and hacking focused on common/known vulnerabilities. Recent examples:
- Target
- Goodwill
- Jimmy John's
- University of Maryland
- University of Indiana
- Anthem Blue Cross
- Premera
- Olmsted Medical Center
- Community Health Systems

7 Anatomy of a Breach

8 Timeline of a Breach and Missed Opportunities
1. Attacked/compromised vendor remote access
2. Missed AV/IDS warnings
3. Attacked/compromised internal vulnerabilities
4. Missed IDS warnings
9 Black Market Economy: Stolen Card Data
- Carder or carding websites
- Dumps vs. CVVs
- A peek inside a carding operation: inside a professional carding shop/

10 Black Market Economy: Carder Boards
- Easy to use!

11 Credit Card Data For Sale
12 Corporate Account Takeover (CATO)
- Catholic church parish
- Hospice
- Finance company
- Main Street newspaper stand
- Electrical contractor
- Utility company
- Industry trade association
- Rural hospital
- Mining company
- Credit union
- On and on and on and on...

13 CATO Lawsuits: UCC
"A payment order received by the [bank] is effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer."
14 CATO Lawsuits: UCC
Electrical contractor vs. bank
- > $300,000 stolen via ACH through CATO
- Internet banking site was down (DoS?)
- Contractor asserting the bank processed a bogus ACH file without any call-back

15 CATO Lawsuits: UCC
Escrow company vs. bank
- > $400,000 stolen via a single wire through CATO
- CE passed on dual control offered by the bank
- Court ruled in favor of the bank
- Company's attorneys failed to demonstrate the bank's procedures were not commercially reasonable

16 Case Study: "Please wire $ to ..."
The CEO asks the CFO. Common mistakes:
1. Use of private
2. Don't tell anyone
Link: cybercrime/omahas scoular co loses 17 million afterspearphishing attack.html
17 CATO Defensive Measures
- Multi-layer authentication
- Multi-factor authentication
- Out-of-band authentication
- Positive pay
- ACH block and filter
- IP address filtering
- Dual control
- Defined processes for payments
- Activity monitoring
- Manual vs. automated controls
- Combination of preventative and detective controls
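The controls on this slide are usually described one at a time; the following Python example, added here and not part of the presentation or of any bank's software, shows how they stack when a single payment order is screened. Dual control, out-of-band confirmation, IP address filtering, an ACH beneficiary filter (positive-pay style) and a 24-hour velocity check are each applied, and the order is released only when every layer passes. The customer profile, thresholds, TEST-NET addresses and the two sample orders (a routine payroll file and an order with the typical account-takeover shape) are constructed for illustration.

```python
"""Layered screening of a payment order (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class PaymentOrder:
    order_id: str
    originator: str              # customer account being debited
    beneficiary: str             # destination account identifier
    amount: float
    submitted_by: str            # user who keyed the order
    approved_by: Optional[str]   # second user under dual control, None if absent
    source_ip: str               # address of the online-banking session
    submitted_at: datetime
    out_of_band_confirmed: bool  # call-back / code to a registered phone completed


@dataclass
class CustomerProfile:
    """Controls the customer has enrolled in (all values are hypothetical)."""
    dual_control_threshold: float   # orders at/above this need a second approver
    out_of_band_threshold: float    # orders at/above this need a call-back
    allowed_networks: List[str]     # IP address filtering
    approved_beneficiaries: Set[str]  # ACH block and filter / positive pay list
    daily_limit: float              # activity monitoring: 24-hour velocity cap
    history: List[PaymentOrder] = field(default_factory=list)  # released orders


def screen_order(order: PaymentOrder, profile: CustomerProfile) -> List[str]:
    """Return the list of control failures; an empty list means release the order."""
    failures = []
    # Dual control: a second, different person must approve large orders.
    if order.amount >= profile.dual_control_threshold and (
            order.approved_by is None or order.approved_by == order.submitted_by):
        failures.append("dual control: missing independent second approver")
    # Out-of-band authentication for the largest orders.
    if order.amount >= profile.out_of_band_threshold and not order.out_of_band_confirmed:
        failures.append("out-of-band: no call-back confirmation on file")
    # IP address filtering: session must originate from a registered network.
    if not any(ip_address(order.source_ip) in ip_network(n) for n in profile.allowed_networks):
        failures.append(f"ip filter: {order.source_ip} not in customer's registered networks")
    # ACH block and filter / positive pay: beneficiary must be pre-approved.
    if order.beneficiary not in profile.approved_beneficiaries:
        failures.append(f"ach filter: beneficiary {order.beneficiary} not on approved list")
    # Activity monitoring: compare against the customer's released 24-hour volume.
    window_start = order.submitted_at - timedelta(hours=24)
    recent = sum(o.amount for o in profile.history if o.submitted_at >= window_start)
    if recent + order.amount > profile.daily_limit:
        failures.append(f"velocity: 24h total {recent + order.amount:.2f} "
                        f"exceeds limit {profile.daily_limit:.2f}")
    return failures


def build_demo_profile() -> CustomerProfile:
    # Constructed profile: TEST-NET-3 range, hypothetical beneficiary IDs.
    return CustomerProfile(
        dual_control_threshold=10_000.0,
        out_of_band_threshold=50_000.0,
        allowed_networks=["203.0.113.0/24"],
        approved_beneficiaries={"PAYROLL-VENDOR-0001", "UTILITY-CO-0002"},
        daily_limit=100_000.0,
    )


def demo() -> Dict[str, List[str]]:
    """Screen a routine payroll order, then an order shaped like a takeover."""
    profile = build_demo_profile()
    t0 = datetime(2015, 6, 1, 9, 0)
    routine = PaymentOrder("A1", "ACME-OPERATING", "PAYROLL-VENDOR-0001", 24_500.0,
                           "cfo", "controller", "203.0.113.10", t0, True)
    suspect = PaymentOrder("A2", "ACME-OPERATING", "NEW-ACCT-9999", 120_000.0,
                           "cfo", "cfo", "198.51.100.77", t0 + timedelta(minutes=5), False)
    results = {}
    for order in (routine, suspect):
        results[order.order_id] = screen_order(order, profile)
        if not results[order.order_id]:
            profile.history.append(order)   # only released orders count toward velocity
    return results


if __name__ == "__main__":
    for order_id, failures in demo().items():
        print(order_id, "RELEASE" if not failures else "HOLD", failures)
```

The routine order clears every layer; the second order trips all five, which is the point of combining preventative controls (the filters) with detective ones (velocity monitoring): a fraudster who obtains valid credentials still has to defeat the call-back, the second approver, the registered-network check and the beneficiary list, and the velocity rule alerts even if one of those is bypassed.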
18 Ransomware
- Malware encrypts everything it can interact with, i.e. anything the infected user has access to
- CryptoLocker
- May 20, 2014: ransomware attacks doubled in the last month (7,000 to 15,000)
Link: goes spearphishing infections soar warns knowbe4 a html

19 Ransomware
- Working (tested) backups are key
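"Working (tested)" is the operative phrase: a backup nobody has restored from is an assumption, not a control. The Python example below, added here and not from the presentation, records a SHA-256 manifest when a backup is taken, then verifies a restored copy against it and reports which files are missing or no longer match (for a ransomware event, the encrypted ones). Everything runs in a temporary directory with constructed files; the "live" share, the overwrite standing in for encryption, and the file names are all hypothetical.

```python
"""Backup manifest and restore verification (added example, constructed data)."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restore_root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a restored tree to the manifest taken at backup time.

    A backup only counts as working when every file is present and its hash matches.
    """
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        candidate = restore_root / rel
        if not candidate.exists():
            report["missing"].append(rel)
        elif sha256_file(candidate) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def simulate() -> Dict[str, List[str]]:
    """Constructed scenario: back up a share, lose files on the live copy, test a restore."""
    base = Path(tempfile.mkdtemp(prefix="bkp-demo-"))
    try:
        live, backup, restore = base / "live", base / "backup", base / "restore"
        live.mkdir()
        (live / "ledger.csv").write_text("acct,balance\n1001,250.00\n")
        (live / "policies").mkdir()
        (live / "policies" / "isp.txt").write_text("Information Security Program v3\n")
        (live / "notes.txt").write_text("tabletop exercise 2015\n")

        # 1. Take the backup and store the manifest with it.
        shutil.copytree(live, backup)
        manifest = build_manifest(backup)
        (base / "manifest.json").write_text(json.dumps(manifest))

        # 2. Damage the live copy the way the slide describes: everything the
        #    user could reach is rewritten (stand-in for encryption) or removed.
        for victim in (live / "ledger.csv", live / "policies" / "isp.txt"):
            victim.write_bytes(b"UNREADABLE:" + os.urandom(16))
        (live / "notes.txt").unlink()

        # 3. The test: the live tree fails verification, the restore passes.
        loaded = json.loads((base / "manifest.json").read_text())
        live_report = verify_restore(live, loaded)
        shutil.copytree(backup, restore)
        restore_report = verify_restore(restore, loaded)
        return {
            "live_modified": live_report["modified"],
            "live_missing": live_report["missing"],
            "restore_ok": restore_report["ok"],
            "restore_failed": restore_report["modified"] + restore_report["missing"],
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The same `verify_restore` run against the live share doubles as a detector: files whose hashes no longer match the last manifest are exactly the ones that need restoring, and a manifest kept with the backup (not on the share it describes) cannot be altered by malware running as the user.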
20 Ten Things That Make It Easy for Hackers
1. Giving users local admin privileges
2. Domain Admins don't have a separate user account
3. Domain Admins log into workstations
4. Weak passwords
5. Shared passwords
6. Poor patching
7. Unnecessary ports and services
8. Weak/no encryption
9. Vendor systems
10. Lack of security awareness

21 Keys to Successful Breaches

22 Keys to Successful Breaches
- Reliance/dependence on 3rd-party service providers is at the root of most breaches
23 How Do Hackers and Fraudsters Break In?
"Amateurs hack systems, professionals hack people." (Bruce Schneier)
Social engineering relies on the following:
- The appearance of authority
- People want to avoid inconvenience
- Timing, timing, timing

24 Pretext Phone Calls
"Hi, this is Randy from Fiserv user support. I am working with Dave, and I need your help..."
- Name dropping
- Establish a rapport
- Ask for help
- Inject some techno-babble
- Think telemarketer's script
- Home Equity Line of Credit (HELOC) fraud calls
- Ongoing high-profile ACH frauds

25 Attacks: Spoofing and Phishing
Impersonate someone in authority and:
- Ask them to visit a web site
- Ask them to open an attachment or run an update
Examples:
- Better Business Bureau complaint (usabetterbusiness bureaucall for action)
- Visa
- Microsoft Security Patch Download

26 Phishing: Targeted Attack
27 Physical (Facility) Security
Compromise the site: "Hi, Joe said he would let you know I was coming to fix the printers."
Plant devices:
- Keystroke loggers
- Wireless access point
- Thumb drives ("Switch Blade")
Examples:
- Sumitomo Bank (2005): over $500M (clerical error foiled sumitomo bank.html)
- Barclays Bank (December 2013): $1.30M lost (hacking attack gang stole 1.3 million police say.html)

28 Strategies to Combat Social Engineering
- (Ongoing) user awareness training
- SANS "First Five": layers behind the people
  1. Secure/standard configurations (hardening)
  2. Critical patches: operating systems
  3. Critical patches: applications
  4. Application whitelisting
  5. Minimized user access rights: no browsing/ with admin rights
- Logging, monitoring, and alerting capabilities
- The 3 R's: Recognize, React, Respond (more on this at the end)
29 FFIEC Executive Leadership Cybersecurity Webinar

30 Cybersecurity Leadership: FFIEC

31 Cybersecurity Leadership: FFIEC
32 May 7, 2014: FFIEC Executive Leadership Cybersecurity Webinar
Importance of identifying emerging cyber threats and the need for board/C-suite involvement, including:
- Setting the tone at the top and building a security culture
- Identifying, measuring, mitigating, and monitoring risks
- Developing risk management processes commensurate with the risks and complexity of the institutions
- Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
- Creating a governance process to ensure ongoing awareness and accountability
- Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks
33 Cybersecurity Leadership: FFIEC

34 Cybersecurity Leadership: FFIEC

35 Cybersecurity Leadership: FFIEC

36 Cybersecurity Leadership: FFIEC

37 Cybersecurity Assessments: July/August
38 Current FFIEC IT Examination Process
- Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions.
- Examination procedures are based on the FFIEC IT Handbooks and supplemented by periodic agency guidance.
- IT examinations review the financial institution's Information Security Program (ISP).

39 New/Added FFIEC Cybersecurity Assessments
In the summer of 2014, the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new cybersecurity assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks.
- Integrated into the regular IT examination process
- Cyber risk management and oversight
- Cybersecurity controls
- External dependency management
- Threat intelligence and collaboration
- Cyber resilience
- Launched a cybercrime website

40 Recent Examiner Supplemental Cyber Security Request List

41 Recent Examiner Supplemental Cyber Security Request List

42 Recent Examiner Supplemental Cyber Security Request List
43 FFIEC Cybersecurity Assessment Tool (CAT)
- Released in June 2015
- The National Credit Union Administration intends to incorporate the Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment Tool into its examinations, starting in June
Link: ncua outlines examiner training for cyber assessment tool

44 FFIEC Cybersecurity Assessment Tool (CAT): Inherent Risk Profile
Cybersecurity inherent risk is the level of risk posed to the institution by the following:
1. Technologies and connection types
2. Delivery channels
3. Online/mobile products and technology services
4. Organizational characteristics
5. External threats

45 FFIEC Cybersecurity Assessment Tool (CAT): Cybersecurity Maturity
1. Cyber risk management and oversight
2. Threat intelligence and collaboration
3. Cybersecurity controls
4. External dependency management
5. Cyber incident management and resilience
46 Key Defensive Strategies

47 Strategies
Our information security strategy should have the following objectives:
- Users who are more aware and savvy
- Networks that are resistant to malware
- Be prepared: monitoring, incident response, and forensic capabilities

48 Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles (minimum access)
3. Hardened internal systems and end points
4. Encryption strategy (data-centered)
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know/use online banking tools
10. Assess and test: independent validation that it works

49 Verizon Report
The Verizon report is an analysis of intrusions investigated by Verizon and the US Secret Service. Key points:
- Time from successful intrusion to compromise of data was days to weeks.
- Log files contained evidence of the intrusion attempt, success, and removal of data.
- Most successful intrusions were not considered highly difficult.
50 Centralized Logging, Analysis, and Alerting
Centralized audit logging, analysis, and automated alerting capabilities (SIEM) covering:
- Firewalls
- Security appliances
- Routing infrastructure
- Network authentication
- Servers
- Applications
*** Archiving vs. reviewing ***
Know your: network, systems, DATA
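The "archiving vs. reviewing" point, the Verizon finding that the logs already held evidence of the intrusion and the data removal, and the missed IDS warnings on the breach timeline slide all come down to correlation across sources. The Python example below, added here and not part of the presentation, does the minimum a SIEM rule set would do: it normalizes firewall, IDS and domain-controller events into one timeline, then applies two correlation rules (repeated authentication failures followed by a success for the same user and source, and a large outbound transfer from a host an IDS alert had already named). The log format, host names, addresses and every line in the sample are constructed for illustration.

```python
"""Cross-source log correlation (added example, constructed log lines)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: firewall, IDS and domain-controller events in one
# hypothetical "<timestamp> <host> <event> key=value ..." format.
SAMPLE_LOG = """\
2015-06-02T01:12:03 fw01 fw.allow src=198.51.100.23 dst=10.0.5.12 dport=3389 bytes=2100
2015-06-02T01:12:05 ids01 ids.alert sig="RDP brute force" src=198.51.100.23 dst=10.0.5.12 sev=high
2015-06-02T01:12:10 dc01 auth.fail user=svc_backup src=198.51.100.23
2015-06-02T01:12:31 dc01 auth.fail user=svc_backup src=198.51.100.23
2015-06-02T01:12:52 dc01 auth.fail user=svc_backup src=198.51.100.23
2015-06-02T01:13:14 dc01 auth.fail user=svc_backup src=198.51.100.23
2015-06-02T01:13:40 dc01 auth.fail user=svc_backup src=198.51.100.23
2015-06-02T01:14:20 dc01 auth.ok user=svc_backup src=198.51.100.23
2015-06-02T02:30:00 fw01 fw.allow src=10.0.5.12 dst=203.0.113.9 dport=443 bytes=734003200
2015-06-02T08:00:00 dc01 auth.ok user=jsmith src=10.0.7.40
2015-06-02T08:00:30 dc01 auth.fail user=jsmith src=10.0.7.40
2015-06-02T08:01:00 dc01 auth.ok user=jsmith src=10.0.7.40
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, object]:
    """Normalize one line into a dict with ts, host, event and its key=value fields."""
    ts, host, event, rest = line.split(" ", 3)
    fields: Dict[str, object] = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields.update(ts=datetime.fromisoformat(ts), host=host, event=event)
    return fields


def detect_bruteforce_success(events: List[dict], threshold: int = 5,
                              window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Many failures then a success for the same (user, source) inside the window."""
    findings = []
    fails = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for e in events:
        key = (e.get("user"), e.get("src"))
        if e["event"] == "auth.fail":
            fails[key].append(e["ts"])
        elif e["event"] == "auth.ok":
            recent = [t for t in fails[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"rule": "bruteforce-then-success", "user": key[0],
                                 "src": key[1], "failures": len(recent),
                                 "at": e["ts"].isoformat()})
            fails[key].clear()  # a success resets the counter either way
    return findings


def detect_exfil_after_alert(events: List[dict], min_bytes: int = 100_000_000) -> List[dict]:
    """Large outbound transfer from a host that an earlier IDS alert already named."""
    first_alert: Dict[str, dict] = {}  # internal host -> first ids.alert with it as dst
    findings = []
    for e in events:
        if e["event"] == "ids.alert":
            first_alert.setdefault(e["dst"], e)
        elif e["event"] == "fw.allow" and e.get("src") in first_alert:
            alert = first_alert[e["src"]]
            if int(e.get("bytes", 0)) >= min_bytes and e["ts"] > alert["ts"]:
                findings.append({"rule": "large-outbound-after-ids-alert", "src": e["src"],
                                 "dst": e["dst"], "bytes": int(e["bytes"]),
                                 "prior_alert": alert["sig"], "at": e["ts"].isoformat()})
    return findings


def run_detections(raw: str) -> List[dict]:
    """Parse, order by time, and run every rule over the combined timeline."""
    events = sorted((parse_line(l) for l in raw.strip().splitlines()), key=lambda e: e["ts"])
    return detect_bruteforce_success(events) + detect_exfil_after_alert(events)


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_LOG):
        print(finding)
```

Neither rule fires on the jsmith lines (one failure is ordinary), and neither would fire if the sources were archived separately: the brute-force rule needs the domain controller's log, the exfiltration rule needs the IDS alert joined to the firewall's byte counts. That join, with someone reviewing its output, is what turns "logging" into the detective control the slide is asking for.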
51 Call To Action
- Policies to set the foundation
- Train your users
- Thoroughly assess your risks
- Three R's: Recognize, React, Respond
- Thoroughly validate your controls
- High expectations of your vendors
- Penetration testing
- Application testing
- Vulnerability scanning
- Social engineering testing
People, Tools, Rules

52 Questions?

53 Randy Romes, CISSP, CRISC, MCP, PCI QSA
Principal, Information Security Services
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen

54 Resources: Hardening Checklists
- Hardening checklists from vendors
- CIS offers vendor-neutral hardening resources
- Microsoft Security Checklists (us/library/dd aspx)
- Most of these will be from the big software and hardware providers

55 Three Security Reports
- Trends: SANS 2009 Top Cyber Security Threats (cyber security risks/)
- Intrusion analysis: TrustWave (annual)
- Intrusion analysis: Verizon Business Services (annual)
56 Information Security Program
- Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) provides for the safeguarding of customer information.
- The Board of Directors will develop an Information Security Program that addresses the requirements of:
  - Section 501(b) of the GLBA;
  - the Federal Financial Institutions Examination Council's (FFIEC) Interagency Guidelines Establishing Information Security Standards (501[b] Guidelines); and
  - agency-specific guidelines (i.e. Appendix B to Part 364 of the FDIC's Rules and Regulations)
- The Information Security Program (ISP) is comprised of:
  - Risk assessment
  - Risk management
  - Audit
  - Business continuity/disaster recovery/incident response
  - Vendor management
  - Board and committee oversight

57 Information Security Program: Risk Assessment and Risk Management
- Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems.
- Risk is determined based on the likelihood of a given threat-source's ability to exercise a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
- The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical, and physical controls to reduce or eliminate the impact of the threat.

58 Information Security Program: Audit
ISP-related audits/reviews:
- ISP review/IT general controls review
- External/internal vulnerability and penetration assessments
- Social engineering assessments
- E-banking reviews
- ACH audit
- Wire transfer audit
- Remote/mobile deposit capture audit
- Audit/exam recommendation tracking and reporting

59 Information Security Program: Business Continuity/Disaster Recovery, Incident Response
Business continuity/disaster recovery plan:
- Annual testing of critical systems
- Annual employee tabletop/scenario testing
- Board reporting
Incident response plan:
- Compromise of customer information
- Annual testing
- FS-ISAC
- FBI InfraGard
- Cybersecurity examinations?

60 Information Security Program: Vendor Management
- Vendor management policy
- Vendor risk assessment
  - Access to customer information
  - Criticality to bank operations
  - Ease of replacement
- New vendor due diligence and annual reviews
- Continuous monitoring
61 FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
- All FIs AND their critical technology service providers must have appropriate threat identification, information sharing, and response procedures.
- Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC):
  - Improved identification and mitigation of attacks
  - Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
  - Sharing information to help other FIs

62 FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
FI management should:
- Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
- Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
Sources:
- FS-ISAC
- FBI InfraGard
- U.S. Computer Emergency Readiness Team (US-CERT): cert.gov
- U.S. Secret Service Electronic Crimes Task Force
63 FFIEC Cybersecurity Assessments: General Observations
Cybersecurity inherent risk: management must understand the FI's INHERENT RISK when assessing cybersecurity preparedness.
Connection types: identify and assess the threats to all access points to the internal network
- VPN
- Wireless
- Remote access protocols: RDP/Telnet/FTP
- Vendor LAN/WAN access
- BYOD

64 FFIEC Cybersecurity Assessments: General Observations
Cybersecurity inherent risk (cont.)
Products and services: identify and assess threats to all products and services currently offered and planned
- Online ACH and wire transfer origination
- External funds transfers (A2A, P2P, bill pay)

65 FFIEC Cybersecurity Assessments: General Observations
Cybersecurity inherent risk (cont.)
Technologies used: identify and assess threats to all technologies currently used and planned
- Core systems
- ATMs
- Internet and mobile applications
- Cloud computing
66 FFIEC Cybersecurity Assessments: General Observations
Cybersecurity preparedness: current cybersecurity practices and overall preparedness should include:
- Cybersecurity controls: preventive, detective, or corrective procedures for mitigating identified cybersecurity threats
  - Patching, encryption, limited user access
  - Intrusion detection/prevention systems, firewall alerts
  - Formal audit program with scope and schedule based on an asset's inherent risk, prompt and documented remediation of findings, regular activity report reviews

67 FFIEC Cybersecurity Assessments: General Observations
Cybersecurity preparedness (cont.)
- Cyber incident management and resilience: incident detection, response, mitigation, escalation, reporting, and resilience
  - Formal incident response programs, including regulatory and customer notification guidelines and procedures
  - Senior management and board incident reporting

68 FFIEC Cybersecurity Assessments: Implications?
- Increased board and C-suite involvement
- Participation in information sharing group(s)
- Cybersecurity scenario testing with employees and management
- Increased oversight of third-party service providers
- Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings
69 FFIEC Cybersecurity Assessment Tool (CAT): Domain 1, Risk Management & Oversight
Governance:
- Oversight
- Strategies & policies
- IT asset management

70 FFIEC Cybersecurity Assessment Tool (CAT): Domain 1, Risk Management & Oversight
Risk management:
- Risk management program
- Risk assessment
- Audit

71 FFIEC Cybersecurity Assessment Tool (CAT): Domain 1, Risk Management & Oversight
Resources:
- Staffing
- Training & culture

72 FFIEC Cybersecurity Assessment Tool (CAT): Domain 2, Threat Intelligence & Collaboration
- Threat intelligence & info.
- Monitoring & analyzing
- Information sharing

73 FFIEC Cybersecurity Assessment Tool (CAT): Domain 3, Cybersecurity Controls
Preventative controls:
- Infrastructure management
- Access and data management
- Device/end point security
- Secure coding

74 FFIEC Cybersecurity Assessment Tool (CAT): Domain 3, Cybersecurity Controls
Detective controls:
- Threat & vulnerability detection
- Anomalous activity detection
- Event detection

75 FFIEC Cybersecurity Assessment Tool (CAT): Domain 3, Cybersecurity Controls
Corrective controls:
- Patch management
- Remediation

76 FFIEC Cybersecurity Assessment Tool (CAT): Domain 4, External Dependency Management
Connections
Relationship management:
- Due diligence
- Contracts
- Ongoing monitoring

77 FFIEC Cybersecurity Assessment Tool (CAT): Domain 5, Cyber Incident Management & Resilience
Incident resilience planning & strategy:
- Planning
- Testing
Detection, response, & mitigation
Escalation & reporting
IT AUDIT Current Trends and Top Risks of 2015 2 02 Eric Vyverberg WHO WE ARE David Kupinski Randy Armknecht Associate Director Internal Audit Protiviti 317.510.4661 eric.vyverberg@protiviti.com Managing
More information2012 Data Breach Investigations Report
2012 Data Breach Investigations Report A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting & Information
More informationAuditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement
Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement Copyright Elevate Consult LLC. All Rights Reserved 1 Presenter Ray Guzman MBA, CISSP, CGEIT, CRISC, CISA Over 25
More informationSECURITY CONSIDERATIONS FOR LAW FIRMS
SECURITY CONSIDERATIONS FOR LAW FIRMS Enterprise Risk Management Professional consulting firm that specializes in cyber security Founded in 1998 in Miami, Florida Serves more than 150 clients, locally,
More informationInformation Technology Risk Management
Find What Matters Information Technology Risk Management Control What Counts The Cyber-Security Discussion Series for Federal Government security experts... by Carson Associates your bridge to better IT
More informationGet on First Base with your Regulators and Cyber Security
Get on First Base with your Regulators and Cyber Security Secure Banking Solutions Chad Knutson 2 Presenter Chad Knutson VP SBS Institute Senior Information Security Consultant Masters in Information Assurance
More informationCyber Security 2014 SECURE BANKING SOLUTIONS, LLC
Cyber Security CHAD KNUTSON SECURE BANKING SOLUTIONS 2014 SECURE BANKING SOLUTIONS, LLC Presenter Chad Knutson Senior Information Security Consultant Masters in Information Assurance CISSP (Certified Information
More informationKEY STEPS FOLLOWING A DATA BREACH
KEY STEPS FOLLOWING A DATA BREACH Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline,
More informationCritical Controls for Cyber Security. www.infogistic.com
Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationInformation Technology
Information Technology Information Technology Session Structure Board of director actions Significant and emerging IT risks Practical questions Resources Compensating Controls at the Directorate Level
More informationMEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance
MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile
More informationPayment Fraud Trends
2013 CliftonLarsonAllen LLP Payment Fraud Trends How to Protect my Business Customers from Payment and Corporate Account Take Over CLAconnect.com CliftonLarsonAllen Started in 1953 with a goal of total
More informationNetwork/Cyber Security
Network/Cyber Security SCAMPS Annual Meeting 2015 Joe Howland,VC3 Source: http://www.information-age.com/technology/security/123458891/how-7-year-old-girl-hacked-public-wi-fi-network-10-minutes Security
More informationINCIDENT RESPONSE CHECKLIST
INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged
More informationLogging In: Auditing Cybersecurity in an Unsecure World
About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that
More informationToday s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, 2009. Concepts.
Protect - Detect - Respond A Security-First Strategy HCCA Compliance Institute April 27, 2009 1 Today s Topics Concepts Case Study Sound Security Strategy 2 1 Security = Culture!! Security is a BUSINESS
More informationSecurity Management. Keeping the IT Security Administrator Busy
Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching
More informationCybersecurity. WBA Bank Executives Conference February 2 4, 2015 Milwaukee, WI
Cybersecurity WBA Bank Executives Conference February 2 4, 2015 Milwaukee, WI Dr. Kevin Streff Founder: Secure Banking Solutions, LLC www.protectmybank.com Goals Understand IT cybersecurity law and regulation
More informationDon t Fall Victim to Cybercrime:
Don t Fall Victim to Cybercrime: Best Practices to Safeguard Your Business Agenda Cybercrime Overview Corporate Account Takeover Computer Hacking, Phishing, Malware Breach Statistics Internet Security
More informationPractice Good Enterprise Security Management. Presented by Laurence CHAN, MTR Corporation Limited
Practice Good Enterprise Security Management Presented by Laurence CHAN, MTR Corporation Limited About Me Manager Information Security o o o o Policy formulation and governance Incident response Incident
More informationCybersecurity Awareness. Part 1
Part 1 Objectives Discuss the Evolution of Data Security Define and Discuss Cybersecurity Review Threat Environment Part 1 Discuss Information Security Programs s Enhancements for Cybersecurity Risks Threat
More informationReal World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services
Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationCyber Security Metrics Dashboards & Analytics
Cyber Security Metrics Dashboards & Analytics Feb, 2014 Robert J. Michalsky Principal, Cyber Security NJVC, LLC Proprietary Data UNCLASSIFIED Agenda Healthcare Sector Threats Recent History Security Metrics
More informationWho Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015
Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence AIBA Quarterly Meeting September 10, 2015 The Answer 2 Everyone The relationship between the board, C-suite, IT, and compliance leaders
More informationFFIEC CONSUMER GUIDANCE
FFIEC CONSUMER GUIDANCE Important Facts About Your Account Authentication Online Banking & Multi-factor authentication and layered security are helping assure safe Internet transactions for banks and their
More informationWSECU Cyber Security Journey. David Luchtel VP IT Infrastructure & Opera:ons
WSECU Cyber Security Journey David Luchtel VP IT Infrastructure & Opera:ons Objec:ve of Presenta:on Share WSECU s journey Overview of WSECU s Security Program approach Overview of WSECU s self- assessment
More informationWho s Regulating Whom & What are the Requirements: Banks As Payment Services Providers
Who s Regulating Whom & What are the Requirements: Banks As Payment Services Providers Tony DaSilva, AAP, CISA S&R Senior Technical Expert Federal Reserve Bank of Atlanta Disclaimer The opinions expressed
More informationTop Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009
Top Five Data Security Trends Impacting Franchise Operators Payment System Risk September 29, 2009 Top Five Data Security Trends Agenda Data Security Environment Compromise Overview and Attack Methods
More informationCybersecurity. Threats to Nonprofits. Chris Debo Senior Manager, IT Audit. August 14, 2014
Cybersecurity Threats to Nonprofits Chris Debo Senior Manager, IT Audit August 14, 2014 What is Cybersecurity? NIST definition: The process of protecting information by preventing, detecting, and responding
More informationCorporate Account Take Over (CATO) Guide
Corporate Account Take Over (CATO) Guide This guide was created to increase our customers awareness of the potential risks and threats that are associated with Internet and electronic- based services,
More informationIT Compliance Volume II
The Essentials Series IT Compliance Volume II sponsored by by Rebecca Herold Addressing Web-Based Access and Authentication Challenges by Rebecca Herold, CISSP, CISM, CISA, FLMI February 2007 Incidents
More informationEmerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA
Emerging Network Security Threats and what they mean for internal auditors December 11, 2013 John Gagne, CISSP, CISA 0 Objectives Emerging Risks Distributed Denial of Service (DDoS) Attacks Social Engineering
More informationHere are two informational brochures that disclose ways that we protect your accounts and tips you can use to be safer online.
Here are two informational brochures that disclose ways that we protect your accounts and tips you can use to be safer online. FFIEC BUSINESS ACCOUNT GUIDANCE New financial standards will assist credit
More informationData Breaches and Cyber Risks
Data Breaches and Cyber Risks MD/DC Credit Union Association 2015 Volunteer Leadership Conference Presented by: Ken Otsuka Business Protection Risk Management CUNA Mutual Group CUNA Mutual Group Proprietary
More information2 0 1 4 F G F O A A N N U A L C O N F E R E N C E
I T G OV E R NANCE 2 0 1 4 F G F O A A N N U A L C O N F E R E N C E RAJ PATEL Plante Moran 248.223.3428 raj.patel@plantemoran.com This presentation will discuss current threats faced by public institutions,
More informationThe President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
More informationBreach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security
Breach Findings for Large Merchants 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security Disclaimer The information or recommendations contained herein are
More informationPresented by: Mike Morris and Jim Rumph
Presented by: Mike Morris and Jim Rumph Introduction MICHAEL MORRIS, CISA Systems Partner JIM RUMPH, CISA Systems Manager Objectives To understand how layered security assists in securing your network
More informationPCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing
More informationHow a Company s IT Systems Can Be Breached Despite Strict Security Protocols
How a Company s IT Systems Can Be Breached Despite Strict Security Protocols Brian D. Huntley, CISSP, PMP, CBCP, CISA Senior Information Security Advisor Information Security Officer, IDT911 Overview Good
More informationNetwork Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201
Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...
More information2015 PIAA Corporate Counsel Workshop October 22 23, 2015 Considerations in Cyber Liability Coverage
2015 PIAA Corporate Counsel Workshop October 22 23, 2015 Considerations in Cyber Liability Coverage Chris Reese Vice President, Director of Underwriting Connie Rivas Asst. Vice President, Contracts and
More informationBuilding The Human Firewall. Andy Sawyer, CISM, C CISO Director of Security Locke Lord
Building The Human Firewall Andy Sawyer, CISM, C CISO Director of Security Locke Lord Confidentiality, Integrity, Availability Benchmarks of Cybersecurity: Confidentiality Information is protected against
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationNine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity
Nine recommendations for alternative funds battling cyber crime kpmg.ca/cybersecurity Cyber criminals steal user names and passwords and use it to conduct financial trading activity illicitly. Hackers
More information