IT Security to Combat Today s Cyber Fraud

Transcription

1 IT Security to Combat Today s Cyber Fraud Thomas J. DeMayo, CISSP, CIPP, CEH, CPT, MCSE Director, IT Audit and Consulting - O Connor Davies, LLP Timothy M. Simons, CPA, CFA, CIPM, CSCP, CFP Senior Managing Member Focus 1 Associates LLC

2 Speakers Tom DeMayo, CISSP, CIPP, CEH, CPT, MCSE Director, IT Audit and Consulting Services - O Connor Davies, LLP TDeMayo@odpkf.com Tim Simons, CPA, CFA, CIPM, CSCP, CFP Senior Managing Member - Focus 1 Associates LLC tim@focus1associates.com Footer 2

3 Objectives Current cyber security threats Information security and privacy compliance obligations and enforcement Business Continuity/Disaster Recovery considerations Risk management 3

4 Financial Industries in the Headlines 4

5 Why Attack a Financial Services Company? Why Not? A Financial Services company has: Bank accounts Brokerage accounts Customer personal information Employee payroll Employee personal Information EFT transactions frequently performed Large amounts of funds and assets under management 5

6 Why Attack a Financial Services Company? Indisputable cyber truths: Any Company that is connected to the internet can become a victim Any Company that uses software to manage their operations can become a victim A Company does not need to be a target to become a victim Majority of attacks are opportunistic and not targeted 6

7 What can happen? Personal information compromised Fraudulent fund transfers Fraudulent trades Stock prices manipulated Operations disrupted Regulatory fines Reputational damage 7

8 Types of Attacks Denial of Service Cyber Espionage Cyber Extortion Electronic Fund Transfer Fraud Data Ex-filtration 8

9 Cyber Extortion A Closer Look Cyber Extortion has been on the rise Companies are being held ransom at the risk of: Holding data hostage Data may be encrypted and made unusable, placing the company in limbo A financial application can have all database contents encrypted 9

10 Cyber Extortion A Closer Look Companies are being held ransom at the risk of: Releasing protected or personal data Threats may be placed to expose employee SSN s or Health Information on file Selling corporate secrets Denying service Financial systems could be brought off-line 10

11 Cyber Extortion A Closer Look Companies are being held ransom at the risk of: A ransomware variant will place child pornography on your system and threaten to alert the authorities No financial services company wants to be associated in the headlines with child pornography, regardless of how it got there 11

12 Cyber Extortion A Closer Look 12

13 Cyber Fraud is Big Business Malware is specifically written to target bank accounts, credit card information, personal information etc. Zeus SpyEye Hackers for hire Crime gangs are hiring rogue programmers to modify existing and/or create new malware to evade detection from anti-virus software 13

14 Cyber Fraud is Big Business Fraud as a Service ( FaaS ) Turnkey fraud solutions hosted by criminal organizations Malware is no longer just targeting your PC s but your Smart Phones as well Mobile Malware grew 614% from March 2012 to March 2013 (Juniper) 14

15 Cyber Fraud is Big Business Img. Source Webroot 15

16 Cyber Fraud is Big Business What have the mobile attacks accomplished? Intercept text messages and forward (specifically when banks or other applications send text messages with one time codes to log in) Record phone calls, turn on microphone to record conversations Track GPS location remotely Send text messages to premium services increasing fees Destroy the phone or components (Camera, Messaging, etc.) 16

17 Cyber Fraud is Big Business 17

18 Cyber Fraud is Big Business Img Source - Trusteer 18

19 Cyber Fraud is Big Business Img Source - Trusteer 19

20 Cyber Fraud is Big Business Img Source Krebs on security 20

21 Cyber Fraud is Big Business How do such services exist on the internet without being shutdown? The current (or downright absent) cyber laws in effect in different countries have sustained the growth of cyber-crime worldwide 21

22 Cyber Fraud is Big Business Commercial and Consumer EFT s are protected differently under the law Consumers are protected by the Electronic Funds Transfer Act Consumers are allowed up to 60 Days to report fraudulent transactions Commercial EFT s are regulated by the Uniform Commercial Code Article 4A Businesses are allowed up to two days to report the fraudulent transaction depending if it was an ACH or Wire Transfer Section 202: a payment order received by the bank is effective as the order of the customer, whether or not authorized, if the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer 22

23 Security Laws and Obligations Gramm Leach Bliley Act ( GLBA ) and SEC Regulation S-P Fair Credit Reporting Act ( FCRA ) Fair and Accurate Credit Transactions Act ( FACTA ) and the Red Flags Rule State Privacy and Breach Notification Laws 23

24 GLBA and SEC Regulation S-P Regulation S-P was adopted by the SEC in accordance with Title V of GLBA GLBA requires the SEC and other federal agencies to adopt rules relating to notice requirements and restrictions on a financial institution s ability to disclose nonpublic personal information about its consumers 24

25 GLBA and SEC Regulation S-P The two primary rules under Regulation S-P are as follows: Rule 10 - Disclosure Rule -Financial institutions are required to: provide notices to customers about their information-collection and information-sharing practices subject to certain exceptions, consumers may "opt out" if they do not want their information shared with nonaffiliated third parties 25

26 GLBA and SEC Regulation S-P Rule 30 Safeguards Rule - requires every broker, dealer, investment company and every SEC-registered investment adviser to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information Safeguards implemented must be reasonably designed to: ensure that consumer records and information are kept secure and confidential; protect against anticipated threats or hazards to the security of such consumer records and information; and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience. 26

27 Enforcement of Regulation S-P April 2011, the SEC announced the first ever assessment of financial penalties against individuals charged solely with violations of Regulation S-P in connection with: broker dealer whose registered representatives took customers personal information when leaving the firm without disclosing that personal information was being shared with non-affiliated third parties the chief compliance officer failed to ensure that the firm s policies and procedures were reasonably designed to safeguard confidential customer information 27

28 Enforcement of Regulation S-P Other SEC enforcement actions include: Fine against registered broker dealer that did not require its independent contractor registered representatives to maintain anti-virus software on computers Fine against broker dealer for failing to have adequate safeguards in its online trading platform, which resulted in a security breach, and for failure to have an information security policy that adequately protected customer records and information 28

29 2014 SEC Examinations U.S. Securities and Exchange Commission s Office of Compliance Inspections and Examinations (OCIE) announced that its 2014 Examination Priorities included a focus on technology, including cyber security preparedness March 26, 2014, the SEC sponsored a cyber security roundtable that underscored the importance of information security to the integrity of our market system and customer data protection 29

30 2014 SEC Examinations April 2014, the SEC OCIE issued a national exam program alert entitled OCIE Cybersecurity Initiative The alert includes a seven page sample document request list Footer 30

31 2014 SEC Examinations The alert specifies the SEC will focus on the following areas: Cyber Security Governance; Identification and Assessment of Cyber Security Risks; Protection of Networks and Information; Risks Associated with Remote Customer Access and Funds Transfer Requests; Risks Associated with Vendors and Other Third Parties; Detection of Unauthorized Activity; Expenses Associated with Certain Cyber Security Threats. 31

32 2014 SEC Examinations - TIPS Do not consider these cyber security examinations to be low risk Do not underestimate the possibility of serious and costly regulatory findings from the examination Do not simply take a check list approach In order for any cyber security plan to be effective it must be holistic, and it all starts with a detailed cyber security risk assessment 32

33 FCRA and FACTA FCRA regulates the content, use and disclosure of consumer reports issued by consumer reporting agencies FACTA added sections to FCRA intended primarily to help consumers fight the growing crime of identity theft (Red Flags Rule) The Dodd-Frank Act added the SEC to the list of other federal agencies directed by FACTA to adopt and enforce Red Flags Rules April 2013, the SEC voted unanimously to adopt a final rule requiring broker-dealers, mutual funds, investment advisers, and other regulated entities to implement programs designed to detect and prevent identity theft 33

34 FCRA and FACTA The final rule requires covered firms to: establish policies and procedures designed to identify relevant types of identity theft red flags, detect the occurrence of those red flags, respond appropriately to the detected red flags; and periodically update the identity theft program. provide staff training and oversight of service providers 34

35 State Privacy and Breach Notification Laws Regulation S-P does not require notice to be given to affected parties in the event of a security breach. You must look to the state laws for breach notification requirements Approximately 47 states have enacted a statute requiring a company to notify state residents if the security of certain sensitive customer information is breached Note- the majority of these laws require notification regardless of the location of the business operations. Most laws apply to sensitive information; however, the definition of sensitive information varies by state. For example Name and SSN, Drivers License ID, etc. 35

36 State Privacy and Breach Notification Laws If breached, a risk assessment may be necessary to determine whether notification is necessary Typically, data that is encrypted can remove a company from having to issue a breach notification Some states require notification whenever data is accessed by or reasonably assumed to have been accessed by an unauthorized person; however, some states take a risk of harm approach. 36

37 State Privacy and Breach Notification Laws Massachusetts Why all the fuss? Massachusetts has some of the strictest information privacy and security laws in the country. In addition, the law extends to all entities that own, license, or store personal information on any resident of the state regardless of the location of business operations 37

38 State Privacy and Breach Notification Laws Massachusetts Privacy Law Requirements Key points: Duty to develop and implement a comprehensive, written information security program applicable to any records containing the personal information of Massachusetts residents Security system requirements for computer and wireless networks Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly 38

39 Business Continuity and Disaster Recovery Look Familiar?! 39

40 Business Continuity and Disaster Recovery In a time of a local or wide spread emergency, a Financial Services firm must have a business continuity and disaster recovery plan ( BCP/DR ) The plan will be your script to recovery and assurance that your client s needs are met 40

41 Business Continuity and Disaster Recovery FINRA Emergency Preparedness Rule requires firms to create and maintain business continuity plans (BCPs) appropriate to the scale and scope of their businesses, and to provide FINRA with emergency contact information FINRA members business continuity plan must, at a minimum, address the following: Data back-up and recovery (hard copy and electronic) All mission critical systems Financial and operational assessments Alternate communications with customers and employee Alternate physical location of employees Critical business constituent, bank, and counter-party impact Regulatory reporting and communications with regulators Assuring customers prompt access to funds and securities 41

42 Business Continuity and Disaster Recovery Take a structured approach to the plan s development Identify all your business processes and prioritize them Determine how much data loss is acceptable and how long these business processes can be down Your clients needs and market status will define your objectives (e.g. market makers must be up and running in 4 hours) Identify the people, processes and technology that support the business processes TECHNOLOGY ALONE IS NOT THE SOLUTION Identify Interdependencies Create Calling Trees Internal, client and regulatory Define your recovery strategies DO NOT FOCUS ON THE POSSIBLE SCENERIOS, FOCUS ON THE IMPACT Four Key Area of Impact Premises, People, Systems, Suppliers 42

43 Risk Management All of our slides stress one key point RISK MANAGEMENT! Before risk can be managed, it must be understood While many financial service companies feel comfortable with identifying and understanding operational risk, IT risk remains a black box 43

44 Risk Management 44

45 Risk Management When it comes to IT security and governance, do not assume that just because it works, it is secure and managed effectively Do not assume that IT security is strictly an IT issue IT Security is a business issue that requires the assistance of a technical solution 45

46 Risk Management The first step in tackling all of these issues is a detailed IT risk assessment and gap analysis Ideally this assessment is performed by an unbiased third party Internal IT often: does not have the specific risk and security training necessary to complete the assessment; has difficulty in communicating the risks to management; is under resourced; and has difficulty in seeing the forest from the trees. 46

47 Risk Management Regardless of who performs the risk assessment, at its completion, management should have: A listing of possible threats with a ranking of their inherent risk A mapping of controls that have been implemented to reduce the identified inherent risks The residual risk ranking after the application of the controls A remediation plan if the residual risk is high to unacceptable 47

48 Key First Steps Ensure your IT governance program covers cyber security threats and operational issues Perform a detailed cyber security risk assessment and gap analysis Incorporate into gap analysis 206(4)-7 Annual Review, FINRA 3012/3120 or NFA Rule 2-9 Design a comprehensive information security policy and relevant supporting standards and procedures Patch Management, Change Management, Vendor Management, Password Management, Account Management, etc. When developing policies and procedures do not over commit or under commit Develop a security awareness training program Incorporate phishing testing to see who is prone to social engineering Create an incident response plan in the event a breach has occurred Ensure your BCP/DR plan is comprehensive and well tested to ensure recovery 48

49 Key First Steps Ensure vendor patches are applied consistently to address security vulnerabilities. Both Operating System (Microsoft) and Third Party Applications (Java, Adobe, etc) need to patched Ensure Antivirus is installed on all systems (no exceptions) and is active and up to date If you allow remote access consider two factor authentication Perform due diligence on all third parties Formalize the process with questionnaires and require they have independent third party audits Have mobile device policies and the technical solutions in place to enforce them Minimum password length, idle period timeout, application installation control, remote wipe, etc Network devices (switches and firewalls) are configured correctly Have a reasonable level of monitoring (security and operational) Ensure password parameters are strong and consistently enforced across all applicatoins 49

50 Questions? Tom DeMayo, CISSP, CIPP, CEH, CPT, CHFI, MCSE Director, IT Audit and Consulting Services - O Connor Davies, LLP TDeMayo@odpkf.com Tim Simons, CPA, CFA, CIPM, CSCP, CFP Senior Managing Member - Focus 1 Associates LLC tim@focus1associates.com

51 Information Technology Consulting Services We serve a wide range of clients including investment advisers, investment companies, private equity, hedge and venture capital funds, private foundations, endowments, management companies and family offices. With increasing threats to cyber security and greater mobility of our workforce and customers, we custom design our engagements to address control environment; vulnerability surrounding cyber perimeter, remote access, wireless network, physical access, internal network, user account security, online transactions and phishing; and business continuity. O Connor Davies provides industry experience and expertise in analyzing and testing transaction flows and interfaces. In particular, we evaluate information security risks as they interrelate and impact areas, including, operational functions, trading, clearing and settlement. Flexible in Scope and Deliverable: IT Audit, Consulting and Governance IT Policies and Procedures and Manuals - Review and Creation Risk Assessments, Gap Analysis and IT Risk Management Disaster Recovery and Business Continuity Cyber Security Vulnerability Assessments and Penetration Testing SOX IT Controls Security Awareness Training SOC-1 and SSAE 16 (formerly SAS 70) Reports 51

52 Contact Peter Heuzey, CPA CIPM Partner T: Thomas DeMayo, CISSP, MCSE, CEH, CIPP/US, CPT Director, IT Audit and Consulting Eric Gelb, CPA Director of Business Development, Financial Services 2014 Advent Software, Inc. Advent Confidential 52