Presented by: Mike Morris and Jim Rumph


Introduction
- Michael Morris, CISA, Systems Partner
- Jim Rumph, CISA, Systems Manager

Objectives
- Understand how layered security assists in securing your network
- Learn how different layers of controls can stop attacks at various points
- Better recognize how layered security helps mitigate your organization's risks (compliance, reputation, operational, etc.)

What is Layered Security? According to the FFIEC, "Layered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control."

What is Layered Security?

Policies, Procedures, Awareness
- Training/awareness
  - Social engineering
  - Suspicious emails
  - Internet surfing
  - Wireless Internet
- Unique/strong passwords for each system, or multifactor authentication
- Security policies

Perimeter
- Physical security
- Firewalls
- Intrusion detection and prevention (IDS/IPS)
- Multifactor authentication
- Access control lists
- Attack surface reduction
- Web content filtering
- Monitoring

Internal Network
- Network performance monitoring
- Monitoring of security logs
- Passwords
- Segregated domains
- File integrity checking/audit rules
- Least privileged access
- Screen saver passwords
- Administrative access reviews

Host
- Host-level accounts
- Limited administrative rights
- Strong passwords
- Host-level intrusion detection and prevention
- Multifactor authentication
- Up-to-date anti-virus/anti-spyware
- Patching
- Time-out controls
- Administrative access reviews
- Attack surface reduction

Application
- Strong passwords
- Application patching
- Least privileged access
- Account timeout features
- Account lockout
- User activity logs
- Administrative access reviews

Data
- Encryption of non-public data
- Endpoint security
- Secure paths of communication
- Data leakage procedures

Authentication Guidance
- Supplement to Authentication in an Internet Banking Environment
- Prompted by fraud in corporate cash management
- Trying to combat advanced persistent threats

Authentication Guidance: What are your controls?
- Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response
  - Jack Henry Yellowhammer
- Dual customer authorization through different access devices
  - Two people authenticating through separate devices
- Out-of-band verification for transactions
  - Verification using a separate means of communication (such as fax, SMS text message, etc.)
- "Positive pay," debit blocks, and other techniques to appropriately limit the transactional use of the account
- Enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows (e.g., days and times)
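The "enhanced controls over account activities" and the dual-authorization control listed above can be expressed as a concrete policy check. The following is an added example written for this page, not code from the presenters or from any banking product: it applies a constructed per-transaction ceiling, approved-payee list, per-day transaction limit, payment window and dual authorization through separate access devices to sample transactions. Every account, user, device, limit and timestamp in it is a constructed assumption.

```python
"""Account-level transaction controls from the FFIEC supplement, as an example.

Implements the slide's "enhanced controls over account activities": a
per-transaction value threshold, an approved payee list, a per-day
transaction limit, an allowable payment window (days and times), and dual
customer authorization through different access devices for amounts above
a second threshold. Every limit, account, user and transaction below is
constructed sample data; none of it comes from a real banking system.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccountPolicy:
    max_transaction_value: float    # single-transaction ceiling
    dual_auth_threshold: float      # above this amount a second approver is required
    max_daily_transactions: int     # number of transactions allowed per calendar day
    window_start: time              # allowable payment window, local time
    window_end: time
    allowed_weekdays: frozenset     # 0 = Monday ... 6 = Sunday
    approved_recipients: frozenset  # payee identifiers the customer has enrolled


@dataclass(frozen=True)
class Transaction:
    account: str
    amount: float
    recipient: str
    submitted_at: datetime
    initiated_by: str
    initiator_device: str
    approvals: tuple = ()           # (approver_user_id, approver_device_id) pairs


def evaluate_transaction(tx, policy, history):
    """Return the list of violated controls; an empty list means the transaction passes.

    `history` holds transactions already accepted on the same account and is
    used for the per-day velocity check.
    """
    violations = []

    if tx.amount > policy.max_transaction_value:
        violations.append("amount exceeds per-transaction ceiling")

    if tx.recipient not in policy.approved_recipients:
        violations.append("recipient not on approved payee list")

    # Allowable payment window: both the weekday and the time of day must be permitted.
    if tx.submitted_at.weekday() not in policy.allowed_weekdays:
        violations.append("submitted outside allowable weekdays")
    if not (policy.window_start <= tx.submitted_at.time() <= policy.window_end):
        violations.append("submitted outside allowable payment window")

    # Velocity: this transaction plus those already accepted today.
    today = tx.submitted_at.date()
    accepted_today = sum(1 for h in history if h.submitted_at.date() == today)
    if accepted_today + 1 > policy.max_daily_transactions:
        violations.append("daily transaction count exceeded")

    # Dual authorization: a different person, approving from a different device
    # than the one the initiator used.
    if tx.amount > policy.dual_auth_threshold:
        second_person = [(u, d) for u, d in tx.approvals if u != tx.initiated_by]
        if not second_person:
            violations.append("dual authorization required above threshold")
        elif all(d == tx.initiator_device for _, d in second_person):
            violations.append("dual authorization must use a separate access device")

    return violations


# Constructed sample policy for one commercial account.
SAMPLE_POLICY = AccountPolicy(
    max_transaction_value=250_000.00,
    dual_auth_threshold=50_000.00,
    max_daily_transactions=5,
    window_start=time(8, 0),
    window_end=time(17, 0),
    allowed_weekdays=frozenset({0, 1, 2, 3, 4}),
    approved_recipients=frozenset({"VENDOR-ACME", "PAYROLL-PROVIDER"}),
)


def demo():
    """Run constructed transactions through the policy; returns {case name: violations}."""
    tuesday = datetime(2024, 3, 12, 10, 30)    # constructed timestamp, a Tuesday
    saturday = datetime(2024, 3, 16, 10, 30)   # constructed timestamp, a Saturday
    five_today = [Transaction("ACCT-1", 1_000.00, "VENDOR-ACME", tuesday, "alice", "dev-A")] * 5
    cases = [
        ("routine payroll", Transaction("ACCT-1", 12_000.00, "PAYROLL-PROVIDER", tuesday, "alice", "dev-A"), []),
        ("large, single approver", Transaction("ACCT-1", 80_000.00, "VENDOR-ACME", tuesday, "alice", "dev-A"), []),
        ("large, dual approved", Transaction("ACCT-1", 80_000.00, "VENDOR-ACME", tuesday, "alice", "dev-A",
                                             approvals=(("bob", "dev-B"),)), []),
        ("same device approval", Transaction("ACCT-1", 80_000.00, "VENDOR-ACME", tuesday, "alice", "dev-A",
                                             approvals=(("bob", "dev-A"),)), []),
        ("weekend to unknown payee", Transaction("ACCT-1", 12_000.00, "NEW-PAYEE", saturday, "alice", "dev-A"), []),
        ("sixth payment of the day", Transaction("ACCT-1", 1_000.00, "VENDOR-ACME", tuesday, "alice", "dev-A"), five_today),
    ]
    return {name: evaluate_transaction(tx, SAMPLE_POLICY, history) for name, tx, history in cases}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if not result else result}")
```

The checks are deliberately independent so that a single transaction reports every control it trips; a fraud analyst sees the full picture rather than only the first failure, and the velocity check uses the account's accepted history rather than the attempt count, so rejected attempts do not consume the daily allowance.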

Authentication Guidance: What are your controls?
- Internet protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities
  - Blocking specific IP addresses or ranges (e.g., China)
  - Prompting security questions if the IP address is different from what is expected
- Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud
- Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels
  - Call-back procedures
  - Multi-factor authentication
- Enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk
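The IP-related controls above (block connections from addresses associated with fraud; prompt security questions when the address differs from what is expected) combine naturally into one login decision. The following is an added example for this page, not code from the presenters or from any vendor's reputation service: a block list of addresses and ranges, a per-customer history of networks and devices, and a decision of allow, step-up or block. The block list, the customer history and the login attempts are constructed sample data using RFC 5737 documentation address ranges.

```python
"""IP- and device-based login controls from the authentication guidance, as an example.

A login attempt is checked first against a reputation block list (addresses and
ranges associated with fraud), then against the networks and devices seen in
that customer's own history. Full matches are allowed; a mismatch triggers a
step-up (security questions or a second factor); block-listed sources are
refused outright. Block list, customer history and attempts are constructed
sample data, not a real reputation feed.
"""
import ipaddress
from dataclasses import dataclass

BLOCK, STEP_UP, ALLOW = "block", "step_up", "allow"


@dataclass(frozen=True)
class LoginAttempt:
    customer_id: str
    source_ip: str
    device_id: str


def _net(value):
    """Accept a bare address or a CIDR prefix and return an ip_network."""
    return ipaddress.ip_network(value, strict=False)


class LoginRiskPolicy:
    def __init__(self, blocked_networks, customer_history):
        # Addresses/ranges known or suspected to be associated with fraud.
        self.blocked = [_net(n) for n in blocked_networks]
        # customer_id -> networks and device ids observed on prior successful logins
        self.history = {
            cid: {"networks": [_net(n) for n in h["networks"]],
                  "devices": set(h["devices"])}
            for cid, h in customer_history.items()
        }

    def decide(self, attempt):
        """Return (decision, reason) for a login attempt."""
        addr = ipaddress.ip_address(attempt.source_ip)
        if any(addr in net for net in self.blocked):
            return BLOCK, "source address on reputation block list"

        known = self.history.get(attempt.customer_id)
        if known is None:
            return STEP_UP, "no login history for customer"

        ip_known = any(addr in net for net in known["networks"])
        device_known = attempt.device_id in known["devices"]
        if ip_known and device_known:
            return ALLOW, "address and device match customer history"

        reasons = []
        if not ip_known:
            reasons.append("address differs from expected")
        if not device_known:
            reasons.append("unrecognized device")
        return STEP_UP, "; ".join(reasons)

    def record_success(self, attempt):
        """After a step-up is answered correctly, learn the device and the /24 it came from."""
        entry = self.history.setdefault(attempt.customer_id, {"networks": [], "devices": set()})
        net = ipaddress.ip_network(f"{attempt.source_ip}/24", strict=False)
        if net not in entry["networks"]:
            entry["networks"].append(net)
        entry["devices"].add(attempt.device_id)


# Constructed block list and one customer's history (RFC 5737 ranges).
SAMPLE_POLICY = LoginRiskPolicy(
    blocked_networks=["203.0.113.0/24", "192.0.2.250"],
    customer_history={"cust-001": {"networks": ["198.51.100.0/24"],
                                   "devices": ["dev-laptop-1"]}},
)


def demo():
    """Decide a set of constructed login attempts; returns {case name: (decision, reason)}."""
    p = SAMPLE_POLICY
    results = {
        "usual network, usual device": p.decide(LoginAttempt("cust-001", "198.51.100.20", "dev-laptop-1")),
        "block-listed range": p.decide(LoginAttempt("cust-001", "203.0.113.5", "dev-laptop-1")),
        "new network": p.decide(LoginAttempt("cust-001", "192.0.2.77", "dev-laptop-1")),
        "new device": p.decide(LoginAttempt("cust-001", "198.51.100.20", "dev-phone-9")),
        "unknown customer": p.decide(LoginAttempt("cust-999", "198.51.100.20", "dev-x")),
    }
    # The customer answers the step-up from the new network; it is learned and allowed next time.
    from_new_net = LoginAttempt("cust-001", "192.0.2.77", "dev-laptop-1")
    p.record_success(from_new_net)
    results["new network, after step-up passed"] = p.decide(from_new_net)
    return results


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name}: {decision} ({reason})")
```

Reputation blocking is evaluated before history so that a block-listed source is refused even for a customer who has logged in from it before; the history is only ever extended after a successful step-up, never on a plain password match, so a stolen password alone cannot teach the system a new device.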

Case Study: Department of Revenue Hack
Resulted in:
- 44 systems compromised
- 33 unique pieces of malicious software being installed, including a backdoor
- At least four valid user accounts being compromised
- Approximately 74.7 GB of data stolen, including 3.6 million SSNs and 387K credit and debit card numbers

Case Study: Department of Revenue Hack
Timeline of events:
- A malicious (phishing) email was sent to multiple Department of Revenue employees.
- At least one user clicked on the embedded link, unwittingly executed malware, and became compromised.
What could have prevented this:
- Better training
- Email filtering
- Social engineering testing
- Endpoint security
- Restriction of local administrator access

Case Study: Department of Revenue Hack
Timeline of events (continued):
- The attacker logged into the remote access service using legitimate Department of Revenue user credentials.
- The credentials used belonged to one of the users who had received and opened the malicious email.
What could have prevented this:
- Multi-factor authentication for remote access
- Restriction of remote access based upon specific job needs

Case Study: Department of Revenue Hack
Timeline of events (continued):
- The attacker executed utilities designed to obtain user account passwords on six servers.
- The attacker executed a utility to obtain user account passwords for all Windows user accounts.
- The attacker installed malicious software (a "backdoor") on one server.
What could have prevented this:
- Host-level IPS
- Internal network monitoring
- Endpoint security
- APT monitoring software

Case Study: Department of Revenue Hack
Timeline of events (continued):
- The attacker interacted with multiple systems and conducted reconnaissance activities.
What could have prevented this:
- Internal network monitoring
- Host-based IPS (behavioral)
- Host-level security
- Internal network hardening (attack surface reduction)

Case Study: Department of Revenue Hack
Timeline of events (continued):
- The attacker copied databases, moved them to a staging directory, and then sent them to the Internet.
- The attacker then deleted the copied databases.
What could have prevented this:
- Encryption of data
- Adequate user access controls to the database
- Database logging
- Network performance monitoring
- Data leakage prevention
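Two of the controls named for this step, network performance monitoring and data leakage prevention, come down to noticing that a server which never talks to the Internet has suddenly sent gigabytes out. The following is an added example written for this page, not code from the presenters or from the incident investigation: it totals outbound bytes per internal host from flow records and flags hosts whose egress is far above their own baseline. The flow format, the flow records, the baselines and the addresses (RFC 1918 internal ranges, RFC 5737 external ranges) are all constructed.

```python
"""Egress volume monitoring for the exfiltration step of the case study, as an example.

Reads flow records (constructed here in a simple "timestamp src dst bytes"
format), totals bytes sent from internal hosts to external addresses, and
flags any host whose outbound total is far above its own baseline. A database
server that normally sends nothing to the Internet and suddenly pushes
gigabytes out stands out immediately. Flows and baselines are constructed
sample data; addresses use RFC 1918 and RFC 5737 ranges.
"""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse whitespace-separated 'timestamp src dst bytes' lines, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes)})
    return flows


def outbound_totals(flows):
    """Bytes sent by each internal host to external destinations (internal-to-internal ignored)."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def flag_exfiltration(flows, baselines, multiplier=10, floor_bytes=500_000_000):
    """Return (host, total, threshold) for each host whose external egress exceeds its threshold.

    The threshold is `multiplier` times the host's usual daily egress but never
    below `floor_bytes`, so a host with a baseline of zero is flagged only once
    it sends a meaningful amount, and low-volume hosts are not flagged by noise.
    """
    flagged = []
    for host, total in sorted(outbound_totals(flows).items()):
        threshold = max(baselines.get(host, 0) * multiplier, floor_bytes)
        if total > threshold:
            flagged.append((host, total, threshold))
    return flagged


# Constructed flow records: 10.0.5.21 is a database server with no normal Internet
# egress; 10.0.1.15 is a workstation; 192.168.3.9 is a web proxy.
SAMPLE_FLOWS = """
2020-01-01T02:10:00 10.0.5.21 203.0.113.10 1400000000
2020-01-01T02:11:00 10.0.5.21 203.0.113.10 1600000000
2020-01-01T02:12:00 10.0.1.15 198.51.100.8 250000
2020-01-01T02:13:00 10.0.1.15 10.0.5.21 50000000
2020-01-01T02:14:00 192.168.3.9 198.51.100.8 8000000
"""

# Constructed per-host daily egress baselines, in bytes.
SAMPLE_BASELINES = {"10.0.5.21": 0, "10.0.1.15": 20_000_000, "192.168.3.9": 5_000_000}


def demo():
    """Flag anomalous egress in the constructed sample flows."""
    return flag_exfiltration(parse_flows(SAMPLE_FLOWS), SAMPLE_BASELINES)


if __name__ == "__main__":
    for host, total, threshold in demo():
        print(f"ALERT {host}: {total:,} bytes egress, threshold {threshold:,}")
```

The point of a per-host baseline rather than a single global threshold is that the web proxy legitimately moves far more data than a database server; the database server's anomaly is not its absolute volume but the fact that its normal external egress is zero. The floor keeps a zero-baseline host from alerting on a single DNS lookup or update check.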

Other Data Breaches
California Department of Social Services
- Information compromised: payroll information of over 700,000 individuals, due to microfiche lost in the mail
- Lessons learned: physical security remains vital
Wisconsin Department of Revenue
- Information compromised: sensitive information on 110,000 people accidentally put on a website
- Lessons learned: we rely on knowledgeable employees, but human error is still a risk

Other Data Breaches
NASA
- Information compromised: 10,000 employees' sensitive data was on a stolen laptop, which was unencrypted
- Lessons learned: encrypt your data!

Summary
- There are threats that can potentially bypass your controls
- Risk mitigation needs to factor in compensating controls
- A layered security approach will help to minimize the ever-increasing threats from the outside

Mike Morris, mmorris@pkm.com, 404-420-5669
Jim Rumph, jrumph@pkm.com, 404-420-5639