IT TRENDS AND FUTURE CONSIDERATIONS. Paul Rainbow CPA, CISA, CIA, CISSP, CTGA



AGENDA: BYOD, Cloud Computing, PCI, Fraud, Internet Banking, Questions

The Mobile Explosion
Mobile data traffic in 2011 was nearly 12 times the size of the entire global Internet traffic in 2000.
Global mobile traffic will increase 13-fold between 2012 and 2017.
By the end of 2013, the number of mobile-connected devices will exceed the number of people on earth.
By 2017, there will be 8.6 billion handheld or personal mobile-ready devices.
Gartner predicts that by 2014, 90% of companies will support corporate applications on personal mobile devices.
Source: Cisco Global Mobile Data Traffic Forecast Update, 2012-2017

Mobile Computer Sales: Tablets Lead
Tablets are poised to outsell laptops by 2016.

Mobile Technology Trends
According to CTIA, as of June 2012 there were 327,577,529 active mobile devices connected to US carriers.
BYOD is gaining acceptance in the workplace.
Mobile Device Sales (3Q 2012):
Android: 104.8 million units (68.1% market share)
iOS: 26 million units (16.9% market share)
BlackBerry: 7.4 million units (4.8% market share)
Symbian: 6.8 million units (4.4% market share)
Windows: 5.4 million units (3.5% market share)
The popularity of smartphones has made them the next major target for cyber criminals.

BYOD: The New Frontier
Employees are using their own devices in the workplace and asking to connect them to the company network; this trend is known as Bring Your Own Device (BYOD). According to Forrester Research, 48% of employees will buy their own device whether their organization approves or not.

BYOD: The New Frontier: Benefits
Employees get a choice, which boosts morale and productivity.
The firm avoids owning hardware and ongoing contracts; employees set up services under their own names.
The equipment can go with the employee if they leave, so departures are cleaner: corporate data is simply wiped from the employee's device.

BYOD: The New Frontier: Challenges
Security is easier to manage on company-owned devices; it is difficult to control when the environment and devices are not under the IT department's control.
The balance between life and work is challenged: the line between the two is blurred, and employees have a hard time turning off work.
Policies are not keeping up with the trend: enterprises are lagging behind in creating policies that address BYOD.

BYOD: The New Frontier: Legal Challenges
Can legal discovery rights over corporate information be extended to personal devices if they also hold personal data?
Do breaches of personal data on company-owned devices leave the company liable (e.g., HIPAA information on my company-owned device)?
Could BYOD support wage-and-hour claims for non-exempt employees working off the clock?
A 2010 US Supreme Court 9-0 ruling declared that employees are not entitled to privacy if they use an employer-issued device, so what level of privacy is there for BYOD devices?

Current Mobile Threats
Malware is the single largest threat to mobile security. In 2012, Kaspersky Labs discovered an average of 6,300 new Android malware samples every month, an increase of over eight times from 2011.
Mobile malware can be divided into three separate categories: Trojans, backdoors and spyware.
Trojans are widely used in SMS attacks.
Backdoors allow unauthorized access to devices.
Spyware targets the unauthorized collection of private data.

Current Mobile Threats: Android
Android is more susceptible to malware than Apple. Why?
Lax application markets: apps can be downloaded outside of the market.
It is easy to repackage legitimate applications with malware.
Flawed Android security model.
Large security issues with jailbroken and rooted phones: hacking a mobile phone allows its security controls to be circumvented.

Current Mobile Threats: Find and Call
Apple's first App Store malware. The Find and Call app steals the phonebook from devices and pushes the data back to a command and control (C&C) server; the data is then used for SMS spam campaigns.

Current Mobile Threats: Ransomware
Ransomware: malware which effectively holds a user's device hostage until a fee is paid.

Current Mobile Threats: SMS Botnets
An SMS spam botnet directs users to download malware directly onto their device:
An SMS is received containing a URL.
When the user clicks on the URL, a Trojan is installed on the device along with the legitimate application.
The Trojan contacts a C&C server to obtain the spam message.
The spam message is sent to the contacts stored in the phone.

Current Mobile Threats: Zitmo
Banking Trojans: Zeus In The Mobile (Zitmo) masquerades as a banking activation application and eavesdrops on SMS messages, looking for the mobile transaction authentication numbers (mTANs) that banks send to customers as a second form of authentication. It first appeared in 2010.

Cloud Computing
Private Cloud: hosted for or by a single entity on a private network; can be hosted internally or outsourced but is most often operated internally; only those within the entity share the resources.
Community Cloud: hosted for a limited number of entities with a common purpose; access is generally restricted; most often used in a regulated environment where entities have common requirements.
Hybrid Cloud: data or applications are portable and permit private and public clouds to connect.
Public Cloud: available to the general public; owned and operated by a third-party service provider.

Cloud Computing
The institution has the ability to increase or decrease resources on demand without involving the service provider (on-demand self-service).
Massive scalability in terms of bandwidth or storage is available to the institution.
The institution can rapidly deploy or release resources.
The financial institution pays only for those resources which are actually used (pay-as-you-go pricing).

Cloud Computing
One of the major concerns with cloud computing is the loss of control over physical access to systems. Depending on the type of cloud service you use, you may be sharing hardware with others. This can lead to legal (and operational) issues if the systems and/or backups are requested by a court or government agency.

Notable Payment Card Security Breaches
Heartland Payment Systems, 2008: hackers attacked the system used to process card transactions. Up to 100 million transactions compromised.
TJX Corp., 2007: hackers compromised the wireless network to steal information on approx. 94 million card transactions.
HEI Hospitality (Marriott, Sheraton, Westin), March/April 2010: POS system compromised. Up to 3,400 credit card accounts compromised.
PlayStation Network, 2011: hack attack. 77 million personal information records acquired. Credit card information (TBD).
Seattle small and medium-sized businesses, April 2011: war-driving hacks to steal credit card data. Stole about $750,000 worth of goods.

Payment Card Industry (PCI) Data Security Standard Overview
Not a government regulation, but an industry regulation.
All entities that process, store, or transmit payment card information need to comply. (The PAN is the deciding factor.)
The players: card brands, merchants, service providers, acquirers, and issuers.
Effective compliance dates vary depending on merchant level or service provider level and card brand (June 2005, Dec. 2008).
Card brands have their own compliance programs and are responsible for compliance tracking, enforcement, penalties, and fees.

Why is compliance with PCI DSS important?
A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:
1. Regulatory notification requirements
2. Loss of reputation
3. Loss of customers
4. Potential financial liabilities (regulatory and other fees and fines)
5. Litigation

Penalties for Non-Compliance
Members proven to be non-compliant, or whose merchants or agents are non-compliant, may be assessed:
Non-compliance fine of up to $500K
Forensic investigation costs
Issuer/acquirer losses
Unlimited liability for fraudulent transactions
Potential additional issuer compensation (e.g., card replacement)
Dispute resolution costs

Fraud Trends: Malware, Mobile Devices, Social Engineering, Social Media

Malware
Man-in-the-Browser is malware that infects a web browser and has the ability to modify pages, modify transaction content, or insert additional transactions. This is hidden from both the user and the application. Keystroke loggers and similar strains of malware continue to be used to collect data and user credentials for use in fraud.

Social Engineering
As financial institutions enhance their online security, criminals are changing their avenue of attack. Social engineering is used in various forms (phishing, spear phishing, or smishing).

[Chart: US Bank Types Attacked by Phishing]

[Chart: Phishing Attacks per Month]

Social Media
An easy way for criminals to gather intimate details about members to use in fraud.
An easy way to send malware or Trojans to a large group of people from a trusted friend.
A new frontier for phishing and social engineering attacks.

Internet Banking Authentication
Regulators issued guidance on Internet banking authentication in June 2011. The guidance called out the responsibility of financial institutions to:
Differentiate between retail and business transaction risk; the agencies recommend that institutions offer multifactor authentication to their business customers.
Continue to focus on risk assessment.
Place increased emphasis on layered security programs.
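The layered-security idea above, combined with the Man-in-the-Browser threat from the Fraud Trends slides, can be shown as a server-side transaction-risk gate. This is an added example, not code from the presentation or from any bank: the risk factors, thresholds, account-naming convention and sample transactions are all constructed assumptions, and the out-of-band confirmation code is the standard "what you see is what you sign" pattern, where the code the customer types back is bound to the exact amount and payee the server will execute, so a browser-side alteration is visible before funds move.

```python
import hashlib
import hmac

# Constructed sample transactions as submitted from a browser session.
# Field names and the "biz-"/"retail-" account prefixes are assumptions.
SAMPLE_TRANSACTIONS = [
    {"account": "biz-1001", "amount": 250.00, "payee": "ACME Supplies",
     "new_payee": False, "session_geo": "US", "profile_geo": "US"},
    {"account": "biz-1001", "amount": 48000.00, "payee": "Unknown Holdings",
     "new_payee": True, "session_geo": "RO", "profile_geo": "US"},
    {"account": "retail-2002", "amount": 120.00, "payee": "Electric Co",
     "new_payee": False, "session_geo": "US", "profile_geo": "US"},
]

def risk_score(txn, business_threshold=10000.0, retail_threshold=2000.0):
    """Additive risk score; higher means more anomalous. Business accounts
    get a different amount threshold and a base uplift, reflecting the
    guidance to treat business transaction risk separately from retail."""
    is_business = txn["account"].startswith("biz-")
    threshold = business_threshold if is_business else retail_threshold
    score = 0
    if txn["amount"] >= threshold:
        score += 2                       # unusually large for this account class
    if txn["new_payee"]:
        score += 2                       # first payment to this payee
    if txn["session_geo"] != txn["profile_geo"]:
        score += 1                       # session origin differs from customer profile
    if is_business:
        score += 1                       # corporate accounts carry higher takeover exposure
    return score

def required_control(txn):
    """Map the score to a layer: allow, step-up MFA, or out-of-band confirmation."""
    score = risk_score(txn)
    if score >= 4:
        return "out_of_band_confirmation"
    if score >= 2:
        return "step_up_mfa"
    return "allow"

def confirmation_code(txn, secret):
    """Short code bound to the account, amount and payee the server will execute.
    It is delivered with those details over a channel the browser cannot alter
    (e.g. voice call or app push), so a MitB-modified payee or amount is seen."""
    canonical = f"{txn['account']}|{txn['amount']:.2f}|{txn['payee']}".encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()[:8]

def mitb_tampered(intended, submitted, secret):
    """True when the submitted transaction no longer matches what the customer
    confirmed out of band, i.e. the browser changed it after the user acted."""
    return not hmac.compare_digest(confirmation_code(intended, secret),
                                   confirmation_code(submitted, secret))
```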

Questions?
Contact us: paul.rainbow@mossadams.com, 509 714 4865