Risks and Trends in Network Security. Credit Unions




Risks and Trends in Network Security: Key IT Controls for Credit Unions. ACUIA Region 4 Meeting, April 2013. 2012 CliftonLarsonAllen LLP 1

Our perspective: CliftonLarsonAllen. Started in 1953 with a goal of total client service. Today, an industry-specialized CPA and advisory firm ranked in the top 10 in the U.S. Largest credit union service practice* (*Callahan and Associates 2011 Guide to Credit Union CPA Auditors). CliftonLarsonAllen's credit union practice has recently grown to over 100 professionals, including more than 20 principals. The group focuses on audit, assurance, consulting and advisory, information technology, and human resource management for credit unions across the country. www.larsonallen.com news release 2

Randy Romes, CliftonLarsonAllen: Professional Student, Pizza Guy, High School Science Teacher, Hacker, Dad 3

Cub Scouts, IT Professionals, & Hackers: Cub Scouts. Be Prepared: Camping Trip Preparation. Road Trip!!! 4

Cub Scouts, IT Professionals, & Hackers: Cub Scouts. Camp Tomahawk Daily Routine: Business as Usual 5

Cub Scouts, IT Professionals, & Hackers: Cub Scouts. Monday Morning: NOT Business as Usual. (Camp map labels: Parking X, Ecology, Camp Sites, Main Lodge) 6

Presentation overview: Emerging & Continuing Trends; Industry Security Reports; 14 Years of Information Security Audit, Assurance, and Incident Response; Strategies and Key Controls 7

Definition of a Secure System: A secure system is one we can depend on to behave as we expect. (Source: Web Security and Commerce by Simson Garfinkel with Gene Spafford.) People, Rules, Tools; Confidentiality, Integrity, Availability 8

Three Reasons Why We Should Care: (1) Regulatory and industry requirements: NCUA/FFIEC/GLBA, PCI, state laws (this list is not getting smaller); (2) Contractual compliance: more and more partners and vendors; a recent example from a regulatory compliance audit; (3) It's a good idea: see the breach listings at https://www.privacyrights.org/data-breach 9

Three Security Reports. Trends: SANS 2009 Top Cyber Security Threats, http://www.sans.org/top-cyber-security-risks/. Intrusion Analysis: TrustWave (2010 and 2011), https://www.trustwave.com/whitepapers.php. Intrusion Analysis: Verizon Business Services, 2010 report http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf and 2011 report http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf 10

Trends: 2009 SANS Report (SANS study: http://www.sans.org/top-cyber-security-risks/). Client Side Attacks: end user workstation (vulnerabilities); website application vulnerabilities (external web sites, the organization's web sites). Password Attacks: FTP, SSH, Remote Access. Unpatched Applications: Adobe, Java, Apple, etc. Phishing Attacks. Application Vulnerabilities: SQL injection, PHP issues 11

TrustWave Intrusion Analysis Report 2011 Methods of Entry: Methods of Propagation: 12

TrustWave Intrusion Analysis Report 2011 Most of the compromised systems were managed by a third party 13

TrustWave Intrusion Analysis Report: Incident Response Investigative Conclusions. Window of Data Exposure: once inside, attackers have very little reason to think they will be detected. The bad guys are inside for 1½ YEARS before anyone knows! 14

Verizon Report: an analysis of intrusions investigated by Verizon and the US Secret Service. KEY POINTS: Time from successful intrusion to compromise of data was days to weeks. Log files contained evidence of the intrusion attempt, success, and removal of data. Most successful intrusions were not considered highly difficult. 15

Hackers, Fraudsters, and Victims 2010 Opportunistic Attacks Targeted Attacks 16

Hackers, Fraudsters, and Victims 2011 Opportunistic Attacks Targeted Attacks 17

Verizon 2010 and 2011 18

Hackers and Fraudsters' Objectives. Identity Theft and Account Hijacking: phishing; ACH fraud; identity theft and fraudulent credit; corporate account takeovers. Targeted Attacks: internal access for privilege escalation; corporate/government espionage; mass data theft; access to Intellectual Property (IP) or financial information; targeted corporate account takeover. System Access for Processing Power: bot nets 19

Phishing and ACH Examples (since Dec 2011*): Manufacturing Company ($348,000); Public School District ($110,000); Church ($29,000 and $32,000); Hospital ($150,000); Health Care Association ($1,088,000). *More on these in the next session 20

Emerging Areas for Risk Management: Social Engineering (later today); Mobile Banking; Bring Your Own Device; Cloud Service Providers; Virtualization; Vendor Management 21

Mobile Banking: Understanding the Risks. 2012 CliftonLarsonAllen LLP 22

Mobile Banking Basics: Mobile banking is here to stay. More people have (smart) phones than computers. Mobile payments are here 23

Mobile Banking Basics: Different types of mobile banking: SMS mobile banking; mobile web; mobile applications 24

Vulnerabilities, Risks, & Controls: Vulnerabilities and risks at each component. Perform a risk assessment (Risk Assessment Heat Map). Server Side Risks (Vendor Risks); Transmission Risks; Mobile Device Risks; Mobile App Risks; End User Risks 25

Vulnerabilities, Risks, & Controls: Server Side Risks. Essentially the same as traditional Internet banking website risks: insecure coding practices; default credentials; patch/update maintenance; certificate issues. This is essentially a web server for the mobile devices to connect to. (Diagram: Credit Union, Firewall) 26

Vulnerabilities, Risks, & Controls: Vendor Risks. Same risks as the credit union, now outside of your direct control: insecure coding practices; default credentials; patch/update maintenance; certificate issues. Also need controls on the dedicated link. This is essentially a web server for the mobile devices to connect to. (Diagram: Credit Union, Firewall, Credit Union Core System) 27

Vulnerabilities, Risks, & Controls: Transmission Risks. Most mobile devices have an always-on Internet connection: cellular (cell phone service provider); WiFi (802.11 home, corporate, public). Need encryption. Common end user practices 28

Vulnerabilities, Risks, & Controls Mobile Device Risks Multiple hardware platforms & multiple operating systems 29

Mobile Banking Basics: Mobile banking applications (i.e. mobile apps). Various mobile app market places: iTunes/Apple App Store; Android Market; Verizon App Store; BlackBerry App Store 30

Vulnerabilities, Risks, & Controls: Mobile App Risks. Secure coding issues; installation of the app; use and protection of credentials; storage of data; transmission of data 31

Vulnerabilities, Risks, & Controls: End User Risks. Lose the device; don't use passwords, or use easy to guess passwords; store passwords on the device; jailbreak the device; don't use security software; use/don't recognize insecure wireless networks; let their kids use the device 32

Vendor Due Diligence and Management: All of the above applies to your vendor(s): mobile banking application provider; mobile banking hosting provider. Contracts with SLAs; SSAE 16 reviews; independent code review and testing 33

Mobile Devices: Bring Your Own Device (BYOD). 2012 CliftonLarsonAllen LLP 34

BYOD People, Rules, and Tools: Standards; Data Classification; Acceptable Use; Incident Response; Litigation Preparedness 35

BYOD Controls and Enterprise management of: Credentials; Login/Screen Saver; Encryption; Monitoring; Data Loss Prevention (DLP); Remote Locate and Wipe; Segregation... 36

Cloud Services: Benefits and Risks. 2012 CliftonLarsonAllen LLP 37

What is the Cloud? Is it a clever marketing term? Where is the cloud? 38

What is the Cloud? The original "cloud computing": Mainframes 39

What is the Cloud? The next generation: Thin Clients (Citrix, RDP, etc.) 40

What is the Cloud? Today s cloud: Hosted service or process all the way to hosted infrastructure. 41


What is the Cloud? National Institute of Standards and Technology (NIST) definition of cloud computing, published October 7, 2009: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." 43

Cloud Computing Service Models. Software as a Service (SaaS): capability to use the provider's applications that run on the cloud infrastructure. Platform as a Service (PaaS): capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider. Infrastructure as a Service (IaaS): capability to provision processing, storage, networks and other fundamental computing resources that offer the customer the ability to deploy and run arbitrary software, which can include operating systems and applications 44

Cloud Computing Service Models. The KEY takeaway for cloud architecture is that the lower down the stack the cloud service provider stops, the more capabilities and management the users are responsible for implementing and managing themselves 45

What does that mean? Cloud computing means an increased need for: good policies; clear communication between the provider and the consumer of the services; ownership and governance of the relationship with the provider 46

Cloud Computing Deployment Models. Public cloud (commercial): made available to the general public or a large industry group; owned by an organization that sells cloud services. Community cloud: shared by several organizations; supports a specific community that has a shared mission or interest; may be managed by the organizations or a third party; may reside on or off premises 47

Cloud Computing Deployment Models, cont. Hybrid cloud: composed of two or more clouds (private, community or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). Private cloud: operated solely for an organization; may be managed by the organization or a third party; may exist on or off premises 48

Examples of Cloud Services: Hosted applications (Gmail, Google Apps); Hosted accounting; Online/cloud backup services and storage; Hosted infrastructure; Private Clouds 49

Benefits: Cost; Administration; DR/BCP; Compliance 50

Risks: Vendor Risks; Governance Risks; Data Risks. Who has your data? Where is your data? Who has access to your data? 51

Examples in the news. Megaupload story (SANS NewsBites Vol. 14 Num. 29, http://www.wired.com/threatlevel/2012/04/megaupload wiredefense hobbled/): A Megaupload defense attorney maintains that the government has "cherry picked" data from servers to bolster its case against Megaupload, and to allow the destruction of the data now could potentially destroy evidence that would prove beneficial to the defense. The staggering volume of data (25 petabytes) is currently being stored on servers at US hosting company Carpathia, but because Megaupload's assets are frozen, Carpathia is shouldering the US $9,000 daily cost of maintaining the data. A hearing on the matter is scheduled for Friday, April 13. Carpathia wants the judge to relieve it of the burden of the cost of maintaining the data; an Ohio businessman wants the data preserved because he has legitimate files stored on the servers and wants them returned; the Motion Picture Association of America (MPAA) wants the data preserved so they can be used in future copyright infringement lawsuits; and Carpathia and Megaupload have suggested a proposal wherein Megaupload would purchase the servers and bear the cost of maintaining the data, but the government so far has refused to unfreeze the company's assets. 52

Examples closer to home: Recent conference. Between sessions, vendors describe their service offerings. Company X offers online, secure backup to the cloud. Company X has grown over 300% in the last year. Best of all, Company X now provides online, secure, cloud-based backup for Company Y, one of the larger core hosting providers. Where does the outsourcing chain end? How many FIs using Company Y know where their data is? 53

Cloud Computing Controls. The overall control domain is the same as an in-house IT environment; the challenge is to figure out who is doing what. Controls in the cloud computing environment may be provided by the consumer/company, the cloud service provider, or a separate 3rd party. SSAE 16 SOC 2 report from service providers 54

Evaluate the Control Environment 55

Things to do: Risk assessment; cost benefit analysis; vendor due diligence; scrutinize contracts; ongoing vendor management; be rigorous about where your data is; understand vendors' responsibility and YOURS; remember basic security tenets 56

Ten Things Every Credit Union Should Have. 1. Strong Policies: define what is expected; the foundation for all that follows 57

Ten Things Every Credit Union Should Have. 2. Defined user access roles and permissions: principle of minimum access and least privilege; most users should not have system administrator rights; don't forget your vendors 58

Ten Things Every Credit Union Should Have. 3. Hardened internal systems (end points): hardening checklists; turn off unneeded services (minimize attack surface); change (vendor) default passwords 59

Ten Things Every Credit Union Should Have. 4. Encryption strategy (variety of state laws): email; laptops, desktops, email-enabled cell phones; thumb drives/mobile media; data at rest? 60

Ten Things Every Credit Union Should Have. 5. Vulnerability management process: operating system patches; application patches (SMS and Shavlik); testing to validate effectiveness, to find and address the exceptions 61

Ten Things Every Credit Union Should Have. 6. Well defined perimeter security layers: network segments; email gateway/filter, firewall, and proxy integration for traffic in AND out; Intrusion Detection/Prevention for network traffic, Internet facing hosts, AND workstations (end points) 62

Ten Things Every Credit Union Should Have. 7. Centralized audit logging, analysis, and automated alerting capabilities: Security Information and Event Management (SIEM); routing infrastructure; network authentication; servers; applications. Archiving vs. Reviewing 63
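The Verizon finding earlier in the deck (log files contained evidence of the intrusion attempt, success, and removal of data) and the "Archiving vs. Reviewing" point on this slide are what centralized log review exists to catch. The Python below is an added example, not material from the CliftonLarsonAllen deck: it parses constructed, hypothetical SSH authentication log lines (the host name, user names and RFC 5737 test addresses are made up), flags the password-guessing-then-success pattern from the SANS list, and measures the window of data exposure between that event and the day the archived log was finally reviewed. The threshold, time window and log format are assumed values, not anything the deck specifies.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical host, users and RFC 5737 test addresses).
# Assumed format: "<ISO timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>"
SAMPLE_LOG = """\
2013-03-04T02:10:05 ssh-gw sshd: Failed password for admin from 203.0.113.7
2013-03-04T02:10:06 ssh-gw sshd: Failed password for admin from 203.0.113.7
2013-03-04T02:10:08 ssh-gw sshd: Failed password for admin from 203.0.113.7
2013-03-04T02:10:09 ssh-gw sshd: Failed password for admin from 203.0.113.7
2013-03-04T02:10:11 ssh-gw sshd: Failed password for admin from 203.0.113.7
2013-03-04T02:10:14 ssh-gw sshd: Accepted password for admin from 203.0.113.7
2013-03-04T09:15:00 ssh-gw sshd: Accepted password for jdoe from 192.0.2.20
2013-03-04T09:15:30 ssh-gw sshd: Failed password for jdoe from 192.0.2.20
2013-03-04T09:15:41 ssh-gw sshd: Accepted password for jdoe from 192.0.2.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match are skipped, not guessed at."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def detect_guess_then_success(events, threshold=5, window_seconds=300):
    """Alert when one (user, source) pair logs >= threshold failures and then a success
    within window_seconds. A single mistyped password (jdoe) stays below the threshold."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key]
                  if (ev["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "failures": len(recent), "success_at": ev["ts"].isoformat()})
        failures[key] = []  # a success closes the sequence either way
    return alerts


def exposure_window_days(first_event_iso, reviewed_iso):
    """Window of data exposure: whole days from the first alert-worthy event to the day
    the archived log was actually reviewed (TrustWave's figure was about 1.5 years)."""
    first = datetime.fromisoformat(first_event_iso)
    reviewed = datetime.fromisoformat(reviewed_iso)
    return (reviewed - first).days


if __name__ == "__main__":
    found = detect_guess_then_success(parse(SAMPLE_LOG))
    for a in found:
        print(f"ALERT {a['user']}@{a['src']}: {a['failures']} failures then success at {a['success_at']}")
    # Archiving this log and reviewing it only in September 2014 leaves roughly a year and a half of exposure.
    print("days of exposure if reviewed 2014-09-04:",
          exposure_window_days(found[0]["success_at"], "2014-09-04T00:00:00"))
```

The same parse-then-correlate shape applies to the other sources the slide lists (routing infrastructure, network authentication, servers, applications); only the regular expression and the alert rule change.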

Ten Things Every Credit Union Should Have. 8. Defined incident response plan and procedures: be prepared; documentation and procedures, including data leakage prevention and monitoring; incident response testing, just like DR testing; forensic preparedness 64

Ten Things Every Credit Union Should Have. 9. Validation that it all works the way you expect (remember the definition?): (IT) audits; vulnerability assessments; penetration testing; a combination of internal and external resources; pre-implementation and post-implementation 65

Ten Things Every Credit Union Should Have. 10. Vendor Management: the previous 9 topics should all be applied to your vendors/business partners. Require vendor systems be at least as secure as your own. For managed services, require vendors to agree to operate up to your standards: vulnerability management; secure communication protocols; incident response capabilities; right to audit. Understand your contracts and SLAs 66

Solutions From SANS Report: 20 Critical Controls, http://www.sans.org/critical-security-controls/ 67

SANS First Five: 1. Software whitelisting. 2. Secure standard configurations. 3. Application security patch installation within 48 hours. 4. System security patch installation within 48 hours. 5. Ensuring administrative privileges are not active while browsing the Internet or handling email 68

Questions? 69

Thank you! Randy Romes, CISSP, CRISC, MCP, PCI QSA, Principal, Information Security Services. Randy.romes@cliftonlarsonallen.com, 888.529.264. Slides are available here: http://www.larsonallen.com/information_security/ (Presentations link/button on lower left). 2012 CliftonLarsonAllen LLP 70

Common Compliance Requirements: Compliance Matrix. Resources: http://net.educause.edu/ir/library/pdf/csd5876.pdf and http://www.infosec.co.uk/exhibitorlibrary/277/cross_compliance_wp_20.pdf 71

Resources: Hardening Checklists. Hardening checklists from vendors. CIS offers vendor neutral hardening resources: http://www.cisecurity.org/. Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true and http://technet.microsoft.com/en-us/library/dd366061.aspx. Most of these will be from the BIG software and hardware providers 72

Resources. Computer Security Institute: http://www.gocsi.com/soceng.htm. Methods of Hacking: Social Engineering, by Rick Nelson: http://www.isr.umd.edu/gemstone/infosec/ver2/papers/socialeng.html. Computer Security Institute: http://www.sptimes.com/2007/10/28/business/here_s_how_a_slick_la.shtml 73

Resources. Bank Info Security Resource Center: http://ffiec.bankinfosecurity.com/. FFIEC Authentication Guidance: http://www.ffiec.gov/press/pr062811.htm and http://www.ffiec.gov/pdf/authentication_guidance.pdf 74

PCI Standards: Quarterly external vulnerability scan by an Approved Scanning Vendor (ASV). Quarterly test of wireless network security. Annual DSS Assessment (i.e. SAQ), by a QSA if Level 1. Annual Penetration Test (not a vulnerability scan): external and internal. https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf 75

Resources: In the News. Privacy Rights <dot> org: http://www.privacyrights.org/ar/chrondatabreaches.htm. Resource for State Laws: https://www.privacyrights.org/data-breach (FAQ #10) 76

References. Michigan company sues bank: http://www.computerworld.com/s/article/9156558/michigan_firm_sues_bank_over_theft_of_560_000_?taxonomyid=17 and http://www.krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/#more-973. Bank sues Texas company: http://www.bankinfosecurity.com/articles.php?art_id=2132 77

References to Specific State Laws. Are there state-specific breach listings? Some states have state laws that require breaches to be reported to a centralized database. These states include Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia's notification law only applies to electronic breaches affecting more than 1,000 residents). However, a number of other states have some level of notification that has been made publicly available, primarily through Freedom of Information requests. These states include California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin. State laws: http://www.privacyrights.org/data-breach#10. For details, see the Open Security Foundation DataLossDB website: http://datalossdb.org/primary_sources and http://www.privacyrights.org/ar/chrondatabreaches.htm 78