September 20, 2013 Senior IT Examiner Gene Lilienthal




Cyber Crime

September 20, 2013
Senior IT Examiner Gene Lilienthal

The following presentation represents the views and opinions of the speaker and does not necessarily reflect the views of the Federal Reserve Bank of San Francisco or the Board of Governors.

Restricted FR

Agenda
- Headlines
- Cyber Threat Landscape
  - Fraud
  - Espionage
  - Disruption & Destruction
- Mitigating Actions
- Questions

HEADLINES

Headlines
- FBI Alerts: Threats to Mobile Devices Using the Android Operating System, August 2013
- Cyber Criminals Continue to Use Spear Phishing Attacks to Compromise Computer Networks, FBI, July 2013
- Brobot attack scripts modified to attack login capabilities of a financial institution's website, April 2013
- St. Mary's Bank notified 116,000 people that personal information may be exposed after malware compromise, New Hampshire Business Review, July 2013
- University Federal Credit Union, Austin, Texas hit by DDoS attacks January 24 and February 25, 2013, with e-banking down for 6 hours and 40 minutes, PR Web
- Foreign hackers stole 160 million credit card numbers from more than a dozen companies, New York Times, July 2013

THREAT LANDSCAPE

Threat Landscape
- Types of threats:
  - Fraud: account takeovers, ID theft, synthetic IDs, etc.
  - Espionage: intrusion to gain unauthorized access to information
  - Disruption/destruction: DDoS attack; malicious software (malware)
- Threats may be combined:
  - Disruption to mask theft or espionage
  - Espionage to facilitate later theft or disruption
- Financial institutions are targets of all three types of threats

Threat Landscape: 2013 Verizon Data Breach Investigations Report
- 37% of breaches affected financial institutions
- 92% of breaches perpetrated by outsiders
- Financial industry:
  - Perpetrators: organized crime & insiders
  - Region of operation: Eastern Europe & North America
  - Common actions: tampering, brute force, malware and social engineering
  - Targeted assets: ATMs, POS terminals and controllers, databases, desktops, financial institution customers, employees and service providers
  - Desired data: payment cards, NPPI and bank credentials

FRAUD

Cyber Threat Landscape: Fraud
- Account takeover and debit card skimming
- Institutions and their service providers targeted directly
- Payment applications, such as credit, debit, ATM, and funds transfer infrastructures, are targeted
- Malware sophistication continually increasing
- Mobile platforms increasingly targeted to carry out account takeover fraud

Cyber Threat Landscape: Fraud
- DDoS attacks employed as diversion for fraud
  - DDoS occurs after fraudulent wire, ACH or credit/debit card transaction
  - Used to confuse, distract or block security response
- DDoS and account takeover tools developed and marketed by the same groups and being integrated into existing malware

ESPIONAGE

Cyber Threat Landscape: Espionage
- Financial institutions protect high value information assets, including customer information, proprietary information, application and operations processes, etc.
- Espionage may occur preparatory to fraud or a destructive cyber attack.
- Advanced persistent threats may target financial institutions with:
  - Zero day vulnerabilities
  - Social engineering
  - Exploitation of utility software
  - Exploitation of service providers

DISRUPTION & DESTRUCTION

Disruption/Destruction: Background
- Motive: political (domestic & nation state) or financial
- DDoS: a resiliency issue; DDoS attacks overwhelm the target
- Malicious destructive software: emerging security issue; malware used for data destruction, system disablement, and information theft

Disruption/Destruction: Risks
- Prolonged disruptions may result in loss of customer confidence in a specific bank or the financial system
- Impacts to banks include:
  - Customer delays in accessing Internet based services
  - Costs of implementing and maintaining defense solutions
  - Greater demands on technical support, customer support and management resources
- All FIs are threatened:
  - Directly targeted
  - Collateral damage (from service provider)

DDoS Points of Attack
[Diagram labels: Customers and Attackers (Which communications are legitimate?); Internet Service Provider (ISP); Bank Network or Service Provider Network; Firewall; Electronic Banking; Mobile Banking; Trading; Email; Internal Bank Servers and PCs]

DDoS Key Trends
- Politically motivated attack trends
  - Largest to smaller FIs
  - Hacktivism & coordination (social media)
- Average DDoS duration 38 hours (Prolexic)
- Average attack 49 Gbps (Prolexic)
- Peer to peer structure
- Global average broadband speed rose 25% in 2012 (AT&T)

More DDoS Trends
- Commercialization of DDoS: DDoS rentals are cheap!
- Roughly 75% of DDoS attacks are network layer
- Continued use of compromised web and DNS servers to amplify traffic volume
- Application and multi-vector attacks: application based attack volume tough to spot

Malicious Software
- Emerging threat: sophisticated adversaries
- From the attacker's perspective, the war is won before the battle starts
- Targeted persistent attacks: the target has something the attacker wants to destroy
- Execution: spear phishing, USB sticks or malicious insider
- Customized destructive malware: workstation, domain controller, patching server
- Very difficult, time consuming and expensive to recover
- Most applicable to large banks, technology service providers and other forms of critical infrastructure
- Examples: three South Korean banks, Saudi Aramco & RASGAS

MITIGATING ACTIONS

General Mitigating Actions
- Continue to evaluate and update security and resiliency technologies and processes.
- Maintain comprehensive and effective information security programs that reduce information security risks, including:
  - Assessment of current and emerging threats
  - Information security risk assessment processes
  - Vulnerability scanning and penetration testing
  - Identity and access management programs
  - Need to know and least privilege access controls
  - Operations based security controls
  - Secure application development and maintenance
  - Process controls, including separation of duties
  - Management and testing of outsourced technology services
  - Inclusion of cyber threats in resiliency and event management planning and testing

Effective Practices: Fraud
- Fraud prevention, detection and mitigation mechanisms:
  - Bank customer education, awareness and use of available tools, such as secure browsers, dedicated computers, software updates and anti malware products
  - Periodic risk assessments and risk management approaches, including understanding the benefits of particular layered security and anomaly detection tools for an organization's specific environment
  - Anomaly detection, including:
    - During login
    - When there are electronic funds transfer requests
    - Escalation when thresholds or sequences of anomalous activities are exceeded
  - Information sharing through financial industry associations, FS-ISAC and among peers

Effective Practices: Disruption/Destruction
- Board and senior management awareness
- Realistic, thorough and ongoing assessments of evolving threats and risks related to cyber attacks
- Well documented incident response program for the timely mitigation of the threat
- Defense in depth approach for protecting systems, applications and infrastructure
- Deployment of automated security event monitoring and network vulnerability scanning tools, as well as remediation of identified vulnerabilities
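The layered anomaly detection described on the Effective Practices: Fraud slide (checks at login, checks when an electronic funds transfer is requested, escalation once thresholds or sequences of anomalies are exceeded) and the DDoS-as-diversion pattern from the fraud threat slides are combined in the added example below. This is illustrative code written for this page, not the presenter's or the Federal Reserve's; the point values, the three-point escalation threshold, the two-hour pre-DDoS look-back window, the customer baseline and the event records are all constructed assumptions.

```python
# Added example, not from the presentation: anomaly points at login and at
# electronic funds transfer (EFT) time, escalation once a session crosses a
# threshold, and a pre-DDoS look-back handing recent transfers to the fraud
# group. Baselines, thresholds and events are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed baseline: devices, countries and payees seen before, and the
# largest transfer the customer has previously sent.
BASELINES = {
    "cust-001": {"devices": {"dev-a1"}, "countries": {"US"},
                 "payees": {"acct-111"}, "max_transfer": 2500.0},
}
ESCALATION_THRESHOLD = 3            # assumed: points per session before escalation
DDOS_LOOKBACK = timedelta(hours=2)  # assumed: pre-DDoS window whose transfers get reviewed

@dataclass
class Event:
    ts: datetime
    kind: str            # "login", "transfer" or "ddos_start"
    customer: str = ""
    session: str = ""
    device: str = ""
    country: str = ""
    payee: str = ""
    amount: float = 0.0

def score_login(ev, base):
    """Login-time check: an unfamiliar device or country adds one point each."""
    pts, reasons = 0, []
    if ev.device not in base["devices"]:
        pts, reasons = pts + 1, reasons + ["new device"]
    if ev.country not in base["countries"]:
        pts, reasons = pts + 1, reasons + ["new country"]
    return pts, reasons

def score_transfer(ev, base):
    """EFT-time check: a new payee adds one point, an amount above the
    customer's historic maximum adds two."""
    pts, reasons = 0, []
    if ev.payee not in base["payees"]:
        pts, reasons = pts + 1, reasons + ["new payee"]
    if ev.amount > base["max_transfer"]:
        pts, reasons = pts + 2, reasons + ["amount above baseline"]
    return pts, reasons

def analyze(events):
    """Walk events in time order; return (escalations, ddos_review).

    escalations: sessions whose cumulative points reached ESCALATION_THRESHOLD.
    ddos_review: transfers made within DDOS_LOOKBACK before a DDoS onset, so
    the fraud group re-examines them instead of treating the DDoS as a pure
    availability event (the diversion pattern on the fraud slides).
    """
    sessions, escalations, transfers, ddos_review = {}, [], [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "ddos_start":
            start = ev.ts - DDOS_LOOKBACK
            ddos_review.extend(t for t in transfers if start <= t.ts <= ev.ts)
            continue
        base = BASELINES[ev.customer]
        if ev.kind == "login":
            pts, reasons = score_login(ev, base)
        elif ev.kind == "transfer":
            pts, reasons = score_transfer(ev, base)
            transfers.append(ev)
        else:
            continue
        state = sessions.setdefault(ev.session, {"points": 0, "reasons": [], "escalated": False})
        state["points"] += pts
        state["reasons"] += reasons
        if state["points"] >= ESCALATION_THRESHOLD and not state["escalated"]:
            state["escalated"] = True   # escalate once per session, at the first crossing
            escalations.append({"session": ev.session, "customer": ev.customer,
                                "points": state["points"], "reasons": list(state["reasons"])})
    return escalations, ddos_review

# Constructed sample: a routine morning session, then an afternoon session from an
# unknown device abroad that wires an unusually large amount to a new payee,
# followed 18 minutes later by the onset of a DDoS on the bank's web front end.
SAMPLE_EVENTS = [
    Event(datetime(2013, 9, 20, 9, 0), "login", "cust-001", "s1", device="dev-a1", country="US"),
    Event(datetime(2013, 9, 20, 9, 5), "transfer", "cust-001", "s1", payee="acct-111", amount=500.0),
    Event(datetime(2013, 9, 20, 13, 0), "login", "cust-001", "s2", device="dev-zz", country="RO"),
    Event(datetime(2013, 9, 20, 13, 2), "transfer", "cust-001", "s2", payee="acct-999", amount=9800.0),
    Event(datetime(2013, 9, 20, 13, 20), "ddos_start"),
]

def run_sample():
    return analyze(SAMPLE_EVENTS)

if __name__ == "__main__":
    escalations, review = run_sample()
    print("escalated sessions:", escalations)
    print("pre-DDoS transfers for fraud review:", [(t.session, t.amount) for t in review])
```

Two design points worth noting. Scoring is per session and cumulative, so a single weak signal (one new device) does not page anyone, while the sequence "new device, new country, new payee, oversized amount" does, which is the "sequences of anomalous activities" case on the slide. The DDoS onset is treated as a fraud signal as well as an availability event: every transfer in the look-back window is handed to the fraud group, which is how a diversionary DDoS after a fraudulent wire gets caught even when the transfer itself scored below the threshold.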

Effective Practices: Disruption/Destruction (Continued)
- Formal incident reporting process to:
  - Provide key stakeholders with timely information.
  - Alert the fraud detection group when a cyber attack occurs.
  - Notify the regulator promptly of all significant cyber attacks.
- Engagement with industry groups (Financial Services Sector Coordinating Council, FS-ISAC) that share information on cyber incidents with government and law enforcement agencies (DHS and FBI)

Effective Practices: Disruption/Destruction (Continued)
- Analyzing the firm's dependence on 3rd party service providers who may also be vulnerable to attacks.
- Comprehensive, sustained engagement with service providers to assess and manage cyber risks and to test resiliency plans
- Following up attacks by conducting a root cause analysis and identifying opportunities to strengthen the firm's defenses.

Questions