Current Trends in Cyber Crime & Payments Fraud cliftonlarsonallen.com




Our perspective: CliftonLarsonAllen
- Started in 1953 with a goal of total client service
- Today, an industry-specialized CPA and advisory firm ranked in the top 10 in the U.S.
- Information security offered as a specialized service offering for over 15 years
- Largest credit union service practice* (*Callahan and Associates 2014 Guide to Credit Union CPA Auditors)

CliftonLarsonAllen's credit union practice has recently grown to over 100 professionals, including more than 20 principals. The group focuses on audit, assurance, consulting and advisory, information technology, and human resource management for credit unions across the country. (www.larsonallen.com news release)

Overview: Up-to-Date Cybersecurity and Fraud Risks
- Current threat environment
- Industry examples and case studies
- FFIEC cybersecurity assessments and governance requirements
- Strategies to mitigate and manage risks

Cyber Fraud Risk Themes
- Hackers have monetized their activity
- More sophisticated hacking
- More hands-on effort
- Smaller organizations targeted
- Black market economy
- Social engineering is a continuing threat
- Hackers targeting members and member businesses

Largest Cyber Fraud Trends
Most common cyber fraud scenarios we see affecting our credit unions and their members:
- Theft of PII and PFI
- Theft of credit card information
- Member and corporate account takeovers
- Ransomware
- Defensive measures to support incident response
- Examples and case studies

Black Market Economy: Theft of PFI and PII
Active campaigns involving targeted phishing and hacking focused on common/known vulnerabilities. Examples:
- Target
- Goodwill
- Jimmy John's
- University of Maryland
- University of Indiana
- Anthem Blue Cross
- Premera
- Olmsted Medical Center
- Community Health Systems

Anatomy of a Breach

Timeline of a Breach and Missed Opportunities
1. Attacked/compromised vendor remote access
2. Missed AV/IDS warnings
3. Attacked/compromised internal vulnerabilities
4. Missed IDS warnings

Black Market Economy: Stolen Card Data
- Carder or carding websites
- Dumps vs. CVVs
- A peek inside a carding operation: http://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/

Black Market Economy: Carder Boards. Easy to use!

Credit Card Data For Sale

Corporate Account Takeover (CATO): organizations hit
- Catholic church parish
- Hospice
- Finance company
- Main Street newspaper stand
- Electrical contractor
- Utility company
- Industry trade association
- Rural hospital
- Mining company
- Credit union
- On and on and on and on...

CATO Lawsuits: UCC
"A payment order received by the [bank] is effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer."

CATO Lawsuits: UCC, Electrical Contractor vs. Bank
- > $300,000 stolen via ACH through CATO
- Internet banking site was down (DoS?)
- Contractor asserting the bank processed a bogus ACH file without any call-back

CATO Lawsuits: UCC, Escrow Company vs. Bank
- > $400,000 stolen via a single wire through CATO
- CE passed on the dual control offered by the bank
- Court ruled in favor of the bank
- The company's attorneys failed to demonstrate that the bank's procedures were not commercially reasonable

Case Study: "Please wire $... to..." (CEO asks the CFO)
Common mistakes:
1. Use of private email
2. Don't tell anyone
http://www.csoonline.com/article/2884339/malware-cybercrime/omahas-scoular-co-loses-17-million-after-spearphishing-attack.html

CATO Defensive Measures
- Multi-layer authentication
- Multi-factor authentication
- Out-of-band authentication
- Positive pay
- ACH block and filter
- IP address filtering
- Dual control
- Defined processes for payments
- Activity monitoring
- Manual vs. automated controls
- Combination of preventative and detective controls
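To show how several of these measures combine into one release decision for a business member's payment order, here is an added example (not CliftonLarsonAllen's code) of a policy gate that applies IP address filtering, the ACH block/filter, dual control, out-of-band authentication and activity monitoring; every field name, threshold, address and counterparty is a constructed assumption.

```python
"""Policy gate for a business member's online payment order, applying several
of the CATO defensive measures above: IP address filtering, ACH block/filter,
dual control, out-of-band authentication and activity monitoring. Added
example, not CliftonLarsonAllen's code; every field, threshold and sample value
is a constructed assumption."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class MemberProfile:
    """Controls the business member has enrolled in (constructed)."""
    allowed_networks: list                  # IP address filtering
    ach_allowlist: Set[str]                 # ACH filter: approved counterparties
    dual_control_threshold: float           # at/above: a second person must approve
    oob_threshold: float                    # at/above: out-of-band call-back required
    typical_daily_total: float              # baseline for activity monitoring
    history: List[Tuple[datetime, float]] = field(default_factory=list)


@dataclass
class PaymentOrder:
    kind: str                   # "ach" or "wire"
    amount: float
    counterparty: str
    initiator: str
    approver: Optional[str]
    source_ip: str
    oob_confirmed: bool         # call-back to a registered phone completed?
    submitted_at: datetime


def evaluate_order(order: PaymentOrder, profile: MemberProfile) -> List[str]:
    """Return the control failures for this order; an empty list means release."""
    findings: List[str] = []
    # IP address filtering: orders may only originate from registered networks.
    src = ip_address(order.source_ip)
    if not any(src in net for net in profile.allowed_networks):
        findings.append("source IP outside the member's registered networks")
    # ACH block and filter: ACH credits only to pre-approved counterparties.
    if order.kind == "ach" and order.counterparty not in profile.ach_allowlist:
        findings.append("ACH counterparty not on the member's filter list")
    # Dual control: a different person must approve orders at/above the threshold.
    if order.amount >= profile.dual_control_threshold:
        if order.approver is None:
            findings.append("dual control required but no approver recorded")
        elif order.approver == order.initiator:
            findings.append("dual control violated: initiator approved own order")
    # Out-of-band authentication: a browser session alone cannot release large orders.
    if order.amount >= profile.oob_threshold and not order.oob_confirmed:
        findings.append("out-of-band confirmation missing")
    # Activity monitoring: trailing 24h total against the member's baseline.
    since = order.submitted_at - timedelta(days=1)
    total = order.amount + sum(a for t, a in profile.history if t > since)
    if total > 2 * profile.typical_daily_total:
        findings.append("velocity: 24h total exceeds twice the typical daily volume")
    return findings


# Constructed sample member (TEST-NET addresses, fictitious counterparties).
PROFILE = MemberProfile(
    allowed_networks=[ip_network("203.0.113.0/24")],
    ach_allowlist={"ACME Supply Co", "Payroll Processor LLC"},
    dual_control_threshold=10_000.0,
    oob_threshold=50_000.0,
    typical_daily_total=25_000.0,
    history=[(datetime(2015, 6, 8, 9, 0), 8_000.0)],
)


def demo() -> Tuple[List[str], List[str]]:
    """A routine payroll credit vs. a bogus ACH file pushed from an unknown IP."""
    routine = PaymentOrder("ach", 8_500.0, "Payroll Processor LLC", "alice", None,
                           "203.0.113.20", False, datetime(2015, 6, 8, 14, 0))
    bogus = PaymentOrder("ach", 120_000.0, "Mule Account 7", "alice", "alice",
                         "198.51.100.9", False, datetime(2015, 6, 8, 14, 5))
    return evaluate_order(routine, PROFILE), evaluate_order(bogus, PROFILE)
```

The bogus order in `demo()` mirrors the electrical contractor case above: a file pushed from an unregistered address with no call-back fails every layer, so a single compromised browser session is not enough to move the money.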

Ransomware
- Malware encrypts everything it can interact with, i.e. anything the infected user has access to
- CryptoLocker
- May 20, 2014: ransomware attacks doubled in the last month (7,000 to 15,000) http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker-goes-spearphishing-infections-soar-warns-knowbe4-a-506966.html

Ransomware: Working (tested) backups are key

Ten things that make it easy for hackers
1. Giving users local admin privileges
2. Domain Admins don't have a separate user account
3. Domain Admins log into workstations
4. Weak passwords
5. Shared passwords
6. Poor patching
7. Unnecessary ports and services
8. Weak/no encryption
9. Vendor systems
10. Lack of security awareness

Keys to Successful Breaches 2013-2014: https://www2.trustwave.com/gsr2014

Keys to Successful Breaches: reliance/dependence on 3rd-party service providers is at the root of most breaches

How do hackers and fraudsters break in?
"Amateurs hack systems, professionals hack people." (Bruce Schneier)
Social engineering relies on the following:
- The appearance of authority
- People want to avoid inconvenience
- Timing, timing, timing

Pre-text Phone Calls
"Hi, this is Randy from Fiserv user support. I am working with Dave, and I need your help..."
- Name dropping
- Establish a rapport
- Ask for help
- Inject some techno-babble
- Think telemarketer's script
- Home Equity Line of Credit (HELOC) fraud calls
- Ongoing high-profile ACH frauds

Email Attacks: Spoofing and Phishing
Impersonate someone in authority and:
- Ask them to visit a web site
- Ask them to open an attachment or run an update
Examples:
- Better Business Bureau complaint: http://www.millersmiles.co.uk/email/visa-usa-better-business-bureau-call-for-action-visa
- Microsoft Security Patch Download

Email Phishing: Targeted Attack

Physical (Facility) Security
Compromise the site: "Hi, Joe said he would let you know I was coming to fix the printers."
Plant devices:
- Keystroke loggers
- Wireless access point
- Thumb drives ("Switch Blade")
Examples:
- Sumitomo Bank (2005), over $500M: http://www.networkworld.com/news/2009/012209-clerical-error-foiled-sumitomo-bank.html
- Barclays Bank (December 2013), $1.30M lost: http://www.telegraph.co.uk/news/uknews/crime/10322536/barclays-hacking-attack-gang-stole-1.3-million-police-say.html

Strategies to Combat Social Engineering
- (Ongoing) user awareness training
- SANS First Five, the layers behind the people:
  1. Secure/standard configurations (hardening)
  2. Critical patches: operating systems
  3. Critical patches: applications
  4. Application whitelisting
  5. Minimized user access rights (no browsing/email with admin rights)
- Logging, monitoring, and alerting capabilities
- The 3 R's: Recognize, React, Respond (more on this at the end)

FFIEC Executive Leadership Cybersecurity Webinar

Cybersecurity Leadership, FFIEC: https://www.fdic.gov/news/news/financial/2014/fil14021.html


May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar
Importance of identifying emerging cyber threats and the need for Board/C-suite involvement, including:
- Setting the tone at the top and building a security culture
- Identifying, measuring, mitigating, and monitoring risks
- Developing risk management processes commensurate with the risks and complexity of the institutions
- Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
- Creating a governance process to ensure ongoing awareness and accountability
- Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks


Cybersecurity Assessments, July-August 2014

Current FFIEC IT Examination Process
Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions. Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov/) and supplemented by periodic agency guidance. IT examinations review the financial institution's Information Security Program (ISP).

New/Added FFIEC Cybersecurity Assessments
In the summer of 2014, the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new cybersecurity assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks.
- Integrated into the regular IT examination process
- Cyber risk management and oversight
- Cybersecurity controls
- External dependency management
- Threat intelligence and collaboration
- Cyber resilience
- Launched a cybercrime website: https://www.ffiec.gov/cybersecurity.htm

Recent Examiner Supplemental Cyber Security Request List


FFIEC Cybersecurity Assessment Tool (CAT), released in June 2015
The National Credit Union Administration intends to incorporate the Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment Tool into its examinations, starting in June 2016. http://news.cuna.org/articles/107023-ncua-outlines-examiner-training-for-cyber-assessment-tool

FFIEC Cybersecurity Assessment Tool (CAT): Inherent Risk Profile
Cybersecurity inherent risk is the level of risk posed to the institution by the following:
1. Technologies and connection types
2. Delivery channels
3. Online/mobile products and technology services
4. Organizational characteristics
5. External threats

FFIEC Cybersecurity Assessment Tool (CAT): Cybersecurity Maturity
1. Cyber risk management and oversight
2. Threat intelligence and collaboration
3. Cybersecurity controls
4. External dependency management
5. Cyber incident management and resilience

Key Defensive Strategies

Strategies
Our information security strategy should have the following objectives:
- Users who are more aware and savvy
- Networks that are resistant to malware
- Be prepared: monitoring, incident response, and forensic capabilities

Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles (minimum access)
3. Hardened internal systems and end points
4. Encryption strategy (data-centered)
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know / use online banking tools
10. Assess and test: independent validation that it works

Verizon Report
The Verizon report is an analysis of intrusions investigated by Verizon and the US Secret Service. Key points:
- Time from successful intrusion to compromise of data was days to weeks.
- Log files contained evidence of the intrusion attempt, success, and removal of data.
- Most successful intrusions were not considered highly difficult.

Centralized Logging, Analysis, and Alerting
Centralized audit logging, analysis, and automated alerting capabilities (SIEM) covering:
- Firewalls
- Security appliances
- Routing infrastructure
- Network authentication
- Servers
- Applications
*** Archiving vs. reviewing
Know your: network, systems, DATA
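The Verizon finding above (the logs already held the evidence) and the breach timeline earlier (compromised vendor remote access, missed AV/IDS warnings, data removal) are the case for reviewing rather than archiving. As an added example that is not CliftonLarsonAllen's code, the correlation below runs three SIEM-style rules over a constructed feed of VPN, IDS, AV and firewall lines; the line layout, field names, thresholds, hosts and addresses are all assumptions made for the illustration.

```python
"""SIEM-style correlation over a constructed log feed (firewall, IDS, AV and
VPN authentication), turning the "missed AV/IDS warnings" and "compromised
vendor remote access" steps of the breach timeline into alerts. Added example,
not CliftonLarsonAllen's code; the log format, field names, thresholds and
sample lines are all constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional

# Assumed line layout: <ISO timestamp> <source> key=value ... (values may be quoted).
LINE_RE = re.compile(r'^(\S+) (\S+) (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

BUSINESS_HOURS = range(7, 19)            # 07:00-18:59 local
EXFIL_BYTES = 100 * 1024 * 1024          # outbound transfer size worth a look
WINDOW = timedelta(hours=1)              # warning-to-transfer correlation window

# Constructed sample feed (TEST-NET addresses; not a real incident).
SAMPLE_LOGS = """\
2014-11-03T02:11:07 vpn host=vpn1 user=vendor-hvac action=login result=success src=198.51.100.23
2014-11-03T02:13:40 ids host=srv-pos sig="Suspicious SMB lateral movement" severity=high
2014-11-03T02:14:02 av host=srv-pos event=quarantine-failed file=ramscraper.exe
2014-11-03T02:20:15 fw host=srv-pos action=allow dir=out dst=203.0.113.77 bytes=734003200
2014-11-03T09:05:11 vpn host=vpn1 user=jsmith action=login result=success src=192.0.2.10
2014-11-03T09:30:00 fw host=ws-042 action=allow dir=out dst=192.0.2.50 bytes=120000
"""


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Turn one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, source, rest = m.groups()
    fields: Dict[str, Any] = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    fields["source"] = source
    return fields


def analyze(text: str) -> List[Dict[str, Any]]:
    """Apply three rules to the feed and return alerts in the order raised."""
    alerts: List[Dict[str, Any]] = []
    warnings: Dict[str, list] = defaultdict(list)   # host -> unresolved AV/IDS warnings
    for e in filter(None, (parse_line(line) for line in text.splitlines())):
        src, host = e["source"], e.get("host", "?")
        # Rule 1: vendor remote-access login outside business hours.
        if (src == "vpn" and e.get("result") == "success"
                and str(e.get("user", "")).startswith("vendor-")
                and e["ts"].hour not in BUSINESS_HOURS):
            alerts.append({"severity": "high", "host": host, "evidence": [e],
                           "rule": "vendor remote access outside business hours"})
        # Rule 2: remember high-severity IDS hits and failed AV quarantines per host.
        if ((src == "ids" and e.get("severity") == "high")
                or (src == "av" and e.get("event") == "quarantine-failed")):
            warnings[host].append(e)
        # Rule 3: large outbound transfer; critical if the host had a recent warning.
        if src == "fw" and e.get("dir") == "out" and int(e.get("bytes", 0)) >= EXFIL_BYTES:
            prior = [w for w in warnings[host] if timedelta(0) <= e["ts"] - w["ts"] <= WINDOW]
            if prior:
                alerts.append({"severity": "critical", "host": host, "evidence": prior + [e],
                               "rule": "outbound data transfer after unresolved AV/IDS warning"})
            else:
                alerts.append({"severity": "medium", "host": host, "evidence": [e],
                               "rule": "large outbound transfer"})
    return alerts
```

Each of the three rules needs a different log source, which is the point of centralizing them: the IDS and AV warnings alone are noise a busy administrator will archive, but joined with the firewall's outbound byte count on the same host they are the "removal of data" the Verizon report says was sitting in the logs.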

Call To Action
- Policies to set the foundation
- Train your users
- Thoroughly assess your risks
- Three R's: Recognize, React, Respond
- Thoroughly validate your controls
- High expectations of your vendors
- Penetration testing
- Application testing
- Vulnerability scanning
- Social engineering testing
People, Tools, Rules

Questions?

Randy Romes, CISSP, CRISC, MCP, PCI QSA
Principal, Information Security Services
Randy.romes@cliftonlarsonallen.com
888.529.2648
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen

Resources: Hardening Checklists
- Hardening checklists from vendors
- CIS offers vendor-neutral hardening resources: http://www.cisecurity.org/
- Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true and http://technet.microsoft.com/en-us/library/dd366061.aspx
- Most of these will be from the BIG software and hardware providers

Three Security Reports
- Trends: SANS 2009 Top Cyber Security Threats: http://www.sans.org/top-cyber-security-risks/
- Intrusion analysis: Trustwave (annual): https://www.trustwave.com/whitepapers.php
- Intrusion analysis: Verizon Business Services (annual): http://www.verizonenterprise.com/dbir/

Information Security Program
Includes Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) for the safeguarding of customer information. The Board of Directors will develop an Information Security Program that addresses the requirements of:
- Section 501(b) of the GLBA;
- the Federal Financial Institutions Examination Council's (FFIEC) Interagency Guidelines Establishing Information Security Standards (501[b] Guidelines); and
- agency-specific guidelines (i.e. Appendix B to Part 364 of the FDIC's Rules and Regulations).
The Information Security Program (ISP) is comprised of:
- Risk assessment
- Risk management
- Audit
- Business continuity/disaster recovery/incident response
- Vendor management
- Board and committee oversight

Information Security Program: Risk Assessment and Risk Management
Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact the confidentiality and integrity of data and/or the availability of systems. Risk is determined based on the likelihood of a given threat source's ability to exercise a particular potential vulnerability, and the resulting impact of that adverse event on the organization. The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical, and physical controls to reduce or eliminate the impact of the threat.

Information Security Program: Audit
ISP-related audits/reviews:
- ISP review / IT general controls review
- External/internal vulnerability and penetration assessments
- Social engineering assessments
- E-banking reviews
- ACH audit
- Wire transfer audit
- Remote/mobile deposit capture audit
- Audit/exam recommendation tracking and reporting

Information Security Program: Business Continuity / Disaster Recovery / Incident Response
Business continuity/disaster recovery plan:
- Annual testing of critical systems
- Annual employee tabletop/scenario testing
- Board reporting
Incident response plan:
- Compromise of customer information
- Annual testing
- FS-ISAC, FBI InfraGard
- Cybersecurity examinations?

Information Security Program: Vendor Management
- Vendor management policy
- Vendor risk assessment: access to customer information, criticality to bank operations, ease of replacement
- New vendor due diligence and annual reviews
- Continuous monitoring

FFIEC Cybersecurity Assessments: FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
All FIs AND their critical technology service providers must have appropriate threat identification, information sharing, and response procedures.
Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC):
- Improved identification and mitigation of attacks
- Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
- Sharing information to help other FIs

FFIEC Cybersecurity Assessments: FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14), continued
FI management should:
- Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
- Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
Sources:
- FS-ISAC: www.fsisac.com
- FBI InfraGard: www.infragard.org
- U.S. Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
- U.S. Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml

FFIEC Cybersecurity Assessments: General Observations, Cybersecurity Inherent Risk
Management must understand the FI's INHERENT RISK when assessing cybersecurity preparedness.
Connection types: identify and assess the threats to all access points to the internal network:
- VPN
- Wireless
- Remote access protocols: RDP/Telnet/FTP
- Vendor LAN/WAN access
- BYOD

FFIEC Cybersecurity Assessments: General Observations, Cybersecurity Inherent Risk (cont.)
Products and services: identify and assess threats to all products and services currently offered and planned:
- Online ACH and wire transfer origination
- External funds transfers (A2A, P2P, bill pay)

FFIEC Cybersecurity Assessments: General Observations, Cybersecurity Inherent Risk (cont.)
Technologies used: identify and assess threats to all technologies currently used and planned:
- Core systems
- ATMs
- Internet and mobile applications
- Cloud computing

FFIEC Cybersecurity Assessments: General Observations, Cybersecurity Preparedness
Current cybersecurity practices and overall preparedness should include:
Cybersecurity controls: preventive, detective, or corrective procedures for mitigating identified cybersecurity threats
- Patching, encryption, limited user access
- Intrusion detection/prevention systems, firewall alerts
- Formal audit program with scope and schedule based on an asset's inherent risk, prompt and documented remediation of findings, regular activity report reviews

FFIEC Cybersecurity Assessments: General Observations, Cybersecurity Preparedness (cont.)
Cyber incident management and resilience: incident detection, response, mitigation, escalation, reporting, and resilience
- Formal incident response programs, including regulatory and customer notification guidelines and procedures
- Senior management and board incident reporting

FFIEC Cybersecurity Assessments: Implications?
- Increased Board and C-suite involvement
- Participation in information sharing group(s)
- Cybersecurity scenario testing with employees and management
- Increased oversight of third-party service providers
- Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings

FFIEC Cybersecurity Assessment Tool (CAT), Domain 1: Risk Management & Oversight
Governance:
- Oversight
- Strategies & policies
- IT asset management

FFIEC Cybersecurity Assessment Tool (CAT), Domain 1: Risk Management & Oversight
Risk management:
- Risk management program
- Risk assessment
- Audit

FFIEC Cybersecurity Assessment Tool (CAT), Domain 1: Risk Management & Oversight
Resources:
- Staffing
- Training & culture

FFIEC Cybersecurity Assessment Tool (CAT), Domain 2: Threat Intelligence & Collaboration
- Threat intelligence & information
- Monitoring & analyzing
- Information sharing

FFIEC Cybersecurity Assessment Tool (CAT), Domain 3: Cybersecurity Controls
Preventative controls:
- Infrastructure management
- Access and data management
- Device/end point security
- Secure coding

FFIEC Cybersecurity Assessment Tool (CAT), Domain 3: Cybersecurity Controls
Detective controls:
- Threat & vulnerability detection
- Anomalous activity detection
- Event detection

FFIEC Cybersecurity Assessment Tool (CAT), Domain 3: Cybersecurity Controls
Corrective controls:
- Patch management
- Remediation

FFIEC Cybersecurity Assessment Tool (CAT), Domain 4: External Dependency Management
- Connections
- Relationship management: due diligence, contracts, ongoing monitoring

FFIEC Cybersecurity Assessment Tool (CAT), Domain 5: Cyber Incident Management & Resilience
Incident resilience planning & strategy:
- Planning
- Testing
Detection, response, & mitigation
Escalation & reporting