IBM MSS INDUSTRY OVERVIEW: FINANCIAL
RESEARCH AND INTELLIGENCE REPORT
RELEASE DATE: NOVEMBER 5, 2014
BY: JOHN KUHN, SENIOR THREAT RESEARCHER
TABLE OF CONTENTS

EXECUTIVE OVERVIEW
MAJOR FINANCIAL DATA BREACHES
METHODS OF FINANCIAL DATA LOSS
METHODS OF ATTACK
    HEARTBLEED
    MALWARE
    POPULAR BANKING TROJANS
    WEB APPLICATION ATTACKS
    MALICIOUS WEBSITES & SPEAR PHISHING
    DEFAULT PASSWORDS
RECOMMENDATIONS/MITIGATION TECHNIQUES
CONTRIBUTORS
REFERENCES
DISCLAIMER
EXECUTIVE OVERVIEW

"Why do bank robbers rob banks? Well, that's where the money is." --Willie Sutton

While the origin of this quote is up for debate, the message is not, especially in today's connected world. Criminals have been targeting financial institutions since the first bank opened; it is simply the quickest route to the money. In more recent years, though, the risk-to-reward ratio of physical bank robbery has become much less appealing as security measures have increased considerably. What's a criminal entrepreneur to do? Not enter the bank, of course.

Cyber attacks targeting financial institutions are becoming increasingly effective. Not only is there a larger attack surface across all the interconnected systems, but criminals can also attack the customers of the bank. ATMs, online banking, payment systems, and retail Point-of-Sale (POS) systems are all points of potential weakness in the long chain of money transfer. Criminals are targeting you, the customer, and your money. Hence, modern banks not only have to protect their own infrastructure; they also have an obligation to monitor and protect the finances and identities of millions of people globally. This report takes a close look at financial data breaches, popular banking Trojans, and other methods of attack gleaned from IBM MSS worldwide event data.

MAJOR FINANCIAL DATA BREACHES

According to the Privacy Rights Clearinghouse, nearly 460 million financial records have been leaked, lost, or stolen in the United States. While this may seem like an incredibly high number, the majority of it falls on two major data breaches. Court Ventures tops the charts as one of the largest data leaks to date, with a reported 200,000,000 records stolen, which contributed greatly to the spike in the fall of 2013 observed in Figure 1 below. Although this is recorded as "unintended disclosure", it also has an element of insider threat. Through a very tangled web of data sharing, the criminal was able to gain access to the records through Court Ventures, which also had a partnership with US Info Search. The criminal posed as a private investigator from Singapore and gained access to all the records needed. The intent was to resell this data on the underground market for the purpose of identity theft. Criminals used the information to open new credit lines and loans, and in other ways to put cash in their pockets. This data breach emphasizes the need to focus on the "money trail", which is often hard to monitor because of the constant acquisitions that are common in the financial industry. Even the most rigorous auditing can leave gaps in security practices and compliance.
Figure 1. Timeline of number of financial records lost in the United States since 2005. [i]

The second major financial security breach reported in recent years targeted Heartland Payment Systems. Albert Gonzalez is now serving a 20-year sentence for hacking this company, where a reported 130 million credit card numbers were stolen. He formerly belonged to "Shadowcrew", an international group of hackers with strong ties to Eastern Europe. Areas such as Odessa, Ukraine are a hotbed of fraudulent credit card activity. SQL injection was used to gain access to the payment systems network and install a RAT (Remote Administration Tool) to penetrate further and exfiltrate the targeted data. This technique is one of the leading causes of data loss across all top industries. It is an incredibly versatile attack and often goes undetected without proper mechanisms in place, such as an IDS or SQL monitoring software. The IBM MSS Threat Research Group has published papers on the subject that outline how attacks like this are carried out and how to protect against them.

METHODS OF FINANCIAL DATA LOSS

Mining the public records of data loss reveals key insights into how exactly financial institutions are leaking customer data. There are many different ways that data is lost or stolen, as indicated in Figure 2 below. In the data breach examples above, the methods used varied, yet both were extremely successful attacks.
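The Heartland chain above started with SQL injection, and the paragraph notes that it usually goes unnoticed without an IDS or SQL monitoring in place. The following is an added example written for this edit, not code from IBM or from the report: it puts the vulnerable string-built query next to its parameterized form against a constructed SQLite account table, then runs a few constructed Apache-style access-log lines through the kind of pattern rules an IDS or SIEM uses to flag injection attempts. The table contents, the log lines, the rule names and the `cards` table named in the injected request are all made up for the demonstration.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db() -> sqlite3.Connection:
    """Constructed sample account table; the values are not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO accounts (username, card_last4) VALUES (?, ?)",
                     [("alice", "4242"), ("bob", "1881"), ("carol", "0005")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    """The flaw behind a Heartland-style intrusion: untrusted input pasted into
    the statement, so a value like  x' OR '1'='1  rewrites the WHERE clause."""
    sql = "SELECT username, card_last4 FROM accounts WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str):
    """Hardened form: the value is bound as a parameter, so quotes inside it
    stay data and can never become SQL syntax."""
    return conn.execute("SELECT username, card_last4 FROM accounts WHERE username = ?",
                        (username,)).fetchall()


# --- detection side: the shape of rule an IDS or SIEM applies to web server logs ---

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)')

SQLI_RULES = {
    "tautology":     re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),     # ' OR '1'='1
    "union_select":  re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),   # ' UNION SELECT ...
    "stacked_query": re.compile(r";\s*(?:drop|insert|update|delete|exec)\b", re.I),
    "quote_comment": re.compile(r"'\s*(?:--|#|/\*)"),                       # close the string, comment out the rest
}

# Constructed Apache-style access log lines (hypothetical hosts and paths).
SAMPLE_LOG = """\
10.0.0.7 - - [05/Nov/2014:09:12:01 +0000] "GET /account?user=alice HTTP/1.1" 200 512
10.0.0.9 - - [05/Nov/2014:09:12:05 +0000] "GET /account?user=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 9031
10.0.0.9 - - [05/Nov/2014:09:12:09 +0000] "GET /account?user=x%27+UNION+SELECT+card_number%2C1+FROM+cards-- HTTP/1.1" 500 311
10.0.0.12 - - [05/Nov/2014:09:13:40 +0000] "GET /search?q=O%27Brien HTTP/1.1" 200 740
"""


def scan_access_log(log_text: str):
    """URL-decode each request target and report the lines matching any rule.
    Returns a list of (client_ip, decoded_target, [matched rule names])."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = unquote_plus(m.group("target"))   # decode first, as the application would
        matched = [name for name, rx in SQLI_RULES.items() if rx.search(target)]
        if matched:
            hits.append((m.group("ip"), target, matched))
    return hits


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))       # every account row
    print("parameterized:", lookup_parameterized(db, probe))  # no rows
    for ip, target, rules in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {ip} {rules} {target}")
```

Running the block shows the tautology input returning every account from the vulnerable lookup and nothing from the parameterized one, and the scanner flagging both 10.0.0.9 requests while leaving the legitimate `O'Brien` search alone. Decoding the URL before matching matters: the same rules applied to the raw `%27` form would miss both. Signature rules of this kind catch the common shapes and are easy to evade with encoding or comment tricks, which is why parameterized queries, not detection, are the primary control.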
Figure 2. Breakdown of number of financial records lost and method of loss in the United States since 2005. [ii]

As shown in Figure 3 below, the majority of the losses are the result of organizations disclosing information unintentionally. However, many states are still struggling to fight the cyber threat aspect of the attacks.

Figure 3. Number of records lost by state since 2005 and type of attack. [iii]
METHODS OF ATTACK

Managed Security Services has a wealth of information from our worldwide sensor network showing how attacks against any organization are carried out. Let's take a look at the financial industry specifically.

Figure 4. The majority of attacks seen against the financial industry via IDS signatures in 2014. [iv]

HEARTBLEED

Thankfully, Heartbleed did not create enough volume to make our top attacks chart; however, it was the most significant attack we witnessed against the financial industry in 2014. Banking systems rely on encryption protocols and often use OpenSSL to secure customer data. The stealthy nature of this attack and the abundance of tools to exploit it made it a low-cost, high-return investment for the attacker. Most of the world's systems vulnerable to the attack have since been patched; however, it is critical that your entire network is patched. Because a successful heartbeat read leaves nothing in server logs, patching alone is not enough: private keys, session cookies and passwords that may have sat in the memory of a vulnerable system should be treated as exposed and rotated.

MALWARE

Malware, targeted attacks, and advanced adversaries, while not specifically shown in our data, pose an incredible threat to the financial sector. As shown in Figure 3, hacking or malware is the second largest method of financial records loss in the United States since 2005. Custom-made malware designed to target and infiltrate specific organizations is on the rise. It is designed to evade all current detection mechanisms and blend in with everyday functionality in an organization. This type of malware could easily be brought in by an advanced adversary with the knowledge and funding to complete their objective: penetration into the network.

Attackers are not only directly targeting the banking systems; there is an entire economy behind banking Trojans. Much of the malware is bought and sold on underground markets and has become incredibly simple to use and set up. Below are some of the most common and popular banking Trojans we see targeting customers' networks.

POPULAR BANKING TROJANS

ZEUS: One of the original Trojans specifically targeting online banking. It has gone through many iterations from the original 1.0, expanding its capability in version 2.0. This is a "full service" Trojan: it includes not only the malware itself but also toolkits that allow for customization and building, including software to control the malware. On top of these "features", Zeus often comes with tools to host your own malicious website to lure victims into your control. The Zeus source code was leaked in 2011 and has become the basis of many more modern variants, such as Gameover Zeus. This variant uses P2P to diversify its command and control, along with many new tricks to maintain control of infected machines.

CITADEL: Citadel is arguably based on Zeus source code and techniques; however, it adds even more capability to the mix. It can use AES encryption not only on its configuration file but on its command and control traffic as well. It also uses a very clever way of hooking into web browsers in order to inject content designed to mimic your online bank or steal the credentials entered into it. To further the infection, it has a built-in keystroke logger as well as an email and FTP login credential stealer. It is incredibly versatile and can add further modules, such as a video capture service that records your screen and sends the recording to the attacker's command and control.

CARBERP: This Trojan has its roots in more traditional capability. It was designed to remotely steal users' sensitive data. One of its more advanced features is rootkit capability that allows the Trojan to remain deep in the infected machine and evade detection. This malware also comes with a slew of plugins that extend its capability, including removal of AV and of competing infections such as Zeus. With strong encryption and bundling with the Blackhole exploit kit, infections of this Trojan expanded rapidly. Its capabilities include capturing banking credentials and ransomware-type scams.

WEB APPLICATION ATTACKS

Web applications are a prime target via command and SQL injection against public and non-public facing sites. The softest target in any organization will always be its web sites and SQL databases. While much of the banking industry uses rigorous vulnerability scanning and penetration testing, holes can often still remain. Techniques and tools appear as rapidly as the vulnerabilities they exploit.

MALICIOUS WEBSITES & SPEAR PHISHING

Malicious websites are used by attackers as a method to gain internal access to critical systems. They are a concern for all industries, as they allow attackers to penetrate networks and potentially evade the perimeter defenses of an organization. Sophisticated spear phishing is often used to target personnel inside the network, specifically in the area the attacker wants to obtain data from. These attacks often use malicious PDFs with payloads that contain malware or send the victim to a malicious website. RATs are typically the payload, giving the attacker full control of the victim's system, including access to the webcam and microphone. Penetration into connected systems follows, along with burying more malware to keep a persistent foothold within the network.

DEFAULT PASSWORDS

One alarming statistic from our data is that many organizations are using default passwords on systems such as their MySQL databases. It is imperative for organizations to thoroughly audit all of their connected devices and take the steps to configure them properly. Password rotation is absolutely critical to maintaining reliable security at the most basic level. Once attackers penetrate a network, they often work from a static list of credentials pulled at the time of penetration. Rotating these passwords can help stop further infiltration or, at the very least, slow the attacker.

RECOMMENDATIONS/MITIGATION TECHNIQUES

This is an area where security intelligence is a must. It is critical that organizations understand the adversaries they face every day, from what their capabilities and motivations are to where they attack from. Having this knowledge can help financial companies keep one step ahead of criminals and bolster internal and external detection and protection mechanisms.
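Heartbleed, discussed under Methods of Attack, comes down to a single missing bounds check in OpenSSL's TLS heartbeat handling: the server trusted the payload_length field sent by the peer and copied that many bytes back, reading past the request into adjacent memory. The following is an added example written for this edit, not IBM's code and not OpenSSL's: it builds heartbeat records in the RFC 6520 layout, models the unpatched response logic beside the check that the OpenSSL 1.0.1g fix added, and uses a constructed byte string as a stand-in for the neighbouring heap contents. The record builder, the memory stand-in and the function names are assumptions of the model; the real bug copied from a C buffer, which this Python reproduces in effect rather than byte for byte.

```python
import struct

# TLS record layout (RFC 5246): content type (1), version (2), length (2), fragment.
# Heartbeat message layout (RFC 6520): type (1), payload_length (2), payload, padding (>= 16).
HEARTBEAT_CONTENT_TYPE = 0x18
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_MIN = 16

# Constructed stand-in for whatever happened to sit next to the request on the
# server's heap: a session cookie and a credential fragment (not real data).
ADJACENT_MEMORY = b"...Cookie: session=9f1c2a7e; user=alice&pass=hunter2..."


def build_heartbeat_record(claimed_len: int, payload: bytes, version: int = 0x0302) -> bytes:
    """Build a heartbeat request record. `claimed_len` is what the peer writes
    into payload_length; an attacker need not make it match len(payload)."""
    fragment = (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_len)
                + payload + b"\x00" * PADDING_MIN)
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, version, len(fragment)) + fragment


def parse_tls_record(data: bytes):
    """Return (content_type, version, fragment). The outer record length is
    checked against the bytes actually received; the inner one was not."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record length exceeds bytes on the wire")
    return content_type, version, fragment


def heartbeat_response_vulnerable(fragment: bytes, adjacent: bytes) -> bytes:
    """Model of the unpatched OpenSSL 1.0.1 logic: trust the peer's
    payload_length and copy that many bytes from the start of the payload,
    running off the end of the request into neighbouring memory (`adjacent`).
    The stand-in is shorter than a real 16 KiB read, so the copy stops there."""
    payload_length = struct.unpack("!H", fragment[1:3])[0]
    heap_view = fragment[3:] + adjacent   # request payload followed by what lies beyond it
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_length)
            + heap_view[:payload_length] + b"\x00" * PADDING_MIN)


def heartbeat_response_fixed(fragment: bytes, adjacent: bytes):
    """The 1.0.1g fix, which is also what RFC 6520 requires: if type + length
    + payload + minimum padding does not fit inside the record, discard it."""
    if len(fragment) < 1 + 2 + PADDING_MIN:
        return None
    payload_length = struct.unpack("!H", fragment[1:3])[0]
    if 1 + 2 + payload_length + PADDING_MIN > len(fragment):
        return None                       # silently dropped; `adjacent` is never touched
    payload = fragment[3:3 + payload_length]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_length)
            + payload + b"\x00" * PADDING_MIN)


def leaked_bytes(response, adjacent: bytes) -> bool:
    """True if the response carries any of the neighbouring memory."""
    return response is not None and adjacent in response


if __name__ == "__main__":
    honest = build_heartbeat_record(4, b"ping")
    malicious = build_heartbeat_record(0x4000, b"")   # claims 16 KiB of payload, sends none
    for name, rec in (("honest", honest), ("malicious", malicious)):
        _, _, frag = parse_tls_record(rec)
        vuln = heartbeat_response_vulnerable(frag, ADJACENT_MEMORY)
        fixed = heartbeat_response_fixed(frag, ADJACENT_MEMORY)
        print(f"{name}: vulnerable leaks={leaked_bytes(vuln, ADJACENT_MEMORY)}, "
              f"fixed={'discarded' if fixed is None else 'answered'}")
```

The honest request is echoed by both versions; the request claiming 0x4000 bytes of payload while carrying none is answered by the vulnerable model with the neighbouring memory and silently dropped by the fixed one. That same length mismatch is what the common Heartbleed scanners send after a ClientHello to decide whether a host is patched, so a heartbeat response longer than the request is the signal to look for when checking your own estate.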
The data breach incidents highlighted in this report are just two of hundreds that have affected the financial industry in the last several years. Lessons learned from these incidents are applicable to the entire industry.

First, the insider threat is a legitimate concern facing organizations today. It is important to monitor employee activity in order to identify misuse. Limit unauthorized access by disabling default user names and passwords. Require unique IDs and passwords and preferably implement two-factor authentication. Critical systems should be contained in their own segment within an organization's network and closely monitored for suspicious activity.

The second data breach and our attack data provide another lesson learned: SQL injection is one of the largest concerns facing not only the financial industry but all industries. Vulnerability scanning and penetration testing are key to mitigating this threat. IBM has a very reliable and robust set of rules within its SIEM environment allowing nearly 100% accuracy in SQL injection detection. More SQL injection recommendations can be obtained from our report "SQL Injection Input Validation", located on the MSS Threat Research Papers web site (see references).

Heartbleed is an example of a threat where timely deployment of routine validated security patches goes a long way toward limiting the pervasiveness of a particular threat.

Malware, including Trojans specifically targeting banks, also continues to pose a significant threat to the financial industry. Use anti-virus and other host-based protections as suitable. Disable unneeded services and ports.

Unintended disclosure is the largest method of data loss for the financial industry in the United States. It is important for organizations to update cyber incident response policies and facility crisis management plans to incorporate cyber security scenarios. Providing training on these policies is also a critical step toward educating employees on how to prevent the disclosure of financial data.

CONTRIBUTORS

Michelle Alvarez - Researcher/Editor, Threat Research Group
Nick Bradley - Practice Lead, Threat Research Group

REFERENCES

http://www.bankinfosecurity.com/
http://privacyrights.org/data-breach
https://portal.sec.ibm.com/mss/html/en_us/support_resources/threat_papers.html

DISCLAIMER

This document is intended to inform clients of IBM Security Services of a threat or discovery by IBM Managed Security Services and measures undertaken or suggested by IBM Security Service Teams to remediate the threat. The data contained herein describing tactics, techniques and procedures is classified Confidential for the benefit of IBM MSS clients only. This information is provided AS IS, and without warranty of any kind.

[i] Chronology of Data Breaches, Security Breaches 2005-Present, Privacy Rights Clearinghouse.
[ii] Chronology of Data Breaches, Security Breaches 2005-Present, Privacy Rights Clearinghouse.
[iii] Chronology of Data Breaches, Security Breaches 2005-Present, Privacy Rights Clearinghouse.
[iv] 2014 IDS Data, IBM Managed Security Services.