Cyber Security 2014 SECURE BANKING SOLUTIONS, LLC

Cyber Security. Presented by Chad Knutson, Secure Banking Solutions, 2014.

Presenter: Chad Knutson, Senior Information Security Consultant. Masters in Information Assurance. CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor), CRISC (Certified in Risk and Information Systems Control). www.protectmybank.com, chad.knutson@protectmybank.com, Cell: (605) 480-3366

My Experience
Information Security Program design and implementation
IT risk assessment
Penetration testing
Vulnerability assessments
Awareness programs
Vendor management
Business continuity
Technology selection
Security consulting
IT audit: ISP audit, ATM audit, controls audit, wire transfer audit, SOX audit, Internet banking audit

NSA Designated School: DSU (Dakota State University, www.dsu.edu) is designated by the National Security Agency and the Department of Homeland Security as a national center of excellence, and is the only one focused on the security of banks.

Growth in Banking
New products/services: Mobile, Cash Management, Consumer Capture, Online Account Opening, Interactive Teller Machines, P2P Payment Systems
Bank cybercrime is increasing: Organized Crime, Advanced Persistent Threats, Third Party, Customer

Cyber Security Agenda
Data Breach Epidemic
Hacking Made Easy
Phishing with Malware
Risk Assessment
Commercial Customer Fraud
DDOS = Fraud
ATM Fraud
Continual Improvement (What you can do): Audit, Policy (ISP)

Data Breaches 2014 (only a few months' worth; there are many more)
JP Morgan: gigabytes of data compromised, including customer account data, from June to mid-August, by exploiting an overlooked flaw in one of the bank's websites, which led to infections on 90 servers. Possibly 1M accounts breached.
UPS: malware on its in-store cash register systems at 51 locations in 24 states from Jan 20 to Aug 11, 2014.
Home Depot: involves nearly all of the company's 2,200 stores across the nation, going back to April. Bigger than Target?
AB Acquisition and SuperValu: affected more than 180 stores in 18 states between June 22 and July 17 (ACME, Shaw's, Albertsons).
DQ (Dairy Queen): initial breach as far back as early June 2014; the same malware that hit Target.

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Verizon 2013 Data Breach Investigations Report (DBIR)
92% of breaches stemmed from external agents
55% involved an organized criminal group
55% utilized some form of hacking
29% utilized some form of social engineering
40% incorporated malware
75% of attacks were opportunistic
97% of breaches were avoidable through simple or intermediate controls (2012 report)
http://www.verizonenterprise.com/dbir/2013/


Hacking Made Easy
Default passwords: http://cirt.net/passwords
Hacking tools: http://sectools.org/
Kali Linux (turnkey attack platform): http://www.kali.org/
Caller ID spoofing: http://www.spooftel.com/freecall/
Social-Engineer Toolkit: http://www.social-engineer.org
Crime as a Service (CaaS)
Exploit sites: http://www.exploit-db.com


Phishing Trend: 91% of APTs (advanced persistent threats) start with a phishing attack.

Phishing Examples: https://www.us-cert.gov/ncas/current-activity/2014/02/26/us-tax-season-phishing-Scams-and-Malware-Campaigns
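As an added example (not code from the deck or from US-CERT), the Python script below runs the checks a practitioner applies when triaging a suspected tax-season lure: a Reply-To domain that differs from the apparent sender, link text that shows one host while the href points at another, punycode (xn--) hostnames that can render as look-alikes, and attachments with executable or double extensions or a Windows PE ("MZ") header regardless of their filename. The two messages, all addresses and all hostnames are constructed for the example; it uses only the standard library.

```python
"""Added example (not the deck's code): heuristic phishing triage over a raw message.
The messages, addresses and hostnames are constructed. Standard library only."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure in the style of the tax-season campaigns in the US-CERT notice.
SAMPLE_EML = """\
From: "IRS Refund Dept" <refunds@irs.gov.example-mail.test>
Reply-To: collect@mailbox.test
Subject: Action required: tax refund of $2,341.00
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your refund is pending. Review it here:
<a href="http://xn--irs-gv.test/refund?id=771">https://www.irs.gov/refunds</a></p>
</body></html>
--B1
Content-Type: application/octet-stream; name="Refund_Form.pdf.exe"
Content-Disposition: attachment; filename="Refund_Form.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--B1--
"""
# Constructed benign message, to show the checks stay quiet on ordinary mail.
CLEAN_EML = "From: ops@examplebank.test\nSubject: Wire approvals\n\nQueued for your approval.\n"
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta", "jar"}
URL_LIKE = re.compile(r"^(https?://|www\.)", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    # Hostname of a URL or URL-looking text; a bare "www." host gets a scheme first.
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _domain(header_value):
    # Domain of the first address in a header; empty string if the header is absent.
    return email.utils.parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def phishing_indicators(raw):
    """Return indicator tags found in a raw RFC 822 message; empty list if none."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    # 1. Reply-To steers replies to a domain other than the apparent sender's.
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        found.append(f"reply-to-mismatch:{from_dom}->{reply_dom}")
    # 2. Link text names one host while the href goes elsewhere; punycode (xn--)
    #    hosts can render as look-alikes of a trusted name.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        ext = LinkExtractor()
        ext.feed(body.get_content())
        for href, text in ext.links:
            target = _host(href)
            if URL_LIKE.match(text) and _host(text) != target:
                found.append(f"link-mismatch:{text}->{target}")
            if any(label.startswith("xn--") for label in target.split(".")):
                found.append(f"punycode-host:{target}")
    # 3. Attachments: executable or double extensions, and PE ("MZ") content
    #    regardless of what the filename claims.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        labels = name.lower().split(".")
        if len(labels) > 2:
            found.append(f"double-extension:{name}")
        if labels[-1] in EXEC_EXT:
            found.append(f"executable-attachment:{name}")
        if (part.get_payload(decode=True) or b"")[:2] == b"MZ":
            found.append(f"pe-header:{name}")
    return found
```

Running `phishing_indicators(SAMPLE_EML)` yields six tags (the Reply-To, link, punycode and three attachment findings) and `phishing_indicators(CLEAN_EML)` yields none. None of these checks is proof on its own; in a mail gateway they are scored and combined with sender-authentication results, and the PE-header check matters because display names and extensions are exactly what the attacker controls.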


Corporate Account Takeover
The FDIC lists this as a top threat: responsible for millions of dollars in losses, frayed business relationships, and litigation affecting both financial institutions and their commercial account holders.
Around 85% of cyber attacks now target small businesses (White House Cybersecurity Coordinator).

2014 Faces of Fraud: http://www.bankinfosecurity.com


DDOS (Distributed Denial of Service). The agenda's point, "DDOS = Fraud": the outage is rarely the goal in itself; it ties up staff and systems while fraudulent transfers are pushed through.

ATM Fraud

"Unlimited Operations" Fraud (FFIEC warning)
An attack of this kind netted more than $40 million using only 12 debit cards.
It often begins with a phishing email sent to bank employees; the attackers seek employee credentials so they can inject malware into the financial institution's systems.
The ultimate target is the web-based ATM control panel, where the cards' withdrawal limits are raised or removed (hence "unlimited operations").
The attack then hits numerous ATMs using stolen debit card data.
Attackers favor weekends and holidays, and ATMs still running Windows XP.

USB Theft
Find a specific model of ATM (also running Windows XP).
Drill a hole in the casing and insert a USB stick or SD card; cover the hole with a sticker or patch.
The drive infects the ATM computer with malware.
Each time, the criminals simply typed a 12-digit code into the ATM to launch a custom interface.
The thief was also required to enter a second code, in response to numbers shown on the ATM's screen, before the cash would be released.
The ATM returned to its regular screen after 3 minutes.
http://www.bbc.com/news/technology-25550512
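The "unlimited operations" cash-out above leaves two traces a bank can watch for in its own data: an out-of-pattern withdrawal-limit change in the card-management system, followed by a burst of withdrawals on one card across many ATMs in a short, off-hours window. As an added example (not from the deck or the FFIEC alert), the Python rules below detect each stage and then correlate them so that a card with both is escalated first. The record layout, the thresholds, the holiday calendar and every record are constructed assumptions; a real feed would come from the authorization switch and the card-management audit log.

```python
"""Added example (not from the deck or the FFIEC alert): detection rules for the
ATM cash-out ("unlimited operations") pattern. Every record, field name, threshold
and the holiday date below is a constructed assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

HOLIDAYS = {datetime(2014, 11, 27).date()}  # constructed holiday calendar

# Constructed withdrawal-limit changes exported from the card-management system.
LIMIT_CHANGES = [
    {"ts": datetime(2014, 11, 28, 23, 50), "card": "card-A",
     "old": 500, "new": 999999, "operator": "jdoe"},
    {"ts": datetime(2014, 11, 24, 10, 15), "card": "card-B",
     "old": 500, "new": 800, "operator": "msmith"},
]
# Constructed ATM authorizations: card-A is hit 8 times across 6 ATMs in the
# early hours of a Saturday; card-B shows ordinary weekday use.
AUTHS = [
    {"ts": datetime(2014, 11, 29, 1, 0) + timedelta(minutes=20 * i),
     "card": "card-A", "atm": f"ATM-{i % 6:02d}", "amount": 2000}
    for i in range(8)
] + [
    {"ts": datetime(2014, 11, 25, 12, 5), "card": "card-B", "atm": "ATM-01", "amount": 100},
    {"ts": datetime(2014, 11, 26, 17, 40), "card": "card-B", "atm": "ATM-02", "amount": 200},
]


def off_hours(ts):
    """Weekend, holiday or outside 08:00-18:00: when staff are least likely to notice."""
    return ts.weekday() >= 5 or ts.date() in HOLIDAYS or not 8 <= ts.hour < 18


def suspicious_limit_changes(changes, max_ratio=4, max_abs=5000):
    """Limit raises that are implausibly large or made off-hours: (card, operator, reasons)."""
    alerts = []
    for c in changes:
        reasons = []
        if c["new"] > max_abs or c["new"] > max_ratio * c["old"]:
            reasons.append(f"limit {c['old']} -> {c['new']}")
        if off_hours(c["ts"]):
            reasons.append("changed off-hours")
        if reasons:
            alerts.append((c["card"], c["operator"], reasons))
    return alerts


def cashout_candidates(auths, window=timedelta(hours=6), min_atms=4, min_total=5000):
    """Per card, the heaviest sliding window that spans many ATMs or a large total."""
    by_card = defaultdict(list)
    for a in sorted(auths, key=lambda a: a["ts"]):
        by_card[a["card"]].append(a)
    alerts = {}
    for card, recs in by_card.items():
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1  # slide the window forward until it fits
            win = recs[start:end + 1]
            atms = {r["atm"] for r in win}
            total = sum(r["amount"] for r in win)
            if (len(atms) >= min_atms or total >= min_total) \
                    and total > alerts.get(card, {}).get("total", 0):
                alerts[card] = {"total": total, "atms": len(atms), "withdrawals": len(win),
                                "first": win[0]["ts"], "last": win[-1]["ts"],
                                "off_hours": off_hours(win[0]["ts"])}
    return alerts


def correlate(changes, auths):
    """Cards where a suspicious limit change precedes a cash-out burst: escalate first."""
    bursts = cashout_candidates(auths)
    flagged = {card for card, _op, _reasons in suspicious_limit_changes(changes)}
    hits = {c["card"] for c in changes
            if c["card"] in flagged and c["card"] in bursts
            and bursts[c["card"]]["first"] >= c["ts"]}
    return sorted(hits)


if __name__ == "__main__":
    for card, op, reasons in suspicious_limit_changes(LIMIT_CHANGES):
        print(f"limit change on {card} by {op}: {', '.join(reasons)}")
    for card, b in cashout_candidates(AUTHS).items():
        print(f"cash-out burst on {card}: {b['withdrawals']} withdrawals at {b['atms']} ATMs, "
              f"${b['total']} between {b['first']} and {b['last']}, off-hours={b['off_hours']}")
    print("escalate:", correlate(LIMIT_CHANGES, AUTHS))
```

On the constructed data the limit change on card-A is flagged twice over (an absurd new limit, made late on a Friday night), the burst detector reports 8 withdrawals at 6 ATMs totalling $16,000 inside a Saturday-morning window, and correlate() returns card-A alone. The limit-change rule is the cheaper and earlier signal: it fires before any cash leaves an ATM, which is why the control-panel audit log deserves the same monitoring as the authorization stream.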

Latest Skimming Techniques
Completely fake ATMs and ATM covers.
Keypad overlays instead of cameras.
Transmission devices: cell phone, Wi-Fi, Bluetooth.
Gluing down the physical Enter, Cancel and Clear keys, which lets the attacker capture the PIN and then retrieve the card.
Card/cash trapping.
http://krebsonsecurity.com/all-about-skimmers/

Continual Improvement: What You Can Do About Cybercrime

Security process (Plan, Do, Check cycle)
Plan: Risk Assessment
Do: Information Security Program (Policy, Plans, Procedures)
Check: Audits

Information Security Program

Bank Education: how to monitor cyber security issues and take action
Conferences and conventions: Technology Conference
Webinars: regular hot topics
Banking schools: Graduate Banking Schools
Information security certifications: Certified Community Banking Security Professional, Certified Community Banking Technology Professional, Certified Community Banking Vendor Manager (http://www.vacb.org/sbs.php)
Third-party audit
Risk assessment
Customer
Policy (ISP)

Questions?
Chad Knutson, Senior Information Security Consultant
chad.knutson@protectmybank.com, Cell: (605) 480-3366
Automated Information Security Suite and Security Services: www.protectmybank.com