CYBERSECURITY HOT TOPICS
Secure Banking Solutions

Presenter
Chad Knutson, VP SBS Institute, Senior Information Security Consultant
Masters in Information Assurance; CISSP, CISA, CRISC
www.protectmybank.com
chad.knutson@protectmybank.com
Cell: (605) 480-3366
Background
- 10 years community bank consulting at SBS
- Experience in Risk Management, ISP Development, and Auditing
- SBS has worked with over 800 banks in 45 states
- Relationship with Dakota State University: NSA & DHS National Center of Excellence in Information Assurance; one of the only universities focusing on community banking security

My Experience
- Information Security Program Design and Implementation
- IT Risk Assessment
- Penetration Testing
- Vulnerability Assessments
- Awareness Programs
- Vendor Management
- Business Continuity
- Technology Selection
- Security Consulting
- IT Audit: ISP audit, Controls audit, Wire transfer audit, Internet banking audit
Cyber Security

Cybersecurity
"America's economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet. Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property. Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas."
- President Obama
National Security Summary
- Cybersecurity Information Sharing Act of 2015: encourage the sharing of data between private companies and the government to prevent and respond to cybersecurity threats; funnel corporate intelligence about cybersecurity threats and breaches through the Department of Homeland Security
- The Personal Data Notification & Protection Act: this proposal clarifies and strengthens the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard. The proposal also criminalizes illicit overseas trade in identities.

Growth in Banking
- New Products/Services: Mobile, Cash Management, Consumer Capture, Online Account Opening, Interactive Teller Machines, P2P Payment Systems
- Cybercrime Increasing: Organized Crime, Advanced Persistent Threats
- Exposure points: Third Party, Bank, Customer
Cyber Security Overview: Community Banking

APT vs Organized Crime
FFIEC Cyber Security
- Main Site: https://www.ffiec.gov/cybersecurity.htm
- Board/Senior Management Video: http://youtu.be/t1zgwkjynxi
- Observations: https://www.ffiec.gov/press/pdf/ffiec_cybersecurity_Assessment_Observations.pdf

FFIEC Observations
FFIEC Observations: Inherent Risk
Financial institutions need a solid methodology to identify inherent risk from cyber threats. Community banks should ensure the following:
- An asset-based IT Risk Assessment that identifies: connection types; products and services offered; technologies implemented
- Specific risks mentioned include: ATM fraud; BYOD risks; wire and ACH fraud; DDoS attacks

FFIEC Observations: Preparedness
Following a solid understanding of inherent risks to community banks, institutions need to focus on risk mitigating comments. The FFIEC highlights the following areas:
- Risk management and oversight involves governance, allocation of resources, and training and awareness of employees.
- Threat intelligence and collaboration is the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision making.
- Cybersecurity controls: controls can be preventive, detective, or corrective.
- External dependency management includes the connectivity to third-party service providers, business partners, customers, or others, and the financial institution's expectations and practices to oversee these relationships.
- Cyber incident management and resilience involves incident detection, response, mitigation, escalation, reporting, and resilience.
New York State Department of Financial Services
Boards receive updates less often than senior management. Specifically, 73% of institutions reported that the Board received information security updates quarterly or annually, whereas 33% of institutions reported that senior managers received monthly updates. The frequency of information security updates to CEOs varied dramatically amongst institutions, ranging from annually (30%) to quarterly (24%) and monthly (22%).
http://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf

New York State Department of Financial Services
Key pillars:
1) a written information security policy
2) security awareness education and employee training
3) risk management of cyber-risk, inclusive of identification of key risks and trends
4) information security audits
5) incident monitoring and reporting
General statistics:
- only 62% of small institutions audit compliance of third party relationships
- 57% of small institutions have a DLP solution, compared to 78% of large institutions
- most reported incidents involved malicious software (malware) (22%) and phishing (21%)
- the most frequent wrongful activity resulting from a cyber intrusion was account takeover (46%)
CSBS, Conference of State Banking Supervisors:
"The persistent threat of internet attacks is a societal issue facing all industries, especially the financial services industry. Once largely considered an IT problem, the rise in frequency and sophistication of cyber-attacks now requires a shift in thinking on the part of bank CEOs that management of a bank's cybersecurity risk is not simply an IT issue, but a CEO and Board of Directors issue."
http://www.csbs.org/cybersecurity/documents/csbs%20cybersecurity%20101%20resource%20Guide%20FINAL.pdf

Cybercrime Made Easy
- Underground Markets: http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/
- Default Passwords: http://cirt.net/passwords
- Hacking Tools: http://sectools.org/
- Hacking Toolkits: http://www.kali.org/
- Caller ID Spoofing: http://www.spooftel.com/freecall/
- Social Engineer Toolkit: http://www.socialengineer.org
- Crime as a Service (CAAS), DDoS: http://top10booters.com/
- Exploit Resource Sites: http://www.exploit-db.com
- Big News Vulnerabilities
Weak / Default Passwords
- Numerous password database breaches in 2013/2014
- Password cracking technology taken to a new level with GPU (graphics card) processor capabilities
- In 76% of data breaches, weak or stolen user names and passwords were a cause (Verizon)

Password Reuse & Breaches
- Secure Passwords: 73% of users share the passwords which they use for online banking with at least one nonfinancial website.
- "With passwords, the surprise we found was not password complexity, but was people using the same password for several different accounts. Once the bad guys got it, it was very simple to move around [the network]." - Lance Spitzner, SANS
- 59% had the same password between the Yahoo and Sony breaches
- 67% had the same password between the Sony and Gawker breaches
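The two slides above make the defensive point that a bank cannot see which other websites a customer or employee reuses a password on, but it can refuse passwords that are already known to attackers. The following Python is an added example written for this page, not code from the presentation or from SBS: it rejects new passwords that match a vendor/default-password list, that appear in a corpus of leaked password hashes (queried the way a k-anonymity range API works, so only a 5-character hash prefix is ever sent), or that the user has already used on the institution's own systems. The default list, the breach corpus, and the 12-character minimum are constructed for the demo.

```python
"""Password acceptance checks for an online banking or employee account.

Added example for this page, not presentation or SBS code. KNOWN_DEFAULTS,
the breach corpus and MIN_LENGTH are constructed for illustration; a real
deployment would point range_lookup() at a compromised-credential service
or a locally maintained corpus of leaked password hashes."""
import hashlib

# Constructed stand-in for a default-password database
KNOWN_DEFAULTS = {"admin", "password", "Password1", "123456", "welcome1"}

# Constructed breach corpus: SHA-1 of passwords seen in public credential dumps.
# Upper-case hex so the 5-char prefix / 35-char suffix split below matches the
# usual k-anonymity range-query convention.
_LEAKED_PLAINTEXT = {"letmein", "qwerty123", "Summer2014", "iloveyou"} | KNOWN_DEFAULTS
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _LEAKED_PLAINTEXT}

MIN_LENGTH = 12  # assumed policy value


def sha1_hex(password: str) -> str:
    """SHA-1 is only a lookup key into the breach corpus, never a storage format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> set:
    """Emulate a k-anonymity range query: given the first 5 hex chars of a hash,
    return every matching suffix in the corpus. The caller never transmits the
    full hash of the candidate password, only the prefix."""
    if len(prefix) != 5:
        raise ValueError("range queries take a 5-character hex prefix")
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_compromised(password: str) -> bool:
    """True if the password's hash is in the breach corpus (prefix query + local match)."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def check_new_password(password: str, previous_hashes: set, min_length: int = MIN_LENGTH) -> list:
    """Return the list of policy violations; an empty list means accept.

    previous_hashes holds sha1_hex() values of the user's earlier passwords on
    this institution's own systems, so rotating back to an old password is
    caught. Reuse with other websites cannot be observed directly; the breach
    corpus check is the closest available proxy for that risk."""
    reasons = []
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    lowered_defaults = {d.lower() for d in KNOWN_DEFAULTS}
    if password.lower() in lowered_defaults:
        reasons.append("known default password")
    if is_compromised(password):
        reasons.append("appears in breach corpus")
    if sha1_hex(password) in previous_hashes:
        reasons.append("reused from password history")
    return reasons


if __name__ == "__main__":
    history = {sha1_hex("correct horse battery staple")}
    for candidate in ("admin", "Summer2014", "correct horse battery staple"):
        print(candidate, "->", check_new_password(candidate, history) or "accepted")
```

Storing the history as SHA-1 here is only to keep the demo short; a production password store keeps a slow, salted hash (bcrypt, scrypt or Argon2) precisely because the GPU cracking speed the slide mentions makes fast hashes like SHA-1 unsuitable for storage, and the reuse check would then be done by verifying the candidate against each stored history entry.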
Hacking Tools

KALI Linux
Caller ID Spoofing

Social Engineering
Crime as a Service (CAAS)
- Growing threat
- Built using botnets
- Provides services such as: conducting DDoS; conducting phishing; anti-antivirus services; keylogging and central reporting
Crime as a Service (CAAS)

Social Engineering
- Phishing attacks
- Pretext phone call
- SMS phishing
- Dumpster diving
- Physical impersonation
- Unknown media
Phishing Trend
- 91% of APTs start with phishing attacks

Phishing Examples
https://www.us-cert.gov/ncas/current-activity/2014/02/26/US-Tax-Season-Phishing-Scams-and-Malware-Campaigns
Spear Phishing Threat: Virus

Source Link
Banking Specific Malware

Top $$$ Hungry Malware to Know
1. Zbot/Zeus
2. Zeus Gameover (P2P) (Zeus family)
3. SpyEye (Zeus family)
4. Ice IX (Zeus family)
5. Citadel (Zeus family)
6. Carberp (Zeus family)
7. Bugat (Zeus family)
8. Shylock (Zeus family)
9. Torpig (Zeus family)
10. CryptoLocker
https://heimdalsecurity.com/blog/top-financial-malware/
Mobile Threats

FFIEC Destructive Malware
Over the past two years, cyber attacks on businesses have increased in frequency and severity. Suggested controls include:
- Securely configure systems and services
- Review, update, and test incident response and business continuity plans
- Conduct ongoing information security risk assessments
- Perform security monitoring, prevention, and risk mitigation
- Protect against unauthorized access
- Implement and test controls around critical systems regularly
- Enhance information security awareness and training programs
- Participate in industry information-sharing forums
FFIEC Cyber Attacks Compromising Credentials
Recent reports indicate an ongoing and increasing trend of attacks by cyber criminals to obtain large volumes of credentials. These attacks include theft of users' credentials such as passwords, usernames, e-mail addresses and other forms of identification. Suggested controls include:
- Conduct ongoing information security risk assessments
- Perform security monitoring, prevention, and risk mitigation
- Protect against unauthorized access
- Implement and test controls around critical systems regularly
- Enhance information security awareness and training programs
- Participate in industry information-sharing forums

Carbanak
- Compromises of banks! $1 billion cybersecurity incident
- 100 financial institutions in 30 countries
- "The Greatest Heist of the Century"
- Advanced Persistent Threat (APT)
- Fraud using online banking platforms, payment systems such as wire/ACH, and ATM networks
- Also called Anunak
Carbanak

Example Phishing Email
The most dangerous emailings are those that are sent on behalf of partners with whom financial and government institutions communicate permanently by email. An example of such emailing occurred on September 25, 2014, at 14:11, from the e-mail address "Elina Shchekina" with the subject "Updated agreement version". The attachment agreement.doc exploits the vulnerabilities CVE-2012-2539 and CVE-2012-0158.
Microsoft Office Vulnerability

Carbanak Process
ATM FFIEC Alert: "Unlimited Operations"
- Fraud attack that netted more than $40 million with only 12 debit cards
- Often begins with a phishing email sent to bank employees. Hackers seek to obtain employee credentials to inject malware into a financial institution's system.
- The ultimate target is the web-based ATM control panel. The attack then hits numerous ATMs using stolen debit card data.
- Focus on weekends/holidays and Windows XP systems

ATM FFIEC Alert Checklist
- Conduct ongoing information security risk assessment
- Perform security monitoring, prevention, and risk mitigation
- Protect against unauthorized access
- Implement and test controls around critical systems regularly
- Conduct information security awareness and training programs
- Test incident response plans
- Participate in industry information sharing forums
Cyber Risk Assessment

GRAMM LEACH BLILEY ACT, Section 501(b), FINANCIAL INSTITUTIONS SAFEGUARDS
In furtherance of the policy in subsection (a), each agency or authority described in section 505(a) shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
FDIC - Appendix B to Part 364
A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.
B. Objectives. A bank's information security program shall be designed to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information;
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and
4. Ensure the proper disposal of customer information and consumer information.

FFIEC Observations: Inherent Risk
Financial institutions need a solid methodology to identify inherent risk from cyber threats. Community banks should ensure the following:
- An asset-based IT Risk Assessment that identifies: connection types; products and services offered; technologies implemented
- Specific risks mentioned include: ATM fraud; BYOD risks; wire and ACH fraud; DDoS attacks
Risk Management Process: IT, Customer, Vendor
1. Inventory: identify all assets, customers, and third parties (vendors).
2. Develop Priorities: protection profiles (CIAV).
3. Identify Threats: what are the threats to each asset (including probability and impact of each threat)?
4. Determine Inherent Risk: which assets represent risk to the financial institution?
5. System Controls: what system safeguards does the financial institution have implemented?
6. Determine Residual Risk: what is the risk after applying controls?
7. Identify Controls (additional action).
8. Measure Against Goal.
9. Demonstrate Compliance: reporting.
Optional: Document Information Security Program (establish an effective set of IT policies).
Improve the process: the cycle feeds back into the next inventory.
Risk Management Process: Commercial Customer
1. Inventory: identify all commercial customers.
2. Develop Priorities: protection profiles (CIAV).
3. Identify Threats: what are the threats to each asset (including probability and impact of each threat)?
4. Determine Inherent Risk: which customers represent risk to the financial institution?
5. System Controls: what system safeguards does the customer have implemented?
6. Determine Residual Risk: what is the risk after applying controls?
7. Identify Controls (additional action).
8. Measure Against Goal.
9. Demonstrate Compliance: reporting.
Optional: Document Information Security Program (establish an effective set of IT policies).
Improve the process: the cycle feeds back into the next inventory.
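The two risk management process slides (IT/customer/vendor, and commercial customer) describe the same loop: inventory, prioritize with a protection profile, score threats by probability and impact, derive inherent risk, apply controls, compute residual risk, measure against a goal and report. The Python below is an added worked example of that loop, not SBS Institute code or its scoring method. The 1-5 probability and impact scales, the rule that the CIAV profile collapses to its highest score, the way layered controls combine, the risk goal, and every asset, threat and control in the sample inventory are constructed assumptions for the demo; the page does not define what the V in CIAV stands for, so the code treats it as a fourth score like the other three.

```python
"""Worked example of the nine-step risk management process from the slides.

Added example for this page, not SBS Institute code. Scales, formulas and the
sample inventory (one IT asset, one commercial customer, one vendor) are all
constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    probability: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int       # assumed scale: 1 (negligible) .. 5 (severe)


@dataclass
class Control:
    name: str
    effectiveness: float  # assumed model: fraction of inherent risk the control removes (0.0..1.0)


@dataclass
class Asset:
    name: str
    kind: str                 # "IT", "Customer" or "Vendor", the three inventories on the slide
    profile: dict             # CIAV protection profile, each dimension scored 1..5 (assumed scale)
    threats: list = field(default_factory=list)
    controls: list = field(default_factory=list)


def priority(asset: Asset) -> int:
    """Step 2: the protection profile collapses to its highest CIAV score (assumed rule)."""
    return max(asset.profile.values())


def inherent_risk(asset: Asset) -> int:
    """Steps 3-4: sum of probability x impact over the asset's threats, scaled by priority."""
    return priority(asset) * sum(t.probability * t.impact for t in asset.threats)


def control_factor(controls: list) -> float:
    """Step 5: layered controls combine multiplicatively (assumed model), so two
    50%-effective controls leave 25% of the inherent risk rather than none."""
    remaining = 1.0
    for c in controls:
        remaining *= (1.0 - c.effectiveness)
    return remaining


def residual_risk(asset: Asset) -> float:
    """Step 6: inherent risk after the implemented controls are applied."""
    return inherent_risk(asset) * control_factor(asset.controls)


def assess(assets: list, goal: float) -> list:
    """Steps 7-9: compare residual risk to the goal, flag additional action, and
    return a report sorted with the highest residual risk first."""
    report = []
    for a in assets:
        res = residual_risk(a)
        report.append({
            "asset": a.name,
            "kind": a.kind,
            "inherent": inherent_risk(a),
            "residual": round(res, 2),
            "additional_action": res > goal,  # step 7/8: above goal means more controls needed
        })
    return sorted(report, key=lambda r: r["residual"], reverse=True)


# Constructed sample inventory (step 1) across the three inventories on the slide
SAMPLE_ASSETS = [
    Asset("Core banking server", "IT",
          {"C": 5, "I": 5, "A": 5, "V": 4},
          threats=[Threat("Malware infection", 3, 5), Threat("Employee credential theft", 4, 5)],
          controls=[Control("Patch management", 0.5), Control("Multi-factor authentication", 0.6)]),
    Asset("ABC Manufacturing cash management", "Customer",
          {"C": 4, "I": 5, "A": 3, "V": 3},
          threats=[Threat("Account takeover via phishing", 4, 4)],
          controls=[Control("Dual control on ACH/wire origination", 0.7)]),
    Asset("Core processor (vendor)", "Vendor",
          {"C": 5, "I": 4, "A": 5, "V": 5},
          threats=[Threat("Vendor data breach", 2, 5)],
          controls=[Control("Annual SOC report review", 0.3)]),
]
RISK_GOAL = 30.0  # assumed risk appetite on the constructed scale


def run_assessment() -> list:
    """Run the full loop over the sample inventory and return the report."""
    return assess(SAMPLE_ASSETS, RISK_GOAL)


if __name__ == "__main__":
    for row in run_assessment():
        flag = "ADDITIONAL ACTION" if row["additional_action"] else "within goal"
        print("%-40s %-8s inherent=%3d residual=%6.2f %s"
              % (row["asset"], row["kind"], row["inherent"], row["residual"], flag))
```

With the constructed numbers, the core banking server (inherent 175) ends at residual 35 and the vendor (inherent 50) also at 35, both above the goal of 30, while the commercial customer (inherent 80) drops to 24 after dual control. The point the report makes is the one the slides make: the asset with the lowest inherent risk can still be the one needing the next control, because the vendor relationship has the weakest control coverage.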
Education: Bank, Third Party, Customer
How to monitor Cyber Security Issues and Take Action?
- Risk Assessment
- Conferences and Conventions: Technology Conference, Association
- Webinars: Regular Hot Topics
- Audit
- Information Security Certifications:
  - CCBSP, Certified Community Banking Security Professional
  - CCBTP, Certified Community Banking Technology Professional
  - CCBVM, Certified Community Banking Vendor Manager
  - https://www.protectmybank.com/sbsinstitute/
- Policy (ISP)

Question & Answer
Contact me anytime with questions.
Chad Knutson, Senior Information Security Consultant
CISSP, CISA, CRISC
Phone: 605-480-3366
chad@protectmybank.com
www.protectmybank.com