Cybersecurity Governance Update on New FFIEC Requirements
cliftonlarsonallen.com

Our Perspective: CliftonLarsonAllen
- Started in 1953 with a goal of total client service
- Today, a professional services firm with three lines of business: Wealth Management; Outsourcing; Traditional Assurance and Consulting
- Information Security offered as a specialized service offering for over 15 years
Overview
- Three most common cyber fraud scenarios we see affecting our banks' customers: theft of PII and PFI; corporate account takeovers; ransomware
- Defensive measures to support incident response
- Examples and case studies

Strategies
Our information security strategy should have the following objectives:
- Users who are more aware and savvy
- Networks that are resistant to malware
- Be prepared: monitoring, incident response, and forensic capabilities
Cyber Fraud Risk Themes
- Hackers have monetized their activity: more hacking, more sophistication, more hands-on effort
- Smaller organizations targeted
- Social engineering on the rise
- Hackers targeting YOUR business customers

In the News: Theft of PFI and PII
Active campaigns involving targeted phishing and hacking focused on common/known vulnerabilities: Target, Goodwill, Jimmy John's, University of Maryland, University of Indiana, Anthem Blue Cross, Premera, Olmsted Medical Center, Community Health Systems
Timeline of a Breach and Missed Opportunities
1. Attacked/compromised vendor remote access
2. Missed AV/IDS warnings
3. Attacked/compromised internal vulnerabilities
4. Missed IDS warnings
[Timeline diagram: the four steps above in sequence]

Credit Card Data For Sale
A peek inside a carding operation: http://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/
Corporate Account Takeover
- Catholic church parish
- Hospice
- Finance company
- Main Street newspaper stand
- Electrical contractor
- Utility company
- Industry trade association
- Rural hospital
- Mining company
- On and on and on and on...

CATO Lawsuits: UCC
"A payment order received by the [bank] is effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer."
CATO Lawsuits: UCC
Electrical contractor vs. bank
- > $300,000 stolen via ACH through CATO
- Internet banking site was down (DoS?)
- Contractor asserting the bank processed a bogus ACH file without any callback

CATO Lawsuits: UCC
Escrow company vs. bank
- > $400,000 stolen via a single wire through CATO
- CE passed on dual control offered by the bank
- Court ruled in favor of the bank: the company's attorneys failed to demonstrate the bank's procedures were not commercially reasonable
Case Study: "Please wire $ to..."
CEO asks the CFO
Common mistakes:
1. Use of private email
2. Don't tell anyone
http://www.csoonline.com/article/2884339/malware-cybercrime/omahas-scoular-co-loses-17-million-afterspearphishing-attack.html

CATO Defensive Measures
- Multi-layer authentication
- Multi-factor authentication
- Out-of-band authentication
CATO Defensive Measures
- Positive pay
- ACH block and filter
- IP address filtering
- Dual control
- Defined processes for payments
- Activity monitoring
- Manual vs. automated controls
- Combination of preventative and detective controls

Ransomware
- Malware encrypts everything it can interact with, i.e. anything the infected user has access to
- CryptoLocker
- May 20, 2014: ransomware attacks doubled in the last month (7,000 to 15,000)
http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker-goes-spearphishing-infections-soar-warns-knowbe4-a-506966.html
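To show how the CATO defensive measures listed above combine preventative controls (IP address filtering, ACH block and filter, dual control) with detective ones (activity monitoring on first-time payees), here is an added example of a payment-order screening routine. It is not code from the presentation or from any bank's system; the customer profile, order fields, and the RFC 5737 test addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Profile:
    networks: tuple              # IP address filtering: customer's registered ranges
    dual_control_over: float     # orders at/above this amount need a second approver
    ach_debit_filter: frozenset  # ACH block/filter: originators allowed to debit
    known_payees: frozenset      # used for detective alerting on first-time payees

@dataclass
class Order:
    kind: str            # "ach_credit", "ach_debit" or "wire"
    amount: float
    counterparty: str
    submitter: str
    approvers: frozenset
    source_ip: str

def screen(order, profile):
    """Return ('reject' | 'hold' | 'release', reasons).
    Preventive controls reject outright; detective findings hold the order
    for an out-of-band callback instead of releasing it."""
    reasons = []
    ip = ip_address(order.source_ip)
    if not any(ip in ip_network(n) for n in profile.networks):
        reasons.append("source IP outside the customer's registered networks")
    if order.kind == "ach_debit" and order.counterparty not in profile.ach_debit_filter:
        reasons.append("ACH debit originator not on the customer's filter list")
    if order.amount >= profile.dual_control_over and not (order.approvers - {order.submitter}):
        reasons.append("dual control: no approver independent of the submitter")
    if reasons:
        return "reject", reasons
    if order.counterparty not in profile.known_payees:
        reasons.append("first-time payee: confirm by callback before release")
    return ("hold", reasons) if reasons else ("release", [])

# Constructed sample data (hypothetical customer, RFC 5737 test addresses).
PROFILE = Profile(("203.0.113.0/24",), 10_000.0,
                  frozenset({"PAYROLL-SVC"}), frozenset({"PAYROLL-SVC", "SUPPLYCO"}))

def demo():
    routine = Order("ach_credit", 2_500.0, "SUPPLYCO", "cfo", frozenset(), "203.0.113.7")
    # Pattern from the lawsuit slides: one large transfer, submitted and
    # "approved" by the same compromised login, from an unfamiliar address.
    takeover = Order("wire", 300_000.0, "NEW-ACCT", "cfo", frozenset({"cfo"}), "198.51.100.9")
    return screen(routine, PROFILE), screen(takeover, PROFILE)
```

The routine order is released, while the takeover-pattern order is rejected on two independent controls; a legitimate but first-time payee would be held for a callback rather than blocked.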
Ransomware
- Zip file is the preferred delivery method: helps evade virus protection
- Working (tested) backups are key

Keys to Successful Breaches, 2013-2014
https://www2.trustwave.com/gsr2014
Keys to Successful Breaches
- Reliance/dependence on 3rd-party service providers is at the root of most breaches

How do hackers and fraudsters break in?
"Amateurs hack systems, professionals hack people." Bruce Schneier
Social engineering relies on the following:
- The appearance of authority
- People want to avoid inconvenience
- Timing, timing, timing
Pretext Phone Calls
"Hi, this is Randy from Fiserv user support. I am working with Dave, and I need your help..."
- Name dropping
- Establish a rapport
- Ask for help
- Inject some techno-babble
- Think telemarketer's script
- Home Equity Line of Credit (HELOC) fraud calls
- Ongoing high-profile ACH frauds

Email Attacks: Spoofing and Phishing
Impersonate someone in authority and:
- Ask them to visit a web site
- Ask them to open an attachment or run an update
Examples:
- Better Business Bureau complaint: http://www.millersmiles.co.uk/email/visa-usabetterbusiness-bureaucall-for-action-visa
- Microsoft Security Patch Download
Email Phishing: Targeted Attack

Strategies to Combat Social Engineering
- (Ongoing) user awareness training
- SANS First Five: layers behind the people
  1. Secure/standard configurations (hardening)
  2. Critical patches: operating systems
  3. Critical patches: applications
  4. Application whitelisting
  5. Minimized user access rights: no browsing/email with admin rights
- Logging, monitoring, and alerting capabilities
- The 3 R's: Recognize, React, Respond (more on this at the end)
Key Defensive Strategies
cliftonlarsonallen.com

Strategies
Our information security strategy should have the following objectives:
- Users who are more aware and savvy
- Networks that are resistant to malware
- Be prepared: monitoring, incident response, and forensic capabilities
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles: minimum access
3. Hardened internal systems and end points
4. Encryption strategy: data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know / use online banking tools
10. Test, test, test: independent validation that it works

Verizon Report
The Verizon report is an analysis of intrusions investigated by Verizon and the US Secret Service. Key points:
- Time from successful intrusion to compromise of data was days to weeks.
- Log files contained evidence of the intrusion attempt, success, and removal of data.
- Most successful intrusions were not considered highly difficult.
Centralized Logging, Analysis, and Alerting
Centralized audit logging, analysis, and automated alerting capabilities (SIEM) covering:
- Firewalls
- Security appliances
- Routing infrastructure
- Network authentication
- Servers
- Applications
*** Archiving vs. reviewing

FFIEC Executive Leadership of Cybersecurity
cliftonlarsonallen.com
Cybersecurity Leadership: FFIEC
https://www.fdic.gov/news/news/financial/2014/fil14021.html
Cybersecurity Leadership: FFIEC Governance and Threat Intelligence
https://www.fdic.gov/news/news/financial/2014/fil14021.html
Very Recent Examiner Supplemental Cyber Security Request List
Call To Action
- Policies to set the foundation
- Train your users
- Thoroughly assess your risks
- Three R's: Recognize, React, Respond
- Thoroughly validate your controls
- High expectations of your vendors
- Penetration testing and vulnerability assessment
- Social engineering testing
People, Tools, Rules
Questions?
Randy Romes, CISSP, CRISC, MCP, PCI QSA
Principal, Information Security Services
Randy.romes@cliftonlarsonallen.com
888.529.2648
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Resources

Hardening Checklists
- Hardening checklists from vendors
- CIS offers vendor-neutral hardening resources: http://www.cisecurity.org/
- Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true and http://technet.microsoft.com/en-us/library/dd366061.aspx
- Most of these will be from the BIG software and hardware providers

Three Security Reports
- Trends: SANS 2009 Top Cyber Security Threats, http://www.sans.org/top-cyber-security-risks/
- Intrusion Analysis: Trustwave (annual), https://www.trustwave.com/whitepapers.php
- Intrusion Analysis: Verizon Business Services (annual), http://www.verizonenterprise.com/dbir/