Ten Keys to Mitigate Risk - Indiana Philanthropy Alliance

CLAconnect.com
©2014 CliftonLarsonAllen LLP
Cyber Crime Trends
3 Questions
• What are hackers doing?
• Who is hacking us?
• How do they do it?
Themes
• Hackers have “monetized” their activity
– More hacking
– More sophistication
– More “hands-on” effort
– Smaller organizations targeted
Mitigation Themes
• Employees that are aware and savvy
• Networks resistant to malware
• Relationships with banks maximized
What are they doing?
• Organized Crime
– Wholesale theft of personal financial information
• CATO – Corporate Account Takeover
– Use of online credentials for ACH, CC and wire fraud
• Ransomware
Black Market Economy - Theft of PFI and PII
Active campaigns involving targeted phishing and hacking focused on common/known vulnerabilities.
• Target
• Goodwill
• Jimmy Johns
• University of Maryland
• University of Indiana
• Anthem
• Blue Cross Primera
• Olmsted Medical Center
• Community Health Systems
Black Market Economy - Theft of PFI and PII
Active campaigns involving targeted phishing and often targeted industries and institutions.
• Five Colleges Had Data Breaches Larger Than Sony's in 2014
http://www.huffingtonpost.com/kylemccarthy/five-colleges-with-datab_b_6474800.html
• The fifth largest was a community college in California which exposed 35,212 individual records of a personal nature
Black Market Economy – Stolen Card Data
• Carder or Carding websites
• Dumps vs CVV’s
• A peek inside a carding operation:
http://krebsonsecurity.com/2014/06/peek-inside-aprofessional-carding-shop/
Black Market Economy – “Carder Boards”
• Specializing in anonymous purchases
Black Market Economy – “Carder Boards”
• Customer service oriented!
Black Market Economy – “Carder Boards”
• Easy to use!
Credit Card Data For Sale
• Catholic church parish
• Hospice
• Collection agency
• Main Street newspaper stand
• Electrical contractor
• Health care trade association
• Rural hospital
• Mining company
• On and on and on and on…
Corporate Account Takeover
CATO – 3 Versions
1. Deploy malware – keystroke logger
2. Deploy malware – man in the middle
3. Recon / email persuasion
Multi-Factor Authentication Solutions
• MFA is critical
• Silver bullet?
V3 Case Study – Please Wire $ to….
• CEO asks the CFO…
• Common mistakes
1. Use of private email
2. “Don’t tell anyone”
• http://www.csoonline.com/article/2884339/malware-cybercrime/omahas-scoular-co-loses-17-million-afterspearphishing-attack.html
CATO Defensive Measures
• Multi-layer authentication
• Multi-factor authentication
• Out of band authentication
• Positive pay
• ACH block and filter
• IP address filtering
• Dual control
• Activity monitoring
Ransomware
• Malware encrypts everything it can interact with
– V1: Everything where it lands
– V2: Everything where it lands plus everything the user has rights to on the network
– V3: Everything where it lands plus everything on the network
• CryptoLocker / Cryptowall
• Kovter
– Also displays and adds child pornography images
Ransomware
May 20, 2014 – Ransomware attacks doubled in the last month (7,000 to 15,000)
http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker-goes-spear-phishing-infections-soarwarns-knowbe4-a-506966.html
Ransomware
• Zip file is the preferred delivery method
– Helps evade virus protection
• Working (tested) backups are key
The Cost?
Norton/Symantec Corp:
• Cost of global cybercrime: $388 billion
• Global black market in marijuana, cocaine and heroin combined: $288 billion
Who?
• Chinese
– State sponsored
– Goal is to supplant the US as the #1 economic power
• Russians
– State “protected”
– Goal is simpler: steal money
• Copycats
– Koreans, Africans and others use the tools of the Chinese and Russians
How do hackers and fraudsters break in?
• Modern hacking relies on malware
• Social engineering
• Drive-by surfing
– Infected websites
• Easy password attacks
Social Engineering
“Amateurs hack systems, professionals hack people.” – Bruce Schneier
• Pretext phone calls
• Building penetration
• Email attacks
Pre-text Phone Calls
• “Hi, this is Randy from Fiserv user support. I am working with Dave, and I need your help…”
– Name dropping
– Establish a rapport
– Ask for help
– Inject some techno-babble
– Think telemarketer’s script
• Home Equity Line of Credit (HELOC) fraud calls
• Ongoing high-profile ACH frauds
Physical (Facility) Security
Compromise the site:
• “Hi, Joe said he would let you know I was coming to fix the printers…”
Plant devices:
• Keystroke loggers
• Wireless access point
• Thumb drives (“Switch Blade”)
Email Attacks - Spoofing and Phishing
• Impersonate someone in authority and:
– Ask them to visit a web-site
– Ask them to open an attachment or run an update
• Examples
– Better Business Bureau complaint
– http://www.millersmiles.co.uk/email/visa-usabetterbusiness-bureaucall-for-action-visa
– Microsoft Security Patch Download
Email Phishing – “Targeted Attack”
Strategies to Combat Social Engineering
• (Ongoing) user awareness training
• SANS “First Five” – Layers “behind the people”
1. Secure/Standard Configurations (hardening)
2. Critical Patches – Operating Systems
3. Critical Patches – Applications
4. Application White Listing
5. Minimized user access rights
– No browsing/email with admin rights
The Cyber Insurance Maze
• Local agents unaware, uninformed or uninterested
• Lack of standardized policy language
• Generic “one size fits all” applications
• Evolution at the actuarial process
• Evolution at the underwriter
Cyber Insurance Protection Basics
• Errors and omissions
– Typically associated with software providers
• Media and intellectual property
– Media placed on a website or made available
• Network and systems security
– Extensive and broad category (common considerations)
• Breach of privacy
– Disclosure of PFI, PII, HIPAA and others (donor info)
Cyber Insurance Coverage
• Forensic services
• Business interruption coverage
• Credit monitoring – Often required by state regulations
• Technical consulting and system repair
• Legal costs
• Cost of issuance of new credit cards
• Certain fines from regulatory bodies
• Lawsuit related settlements and costs
• Cost of informing impacted entities and persons
Cyber Insurance Procurement
• Obtain multiple quotes
– Not necessarily based on cost
– Exposure of an uninformed quote
– Exposure of the “one size fits all” application
– Education on dollar coverage amounts as recommended by the broker
• Obtain an objective third party review
• Discuss with peers
• DO IT!
10 Key Defensive Measures
Attacks are Preventable!
• Intrusion Analysis: TrustWave
• Intrusion Analysis: Verizon Business Services
• Intrusion Analysis: CERT Coordination Center
• Intrusion Analysis: CLA Incident Handling Team
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Relationship with our FI is maximized
Ten Keys to Mitigate Risk
1. Strong Policies
• Email use
• Website links
• Removable media
• Users vs Admin
• Insurance
2. Defined user access roles and permissions
• Principle of minimum access and least privilege
• Users should NOT have system administrator rights
• “Local Admin” in Windows should be removed (if practical)
3. Hardened internal systems (end points)
• Hardening checklists
• Turn off unneeded services
• Change default passwords
• Use strong passwords
• Consider application white-listing
4. Encryption strategy – data centered
• Email
• Laptops and desktops
• Thumb drives
• Email enabled cell phones
• Mobile media
5. Vulnerability management process
• Operating system patches
• Application patches
• Testing to validate effectiveness – “belt and suspenders”
6. Well defined perimeter security layers:
• Network segments
• Email gateway/filter
• Firewall – “Proxy” integration for traffic in AND out
• Intrusion Detection/Prevention for network traffic, Internet facing hosts, AND workstations (end points)
7. Centralized audit logging, analysis, and automated alerting capabilities
• Routing infrastructure
• Network authentication
• Servers
• Applications
8. Defined incident response plan and procedures
• Be prepared
• Including data leakage prevention and monitoring
• Forensic preparedness
9. Know / use Online Banking Tools
• Multi-factor authentication
• Dual control / verification
• Out of band verification / call back thresholds
• ACH positive pay
• ACH blocks and filters
• Review contracts relative to all these
• Monitor account activity daily
• Isolate the PC used for wires/ACH
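Added example, not from the presentation: a Python sketch of how the banking controls listed here and under "CATO Defensive Measures" compose on a single outgoing wire or ACH request (MFA on the session, dual control by a second approver, out-of-band call-back at or above a dollar threshold, an ACH filter of approved counterparties, and a daily activity review). The threshold, counterparty list and user names are constructed sample values.

```python
"""Release check for an outgoing wire/ACH request (constructed example).
Models the controls listed above; thresholds and counterparties are sample values."""
from dataclasses import dataclass, field
from typing import Optional

CALLBACK_THRESHOLD = 10_000.00  # sample: out-of-band call-back at/above this amount
APPROVED_ACH_COUNTERPARTIES = {"PAYROLL-SVC", "UTILITY-CO"}  # sample ACH filter list

@dataclass
class Payment:
    kind: str                      # "wire" or "ach"
    amount: float
    counterparty: str
    initiator: str
    approver: Optional[str] = None
    initiator_mfa: bool = False
    callback_verified: bool = False

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)

def evaluate(p: Payment) -> Decision:
    """Return the release decision and every control that blocked it."""
    reasons = []
    if not p.initiator_mfa:
        reasons.append("initiator session lacks multi-factor authentication")
    # Dual control: a second person must approve, and it cannot be the initiator.
    if p.approver is None:
        reasons.append("no second approver (dual control)")
    elif p.approver == p.initiator:
        reasons.append("approver is the initiator (dual control violated)")
    # Out-of-band verification at/above the call-back threshold, wires and ACH alike.
    if p.amount >= CALLBACK_THRESHOLD and not p.callback_verified:
        reasons.append(f"amount {p.amount:,.2f} requires out-of-band call-back")
    # ACH filter: only pre-approved counterparties may be paid by ACH.
    if p.kind == "ach" and p.counterparty not in APPROVED_ACH_COUNTERPARTIES:
        reasons.append(f"ACH counterparty {p.counterparty!r} not on filter list")
    return Decision(allowed=not reasons, reasons=reasons)

def daily_review(released: list) -> list:
    """Activity monitoring: released payments a reviewer should look at daily,
    i.e. first-ever payments to a counterparty and any at/above the threshold."""
    seen, flags = set(), []
    for p in released:
        if p.counterparty not in seen or p.amount >= CALLBACK_THRESHOLD:
            flags.append(f"{p.kind} {p.amount:,.2f} to {p.counterparty!r} by {p.initiator}")
        seen.add(p.counterparty)
    return flags
```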
10. Test, Test, Test
– “Belt and suspenders” approach
– Penetration testing
◊ Internal and external
– Social engineering testing
◊ Simulate spear phishing
– Application testing
◊ Test the tools with your bank
◊ Test internal processes
Hang on, it’s going to be a wild ride!!
Darrell Songer, Principal
Information Security Services Group
[email protected]
(314-925-4300)
Questions?