Cyber Security
Chad Knutson
Presenter
Chad Knutson
◦ Senior Information Security Consultant
◦ Masters in Information Assurance
◦ CISSP (Certified Information Systems Security Professional)
◦ CISA (Certified Information Systems Auditor)
◦ CRISC (Certified in Risk and Information Systems Control)
◦ www.protectmybank.com
◦ [email protected]
My Experience
Information Security Program
Design and Implementation
IT Risk Assessment
Penetration Testing
Vulnerability Assessments
Awareness Programs
Vendor Management
Business Continuity
Technology Selection
Security Consulting
IT Audit
◦ ISP audit
◦ ATM audit
◦ Controls audit
◦ Wire transfer audit
◦ SOX audit
NSA Designated School
• National Security Agency
• Department of Homeland Security
• DSU is the only national center of excellence focused on the security of banks
Growth in Banking
New Products/Services
◦ Mobile Cash Management
◦ Consumer Capture
◦ Online Account Opening
◦ Interactive Teller Machines
◦ P2P Payment Systems
Cybercrime Increasing
◦ Organized Crime
◦ Advanced Persistent Threats
Bank / Customer / Third Party
Cyber Security Agenda
• Data Breach Epidemic
• Hacking Made Easy
• Phishing with Malware
• Commercial Customer Fraud
• DDOS = Fraud
• ATM Fraud
• Continual Improvement (What you can do)
Risk Assessment / Policy (ISP) / Audit
Data Breaches
2014 (first few months), plus so many more
◦ JP Morgan – gigabytes of data were compromised, including customer account data, from June to mid-August by exploiting an overlooked flaw in one of the bank’s websites, leading to infections on 90 servers. Possibly 1M accounts breached.
◦ UPS – malware was on its in-store cash register systems at 51 of its locations in 24 states from Jan 20 to Aug 11, 2014.
◦ Home Depot – involves nearly all of the company’s 2,200 stores across the nation, going back to April. Bigger than Target?
◦ AB Acquisition and SuperValu – affected more than 180 stores in 18 states between June 22 and July 17 (ACME, Shaw, Albertson…)
◦ DQ – initial breach as far back as early June 2014. Same malware that hit Target.
Verizon 2013 Data Breach Investigations Report (DBIR)
92% stemmed from external agents
◦ Organized criminal group 55%
55% utilized some form of hacking
29% utilized some form of social engineering
40% incorporated malware
75% of victims were opportunistic attacks
97% of breaches were avoidable through simple or intermediate controls (*2012)
Hacking made easy
Default Passwords
http://cirt.net/passwords
Hacking Tools
http://sectools.org/
Kali Linux (turnkey solutions)
http://www.kali.org/
Caller ID Spoofing
http://www.spooftel.com/freecall/
Social Engineer Toolkit
http://www.social-engineer.org
Crime as a Service (CAAS) Exploit Sites
Phishing Examples
https://www.us-cert.gov/ncas/current-activity/2014/02/26/US-Tax-Season-Phishing-Scams-and-Malware-Campaigns
Corporate Account Takeover
FDIC lists this as a top threat:
◦ responsible for millions of dollars in losses
◦ frayed business relationships
◦ litigation affecting both financial institutions and commercial accounts.
“…around 85% of cyber attacks are now targeting small businesses.” White House Cybersecurity
2014 Faces of Fraud
DDOS
“Unlimited Operations” Fraud
FFIEC Warning
◦ Attack that netted more than $40 million with only 12 debit cards
◦ Often begins with a phishing email sent to bank employees.
◦ Hackers seek to obtain employee credentials to inject malware into a financial institution’s system. The ultimate target is the web-based ATM control panel.
◦ The attack then hits numerous ATMs using stolen debit card data.
◦ Focus on weekends/holidays and Windows XP systems
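As an added, defender-side example that is not part of the presentation: a small Python detector for the three signals of the “unlimited operations” attack described above (an off-hours or out-of-policy limit change in the card control panel, cumulative withdrawals beyond the institution’s hard ceiling, and one card cashing out at many ATMs within an hour), run over a constructed log. The log format, the policy ceiling, the velocity threshold and the business-hours window are all assumptions; real card-management and ATM-switch logs look different and would need their own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values (not from the presentation): a hard per-card daily
# ceiling that no control-panel change may exceed, and a velocity threshold.
POLICY_DAILY_CEILING = 5_000
MAX_ATMS_PER_HOUR = 3
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59, Monday to Friday

# Constructed log format (hypothetical; real card-management systems differ):
#   <ISO timestamp> WITHDRAWAL card=<id> atm=<id> amount=<int>
#   <ISO timestamp> LIMIT_CHANGE card=<id> new_limit=<int> actor=<user>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>WITHDRAWAL|LIMIT_CHANGE) (?P<rest>.*)$")

# Constructed sample data; 2014-02-22 is a Saturday, 2014-02-24 a Monday.
SAMPLE_LOG = """
2014-02-22T01:40:00 LIMIT_CHANGE card=4111xxxx0001 new_limit=1000000 actor=svc_panel
2014-02-22T02:00:00 WITHDRAWAL card=4111xxxx0001 atm=ATM-17 amount=2000
2014-02-22T02:10:00 WITHDRAWAL card=4111xxxx0001 atm=ATM-23 amount=2000
2014-02-22T02:25:00 WITHDRAWAL card=4111xxxx0001 atm=ATM-31 amount=2000
2014-02-24T10:15:00 LIMIT_CHANGE card=4111xxxx0002 new_limit=1000 actor=branch_mgr
2014-02-24T12:00:00 WITHDRAWAL card=4111xxxx0002 atm=ATM-05 amount=300
""".strip().splitlines()


def parse_events(lines):
    """Parse constructed log lines into dicts, sorted by timestamp."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        fields = dict(kv.split("=", 1) for kv in m["rest"].split())
        ev = {"ts": datetime.fromisoformat(m["ts"]), "kind": m["kind"], **fields}
        for key in ("amount", "new_limit"):
            if key in ev:
                ev[key] = int(ev[key])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def outside_business_hours(ts):
    """True on weekends or outside the assumed 08:00-17:59 window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect_unlimited_operations(events):
    """Return alerts for three signals of an 'unlimited operations' cash-out."""
    alerts = []
    fired = set()                   # (rule, card, date): alert only once per day
    day_totals = defaultdict(int)   # (card, date) -> amount withdrawn so far
    recent = defaultdict(list)      # card -> [(ts, atm)] seen in the last hour

    def fire(rule, ev, detail):
        key = (rule, ev["card"], ev["ts"].date())
        if key not in fired:
            fired.add(key)
            alerts.append({"rule": rule, "card": ev["card"], "ts": ev["ts"], "detail": detail})

    for ev in events:
        if ev["kind"] == "LIMIT_CHANGE":
            # Signal 1: a limit raised past policy, or changed off-hours, looks
            # like the control-panel tampering step rather than a branch request.
            if ev["new_limit"] > POLICY_DAILY_CEILING or outside_business_hours(ev["ts"]):
                fire("limit_change", ev, f"new_limit={ev['new_limit']} actor={ev['actor']}")
            continue

        # Signal 2: cumulative withdrawals beyond the policy ceiling, regardless
        # of whatever limit the (possibly tampered) control panel currently holds.
        key = (ev["card"], ev["ts"].date())
        day_totals[key] += ev["amount"]
        if day_totals[key] > POLICY_DAILY_CEILING:
            fire("daily_total", ev, f"total={day_totals[key]}")

        # Signal 3: one card cashing out at many distinct ATMs within an hour.
        window = [(t, a) for t, a in recent[ev["card"]] if ev["ts"] - t <= timedelta(hours=1)]
        window.append((ev["ts"], ev["atm"]))
        recent[ev["card"]] = window
        atms = sorted({a for _, a in window})
        if len(atms) >= MAX_ATMS_PER_HOUR:
            fire("velocity", ev, f"atms={atms}")
    return alerts


if __name__ == "__main__":
    for alert in detect_unlimited_operations(parse_events(SAMPLE_LOG)):
        print(alert)
```

The point of checking withdrawals against a fixed policy ceiling rather than against the card’s current limit is that the attack works precisely by changing the limit in the control panel; a rule that trusts the panel’s value sees nothing wrong. The limit-change rule is the earliest of the three signals and the one worth routing to a person immediately, since it fires before any cash leaves an ATM.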
USB Theft
◦ Find a specific style of ATM (also Windows XP)
◦ Drill a hole in the casing and insert a USB or SD card; the hole is covered with a sticker or patch
◦ Infects the computer with malware
◦ Each time, the criminals simply typed a 12-digit code into the ATM to launch a custom interface
◦ Also required the thief to enter a second code in response to numbers shown on the ATM’s screen before they could release the money.
◦ Returned to the regular screen after 3 minutes.
Latest Skimming Techniques
◦ Completely fake ATMs and ATM covers. Keypad overlays instead of cameras.
◦ Transmission devices: cell phone, Wi-Fi, Bluetooth…
◦ Gluing down the physical ‘enter’, ‘cancel’ and ‘clear’ keys, allowing the attacker to capture the PIN and retrieve the card.
◦ Card/Cash Trapping
Continual Improvement
Security process: Plan, Do, Check
Risk Assessment
Information Security Program: Policy, Plans, Procedures
Audits
Education
How to monitor Cyber Security Issues and Take Action?
◦ Conferences and Conventions
  ◦ Technology Conference
◦ Webinars
  ◦ Regular Hot Topics
◦ Banking Schools
  ◦ Graduate Banking Schools
◦ Information Security Certifications
  ◦ Certified Community Banking Security Professional
  ◦ Certified Community Banking Technology Professional
  ◦ Certified Community Banking Vendor Manager
http://www.vacb.org/SBS.php