Get on First Base with your Regulators and Cyber Security
Secure Banking Solutions, Chad Knutson. © 2015 Secure Banking Solutions, LLC.

2. Presenter
• Chad Knutson
• VP, SBS Institute
• Senior Information Security Consultant
• Masters in Information Assurance
• CISSP, CISA, CRISC
• www.protectmybank.com
• [email protected]
• Cell: (605) 480-3366

3. Background
• 10 years of community bank consulting at SBS
• Experience in risk management, ISP development, and auditing
• SBS has worked with over 800 banks in 45 states
• Relationship with Dakota State University
  • NSA & DHS National Center of Excellence in Information Assurance
  • One of the only universities focusing on community banking security

4. Cybersecurity
“America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet. Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property. Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.”
President Obama

5. Growth in Banking
New products/services:
• Mobile cash management
• Consumer capture
• Online account opening
• Interactive teller machines
• P2P payment systems
Cybercrime increasing:
• Organized crime
• Advanced persistent threats
(Diagram: Bank, Third Party, Customer.)

6. APT vs Organized Crime

7. FFIEC Cyber Security
• Main site: https://www.ffiec.gov/cybersecurity.htm
• Board/senior management video: http://youtu.be/t1ZgWKjynXI
• Observations: https://www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf

8. FFIEC Observations

9. FFIEC Observations
Inherent risk: financial institutions need a solid methodology to identify inherent risk from cyber threats. Community banks should ensure the following:
• An asset-based IT risk assessment that identifies:
  • Connection types
  • Products and services offered
  • Technologies implemented
• Specific risks mentioned include:
  • ATM fraud
  • BYOD risks
  • Wire and ACH fraud
  • DDoS attacks

10. FFIEC Observations
Preparedness: once inherent risk to the community bank is understood, the institution needs to focus on risk mitigation. The FFIEC highlights the following areas:
• Risk management and oversight: governance, allocation of resources, and training and awareness of employees.
• Threat intelligence and collaboration: the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities, offering courses of action that enhance decision making.
• Cybersecurity controls: controls can be preventive, detective, or corrective.
• External dependency management: connectivity to third-party service providers, business partners, customers, or others, and the financial institution’s expectations and practices for overseeing these relationships.
• Cyber incident management and resilience: incident detection, response, mitigation, escalation, reporting, and resilience.

11. Fresh Update to BCP Guidance

12. Cybercrime Made Easy
• Underground markets: http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/
• Caller ID spoofing: http://www.spooftel.com/freecall/
• Social Engineer Toolkit: http://www.socialengineer.org
• Default passwords: http://cirt.net/passwords
• DDoS: http://top10booters.com/
• Exploit resource sites: http://www.exploitdb.com
• Hacking tools: http://sectools.org/
• Hacking toolkits: http://www.kali.org/
• Crime as a Service (CaaS)
• Big-news vulnerabilities

13. Weak / Default Passwords
• Numerous password database breaches in 2012/2013
• Password cracking taken to a new level by GPU (graphics card) processing power
• In 76% of data breaches, weak or stolen user names and passwords were a cause (Verizon)

14. Password Reuse & Breaches
• Secure passwords: 73% of users share the passwords they use for online banking with at least one non-financial website.
• “With passwords, the surprise we found was not password complexity, but was people using the same password for several different accounts… Once the bad guys got it, it was very simple to move around [the network].” Lance Spitzner, SANS
• 59% had the same password between the Yahoo and Sony breaches
• 67% had the same password between the Sony and Gawker breaches
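The two slides above make a quantitative claim (reuse rates measured across breach dumps) and a qualitative one (GPU cracking). The following is an added example, not code from the deck or from SBS, that shows on constructed data how a cross-breach reuse rate like the Yahoo/Sony figure is computed, why an unsalted fast hash lets one dictionary pass cover every account in a dump, and how a per-user salt plus an iterated KDF multiplies the attacker's work. Every site, user, password, salt and wordlist entry below is constructed.

```python
"""Password reuse across two breach dumps, and the cost of cracking unsalted
SHA-1 versus salted PBKDF2. Added example; every dump, user and wordlist
entry below is constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

HashDump = Dict[str, str]   # email -> unsalted hex digest, the way leaked sites stored it


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1: identical passwords give identical digests on every site."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed dumps: four users appear on both sites, three of them reused their password.
SITE_A: HashDump = {
    "alice@example.com": sha1_hex("Summer2013!"),
    "bob@example.com": sha1_hex("letmein"),
    "carol@example.com": sha1_hex("Chester1"),
    "dave@example.com": sha1_hex("dragon"),
    "erin@example.com": sha1_hex("xK9#pL2vQ!wZ"),
}
SITE_B: HashDump = {
    "alice@example.com": sha1_hex("Summer2013!"),
    "bob@example.com": sha1_hex("letmein"),
    "carol@example.com": sha1_hex("Chester1"),
    "dave@example.com": sha1_hex("dragon2"),
    "frank@example.com": sha1_hex("m7$Tq1!zRb0e"),
}

# Constructed wordlist standing in for a real dictionary or prior-breach list.
WORDLIST: List[str] = ["123456", "password", "letmein", "dragon", "Chester1", "Summer2013!", "qwerty"]


def reuse_rate(dump_a: HashDump, dump_b: HashDump) -> Tuple[int, int, float]:
    """(shared users, users with the same password on both sites, reuse fraction).
    Digest equality implies password equality only because both sites are unsalted;
    with salted storage the passwords would first have to be cracked."""
    shared = [u for u in dump_a if u in dump_b]
    reused = [u for u in shared if dump_a[u] == dump_b[u]]
    return len(shared), len(reused), (len(reused) / len(shared) if shared else 0.0)


def crack_unsalted(dump: HashDump, wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes. Each candidate is hashed once and
    compared against every account, so the cost is len(wordlist) hash
    computations no matter how many users the dump holds; that is the
    embarrassingly parallel workload a GPU eats."""
    lookup = {sha1_hex(w): w for w in wordlist}
    cracked = {u: lookup[h] for u, h in dump.items() if h in lookup}
    return cracked, len(wordlist)


SaltedRecord = Tuple[bytes, int, bytes]   # (salt, iterations, derived key)


def pbkdf2_record(password: str, iterations: int, salt: Optional[bytes] = None) -> SaltedRecord:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, dk


def crack_salted(records: Dict[str, SaltedRecord], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Same wordlist against salted PBKDF2. Every guess must be recomputed per
    user because the salt differs, and each computation costs `iterations`
    rounds. Returns the cracked users and the total hash rounds spent."""
    cracked: Dict[str, str] = {}
    rounds = 0
    for user, (salt, iterations, dk) in records.items():
        for candidate in wordlist:
            rounds += iterations
            guess = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
            if hmac.compare_digest(guess, dk):
                cracked[user] = candidate
                break
    return cracked, rounds


if __name__ == "__main__":
    shared, reused, rate = reuse_rate(SITE_A, SITE_B)
    print(f"{reused}/{shared} shared users reused their password ({rate:.0%})")
    cracked, cost = crack_unsalted(SITE_A, WORDLIST)
    print(f"unsalted SHA-1: {len(cracked)} of {len(SITE_A)} cracked for {cost} hash computations")
    plain = {"alice@example.com": "Summer2013!", "bob@example.com": "letmein"}
    salted = {u: pbkdf2_record(p, iterations=100_000) for u, p in plain.items()}
    cracked, rounds = crack_salted(salted, WORDLIST)
    print(f"salted PBKDF2: {len(cracked)} of {len(salted)} cracked for {rounds:,} hash rounds")
```

The reuse check only works directly because both constructed sites stored unsalted digests; the published 59% and 67% figures required cracking first. Note that salting and iteration raise the attacker's cost per account, but do nothing for a password that is itself in the wordlist, which is why the deck pairs the storage advice with customer education on reuse.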

15. Hacking Tools

16. Kali Linux

17. Caller ID Spoofing

18. Social Engineering

19. Crime as a Service (CaaS)
• Growing threat
• Built using botnets
• Provides services such as:
  • Conducting DDoS
  • Conducting phishing
  • Anti-antivirus services
  • Keylogging with central reporting

20. Crime as a Service (CaaS)

21. ATM Fraud Increasing…

22. ATM FFIEC Alert: “Unlimited Operations” Fraud
• Attack that netted more than $40 million with only 12 debit cards
• Often begins with a phishing email sent to bank employees
• Hackers seek to obtain employee credentials to inject malware into a financial institution’s system; the ultimate target is the web-based ATM control panel
• The attack then hits numerous ATMs using stolen debit card data
• Focus on weekends/holidays and Windows XP systems

23. USB Theft
• Find a specific style of ATM (also Windows XP)
• Drill a hole in the casing and insert a USB or SD card
• Hole covered with a sticker or patch
• Infects the computer with malware
• Each time, the criminals simply typed a 12-digit code into the ATM to launch a custom interface
• Also required the thief to enter a second code in response to numbers shown on the ATM’s screen before they could release the money; returned to the regular screen after 3 minutes
• http://www.bbc.com/news/technology-25550512
• Jackpot at Defcon (caution: language): http://www.youtube.com/watch?v=YsXLwdw76-Y

24. Recent Malware Heist
• NCR ATMs attacked in Malaysia
• $1 million stolen with the help of malware installed on at least 18 ATMs across the country (Krebs)

25. Latest Skimming Techniques
• Completely fake ATMs and ATM covers
• Keypad overlays instead of cameras
• Transmission devices: cell phone, Wi-Fi, Bluetooth…
• Gluing down the physical ‘enter’, ‘cancel’ and ‘clear’ keys, allowing the attacker to capture the PIN and take the card
• Card/cash trapping: http://krebsonsecurity.com/all-about-skimmers/

26. CATO: Corporate Account Takeover

27. What is CATO?
“Corporate Account Takeover is an evolving electronic crime typically involving the exploitation of businesses of all sizes, especially those with limited to no computer safeguards and minimal or no disbursement controls for use with their bank’s online business banking system. These businesses are vulnerable to theft when cyber thieves gain access to its computer system to steal confidential banking information in order to impersonate the business and send unauthorized wire and ACH transactions to accounts controlled by the thieves. Municipalities, school districts, large non-profit organizations, corporate businesses, and any customers that perform electronic transfers are potential targets. Losses from this form of cyber-crime range from the tens of thousands to the millions with the majority of these thefts not fully recovered. These thefts have affected both large and small banks.” – Texas ECTF

28. Corporate Account Takeover
• FDIC lists this as a top threat, responsible for:
  • Millions of dollars in losses
  • Frayed business relationships
  • Litigation affecting both financial institutions and commercial accounts
• “…around 85% of cyber attacks are now targeting small businesses.” White House Cybersecurity Coordinator

29. 2014 Faces of Fraud

30. CATO Fraud Losses

31. CATO Issues
• Cyber-criminals are targeting commercial accounts
• Business/commercial accounts do not have the same legal protections afforded to consumer accounts (Reg E)
• If financial institutions do not start to prevent fraud in commercial accounts, the government will expand legal protections to commercial accounts; what will this cost? (Sen. Chuck Schumer (D-NY), “Schumer Bill”)

32. Outcome / Who is responsible?
(Chart: outcome for the bank–customer relationship after a CATO incident, with the categories Diminished trust, Move money, No change, Terminated; and who is held responsible, with the categories Customer, Bank, Government, Law enforcement. The percentages cannot be recovered from the extracted slide.)

33. Small Business Security
• 70% lack basic security controls
• Get to the basics with each small business
• Conduct a risk assessment looking for these basic security controls:
  • Firewall
  • Strong passwords
  • Malware protection
  • Etc.

34. The Legal Battle: “Commercially Reasonable”
• EMI case: an EMI employee opened and clicked on links within a phishing email; $1.9M in wires stolen, $560,000 not recoverable. Court rules in favor of the small business.
• Patco Construction: computer infected with Zeus malware, $589,000 stolen via ACH (payroll), net loss $345,440. Court rules in favor of the bank; then, on July 3, 2012, the appeals court overturned in favor of the small business. The court calls a “one-size-fits-all” approach “commercially unreasonable”.

35. Win (?) for Banks
• Choice Escrow and Land Title LLC sued BancorpSouth Inc. for a $440,000 loss via a single wire in March 2010
• Choice Escrow was offered, and explicitly declined in writing, the use of dual controls and wire limits
• Important factors:
  • Incident occurred prior to January 2012
  • Offering of controls was clearly documented

36. Recent Incidents
• May 2013, J.T. Alexander & Son Inc.
  • $800,000 in ACH transactions ranging from $5K–10K to 60 mules; the company has 15 employees with an average $30K payroll
• April 2013, Chelan County Public Hospital
  • $1M in ACH transactions from the payroll account using 96 mules
  • Identified by Brian Krebs
• December 2012, Efficient Services Escrow Group
  • $1.5M in wires (December $0.4M and January $1.1M); forced the company to close
• December 2012, Ascent Builders Inc.
  • $900,000 in wires and ACH, covered up by a DDoS
  • Identified by Brian Krebs
• July 2013, Texas Brand Bank (TBB) sues Luna & Luna, LLP; funds at JP Morgan
  • $1.66M in three separate wire transfers, 2012
  • U.S. Department of Housing and Urban Development (HUD) funds
  • Bank lent $1.66M to the corporate customer; the loan went unpaid and the government froze the funds

37. Regulatory Guidance
• FFIEC Specific Supervisory Expectations (1/2012):
  • Risk assessment
  • Customer authentication for high-risk transactions
  • Layered security programs
  • Effectiveness of certain authentication techniques
  • Customer awareness and education
• Conference of State Bank Supervisors (CSBS) expectations, 19 controls (12/2012):
  • Prevent
  • Detect
  • Respond
• Resources:
  • FFIEC 2005 Guidance: http://www.ffiec.gov/pdf/authentication_guidance.pdf
  • FFIEC Supplement Guidance: http://www.ffiec.gov/press/pr062811.htm
  • FIL-50-2011: http://www.fdic.gov/news/news/financial/2011/fil11050.html
  • CSBS Guidance: http://www.csbs.org/ec/cato/Documents/BestPracticesCATO.docx
  • NACHA: https://www.nacha.org/content/corporate-account-takeover-resource-center
  • CATO Group: http://www.cato.org/
  • Customer Movement: http://www.yourmoneyisnotsafeinthebank.org

38. FFIEC Risk Assessment
Should be updated when new information is obtained, when new electronic services are offered, or at least every 12 months. It should consider:
• Changes in internal and external threats
• Changes in customer base adoption
• Changes in functionality offered
• Actual incidents of security breaches, identity theft, or fraud experienced by the institution or the industry

39. FFIEC Layered Security Programs
Effective controls that may be incorporated in a layered security program include, but are not limited to:
• Fraud monitoring and detection
• Dual authorization
• Out-of-band transaction verification
• Positive pay
• Account activity controls or limits on value, volume, timeframes, and payment recipients
• IP reputation-based blocking tools
• Policies and procedures for addressing potentially infected customer devices
• Enhanced control over account maintenance
• Enhanced customer education

40. FFIEC Customer Awareness and Education
Efforts should address both retail and commercial accounts and, at a minimum, include:
• Explanation of protections provided, and not provided, or limitations relative to Regulation E
• Explanation of the circumstances and the means through which unsolicited requests may be made to the customer
• Suggestions for the commercial online banking customer to perform a risk assessment and controls evaluation periodically
• A list of alternative risk control mechanisms and resources that customers may consider to mitigate their own risk
• A list of institutional contacts for customers’ use in the event they notice suspicious activity or security incidents

41. PROTECT
Implement processes and controls to protect the financial institution and corporate customers.
• P1. Expand the risk assessment to include corporate account takeover.
• P2. Rate each customer (or type of customer) that performs online transactions.
• P3. Outline to the Board of Directors the Corporate Account Takeover issues.
• P4. Communicate basic online security practices for corporate online banking customers.
• P5. Implement/enhance customer security awareness education for retail and high-risk business account holders.
• P6. Establish bank controls to mitigate the risks of corporate accounts being taken over.
• P7. Review customer agreements.
• P8. Contact your vendors to regularly receive information regarding reducing the risk of Corporate Account Takeovers.

42. DETECT
Establish monitoring systems to detect electronic theft and educate employees and customers on how to detect a theft in progress.
• D1. Establish automated or manual monitoring systems.
• D2. Educate bank employees on the warning signs that a theft may be in progress.
• D3. Educate account holders on the warning signs of potentially compromised computer systems.
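The layered-security controls listed on slide 39 and the monitoring system called for in D1 above are what an online banking platform or fraud engine evaluates on every wire or ACH submission. The following is an added example, not SBS, FFIEC or vendor code, of such a rule layer: each FFIEC control (limits on value, volume, timeframe and payment recipient, dual authorization, IP-reputation blocking, and an out-of-band hold) is an independent check, and the decision is the strictest that fires. The customer profile, its limits, the IP addresses (RFC 5737 documentation ranges) and the transfers are all constructed.

```python
"""Per-transaction rule layer for the FFIEC layered-security controls and CSBS D1.
Added example, not SBS, FFIEC or vendor code; the profile, limits, addresses
and transfers are all constructed."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Set, Tuple


@dataclass
class CustomerProfile:
    """P2 output: a rating and a set of limits for each online-transaction customer."""
    name: str
    risk_rating: str                       # constructed scale: low / medium / high
    single_limit: float                    # largest transfer released without a hold
    daily_value_limit: float               # aggregate value allowed per calendar day
    daily_count_limit: int                 # number of transfers allowed per calendar day
    dual_auth_threshold: float             # at or above this, two distinct approvers
    known_payees: Set[str]
    usual_ips: Set[str]
    hours: Tuple[time, time] = (time(7, 0), time(18, 0))   # expected origination window


@dataclass
class Transfer:
    customer: str
    kind: str                              # "wire" or "ach"
    amount: float
    payee: str
    src_ip: str
    submitted: datetime
    approvers: List[str] = field(default_factory=list)


@dataclass
class Decision:
    action: str                            # "release", "hold" (out-of-band verification) or "block"
    findings: List[str]


def evaluate(t: Transfer, p: CustomerProfile, history: List[Transfer], bad_ips: Set[str]) -> Decision:
    """Run every control. A bad-reputation source blocks outright; anything else
    that fires holds the transfer for out-of-band (call-back) verification."""
    findings: List[str] = []
    if t.src_ip in bad_ips:
        findings.append("ip-reputation: source address is on the block list")
        return Decision("block", findings)
    today = [h for h in history if h.customer == t.customer and h.submitted.date() == t.submitted.date()]
    if t.amount > p.single_limit:
        findings.append(f"value-limit: {t.amount:,.2f} exceeds single-transfer limit {p.single_limit:,.2f}")
    if sum(h.amount for h in today) + t.amount > p.daily_value_limit:
        findings.append("daily-value-limit: aggregate for the day would exceed the limit")
    if len(today) + 1 > p.daily_count_limit:
        findings.append("volume-limit: more transfers today than the profile allows")
    if t.payee not in p.known_payees:
        findings.append(f"payee: {t.payee!r} is not on the customer's approved recipient list")
    if not (p.hours[0] <= t.submitted.time() <= p.hours[1]):
        findings.append("timeframe: submitted outside the customer's usual hours")
    if t.src_ip not in p.usual_ips:
        findings.append("source: address not previously seen for this customer")
    if t.amount >= p.dual_auth_threshold and len(set(t.approvers)) < 2:
        findings.append("dual-authorization: a second, distinct approver is required")
    return Decision("hold" if findings else "release", findings)


# Constructed profile, reputation feed and prior activity for the day.
ACME = CustomerProfile(
    name="Acme Title Co", risk_rating="high",
    single_limit=50_000, daily_value_limit=150_000, daily_count_limit=5,
    dual_auth_threshold=25_000,
    known_payees={"Escrow Trust Account", "County Recorder"},
    usual_ips={"198.51.100.20"},
)
BAD_IPS = {"203.0.113.7"}
HISTORY = [Transfer("Acme Title Co", "wire", 30_000, "Escrow Trust Account", "198.51.100.20",
                    datetime(2015, 3, 2, 9, 15), ["jsmith", "mlee"])]


def sample_decisions() -> Dict[str, Decision]:
    """Three constructed submissions: routine, a takeover-shaped wire, and a blocked source."""
    routine = Transfer("Acme Title Co", "ach", 12_000, "County Recorder", "198.51.100.20",
                       datetime(2015, 3, 2, 10, 30), ["jsmith"])
    takeover = Transfer("Acme Title Co", "wire", 95_000, "Overseas Holdings Ltd", "192.0.2.44",
                        datetime(2015, 3, 2, 2, 40), ["jsmith"])
    bad_source = Transfer("Acme Title Co", "wire", 9_000, "County Recorder", "203.0.113.7",
                          datetime(2015, 3, 2, 11, 5), ["jsmith"])
    return {name: evaluate(t, ACME, HISTORY, BAD_IPS)
            for name, t in [("routine", routine), ("takeover", takeover), ("bad_source", bad_source)]}


if __name__ == "__main__":
    for name, d in sample_decisions().items():
        print(f"{name}: {d.action}")
        for f in d.findings:
            print("   ", f)
```

The takeover-shaped wire trips five controls at once (value, new payee, off-hours, unfamiliar source, missing second approver), which is the point of layering: a thief who has the customer's credentials and a session from the customer's infected PC still has to get past limits and a call-back that the credentials alone do not satisfy. Limits and payee lists are per customer, so this is where the P2 rating feeds in.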

43. RESPOND
Prepare to respond to an incident as quickly as possible (measured in minutes, not hours) to increase the chance of recovering the money for your customer.
• R1. Update incident response plans to include Corporate Account Takeover.
• R2. Immediately verify whether a suspicious transaction is fraudulent.
• R3. Immediately attempt to reverse all suspected fraudulent transactions.
• R4. Send a “Fraudulent File Alert” through FedLine.
• R5. Immediately notify the receiving bank(s) of the fraudulent transactions and ask them to hold or return the funds.
• R6. Implement a contingency plan to recover or suspend any systems suspected of being compromised.
• R7. Contact law enforcement and regulatory agencies once the initial recovery efforts have concluded.
• R8. Implement procedures for customer relations and documentation of recovery efforts.

44. What is the silver bullet?
• Stronger contracts?
• Multifactor?
• Out-of-band authentication?
• Call-back procedures?
• Transaction limits?
• Insurance?

45. Solutions
• Comprehensive risk management processes
• Leverage your ISP!
• Bank IT risk assessment
• Third party risk assessments
• Commercial account risk assessment
• Educate your customers
(Diagram: Commercial Accounts, Third Party, Bank IT.)

46. Risk Assessment
FFIEC: review commercial accounts and identify the highest-risk accounts, and consider:
• New or changing threats to your services
• Changes in customer base
• Changes in functionality offered
• Actual incidents from breaches, ID theft, and fraud in the industry or institution
CSBS:
• P1. Expand the risk assessment to include corporate account takeover.
• P2. Rate each customer (or type of customer) that performs online transactions.

47. Customer Awareness and Education
• Handouts / pamphlets
• Posters / calendars
• Security awareness day
• InfraGard certification
• Social engineering tests
• Games
• Resources
• Commercial customer roundtable

48. Onsite or Online Education

49. Continual Improvement: What you can do about cybercrime

50. Security Process
(Diagram, plan-do-check cycle: Plan = Risk Assessment; Do = Information Security Program: Policy, Plans, Procedures; Check = Audits.)

51. FDIC Appendix B to Part 364
A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.
B. Objectives. A bank’s information security program shall be designed to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information;
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and
4. Ensure the proper disposal of customer information and consumer information.

52. FDIC Appendix B to Part 364: Table of Contents
I. Introduction
  A. Scope
  B. Preservation of Existing Authority
  C. Definitions
II. Standards for Safeguarding Customer Information
  A. Information Security Program
  B. Objectives
III. Development and Implementation of Customer Information Security Program
  A. Involve the Board of Directors
  B. Assess Risk
  C. Manage and Control Risk
  D. Oversee Service Provider Arrangements
  E. Adjust the Program
  F. Report to the Board
  G. Implement the Standards

53. Risk Management Process
1. Inventory: identify all assets, third parties, or customers.
2. Develop priorities: protection profiles (CIAV).
3. Identify threats: what are the threats to each asset (including the probability and impact of each threat)?
4. Determine inherent risk: which assets represent risk to the bank?
5. System controls: what system safeguards does the bank want to implement?
6. Determine residual risk: what is the risk after applying controls?
7. Document the information security program: establish an effective set of IT policies.
8. Demonstrate compliance: reporting.
9. Improve the process: measure against goal, identify controls, additional action.
(The figure marks the improvement loop as optional.)
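The figure above is a process, not a formula, and the deck does not define how the protection profile or the probability and impact scores are combined. As an added example (not SBS's methodology or tool), the following carries steps 1 to 6 and the "measure against goal" check of step 9 through on constructed assets, threats and controls. The 1-to-5 scale, the choice to scale risk by the most critical profile attribute a threat touches, the assumption that independent controls each remove a fraction of the remaining likelihood, and the risk appetite are all assumptions of this example; the CIAV attribute keys are taken from the slide without expanding them.

```python
"""Inherent and residual risk for the nine-step process on the slide above.
Added example, not SBS's tool; the scoring scale, assets, threats, controls
and risk appetite are all constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Asset:
    name: str
    profile: Dict[str, int]     # protection profile, keys C/I/A/V scored 1 (low) to 5 (critical)


@dataclass
class Threat:
    asset: str                  # asset the threat applies to
    name: str
    probability: int            # 1..5
    impact: int                 # 1..5
    affects: List[str]          # protection attributes the threat touches


@dataclass
class Control:
    threat: str                 # threat it mitigates
    name: str
    effectiveness: float        # fraction by which it reduces probability, 0..1 (assumed)


def weight(asset: Asset, threat: Threat) -> int:
    """Step 2: scale by the most critical attribute the threat touches (assumption)."""
    return max(asset.profile[a] for a in threat.affects)


def inherent_risk(asset: Asset, threat: Threat) -> float:
    """Step 4: probability x impact before any control, scaled by the protection profile."""
    return threat.probability * threat.impact * weight(asset, threat)


def residual_probability(threat: Threat, controls: List[Control]) -> float:
    """Step 5: each selected control removes a fraction of the remaining likelihood."""
    p = float(threat.probability)
    for c in controls:
        if c.threat == threat.name:
            p *= 1.0 - c.effectiveness
    return p


def residual_risk(asset: Asset, threat: Threat, controls: List[Control]) -> float:
    """Step 6: the risk that remains after the selected controls."""
    return residual_probability(threat, controls) * threat.impact * weight(asset, threat)


def assess(assets: List[Asset], threats: List[Threat], controls: List[Control], appetite: float) -> List[dict]:
    """Steps 1-6 for every asset/threat pair, highest residual first. Rows above
    `appetite` fail the step-9 'measure against goal' check and need additional action."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        a = by_name[t.asset]
        rows.append({
            "asset": a.name,
            "threat": t.name,
            "inherent": inherent_risk(a, t),
            "residual": residual_risk(a, t, controls),
            "controls": [c.name for c in controls if c.threat == t.name],
            "above_appetite": residual_risk(a, t, controls) > appetite,
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed inventory (step 1), threats (step 3) and candidate controls (step 5).
ASSETS = [
    Asset("Online business banking", {"C": 5, "I": 5, "A": 4, "V": 5}),
    Asset("ATM fleet", {"C": 3, "I": 4, "A": 4, "V": 3}),
]
THREATS = [
    Threat("Online business banking", "Corporate account takeover", 4, 5, ["C", "I"]),
    Threat("Online business banking", "DDoS on the banking site", 3, 3, ["A"]),
    Threat("ATM fleet", "Unlimited-operations cash-out", 2, 5, ["I"]),
]
CONTROLS = [
    Control("Corporate account takeover", "Dual authorization on wires and ACH", 0.5),
    Control("Corporate account takeover", "Out-of-band verification of new payees", 0.5),
    Control("DDoS on the banking site", "Upstream DDoS scrubbing service", 0.6),
    Control("Unlimited-operations cash-out", "Retire Windows XP ATM control hosts", 0.4),
    Control("Unlimited-operations cash-out", "Weekend and holiday withdrawal caps", 0.5),
]
RISK_APPETITE = 20.0   # constructed board-approved threshold


def sample_assessment() -> List[dict]:
    return assess(ASSETS, THREATS, CONTROLS, RISK_APPETITE)


if __name__ == "__main__":
    for r in sample_assessment():
        flag = "ADDITIONAL ACTION" if r["above_appetite"] else "within appetite"
        print(f"{r['asset']:<26} {r['threat']:<32} inherent {r['inherent']:>6.1f}  residual {r['residual']:>6.1f}  {flag}")
```

Even with two controls at the assumed effectiveness, the CATO row stays above the constructed appetite, which is the situation the deck's slides on layered security and customer education address: the bank either adds controls (back to step 5) or documents acceptance of the residual risk in the program (step 7). Whatever scale a bank adopts, the useful property is the one shown here: inherent and residual risk are computed the same way for every asset so the rows are comparable.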

54. Information Security Program

55. Audit (Check) Components
• Vulnerability assessment: internal, comprehensive. Checks for:
  • Missing patches or updates
  • Default settings and passwords
  • Vulnerable systems
• Penetration testing: external, replicating a hacker. It:
  • Identifies vulnerable systems
  • Exploits vulnerabilities
  • Produces security warnings
  • Tests intrusion prevention systems
• Social engineering: tests your people and their responses to social engineering techniques
• IT audit:
  • Verifies you are following your Information Security Program
  • Ensures it is adequate to meet regulatory requirements and implements industry best practices

56. Education: How to monitor cyber security issues and take action?
• Conferences and conventions
  • Technology conference
• Association webinars
  • Regular hot topics
• Banking schools
  • Graduate School of Banking
• Information security certifications
  • CCBSP Certified Community Banking Security Professional
  • CCBTP Certified Community Banking Technology Professional
  • CCBVM Certified Community Banking Vendor Manager
  • http://www.wisbank.com/certifications
(Diagram: Bank, Third Party, Customer; Risk Assessment, Audit, Policy (ISP).)

57. Questions
Contact information:
• Chad Knutson
• VP, SBS Institute
• Senior Information Security Consultant
• CISSP, CISA, CRISC
• Phone: 605-480-3366
• [email protected]
• www.protectmybank.com
