©2013 CliftonLarsonAllen LLP cliftonlarsonallen.com
Current Trends in Cyber Crime &
Our perspective…
CliftonLarsonAllen
– Started in 1953 with a goal of total client service
– Today, industry specialized CPA and Advisory firm ranked in the top 10 in the U.S.
– Information Security offered as specialized service offering for over 15 years
– Largest Credit Union Service Practice*
*Callahan and Associates 2014 Guide to Credit Union CPA Auditors.
CliftonLarsonAllen’s credit union practice has recently grown to over 100 professionals including more than 20 principals. The group focuses on audit, assurance, consulting and advisory, information technology, and human resource management for credit unions across the country.
Overview
• Up To Date Cybersecurity and Fraud Risks
– Current threat environment
– Industry examples and case studies
• FFIEC Cybersecurity Assessments and Governance Requirements
Cyber Fraud Risk Themes
• Hackers have “monetized” their activity
– More sophisticated hacking
– More “hands-on” effort
– Smaller organizations targeted
– Black market economy
• Social engineering is a continuing threat
Largest Cyber Fraud Trends
• Most common cyber fraud scenarios we see affecting our credit unions and their members
– Theft of PII and PFI
– Theft of credit card information
– Member and Corporate Account Take Overs
– Ransomware
• Defensive Measures to support Incident Response
Black Market Economy - Theft of PFI and PII
• Target
• Goodwill
• Jimmy Johns
• University of Maryland
• University of Indiana
• Olmsted Medical Center
• Community Health Systems
• Anthem
• Blue Cross Primera
Active campaigns involving targeted phishing and
Timeline of a Breach and Missed Opportunities
1. Attacked/compromised vendor remote access
2. Missed AV/IDS warnings
3. Attacked/compromised internal vulnerabilities
4. Missed IDS warnings
Black Market Economy – Stolen Card Data
• Carder or Carding websites
• Dumps vs CVV’s
• A peek inside a carding operation: http://krebsonsecurity.com/2014/06/peek-inside-a-
Black Market Economy – “Carder Boards”
• Catholic church parish
• Hospice
• Finance company
• Main Street newspaper stand
• Electrical contractor
• Utility company
• Industry trade association
• Rural hospital
• Mining company
• Credit Union
• On and on and on and on…
CATO Lawsuits - UCC
a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment
CATO Lawsuits - UCC
• Electrical Contractor vs Bank
• > $300,000 stolen via ACH through CATO
• Internet banking site was “down” – DOS?
• Contractor asserting Bank processed bogus ACH file
CATO Lawsuits - UCC
• Escrow company vs Bank
• > $400,000 stolen via single wire through CATO
– CE passed on dual control offered by the bank
• Court ruled in favor of bank
• Company’s attorneys failed to demonstrate bank’s
• CEO asks the CFO…
• Common mistakes
1. Use of private email
2. “Don’t tell anyone”
• http://www.csoonline.com/article/2884339/malware-cybercrime/omahas-scoular-co-loses-17-million-after-spearphishing-attack.html
CATO Defensive Measures
• Multi-layer authentication
• Multi-factor authentication
• Out of band authentication
• Positive pay
• ACH block and filter
• IP address filtering
• Dual control
• Defined processes for payments
• Activity monitoring
• Manual vs. Automated controls
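The measures above are individually simple; what stops an account takeover is composing them into one release decision per payment order. As an added illustration, not code from the presentation or from any banking platform, the Python below evaluates a single order against a customer's agreed security procedure: out-of-band/multi-factor verification, IP address filtering, an ACH debit filter, dual control above a threshold, and an activity-monitoring hold. The network ranges, originator IDs, thresholds and sample orders are constructed assumptions, and the "2x daily baseline" hold is an assumed policy value rather than one the slides specify.

```python
"""Payment-order release checks built from the CATO defensive measures list.

Added example, not code from the presentation or from any banking platform.
Network ranges, originator IDs, thresholds and the sample orders are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class CustomerProfile:
    """Security procedure agreed with one business customer (constructed values)."""
    allowed_networks: List[str] = field(default_factory=list)   # IP address filtering
    ach_debit_allowlist: Set[str] = field(default_factory=set)  # ACH block and filter
    dual_control_threshold: float = 10_000.0                    # second approver above this
    daily_baseline: float = 25_000.0                            # typical daily outbound volume


@dataclass
class PaymentOrder:
    kind: str                       # "wire", "ach_credit" or "ach_debit"
    amount: float
    source_ip: str                  # address the online-banking session came from
    initiator: str                  # user who keyed the order
    approver: Optional[str] = None  # second user who released it (dual control)
    mfa_verified: bool = False      # out-of-band / multi-factor step completed
    originator_id: Optional[str] = None  # ACH originator for debits
    day_total_before: float = 0.0   # amount already sent by this customer today


def evaluate_order(order: PaymentOrder, profile: CustomerProfile) -> List[str]:
    """Return control failures for the order; an empty list means it may be released."""
    findings = []

    # Multi-factor / out-of-band authentication must have completed for this order.
    if not order.mfa_verified:
        findings.append("mfa: out-of-band or multi-factor verification not completed")

    # IP address filtering: the session must originate from a registered network.
    src = ip_address(order.source_ip)
    if profile.allowed_networks and not any(src in ip_network(n) for n in profile.allowed_networks):
        findings.append(f"ip-filter: {order.source_ip} is outside the customer's registered networks")

    # ACH block and filter: only allow-listed originators may debit the account.
    if order.kind == "ach_debit" and order.originator_id not in profile.ach_debit_allowlist:
        findings.append(f"ach-filter: originator {order.originator_id!r} is not on the debit allow-list")

    # Dual control: large orders need a second, different user to release them.
    if order.amount > profile.dual_control_threshold:
        if order.approver is None:
            findings.append("dual-control: second approver required above threshold")
        elif order.approver == order.initiator:
            findings.append("dual-control: approver must differ from initiator")

    # Activity monitoring: hold when the day's outbound volume far exceeds the baseline
    # (2x baseline is an assumed policy value, not one the slides specify).
    if order.day_total_before + order.amount > 2 * profile.daily_baseline:
        findings.append("activity-monitor: daily outbound volume exceeds 2x baseline, hold for review")
    return findings


# Constructed customer and orders; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
PROFILE = CustomerProfile(allowed_networks=["203.0.113.0/24"],
                          ach_debit_allowlist={"PAYROLLCO01"})

SAMPLE_ORDERS: Dict[str, PaymentOrder] = {
    "routine_wire": PaymentOrder("wire", 8_000.0, "203.0.113.25", "alice", mfa_verified=True),
    "approved_large_wire": PaymentOrder("wire", 15_000.0, "203.0.113.25", "alice",
                                        approver="bob", mfa_verified=True),
    "unknown_ach_debit": PaymentOrder("ach_debit", 2_500.0, "203.0.113.25", "alice",
                                      mfa_verified=True, originator_id="UNKNOWNORIG9"),
    # Shape of an account-takeover wire: unregistered address, no MFA, self-approved, far above baseline.
    "takeover_wire": PaymentOrder("wire", 400_000.0, "192.0.2.99", "alice", approver="alice"),
}


def evaluate_samples() -> Dict[str, List[str]]:
    """Evaluate every constructed order; used by the demo below."""
    return {name: evaluate_order(order, PROFILE) for name, order in SAMPLE_ORDERS.items()}


if __name__ == "__main__":
    for name, findings in evaluate_samples().items():
        print(name, "->", "RELEASE" if not findings else "; ".join(findings))
```

Each check returns a finding rather than raising, so the caller can log all failed controls for the order (useful evidence later, as the UCC cases above show) instead of stopping at the first one.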
Ransomware
• Malware encrypts everything it can interact with
– i.e. anything the infected user has access to
• CryptoLocker
May 20, 2014
– Ransomware attacks doubled in last month (7,000 to 15,000)
Ransomware
Ten things that make it easy for hackers
1. Giving users local admin privileges
2. Domain Admins don’t have separate user account
3. Domain Admins log into workstation
4. Weak passwords
5. Shared passwords
6. Poor patching
7. Unnecessary ports and services
8. Weak/no encryption
9. Vendor Systems
Keys to Successful Breaches
2013
2014
Keys to Successful Breaches…
Reliance/dependence on 3rd party service providers is
How do hackers and fraudsters break in?
Social Engineering relies on the following:
• The appearance of “authority”
• People want to avoid inconvenience
• Timing, timing, timing…
“Amateurs hack systems, professionals hack people.”
Pre-text Phone Calls
• “Hi, this is Randy from Fiserv users support. I am working with Dave, and I need your help…”
– Name dropping
– Establish a rapport
– Ask for help
– Inject some techno-babble
– Think telemarketers script
• Home Equity Line of Credit (HELOC) fraud calls
Attacks - Spoofing and Phishing
• Impersonate someone in authority and:
– Ask them to visit a web-site
– Ask them to open an attachment or run update
• Examples
– Better Business Bureau complaint
– http://www.millersmiles.co.uk/email/visa-usabetter-business-bureaucall-for-action-visa
Physical (Facility) Security
Compromise the site:
• “Hi, Joe said he would let you know I was coming to fix the printers…”
Plant devices:
• Keystroke loggers
• Wireless access point
• Thumb drives (“Switch Blade”)
Examples…
- Sumitomo Bank (2005) – over $500M
- http://www.networkworld.com/news/2009/012209-clerical-error-foiled-sumitomo-bank.html
- Barclays Bank (December, 2013) - $1.30M lost
Strategies to Combat Social Engineering
• (Ongoing) user awareness training
• SANS “First Five” – Layers “behind the people”
1. Secure/Standard Configurations (hardening)
2. Critical Patches – Operating Systems
3. Critical Patches – Applications
4. Application White Listing
5. Minimized user access rights
No browsing/email with admin rights
• Logging, Monitoring, and Alerting capabilities
– “The 3 R’s”: Recognize, React, Respond
FFIEC Executive Leadership
Cybersecurity Leadership - FFIEC
May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar
• Importance of identifying emerging cyber threats and the need for Board/C-suite involvement, including:
– Setting the tone at the top and building a security culture
– Identifying, measuring, mitigating, and monitoring risks
– Developing risk management processes commensurate with the risks and complexity of the institutions
– Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
– Creating a governance process to ensure ongoing awareness and accountability
– Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability
Cybersecurity Assessments July – August 2014
Current FFIEC IT Examination Process
• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions.
• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov/) and supplemented by periodic agency guidance.
• IT Examinations review the financial institution’s Information
New/Added FFIEC Cybersecurity Assessments
• In the summer of 2014, the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks.
• Integrated into regular IT Examination process
– Cyber Risk Management and Oversight
– Cyber Security Controls
– External Dependency Management
– Threat Intelligence and Collaboration
– Cyber Resilience
Recent Examiner Supplemental Cyber
FFIEC Cybersecurity Assessment Tool (CAT)
• Released in June 2015
• The National Credit Union Administration intends to incorporate the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool into its examinations, starting in June 2016.
FFIEC Cybersecurity Assessment Tool (CAT)
• Inherent Risk Profile
• Cybersecurity inherent risk is the level of risk posed to the institution by the following:
1. Technologies and Connection Types
2. Delivery Channels
3. Online/Mobile Products and Technology Services
4. Organizational Characteristics
FFIEC Cybersecurity Assessment Tool (CAT)
• Cybersecurity Maturity
1. Cyber Risk Management and Oversight
2. Threat Intelligence and Collaboration
3. Cybersecurity Controls
4. External Dependency Management
5. Cyber Incident Management
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be Prepared… Monitoring, Incident
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles – Minimum Access
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know / use online banking tools
10. Assess and Test – Independent
Verizon
• Report is analysis of intrusions investigated by Verizon and US Secret Service.
• KEY POINTS:
– Time from successful intrusion to compromise of data was days to weeks.
– Log files contained evidence of the intrusion attempt, success, and removal of data.
– Most successful intrusions were
Centralized Logging, Analysis, and Alerting
Centralized audit logging, analysis, and automated alerting capabilities (SIEM)
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
*** Archiving vs. Reviewing
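The "Archiving vs. Reviewing" point, together with the Verizon finding above that the log files already held evidence of the intrusion, is what automated alerting is for. As an added example that is not part of the presentation, the Python below runs three review rules over a handful of constructed logon records: a Domain Admin logging on interactively to a workstation (item 3 of the "Ten things" slide), a burst of failed logons for one account (weak or shared passwords being guessed), and a vendor remote-access logon outside its approved hours or from an unregistered address (the first missed opportunity in the breach timeline slide). The record format, the WS- naming convention for workstations, the account names, addresses and thresholds are all assumptions made for the example; a real deployment would map the SIEM's own fields onto parse_line().

```python
"""Review rules for centralized logon logs (archive AND review).

Added example, not code from the presentation. Record format, host naming,
account names, addresses and thresholds are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed policy values.
DOMAIN_ADMINS = {"da-jsmith", "da-backup"}   # privileged accounts, separate from daily-use accounts
VENDOR_ACCOUNTS = {"vendor-hvac"}            # third-party remote-access account
VENDOR_HOURS = (8, 18)                       # vendor may connect 08:00-17:59 local time
VENDOR_KNOWN_IPS = {"198.51.100.7"}          # addresses the vendor registered with us
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)

Alert = Tuple[str, str, str, datetime]       # (rule, account, host or source ip, time)


def parse_line(line: str) -> Dict[str, object]:
    """Constructed record format: timestamp|host|account|event|logon_type|source_ip."""
    ts, host, account, event, logon_type, src = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host, "account": account,
            "event": event, "logon_type": logon_type, "src": src}


def is_workstation(host: str) -> bool:
    return host.upper().startswith("WS-")    # assumed naming convention


def review(lines: List[str]) -> List[Alert]:
    """Apply the three rules in timestamp order and return every alert raised."""
    alerts: List[Alert] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # recent failure times per account
    for rec in (parse_line(ln) for ln in lines if ln.strip()):
        acct, ts, host = rec["account"], rec["ts"], rec["host"]

        # Rule 1: a Domain Admin logging on interactively to a workstation.
        if (rec["event"] == "LOGON_SUCCESS" and acct in DOMAIN_ADMINS
                and rec["logon_type"] in {"interactive", "remote_interactive"}
                and is_workstation(host)):
            alerts.append(("DA_ON_WORKSTATION", acct, host, ts))

        # Rule 2: FAIL_THRESHOLD failed logons for one account inside a sliding window.
        if rec["event"] == "LOGON_FAILURE":
            window = failures[acct]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) == FAIL_THRESHOLD:  # fire once, when the threshold is first reached
                alerts.append(("FAILED_LOGON_BURST", acct, host, ts))

        # Rule 3: vendor remote access outside its hours or from an unregistered address.
        if rec["event"] == "LOGON_SUCCESS" and acct in VENDOR_ACCOUNTS:
            off_hours = not (VENDOR_HOURS[0] <= ts.hour < VENDOR_HOURS[1])
            if off_hours or rec["src"] not in VENDOR_KNOWN_IPS:
                alerts.append(("VENDOR_ACCESS_ANOMALY", acct, rec["src"], ts))
    return alerts


# Constructed sample records (documentation IP ranges, invented hosts and accounts).
SAMPLE_LOG = """
2014-05-20T02:13:05|FS-01|vendor-hvac|LOGON_SUCCESS|remote_interactive|192.0.2.44
2014-05-20T09:02:11|WS-117|da-jsmith|LOGON_SUCCESS|interactive|10.0.5.117
2014-05-20T09:10:00|WS-042|tellerA|LOGON_FAILURE|interactive|10.0.5.42
2014-05-20T09:10:40|WS-042|tellerA|LOGON_FAILURE|interactive|10.0.5.42
2014-05-20T09:11:20|WS-042|tellerA|LOGON_FAILURE|interactive|10.0.5.42
2014-05-20T09:12:00|WS-042|tellerA|LOGON_FAILURE|interactive|10.0.5.42
2014-05-20T09:12:40|WS-042|tellerA|LOGON_FAILURE|interactive|10.0.5.42
2014-05-20T09:15:00|DC-01|da-jsmith|LOGON_SUCCESS|interactive|10.0.1.10
2014-05-20T10:00:00|FS-01|vendor-hvac|LOGON_SUCCESS|remote_interactive|198.51.100.7
""".strip().splitlines()


def sample_alerts() -> List[Alert]:
    """Run the rules over the constructed records; used by the demo below."""
    return review(SAMPLE_LOG)


if __name__ == "__main__":
    for rule, acct, where, when in sample_alerts():
        print(f"{when:%Y-%m-%d %H:%M:%S}  {rule:<22} {acct:<12} {where}")
```

The last two records are the control cases: the same Domain Admin logging on to a domain controller and the vendor connecting during business hours from its registered address raise nothing, which is what keeps a rule like this reviewable rather than just another archive.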
Call To Action
Policies to set foundation
Train your users
Thoroughly assess your risks
Three R’s: Recognize, React, Respond
Thoroughly validate your controls
– High expectations of your vendors
– Penetration testing
– Application testing
– Vulnerability scanning
– Social engineering testing
People, Rules, Tools
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal
Information Security Services
Randy.romes@cliftonlarsonallen.com 888.529.2648
Resources – Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources http://www.cisecurity.org/
• Microsoft Security Checklists
http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the “BIG” software and
“Three” Security Reports
• Trends: Sans 2009 Top Cyber Security Threats
– http://www.sans.org/top-cyber-security-risks/
• Intrusion Analysis: TrustWave (Annual)
– https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)
Information Security Program – includes…
• Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) for the safeguarding of customer information
Board of Directors will develop an Information Security Program that addresses the requirements of:
◊ Section 501(b) of the GLBA;
◊ Federal Financial Institutions Examination Council’s (FFIEC) “Interagency Guidelines Establishing Information Security Standards” (501[b] Guidelines); and
◊ Agency-specific guidelines (i.e. Appendix B to Part 364 of the FDIC’s Rules and Regulations)
The Information Security Program (ISP) is comprised of:
◊ Risk Assessment
◊ Risk Management
◊ Audit
◊ Business Continuity/Disaster Recovery/Incident Response
◊ Vendor Management
Information Security Program
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems.
• Risk is determined based on the likelihood of a given threat-source’s ability to exercise a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical, and physical controls to reduce or eliminate the impact of the threat.
Information Security Program Audit
• ISP-related Audits/Reviews
– ISP Review/IT General Controls Review
– External/Internal Vulnerability and Penetration Assessments
– Social Engineering Assessments
• E-Banking Reviews
– ACH Audit
– Wire Transfer Audit
– Remote/Mobile Deposit Capture Audit
Information Security Program Business Continuity/Disaster Recovery Incident Response
• Business Continuity/Disaster Recovery Plan
– Annual Testing of Critical Systems
– Annual Employee Tabletop/Scenario Testing
– Board Reporting
• Incident Response Plan
– Compromise of customer information
– Annual Testing
– FS-ISAC
– FBI Infraguard
Information Security Program Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
– Access to Customer Information
– Criticality to Bank Operations
– Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing, and response procedures.
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
– Improved identification and mitigation of attacks
– Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
– Sharing information to help other FIs
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• FI Management should:
– Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
– Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
◊ FS-ISAC: www.fsisac.com
◊ FBI Infragard: www.infragard.org
◊ U.S. Computer Emergency Readiness Team at US-CERT: www.us-cert.gov
◊ U.S. Secret Service Electronic Crimes Task Force:
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk
– Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
◊ Connection Types: identify and assess the threats to all access points to the internal network
• VPN
• Wireless
• Remote access protocols: RDP/Telnet/FTP
• Vendor LAN/WAN access
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
◊ Products and Services: identify and assess threats to all products and services currently offered and planned
• Online ACH and Wire Transfer origination
• External funds transfers (A2A, P2P, bill pay)
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
◊ Technologies Used: identify and assess threats to all technologies currently used and planned
• Core systems
• ATMs
• Internet and mobile applications
• Cloud computing
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness
– Current cybersecurity practices and overall preparedness should include:
◊ Cybersecurity Controls: Preventive, detective, or corrective procedures for mitigating identified cybersecurity threats
• Patching, encryption, limited user access
• Intrusion detection/prevention systems, firewall alerts
• Formal audit program with scope and schedule based on an asset’s inherent risk, prompt and documented remediation of
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness (cont.)
◊ Cyber Incident Management and Resilience: Incident detection, response, mitigation, escalation, reporting, and resilience
• Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures
• Senior management and board incident reporting
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications?
• Increased Board and C-Suite Involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how FI is addressing the FFIEC Cybersecurity
FFIEC Cybersecurity Assessment Tool (CAT)
• Domain 1 – Risk Management & Oversight
– Governance
– Oversight
– Strategies & Policies
FFIEC Cybersecurity Assessment Tool (CAT)
• Domain 1 – Risk Management & Oversight
– Risk Management
– Risk Management Program
– Risk Assessment
FFIEC Cybersecurity Assessment Tool (CAT)
• Domain 1 – Risk Management & Oversight
– Resources - Staffing
FFIEC Cybersecurity Assessment Tool (CAT)
• Domain 2 – Threat Intelligence & Collaboration
– Threat Intelligence & Info.
– Monitoring & Analyzing
FFIEC Cybersecurity Assessment Tool (CAT)
• Domain 3 – Cybersecurity Controls
– Preventative Controls
– Infrastructure Management
– Access and Data Management
– Device/End-Point Security
FFIEC Cybersecurity Assessment Tool (CAT)
• Domain 3 – Cybersecurity Controls
– Detective Controls
– Threat & Vulnerability Detection
– Anomalous Activity Detection
FFIEC Cybersecurity Assessment Tool (CAT)
• Domain 3 – Cybersecurity Controls
– Corrective Controls
– Patch Management
FFIEC Cybersecurity Assessment Tool (CAT)
• Domain 4 – External Dependency Management
• Connections
– Relationship Management
– Due Diligence
– Contracts
– Ongoing Monitoring
FFIEC Cybersecurity Assessment Tool (CAT)
• Domain 5 – Cyber Incident Management & Resilience
– Incident Resilience Planning & Strategy
– Planning
– Testing