Mark Eich is the Managing Principal of the Information Security Services Group at CliftonLarsonAllen. He has over 26 years’ experience in auditing and technology consulting and has actively led many IT audits and security assessments for clients in a range of industries.
Hackers have “monetized” their activity
- More hacking
- More sophistication
- More “hands-on” effort
- Smaller organizations targeted
- Social engineering on the rise
- Hackers targeting businesses more than banks

- Employees that are aware and savvy
- Networks resistant to malware
Organized Crime
- Wholesale theft of personal financial information
- Payment fraud – Corporate Account Takeover: use of online credentials for ACH, CC and wire fraud
- Ransomware
Recent victims:
- Target
- Neiman Marcus
- University of Maryland
- University of Indiana
- Olmsted Medical Center
- Etc etc etc…
- Main street hardware store??
- Catholic church parish
- Hospice
- Collection agency
- Main Street newspaper stand
- Health care trade association
- Rural hospital
- Mining company
- On and on and on and on…
Malware encrypts everything it can interact with
- i.e. anything the infected user has access to
- CryptoLocker
- Kovter – also displays and adds child pornography images
- May 20, 2014 – Ransomware attacks doubled in last month (7,000 to 15,000): http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966.html
- Zip file is preferred delivery method – helps evade virus protection
- Working (tested) backups are key
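The slide notes that a zip attachment is the preferred delivery method because it gets past virus protection. The check below is an added example, not part of the presentation or any CliftonLarsonAllen tooling: it shows the kind of inspection an email gateway can apply to a zip attachment in memory before delivery, flagging executable or script members, the “Invoice.pdf.exe” double-extension trick, password-protected members that a scanner cannot see inside, nested archives, and a Windows PE header hiding under a harmless-looking name. The extension lists, the sample archives and the quarantine policy are all constructed for the example.

```python
import io
import zipfile

# Extensions a gateway typically treats as executable or script content.
# Constructed for this example; not an exhaustive list.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".jar", ".msi",
}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}


def _name_parts(member_name):
    """Dotted parts of the member's base name, lower-cased ("a/B.pdf.EXE" -> ["b", "pdf", "exe"])."""
    base = member_name.rsplit("/", 1)[-1].lower()
    return base.split(".")


def suspicious_members(zip_bytes):
    """Return (member, reason) pairs a gateway policy should flag.

    Nothing is written to disk and nothing is executed: only member names,
    header flags and the first two bytes of each member are examined."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<attachment>", "not a valid zip archive")]
    with archive as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = _name_parts(info.filename)
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTENSIONS:
                reason = "executable or script extension"
                if len(parts) > 2:
                    # "Invoice_0421.pdf.exe": Explorer hides the real extension
                    reason = "double extension disguising an executable"
                findings.append((info.filename, reason))
            elif info.flag_bits & 0x1:
                # Bit 0 of the general-purpose flag means the member is encrypted
                findings.append((info.filename, "encrypted member, content cannot be scanned"))
            elif ext in ARCHIVE_EXTENSIONS:
                findings.append((info.filename, "nested archive"))
            else:
                # Name looks harmless; still check for a Windows PE ("MZ") header
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        findings.append((info.filename, "PE header under a non-executable name"))
    return findings


def gateway_verdict(zip_bytes):
    """Policy decision for the whole attachment."""
    return "quarantine" if suspicious_members(zip_bytes) else "deliver"


def build_phishing_sample():
    """Constructed sample resembling a malicious 'invoice' attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_0421.pdf.exe", b"MZ" + b"\x00" * 64)  # fake PE stub
        zf.writestr("readme.txt", b"Please open the attached invoice.")
    return buf.getvalue()


def build_clean_sample():
    """Constructed sample of an ordinary document archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("q1_report.pdf", b"%PDF-1.4 (constructed placeholder)")
        zf.writestr("notes.txt", b"Meeting notes")
    return buf.getvalue()


if __name__ == "__main__":
    for label, build in (("phishing", build_phishing_sample), ("clean", build_clean_sample)):
        data = build()
        print(label, gateway_verdict(data), suspicious_members(data))
```

The encrypted-member branch matters in practice: a password-protected zip with the password in the email body is exactly the case where the scanner reports “clean” because it saw nothing, so the policy treats unscannable content as a finding rather than as a pass.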
Norton/Symantec Corp: cost of global cybercrime: $388 billion
- Hackers are lazy – go for the “easy money”
- Bank customers are much easier targets than the banks themselves
Intrusion Analysis: TrustWave – January 2010 and April 2011
- https://www.trustwave.com/GSR

Intrusion Analysis: Verizon Business Services – July 2010 and April 2011
- http://securityblog.verizonbusiness.com/2011/04/19/2011-data-breach-investigations-report-released/
Top Methods of Entry Included:
- Social Engineering
- Email Phishing
- On-line banking trojans
“Amateurs hack systems, professionals hack people.” – Bruce Schneier

Social Engineering uses non-technical attacks to gain information or access to technical systems:
- Pre-text telephone calls
- Building penetration
- Email attacks
“Second Generation” phishing
Goal is to “root the network”:
- Install malware
- Log system activity to harvest passwords
- Use automated tools to execute fraudulent payments
- Trick users into supplying credentials (passwords)
With so much money at stake, hackers are putting in more effort to increase the likelihood that the emailed link will be followed:
- “Spoof” the email to appear that it comes from someone in authority
- Create a customized text that combines with the spoofing to create pressure to act quickly (without thinking)
Our information security strategy should have the following objectives:
- Users who are more aware and savvy
- Networks that are resistant to malware
- Relationship with our FI (financial institution) is maximized
1. Strong Policies
- Email use
- Website links
- Removable media
- Users vs Admin
- Insurance
2. Defined user access roles and permissions
- Principle of minimum access and least privilege
- Users should NOT have system administrator rights
- “Local Admin” in Windows should be removed (if practical)
3. Hardened internal systems (end points)
- Hardening checklists
- Turn off unneeded services
- Change default passwords
- Use strong passwords (see tip on next slide)
4. Encryption strategy – data centered
5. Vulnerability management process
- Operating system patches
- Application patches
- Testing to validate effectiveness
6. Well defined perimeter security layers:
- Network segments
- Email gateway/filter
- Firewall – “proxy” integration for traffic in AND out
- Intrusion Detection/Prevention for network traffic, Internet-facing hosts, AND workstations (end points)
7. Centralized audit logging, analysis, and automated alerting capabilities
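Two of the strategy items above, removing local admin rights (item 2) and centralized logging with automated alerting (item 7), meet in the analysis below. It is an added example, not code from the presentation or from CliftonLarsonAllen: a small analyzer that reads workstation security events after they have been forwarded to a central point and raises an alert when a burst of failed logons for an account is followed by a success (password guessing that worked) or when any account is added to the local Administrators group (a violation of the no-local-admin policy). The event IDs are the real Windows Security log IDs (4625 failed logon, 4624 successful logon, 4732 member added to a security-enabled local group); the key=value line layout, hostnames, users and timestamps are constructed for the example, as are the threshold and window values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of forwarded workstation events.  Event IDs are the real
# Windows Security log IDs; the line format and all names are made up.
SAMPLE_LOG = """\
2014-05-20T08:01:10 host=WS-ACCT-07 event=4625 user=jdoe src=10.0.5.23
2014-05-20T08:01:12 host=WS-ACCT-07 event=4625 user=jdoe src=10.0.5.23
2014-05-20T08:01:15 host=WS-ACCT-07 event=4625 user=jdoe src=10.0.5.23
2014-05-20T08:01:17 host=WS-ACCT-07 event=4625 user=jdoe src=10.0.5.23
2014-05-20T08:01:19 host=WS-ACCT-07 event=4625 user=jdoe src=10.0.5.23
2014-05-20T08:01:25 host=WS-ACCT-07 event=4624 user=jdoe src=10.0.5.23
2014-05-20T08:02:00 host=WS-ACCT-07 event=4732 user=jdoe group=Administrators actor=jdoe
2014-05-20T09:15:00 host=WS-HR-02 event=4625 user=asmith src=10.0.7.4
2014-05-20T09:15:30 host=WS-HR-02 event=4624 user=asmith src=10.0.7.4
"""

FAILURE_THRESHOLD = 5            # constructed: failed logons that count as a burst
WINDOW = timedelta(minutes=2)    # constructed: how long a failure stays "recent"


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for f in fields:
        key, _, value = f.partition("=")
        rec[key] = value
    return rec


def _trim(queue, now):
    """Drop failure timestamps that fell out of the sliding window."""
    while queue and now - queue[0] > WINDOW:
        queue.popleft()


def analyze(log_text):
    """Return a list of (alert_type, host, user) tuples for the log text."""
    alerts = []
    failures = defaultdict(deque)   # (host, user) -> recent failed-logon timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["host"], rec["user"])
        queue = failures[key]
        if rec["event"] == "4625":
            queue.append(rec["ts"])
            _trim(queue, rec["ts"])
        elif rec["event"] == "4624":
            _trim(queue, rec["ts"])
            if len(queue) >= FAILURE_THRESHOLD:
                alerts.append(("failed-logon-burst-then-success", rec["host"], rec["user"]))
            queue.clear()
        elif rec["event"] == "4732" and rec.get("group") == "Administrators":
            # Policy says nobody should hold local admin, so every addition is an alert
            alerts.append(("local-admin-added", rec["host"], rec["user"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

The point of centralizing the events is visible in the second rule: an attacker who gains local admin on a workstation can clear that workstation's log, but cannot remove the copy already forwarded, so the alert still fires. The asmith lines show the sliding window at work: a single mistyped password followed by a success is normal and produces nothing.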
8. Defined incident response plan and procedures
- Be prepared
- Including data leakage prevention and monitoring
- Forensic preparedness
9. Know / use Online Banking Tools
- Multi-factor authentication
- Dual control / verification
- Out-of-band verification / call-back thresholds
- ACH positive pay
- ACH blocks and filters
- Review contracts relative to all these
- Monitor account activity daily
- Isolate the PC used for wires/ACH
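Dual control and call-back thresholds are listed above as tools the bank offers; the model below, an added example rather than anything from the presentation or from any bank's platform, shows what those two controls enforce and why they blunt corporate account takeover. A payment is released only if someone other than the person who keyed it approved it (a single stolen credential cannot both create and release), and payments at or above a threshold, or to a payee never paid before, are held until the bank has confirmed out of band by calling a known number. The threshold, the known-payee list, the user names and the sample payments are all constructed; the real values come from the agreement with the financial institution.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed policy value; in practice agreed with the FI and written into the contract.
CALLBACK_THRESHOLD = Decimal("10000")


@dataclass
class Payment:
    payment_id: str
    amount: Decimal
    payee: str
    initiator: str                                  # user who keyed the ACH/wire
    approvals: set = field(default_factory=set)     # users who clicked "approve"
    callback_confirmed: bool = False                # bank phoned a known number and got a yes


def release_decision(p, known_payees, callback_threshold=CALLBACK_THRESHOLD):
    """Return ('release', reason) or ('hold', reason) for a pending payment."""
    # Dual control: the initiator may not be the approver, however many times
    # the initiating credential is used.
    second_person = p.approvals - {p.initiator}
    if not second_person:
        return ("hold", "no approval from a user other than the initiator")
    # Out-of-band verification: amount at/above the threshold, or a payee the
    # company has never paid, must be confirmed by the bank by call-back.
    needs_callback = p.amount >= callback_threshold or p.payee not in known_payees
    if needs_callback and not p.callback_confirmed:
        return ("hold", "call-back required: amount at/above threshold or new payee")
    return ("release", "dual control satisfied; call-back not required or confirmed")


def daily_review(payments, known_payees):
    """Ids of payments currently on hold: the list an owner looks at every day."""
    return [p.payment_id for p in payments
            if release_decision(p, known_payees)[0] == "hold"]


# Constructed sample data
KNOWN_PAYEES = {"ACME Supply", "City Utilities"}
SAMPLE_PAYMENTS = [
    Payment("P1", Decimal("2500"), "ACME Supply", "jdoe", {"jdoe"}),           # self-approved
    Payment("P2", Decimal("2500"), "ACME Supply", "jdoe", {"asmith"}),         # normal
    Payment("P3", Decimal("48000"), "ACME Supply", "jdoe", {"asmith"}),        # large, no call-back yet
    Payment("P4", Decimal("48000"), "ACME Supply", "jdoe", {"asmith"},
            callback_confirmed=True),                                          # large, confirmed
    Payment("P5", Decimal("900"), "Overseas Holdings Ltd", "jdoe", {"asmith"}),  # new payee
]

if __name__ == "__main__":
    for p in SAMPLE_PAYMENTS:
        print(p.payment_id, *release_decision(p, KNOWN_PAYEES))
```

P5 is the case the threshold alone misses: a small first payment to an unfamiliar payee is a common way to test whether fraudulent instructions go through, which is why the new-payee condition is added to the amount check.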
10. Test, Test, Test
- “Belt and suspenders” approach
- Penetration testing
- Social engineering testing
- Application testing
- Test the tools with your bank
- Test internal processes
Hang on, it’s going to be a wild ride!!
Information Security Services Group – mark.eich@claconnect.com – (612)397-3128