©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
©2014 C
lifto
nLars
onA
llen L
LP
CLAconnect.com
Cyber Crime TrendsLeadingAge Missouri
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Three Questions About the
• What are hackers doing?
• Who are the hackers?
• How do hack so well?
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Themes
• Hackers have “monetized” their activity
– More hacking
– More sophistication
– More “hands-on” effort
– Smaller organizations targeted◊ 62% hit small and medium size entities
◊ http://www.propertycasualty360.com/2015/05/27/small-mid-sized-businesses-hit-by-62-of-all-cyber?slreturn=1473190537
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Mitigation Themes
• Employees that are aware and savvy
• Networks resistant to penetration and malware
• Relationships with banks maximized
• Proper insurance coverage
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
What are they doing?
• PFI – Personal Financial Information
– Wholesale theft of personal financial information
• PHI – Personal Health Information
– Wholesale theft of patients health records
• CATO– Corporate Account Takeover
– Use of online credentials for ACH, CC and wire fraud
• Ransomware
– Lock down of a system with ransom demands
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
• Target
• Goodwill
• Jimmy Johns
• University of Maryland
• University of Indiana
• Olmsted Medical Center
• Community Health Systems
Black Market Economy - Theft of PFI and PII
6
• Anthem
• Blue Cross Primera
Active campaigns involving targeted phishing and hacking focused on common/known vulnerabilities.
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
• Advocate Health Care Network fined $5.550,000 (Federal Fine)
• http://www.cnbc.com/2016/08/04/huge-data-breach-at-health-system-leads-to-biggest-ever-settlement.html
Black Market Economy - Theft of PFI and PHI
7
Active campaigns involving targeted phishing and often targeted industries and institutions.
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Black Market Economy – Stolen Card Data
• Carder or Carding websites
• Dumps vs CVV’s
• A peek inside a carding operation:
http://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/
8
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Black Market Economy – “Carder Boards”
• Easy to use!
9
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Credit Card Data For Sale
10
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
• Catholic church parish
• Hospice
• Collection agency
• Main Street newspaper stand
• Electrical contractor
• Health care trade association
• Health care facility
• Rural hospital
• Mining company
• On and on and on and on……………..
Corporate Financial Account Takeover
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Corporate Account Take Over – 3 Versions
1. Deploy malware – keystroke logger
2. Deploy malware – man in the middle
3. Recon / email persuasion
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Multi-Factor Authentication Solutions
• MFA is critical
• Silver bullet?
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
• CEO asks the CFO…
• Common mistakes
1. Use of private email
2. “Don’t tell anyone”
• http://www.csoonline.com/article/2884339/malware-cybercrime/omahas-scoular-co-loses-17-million-after-spearphishing-attack.html
14
V3 Case Study – Please Wire $ to….
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
CATO Defensive Measures
• Multi-layer authentication
• Multi-factor authentication
• Out of band authentication
• Positive pay
• ACH block and filter
• IP address filtering
• Dual control
• Activity monitoring
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Ransomware
• Malware encrypts everything it can interact with
– V1: Everything where it lands
– V2: Everything where it lands plus everything user has rights to on the network
– V3: Everything where it lands plus everything on the network
• CryptoLocker / Cryptowall
• Kovter
– Also displays and adds child pornography images
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Ransomware
• McAfee saw 4,000,000 ransomware versions in late 2015
• Ransomware is expected to explode in 2016
• http://www.securitymagazine.com/articles/86787-ransomware-attacks-to-grow-in-2016
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Ransomware
• Zip file is preferred delivery method
– Helps evade virus protection
• Working (tested) backups are key
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
The Cost?Norton/Symantec Corp:
• Cost of global cybercrime: $388 billion
• Global black market in marijuana, cocaine and heroin combined: $288 billion
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Who?
• Chinese
– State sponsored
– Goal is to supplant US as #1 economic power
• Russians
– State “protected”
– Goal is simpler, steal money
• Copycats
– Koreans, Africans, others use the tools of the Chinese and Russians
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
How do hackers and fraudsters break in?
• Modern hacking relies on malware
• Social engineering
• Drive by surfing
– Infected websites
• Easy password attacks
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Social Engineering
Pretext phone calls
Building penetration
Email attacks
“Amateurs hack systems, professionals hack people.”Bruce Schneier
22
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Pre-text Phone Calls• “Hi, this is Randy from Fiserv users support. I am
working with Dave, and I need your help…”
– Name dropping
– Establish a rapport
– Ask for help
– Inject some techno-babble
– Think telemarketers script
• Home Equity Line of Credit (HELOC) fraud calls
• Ongoing high-profile ACH frauds
23
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Physical (Facility) SecurityCompromise the site:
• “Hi, Joe said he would let you know I was coming to fix the printers…”
Plant devices:
• Keystroke loggers
• Wireless access point
• Thumb drives (“Switch Blade”)
24
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Email Attacks - Spoofing and Phishing
• Impersonate someone in authority and:
– Ask them to visit a web-site
– Ask them to open an attachment or run update
• Examples
– Better Business Bureau complaint
– http://www.millersmiles.co.uk/email/visa-usabetter-business-bureaucall-for-action-visa
– Microsoft Security Patch Download
– Important software update from management
25
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Email Phishing – “Targeted Attack”
26
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Strategies to Combat Social Engineering• (Ongoing) user awareness training
• SANS “First Five” – Layers “behind the people”
1. Secure/Standard Configurations (hardening)
2. Critical Patches – Operating Systems
3. Critical Patches – Applications
4. Application White Listing
5. Minimized user access rights
No browsing/email with admin rights
27
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
The Cyber Insurance Maze• Local agents unaware, uninformed or uninterested
• Lack of standardized policy language
• Generic “one size fits all” applications
• Evolution at the actuarial process
• Evolution at the underwriter
28
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Cyber Insurance Protection Basics
• Errors and omission
– Typically associated with software providers
• Media and intellectual property
– Media placed on website or made available
• Network and systems security
– Extensive and broad category (common considerations)
• Breach of privacy
– Disclosure of PFI, PII, HIPAA and others (donor info)
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Cyber Insurance Coverage
• Forensic services
• Business interruption coverage
• Credit monitoring – Often by state regulations
• Technical consulting and system repair
• Legal costs
• Cost of issuance of new credit cards
• Certain fines from regulatory bodies
• Lawsuit related settlements and costs
• Cost of informing impacted entities and persons
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Cyber Insurance Procurement
• Obtain multiple quotes
– Not necessarily based on cost
– Exposure of an uninformed quote
– Exposure of the “one size fits all” application
– Education of dollar coverage amounts as recommended by broker
• Obtain an objective third party review
• Discuss with peers
• DO IT!
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
©2014 C
lifto
nLars
onA
llen L
LP
CLAconnect.com
10 Key Defensive Measures
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Attacks are Preventable!
• Intrusion Analysis: TrustWave
• Intrusion Analysis: Verizon Business Services
• Intrusion Analysis: CERT Coordination Center
• Intrusion Analysis: CLA Incident Handling Team
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Relationship with our FI is maximized
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
1. Strong Policies -
• Email use
• Website links
• Removable media
• Users vs Admin
• Insurance
Ten Keys to Mitigate Risk
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Ten Keys to Mitigate Risk
2. Defined user access roles and permissions
• Principal of minimum access and least privilege
• Users should NOT have system administrator rights
• “Local Admin” in Windows should be removed (if practical)
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Ten Keys to Mitigate Risk
3. Hardened internal systems (end points)
• Hardening checklists
• Turn off unneeded services
• Change default password
• Use Strong Passwords
• Consider application white-listing
4. Encryption strategy – data centered
• Laptops and desktops
• Thumb drives
• Email enabled cell phones
• Mobile media
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Ten Keys to Mitigate Risk
5. Vulnerability management process
• Operating system patches
• Application patches
• Testing to validate effectiveness –
• “belt and suspenders”
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Ten Keys to Mitigate Risk
6. Well defined perimeter security layers:• Network segments• Email gateway/filter• Firewall – “Proxy” integration for traffic in AND out• Intrusion Detection/Prevention for network traffic, Internet
facing hosts, AND workstations (end points)
7. Centralized audit logging, analysis, and automated alerting capabilities
• Routing infrastructure• Network authentication• Servers• Applications
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Ten Keys to Mitigate Risk
8. Defined incident response plan and procedures
• Be prepared
• Including data leakage prevention and monitoring
• Forensic preparedness
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Ten Keys to Mitigate Risk
9. Know / use Online Banking Tools
• Multi-factor authentication
• Dual control / verification
• Out of band verification / call back thresholds
• ACH positive pay
• ACH blocks and filters
• Review contracts relative to all these
• Monitor account activity daily
• Isolate the PC used for wires/ACH
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
10. Test, Test, Test
– “Belt and suspenders” approach
– Penetration testing◊ Internal and external
– Social engineering testing
◊ Simulate spear phishing
– Application testing◊ Test the tools with your
bank
◊ Test internal processes
Ten Keys to Mitigate Risk
©2
01
4 C
lifto
nLa
rso
nA
llen
LLP
Questions?
Hang on, it’s going to be a wild ride!!
Darrell Songer, Principal
Information Security Services Group
***
(314-925-4300)