20140609 ACUIA Schauer Devil Knocks Handouts


Page 1: 20140609 ACUIA Schauer Devil Knocks Handouts

6/11/14

Copyright TrustCC. All Rights Reserved.

Provoking Thought

"In the world of networked computers every sociopath is your neighbor" ...Dan Geer


Introduction

Tom Schauer; CEO TrustCC
CISA, CISM, CRISC, CISSP, CEH, CTGA
[email protected]
253.468.9750


When the Devil Knocks... The State of Information Security in 2014

By Tom Schauer, CEO TrustCC: Trusted Consulting and Compliance
CISA, CISM, CISSP, CEH, CRISC, CTGA

Serving Financial Institutions since 1986

Page 2

It is an exciting time for computer users...

But with these benefits comes risk...

It is an exciting time to be a Credit Union...

Page 3

Izz ad-Din al-Qassam Cyber Fighters

New Threats: DDoS Attacks

✓ An attacker has control of many compromised systems and uses them to launch a coordinated attack that uses resources... making sites unavailable to 'real' users.

Credit Union Servers

A single server could host multiple CU websites.

Page 4

Target Breach by the Numbers...

– The dates the attackers stole card numbers: Nov 27 to Dec 15
– The number of card numbers stolen: 40,000,000
– Percentage decline in profit Q4 2013 vs Q4 2012: 46
– The cost to banks and credit unions for reissue: $200,000,000
– The number of Target employees with CISO title: 0
– The median price of cards successfully sold: $18.00 – $35.70
– The likely income made by the hackers: $53,700,000

See www.krebsonsecurity.com

Page 5

https://www.privacyrights.org/data-breach

Of 4239, only 34 CU Events and 124 Bank Events

Credit Union Events
• Merchant breach (3)
• Vendor Negligence
• Accidental disclosure (5)
• Paper Carelessness (3)
• Accidental Loss of Tape Backup (2)
• Employee Misuse of Information (3)
• ATM Skimming
• Hacking (2)
• Theft (8)
• Social Engineering (2)
• Malware

[Embedded screenshot: "Chronology of Data Breaches | Privacy Rights Clearinghouse", captured 4/6/14, 9:14 AM, page 1 of 6 of https://www.privacyrights.org/data-breach-asc?title=Credit+Union, filtered to "Credit Union". Columns: Date Made Public, Name, Entity Type, Total Records.]

September 7, 2013 – Rockland Federal Credit Union, Rockland, Massachusetts – BSF, HACK, Unknown
Those with questions may call 781-878-0232.
Rockland Federal Credit Union is sending customers new debit cards with new PINs as a result of a merchant who discovered a breach in their computer system. All old debit cards will be deactivated on September 26.
Information Source: Media
Records from this breach used in our total: 0

August 28, 2013 – Missouri Credit Union, Columbia, Missouri – BSF, DISC, 39,000
A file with customer information was accidentally published on Missouri Credit Union's website on August 5. The names, Social Security numbers, account numbers, teller and call-in passwords, and addresses of Missouri Credit Union members were accessed. The file was accessed 10 times before the issue was discovered and it was taken off of the website.
Information Source: Media
Records from this breach used in our total: 39,000

June 17, 2013 – Yolo Federal Credit Union, Woodland, California – BSF, UNKN, Unknown
Yolo was notified by Visa that there may have been a breach at several merchant locations. Yolo was not the site of the breach, but customers were issued new payment cards. The issue was reported to Yolo on May 31.
Information Source: Media
Records from this breach used in our total: 0

December 13, 2012 – Yolo Federal Credit Union, Woodland, California – BSF, CARD, Unknown
A skimming device on an ATM resulted in fraudulent transactions on over 800 accounts. The fraudulent transactions appear to date from October 27, 2012 to November 7, 2012. It is not clear how many skimming devices were involved and where they were located.
Information Source: California Attorney General
Records from this breach used in our total: 0

October 29, 2012 – Abilene Telco Federal Credit Union, Experian, Abilene, Texas – BSF, HACK, 847
A hacker or hackers were able to access an Abilene Telco Federal Credit Union employee's computer in September 2011. The Bank's online account with Experian was then used to download the credit reports of 847 people. Social Security numbers, dates of birth and detailed financial data were exposed.
Information Source: Dataloss DB
Records from this breach used in our total: 847

October 24, 2012 – Vermont State Employee's Credit Union (VSECU), Montpelier, Vermont – BSF, PORT, Unknown
Two unencrypted backup tapes were discovered missing on September 10. They were lost sometime between August 27, and


Overall, How Breaches Occur*...

52% used some form of hacking
76% exploited weak or stolen credentials
40% incorporated malware
35% involved physical attacks
29% involved social tactics
13% resulted from privilege misuse

*Verizon 2013 Data Breach Investigations Report

Page 6

What can we learn from Target that applies to community and regional financial institutions?

How did it happen?

The Target breach began with the phishing of an HVAC contractor that had credentials to access the Target network. Hackers and crackers are sophisticated; at this level, they're playing a long game to nail lucrative, high-value targets. They're looking where they think you're not looking.

The weakest part of your security is something you haven't considered...

1. Social Engineering (SE). We know most attacks start with SE because employees are reliably ineffective at stopping the attack. Have you specifically tested what can happen when an employee is compromised?

2. Should an incident occur, do you have an incident response plan that will minimize financial and reputation impacts?

Page 7

Applicability to Financial Institutions (FIs)

1. Most FIs test Social Engineering but do not do so with escalation intentions. Testing the ability to detect and thwart an attack originating from an employee workstation is essential.

*Simulated Insider Penetration Testing

2. Many FIs have a token Incident Response Plan that is dusty and un-tested.

Missed Alerts and Opportunities

"According to Businessweek, Target was running its own security operations center in Minneapolis. In May 2013 Target implemented best-of-breed malware detection software named FireEye. FireEye caught the initial November 30 infection of Target's payment system by malware. All told, five "malware.binary" alarms reportedly sounded, each graded at the top of FireEye's criticality scale. Unfortunately, it appears Target's security team failed to act on the threat indicators."

It's Vital to Know Which Alerts Can Be Ignored

1. Skills may have been insufficient. Should this activity have been outsourced to experts?

2. Does your organization perform 'Covert' security testing in order to test incident detection and response?

Page 8

Applicability to Financial Institutions (FIs)

1. Insufficient skills are more common at smaller and more remote FIs.

2. The vast majority of Financial Institutions do not perform sufficient 'covert' testing to validate their incident detection and response.

Class Action...

Negligence or Risk Acceptance

"We believe that Target not only knew its systems were vulnerable to exactly this kind of attack all the way back in 2007, but was alerted to and acknowledged suggestions that would have made its customers safer," said Tom Loeser, a Hagens Berman Partner and former federal prosecutor in the Cyber and Intellectual Property Crimes Section of the U.S. Attorneys' Office in Los Angeles. "However, Target did not act on this knowledge, and as a result, tens of millions have had their personal information stolen and financial accounts compromised."

Page 9

Two Incredibly Important Points

1. "Head in the Sand" and/or "Risk Acceptance" is a risky management technique.

2. When an incident occurs the sharks may be in a feeding frenzy. Perception will be as important as reality.

Applicability to Financial Institutions

1. "Risk Acceptance" is a very common practice.
   a. Too expensive, cannot afford the control
   b. The Core is compatible with only the older versions of Adobe, Java, etc.

2. "Risk Acceptance" is often poorly documented.
   a. If the feeding frenzy begins you will want evidence of a well-informed and well-supported conclusion.

"Okay, but Banks & Credit Unions rarely get breached!"

"Can you explain this?"

Page 10

Attackers seek obscurity and profit.

✓ Stealing card numbers is generally easy because retailers have poor controls.
✓ Selling card numbers is profitable because carders can easily replicate cards.
✓ There is little risk to the attacker since they sell the cards and do not commit the fraud using their cards.
✓ But... what happens with Chip and PIN or Signature...

What Payment System will be next?

How could an attacker steal enough money from your FI to make the effort worthwhile?

✓ Take over the online banking accounts of your higher-wealth or business customers/members.
✓ Modify the ACH file just before processing.
✓ Execute a wire transfer.

"Okay, but Banks & Credit Unions already perform security testing!"

"Are we easy targets like retailers?"

Page 11

The BIG Disconnect with Traditional Security Testing

✓ Most Security Assessors perform Pen Testing with an approach that is deeply flawed and unrealistic.
✓ SE is performed but without escalation intentions.
✓ "Pen Testing" is performed from a conference room with a laptop loaded with hacking tools.
✓ Testing is almost never covert. IT is aware.
✓ And when results are reported IT often discredits the assessment by saying... 'We let you in the conference room, we saw your testing, this would never happen in a real attack.'

Frustrating!

'Realistic' Pen-testing 2013

"Attacking our clients using the SAME methods being used 'in the wild'."

Results when Realistic Penetration was performed at TrustCC clients...

Nearly 200 Financial Institutions
Breached – 63%
Sensitive Data – 79%
Admin Access – 58%

"And we got better as the year progressed..."

Page 12

How do we do it?

✓ Just like the bad guys...
✓ we carefully research and plan our attacks,
✓ we develop very convincing scenarios,
✓ we set up fictitious yet convincing websites,
✓ we trickle our testing,
✓ we deliver payloads, AND
✓ We have the skills to go from domain user on a domain workstation with no tools and limited access to domain administrator

Example: Social Engineering – Pretext Calling

Credit Union with over $700M in Assets. Contract with CU; only Senior Management knows the precise timing of testing.

1. We use LinkedIn to identify potential victims
2. We call in to a branch pretending to be "Jackson from IT"
3. We bond by small talk and empathy
4. Convince employee to run our Network Diagnostic Tool
5. AV stops us. We convince employee to disable AV. This is effective because employee has local admin rights.

• We now have remote control of employee's computer with her access. It's all about getting our 'Payload' to run.

Page 13

What can we do with a user's workstation?

• Path 1: Install keystroke logger, capture her passwords, commit fraud using her accounts
• Path 2: Harvest sensitive information
• Path 3: Work to Escalate Access
  • Found a Domain Admin had previously logged into her computer
  • Use tool to pull residual credentials (token) from system
  • RDC to Domain Controller and reuse old token.
• In 60 minutes we are Domain Admin.
• No IT Response. None. Zero. Game Over. Checkmate!
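Each step of the path above (an admin logon left on a teller PC, AV switched off, then a privileged RDP session into the domain controller from the branch subnet) is visible in ordinary Windows Security logging; the "No IT Response" outcome means nobody was correlating it. The following is an added example, not TrustCC's code: Python detection rules run over constructed Security events (EventID 4624 logon records and Windows Defender's event 5001, "Real-time protection is disabled"); the admin account, host names and workstation subnet are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed environment facts; a real deployment would take these from AD / the CMDB.
DOMAIN_ADMINS = {"CORP\\da.admin01"}           # hypothetical privileged account
DOMAIN_CONTROLLERS = {"DC01"}                  # hypothetical DC hostname
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")
DEFENDER_RTP_DISABLED = 5001  # Windows Defender: "Real-time protection is disabled"


@dataclass
class Alert:
    rule: str
    severity: str
    host: str
    user: str


def on_workstation_net(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip) in WORKSTATION_NET
    except ValueError:  # local logons carry "-" instead of an address
        return False


def detect(events):
    """Return one Alert per matching event, covering the three steps of the path."""
    alerts = []
    for e in events:
        eid, host, user = e.get("EventID"), e.get("Computer"), e.get("TargetUserName")
        ltype = e.get("LogonType")
        if eid == 4624 and user in DOMAIN_ADMINS and host not in DOMAIN_CONTROLLERS \
                and ltype in (2, 10):
            # Admin credentials cached on a workstation: what the tester later harvested.
            alerts.append(Alert("domain-admin-logon-on-workstation", "medium", host, user))
        if eid == DEFENDER_RTP_DISABLED and host not in DOMAIN_CONTROLLERS:
            # AV turned off by a user who has local admin rights.
            alerts.append(Alert("endpoint-protection-disabled", "high", host,
                                e.get("SubjectUserName", "?")))
        if eid == 4624 and ltype == 10 and host in DOMAIN_CONTROLLERS \
                and user in DOMAIN_ADMINS and on_workstation_net(e.get("IpAddress", "")):
            # Privileged RDP into a DC sourced from the workstation subnet, not an admin jump host.
            alerts.append(Alert("privileged-rdp-to-dc-from-workstation", "critical", host, user))
    return alerts


# Constructed sample events, in the order the slides describe.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS-BRANCH07", "TargetUserName": "CORP\\da.admin01",
     "LogonType": 2, "IpAddress": "-"},            # weeks earlier: admin at the teller PC
    {"EventID": 4624, "Computer": "WS-BRANCH07", "TargetUserName": "CORP\\teller.jones",
     "LogonType": 2, "IpAddress": "-"},            # normal user logon, no alert
    {"EventID": DEFENDER_RTP_DISABLED, "Computer": "WS-BRANCH07",
     "SubjectUserName": "CORP\\teller.jones"},      # "convince employee to disable AV"
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "CORP\\da.admin01",
     "LogonType": 10, "IpAddress": "10.20.7.31"},   # RDC to the DC with the reused credentials
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] {a.rule}: {a.host} {a.user}")
```

The first rule is the one worth tuning hardest: if domain admins never log on to workstations, there is nothing to harvest and the later steps never reach the DC.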


With domain admin access we can commit any fraud, control any system, steal any data... attribute our actions to any user... and erase many of our tracks.

Page 14

Social Engineering – Success Rates

An attacker needs ONE responsive session.

Phishing: Average = 2.5 in 10
Pretext Calling = 4.5 in 10
Site Visits = 2.5 in 10
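Why one responsive session is enough, as an added worked calculation (not from the slides) using the rates above; $p$ is the per-contact success rate and $n$ the number of employees contacted, treated as independent attempts:

$$P(\text{at least one session}) = 1 - (1-p)^n$$

$$\text{Phishing, } p = 0.25,\ n = 10:\quad 1 - 0.75^{10} \approx 0.944$$

$$\text{Pretext calling, } p = 0.45,\ n = 5:\quad 1 - 0.55^{5} \approx 0.950$$

$$\text{Contacts needed for a 99\% chance: } n \ge \frac{\ln(1 - 0.99)}{\ln(1 - p)} \quad\Rightarrow\quad n = 17 \text{ (phishing)},\ n = 8 \text{ (pretext calling)}$$

Per-employee awareness training lowers $p$, but with a staff list in hand the attacker simply raises $n$; detection and containment of that first session is what limits the damage.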


Realistic Penetration Testing

• Requires more Coordination
• Requires Less Disclosure
• Requires stringent Rules of Engagement
• Requires much more analysis of logging and alerts to determine if activity could be detected
• We are unaware of our competitors performing pen-testing like this...

[Figure: risk diagram with axes Probability, Frequency, Consequence]

Cut Breach Costs and Reputation Risk

GLBA says... Build an Effective Security Program

Page 15

Consider this a Call to Action!

1. Name a CISO, equip them, empower them.
2. Resist Risk Acceptance and Security Compromise.
3. Ensure sufficient security skills on IT team.
4. Perform Realistic Penetration Testing.
   a. Covert to test incident detection and response
   b. Real SE and real access escalation
   c. Choose a creative and competent provider
5. Have a robust/tested incident response plan.
6. Risk Assess to identify your weak links.

Consider TrustCC a part of your network...

Tom Schauer; CEO TrustCC
CISA, CISM, CRISC, CISSP, CEH, CTGA
[email protected]
253.468.9750