20140609 acuia schauer devil knocks handouts...according to businessweek, target was running its own...
Post on 17-Jul-2020
6/11/14
Copyright TrustCC. All Rights Reserved.
"In the world of networked computers every sociopath is your neighbor" …Dan Geer
Provoking Thought
Introduction
Tom Schauer; CEO TrustCC. CISA, CISM, CRISC, CISSP, CEH, CTGA
tschauer@trustcc.com
253.468.9750
When the Devil Knocks… The State of Information Security in 2014
By Tom Schauer, CEO TrustCC: Trusted Consulting and Compliance
CISA, CISM, CISSP, CEH, CRISC, CTGA
Serving Financial Institutions since 1986
It is an exciting time for computer users…
But with these benefits comes risk…
It is an exciting time to be a Credit Union…
Izz ad-Din al-Qassam Cyber Fighters
New Threats: DDoS Attacks
✓ An attacker has control of many compromised systems and uses them to launch a coordinated attack that uses resources… making sites unavailable to ‘real’ users.
Credit Union Servers: A single server could host multiple CU websites.
Target Breach by the Numbers… (see www.krebsonsecurity.com)
– The dates the attackers stole card numbers: Nov 27 to Dec 15
– The number of card numbers stolen: 40,000,000
– Percentage decline in profit Q4 2013 vs Q4 2012: 46
– The cost to banks and credit unions for reissue: $200,000,000
– The number of Target employees with CISO title: 0
– The median price of cards successfully sold: $18.00 – $35.70
– The likely income made by the hackers: $53,700,000

https://www.privacyrights.org/data-breach
Of 4239, only 34 CU Events and 124 Bank Events
Credit Union Events
• Merchant breach (3)
• Vendor Negligence
• Accidental disclosure (5)
• Paper Carelessness (3)
• Accidental Loss of Tape Backup (2)
• Employee Misuse of Information (3)
• ATM Skimming
• Hacking (2)
• Theft (8)
• Social Engineering (2)
• Malware
Chronology of Data Breaches | Privacy Rights Clearinghouse
https://www.privacyrights.org/data-breach-asc?title=Credit+Union (search term: Credit Union; captured 4/6/14, 9:14 AM)
Columns: Date Made Public | Name | Location | Entity Type / Breach Type | Total Records

September 7, 2013 | Rockland Federal Credit Union | Rockland, Massachusetts | BSF HACK | Unknown
Rockland Federal Credit Union is sending customers new debit cards with new PINs as a result of a merchant who discovered a breach in their computer system. All old debit cards will be deactivated on September 26. Those with questions may call 781-878-0232.
Information Source: Media. Records from this breach used in our total: 0

August 28, 2013 | Missouri Credit Union | Columbia, Missouri | BSF DISC | 39,000
A file with customer information was accidentally published on Missouri Credit Union's website on August 5. The names, Social Security numbers, account numbers, teller and call in passwords, and addresses of Missouri Credit Union members were accessed. The file was accessed 10 times before the issue was discovered and it was taken off of the website.
Information Source: Media. Records from this breach used in our total: 39,000

June 17, 2013 | Yolo Federal Credit Union | Woodland, California | BSF UNKN | Unknown
Yolo was notified by Visa that there may have been a breach at several merchant locations. Yolo was not the site of the breach, but customers were issued new payment cards. The issue was reported to Yolo on May 31.
Information Source: Media. Records from this breach used in our total: 0

December 13, 2012 | Yolo Federal Credit Union | Woodland, California | BSF CARD | Unknown
A skimming device on an ATM resulted in fraudulent transactions on over 800 accounts. The fraudulent transactions appear to date from October 27, 2012 to November 7, 2012. It is not clear how many skimming devices were involved and where they were located.
Information Source: California Attorney General. Records from this breach used in our total: 0

October 29, 2012 | Abilene Telco Federal Credit Union, Experian | Abilene, Texas | BSF HACK | 847
A hacker or hackers were able to access an Abilene Telco Federal Credit Union employee's computer in September 2011. The Bank's online account with Experian was then used to download the credit reports of 847 people. Social Security numbers, dates of birth and detailed financial data were exposed.
Information Source: Dataloss DB. Records from this breach used in our total: 847

October 24, 2012 | Vermont State Employee's Credit Union (VSECU) | Montpelier, Vermont | BSF PORT | Unknown
Two unencrypted backup tapes were discovered missing on September 10. They were lost sometime between August 27, and
Overall, How Breaches Occur*…
52% used some form of hacking
76% exploited weak or stolen credentials
40% incorporated malware
35% involved physical attacks
29% involved social tactics
13% resulted from privilege misuse
*Verizon 2013 Data Breach Investigations Report

What can we learn from Target that applies to community and regional financial institutions?
How did it happen?
The Target breach began with the phishing of an HVAC contractor that had credentials to access the Target network. Hackers and crackers are sophisticated; at this level, they're playing a long game to nail lucrative, high-value targets. They're looking where they think you're not looking.
The weakest part of your security is something you haven't considered…
1. Social Engineering (SE). We know most attacks start with SE because employees are reliably ineffective at stopping the attack. Have you specifically tested what can happen when an employee is compromised?
2. Should an incident occur, do you have an incident response plan that will minimize financial and reputation impacts?
Applicability to Financial Institutions (FIs)
1. Most FIs test Social Engineering but do not do so with escalation intentions. Testing the ability to detect and thwart an attack originating from an employee workstation* is essential.
*Simulated Insider Penetration Testing
2. Many FIs have a token Incident Response Plan that is dusty and un-tested.
Missed Alerts and Opportunities
According to Businessweek, Target was running its own security operations center in Minneapolis. In May 2013 Target implemented best-of-breed malware detection software named FireEye. FireEye caught the initial November 30 infection of Target's payment system by malware. All told, five "malware.binary" alarms reportedly sounded, each graded at the top of FireEye's criticality scale. Unfortunately, it appears Target's security team failed to act on the threat indicators.
It's vital to know which alerts can be ignored
1. Skills may have been insufficient. Should this activity have been outsourced to experts?
2. Does your organization perform ‘covert’ security testing in order to test incident detection and response?
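The slide's lesson is that five top-criticality alarms on the same signature should never have aged out of a queue unanswered. The following is an added example written for this handout (it is not TrustCC's code and not FireEye's product logic) showing the two triage checks a small SOC can run over its alert queue: an SLA check that surfaces unacknowledged alerts by severity, and a repeat-signature check that turns several critical hits on the same signature into an escalation. The pipe-delimited alert format, the severity labels, the SLA minutes and the sample alerts are all constructed for the example; the sample timeline is modelled on the November 30 infection described above.

```python
"""Alert triage: which alerts can never be left without a human response.

Added example for this handout, not TrustCC's code and not FireEye's product
logic. The pipe-delimited alert format, severity labels and SLA minutes are
assumptions constructed here; the sample alerts are constructed to mirror the
slide's timeline (repeated top-criticality "malware.binary" alarms).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed maximum time (minutes) an alert may sit unacknowledged before it is
# escalated to a second line (on-call lead, MSSP, incident response).
# None means the severity is allowed to age out without escalation.
RESPONSE_SLA_MINUTES: Dict[str, Optional[int]] = {
    "critical": 30, "high": 240, "medium": 1440, "low": None,
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Alert:
    alert_id: str
    fired_at: datetime
    severity: str
    signature: str
    host: str
    acknowledged_at: Optional[datetime]


def parse_alert(line: str) -> Alert:
    """Parse one constructed alert line: id|fired|severity|signature|host|ack-or-dash."""
    alert_id, fired, sev, sig, host, ack = [f.strip() for f in line.split("|")]
    return Alert(alert_id, datetime.fromisoformat(fired), sev.lower(), sig, host,
                 None if ack == "-" else datetime.fromisoformat(ack))


def overdue_alerts(alerts: List[Alert], now: datetime) -> List[Tuple[Alert, timedelta]]:
    """Unacknowledged alerts past their SLA, most severe and longest-overdue first."""
    overdue = []
    for a in alerts:
        sla = RESPONSE_SLA_MINUTES.get(a.severity)
        if sla is None or a.acknowledged_at is not None:
            continue
        deadline = a.fired_at + timedelta(minutes=sla)
        if now > deadline:
            overdue.append((a, now - deadline))
    overdue.sort(key=lambda pair: (SEVERITY_RANK.get(pair[0].severity, 9), -pair[1]))
    return overdue


def repeated_critical_signatures(alerts: List[Alert], min_count: int = 3,
                                 window: timedelta = timedelta(hours=72)) -> List[str]:
    """Signatures that fired at least min_count critical alerts inside one window.

    Repeated top-criticality hits on one signature are a pattern, not noise, and
    should open an incident rather than wait in the queue.
    """
    by_sig: Dict[str, List[datetime]] = {}
    for a in alerts:
        if a.severity == "critical":
            by_sig.setdefault(a.signature, []).append(a.fired_at)
    flagged = []
    for sig, times in by_sig.items():
        times.sort()
        for i in range(len(times) - min_count + 1):
            if times[i + min_count - 1] - times[i] <= window:
                flagged.append(sig)
                break
    return flagged


# Constructed sample queue (ids, hosts and times are made up for the example).
SAMPLE_ALERTS = [
    "A-1001|2013-11-30T02:14:00|critical|malware.binary|pos-upload-01|-",
    "A-1002|2013-11-30T02:51:00|critical|malware.binary|pos-upload-02|-",
    "A-1003|2013-12-02T11:05:00|critical|malware.binary|pos-upload-01|-",
    "A-1004|2013-12-02T11:40:00|high|suspicious.outbound.ftp|pos-upload-02|2013-12-02T12:10:00",
    "A-1005|2013-12-03T08:00:00|low|policy.usb.insert|hr-ws-17|-",
]
NOW = datetime.fromisoformat("2013-12-03T09:00:00")  # constructed "current time"


def demo_triage() -> Dict[str, List[str]]:
    """Run both checks over the constructed queue and return what needs a human now."""
    alerts = [parse_alert(line) for line in SAMPLE_ALERTS]
    return {
        "overdue_ids": [a.alert_id for a, _ in overdue_alerts(alerts, NOW)],
        "escalate_signatures": repeated_critical_signatures(alerts),
    }


if __name__ == "__main__":
    for key, value in demo_triage().items():
        print(key, value)
```

On the constructed queue the three critical malware.binary alerts are all past their 30-minute SLA and unacknowledged, and the same signature trips the repeat rule, so both checks point at the same incident; the acknowledged high alert and the low-severity USB event are correctly left alone. The SLA table is the policy decision the slide asks for: deciding up front which severities may age out, and which must page someone, is what "knowing which alerts can be ignored" means in practice.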
Applicability to Financial Institutions (FIs)
1. Insufficient skills are more common at smaller and more remote FIs.
2. The vast majority of Financial Institutions do not perform sufficient ‘covert’ testing to validate their incident detection and response.
Class Action…
Negligence or Risk Acceptance
“We believe that Target not only knew its systems were vulnerable to exactly this kind of attack all the way back in 2007, but was alerted to and acknowledged suggestions that would have made its customers safer,” said Tom Loeser, a Hagens Berman Partner and former federal prosecutor in the Cyber and Intellectual Property Crimes Section of the U.S. Attorneys’ Office in Los Angeles. “However, Target did not act on this knowledge, and as a result, tens of millions have had their personal information stolen and financial accounts compromised.”
Two Incredibly Important Points
1. “Head in the Sand” and/or “Risk Acceptance” is a risky management technique.
2. When an incident occurs the sharks may be in a feeding frenzy. Perception will be as important as reality.
Applicability to Financial Institutions
1. “Risk Acceptance” is a very common practice.
   a. Too expensive, cannot afford the control
   b. The Core is compatible with only the older versions of Adobe, Java, etc.
2. “Risk Acceptance” is often poorly documented.
   a. If the feeding frenzy begins you will want evidence of a well-informed and well-supported conclusion.
"Okay, but Banks & Credit Unions rarely get breached!"
"Can you explain this?"
Attackers seek obscurity and profit.
✓ Stealing card numbers is generally easy because retailers have poor controls.
✓ Selling card numbers is profitable because carders can easily replicate cards.
✓ There is little risk to the attacker since they sell the cards and do not commit the fraud using their cards.
✓ But… what happens with Chip and PIN or Signature…
What Payment System will be next?
How could an attacker steal enough money from your FI to make the effort worthwhile?
✓ Take over the online banking accounts of your higher wealth or business customers/members.
✓ Modify the ACH file just before processing.
✓ Execute a wire transfer.
"Okay, but Banks & Credit Unions already perform security testing!"
"Are we easy targets like retailers?"
The BIG Disconnect with Traditional Security Testing
✓ Most Security Assessors perform Pen Testing with an approach that is deeply flawed and unrealistic.
✓ SE is performed but without escalation intentions
✓ “Pen Testing” is performed from a conference room with a laptop loaded with hacking tools
✓ Testing is almost never covert. IT is aware
✓ And when results are reported IT often discredits the assessment by saying… ‘We let you in the conference room, we saw your testing, this would never happen in a real attack’
Frustrating!
‘Realistic’ Pen-testing 2013
"Attacking our clients using the SAME methods being used ‘in the wild’."
Results when Realistic Penetration was performed at TrustCC clients…
Nearly 200 Financial Institutions
Breached – 63%
Sensitive Data – 79%
Admin Access – 58%
"And we got better as the year progressed…"
How do we do it?
✓ Just like the bad guys…
✓ we carefully research and plan our attacks,
✓ we develop very convincing scenarios,
✓ we set up fictitious yet convincing websites,
✓ we trickle our testing,
✓ we deliver payloads, AND
✓ We have the skills to go from domain user on a domain workstation with no tools and limited access to domain administrator
Example: Social Engineering – Pretext Calling
Credit Union with over $700M in Assets. Contract with CU; only Senior Management knows the precise timing of testing.
1. We use LinkedIn to identify potential victims
2. We call in to a branch pretending to be “Jackson from IT”
3. We bond by small talk and empathy
4. Convince employee to run our Network Diagnostic Tool
5. AV stops us. We convince employee to disable AV. This is effective because employee has local admin rights.
• We now have remote control of employee’s computer with her access. It’s all about getting our ‘Payload’ to run.
What can we do with a user's workstation?
• Path 1: Install keystroke logger, capture her passwords, commit fraud using her accounts
• Path 2: Harvest sensitive information
• Path 3: Work to escalate access
  • Found a Domain Admin had previously logged into her computer
  • Use tool to pull residual credentials (token) from system
  • RDC to Domain Controller and reuse old token
• In 60 minutes we are Domain Admin.
• No IT Response. None. Zero. Game Over. Checkmate!
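Path 3 only worked because two conditions were both true on that branch workstation: a Domain Admin had logged on interactively there (leaving reusable credential material behind) and the endpoint protection had been switched off by a local administrator. Both are visible in logs the FI already collects, which is the point of the "No IT Response" line. The following is an added defender-side example written for this handout (it is not TrustCC's tooling and not any vendor's code) that runs the two corresponding detections over constructed log lines and then intersects them to find hosts that are primed for this escalation path. The simplified log format (timestamp followed by key=value pairs), the av.realtime_disabled event name, the host names and the account names are all constructed; Windows event ID 4624 (successful logon) and logon types 2 (Interactive) and 10 (RemoteInteractive) are real values.

```python
"""Detecting the conditions behind the Path 3 escalation on this slide.

Added defender-side example for this handout; not TrustCC's tooling or any
vendor's code. It reads constructed, simplified log lines (timestamp followed
by key=value pairs), not real Windows event XML. Windows event ID 4624 and
logon types 2 (Interactive) and 10 (RemoteInteractive) are real; the
'av.realtime_disabled' event name, hosts and accounts are constructed.
"""
from datetime import datetime
from typing import Dict, List, Tuple

# Logon types that leave reusable credential material on the host.
INTERACTIVE_LOGON_TYPES = {"2", "10"}

# Constructed inventory: tier-0 accounts and the only hosts they should ever
# log on to interactively (the domain controllers).
PRIVILEGED_ACCOUNTS = {"CORP\\da-admin", "CORP\\svc-backup"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Constructed sample log mirroring the slide: a branch user logs on, AV is
# turned off on her workstation, and a domain admin had an RDP session there.
SAMPLE_LOG = """\
2014-05-06T09:02:11 host=BR-WS-22 event=4624 user=CORP\\jsmith logon_type=2
2014-05-06T09:15:40 host=BR-WS-22 event=av.realtime_disabled user=CORP\\jsmith
2014-05-06T13:44:05 host=BR-WS-22 event=4624 user=CORP\\da-admin logon_type=10
2014-05-06T13:50:00 host=DC01 event=4624 user=CORP\\da-admin logon_type=10
2014-05-07T08:01:00 host=BR-WS-05 event=4624 user=CORP\\svc-backup logon_type=3
"""


def parse_event(line: str) -> Dict[str, object]:
    """Turn 'timestamp k=v k=v ...' into a dict; the timestamp becomes 'ts'."""
    ts, *pairs = line.split()
    event: Dict[str, object] = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def load_events(text: str) -> List[Dict[str, object]]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def privileged_workstation_logons(events) -> List[Tuple[str, str]]:
    """(host, account) pairs where a tier-0 account logged on interactively
    to something that is not a domain controller. Each one is a host where a
    residual token or cached secret may now be waiting for whoever owns the box."""
    findings = []
    for ev in events:
        if (ev.get("event") == "4624"
                and ev.get("logon_type") in INTERACTIVE_LOGON_TYPES
                and ev.get("user") in PRIVILEGED_ACCOUNTS
                and ev.get("host") not in DOMAIN_CONTROLLERS):
            findings.append((str(ev["host"]), str(ev["user"])))
    return findings


def av_disabled_hosts(events) -> List[str]:
    """Hosts on which real-time protection was switched off (step 5 on the slide)."""
    return sorted({str(ev["host"]) for ev in events
                   if ev.get("event") == "av.realtime_disabled"})


def high_risk_hosts(events) -> List[str]:
    """Hosts where both conditions hold: tier-0 credential material is present
    and endpoint protection is off. These are the Path 3 starting points and
    should be the first place the responder looks."""
    priv_hosts = {host for host, _ in privileged_workstation_logons(events)}
    return sorted(priv_hosts & set(av_disabled_hosts(events)))


def demo_findings() -> Dict[str, list]:
    events = load_events(SAMPLE_LOG)
    return {
        "privileged_logons": privileged_workstation_logons(events),
        "av_disabled": av_disabled_hosts(events),
        "high_risk": high_risk_hosts(events),
    }


if __name__ == "__main__":
    for key, value in demo_findings().items():
        print(key, value)
```

On the constructed log the domain admin's RDP session to BR-WS-22 is flagged while the same account's session on DC01 is not, the service account's network logon (type 3) is ignored because it leaves nothing reusable behind, and BR-WS-22 is the one host that appears in both lists. The fix the slide argues for is the policy behind PRIVILEGED_ACCOUNTS and DOMAIN_CONTROLLERS (tier-0 accounts never touch workstations) plus removing the local admin rights that made step 5 possible; the detection is what tells you when that policy is being broken before a tester or an attacker finds the host.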
With domain admin access we can commit any fraud, control any system, steal any data… attribute our actions to any user… and erase many of our tracks.
Social Engineering – Success Rates
An attacker needs ONE responsive session.
Phishing: Average = 2.5 in 10
Pretext Calling = 4.5 in 10
Site Visits = 2.5 in 10
Realistic Penetration Testing
• Requires more Coordination
• Requires Less Disclosure
• Requires stringent Rules of Engagement
• Requires much more analysis of logging and alerts to determine if activity could be detected
• We are unaware of our competitors performing pen-testing like this…
[Diagram: Probability, Frequency, Consequence]
Cut Breach Costs and Reputation Risk
GLBA says… Build an Effective Security Program
Consider this a Call to Action!
1. Name a CISO, equip them, empower them.
2. Resist Risk Acceptance and Security Compromise.
3. Ensure sufficient security skills on IT team.
4. Perform Realistic Penetration Testing.
   a. Covert to test incident detection and response
   b. Real SE and real access escalation
   c. Choose a creative and competent provider
5. Have a robust/tested incident response plan.
6. Risk Assess to identify your weak links.
Consider TrustCC a part of your network…
Tom Schauer; CEO TrustCC. CISA, CISM, CRISC, CISSP, CEH, CTGA
tschauer@trustcc.com
253.468.9750