
Page 1 (source: macpamedia.org/media/downloads/2011TECH/Cyber_Theft.pdf)

Guard Against Cyber Theft: 2011 Security Update

Maryland Association of CPAs, October 3, 2011

Steven J. Ursillo, Jr., CPA, CIA, CFE, CISA, CISM, CITP, CISSP, CGEIT, CRISC

Speaker Biography

• Principal, Director of Information Technology and Assurance Services at Sparrow, Johnson & Ursillo, Inc.
• Over 17 years of public accounting experience in several industries.
• Information system security and privacy, information technology governance, information technology assurance, internal controls, risk management, fraud detection, and data extraction and analysis.
• Security and Technology Attestation Services, SAS 70/SSAE 16 Audits, SAS 70/SSAE 16 Readiness Assessments, Trust Services, SOC (1,2,3), GAPP, Agreed Upon Procedures, Information Security Readiness, Technology Risk Assessments, and DR/BCP Reviews. Experience in the area of information security ranges from security consulting and implementation services to security assessments involving network and application penetration testing.
• Provided subcontracting services to ACL Services, Ltd. from 1999 through 2001.
• Graduated from Bryant University with a Bachelor of Science degree in business administration with a major in accounting; currently pursuing a Master's degree in computer information systems with a concentration in information security at Boston University.
• Currently a member of the AICPA Information Technology Executive Committee and the AICPA ITEC Service Provider Assurance & Cloud Computing Taskforce, an RI Society of CPAs executive board member, a past chairman of the RI Society of CPAs Technology Committee and a past president of the RI Certified Fraud Examiners Chapter #33.
• Numerous publications, training and awareness sessions on many relevant topics, including live hacking demonstrations in simulation environments. Awarded the 2004 and 2009 “Speaker of the Year” by the RI Certified Fraud Examiners Chapter #33.

Page 2

Presentation Outline

• Introduction
• Who / What Needs Protection?
• Risks Overview (Organizational, Personal)
• Drivers of Cyber Theft
• How Important Is Information Security?
• LAN Methods of Attack
• EFT Fraud
• Wireless Risk
• Mobile Device Risk
• Physical Risks
• VOIP Attacks
• Application Attacks
• Risk Analysis
• Security Policies
• Front Line Protection and Prevention
• Resources

Information Security & Control: Security Objectives

• Confidentiality: limiting information access and disclosure to a set of authorized users, and preventing access by or disclosure to unauthorized intruders (e-mails, IMs, contact and personal identifying information, financial information).
• Integrity: data integrity (trustworthiness of information resources) and source integrity (data actually came from the person or entity you think it did, rather than an imposter).
• Availability: availability of information resources.

Page 3

Cyber Theft?

Definition: Stealing of financial and/or personal information through the use of computers for fraudulent or other illegal uses.

– EFT Fraud: ACH, Credit Card, Debit Card, ATM, Wire, Remote Deposit Capture
– Identity Theft: Personal Information

Who is Responsible?

Internal:
• Employees
• Ex-employees
• Disguised Contractors
• Unauthorized Guests

External:
• Crackers
• Hackers
• Scammers
• Competitors
• Organized Crime
• Terrorists

Page 4

What Assets Need Protection?

• Physical Resources (Assets, etc.)
• Intellectual Resources (Trade Secrets, etc.)
• Time Resources (Time Allocations)

Organizational Risks

• Misappropriated Time & Money

• ICFR Risk

• Operations and Compliance Risk

• Monetary Loss

• Asset Theft or Destruction

• Potential Litigation

• Business Interruption / Lost Sales

• Opportunity Costs

• Reputation

Page 5

Personal Risks

• Identity Theft

• Monetary Theft

• Loss of Confidential Information

• Medical Information

• Financial Assets & Information

• Credit Card Information

• Passwords

Drivers of Cyber Theft

• Buy and sell stolen information
• Financial gain
• Carding forums
• Dump vendors
• Non-carding forums
• $ funding to perpetrate a variety of crimes
• Competitive advantages
• Ego
• & more…

Page 6

Example 1: (ACH Fraud)

Hillary Machinery Inc.: $800,000 scam / $200,000 loss

http://www.bankinfosecurity.com/articles.php?art_id=2132

Example 2: (Credit Card Theft)

Heartland Payment Systems, 7-Eleven, Inc., Hannaford Brothers Company, 130 million credit cards stolen

http://www.foxnews.com/story/0,2933,540060,00.html

Example 3: (ID Theft)

FTC Releases Survey of Identity Theft in U.S. 27.3 Million Victims in Past 5 Years, Billions in Losses for Businesses and Consumers

http://www.ftc.gov/opa/2003/09/idtheft.shtm

How Realistic?

(Chart: Security Breach Types. Source: Microsoft Security Intelligence Report Volume 10 (2010) Key Finding Summary)

Page 7

In the news…

• RSA

• Epsilon

• Corporate Account Takeover

• MaaS

• Zeus, Stuxnet, Aurora, Anonymous

• Amazon EC2 outage

• Cloud services growth 25-30% CAGR thru 2014-15

• Sony Playstation

• Google Buzz

• ATM/POS skimming

• Patch Tuesday = 64

• Wordpress.com

• Geotracking

2011 Data Breach Investigations Report (2011 DBIR)

• A study conducted by the Verizon RISK Team with cooperation from the U.S. Secret Service and the Dutch High Tech Crime Unit.

• 2010: 761 breaches
• Over 7 years: 1700+ breaches, over 900 million compromised records

Page 8

Who? (2011 DBIR)

• External Agents 92% (+22%)
• Implicated Insiders 17% (-31%)
• Business Partners <1% (-10%)
• Involved Multiple Parties 9% (-18%)

External Agents (2011 DBIR)

• Organized Crime 58%
• Unaffiliated Person(s) 40%
• Former Employee 2%
• Competitor 1%
• Unknown 14%
• Other <1%

How? (2011 DBIR)

• 50% some form of hacking (+10%)
• 49% incorporated malware (+11%)
• 29% involved physical attacks (+14%)
• 17% privilege misuse (-31%)
• 11% social tactics (-17%)

Page 9

Targets (2011 DBIR)

• Hospitality 40%
• Retail 25%
• Financial Services 22%
• Government 4%
• Manufacturing 2%
• Tech Services 2%
• Business Services 1%
• Healthcare 1%
• Media <1%
• Transportation <1%
• Other 2%

LAN/WAN Methods of Attack

• Malware, Viruses, Spyware, & AdWare
• Trojan Horse
• Denial Of Service (DOS)
• Sniffing
• Buffer Overflows
• Unnecessary Services and Configuration Errors
• Physical Attacks
• Authentication Attacks
• Network Device and Services
• Hardware (embedded devices, skimmers, POS, ATM, Scanners, etc.)
• Social Engineering

Page 10

MALWARE

Definition: Malware (MALicious softWARE) is software designed to infiltrate or damage a computer system without the owner’s consent. Malware is commonly taken to include computer viruses, Trojan horses, spyware and adware.

Malware Distribution

• Internet: Downloads, Email, IM, Phishing, Spear Phishing, File Sharing, Un-trusted Applications, DNS & Routing Modifications
• Physical: USB/DVD/External Media
• External: Hacking, Mass Vulnerability Exploits, Cloud, *aaS Providers

Page 11

Methods of Attack: Trojan Horse

• Hidden or disguised program installed on a computer for stealth remote control and backdoor access
• Damage is usually done by the time it is detected
• Have been used to capture user names and passwords
• Difficult to detect or remove
• Built to defeat malware protection
• Custom designs have evolved to do much more

Custom EFT (Banking) Trojan Characteristics

• Key logging
• Form grabbing
• Screen shot and mouse event capture
• Site key theft
• Protected storage retrieval
• Certificate stealing
• MBR (master boot record) rootkits
• Cookie stealing
• HTML replacement or injection
• Confirmation tampering
• And more (0-day)…

Page 12

EFT Fraud Prevention

• EFT Risk Assessment
• Segregation of Duty (Initiation and Approval)
• Dedicated EFT Trusted Systems
• Multi-factor Authentication with Independent Mechanism (Token, FOB, SMS, Secure ID, etc.)
• Logging and Monitoring (systems and accounts)
• Daily EFT Reconciliations
• Dedicated Clearing Accounts
• Positive Pay and Debit Blocks
• General IT Security and Controls (Firewall, malware and AV, patch management, etc.)
• Cyber Theft Insurance

http://www.journalofaccountancy.com/Issues/2010/Oct/20092174.htm
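Two of the controls on the EFT Fraud Prevention list, segregation of duty between initiation and approval and a daily EFT reconciliation, are easier to reason about as concrete checks. The Python below is an added example, not code from the presentation or its author; the audit log format, the INIT/APPR event names, the user ids, transfer ids and amounts are all constructed for it.

```python
"""Added example (not from the presentation): segregation of duties
(initiation vs. approval) and a daily EFT reconciliation implemented as
checks over a constructed audit log. Log format, field names, user ids and
amounts are invented for this illustration."""
from collections import defaultdict

# Constructed EFT audit log, one event per line:
#   date|event|transfer id|user|amount|payee
# INIT = a user initiated the transfer, APPR = a user approved/released it.
AUDIT_LOG = """\
2011-10-03|INIT|T1001|jsmith|25000.00|Vendor A
2011-10-03|APPR|T1001|mjones|25000.00|Vendor A
2011-10-03|INIT|T1002|jsmith|9800.00|Vendor B
2011-10-03|APPR|T1002|jsmith|9800.00|Vendor B
2011-10-03|INIT|T1003|rlee|4100.00|Payroll
2011-10-03|APPR|T1003|mjones|4100.00|Payroll
2011-10-03|INIT|T1005|rlee|600.00|Vendor C
"""

# Constructed bank statement for the same day: debits the bank actually posted.
BANK_DEBITS = [
    ("T1001", 25000.00),
    ("T1002", 9800.00),
    ("T1003", 4190.00),   # amount differs from what was approved
    ("T1004", 15500.00),  # never initiated or approved internally
]


def parse_audit_log(text):
    """Group events by transfer id:
    {tid: {"INIT": (user, amount, payee), "APPR": (user, amount, payee)}}."""
    transfers = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        _day, event, tid, user, amount, payee = line.split("|")
        transfers[tid][event] = (user, float(amount), payee)
    return dict(transfers)


def segregation_of_duty_violations(transfers):
    """Transfer ids released by the same user who initiated them, or approved
    with no initiation record at all (both break the two-person rule)."""
    flagged = []
    for tid, events in transfers.items():
        init, appr = events.get("INIT"), events.get("APPR")
        if appr is None:
            continue  # still pending approval: nothing has left the account
        if init is None or init[0] == appr[0]:
            flagged.append(tid)
    return sorted(flagged)


def reconcile(transfers, bank_debits):
    """Daily reconciliation of approved transfers against bank-posted debits.
    Returns (debits with no approved transfer, debits whose amount differs)."""
    approved = {tid: ev["APPR"][1] for tid, ev in transfers.items() if "APPR" in ev}
    unmatched, mismatched = [], []
    for ref, amount in bank_debits:
        if ref not in approved:
            unmatched.append(ref)
        elif abs(approved[ref] - amount) >= 0.01:
            mismatched.append(ref)
    return sorted(unmatched), sorted(mismatched)


def daily_exception_report(log_text=AUDIT_LOG, bank_debits=BANK_DEBITS):
    """Run both controls and return the exceptions a reviewer should see."""
    transfers = parse_audit_log(log_text)
    unmatched, mismatched = reconcile(transfers, bank_debits)
    return {
        "sod_violations": segregation_of_duty_violations(transfers),
        "unmatched_bank_debits": unmatched,
        "amount_mismatches": mismatched,
    }


if __name__ == "__main__":
    for name, items in daily_exception_report().items():
        print(f"{name}: {items}")
```

On the constructed data the report flags T1002 (initiated and approved by the same user), T1004 (a debit the bank posted that nobody inside the organization approved, the pattern behind the ACH fraud example earlier in the deck) and T1003 (approved and posted amounts disagree). The value of running this daily rather than monthly is the ACH return window: an unauthorized debit caught the next morning can still be disputed.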

Wireless Risks

Internal Risks:
• Rogue WLANs (evil twin)
• Insecure Network Configurations
• Accidental & Malicious Associations

External Risks:
• Eavesdropping & Espionage
• Unauthorized Access
• System Identity Theft
• Evolving Attacks
• Hi-Jacking
• Man-in-the-Middle
• DOS

Page 13

Denial Of Service (DOS) Example

(Diagram: Hacker, Access Point (Target), Victim)

Methods of Attack: Spoofing & Hi-Jacking (Wireless & Wired)

Allows an attacker to pose as a legitimate user while the third party is unaware, aka “man in the middle” attacks.

• IP spoofing
• ARP/MAC spoofing
• DNS spoofing
• Email spoofing

Page 14

Man in the Middle / Session Hijacking Attacks

Intercepting traffic between nodes (diagram: Target, Hacker, Server, Access Point)

Network Access, Now What?

• Local area network connectivity

• Bypass firewalls and other access control devices

• Capable of all traditional wired network security vulnerabilities and exploits

Page 15

Wireless Controls, Prevention & Mitigation

• Layered security
• Wireless network architecture
  – Placement of APs
  – Use of antennas
  – Separate network segment
  – Firewalls
  – VPN access
• Security policies and procedures
• Implement technical baselines
• Technology policy enforcement software

Mobile Device Risks

• Physical theft (laptops, PDAs, cell phones, etc.)
• Negligence (lost or misplaced)
• Malicious software installation
• Malware or virus infection
• Security configuration errors or limits
• Shared or common authentication (same passwords)
• Password retrieval software
• Device and data compromise (unauthorized Bluetooth connections)

Page 16

Physical Access Risks

• Theft
• Hardware modifications
• Physical access ups the stakes
• Workstation/server/laptop/mobile device theft
• Lost or misplaced portable devices or portable storage
• Device and media decommissioning
• Facility Access Controls

Physical Device Security

• Physical lockdown
• Secure authentication
• Malware protection
• VPN security
• Policy based data destruction
• BIOS or boot passwords
• Drive and device encryption
• Disable bootable drives
• OS specific measures
• Video and monitoring
• Mobile device tracking
• Data cleansing (retired equipment and devices)
• Insurance (lost or stolen)

Page 17

VOIP Risks

• Eavesdropping
  – Sniffing and packet capturing
• Man in the middle attacks
• Service interruption (DOS)
• SPIT (voice spam)
• Voice phishing (Vishing)
• Signal and media manipulation
  – Unauthorized registration modification
  – Registration Hijacking
  – Registration Spoofing
  – Spoofing caller-ID

Web Application Based Attacks

Web application based attacks may include some of the following:

• Client Application attacks
• SQL Injection
• Cross-Site Scripting (XSS)
• Session Tampering
• Field Input Validation
• HTTP Post Field Modification
• Parameter Tampering

Page 18

Application Based Attacks

(Chart source: Microsoft Security Intelligence Report Volume 10 (2010) Key Finding Summary)

Client Application Based Attacks

Web Browsers
• BHO (Browser Helper Objects)
• ActiveX, Java applets and other embedded scripting

Office Applications
• Embedded macros
• Malicious documents sent by email or opened through browsing

Email & IM Clients
• Malware (viruses, Trojans, key-loggers, spyware, adware, rootkits, etc.)
• Phishing and Spam
• Social Engineering

Media Player Software
• Software vulnerabilities
• Execution of programs with the software

Peer to Peer Software
• Malware (viruses, Trojans, key-loggers, spyware, adware, rootkits, etc.)

Page 19

What is this doing?

Username = user@abc-ex-co.com
Password = 'anything' OR '1'='1';

How about this?

Username = 'user@abc-ex-co.com' OR '1'='1';
Password = 'anything'
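What the two slides above show is SQL injection: a login form that splices the typed username and password straight into its query. The Python below is an added example, not code from the presentation, that builds that login check two ways against a throwaway in-memory SQLite table, so the slide's inputs can be tried against both. The table, the sample user and its password are constructed; the application's own quoting is what turns the typed `anything' OR '1'='1` into the `'anything' OR '1'='1'` fragment printed on the slide.

```python
"""Added example (not from the presentation): the login query behind the
"What is this doing?" slide, written with string concatenation and with bound
parameters. The user table and credentials are constructed for this example."""
import sqlite3

# Hypothetical user record. A real application stores a salted password hash,
# not the plaintext; plaintext is used here only to keep the query readable.
SAMPLE_USER = "user@abc-ex-co.com"
SAMPLE_PASSWORD = "correct-horse-battery"

# The two inputs from the slide, as typed into the form (the application adds
# the surrounding quotes when it builds the statement).
INJECTED_PASSWORD = "anything' OR '1'='1"
INJECTED_USERNAME = "user@abc-ex-co.com' OR '1'='1"


def build_db():
    """Create a throwaway in-memory database holding one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (SAMPLE_USER, SAMPLE_PASSWORD))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the input becomes part of the SQL statement."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    # With INJECTED_PASSWORD the database receives
    #   ... WHERE username = 'user@abc-ex-co.com' AND password = 'anything' OR '1'='1'
    # and the trailing OR makes the whole condition true for every row.
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Bound parameters: the driver sends the values separately from the SQL
    text, so quotes and keywords in the input never change the query's shape."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    """Outcome of each login attempt, so the two behaviours sit side by side."""
    conn = build_db()
    return {
        "vulnerable_with_injected_password": login_vulnerable(conn, SAMPLE_USER, INJECTED_PASSWORD),
        "vulnerable_with_injected_username": login_vulnerable(conn, INJECTED_USERNAME, "anything"),
        "safe_with_injected_password": login_safe(conn, SAMPLE_USER, INJECTED_PASSWORD),
        "safe_with_injected_username": login_safe(conn, INJECTED_USERNAME, "anything"),
        "safe_with_real_password": login_safe(conn, SAMPLE_USER, SAMPLE_PASSWORD),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case}: {'LOGGED IN' if logged_in else 'rejected'}")
```

Both injected inputs log in through the concatenated query and are rejected by the parameterized one, while the genuine password still works. The fix is a property of how the statement is built, not of the input: the "Field Input Validation" item on the previous slide is a second layer, but only bound parameters (or an equivalent prepared statement) remove the defect itself.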

Application Based Attacks

Potential Threats:

• Exploits
• Viruses
• Trojans
• Spyware
• AdWare
• Rootkits
• Key loggers
• Back doors

= Identity Theft & EFT Fraud

Page 20

Where do we start?

• Identify Responsibility
• Identify Resources
• Identify Risks
• Establish a Time Table & Budget
• Create a Security Policy
• Identify Necessary Controls and Audit Objectives
• Establish Necessary Standards and Procedures
• Design Management Reports and Substantive Testing
• Education

Risk Based Security

• Develop Loss Scenarios
• Identify Exposures and Controls
• Define Risk Categories
• Assess Likelihood and Severity of Possible Losses
• Develop Risk Control Costs
• Rank Exposures

Page 21

Risk Analysis

(Chart: exposures plotted by Likelihood (Low / Med / High) against Severity of Impact (Low / Med / High). Exposures shown: Firewall Penetration, Virus Attack, E-Mail Abuse, Fire, Loss of Assets, Personal Use of Internet.)

What is a Security Policy?

• Minimum Level of Security Tolerable by Mgt.

• High Level Guidelines

• Consists of Organizational Goals, Objectives, Culture, Ethics, Controls, and Employee Responsibility.

Page 22

Prevention

• Authentication
  – Enforced password policy
  – Strong password management
  – Multi-factor authentication
    • Smart cards/tokens
    • One time passwords
    • Biometrics
• Service or vendor updates
• “Least privilege”
• SDLC Enforcement
• Malware/Spam/Anti-virus protection
• Periodic security audits
• Logical access controls
• Physical access controls
• Performance benchmarks
• Traffic Normalization
• “Phone home” prevention
• Enable and centralize logging
• Network Access Control (NAC)
• Control rights and permissions
• Segregation of duties
• Standard Operating Procedures (SOPs)
• Removable device control
• Encryption (in transfer and at rest)
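The "one time passwords" item under multi-factor authentication is usually delivered as a token or phone app that shows a six-digit code every 30 seconds. The Python below is an added example, not code from the presentation, that implements that mechanism as HOTP (RFC 4226) and time-based TOTP (RFC 6238) over HMAC-SHA1, plus the server-side verification a login system needs: a small tolerance for clock drift and a rule that a code, once accepted, is never accepted again. The shared secret is the RFCs' published test secret, not a real key; the step size, digit count and window are the common defaults.

```python
"""Added example (not from the presentation): HOTP / TOTP one-time passwords
with a replay-resistant verifier. Uses the RFC 4226 / RFC 6238 test secret."""
import hashlib
import hmac
import struct
import time

# Reference test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# A deployment generates a random secret per user and stores it server-side.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                  # low nibble of the last byte picks a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP: HOTP whose counter is Unix time divided into `step`-second slots."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret, now // step, digits)


class TotpVerifier:
    """Server-side check: tolerate +/- `window` steps of clock drift, and never
    accept a step that has already been consumed, so a captured code (for
    example one grabbed by the keylogging Trojans described earlier) cannot be
    replayed after the legitimate user has used it."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted_step = -1   # persisted per user in a real deployment

    def verify(self, code, at=None):
        now = int(time.time()) if at is None else int(at)
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue   # this step's code was already used
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET)
    print("current TOTP:", code)
    v = TotpVerifier(RFC_TEST_SECRET)
    print("first use accepted:", v.verify(code))
    print("replay accepted:", v.verify(code))
```

The drift window is the trade-off to watch: each extra step doubles the number of codes that are valid at any moment, so keep it at one step and fix clock skew on the server rather than widening the window. The replay rule matters because the Trojans on the earlier slides capture what the user types; a one-time code that can be reused within its 30-second slot is only as strong as the channel it traveled on.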

More Prevention

• Mandatory vacations & job rotation
• Accountability
• Implement security traps
• Network and Application IDS/IPS
• Secure, fault-tolerant data and network design
• VPNs
• Log off policy
• Control internet downloads
• Data Loss Prevention (DLP)
• Traffic and log correlation
• Monitor e-mail and HTTP traffic (set & uphold policy)
• System change controls
• Data backup
• Off site storage
• Restrict outside software and disks to general users
• EMPLOYEE AWARENESS

Page 23

Resources

• http://www.aicpa.org/trustservices/
• http://www.packetstormsecurity.com
• http://www.securityfocus.com
• http://www.cert.org
• http://www.sans.org
• http://www.isaca.org
• http://www.microsoft.com/security
• http://www.isc2.org
• http://www.nipc.gov
• http://labs.idefense.com
• http://www.issa.org
• http://www.sju.com

Questions?

Steven J. Ursillo, Jr., CPA, CIA, CFE, CISA, CISM, CITP, CISSP, CGEIT, CRISC

Phone: 401-521-4000 ext. 144

[email protected]

Thank You!

Page 24

Steven J. Ursillo Jr., Principal

SPARROW, JOHNSON & URSILLO, INC.
Certified Public Accountants, Business & Technology Consultants

1300 Division Road, West Warwick, RI 02893

Phone: (401)521-4000 x144  Fax: (401)274-5368
http://www.sju.com  E-mail: [email protected]