TRANSCRIPT
Guard Against Cyber Theft 2011 Security Update
Maryland Association of CPAs, October 3, 2011
Speaker Biography

Steven J. Ursillo, Jr., CPA, CIA, CFE, CISA, CISM, CITP, CISSP, CGEIT, CRISC
• Principal, Director of Information Technology and Assurance Services at Sparrow, Johnson & Ursillo, Inc.
• Over 17 years of public accounting experience in several industries.
• Information system security and privacy, information technology governance, information technology assurance, internal controls, risk management, fraud detection, and data extraction and analysis.
• Security and Technology Attestation Services, SAS 70/SSAE 16 audits, SAS 70/SSAE 16 readiness assessments, Trust Services, SOC (1, 2, 3), GAPP, agreed-upon procedures, information security readiness, technology risk assessments, and DR/BCP reviews. Information security experience ranges from security consulting and implementation services to security assessments involving network and application penetration testing.
• Provided subcontracting services to ACL Services, Ltd. from 1999 through 2001.
• Graduated from Bryant University with a Bachelor of Science degree in business administration with a major in accounting; currently pursuing a Master's degree in computer information systems with a concentration in information security at Boston University.
• Currently a member of the AICPA Information Technology Executive Committee and the AICPA ITEC Service Provider Assurance & Cloud Computing Taskforce, an executive board member of the RI Society of CPAs, a past chairman of the RI Society of CPAs Technology Committee, and a past president of the RI Certified Fraud Examiners Chapter #33.
• Numerous publications, training and awareness sessions on relevant topics, including live hacking demonstrations in simulation environments. Awarded the 2004 and 2009 "Speaker of the Year" by the RI Certified Fraud Examiners Chapter #33.
Presentation Outline

• Introduction
• Who / What Need Protection?
• Risks Overview
• Organizational, Personal
• Drivers of Cyber Theft
• How Important Is Information Security?
• LAN Methods Of Attack
• EFT Fraud
• Wireless Risk
• Mobile Device Risk
• Physical Risks
• VOIP Attacks
• Application Attacks
• Risk Analysis
• Security Policies
• Front Line Protection and Prevention
• Resources
Information Security & Control

Security Objectives

• Confidentiality: limiting information access and disclosure to a set of authorized users, and preventing access by or disclosure to unauthorized intruders. Examples: e-mails, IMs, contact and personal identifying information, financial information.
• Integrity: data integrity (the trustworthiness of information resources) and source integrity (the data actually came from the person or entity you think it did, rather than an impostor).
• Availability: the availability of information resources.
Cyber Theft?

Definition: stealing financial and/or personal information through the use of computers for fraudulent or other illegal uses.

– EFT Fraud
  • ACH
  • Credit Card
  • Debit Card
  • ATM
  • Wire
  • Remote Deposit Capture
– Identity Theft
  • Personal Information
Who is Responsible?

Internal
• Employees
• Ex-employees
• Disguised Contractors
• Unauthorized Guests

External
• Crackers
• Hackers
• Scammers
• Competitors
• Organized Crime
• Terrorists
What Assets Need Protection?

• Physical Resources (Assets, etc.)
• Intellectual Resources (Trade Secrets, etc.)
• Time Resources (Time Allocations)
Organizational Risks
• Misappropriated Time & Money
• ICFR Risk
• Operations and Compliance Risk
• Monetary Loss
• Asset Theft or Destruction
• Potential Litigation
• Business Interruption / Lost Sales
• Opportunity Costs
• Reputation
Personal Risks
• Identity Theft
• Monetary Theft
• Loss of Confidential Information
• Medical Information
• Financial Assets & Information
• Credit Card Information
• Passwords
Drivers of Cyber Theft

• Buy and sell stolen information
• Financial gain
• Carding forums
• Dump vendors
• Non-carding forums
• $ funding to perpetrate a variety of crimes
• Competitive advantages
• Ego
• & more…
Example 1: (ACH Fraud)
Hillary Machinery Inc.: $800,000 scam / $200,000 loss
http://www.bankinfosecurity.com/articles.php?art_id=2132
Example 2: (Credit Card Theft)
Heartland Payment Systems, 7-Eleven, Inc., Hannaford Brothers Company, 130 million credit cards stolen
http://www.foxnews.com/story/0,2933,540060,00.html
Example 3: (ID Theft)
FTC Releases Survey of Identity Theft in U.S. 27.3 Million Victims in Past 5 Years, Billions in Losses for Businesses and Consumers
http://www.ftc.gov/opa/2003/09/idtheft.shtm
How Realistic?

[Chart: Security Breach Types. Source: Microsoft Security Intelligence Report Volume 10 (2010), Key Finding Summary]
In the news…
• RSA
• Epsilon
• Corporate Account Takeover
• MaaS
• Zeus, Stuxnet, Aurora, Anonymous
• Amazon EC2 outage
• Cloud services growth 25-30% CAGR thru 2014-15
• Sony Playstation
• Google Buzz
• ATM/POS skimming
• Patch Tuesday = 64
• Wordpress.com
• Geotracking
2011 Data Breach Investigations Report (2011 DBIR)

• A study conducted by the Verizon RISK Team with cooperation from the U.S. Secret Service and the Dutch High Tech Crime Unit.
• 2010: 761 breaches
• Over 7 years: 1,700+ breaches, over 900 million compromised records
Who? (2011 DBIR)

• External Agents 92% (+22%)
• Implicated Insiders 17% (-31%)
• Business Partners <1% (-10%)
• Involved Multiple Parties 9% (-18%)

External Agents (2011 DBIR)

• Organized Crime 58%
• Unaffiliated Person(s) 40%
• Former Employee 2%
• Competitor 1%
• Unknown 14%
• Other <1%
How? (2011 DBIR)

• 50% some form of hacking (+10%)
• 49% incorporated malware (+11%)
• 29% involved physical attacks (+14%)
• 17% privilege misuse (-31%)
• 11% social tactics (-17%)
Targets (2011 DBIR)

• Hospitality 40%
• Retail 25%
• Financial Services 22%
• Government 4%
• Manufacturing 2%
• Tech Services 2%
• Business Services 1%
• Healthcare 1%
• Media <1%
• Transportation <1%
• Other 2%
LAN/WAN Methods of Attack

• Malware, Viruses, Spyware, & AdWare
• Trojan Horse
• Denial Of Service (DOS)
• Sniffing
• Buffer Overflows
• Unnecessary Services and Configuration Errors
• Physical Attacks
• Authentication Attacks
• Network Device and Services
• Hardware (embedded devices, skimmers, POS, ATM, scanners, etc.)
• Social Engineering
Malware

Definition: Malware (MALicious softWARE) is software designed to infiltrate or damage a computer system without the owner's consent. Malware is commonly taken to include computer viruses, Trojan horses, spyware and adware.

Malware Distribution
• Internet: downloads, e-mail, IM, phishing, spear phishing, file sharing, untrusted applications, DNS & routing modifications
• Physical: USB/DVD/external media
• External: hacking, mass vulnerability exploits, cloud, *aaS providers
Methods of Attack

Trojan Horse
• Hidden or disguised program installed on a computer for stealth remote control and backdoor access
• Damage is usually done by the time it is detected
• Have been used to capture user names and passwords
• Difficult to detect or remove
• Actively combat malware protection (disable or evade anti-virus)
• Custom designs have evolved to do much more

Custom EFT Trojan Characteristics (Banking Trojans)
• Key logging
• Form grabbing
• Screen shot and mouse event capture
• Site key theft
• Protected storage retrieval
• Certificate stealing
• MBR (master boot record) rootkits
• Cookie stealing
• HTML replacement or injection
• Confirmation tampering
• And more (0-day)…
EFT Fraud Prevention

• EFT Risk Assessment
• Segregation of Duty (Initiation and Approval)
• Dedicated EFT Trusted Systems
• Multi-factor Authentication with an Independent Mechanism (token, key fob, SMS, SecurID, etc.)
• Logging and Monitoring (systems and accounts)
• Daily EFT Reconciliations
• Dedicated Clearing Accounts
• Positive Pay and Debit Blocks
• General IT Security and Controls (firewall, malware and AV, patch management, etc.)
• Cyber Theft Insurance

http://www.journalofaccountancy.com/Issues/2010/Oct/20092174.htm
Wireless Risks (internal and external)

• Rogue WLANs (evil twin)
• Insecure network configurations
• Accidental & malicious associations
• Eavesdropping & espionage
• Unauthorized access
• System identity theft
• Evolving attacks
• Hi-jacking
• Man-in-the-middle
• DOS
Denial Of Service (DOS) Example

[Diagram: Hacker → Access Point (Target) → Victim]
Methods of Attack

Spoofing & Hi-Jacking (Wireless & Wired)
Allows an attacker to pose as a legitimate user while the third party is unaware, a.k.a. "man in the middle" attacks.
• IP spoofing
• ARP/MAC spoofing
• DNS spoofing
• E-mail spoofing
Man in the Middle/Session Hijacking Attacks

Intercepting traffic between nodes

[Diagram: Target ↔ Hacker ↔ Access Point / Server]
Network Access, Now What?

• Local area network connectivity
• Bypass firewalls and other access control devices
• Exposed to all traditional wired network security vulnerabilities and exploits
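The ARP/MAC spoofing and man-in-the-middle slides above describe the attack; the following Python script, added here as an illustration and not part of the presentation, shows what the attack looks like in a LAN's ARP traffic and how to flag it. The log format (`<timestamp> arp reply <ip> is-at <mac>`), the addresses and the five lines are constructed for this example; the two indicators it uses (an IP suddenly answering from a different MAC, and one MAC claiming both the gateway's and a host's IP at the same time) are the classic signs of ARP cache poisoning.

```python
import re
from collections import defaultdict

# Constructed ARP-reply log, as a sniffer on the LAN segment might record it.
# These lines are invented for this example and are not from the slides.
# 192.168.1.1 is the gateway; 00:de:ad:be:ef:01 is the attacker's NIC, which
# at 09:01 tells the segment it is the gateway (.1) and also the victim (.20),
# so both sides of the conversation now send their frames to the attacker.
SAMPLE_ARP_LOG = """\
2011-10-03T09:00:01 arp reply 192.168.1.1 is-at 00:11:22:33:44:55
2011-10-03T09:00:05 arp reply 192.168.1.20 is-at 00:aa:bb:cc:dd:20
2011-10-03T09:01:10 arp reply 192.168.1.1 is-at 00:de:ad:be:ef:01
2011-10-03T09:01:11 arp reply 192.168.1.20 is-at 00:de:ad:be:ef:01
2011-10-03T09:02:00 arp reply 192.168.1.1 is-at 00:11:22:33:44:55
"""

ARP_LINE = re.compile(
    r"^(?P<ts>\S+) arp reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$"
)


def parse_arp_log(text):
    """Parse the log into (timestamp, ip, mac) tuples; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return entries


def detect_arp_spoofing(entries, gateway_ip=None):
    """Replay the ARP replies in order and raise two kinds of alert:
    - mac_change: an IP answers from a different MAC than the one last learned
      (an attacker overwriting the victims' ARP cache entries);
    - multi_ip:   one MAC now claims more than one IP at the same time (the
      attacker sitting between victim and gateway claims both addresses).
    Alerts that involve the gateway address are rated high, because rewriting
    it redirects every off-segment flow through the attacker."""
    ip_to_mac = {}                  # current IP -> MAC mapping as learned
    mac_to_ips = defaultdict(set)   # MAC -> set of IPs it currently claims
    alerts = []
    for ts, ip, mac in entries:
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            mac_to_ips[old].discard(ip)   # the IP has moved away from the old MAC
            alerts.append({"time": ts, "kind": "mac_change", "ip": ip,
                           "old_mac": old, "mac": mac,
                           "severity": "high" if ip == gateway_ip else "medium"})
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append({"time": ts, "kind": "multi_ip", "ip": ip, "mac": mac,
                               "claimed": sorted(mac_to_ips[mac]),
                               "severity": "high" if gateway_ip in mac_to_ips[mac] else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_log(SAMPLE_ARP_LOG), gateway_ip="192.168.1.1"):
        print(alert)
```

Run against the sample log this produces four alerts: the gateway's MAC changing at 09:01:10, the victim's MAC changing at 09:01:11, the attacker's MAC claiming both addresses at 09:01:11, and the gateway flapping back at 09:02:00 once the poisoning stops. A legitimate NIC replacement or a DHCP re-assignment also trips the mac_change rule, so treat the output as a trigger for investigation rather than proof; the preventive controls are static ARP entries for the gateway on critical hosts, dynamic ARP inspection on the switches, and the Network Access Control the deck lists later.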
Wireless Controls, Prevention & Mitigation

• Layered security
• Wireless network architecture
  – Placement of APs
  – Use of antennas
  – Separate network segment
  – Firewalls
  – VPN access
• Security policies and procedures
• Implement technical baselines
• Technology policy enforcement software
Mobile Device Risks

• Physical theft (laptops, PDAs, cell phones, etc.)
• Negligence (lost or misplaced)
• Malicious software installation
• Malware or virus infection
• Security configuration errors or limits
• Shared or common authentication (same passwords)
• Password retrieval software
• Device and data compromise (unauthorized Bluetooth connections)
Physical Access Risks

• Theft
• Hardware modifications
• Physical access ups the stakes
• Workstation/server/laptop/mobile device theft
• Lost or misplaced portable devices or portable storage
• Device and media decommissioning
• Facility access controls

Physical Device Security

• Physical lockdown
• Secure authentication
• Malware protection
• VPN security
• Policy based data destruction
• BIOS or boot passwords
• Drive and device encryption
• Disable bootable drives
• OS specific measures
• Video and monitoring
• Mobile device tracking
• Data cleansing (retired equipment and devices)
• Insurance (lost or stolen)
VOIP Risks

• Eavesdropping
  – Sniffing and packet capturing
• Man in the middle attacks
• Service interruption (DOS)
• SPIT (voice spam)
• Voice phishing (vishing)
• Signal and media manipulation
  – Unauthorized registration modification
  – Registration hijacking
  – Registration spoofing
  – Spoofing caller-ID
Web Application Based Attacks

Web application based attacks may include some of the following:
• Client application attacks
• SQL injection
• Cross-site scripting (XSS)
• Session tampering
• Field input validation (bypass)
• HTTP POST field modification
• Parameter tampering
[Chart: Source: Microsoft Security Intelligence Report Volume 10 (2010), Key Finding Summary]

Application Based Attacks

Client Application Based Attacks

Web Browsers
• BHO (browser helper objects)
• ActiveX, Java applets and other embedded scripting

Office Applications
• Embedded macros
• Malicious documents sent by e-mail or opened through browsing

Email & IM Clients
• Malware (viruses, Trojans, key-loggers, spyware, adware, rootkits, etc.)
• Phishing and spam
• Social engineering

Media Player Software
• Software vulnerabilities
• Execution of programs with the software

Peer-to-Peer Software
• Malware (viruses, Trojans, key-loggers, spyware, adware, rootkits, etc.)
Application Based Attacks

What is this doing?

Username = user@abc-ex-co.com
Password = 'anything' OR '1'='1';

How about this?

Username = 'user@abc-ex-co.com' OR '1'='1';
Password = 'anything'
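Both logins above are SQL injection: the application pastes the submitted fields straight into its query text, so a quote in the input ends the string and whatever follows is parsed as SQL. The Python script below is added here as an illustration and is not part of the presentation. It assumes the query shape `SELECT ... WHERE username = '<input>' AND password = '<input>'`, uses a constructed in-memory SQLite table (the second account and both passwords are invented; the slide's trailing semicolon is dropped from the payload because the application appends its own closing quote after the input), and puts the parameterised query that neutralises the attack next to the vulnerable one.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the slides).
# Plaintext passwords are used only to keep the injection visible; a real
# application stores salted password hashes.
SAMPLE_USERS = [
    ("user@abc-ex-co.com", "S3cret!"),
    ("admin@abc-ex-co.com", "Adm1n-pass"),
]

# Slide 1: payload in the password field.
# WHERE username = 'user@abc-ex-co.com' AND password = 'anything' OR '1'='1'
# AND binds tighter than OR, so this is (user AND pass) OR TRUE: every row matches.
PAYLOAD_IN_PASSWORD = "anything' OR '1'='1"

# Slide 2: payload in the username field, password left as "anything".
# WHERE username = 'user@abc-ex-co.com' OR '1'='1' AND password = 'anything'
# This is user OR (TRUE AND pass): the named account's row matches whatever the
# password is, i.e. a targeted takeover of that one account.
PAYLOAD_IN_USERNAME = "user@abc-ex-co.com' OR '1'='1"


def _open_db():
    """In-memory SQLite database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def unsafe_query(username, password):
    """Build the login query by string concatenation, as the vulnerable
    application does. The user's text becomes part of the SQL statement."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def vulnerable_login(username, password):
    """Return the usernames the concatenated query matches (sorted)."""
    conn = _open_db()
    rows = conn.execute(unsafe_query(username, password)).fetchall()
    return sorted(r[0] for r in rows)


def safe_login(username, password):
    """Parameterised query: the driver passes the values separately from the
    statement text, so quotes and OR in the input are only data."""
    conn = _open_db()
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    print(unsafe_query("user@abc-ex-co.com", PAYLOAD_IN_PASSWORD))
    print("vulnerable, payload in password:",
          vulnerable_login("user@abc-ex-co.com", PAYLOAD_IN_PASSWORD))
    print("vulnerable, payload in username:",
          vulnerable_login(PAYLOAD_IN_USERNAME, "anything"))
    print("safe, payload in password:",
          safe_login("user@abc-ex-co.com", PAYLOAD_IN_PASSWORD))
    print("safe, payload in username:", safe_login(PAYLOAD_IN_USERNAME, "anything"))
    print("safe, real credentials:", safe_login("user@abc-ex-co.com", "S3cret!"))
```

The first payload returns every account (the OR makes the whole WHERE clause true), which is why an application that logs in "the first row returned" hands the attacker whichever account sorts first; the second returns exactly the account named in the username field without its password. The parameterised version returns nothing for either payload and still authenticates the real credentials, which is the check to make when reviewing login code: the query text must be a constant and user input must only ever travel as bound parameters.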
Potential Threats:
•Exploits•Viruses •Trojans •Spyware, •AdWare, •Rootkits, •Key loggers•Back doors
= Identity Theft & EFT Fraud
Where do we start?

• Identify Responsibility
• Identify Resources
• Identify Risks
• Establish a Time Table & Budget
• Create a Security Policy
• Identify Necessary Controls and Audit Objectives
• Establish Necessary Standards and Procedures
• Design Management Reports and Substantive Testing
• Education
Risk Based Security

• Develop Loss Scenarios
• Identify Exposures and Controls
• Define Risk Categories
• Assess Likelihood and Severity of Possible Losses
• Develop Risk Control Costs
• Rank Exposures
Risk Analysis

[Chart: Likelihood (Low / Med / High) plotted against Severity of Impact (Low / Med / High). Exposures placed on the matrix: Firewall Penetration, Virus Attack, E-Mail Abuse, Fire, Loss of Assets, Personal Use of Internet]
What is a Security Policy?
• Minimum Level of Security Tolerable by Mgt.
• High Level Guidelines
• Consists of Organizational Goals, Objectives, Culture, Ethics, Controls, and Employee Responsibility.
Prevention

• Authentication
  – Enforced password policy
  – Strong password management
  – Multi-factor authentication
    • Smart cards/tokens
    • One time passwords
    • Biometrics
• Service or vendor updates
• "Least privilege"
• SDLC enforcement
• Malware/spam/anti-virus protection
• Periodic security audits
• Logical access controls
• Physical access controls
• Performance benchmarks
• Traffic normalization
• "Phone home" prevention
• Enable and centralize logging
• Network Access Control (NAC)
• Control rights and permissions
• Segregation of duties
• Standard Operating Procedures (SOPs)
• Removable device control
• Encryption (in transfer and at rest)
More Prevention

• Mandatory vacations & job rotation
• Accountability
• Implement security traps
• Network and application IDS/IPS
• Secure, fault-tolerant data and network design
• VPNs
• Log off policy
• Control internet downloads
• Data Loss Prevention (DLP)
• Traffic and log correlation
• Monitor e-mail and HTTP traffic (set & uphold policy)
• System change controls
• Data backup
• Off site storage
• Restrict outside software and disks to general users
• EMPLOYEE AWARENESS
Resources

• http://www.aicpa.org/trustservices/
• http://www.packetstormsecurity.com
• http://www.securityfocus.com
• http://www.cert.org
• http://www.sans.org
• http://www.isaca.org
• http://www.microsoft.com/security
• http://www.isc2.org
• http://www.nipc.gov
• http://labs.idefense.com
• http://www.issa.org
• http://www.sju.com
Questions?
Steven J. Ursillo, Jr., CPA, CIA, CFE, CISA, CISM, CITP, CISSP, CGEIT, CRISC
Phone: 401-521-4000 ext. 144
Thank You!
Steven J. Ursillo Jr., Principal
SPARROW, JOHNSON & URSILLO, INC.
Certified Public Accountants, Business & Technology Consultants
1300 Division Road, West Warwick, RI 02893
Phone: (401) 521-4000 x144
Fax: (401) 274-5368
http://www.sju.com
E-mail: [email protected]