Cyber Security in the 21st Century (presentation transcript)
2 Safe Harbor Statement
This presentation outlines certain practices that businesses should consider to reduce the likelihood of loss caused by online fraud and identity theft. This presentation does not purport to identify all existing online fraud and identity theft practices and all fraud mitigation measures that your business should consider implementing. There is no way to guarantee that any set of protective measures will eliminate loss caused by online fraud and identity theft. U.S. Bank is not responsible for losses caused by online fraud and identity theft.
3 Agenda
- Context
- The Expanding Internet
- Cyber Crime Scale
- Today's Threats
- Malware
- Preventing Business Account Takeover
- Avoid Being a Victim
4 Context
The internet is incredibly convenient – banking and shopping with a few clicks of the mouse.
Personal Banking
- 63 million Americans bank online [1]
- $3,500 average balance in "transaction accounts" [2]
- ~$221 Billion managed online
Shopping
- $1.042 Billion spent online the day after Thanksgiving 2012 [3]
- $1.465 Billion spent online the Monday after Thanksgiving 2012 [3]
The internet holds a wealth of information
- Encyclopedia Britannica has 32 volumes; English Wikipedia, if bound identically, would consist of 1,673 volumes
- Birthdates, residences, phone numbers, email addresses – all conveniently located in one place – your Facebook or LinkedIn profile page!
Sources: 1. Pew Research Center, Jan 2012; 2. Federal Reserve 2010 Survey of Consumer Finances; 3. comScore e-Commerce Measurement
5 The Expanding Internet
The superhighway analogy, pre-2000 vs 2012:
- Cars – Pre-2000: Billions (1,000,000,000) travelling at 60 mph; 2012: Quintillions (1,000,000,000,000,000,000) travelling at 60,000 mph
- Lanes – Pre-2000: 44; 2012: 4,000
- On/Off Ramps – Pre-2000: Millions (1,000,000); 2012: Hundreds of Millions (800,000,000)
6 Cyber Crime Scale
- 14 adults become victims of cybercrime every second, totaling more than one million victims each day [1]
- Cybercriminals unleash 3.5 new threats targeting businesses every second [2]
- 69% of breaches incorporated malware as part of the attack [3]
[Chart values on the slide: 347M, 431M]
Sources: 1. Norton Cybercrime Report 2011; 2. Trend Micro "Small business is big business in cybercrime"; 3. Verizon Breach Report 2012
7 Changing Cyber Threats
Insiders
- Often undetected for up to 32 months
- Culprits are employees – typically managers – with 5+ years' experience
- Usually low-tech, relying on access privileges
Hacktivists
- Responsible for 58% of all data stolen in 2011
- Targets include CIA, FBI, Visa, MasterCard, Sony (breached 21 times in 2011), Amazon
Nation-states
- Since 2010, nation-state linked malware IDs increased from 1 to 8; 5 in 2012
- Gauss malware targets financial services in the Middle East; steals credentials
- Technically sophisticated malware for espionage, data breaches, even sabotage
Organized crime
- Cybercrime is maturing as a business, with marketing, support, advertising, R&D, and economies of scale
8 Changing Threats: Insiders
- Almost 1 in 10 who reported fraud suffered losses of more than $5 million.
- 56% of respondents said the most serious fraud was an 'inside job'.
Source: PWC Global Economic Crime Survey, November 2011
[Chart: Perpetrators of fraud by industry]
9 Changing Threats: Hacktivists
- Hacktivism was responsible for 58% of all data stolen last year
- Hacktivist motives vary: nationalism, digital/electronic rights, privacy issues, copyright issues, Occupy Wall Street, even animal rights
- Hacktivist tactics depend on the size of the organization and the relative skill levels of its members. Some typical attacks are:
Denial of service
- Hacktivists use software tools to overload target servers and applications with requests; little technical skill is required and there is strength in sheer numbers
- Goal is to bring down web sites and applications for hours or even days
- DDoS attacks like this are planned publicly, so there is usually lead time to prepare
Advanced persistent threats
- Highly skilled, technologically advanced and stealthy attacks by smaller teams
- Goal is to steal IP and authentication information, and PII for individuals & organizations
- Often has a spearphishing component, or other social engineering stage
- APTs are linked with "watering hole" attacks, where malware is seeded at sites where targets of interest gather, to see who they can snare
Vulnerabilities
- Broad scans of identified targets in search of easily-exploitable vulnerabilities
- May be the first choice, with DDoS as a last resort if no exploitable vulnerabilities are found
- A DDoS attack can be used as cover for a smaller team to exploit previously identified vulnerabilities
10 Changing Threats: Organized Crime
Traditional organized crime is making inroads and extending operations into digital markets.
Traditional indicator → Online parallel
- Extortion techniques → Threats to close down systems by malware attacks; use of compromising browser records for blackmail
- Control of gambling → Development of new 'offshore' income streams
- Control of drug markets → Sales of illegal drugs; development of fake Viagra and other pseudo drug markets / spamming
- Money laundering → Laundering of digital income; global money mule systems
- Counterfeiting → Organized DVD copying gangs; organized intellectual copyright theft; carding and skimming
- Sex & prostitution → Creation of online pornography empires; links between escort sites, trafficking and organized groups
Source: Organized crime in the digital age: the real picture, BAE Systems Detica-sponsored study, London Metropolitan University
- The young hacker stereotype turns out not to be the case: 43% of organized digital crime associates are over 35 – more than those who are under 25 (29%)
- Research indicates this is because the technology bar to digital crime has been lowered by the easy availability of ready-made, low-skill toolkits to make malware or manage botnets
11 Changing Threats: Nation-state Threats
- Double-threat from highly advanced and specialized malware & Advanced Persistent Threats
- Targets specific nations through government & civil organizations, commerce & infrastructure:
  – Gauss focused on financial institutions
  – Flame targeted companies and institutions in the Middle East
- Highly sophisticated and complex:
  – Stuxnet probably required 10 man-years of development; Flame is 20 times more complex
- Enables plausible deniability:
  – Researchers who analyze the code can't be sure that they're seeing more than what the writers want them to see.
[Chart: Rise of Malware Linked to Nation-States, 2010–2013 – Stuxnet, Duqu, Mahdi, Flame, Wiper, Ixeshe, Gauss, Shamoon and MiniFlame, grouped by purpose (intelligence gathering, sabotage, or unknown). Red lines indicate a probable family link. There is only circumstantial evidence for the Wiper link to the Stuxnet family (it left very little forensic data). The status of Shamoon as nation-state malware has been questioned – some attribute it to nationalist hackers or cybercriminals.]
12 Attacks from Last Traceable Point of Origin
[Map: share of attacks by last traceable point of origin – 32.5% unknown origin; other regions on the map labelled 10-30%, 3-4%, 1%, 0.6% and 0.3%]*
USA
- Hosted ~50% of all phishing sites in 1H 2011
- Hosted ~45% of all phishing-based keyloggers or Trojan downloaders
China
- 55,000 malware/intrusion incidents on DoD systems in 2010; a large but unspecified number blamed on China
- Highest level of malware infections
Russia
- Produces 77% of all spam
- Source of many successful botnets: Rustock, Grum, Cutwail, and more
*Trustwave Breach Report 2012
13 What is Malware?
"Malware" is an umbrella term used to describe many forms of malicious software.
Common forms of malware:
- Worms – malware that can spread by itself (most other forms spread by attaching to a file).
- Trojans – malware that looks legitimate and tricks the user into activating it. Known to create "backdoors" that give malicious users access to the infected system.
- Viruses – malware that replicates itself by inserting itself into, and becoming a part of, a piece of legitimate software.
- Bots – malware that automates the use of system resources on the infected computer to interact with external computers. Used to cause "Denial of Service" (DoS) attacks.
14 The Business of Malware…
A big problem…
- 350 to 400 million PCs compromised
- $388 billion per year in losses resulting from cybercrime
- 431 million adults fall victim per year (69% of those surveyed by Symantec had been victims)
… getting bigger?
Source: 2011 PandaLabs
15 How Malware Works
Actors on the diagram: Malware Coder, Cyber Theft, Victim, Money Mules, Mule Organization
0. Malware Service (Malware-as-a-Service) – Malware programmers:
   - sell/lend malware
   - purchase/rent malware modules from other programmers
   - use testing services such as checking detection by Anti-Virus software
   - provide customers with customization, updates, and issue maintenance
1. Malware Infection – Criminals:
   - trick victims into opening infected attachments or visiting nefarious websites
   - command bots to download malware (criminals lend/rent botnets)
2. Credential Harvest – The victims visit their online banking websites and log on per the standard processes. The malware collects and transmits data back to the criminals.
3. Money Theft – Criminals leverage the victim's credentials to initiate funds transfers from the victim's account to mules.
4. Money Collection – Mule organizations collect money from mules and launder the money.
16 Malware Infection
Phishing
- "Phishing" is the use of spam email designed to trick the recipient into clicking a hyperlink or opening an attachment
- Phishing emails often look official and have a clear "call to action"
- Most commonly look like email from banks, delivery services or law enforcement agencies
Spear Phishing
- A phishing attack that is designed for a specific person. The attacker may conduct extensive research on a specific individual to customize the attack.
Social Networks
- Attackers using social networks take advantage of the fact that most everyone is on another user's "trusted" list
17 Social Engineering / Social Media
- Social engineering attacks occur by phone, email, or even in person
- A social engineer tricks people into giving away sensitive information, even passwords
- Social engineers are 'hacking the human element' – it's easy, and untrained employees won't suspect
Typical approaches:
- "Do me a favor and help me out or I'll get in trouble…"
- "This is business-critical and time is running out…"
- "Hi, I'm from the IT helpdesk and we're doing a routine but complicated-sounding test, can you give me your…"
- "The Sales Director has asked me for this information…"
- "Why can't you hurry this up? I don't have all day…"
Social Media Malware – Automated social engineering
- Malware can take over your social media account to:
  – Send phishing emails to all your contacts
  – Set your "like" status to a product you've never heard of, or to some malware-infected app
- Effective because it exploits the assumed trust we have in our networks – email typically comes from someone we know.
- 52% of companies surveyed at the end of 2011 said they had seen an increase in social media attacks due to malware.
18 Man-In-The-Browser
- One of the most concerning types of malware attacks is called "Man-In-The-Browser" (MITB).
- Typically the result of a Trojan infection, MITB permits a cybercriminal to modify the infected machine's browser and harvest user credentials.
- The infected browser looks like an uninfected browser, many times prompting the user for token-generated passwords and/or transaction PINs.
[Screenshot: login screen altered]
19 Prevent Business Account Takeover
Dual Authorization
- If offered, utilize dual authorization for ACH / wire transactions and account administration
- Do not execute both authorizations from the same computer
Business Account Settings
- Reset default transaction limits – many institutions set default transaction limits very high
- Remove those employees no longer with your organization from payroll rosters immediately
- Regularly review your account settings
20 Prevent Business Account Takeover
Dedicated Computer
- Use a dedicated computer for online financial transactions
- No internet browsing except for bank transactions
- No email or internet-accessing applications
- Configure user accounts with least necessary privilege
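The dual-authorization, transaction-limit and roster controls from the two slides above, encoded as a small policy checker. This is an added example, not U.S. Bank's code; the Approval/Transfer/Policy names, the device identifiers that stand in for "the same computer", and the sample limits are assumptions.

```python
"""Policy checks for an outbound ACH / wire transfer (added example, not bank code).

Encodes the slide's controls: two distinct approvers for large transfers, the
two approvals must not come from the same computer, a business-configured
limit instead of the bank default, and approvers must still be on the roster.
"""
from dataclasses import dataclass, field


@dataclass
class Approval:
    user: str        # who approved the transfer
    device_id: str   # identifier of the computer the approval came from (assumed)


@dataclass
class Transfer:
    amount_cents: int
    approvals: list = field(default_factory=list)


@dataclass
class Policy:
    limit_cents: int                 # per-transaction limit set by the business
    dual_auth_above_cents: int       # transfers at/above this need two approvals
    active_users: frozenset = frozenset()  # current employees allowed to approve
    require_distinct_devices: bool = True


def evaluate(transfer: Transfer, policy: Policy) -> list:
    """Return the list of policy violations; an empty list means it may proceed."""
    problems = []
    # Roster check: a departed employee's approval must never count.
    for a in transfer.approvals:
        if a.user not in policy.active_users:
            problems.append(f"approval by '{a.user}' who is not on the active user roster")
    if transfer.amount_cents > policy.limit_cents:
        problems.append("amount exceeds configured transaction limit")
    if transfer.amount_cents >= policy.dual_auth_above_cents:
        users = {a.user for a in transfer.approvals}
        if len(users) < 2:
            problems.append("dual authorization required: need two distinct approvers")
        devices = {a.device_id for a in transfer.approvals}
        # Two approvals from one machine defeat the control: a single infected
        # browser could have supplied both.
        if policy.require_distinct_devices and len(transfer.approvals) >= 2 and len(devices) < 2:
            problems.append("both authorizations came from the same computer")
    return problems
```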
21 How to Avoid Being a Victim
Keep anti-virus software up to date
- AV software is not a silver bullet – it only catches 40% of all documented malware!
- Use AV software as one part of your entire strategy to stay safe online.
Smart internet browsing
- Stay away from websites ending in ".ru"
- Be very wary about downloading files, even from "trusted" websites
- Avoid downloading "plug-ins" for your browser
Use strong passwords
- The longer the better (12 – 14 characters is optimal)
- Do not use dictionary words in your password
- Do not re-use passwords on different websites
22 How to Avoid Being a Victim (Continued)
Social Network Safety
- Minimize the amount of personal information (birth date, address, etc.) you share on social networks
- Be careful when clicking on web links at social media sites
Nielsen Global Trust in Advertising Report for 2012: "Social media is most influential new media because we consider familiar voices to be trustworthy"