IT TRENDS AND FUTURE CONSIDERATIONS Paul Rainbow - CPA, CISA, CIA, CISSP, CTGA
The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including, without limitation, legal, accounting, or investment advice. This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although this information may have been prepared by professionals, it should not be used as a substitute for professional services. If legal, accounting, investment, or other professional advice is required, the services of a professional should be sought.
AGENDA BYOD Cloud Computing PCI Fraud Internet Banking Questions
The Mobile Explosion Mobile traffic data in 2011 was nearly 12 times the size of the entire global Internet traffic in 2000 Global mobile traffic will increase 13-fold between 2012 and 2017 By the end of 2013, the number of mobile-connected devices will exceed the number of people on earth By 2017, there will be 8.6 billion handheld or personal mobile-ready devices Gartner predicts that by 2014, 90% of companies will support corporate applications on personal mobile devices Source: Cisco Global Mobile Data Traffic Forecast Update, 2012 - 2017
Mobile Computer Sales: Tablets Lead 6 Tablets are poised to outsell laptops by 2016
Mobile Technology Trends According to CTIA, as of June 2012, there were 327,577,529 active mobile devices connected to US carriers BYOD gaining acceptance in the workplace Mobile Device Sales (3Q 2012): – Android– 104.8 million units (68.1% market share) – iOS– 26 million units (16.9% market share) – BlackBerry– 7.4 million units (4.8% market share) – Symbian– 6.8 million units (4.4% market share) – Windows– 5.4 million units (3.5% market share) The popularity of smartphones has made them the next major target for cyber criminals
BYOD: The New Frontier Employees are using their own devices in the work place and asking to connect them to the company network – this trend is known as Bring Your Own Device (BYOD). According to Forrest Research, 48% of employees will buy their own device – whether their organization approves or not.
BYOD: The New Frontier Benefits Employees get a choice Boosts morale and productivity. The firm avoids owning hardware and ongoing contracts Employees set up services under their own names. The equipment can go with the employee if they leave Departures are cleaner, as data is simply wiped out from the employee’s device.
BYOD: The New Frontier Challenges Security is easier to manage in company owned devices Security is difficult to control when the environment and devices are not under the IT department’s control. The balance between life and work is challenged The line between life and work is blurred; employees have a hard time turning off work. Policies are not keeping up with the trend Enterprises are lagging behind in creating policies that addresses the BYOD trend.
BYOD: The New Frontier Legal Challenges Can legal discovery rights of corporate information be extended to personal devices if they hold personal data? Do breaches of personal data on company owned devices leave the company liable (e.g., HIPAA information on my company owned device)? Could it support wage and hour claims for non-exempt employees working off the clock? A 2010 US Supreme Court 9-0 ruling declared that employees are not entitled to privacy if they use an employer’s issued device, so what level of privacy is there for BYODs?
Current Mobile Threats Malware is the single largest threat to mobile security In 2012, Kaspersky Labs discovered an average of 6,300 new Android malware samples every month, which was an increase of over eight times from 2011 Mobile malware can be divided into three separate categories: Trojans, Backdoors, Spyware Trojans are widely used in SMS attacks Backdoors allow unauthorized access to devices Spyware targets the unauthorized collection of private data
Current Mobile Threats: Android Android is more susceptible to malware than Apple Why? – Lax application markets; apps can be downloaded outside of market – Easy to repackage legitimate applications with malware – Flawed Android security model Large security issues with jail-broken and rooted phones – “Hacking” mobile phones allows security controls to be circumvented
Current Mobile Threats: Find and Call Apple’s first App Store malware: Find and Call App steals phonebook from devices and pushes data back to a command-and-control (C&C) server Data is then used for SMS spam campaigns
Current Mobile Threats: Ransomware Ransomware: – Malware which effectively holds a user’s device hostage until a fee is paid
Current Mobile Threats: SMS Botnets SMS Spam Botnet: – Directs users to download malware directly on their device An SMS is received containing a URL When the users clicks on the URL, a Trojan is installed on the device with the legitimate application Trojan contacts C&C server to obtain spam message The spam message is sent to the contacts stored in the phone
Current Mobile Threats: Zitmo Banking Trojans: Zeus-In-The-Mobile (Zitmo) Masquerades as a banking activation application and eavesdrops while looking for mobile transaction authentication numbers (mTAN) in SMS messages sent by banks to customers for a second form of authentication First appeared in 2010
Cloud Computing Private Cloud − Hosted for or by a single entity on a private network; can be hosted internally or outsourced but is most often operated internally; only those within the entity share the resources Community Cloud − Hosted for a limited number of entities with a common purpose; access is generally restricted; most often used in a regulated environment where entities have common requirements Hybrid Cloud − Data or applications are portable and permit private and public clouds to connect Public Cloud − Available to the general public; owned and operated by a third-party service provider
Cloud Computing The institution has the ability to increase or decrease resources on demand without involving the service provider (on-demand self-service). Massive scalability in terms of bandwidth or storage is available to the institution. The institution can rapidly deploy or release resources. The financial institution pays only for those resources which are actually used (pay-as-you-go pricing)
Cloud Computing One of the major concerns with cloud computing is the loss of control for physical access to systems. Depending on the type of cloud service you use, you may be sharing hardware with others. This can lead to legal (and operational) issues if the systems and/or backups are requested by a court or government agency.
Notable Payment Card Security Breaches Heartland Payment Systems – 2008 – Hackers attacked the system that is used to process card transactions. Up to 100 million transactions compromised. TJX Corp. – 2007 – Hackers compromised wireless network to steal information on approx. 94 million card transactions. HEI Hospitality (Marriott, Sheraton, Westin) – March/April 2010: POS system compromised. Up to 3,400 credit card accounts compromised. PlayStation Network – 2011 – Hack attack. 77 million personal information acquired. Credit card information (TBD). Seattle Small-Medium-sized businesses – April 2011 – war driving hacks to steal credit card data. Stole about $750,000 worth of goods.
Payment Card Industry (PCI) – Data Security Standard Overview Not a government regulation, but an industry regulation. All entities that process, store, or transmit payment card information need to comply. (PAN is the deciding factor.) The Players: Card Brands, Merchants, Service Providers, Acquirers, and Issuers Effective compliance dates varies depending on merchant level or service provider level and card brand (June 2005, Dec. 2008). Card brands have their own compliance programs and are responsible for compliance tracking, enforcement, penalties, and fees.
Why is compliance with PCI DSS important? A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including: 1. Regulatory notification requirements 2. Loss of reputation 3. Loss of customers 4. Potential financial liabilities (regulatory and other fees and fines) 5. Litigation
Penalties for Non-Compliance Members proven to be non-compliant or whose merchants or agents are non-compliant may be assessed: – Non-compliance fine up to $500K – Forensic investigation costs – Issuer/Acquirer losses Unlimited liability for fraudulent transactions Potential additional issuer compensation (e.g., card replacement) – Dispute resolution costs
Fraud Trends Malware Mobile Devices Social Engineering Social Media
Malware “Man in the Browser” is malware that infects a web browser and has the ability to modify pages, modify transaction content, or insert additional transactions. This is hidden from both the user and application. Keystroke loggers and other similar strains of malware continue to be used to collect data and user credentials to be used for fraud.
Social Engineering As financial institutions enhance their online security, the criminals are changing their avenue of attack Social engineering is used in various forms (phishing, spear phishing, or smishing)
Social Media Easy way for criminals to gather intimate details about members to use in fraud Easy way to send malware or Trojans to a large group of people from a “trusted” friend New frontier for phishing and social engineering attacks
Internet Banking Authentication Regulators came out with guidance related to Internet banking authentication in June 2011. The guidance called out the responsibility of financial institutions to: Differentiate between retail and business transaction risk “Agencies recommend that institutions offer multifactor authentication to their business customers.” Continue to focus on Risk Assessment Increased emphasis on Layered Security Programs
Questions? Contact Us firstname.lastname@example.org 509-714-4865