Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cyber Crime Trends A “State of the Union”.

Similar presentations


Presentation on theme: "Cyber Crime Trends A “State of the Union”."— Presentation transcript:

1 Cyber Crime Trends A “State of the Union”

2 Mark A. Eich, CPA, CISA Mark Eich is the Managing Principal of the Information Security Services Group at CliftonLarsonAllen. He has over 26 years’ experience in auditing and technology consulting and has actively led many IT audits and security assessments for clients in a range of industries

3 Themes Hackers have “monetized” their activity
More hacking More sophistication More “hands-on” effort Smaller organizations targeted Social engineering on the rise Hackers targeting businesses more than banks

4 Mitigation Themes Employees that are aware and savvy
Networks resistant to malware Relationships with banks maximized

5 Three Largest Trends Organized Crime
Wholesale theft of personal financial information Payment Fraud – Corporate Account Takeover Use of online credentials for ACH, CC and wire fraud Ransomware CryptoLocker Sans: Data from over 6,000 Intrusion Prevention Systems Data from over 9,000,000 systems (Qualys scans) Trustwave: Analysis of 200 investigations Analysis of 1,800 penetration tests

6 Theft of PFI Target Neiman Marcus University of Maryland
University of Indiana Olmested Medical Center Etc etc etc………… Main street hardware store??

7 Corporate Account Takeover
Catholic church parish Hospice Collection agency Main Street newspaper stand Electrical contractor Health care trade association Rural hospital Mining company On and on and on and on……………..

8 Ransomware Malware encrypts everything it can interact with
i.e. anything the infected user has access to CryptoLocker Kovter Also displays and adds child pornography images

9 Ransomware May 20, 2014 – Ransomware attacks doubled in last month (7,000 to 15,000)

10 Ransomware Zip file is preferred delivery method
Helps evade virus protection Working (tested) backups are key

11 The Cost? Norton/Symantec Corp:
Cost of global cybercrime: $388 billion Global black market in marijuana, cocaine and heroin combined: $288 billion Hackers are lazy - go for the “easy money” Bank customers are much easier targets than the banks themselves Norton/Symantec (Norton Study Calculates Cost of Global Cybercrime_ $114 Billion Annually.pdf): Symantec Corp. (Nasdaq: SYMC) For the first time a Norton study calculates the cost of global cybercrime: $114 billion annually1. Based on the value victims surveyed placed on time lost due to their cybercrime experiences, an additional $274 billion was lost2. With 431 million adult victims globally in the past year and at an annual price of $388 billion globally based on financial losses and time lost, cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion). Ponemon study: PoneMon-2011_US_CODB_FINAL_5.pdf Ponemon study: PoneMon-2012_Business_Banking_Trust_Trends_FINAL14.pdf

12 Two Security Threat Reports
Intrusion Analysis: TrustWave January 2010 and April 2011 https://www.trustwave.com/GSR Intrusion Analysis: Verizon Business Services July 2010 and April 2011 Sans: Outside  In attempts Data from over 6,000 Intrusion Prevention Systems Data from over 9,000,000 systems (Qualys scans) Trustwave: Successful breach analysis (PCI related) Analysis of 200 investigations Analysis of 1,800 penetration tests Verizon: Successful breach analysis (in conjunction with secret service)

13 TrustWave – Intrusion Analysis Report
Top Methods of Entry Included: Top Methods of Entry Included: Remote Access Applications [45%] Default vendor supplied or weak passwords [90%] 3rd Party Connections [42%] MPLS, ATM, frame relay SQL Injection [6%] Web application compromises [90%] Exposed Services [4%]

14 Verizon Data Breach Analysis

15 How do hackers and fraudsters break in?
Social Engineering Phishing “Spear Phishing” On-line banking trojans Back to the Future: pre-text phone calls Posing as a vendor Posing as staff (someone in IT, HR, Administration…) Posing as student/alumni/donor spear Phishing Attacks to harvest credentials Attacks to compromise the workstation Click here to claim your winnings The online survey from the HR department Install this critical software update

16 The Fine Art of “People Hacking”
“Amateurs hack systems, professionals hack people.” Bruce Schneier Social Engineering uses non-technical attacks to gain information or access to technical systems Pre-text telephone calls Building penetration Seeding attacks Back to the Future: pre-text phone calls Posing as a vendor Posing as staff (someone in IT, HR, Administration…) Posing as student/alumni/donor spear Phishing Attacks to harvest credentials Attacks to compromise the workstation Click here to claim your winnings The online survey from the HR department Install this critical software update

17 Spear Phishing “Second Generation” phishing
Goal is to “root the network” Install malware Log system activity to harvest passwords Use automated tools to execute fraudulent payments Trick users into supplying credentials (passwords)

18 Spear Phishing Success Factors
With so much money at stake hackers are putting in more effort to increase the likelihood that the ed link will be followed: “Spoof” the to appear that it comes from someone in authority Create a customized text that combines with the spoofing to create pressure to act quickly (without thinking)

19 Email Phishing – Targeted Attack
Randall J. Romes Two or Three tell-tale signs Can you find them?

20 10 Key Defensive Measures
Training Your Employees is Critical (but not easy)

21 Strategies Our information security strategy should have the following objectives: Users who are more aware and savvy Networks that are resistant to malware Relationship with our FI is maximized

22 Ten Keys to Mitigate Risk
Strong Policies - use Website links Removable media Users vs Admin Insurance We are seeing a lot of clients with Policies geared towards Privicy rule. Not enough on the Security Rule. We are also seeing many clients that have not properly documented why they are not implementing Addressable Rules Vendors often have full/pervasive access with few controls or monitoring enforced on them

23 Ten Keys to Mitigate Risk
2. Defined user access roles and permissions Principal of minimum access and least privilege Users should NOT have system administrator rights “Local Admin” in Windows should be removed (if practical) We are seeing a lot of clients with Policies geared towards Privicy rule. Not enough on the Security Rule. We are also seeing many clients that have not properly documented why they are not implementing Addressable Rules Vendors often have full/pervasive access with few controls or monitoring enforced on them

24 Ten Keys to Mitigate Risk
Hardened internal systems (end points) Hardening checklists Turn off unneeded services Change default password Use Strong Passwords (see tip next slide) Encryption strategy – data centered Laptops and desktops Thumb drives enabled cell phones Mobile media

25 Ten Keys to Mitigate Risk
Vulnerability management process Operating system patches Application patches Testing to validate effectiveness – “belt and suspenders”

26 Ten Keys to Mitigate Risk
Well defined perimeter security layers: Network segments gateway/filter Firewall – “Proxy” integration for traffic in AND out Intrusion Detection/Prevention for network traffic, Internet facing hosts, AND workstations (end points) Centralized audit logging, analysis, and automated alerting capabilities Routing infrastructure Network authentication Servers Applications

27 Ten Keys to Mitigate Risk
Defined incident response plan and procedures Be prepared Including data leakage prevention and monitoring Forensic preparedness

28 Ten Keys to Mitigate Risk
Know / use Online Banking Tools Multi-factor authentication Dual control / verification Out of band verification / call back thresholds ACH positive pay ACH blocks and filters Review contracts relative to all these Monitor account activity daily Isolate the PC used for wires/ACH

29 Ten Keys to Mitigate Risk
10. Test, Test, Test “Belt and suspenders” approach Penetration testing Internal and external Social engineering testing Simulate spear phishing Application testing Test the tools with your bank Test internal processes

30 Information Security Services Group
Questions? Hang on, it’s going to be a wild ride!! Mark Eich, Principal Information Security Services Group *** (612)


Download ppt "Cyber Crime Trends A “State of the Union”."

Similar presentations


Ads by Google