We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byGeorgina Hines
Modified about 1 year ago
©2014 CliftonLarsonAllen LLP CLAconnect.com See CLA PowerPoint User Guide for instructions to insert an image or change the icon on the business card. Find it at the bottom of the myCLA / Firm Resources / Materials / Templates page. See CLA PowerPoint User Guide for instructions to insert an image or change the icon on the business card. Find it at the bottom of the myCLA / Firm Resources / Materials / Templates page. Cyber Crime Trends A “State of the Union”
©2014 CliftonLarsonAllen LLP Mark A. Eich, CPA, CISA Mark Eich is the Managing Principal of the Information Security Services Group at CliftonLarsonAllen. He has over 26 years’ experience in auditing and technology consulting and has actively led many IT audits and security assessments for clients in a range of industries 2
©2014 CliftonLarsonAllen LLP Themes Hackers have “monetized” their activity –More hacking –More sophistication –More “hands-on” effort –Smaller organizations targeted Social engineering on the rise Hackers targeting businesses more than banks 3
©2014 CliftonLarsonAllen LLP Mitigation Themes Employees that are aware and savvy Networks resistant to malware Relationships with banks maximized 4
©2014 CliftonLarsonAllen LLP Three Largest Trends Organized Crime –Wholesale theft of personal financial information Payment Fraud – Corporate Account Takeover –Use of online credentials for ACH, CC and wire fraud Ransomware –CryptoLocker 5
©2014 CliftonLarsonAllen LLP Theft of PFI Target Neiman Marcus University of Maryland University of Indiana Olmested Medical Center Etc etc etc………… Main street hardware store?? 6
©2014 CliftonLarsonAllen LLP Catholic church parish Hospice Collection agency Main Street newspaper stand Electrical contractor Health care trade association Rural hospital Mining company On and on and on and on…………….. Corporate Account Takeover 7
©2014 CliftonLarsonAllen LLP Ransomware Malware encrypts everything it can interact with –i.e. anything the infected user has access to CryptoLocker Kovter –Also displays and adds child pornography images 8
©2014 CliftonLarsonAllen LLP Ransomware May 20, 2014 – Ransomware attacks doubled in last month (7,000 to 15,000) cryptolocker-goes-spear-phishing-infections-soar- warns-knowbe4-a html 9
©2014 CliftonLarsonAllen LLP Ransomware Zip file is preferred delivery method –Helps evade virus protection Working (tested) backups are key 10
©2014 CliftonLarsonAllen LLP The Cost? Norton/Symantec Corp: Cost of global cybercrime: $388 billion Global black market in marijuana, cocaine and heroin combined: $288 billion Hackers are lazy - go for the “easy money” Bank customers are much easier targets than the banks themselves 11
©2014 CliftonLarsonAllen LLP Two Security Threat Reports Intrusion Analysis: TrustWave –January 2010 and April 2011 –https://www.trustwave.com/GSRhttps://www.trustwave.com/GSR Intrusion Analysis: Verizon Business Services –July 2010 and April 2011 –http://securityblog.verizonbusiness.com/2011/04/19/201 1-data-breach-investigations-report-released/http://securityblog.verizonbusiness.com/2011/04/19/201 1-data-breach-investigations-report-released/ 12
©2014 CliftonLarsonAllen LLP TrustWave – Intrusion Analysis Report Top Methods of Entry Included: Remote Access Applications [45%] Default vendor supplied or weak passwords [90%] 3 rd Party Connections [42%] – MPLS, ATM, frame relay SQL Injection [6%] – Web application compromises [90%] Exposed Services [4%] 13
©2014 CliftonLarsonAllen LLP Verizon Data Breach Analysis 14
©2014 CliftonLarsonAllen LLP Social Engineering Phishing –“Spear Phishing” On-line banking trojans How do hackers and fraudsters break in? 15
©2014 CliftonLarsonAllen LLP The Fine Art of “People Hacking” “Amateurs hack systems, professionals hack people.” Bruce Schneier Social Engineering uses non-technical attacks to gain information or access to technical systems –Pre-text telephone calls –Building penetration ◊ Seeding – attacks 16
©2014 CliftonLarsonAllen LLP Spear Phishing “Second Generation” phishing Goal is to “root the network” Install malware Log system activity to harvest passwords Use automated tools to execute fraudulent payments Trick users into supplying credentials (passwords) 17
©2014 CliftonLarsonAllen LLP Spear Phishing Success Factors With so much money at stake hackers are putting in more effort to increase the likelihood that the ed link will be followed: –“Spoof” the to appear that it comes from someone in authority –Create a customized text that combines with the spoofing to create pressure to act quickly (without thinking) 18
©2014 CliftonLarsonAllen LLP Phishing – Targeted Attack Randall J. Romes Two or Three tell- tale signs Can you find them? 19
©2014 CliftonLarsonAllen LLP CLAconnect.com See CLA PowerPoint User Guide for instructions to insert an image or change the icon on the business card. Find it at the bottom of the myCLA / Firm Resources / Materials / Templates page. See CLA PowerPoint User Guide for instructions to insert an image or change the icon on the business card. Find it at the bottom of the myCLA / Firm Resources / Materials / Templates page. 10 Key Defensive Measures Training Your Employees is Critical (but not easy)
©2014 CliftonLarsonAllen LLP Strategies Our information security strategy should have the following objectives: Users who are more aware and savvy Networks that are resistant to malware Relationship with our FI is maximized 21
©2014 CliftonLarsonAllen LLP 1.Strong Policies - use Website links Removable media Users vs Admin Insurance Ten Keys to Mitigate Risk 22
©2014 CliftonLarsonAllen LLP Ten Keys to Mitigate Risk 2. Defined user access roles and permissions Principal of minimum access and least privilege Users should NOT have system administrator rights “Local Admin” in Windows should be removed (if practical) 23
©2014 CliftonLarsonAllen LLP Ten Keys to Mitigate Risk 3.Hardened internal systems (end points) Hardening checklists Turn off unneeded services Change default password Use Strong Passwords (see tip next slide) 4.Encryption strategy – data centered Laptops and desktops Thumb drives enabled cell phones Mobile media 24
©2014 CliftonLarsonAllen LLP Ten Keys to Mitigate Risk 5.Vulnerability management process Operating system patches Application patches Testing to validate effectiveness – “belt and suspenders” 25
©2014 CliftonLarsonAllen LLP Ten Keys to Mitigate Risk 6.Well defined perimeter security layers: Network segments gateway/filter Firewall – “Proxy” integration for traffic in AND out Intrusion Detection/Prevention for network traffic, Internet facing hosts, AND workstations (end points) 7.Centralized audit logging, analysis, and automated alerting capabilities Routing infrastructure Network authentication Servers Applications 26
©2014 CliftonLarsonAllen LLP Ten Keys to Mitigate Risk 8.Defined incident response plan and procedures Be prepared Including data leakage prevention and monitoring Forensic preparedness 27
©2014 CliftonLarsonAllen LLP Ten Keys to Mitigate Risk 9.Know / use Online Banking Tools Multi-factor authentication Dual control / verification Out of band verification / call back thresholds ACH positive pay ACH blocks and filters Review contracts relative to all these Monitor account activity daily Isolate the PC used for wires/ACH 28
©2014 CliftonLarsonAllen LLP 10. Test, Test, Test –“Belt and suspenders” approach –Penetration testing ◊ Internal and external –Social engineering testing ◊ Simulate spear phishing –Application testing ◊ Test the tools with your bank ◊ Test internal processes Ten Keys to Mitigate Risk 29
©2014 CliftonLarsonAllen LLP Questions? Hang on, it’s going to be a wild ride!! Mark Eich, Principal Information Security Services Group *** (612)
©2014 CliftonLarsonAllen LLP CLAconnect.com Cyber Crime Trends.
©2014 CliftonLarsonAllen LLP CLAconnect.com See CLA PowerPoint User Guide for instructions to insert an image or change the icon on the business card.
Welcome James B. Underhill, CFP ® Financial Planner Underhill Financial Advisors, LLC 3146 N. Swan Rd Tucson, AZ Office: (520)
UNDERSTANDING THE RISKS & CHALLENGES OF Cyber Security DAVID NIMMO InDepth IT Solutions DAVID HIGGINS WatchGuard NEIL PARKER BridgePoint Group A BridgePoint.
© 2009 IDBI Intech, Inc. All rights reserved.IDBI Intech Confidential 1 Information (Data) Security & Risk Mitigation.
Small Business Security Keith Slagle April 24, 2007.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.
©2013 CliftonLarsonAllen LLP CLAconnect.com See CLA PowerPoint User Guide for instructions to insert an image or change the icon on the business card.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
By: Matt Winkeler. PCI – Payment Card Industry DSS – Data Security Standard PAN – Primary Account Number.
Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Cyber X-Force-SMS alert system for threats.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite Alessandro Braccia, DBA Sistemi.
Confidential On-line Banking Risks & Countermeasures By Vishal Salvi – CISO HDFC Bank IBA Banking Security Summit 2009.
CHAPTER 8 Securing Information Systems. System Vulnerability Security (policies, procedures, technical measures) and controls (methods, policies, procedures)
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Payment Fraud Trends : What Can you do? Protect Yourself and Your Business from Financial Fraud.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Mark Shtern. Our life depends on computer systems Traffic control Banking Medical equipment Internet Social networks Growing number of.
Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Proprietary and Confidential Don’t be the Next Cyber Crime Statistic C. Kevin deBrucky, Vice President PINACLE ® Security Manager.
Chapter 2 Information Security Overview The Executive Guide to Information Security manual.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
1 CUNA Mutual Group Proprietary Reproduction, Adaptation or Distribution Prohibited © CUNA Mutual Group 2010 Alaska Credit Union League Annual Meeting.
© ITT Educational Services, Inc. All rights reserved. IS3220 Information Technology Infrastructure Security Unit 10 Network Security Management.
Cyber crime on the rise. Recent cyber attacks How it happens? Distributed denial of service Whaling Rootkits Keyloggers Trojan horses Botnets Worms Viruses.
CS101 Lecture 14 Security. Network = Security Risks The majority of the bad things that can be done deliberately to you or your computer happen when you.
Managing A Secure Infrastructure – Tales From the Trenches November 6, 2003.
“Assuring Reliable and Secure IT Services”. IT Redundancy: Its Value How much reliability to buy? Customer Service impacted as a result of 15 minutes.
Business Computing 550 Lesson 6. 2 Security Threats on Web Sites Issues and vulnerabilities 1.Illegal Access and Use (Hacking the system or users exposing.
Cyber Security—What you should know before it’s too late! T Jay Humphries and Trevor O’Donnal.
SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #
Palindrome Technologies all rights reserved © 2016 – PG: Palindrome Technologies all rights reserved © 2016 – PG: 1 Peter Thermos President & CTO Tel:
12 Steps to Cloud Security A guide to securing your Cloud Deployment Vishnu Vettrivel Principal Engineering Lead,
Managing Data Against Insider Threats Dr. John D. Johnson, CISSP.
INADEQUATE SECURITY POLICIES ›Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
System and Network Security Practices COEN 351 E-Commerce Security.
Lecture 19 Page 1 CS 236 Online Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
GSHRM CONFERENCE CYBER SECURITY EDUCATION SHRI COCKROFT, CISO PIEDMONT HEALTHCARE, INC. September 21, 2015.
Cybercrime Outlook on African banks Adwo Heintjes Global Head IT Audit & Ops Rabobank.
Blended Threats and Layered Defenses Security Protection in Today’s Environment Marshall Taylor
© 2017 SlidePlayer.com Inc. All rights reserved.