Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cyber Crime Trends A “State of the Union”.

Published byGeorgina Hines Modified over 9 years ago

Similar presentations

Presentation on theme: "Cyber Crime Trends A “State of the Union”."— Presentation transcript:

1 Cyber Crime Trends A “State of the Union”

2 Mark A. Eich, CPA, CISA Mark Eich is the Managing Principal of the Information Security Services Group at CliftonLarsonAllen. He has over 26 years’ experience in auditing and technology consulting and has actively led many IT audits and security assessments for clients in a range of industries

3 Themes Hackers have “monetized” their activity
More hacking More sophistication More “hands-on” effort Smaller organizations targeted Social engineering on the rise Hackers targeting businesses more than banks

4 Mitigation Themes Employees that are aware and savvy
Networks resistant to malware Relationships with banks maximized

5 Three Largest Trends Organized Crime
Wholesale theft of personal financial information Payment Fraud – Corporate Account Takeover Use of online credentials for ACH, CC and wire fraud Ransomware CryptoLocker Sans: Data from over 6,000 Intrusion Prevention Systems Data from over 9,000,000 systems (Qualys scans) Trustwave: Analysis of 200 investigations Analysis of 1,800 penetration tests

6 Theft of PFI Target Neiman Marcus University of Maryland
University of Indiana Olmested Medical Center Etc etc etc………… Main street hardware store??

7 Corporate Account Takeover
Catholic church parish Hospice Collection agency Main Street newspaper stand Electrical contractor Health care trade association Rural hospital Mining company On and on and on and on……………..

8 Ransomware Malware encrypts everything it can interact with
i.e. anything the infected user has access to CryptoLocker Kovter Also displays and adds child pornography images

9 Ransomware May 20, 2014 – Ransomware attacks doubled in last month (7,000 to 15,000)

10 Ransomware Zip file is preferred delivery method
Helps evade virus protection Working (tested) backups are key

11 The Cost? Norton/Symantec Corp:
Cost of global cybercrime: $388 billion Global black market in marijuana, cocaine and heroin combined: $288 billion Hackers are lazy - go for the “easy money” Bank customers are much easier targets than the banks themselves Norton/Symantec (Norton Study Calculates Cost of Global Cybercrime_ $114 Billion Annually.pdf): Symantec Corp. (Nasdaq: SYMC) For the first time a Norton study calculates the cost of global cybercrime: $114 billion annually1. Based on the value victims surveyed placed on time lost due to their cybercrime experiences, an additional $274 billion was lost2. With 431 million adult victims globally in the past year and at an annual price of $388 billion globally based on financial losses and time lost, cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion). Ponemon study: PoneMon-2011_US_CODB_FINAL_5.pdf Ponemon study: PoneMon-2012_Business_Banking_Trust_Trends_FINAL14.pdf

12 Two Security Threat Reports
Intrusion Analysis: TrustWave January 2010 and April 2011 Intrusion Analysis: Verizon Business Services July 2010 and April 2011 Sans: Outside  In attempts Data from over 6,000 Intrusion Prevention Systems Data from over 9,000,000 systems (Qualys scans) Trustwave: Successful breach analysis (PCI related) Analysis of 200 investigations Analysis of 1,800 penetration tests Verizon: Successful breach analysis (in conjunction with secret service)

13 TrustWave – Intrusion Analysis Report
Top Methods of Entry Included: Top Methods of Entry Included: Remote Access Applications [45%] Default vendor supplied or weak passwords [90%] 3rd Party Connections [42%] MPLS, ATM, frame relay SQL Injection [6%] Web application compromises [90%] Exposed Services [4%]

14 Verizon Data Breach Analysis

15 How do hackers and fraudsters break in?
Social Engineering Phishing “Spear Phishing” On-line banking trojans Back to the Future: pre-text phone calls Posing as a vendor Posing as staff (someone in IT, HR, Administration…) Posing as student/alumni/donor spear Phishing Attacks to harvest credentials Attacks to compromise the workstation Click here to claim your winnings The online survey from the HR department Install this critical software update

16 The Fine Art of “People Hacking”
“Amateurs hack systems, professionals hack people.” Bruce Schneier Social Engineering uses non-technical attacks to gain information or access to technical systems Pre-text telephone calls Building penetration Seeding attacks Back to the Future: pre-text phone calls Posing as a vendor Posing as staff (someone in IT, HR, Administration…) Posing as student/alumni/donor spear Phishing Attacks to harvest credentials Attacks to compromise the workstation Click here to claim your winnings The online survey from the HR department Install this critical software update

17 Spear Phishing “Second Generation” phishing
Goal is to “root the network” Install malware Log system activity to harvest passwords Use automated tools to execute fraudulent payments Trick users into supplying credentials (passwords)

18 Spear Phishing Success Factors
With so much money at stake hackers are putting in more effort to increase the likelihood that the ed link will be followed: “Spoof” the to appear that it comes from someone in authority Create a customized text that combines with the spoofing to create pressure to act quickly (without thinking)

19 Email Phishing – Targeted Attack
Randall J. Romes Two or Three tell-tale signs Can you find them?

20 10 Key Defensive Measures
Training Your Employees is Critical (but not easy)

21 Strategies Our information security strategy should have the following objectives: Users who are more aware and savvy Networks that are resistant to malware Relationship with our FI is maximized

22 Ten Keys to Mitigate Risk
Strong Policies - use Website links Removable media Users vs Admin Insurance We are seeing a lot of clients with Policies geared towards Privicy rule. Not enough on the Security Rule. We are also seeing many clients that have not properly documented why they are not implementing Addressable Rules Vendors often have full/pervasive access with few controls or monitoring enforced on them

23 Ten Keys to Mitigate Risk
2. Defined user access roles and permissions Principal of minimum access and least privilege Users should NOT have system administrator rights “Local Admin” in Windows should be removed (if practical) We are seeing a lot of clients with Policies geared towards Privicy rule. Not enough on the Security Rule. We are also seeing many clients that have not properly documented why they are not implementing Addressable Rules Vendors often have full/pervasive access with few controls or monitoring enforced on them

24 Ten Keys to Mitigate Risk
Hardened internal systems (end points) Hardening checklists Turn off unneeded services Change default password Use Strong Passwords (see tip next slide) Encryption strategy – data centered Laptops and desktops Thumb drives enabled cell phones Mobile media

25 Ten Keys to Mitigate Risk
Vulnerability management process Operating system patches Application patches Testing to validate effectiveness – “belt and suspenders”

26 Ten Keys to Mitigate Risk
Well defined perimeter security layers: Network segments gateway/filter Firewall – “Proxy” integration for traffic in AND out Intrusion Detection/Prevention for network traffic, Internet facing hosts, AND workstations (end points) Centralized audit logging, analysis, and automated alerting capabilities Routing infrastructure Network authentication Servers Applications

27 Ten Keys to Mitigate Risk
Defined incident response plan and procedures Be prepared Including data leakage prevention and monitoring Forensic preparedness

28 Ten Keys to Mitigate Risk
Know / use Online Banking Tools Multi-factor authentication Dual control / verification Out of band verification / call back thresholds ACH positive pay ACH blocks and filters Review contracts relative to all these Monitor account activity daily Isolate the PC used for wires/ACH

29 Ten Keys to Mitigate Risk
10. Test, Test, Test “Belt and suspenders” approach Penetration testing Internal and external Social engineering testing Simulate spear phishing Application testing Test the tools with your bank Test internal processes

30 Information Security Services Group
Questions? Hang on, it’s going to be a wild ride!! Mark Eich, Principal Information Security Services Group *** (612)

Download ppt "Cyber Crime Trends A “State of the Union”."

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
Welcome James B. Underhill, CFP ® Financial Planner Underhill Financial Advisors, LLC 3146 N. Swan Rd Tucson, AZ 85712 Office: (520) 795-2950

Welcome James B. Underhill, CFP ® Financial Planner Underhill Financial Advisors, LLC 3146 N. Swan Rd Tucson, AZ Office: (520)
Current Security Threats WMO CBS ET-CTS Toulouse, France 26-30 May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Cyber X-Force-SMS alert system for E-mail threats.

Cyber X-Force-SMS alert system for threats.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Payment Fraud Trends : What Can you do? Protect Yourself and Your Business from Financial Fraud.

Payment Fraud Trends : What Can you do? Protect Yourself and Your Business from Financial Fraud.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
©2013 CliftonLarsonAllen LLP CLAconnect.com See CLA PowerPoint User Guide for instructions to insert an image or change the icon on the business card.

©2013 CliftonLarsonAllen LLP CLAconnect.com See CLA PowerPoint User Guide for instructions to insert an image or change the icon on the business card.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.

Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.
Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.

Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Chapter 2 Information Security Overview The Executive Guide to Information Security manual.

Chapter 2 Information Security Overview The Executive Guide to Information Security manual.
Securing Information Systems

Securing Information Systems

Similar presentations

Ads by Google