EMERGING CYBER RISKS FACING FINANCIAL SERVICES Presented by The Risk Management Group.

Presentation transcript:


Scope
– Cybercrime explained
– Key implications for financial services
– A short Cyber Security overview
– Conclusions
– Q&A

Risk in one simple image
[Diagram linking threat factors, threat agents, vulnerabilities, controls, risks and assets, with the relationship labels: exploit, lead to, impact, designed to correct, so as to reduce and protect.]

Cybercrime is…
1. …committed via the Internet when…
2. …the target is digital material on a connected device, or…
3. …the aim is to disrupt systems or services.

Cyber threats
[Diagram labels: PC viruses, Key-loggers, Worm, Rootkits, MSDOS virus, Spyware, Phishing, DoS, DDoS, Spam, Session hijack, SQL Worm, Large Botnet virus, SQL injection, XSS virus, Cloud attack, Cyber weapon, Malnet, APT, War dialling, Digit grabbers, Man-in-middle]
The 1980s threats are still challenges today, but attackers' sophistication is increasing.

Threat actors
– Hackers
– Malware developers
– Anarchists
– Negligent employees
– Spies
– Fraudsters and organised criminals
– Plus many others…

Cybercrime is evolving
– From one-to-one
– Through one-to-many
– To many-to-one
– Plus hybrid, multi-stage attacks

Case study: attack timeline (Source: Mandiant)
Timeline markers: Day 1, Day 32, Day 34, Day 37, Day 38, Day 39, Day 41
Attacker actions shown:
– Attacker installs malware on target machines & creates backdoor
– Attacker installs new malware via backdoor
– Attacker pushes Day 1 malware to new systems
– Attacker pushes Day 34 malware to new systems
– Attacker exfiltrates empty directories
Victim actions shown:
– Victim removes data from known compromised systems
– Victim removes malware

Malware is a key vector
[Diagram: Attacker, Infected Website, User; infection paths labelled "User action required" and "Automatically".]

Selected examples

Rootkits

Rootkits
[Layer diagram: Applications (Word, Outlook, Explorer, games etc.); Data (Docs, contacts, saved game files...); Operating System (Windows, Mac OS...)]
Rootkits attack the lowest level of the operating system so that they execute on start up and avoid detection.

DOGMA Millions Rootkit
– Offers payment to partners who download their App. Similar model to Google toolbar etc.
– Then offers crime-as-a-service.
[Diagram: User, payments ($), dogmamillions.com]

Spyware

Spyware
Sits on infected device and captures:
– Passwords and usernames
– Visited URLs
– Keystrokes
– Credit card and bank details
– Other personal data
May also change device settings
Can turn off Firewall and Anti-virus

Keylogger software This particular Keylogger needs to be installed directly on the target machine

SerialGhost key logger

KeyGrabber hardware

Pwn Plug hacking tool
– Network hacking toolkit
– With inbuilt WiFi
– Remote command and control
Would your users or security staff remove this if they saw it?

DDoS

Flooding example
[Diagram: SYN Packet, SYN-ACK Packet, Final ACK Packet (not sent)]
1. Attacker sends communication requests
2. Targeted device responds & assigns capacity to deal with the expected traffic
3. Final ACK Packet is not sent and process is repeated in high volume, flooding the target with incomplete requests.
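A defender-side view of the flooding steps above, as an added example that is not part of the original slides: it counts handshakes that received a SYN but never the final ACK. The packet records are constructed sample data, and the 1-second timeout and alert threshold of 100 are illustrative assumptions.

```python
from collections import Counter

def build_sample():
    """Constructed capture: (time_s, client_ip, client_port, flag) as seen by the server."""
    # One normal client: SYN, then the final ACK that completes the handshake.
    packets = [(0.0, "198.51.100.7", 40000, "SYN"),
               (0.1, "198.51.100.7", 40000, "ACK")]
    # 200 SYNs from 50 documentation-range addresses; no final ACK ever follows.
    for i in range(200):
        packets.append((0.2 + i * 0.001, f"203.0.113.{i % 50}", 1024 + i, "SYN"))
    return packets

def half_open(packets):
    """Map each (ip, port) that sent a SYN but no final ACK to its SYN time."""
    pending = {}
    for ts, ip, port, flag in packets:
        if flag == "SYN":
            pending[(ip, port)] = ts       # server now holds capacity for this request
        elif flag == "ACK":
            pending.pop((ip, port), None)  # handshake completed, no longer half-open
    return pending

def assess(packets, now, timeout=1.0, threshold=100):
    """Report handshakes still incomplete after `timeout` seconds and whether to alert."""
    stale = [key for key, ts in half_open(packets).items() if now - ts >= timeout]
    sources = Counter(ip for ip, _ in stale)
    return {"stale_half_open": len(stale),
            "distinct_sources": len(sources),
            "alert": len(stale) >= threshold}

if __name__ == "__main__":
    print(assess(build_sample(), now=5.0))
```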

Distributed denial of service
[Diagram: Botnet Herder or Agitator; Command & Control; Infected network of Bot machines or volunteers; Multiple attacks; Target(s)]

The Low Orbit Ion Cannon
The Low Orbit Ion Cannon is an open source application designed to launch what is known as a denial of service attack. It does this by flooding a target server with messages. The Met Police report 34,000 UK downloads in only 3 days during the 2012 attacks on the US financial services sector and videos can be found on YouTube that provide lessons in how to use the tool.

Code Injection

Injection - extraction
[Diagram labels: Attacker; Insecure web form (e.g.); SQL Commands injected via the form; Vulnerable Web server exploited; Password or PCI databases compromised; Stolen data extracted]

Code injection example
Over several months in early 2011 hackers:
– executed a series of successful SQL Code Injection attacks against the servers of Sony Online Entertainment (SOE)
– reportedly exposed the personal data of 100m SOE customers
– cost SOE $178 million in the process (mainly lost business through downtime)
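The insecure-form path from the "Injection - extraction" slide, shown as an added example that is not part of the original slides: the same lookup written with string-built SQL and with a bound parameter. The table, column names, account rows and form input are all constructed for illustration.

```python
import sqlite3

# Constructed form input of the kind an insecure web form would pass through.
FORM_INPUT = "x' OR '1'='1"

def make_db():
    """In-memory database with constructed account rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password_hash TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")])
    return db

def lookup_vulnerable(db, username):
    # Weak: form input is pasted into the SQL text, so it can change the
    # structure of the query rather than just supply a value.
    sql = ("SELECT username, password_hash FROM accounts "
           "WHERE username = '%s'" % username)
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username):
    # Hardened: the SQL text is fixed and the input is bound as a value only.
    sql = "SELECT username, password_hash FROM accounts WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("string-built:", len(lookup_vulnerable(db, FORM_INPUT)), "rows returned")
    print("parameterized:", len(lookup_parameterized(db, FORM_INPUT)), "rows returned")
```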

Man-in-the-Middle

Definition
1. You wish to send me a message.
2. John manages to convince you that he is actually me… He also convinces me that he is actually you.
3. You now innocently send your message to John, thinking he is me. John takes a copy or alters the message and then sends it on to me. John is the man-in-the-middle.
[Diagram: You, John, Me]

Man-in-the-Middle The equipment to attack Wireless (WiFi) networks can be purchased online

Cyber Weapons

Cyber weapon examples
Flame & Stuxnet:
– Adapted to attack Iran's nuclear programme
– Flame designed to collect target data
– Stuxnet designed to attack SCADA systems
Shamoon (2012)
– Attacked PCs on Saudi Aramco network
– 30,000 PCs had to be written off
The Low Orbit Ion Cannon…

Drop, Report & Wipe
1. Drop: the malware is dropped onto the target machine.
2. Report: the malware executes its payload and the extracted data is sent to the attacker.
3. Wipe: the malware eventually wipes itself off the machine, hiding the evidence of its activities (may persist for an extended period before wiping).

Common APT vectors
Advanced Persistent Threats:
– Internet-based malware infection
– Physical malware infection
– External exploitation/hacking
Internet Malware Infections
– Drive-by downloads
– attachments
– File sharing
– Pirated software
– DNS routing mods
Physical Malware Infections
– Infected USB sticks
– Infected DVDs or CDs
– Infected memory cards
– Infected appliances
– Back-doored IT equipment
External exploitation
– Professional hacking
– Co-location host exploits
– Cloud provider penetration
– WiFi penetration
– Device attacks

Insider Threats
– Rogue employee
– Malicious sub-contractor
– Social engineering
– Funded placement
– Criminal break-in
– Walk in
Trusted connections
– Stolen VPN credentials
– Partner system breaches
– External hosting breaches
– Grey market equipment

Malnets

Simple Malnet
[Diagram: Malicious server; Infected sites; Innocent users]

Real Malnets
A Malnet is comprised of unique domains, servers and websites working together to funnel users to the Malware payload. This visual map, produced by Blue Coat, shows the relationships between trusted sites, relays and exploit servers to which users are directed.

The Blackhole Exploit Kit
– Currently the most prevalent web threat (Q % of all web threats detected by Sophos and 91% by AVG are due to Blackhole
– Delivers a malicious payload to a victim's computer
– Suspected creators are Russian hackers named "HodLuM" and "Paunch"

How Blackhole works
Attacker buys the kit & specifies the attack options.
Victim:
– Loads a compromised web page or;
– Opens a malicious link in a spammed Malformed page or sends user to a Blackhole landing page.
Landing page contains code that determines what is on the victim's computers and loads all exploits to which it is vulnerable.

Key implications for Firms
Data integrity and compliance:
– Data protection
– PCI
– Corporate data
Fraud & other financial risks
Reputation & public trust
Legal liability
Operational sustainability

Key controls
The perimeter:
– Firewalls
– Intrusion detection
– Antivirus
Cloud and Social Media security
Device security and BYOD management
Data classification & encryption
User awareness

Conclusion
[Diagram: Threat factors, Threat agents, Vulnerabilities, Controls, Risks, Assets]
User awareness is the most important governing factor at all points in the chain of cause and effect.

Q&A

The CISI would like to thank Mark Johnson, Chairman, The Risk Management Group
