Post on 11-May-2018
EMEA COMPLIANCE SUMMIT 2017 Cyber Security Landscape
Magda Mielcarz, EMEA Head of Channel and Enterprise Services, Treasury and Trade Solutions, Citi
David Rose, Security and CitiDirect BE EMEA Product Manager, Treasury and Trade Solutions, Citi
Citi Academy for Financial Institution Professionals | 4 – 5 April 2017
Cyber Security – Threats and Impact
Cyber attackers increasingly target institutions to steal money and data, exploiting technology and people/process failures.
Cyber “Insecurity” is Impacting Institutions (1)
[Figure: attack methodologies, grouped as Human Effect, Human + Technology, and Technology]
1. Computer Weekly; “Cyber crime is a threat to global economy, says researcher”; February 2015.
2. McAfee; “Net Losses: Estimating the Global Cost of Cybercrime”; June 2014.
Payment Fraud – Trend
US wire fraud is increasing while check fraud is decreasing.
[Chart: checks vs. wires; source: 2016 AFP Payments Fraud and Control Survey]
Industry Stats (2)
• $445 Billion: estimated global cost of cybercrime as of February 2015 (1)
• $241 Billion: combined cost to the top three global economies (2)
  • US: $116 Billion
  • China: $71 Billion
  • Germany: $54 Billion
• All others: $204 Billion
Headlines:
“US$3.1 Billion lost via Business Email Compromise (BEC) Scams”, FBI
“Bangladesh Bank Chief Resigns After Cyber Theft of $81 Million”, NY Times
“Union Bank reports cyber breach on offshore account”, Times of India
“Ecuador bank hack saw $9m stolen …”, International Business Times
The Changing Information Security Threat Landscape
The volume and sophistication of threats is increasing. Whereas criminals only need to succeed once, institutions cannot afford one failure.
Key Trends
• Multi-vector attacks
• Targeted victims
• Sophisticated tools
• Persistence / long-term outlook
• Impersonation
• Business Email Compromise
Cyber Threat Actors
Nation-state
• Sophisticated actors
• Targeting trade secrets, sensitive information
• Supporting national interests
Cyber Crime
• Financially motivated
• Frequent use of social engineering
Terrorism
• Politically or ideologically motivated
• Goal is to instill fear
• Attacks often destructive
Hacktivism
• Advancement of a social or political agenda
• Attacks often disruptive
Insider
• Motivations vary, including fraud, revenge, desire for destruction
• Access is often authorized, making detection hard
Malware – A Prominent Threat in the Financial Industry
Malware attacks are among the most prevalent cyber threats faced by financial institutions today.

What is Malware?
Malware is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Malware is mostly used against financial institutions to compromise passwords and gain confidential information such as bank or credit card numbers.
Malware attacks can target high value transactions such as money flows, often in conjunction with Social Engineering, Man-in-the-Middle, Man-in-the-Browser and other attack vectors.

Malware by Type (1)
• Trojans: 76.05%
• Other: 14.53%
• Adware/Spyware: 5.17%
• Worms: 2.57%
• Viruses: 1.68%
Trojans are the most common: malicious programs disguised as something normal that users may unwittingly install.

Method of Infection (2)
• E-Mail Attachment: 39.9%
• E-Mail Link: 37.4%
• Web Drive-By: 16.6%
• Direct Install: 3.6%
• Download by Malware: 2.8%
• Web Download: 2.2%
• Remote Injection: 1.9%
• Network Propagation: 0.3%

1. PandaLabs Report Q1 2015
2. 2015 Verizon Data Breach Investigations Report
Security Ecosystem - Internal and External Interactions
Fraud prevention requires controls and partnership.
[Diagram: interactions between the Client, Financial Centers and Flows, Banks, Other Parts of the Corporation, Information Security and Technology, Suppliers, and Vendors Performing Financial Outsource Functions; internal interactions are distinguished from external ones]
Citi is facing a must-win battle against sophisticated cyber adversaries. The mission of Citi Global Information Security is to prevent, detect, respond to, and recover from cyber attacks. Citi does this by implementing an intelligence-led strategy to protect the firm’s data, assets, people, and reputation.

Intelligence-Led Information Security
A business model and managerial philosophy where analysis and intelligence are pivotal to an objective, decision-making framework that facilitates information protection through effective implementation of strategies that target prolific and serious threat actors and their methods.

Citi’s Intelligence-Led Information Security Investment Pillars
• Developing information sharing platforms, intelligence products, and operational playbooks that inform executive action and decision-making
• Deploying innovative technologies that enhance safety and security
• Transforming our workforce by investing in top-level cyber intelligence, IS talent, and leaders from the private and public sectors, and academia
• Implementing leading management practices and initiatives to maximize collaboration, learning, and innovation across functional areas
Cyber Security Fusion Center Mission
Citi’s Cyber Security Fusion Center (CSFC) is an intelligence-led organization that unifies Citi’s efforts to prevent, detect, respond to, and recover from cyber-attacks. Through a culture of collaboration, the CSFC fuses intelligence from a variety of sources to prevent attacks, reduce risk, and support executive decision-making.
Strategic Objectives
• Prevent and detect cyber-attacks against Citi, its customers, and critical partners
• Reduce Citi’s vulnerability and risk to cyber-attacks
• Minimize damage and attacks through an effective and efficient response effort
• Drive a learning organization to action
Developing a Strategic Defence
Creating a layered defense utilizing security best practices from the industry, Financial Market Utilities (e.g. SWIFT) & law enforcement (e.g. FBI).
[Matrix: People / Process / Technology columns against Protect / Detect / Respond rows]
Protect
• People: Staff Segregation of Duties; Background Verifications
• Process: Identity and Access Management; Vendor Management; Data Protection
• Technology: Device/Software Controls; Perimeter/Network Security; Secure/Authorized Connectivity
Detect
• People: Staff Training
• Process: Audits; Reconciliations
• Technology: Network Monitoring; Vulnerability Assessment
Respond
• People: Response and Escalation
• Process: Security Incident Management; Investigation and Insurance
• Technology: Contingency; Testing
Checklist – Protect
People
Staff Segregation of Duties
• Mandatory absence for staff with financial responsibilities
• Divide responsibilities so one person cannot dominate a transaction
Background Verifications
• Ensure hiring procedures include reference checks, background screening
• Third-party employee due diligence
Process
Identity and Access Management
• Centralized identity administration
• Privileged user managed access
Vendor Management
• Reviewing end-to-end payments processes
• All third-parties meet internal Information Security and Risk requirements
• Third-Party Information Security Assessment process
Data Protection
• Limit access to sensitive or confidential data
• Data retention, storage, and privacy policy
• Account controls and segregation
Technology
Device/Software Controls
• Anti-Malware and Anti-Virus protection
• Timely update of patches, upgrades to software including SWIFT applications
• Secure Software Development including source code review
• Access and Entitlements Management
Perimeter/Network Security
• Firewalls
• Denial of Service protection
Secure/Authorized Connectivity
• Multi-Factor Authentication
• Secure connectivity between third-parties (including FMUs) with firewalls and encryption
Preventive measures and best practices can help balance risk and add value.
* These best practices are not limited to the suggested preventative measures listed here and are meant to illustrate ways to help increase controls against fraud.
Checklist – Detect
People
Staff Training
• Promote periodic internal training on cyber threats and fraud awareness
• Periodic and surprise staff awareness/testing on ability to recognize common threats
• Contact Security or Fraud representative upon suspicious activity
Process
Audits
• Periodic reviews and audits
Reconciliations
• Daily reconciliation to identify fraud
• Regular review of transaction reports and dashboards
Technology
Network Monitoring
• Intrusion Detection (e.g. 24/7 monitoring of network traffic for abnormalities)
• Anti-Phishing Controls (e.g. filtering e-mails and proxying hyperlinks)
• Data Leakage Protection (e.g. content monitoring of traffic leaving the firm)
Vulnerability Assessment
• Ethical hack to proactively identify/remediate weaknesses
Proactive measures to detect potential fraudulent activity can help mitigate transaction level risks.
* These best practices are not limited to the suggested preventative measures listed here and are meant to illustrate ways to help increase controls against fraud.
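The "daily reconciliation to identify fraud" item is the control that catches a payment instruction which reached the financial network without passing the bank's own authorisation step. The Python below is an added example, not code from the Citi deck or from any Citi system: it compares a constructed ledger of authorised instructions against a constructed outbound network log and reports instructions that are unauthorised, altered in flight, replayed or never sent, plus the value at risk per currency. Field names, payment references, accounts and amounts are all constructed for the example.

```python
"""Daily reconciliation of authorised payment instructions against the
outbound network log. Added example; records and field names are constructed."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class Instruction:
    ref: str                  # bank's own payment reference
    amount: Decimal
    currency: str
    beneficiary_account: str
    beneficiary_country: str


# Constructed sample: instructions that passed the bank's authorisation workflow today.
LEDGER: List[Instruction] = [
    Instruction("PAY-1001", Decimal("250000.00"), "USD", "ACC-111", "GB"),
    Instruction("PAY-1002", Decimal("12000.00"), "EUR", "ACC-222", "DE"),
    Instruction("PAY-1003", Decimal("98000.00"), "USD", "ACC-333", "US"),
]

# Constructed sample: the outbound message log, i.e. what actually left for the
# network. PAY-1002 was altered before sending, PAY-1003 never left, and
# PAY-9999 has no authorised ledger entry at all.
NETWORK_LOG: List[Instruction] = [
    Instruction("PAY-1001", Decimal("250000.00"), "USD", "ACC-111", "GB"),
    Instruction("PAY-1002", Decimal("1200000.00"), "EUR", "ACC-999", "PH"),
    Instruction("PAY-9999", Decimal("20000000.00"), "USD", "ACC-777", "LK"),
]


def reconcile(ledger: List[Instruction], network_log: List[Instruction]) -> Dict[str, List[str]]:
    """Group payment references by the kind of discrepancy found.

    unauthorised: sent to the network with no ledger entry
    mismatched:   ledger entry exists but amount/currency/beneficiary differ
    duplicated:   the same reference was sent more than once (possible replay)
    not_sent:     authorised but never reached the network
    """
    authorised = {item.ref: item for item in ledger}
    findings: Dict[str, List[str]] = {
        "unauthorised": [], "mismatched": [], "duplicated": [], "not_sent": []
    }
    seen = set()
    for sent in network_log:
        if sent.ref in seen:
            findings["duplicated"].append(sent.ref)
            continue
        seen.add(sent.ref)
        expected = authorised.get(sent.ref)
        if expected is None:
            findings["unauthorised"].append(sent.ref)
        elif expected != sent:            # dataclass equality compares every field
            findings["mismatched"].append(sent.ref)
    findings["not_sent"] = [ref for ref in authorised if ref not in seen]
    for key in findings:
        findings[key].sort()
    return findings


def amount_at_risk(ledger: List[Instruction], network_log: List[Instruction]) -> Dict[str, Decimal]:
    """Value per currency that went to the network without an exact, unused authorisation.

    Each ledger entry can satisfy only one network message, so a replayed copy
    counts as at risk. Currencies are kept separate rather than summed together.
    """
    authorised = {item.ref: item for item in ledger}
    consumed = set()
    totals: Dict[str, Decimal] = {}
    for sent in network_log:
        if sent.ref not in consumed and authorised.get(sent.ref) == sent:
            consumed.add(sent.ref)
        else:
            totals[sent.currency] = totals.get(sent.currency, Decimal("0")) + sent.amount
    return totals


if __name__ == "__main__":
    for kind, refs in reconcile(LEDGER, NETWORK_LOG).items():
        print(f"{kind:13s} {refs}")
    print("amount at risk:", amount_at_risk(LEDGER, NETWORK_LOG))
```

The check deliberately takes the network log as the source of truth for what left the bank, not the ledger, because an attacker who has compromised the payment environment can make the ledger look clean; a second, independently obtained record is what makes the comparison worth running.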
Checklist – Respond
People
Response and Escalation
• Issue alerts and reminders for staff to know exactly what to do in the event of an actual or potential compromise
• Ensure crisis management proficiency and other subject matter expertise
Process
Security Incident Management
• Recall processes
• Periodic tests of response plan
• External/internal communication
Investigation and Insurance
• Root cause investigation
• Timely reporting of incidents
• Insurance coverage as appropriate
Technology
Contingency
• Contingency infrastructure
Testing
• Testing of incident response for data/system breach both in-house and with critical 3rd parties
Reaction and recovery mechanisms are necessary for effective and timely risk mitigation.
Fraud Response Process Example
Detection and Impact Analysis → Communication → Investigation → Resolution
* These best practices are not limited to the suggested preventative measures listed here and are meant to illustrate ways to help increase controls against fraud.
Case Study – Compromised Bank Security Environment
The example below illustrates how hackers use a wide variety of tactics to facilitate cyber attacks.
1. Hackers research institution and identify high value targets, steal user credentials via social/professional media
2. Hackers target and compromise a Bank’s proprietary environment via malware-infected communication
3. Hackers create fraudulent payment instructions sent to Financial Network as authenticated instructions, without compromising the network
4. Hackers cover their tracks by planting malware in the Bank’s infrastructure
5. Fraudulent transactions travel on the Network via correspondent banks who forward funds to beneficiary Bank
6. Fraudulent funds are quickly disbursed via institutions/jurisdictions where investigation and recalls are difficult
Security Tips
• Cyber security training for staff
• Avoid password re-use
• Be quick to recall suspicious transactions
• Utilize a fraud management playbook
• Be vigilant and do not click on suspicious links
• Deploy anti-virus and anti-malware tools
• Deploy maker-checker for transactions and multi factor authentication
• Keep software and patches up to date
• Multiple methods of reconciliation
• Engage law enforcement
• Review insurance and other mitigations
* These best practices are not limited to the suggested preventative measures listed here and are meant to illustrate ways to help increase controls against fraud.
Anatomy of a Cyber Attack – Disrupting the Chain
A successful cyber attack involves a number of stages. Disruption at any stage may thwart an attacker.
[Diagram: attack stages from Initiate Attack through Act on Objectives, each mapped to the controls that can disrupt it. Controls named in the diagram: Data Protection Programs, Cyber Intelligence Center, Training & Awareness, Secure Email, Encryption, Intrusion Detection, Perimeter Security, Secure SDLC, Security Incident Process, Vulnerability Assessments, Security Operations Center, Vulnerability & Threat Management, Entitlement Management, Privileged User Access, ID Administration]
Citi’s Fraud Awareness Toolkit
Main Page: http://www.citi.com/treasuryandtradesolutions/fraudpreventionresources
The Fraud Risk Managers Toolkit provides best practices to tackle fraud risks, encapsulating both Social Engineering and Digital Security.
Continuous Innovation to Keep Ahead of the Threat
Citi is leveraging its global Innovation Labs to explore and develop new security solutions.
Device Security
• Malware Detection: Enable passive detection tools to identify viruses
• Information Breach: Advise clients when their private credentials are being publicly distributed by cyber criminals
Transaction Security
• Payments Risk Manager: Use data analytics tools to help identify unusual payment transactions for clients to review prior to execution by Citi
• Risk-based Authentication: Enable simpler security for low risk transactions and complex security for higher risk transactions
Biometrics
• Voice Biometrics: Evaluate technologies to enable user access via simple verification of their natural speech
• Behavioral Biometrics: Deploy passive log-in tool using client behavior (e.g. typing) that cannot be emulated by external agents
Out of Band Security
• Out of Band Authentication: Provide One-Time-Password via SMS, phone call or device application, using a channel or device separate from the primary banking channel
• Digital Signature and Transaction Approval: Secure transactions via mobile device separate from desktop banking channel
The key challenge is to balance user experience, security, and worldwide availability for Citi clients.
The above solutions are being evaluated but may or may not be rolled out in the future.
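Risk-based authentication, out-of-band authentication and the case study's "maker-checker for transactions and multi factor authentication" tip fit together in one payment-release workflow: score the transaction, require a second person for every payment, and demand an out-of-band confirmation only when the score crosses a threshold. The Python below is an added example, not Citi code and not a description of how CitiDirect BE works: the scoring weights, the threshold, the placeholder elevated-risk country list, the known-beneficiary list and the sample payments are all constructed, and the one-time code is returned by the issuing function instead of being delivered over SMS, phone call or a device app, so that the example runs offline.

```python
"""Maker-checker release with risk-based step-up to out-of-band (OOB) approval.
Added example; policy values and sample payments are constructed."""
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal
import hmac
import secrets

# Constructed policy values for this example, not a real institution's policy.
KNOWN_BENEFICIARIES = {"ACC-111", "ACC-222"}
ELEVATED_RISK_COUNTRIES = {"ZZ"}      # placeholder code, not a real country list
OOB_THRESHOLD = 30                    # score at which OOB confirmation is required


@dataclass(frozen=True)
class Payment:
    ref: str
    maker: str                        # user who entered the instruction
    amount: Decimal
    beneficiary_account: str
    beneficiary_country: str
    submitted_at: datetime


def risk_score(p: Payment) -> int:
    """Additive score over amount, beneficiary novelty, destination and timing."""
    score = 0
    if p.amount >= Decimal("1000000"):
        score += 40
    elif p.amount >= Decimal("100000"):
        score += 20
    if p.beneficiary_account not in KNOWN_BENEFICIARIES:
        score += 30                   # first payment to this account
    if p.beneficiary_country in ELEVATED_RISK_COUNTRIES:
        score += 20
    outside_hours = not (8 <= p.submitted_at.hour < 18) or p.submitted_at.weekday() >= 5
    if outside_hours:
        score += 10
    return score


def needs_oob(p: Payment) -> bool:
    """Risk-based authentication: only higher-risk payments get the extra factor."""
    return risk_score(p) >= OOB_THRESHOLD


class ReleaseWorkflow:
    """Tracks one payment from submission to release."""

    def __init__(self, payment: Payment) -> None:
        self.payment = payment
        self.checker = None
        self._oob_code = None
        self.oob_confirmed = False

    def check(self, checker: str) -> bool:
        """Second-person approval; the maker can never check their own payment."""
        if checker == self.payment.maker:
            return False
        self.checker = checker
        return True

    def issue_oob_code(self) -> str:
        """Create a single-use code for the checker's registered device.
        Returned here only so the example runs offline; in production it would
        travel over a channel separate from the banking session."""
        if self.checker is None:
            raise RuntimeError("checker approval is required before the OOB step")
        self._oob_code = f"{secrets.randbelow(10**6):06d}"
        return self._oob_code

    def confirm_oob(self, code: str) -> bool:
        """Constant-time compare; the code is burned whether or not it matched."""
        if self._oob_code is None:
            return False
        ok = hmac.compare_digest(code.encode(), self._oob_code.encode())
        self._oob_code = None
        if ok:
            self.oob_confirmed = True
        return ok

    def can_release(self) -> bool:
        if self.checker is None:
            return False
        if needs_oob(self.payment) and not self.oob_confirmed:
            return False
        return True


# Constructed sample payments (4 April 2017 is a Tuesday).
LOW_RISK_PAYMENT = Payment("PAY-1", "alice", Decimal("5000"), "ACC-111", "GB", datetime(2017, 4, 4, 10, 0))
MEDIUM_RISK_PAYMENT = Payment("PAY-2", "carol", Decimal("150000"), "ACC-222", "DE", datetime(2017, 4, 4, 14, 0))
HIGH_RISK_PAYMENT = Payment("PAY-3", "alice", Decimal("2000000"), "ACC-777", "ZZ", datetime(2017, 4, 4, 3, 0))

if __name__ == "__main__":
    for p in (LOW_RISK_PAYMENT, MEDIUM_RISK_PAYMENT, HIGH_RISK_PAYMENT):
        print(p.ref, "score", risk_score(p), "oob required:", needs_oob(p))
    wf = ReleaseWorkflow(HIGH_RISK_PAYMENT)
    wf.check("bob")
    wf.confirm_oob(wf.issue_oob_code())
    print(HIGH_RISK_PAYMENT.ref, "releasable:", wf.can_release())
```

Two design points matter more than the weights: the checker identity is compared against the maker before anything else, so a single compromised credential cannot both create and approve an instruction, and a wrong OOB code burns the challenge rather than leaving it open for further guesses.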
IRS Circular 230 Disclosure: Citigroup Inc. and its affiliates do not provide tax or legal advice. Any discussion of tax matters in these materials (i) is not intended or written to be used, and cannot
be used or relied upon, by you for the purpose of avoiding any tax penalties and (ii) may have been written in connection with the “promotion or marketing” of any transaction contemplated hereby
(“Transaction”). Accordingly, you should seek advice based on your particular circumstances from an independent tax advisor.
Any terms set forth herein are intended for discussion purposes only and are subject to the final terms as set forth in separate definitive written agreements. This presentation is not a commitment
or firm offer and does not obligate us to enter into such a commitment, nor are we acting as a fiduciary to you. By accepting this presentation, subject to applicable law or regulation, you agree to
keep confidential the information contained herein and the existence of and proposed terms for any Transaction.
We are required to obtain, verify and record certain information that identifies each entity that enters into a formal business relationship with us. We will ask for your complete name, street address,
and taxpayer ID number. We may also request corporate formation documents, or other forms of identification, to verify information provided.
© 2017 Citibank, N.A. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world.
All views, opinions and estimates expressed in this communication (the “Communication”) (i) may change without notice, and (ii) may differ from those views, opinions and estimates held or
expressed by Citigroup Inc., its subsidiaries and branches thereof worldwide (together “Citi”) or other Citi personnel.
This Communication is provided for information and discussion purposes only and does not constitute legal or other advice. Unless otherwise expressly indicated, this Communication does not
constitute an offer or recommendation to purchase or sell any financial instruments or other products and does not take into account the investment objectives or financial situation of any particular
person. Recipients of this Communication should obtain advice based on their own individual circumstances from their own tax, financial, legal and other advisors before making an investment
decision or taking any other action and only make such decisions on the basis of the recipient’s own objectives, experience and resources and on the basis of the recipient’s own tax, financial and
legal advice. The information contained in this Communication is based on generally available information and, although obtained from sources believed by Citi to be reliable, its accuracy and
completeness cannot be assured, and such information may be incomplete or condensed. It has not been prepared by research analysts, and the information in this communication is not intended
to constitute “research” as that term is defined by applicable regulations. Furthermore, the information in it is general, may not reflect recent developments and was not intended and must not be
considered or relied on as legal, tax, financial or any other form of advice. Please contact your legal counsel and other advisors if you have any questions or concerns about the matters addressed
here. No liability is accepted by Citi for any loss (whether direct, indirect or consequential) that may arise from any use of the information contained in or derived from this Communication.
IRS Circular 230 Disclosure: Citi, its employees and its affiliates are not in the business of providing, and do not provide, tax or legal advice to any taxpayer outside of Citi. Any statements in this
Communication to tax matters were not intended or written to be used, and cannot be used or relied upon, by any taxpayer for the purpose of avoiding tax penalties. Any such taxpayer should
seek advice based on the taxpayer’s particular circumstances from an independent tax advisor.
Citi specifically prohibits the redistribution of this Communication in whole or in part without the written permission of Citi and Citi accepts no liability whatsoever for the actions of third parties in this
respect.
Copyright © 2017 Citigroup Inc. and/or its affiliates. All rights reserved. CITI, CITI and Arc Design, CITIBANK and CITIGROUP are trademarks and service marks of Citigroup Inc. and/or its
affiliates and are used and registered throughout the world
GRA25586 03/15