Date post: 20-Jan-2016
III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response
Transcript
Page 1: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

III Congreso de Prevención del Fraude y Seguridad

Cyber Threats to the Financial Service Industry and Response

Page 2: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

© 2008 Forward Discovery, Inc. 2

Art Ehuan, CISSP

• Director with Forward Discovery, an expert information security company with offices in the United States and UAE

• Formerly the Director of Corporate Information Security for USAA, a Fortune 200 financial services firm in the United States

• Previously assistant director of information security for Northrop Grumman Corporation

• Prior FBI Supervisory Special Agent in the Computer Investigations Unit at FBI Headquarters

• Former Adjunct Professor at George Washington, Georgetown and Duke Universities on information security and cyber crimes

• Created information security programs to protect data from external and internal compromise

Page 3: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Threats to the Financial Services Industry

• The financial services industry faces unprecedented threats in protecting customer data from cyber compromise

• The threats are from cyber criminals and Organized Crime (OC) groups that use the Internet and technology to commit massive information and monetary theft from financial institutions

• The cyber threats from these groups will continue to increase for the foreseeable future

• The monetary losses to the United States financial sector are estimated in the hundreds of millions of US dollars (www.ic3.gov). The worldwide figure is probably in the billions of US dollars

Page 4: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Threats to the Financial Services Industry

Page 5: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Bank Robbery, Old Crime

• Willie Horton, an infamous American bank robber in the 1920s, was asked why he robbed banks. His reply: “Because that is where the money is”

• The average bank robbery nets the thief approximately $5,000

• The risk is great for a very low gain

– Bodily injury or death from security or police

– High jail sentence for bank robbery

Page 6: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

External Threat Classification

• Cyber threats can be classified as internal or external

• The cyber threat can be known or unknown

• The external known threat is composed of:

– Cyber criminals and Organized Crime (OC) that have efficiently and effectively adapted to bank robbery in the high technology age

– Web and application compromise

– Account takeover

• The external unknown threat is composed of:

– Nation-States that have the ability to conduct offensive activity against financial institutions

– Web and application compromise

– Account takeover

– Terrorist organizations

Page 7: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Internal Threat Classification

• Cyber threats can be classified as internal or external

• The cyber threat can be known or unknown

• The internal known threat is composed of:

– Financial sector employees that steal sensitive data for illicit purposes (In 2004, the United States Secret Service, which has concurrent jurisdiction with the FBI to investigate cyber crime, published an insider threat study on illicit cyber activity in the financial sector)

– Expanded access devices brought in by employees like iPhones, iPods, USB drives, etc.

• The internal unknown threat is composed of:

– Corporate espionage by organizations that are interested in strategic information of competitors

– Partner organizations that have network connections to the company

– Supply chain via software/hardware that has been compromised and installed in the financial organization

Page 8: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Cyber Threat Statistics

• 158% increase in cyber attacks – US Department of Homeland Security statistics show that there were over 37,000 attempted and reported breaches of government and private computer systems in fiscal year 2007

• 239,900,000 personal records have been stolen since 2005 (Privacy Rights Clearinghouse, 2008)

• 10% devaluation – In 2006, the Congressional Research Service estimated that a New York Stock Exchange (NYSE) company suffered shareholder losses of US $50-200 million

• 9 out of 10 businesses were impacted by cyber crime (FBI statistics, 2005)

Page 9: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Financial Sector Account Takeover

• This type of illicit activity targets the financial sector customer to acquire access to passwords, PINs and other identifiable information

Page 10: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Financial Sector Organization Attack

• OC and cyber criminals are attacking and stealing customer data from bank databases

[Diagram steps]

1. Cyber Compromise of Bank

2. Customer Enters Card & PIN Number

3. Encryption of Account Number & PIN Provides PIN Block

4. PIN Block Provided to Hardware Security Module (HSM)

5. Old PIN Block, Account Number and PIN Generate New PIN Block

6. PIN Block Provided to Hardware Security Module (HSM)

7. Compromise of Bank HSM by Cyber Criminal (diagram label: 037583920938475 PIN 6496)

8. Old PIN Block, Account Number and PIN Generate New PIN Block

9. New PIN Block is Provided to Customer Bank

Page 11: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Financial Sector Client Attack

• OC and cyber criminals are stealing customer bank credentials by account takeover and manipulation from Web Browser compromise or Redirection (IFrame)

[Diagram steps]

1. Cyber Compromise

2. Customer System Rootkit

3. Customer Online Login

4. User ID & PW Stolen

5. Cyber Criminal Login with Stolen Customer Credentials

6. Customer Funds Transferred

Page 12: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Financial Sector Client Attack

• OC and cyber criminals are stealing customer bank credentials by account takeover and manipulation from Phishing

[Diagram steps]

1. Cyber Fraudster Phishing Email

2. Victim Receives Email and Clicks on Link

3. System Rootkit and/or Redirection (Fake Website)

4. Customer Credentials Sent to Fraudster

Page 13: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Financial Sector Strategies

• The following strategies will assist financial institutions in protecting their information assets:

– Develop and implement a CERT and Incident Response capability

– Extrusion detection of network traffic

– Create information sharing forums (formal/informal) with other financial institutions

– Conduct scheduled/unscheduled vulnerability assessments and identify risk to the organization from employees, partners and suppliers

– Provide regular customer and employee cyber security awareness

– Prepare for regulatory activity from government agencies

Page 14: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

CERT and IR Capability

• Develop and implement a CERT and Incident Response capability

• Every financial institution requires a centralized capability to manage cyber incidents

• A Computer Emergency Response Team (CERT) is the primary line of defense when an incident is suspected

• A CERT must have a formal framework with executive support

• Maintain dedicated personnel, software, hardware to respond to incidents

• Identify and track anomalous activity on the network

• Cyber threat exercises should be conducted to test framework on a regular basis

Page 15: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Extrusion Detection

• Extrusion Detection of External Traffic

• All financial institutions monitor external network traffic coming in for unauthorized cyber activity

• Monitoring of anomalous network traffic that is exiting the network is equally as important

• A baseline should be established that provides information on normal versus abnormal outbound network traffic

• The cyber criminal will get in and it is critical that monitoring take place to identify network traffic leaving the organization

• Example of network activity that extrusion detection should identify:

– non-HTTP traffic over port 80

– non-DNS traffic over port 53

– non-SSL traffic over port 443
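The three port/protocol mismatches listed on the Extrusion Detection slide can be checked against the first payload bytes of each outbound flow. The sketch below is an added example, not part of the original presentation; the function names, the flow record layout and the sample hosts and payloads are assumptions constructed for illustration, and it covers only client-side TCP 80, UDP 53 and TCP 443.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def looks_like_http(payload: bytes) -> bool:
    """Client request line: METHOD SP target SP HTTP/1.x"""
    request_line = payload.split(b"\r\n", 1)[0]
    return request_line.startswith(HTTP_METHODS) and b" HTTP/1." in request_line

def looks_like_tls(payload: bytes) -> bool:
    """Handshake record (0x16), version 3.x, carrying a ClientHello (0x01)."""
    if len(payload) < 6:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return ctype == 0x16 and major == 3 and minor <= 4 and 0 < length <= 18432 and payload[5] == 0x01

def looks_like_dns_query(payload: bytes) -> bool:
    """12-byte header with QR=0, opcode 0, one question, then a well-formed QNAME."""
    if len(payload) < 17:
        return False
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF or qd != 1 or an or ns:
        return False
    pos, name_len = 12, 0
    while pos < len(payload):
        label = payload[pos]
        if label == 0:                      # root label ends the name
            return pos + 5 <= len(payload)  # QTYPE and QCLASS must follow
        name_len += label + 1
        if label > 63 or name_len > 254:    # RFC 1035 label and name limits
            return False
        pos += label + 1
    return False

EXPECTED = {("tcp", 80): ("HTTP", looks_like_http),
            ("udp", 53): ("DNS", looks_like_dns_query),
            ("tcp", 443): ("SSL", looks_like_tls)}

def find_mismatches(flows):
    """Return (source, port, reason) for outbound flows that fail the check for their port."""
    alerts = []
    for f in flows:
        name, check = EXPECTED.get((f["proto"], f["dport"]), (None, None))
        if check and not check(f["payload"]):
            alerts.append((f["src"], f["dport"], f"non-{name} traffic"))
    return alerts

DNS_QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
SAMPLE_FLOWS = [  # constructed sample: first payload bytes of six outbound flows, hypothetical hosts
    {"src": "10.0.0.5", "proto": "tcp", "dport": 80, "payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "10.0.0.7", "proto": "tcp", "dport": 80, "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"src": "10.0.0.5", "proto": "udp", "dport": 53, "payload": DNS_QUERY},
    {"src": "10.0.0.9", "proto": "udp", "dport": 53, "payload": b"constructed non-DNS payload bytes"},
    {"src": "10.0.0.5", "proto": "tcp", "dport": 443, "payload": b"\x16\x03\x01\x00\x2f\x01" + bytes(46)},
    {"src": "10.0.0.12", "proto": "tcp", "dport": 443, "payload": b"POST /upload HTTP/1.1\r\n\r\n"},
]

if __name__ == "__main__":
    print(find_mismatches(SAMPLE_FLOWS))
```

These checks are shape heuristics on the opening bytes only; they complement, rather than replace, the baseline of normal outbound traffic the slide calls for.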

Page 16: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Information Sharing Forum

• Create information sharing forums with other financial institutions

• The sharing of information on cyber threats is critical for financial organizations to respond to new and emerging threats

• Financial institutions should coordinate information on cyber threats that are observed or identified and make this available to the group

• The sharing can either be formal or informal without a need for attribution to a particular institution

• In a formal information sharing model, a database repository can be utilized to capture and share “feeds” from members

• The United States financial sector information sharing model is the Financial Services Information Sharing and Analysis Center (FS-ISAC)

Page 17: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Vulnerability Assessments

• Conduct vulnerability assessments to identify risk to the financial services organization from employees, partners and suppliers

• Vulnerability assessments are crucial for identifying risk for a financial institution

• A framework like ISO 27001/27002 should be utilized in conducting a vulnerability assessment

• Assessments should be conducted on a scheduled and unscheduled basis

• Develop a framework whereby partners that are connected to the organization are required to conduct assessments to identify threats from partners

• Follow up and mitigate or eliminate risk that is identified as soon as possible

Page 18: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Vulnerability Assessment Approach

[Diagram: Input, Control Assessment, Outcome]

Input: Interviews; Information Requests; Asset Inventory; Best Practices; Process Maps

Control Assessment (only 6 of the 11 ISO areas depicted): Policies & Procedures; Human Resources Security; Communications & Operations; Business Continuity Planning; Access Controls; Compliance

Outcome:

• Provides qualitative assessment of security posture

• Establishes security baseline for use in future assessments

• Identifies areas of opportunities

• Drives investment decisions

Detection, Deterrence, Mitigation, Prevention

Page 19: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Vulnerability Assessment Approach

[Diagram: Information Security Risk Assessment and Business Case Driven Roadmap]

Diagram labels, risk assessment: Process Review; High Level Processes; Business Owner Interviews; Multiple Interviews; IT Assets Used by Processes of Consequence; Asset Identification; Underlying IT Assets; Underlying Assets; Asset Usage; Data Classification

• Linkages between process, asset and underlying supporting components

• Confirmation of owners and custodians

• Catalogue of process maps and assets identified

Diagram labels, layers: Data; Network; Databases; Systems; Endpoints; Messaging & content; Application infrastructure

Diagram labels, functions: Policy definition; Enforcement; Monitoring & Response; Measurement

Diagram labels, controls: Network access control; Network Behavior Analysis & Trending; Remote Access; WLAN Monitoring; IDS/IPS; Firewall; Database Encryption; Database Monitoring; Antivirus; Configuration Mgmt.; Storage Security; Firewall/Host IPS; Directory; Anti-spam; Email Encryption & Filtering; Web filtering; Antivirus/Antispyware; Endpoint control; Client Encryption; AppScan; File Transfer; App encryption; Enterprise Encryption & Key Mgmt.; Data Classification; Database Config Mgmt.; App Config. Mgmt.; App FW; Information Leak Protection; Application Assessment

Diagram labels, vertical bars: Identity & Access Management; Strong Authentication; Vulnerability Management; Digital Investigation & Forensics; Enterprise Logging & Event Correlation

Interviews with Business Units

Workstreams (each followed by its five benefit ratings as shown; column groups are labelled S&OP Specific and Foundational/Shared):

• Enterprise Data Warehouse Implementation: Instantiate enterprise data warehouse based on best practices. Ratings: M L L H L

• Data Sourcing Automation: Enable extraction and transformation of data from source systems into the enterprise data warehouse. Ratings: H H M M M

• Enterprise Metadata Compilation: Population of enterprise repository with functional data dictionary and business logic. Ratings: M – H L L

• Disaster Readiness & Information Restoration Plan: Integrated data lifecycle management strategy (replication, retention, recovery and purging). Ratings: – – M – H

• Strategic S&OP Reporting and Analysis: Enable Business Intelligence capabilities for dashboard creation. Ratings: M M H M –

• Data Entry Validation & Automation Approval: Validate data entry by branch users and automated approval prior to S&OP meetings. Ratings: M M H H L

Key: H = High Level of Contribution, M = Medium Level of Contribution, L = Low Level of Contribution, “–” = No Positive Contribution

[Timeline: items 1 to 19 plotted by month from Q4 08 to Q1 10; Effort Distribution: ~7100 hrs and ~2500 hrs]

Opportunities & Unmitigated Risks

Page 20: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Cyber Security Awareness

• Customer and employee cyber security awareness

• Provide regularly scheduled information/messages to all employees on cyber threats that have impacted the financial institution

• Require partners to provide information security training to partner organization employees that will be managing, maintaining, handling or storing sensitive company or customer data

• Provide cyber security awareness messages to customers to make them aware of cyber threats that may be directed at them, i.e. that a financial institution will never require a customer to provide personally identifiable information by email

Page 21: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Regulatory Activity Response

• Prepare for regulatory activity from government agencies

• Suspicious Activity Reports (SARs)

• Money laundering

• With the increasing incidents of cyber attacks reported by the financial sector, the United States Treasury Department added computer intrusion as a new category of suspicious activity in mid-2000

• Banks must now fill out Suspicious Activity Reports (SARs) if they suspect someone has gained access to their computer network to steal funds or customer information, or to disable the institution's computer network

• Banks do not have to report incidents in which web sites are defaced by a hacker, because no funds or sensitive information is stolen

Page 22: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

The Future of Cyber Crime

Page 23: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

The Future of Cyber Crime

Page 24: III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Forward Discovery Contact

Art Ehuan, CISSP, CCNP, EnCE

571-331-7763

www.forwarddiscovery.com
