III Congreso de Prevención del Fraude y Seguridad
Cyber Threats to the Financial Service Industry and Response
© 2008 Forward Discovery, Inc. 2
• Director with Forward Discovery, an expert information security company with offices in the United States and UAE
• Formerly the Director of Corporate Information Security for USAA, a Fortune 200 financial services firm in the United States
• Previously assistant director of information security for Northrop Grumman Corporation
• Prior FBI Supervisory Special Agent in the Computer Investigations Unit at FBI Headquarters
• Former Adjunct Professor at George Washington, Georgetown and Duke Universities on information security and cyber crimes
• Created information security programs to protect data from external and internal compromise
Art Ehuan, CISSP
Cyber Threats to the Financial Service Industry and Response
• The financial services industry faces unprecedented threats in protecting customer data from cyber compromise
• The threats are from cyber criminals and Organized Crime (OC) groups that use the Internet and technology to commit massive information and monetary theft from financial institutions
• The cyber threats from these groups will continue to increase for the foreseeable future
• The monetary losses to the United States financial sector are estimated in the hundreds of millions of US dollars (www.ic3.gov). The worldwide figure is probably in the billions of US dollars
Threats to the Financial Services Industry
• Willie Horton, an infamous American bank robber of the 1920’s, was asked why he robbed banks. His reply: “Because that is where the money is”
• The average bank robbery nets the thief approximately $5,000
• The risk is great for a very low gain
– Bodily injury or death from security or police
– Long jail sentence for bank robbery
Bank Robbery, Old Crime
• Cyber threats can be classified as internal or external
• The cyber threat can be known or unknown
• The external known threat is composed of:
– Cyber criminals and Organized Crime (OC) that have efficiently and effectively adapted bank robbery to the high technology age
– Web and application compromise
– Account takeover
• The external unknown threat is composed of:
– Nation-States that have the ability to conduct offensive activity against financial institutions
– Web and application compromise
– Account takeover
– Terrorist organizations
External Threat Classification
• Cyber threats can be classified as internal or external
• The cyber threat can be known or unknown
• The internal known threat is composed of:
– Financial sector employees that steal sensitive data for illicit purposes (In 2004, the United States Secret Service, which has concurrent jurisdiction with the FBI to investigate cyber crime, published an insider threat study on illicit cyber activity in the financial sector)
– Expanded access devices brought in by employees like iPhones, iPods, USB drives, etc.
• The internal unknown threat is composed of:
– Corporate espionage by organizations that are interested in strategic information of competitors
– Partner organizations that have network connections to the company
– Supply chain via software/hardware that has been compromised and installed in the financial organization
Internal Threat Classification
• 158% increase in cyber attacks – US Department of Homeland Security statistics show that there were over 37,000 attempted and reported breaches of government and private computer systems in fiscal year 2007
• 239,900,000 personal records have been stolen since 2005 (Privacy Rights Clearinghouse 2008)
• 10% devaluation – In 2006, the Congressional Research Service estimated that a New York Stock Exchange (NYSE) company suffered shareholder losses of $50-200 million US dollars
• 9 out of 10 businesses were impacted by cyber crime (FBI statistics 2005)
Cyber Threat Statistics
• This type of illicit activity targets the financial sector customer to acquire access to passwords, PINs and other identifying information
Financial Sector Account Takeover
• OC and cyber criminals are attacking and stealing customer data from bank databases
Financial Sector Organization Attack
Diagram steps (as shown on the slide):
1. Cyber Compromise of Bank
2. Customer Enters Card & PIN Number
3. Encryption of Account Number & PIN Provides PIN Block
4. PIN Block Provided to Hardware Security Module (HSM)
5. Old PIN Block, Account Number and PIN Generate New PIN Block
6. PIN Block Provided to Hardware Security Module (HSM)
7. Compromise of Bank HSM by Cyber Criminal (diagram sample values: card number 037583920938475, PIN 6496)
8. Old PIN Block, Account Number and PIN Generate New PIN Block
9. New PIN Block is Provided to Customer Bank
• OC and cyber criminals are stealing customer bank credentials by account takeover and manipulation from Web Browser compromise or Redirection (IFrame)
Financial Sector Client Attack
Diagram steps (as shown on the slide):
1. Cyber Compromise
2. Customer System Rootkit
3. Customer Online Login
4. User ID & PW Stolen
5. Cyber Criminal Login with Stolen Customer Credentials
6. Customer Funds Transferred
• OC and cyber criminals are stealing customer bank credentials by account takeover and manipulation from Phishing
Financial Sector Client Attack
Diagram steps (as shown on the slide):
1. Cyber Fraudster Phishing Email
2. Victim Receives Email and Clicks on Link
3. System Rootkit and/or Redirection to Fake Website
4. Customer Credentials Sent to Fraudster
• The following strategies will assist financial institutions in protecting their information assets:
– Develop and implement a CERT and Incident Response capability
– Extrusion detection of network traffic
– Create information sharing forums (formal/informal) with other financial institutions
– Conduct scheduled/unscheduled vulnerability assessments and identify risk to the organization from employees, partners and suppliers
– Provide regular customer and employee cyber security awareness
– Prepare for regulatory activity from government agencies
Financial Sector Strategies
• Develop and implement a CERT and Incident Response capability
• Every financial institution requires a centralized capability to manage cyber incidents
• A Computer Emergency Response Team (CERT) is the primary line of defense when an incident is suspected
• A CERT must have a formal framework with executive support
• Maintain dedicated personnel, software and hardware to respond to incidents
• Identify and track anomalous activity on the network
• Cyber threat exercises should be conducted to test the framework on a regular basis
CERT and IR Capability
• Extrusion Detection of External Traffic
• All financial institutions monitor external network traffic coming in for unauthorized cyber activity
• Monitoring of anomalous network traffic that is exiting the network is equally as important
• A baseline should be established that provides information on normal versus abnormal outbound network traffic
• The cyber criminal will get in and it is critical that monitoring take place to identify network traffic leaving the organization
• Examples of network activity that extrusion detection should identify:
– non-HTTP traffic over port 80
– non-DNS traffic over port 53
– non-SSL traffic over port 443
Extrusion Detection
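The three extrusion-detection cases the slide lists can be checked by validating that the outbound payload on a well-known port actually matches the protocol expected there. The following is an added example, not code from the Forward Discovery deck; the flow records, addresses and payloads are constructed for illustration, and the protocol checks are deliberately minimal header-shape tests rather than full parsers.

```python
import struct
from typing import List, NamedTuple, Optional


class Flow(NamedTuple):
    """One outbound flow record (constructed sample data, not real captures)."""
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the internal host


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def looks_like_http(p: bytes) -> bool:
    # An HTTP request begins with a method token followed by a space.
    return p.startswith(HTTP_METHODS)


def looks_like_dns(p: bytes) -> bool:
    # DNS header is 12 bytes: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
    if len(p) < 12:
        return False
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", p[:12])
    is_query = (flags & 0x8000) == 0          # QR bit clear for a client query
    opcode = (flags >> 11) & 0xF              # 0=QUERY, 1=IQUERY, 2=STATUS
    return is_query and opcode in (0, 1, 2) and qd >= 1 and an == 0 and ns == 0


def looks_like_tls(p: bytes) -> bool:
    # TLS record: type 0x16 (handshake), version 3.x, then a ClientHello (0x01).
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04 and p[5] == 0x01


EXPECTED = {80: ("HTTP", looks_like_http), 53: ("DNS", looks_like_dns), 443: ("SSL/TLS", looks_like_tls)}


def check_flow(f: Flow) -> Optional[str]:
    """Return an alert string if the payload does not match the port's protocol."""
    if f.dport not in EXPECTED:
        return None
    name, matches = EXPECTED[f.dport]
    return None if matches(f.payload) else f"non-{name} traffic over port {f.dport}: {f.src} -> {f.dst}"


def find_anomalies(flows: List[Flow]) -> List[str]:
    return [alert for alert in (check_flow(f) for f in flows) if alert]


SAMPLE_FLOWS = [  # constructed: three legitimate flows and three mismatches
    Flow("10.1.2.3", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
    Flow("10.1.2.4", "203.0.113.20", 80, b"SSH-2.0-OpenSSH_7.4\r\n"),           # SSH banner on 80
    Flow("10.1.2.5", "203.0.113.30", 53, bytes.fromhex("1a2b0100000100000000000003777777076578616d706c6503636f6d0000010001")),
    Flow("10.1.2.6", "203.0.113.40", 53, b"acct=037583920938475;pin=6496"),   # plaintext on 53
    Flow("10.1.2.7", "203.0.113.50", 443, bytes.fromhex("16030100c5010000c10303")),
    Flow("10.1.2.8", "203.0.113.60", 443, b"PUT /drop HTTP/1.0\r\n"),            # cleartext HTTP on 443
]
```

Running find_anomalies(SAMPLE_FLOWS) flags only the three mismatched flows; in practice the checks would run over the first packet of each new outbound flow from a sensor or flow exporter.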
• Create information sharing forums with other financial institutions
• The sharing of information on cyber threats is critical for financial organizations to respond to new and emerging threats
• Financial institutions should coordinate information on cyber threats that are observed or identified and make this available to the group
• The sharing can either be formal or informal without a need for attribution to a particular institution
• In a formal information sharing model, a database repository can be utilized to capture and share “feeds” from members
• The United States financial sector information sharing model is the Financial Services Information Sharing and Analysis Center (FS-ISAC)
Information Sharing Forum
• Conduct vulnerability assessments to identify risk to the financial services organization from employees, partners and suppliers
• Vulnerability assessments are crucial for identifying risk for a financial institution
• A framework such as ISO 27001/27002 should be utilized in conducting a vulnerability assessment
• Assessments should be conducted on a scheduled and unscheduled basis
• Develop a framework whereby partners that are connected to the organization are required to conduct assessments to identify threats from partners
• Follow up and mitigate or eliminate risk that is identified as soon as possible
Vulnerability Assessments
[Figure: Vulnerability Assessment Approach. Inputs: Interviews, Information Requests, Asset Inventory, Best Practices, Process Maps. Control Assessment areas (only 6 of the 11 ISO areas depicted): Policies & Procedures, Human Resources Security, Communications & Operations, Business Continuity Planning, Access Controls, Compliance; controls grouped as Detection, Deterrence, Mitigation and Prevention. Outcomes: provides qualitative assessment of security posture; establishes security baseline for use in future assessments; identifies areas of opportunity; drives investment decisions.]
Vulnerability Assessment Approach
[Figure: Business Case Driven Roadmap / Information Security Risk Assessment. Panels: asset identification via business owner interviews and interviews with business units (Data Classification, Asset Identification, High Level Processes, Process Review, Underlying IT Assets used by processes of consequence; linkages between process, asset and underlying supporting components; confirmation of owners and custodians; catalogue of process maps and assets identified); a control map of the Data, Network, Databases, Systems, Endpoints, Messaging & content and Application infrastructure layers against Policy definition, Enforcement, Monitoring & Response and Measurement, with cross-cutting Identity & Access Management, Strong Authentication, Vulnerability Management, Digital Investigation & Forensics, and Enterprise Logging & Event Correlation; a workstreams table (Enterprise Data Warehouse Implementation, Data Sourcing Automation, Enterprise Metadata Compilation, Disaster Readiness & Information Restoration Plan, Strategic S&OP Reporting and Analysis, Data Entry Validation & Automation Approval) rated by contribution (H = High, M = Medium, L = Low, “–” = No Positive Contribution) with effort distribution and a Q4 08 to Q1 10 timeline; Opportunities & Unmitigated Risks.]
Vulnerability Assessment Approach
• Customer and employee cyber security awareness
• Provide regularly scheduled information/messages to all employees on cyber threats that have impacted the financial institution
• Require partners to provide information security training to partner organization employees that will be managing, maintaining, handling or storing sensitive company or customer data
• Provide cyber security awareness messages to customers to make them aware of cyber threats that may be directed at them, e.g. the fact that a financial institution will never require a customer to provide personally identifiable information in response to an email
Cyber Security Awareness
• Prepare for regulatory activity from government agencies
– Suspicious Activity Reports (SARs)
– Money laundering
• With the increasing incidents of cyber attacks reported by the financial sector, the United States Treasury Department added computer intrusion as a new category of suspicious activity in mid-2000
• Banks must now fill out Suspicious Activity Reports (SARs) if they suspect someone has gained access to their computer network to steal funds or customer information, or to disable the institution's computer network
• Banks do not have to report Web sites defaced by a hacker, because no funds or sensitive information is stolen
Regulatory Activity Response
The Future of Cyber Crime
Forward Discovery Contact
Art Ehuan, CISSP, CCNP, EnCE
571-331-7763
www.forwarddiscovery.com