4/12/16

WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING
Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. | ©2015 CliftonLarsonAllen LLP

Training your employees on cybersecurity and how they can help protect the bank
Carl H. York
360-710-5631
www.CLAconnect.com
Agenda
• Who is CLA?
• Cybersecurity
• Consumer activities
• Customer activities
• Business customer activities
• Bank employees
• Hackers: what they want and what they do
• Recommendations for training
CLA Statistics
• One of the nation’s top 10 certified public accounting and consulting firms
• Large enough to efficiently serve a variety of our clients’ needs yet small enough to provide clients the personal attention they deserve
• Nearly 4,000 professionals, operating from more than 90 offices across the United States
• Serves more than 1,200 financial institutions in 37 states
Carl H. York
• Involved in financial services for 25 years
• Former Security and Compliance Officer for a $700M bank with 14 branches
• Responsible for the delivery of all CLA information security services in the West
• Father to Jake (20) and Emma (18)
• BA from WWU, CISA, CRISC
Cybersecurity
• Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies cybersecurity.
• http://whatis.techtarget.com/definition/cybersecurity
Consumer Activities
So many options…
Social Media Sites
Pay Online
School
Relationships
Laptops
iPad
Phones
Wireless Access Points
Portable Media
Portable Disks
It’s a Wonderful Life!
Consumer Weaknesses
• Responsible for the security of their Internet connection
• Control who connects to their network
• Responsible to keep their devices up to date – operating systems, applications, anti-virus
• No limits on where they browse the Web
• No limits on USB or CD drive use
• One-third of all users use the same ID and password for EVERYTHING
Customer Activities
• We need to start with all of the consumer activities previously outlined, as our customers are consumers… then add
Online Banking
Bill Pay
Mobile Banking
Remote Deposit
Customer Weaknesses
• Consumer weaknesses mentioned earlier…
• Greater concern
– Their network is now connecting to the Bank’s network
– Their mobile device is now connecting to the Bank’s network
– Their network and mobile devices are out of the control of the Bank
– The Bank could incur financial loss if a customer’s account is compromised
Business Customer Activities
Automated Clearinghouse (ACH)
Wire Transfer
Remote Deposit Capture
Business Customer Weaknesses
• Consumer and Customer weaknesses mentioned earlier
• Greater concern
– Their business could be physically breached
– The potential losses incurred by the Bank could be larger due to “high risk” transactions
– Losses not covered by the Bank or Bank insurance could lead to lawsuits
– Businesses are assigned an Administrator over their online banking systems
Bank Employees
• The Good
– Background checks are performed
– Credit checks are performed
– Code of Conduct acknowledgement
– Acceptable Use acknowledgement
– Systems are provided and secured by the IT Department
• The Bad
– IT inherited insecure systems and is unaware of their vulnerabilities
– Inbound Internet traffic is typically blocked or limited to only what is necessary; however, outbound Internet traffic is not restricted
– Monitoring, alerting and logging are typically found to be either not in place or not effective
• The Ugly
– Bank employees still fall for social engineering
– An attacker only needs one person to fail
– If a session (connection) is established, the attacker is now an authenticated user
– Employees are tested with social engineering to validate the effectiveness of security awareness training, but incident response is excluded from testing
– Most common password cracked = SeasonYear
What’s the point?
The Hackers
2014 – Year of the Breach
Identity Theft
The Hackers
• What do they want?
– Sensitive customer information
– Sensitive Bank information
– To transfer that data out of the Bank’s network
– Gain full control of your network
– Gain persistence and reconnect whenever they please
– To not be detected
– To get in where it’s easiest – they don’t want to work very hard
• What do they do?
– Social Engineer – “…Many of the most damaging security penetrations are, and will continue to be, due to Social Engineering, not electronic hacking or cracking… Social Engineering is the single greatest security risk in the decade ahead.” — Gartner, 2010
– Phone calls, email phishing, site visits, dumpster dive
– Leave portable media
– Pay the cleaning crew
• What do they do?
– Once a connection is established
– Scan for vulnerabilities – where is the door open?
– Exploit vulnerabilities
– Find data
– Collect or transmit data
– Elevate rights
– Gain persistence
• Who do they target?
– Historically retailers, for credit card information
– Most breaches that have impacted financial institutions are because of third parties who were breached – TJ Maxx, Target, Heartland, Home Depot, etc.
– To date only 3% of breaches have occurred at financial institutions – they found it difficult to monetize
• Change in Tactics
– Carbanak
– ACH Files – not publicized
Carbanak – The Great Bank Robbery, February 2015
Automated Clearinghouse (ACH)
So much to think about…
Is this the end of the world?
We must find the right balance
Convenience vs. Security
• Staff need access to resources to perform their jobs
– Lenders
– IT Staff
• C-level staff should not be exempt
• Vendor-designed systems sometimes hamper security
• Vendor contracts should include their commitment to keep systems up to date (operating systems) and patched
Policies and Standards
• Ensure your policies are simple and clear
• Tone from the top – annual approval
• Annual acknowledgement – technology is rapidly changing
• Standards are more detailed and must be adhered to – enforced by technical controls if at all possible
Training and Expectations
• Initial and ongoing training
• Periodic newsletters that contain current cybersecurity events
• Hackers are lazy – show them examples
• Passwords
– Random character substitution
– Length is key – use pass-phrases
– Segment work and personal passwords
– Vary passwords by system
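The password points above, together with the earlier observation that the most commonly cracked password is a season plus a year, can be turned into a small policy check that staff or a password-manager audit can run. The following is an added example written for this page, not code from the slides or from CLA. The minimum length of 14, the function names and the sample credentials are all assumptions chosen for the example; the season-plus-year check deliberately undoes common single-character substitutions, because cracking rule sets do the same, which is why substitution alone does not rescue a short password.

```python
import re
from collections import defaultdict

# Minimum pass-phrase length. 14 is an assumed policy value chosen for this
# example; the slides say only that length is key.
MIN_LENGTH = 14

SEASONS = ("spring", "summer", "fall", "autumn", "winter")

# Single-character substitutions that password-cracking rule sets undo before
# comparing against a word list, so "Summ3r" is still recognised as "summer".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# A two- or four-digit year at the end, optionally followed by punctuation.
YEAR_TAIL = re.compile(r"((?:19|20)?\d{2})[^A-Za-z0-9]*$")


def is_season_year(password):
    """True if the password is a season word plus a year, e.g. Summer2016 or Summ3r2016!."""
    m = YEAR_TAIL.search(password)
    if not m:
        return False
    word = password[:m.start()].strip().translate(LEET_MAP).lower()
    return word in SEASONS


def check_password(password):
    """Return a list of policy findings; an empty list means the password passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too short: use a pass-phrase of at least %d characters" % MIN_LENGTH)
    if is_season_year(password):
        findings.append("season+year pattern: the most common cracked password shape")
    return findings


def find_reused(credentials):
    """Group systems that share a password ("vary passwords by system").
    credentials maps system name -> password, as a password-manager audit
    would see them. Returns a list of system-name lists, one per shared password."""
    by_password = defaultdict(list)
    for system, password in credentials.items():
        by_password[password].append(system)
    return [sorted(systems) for systems in by_password.values() if len(systems) > 1]


if __name__ == "__main__":
    # Constructed sample credentials for one employee (not real data).
    creds = {
        "email": "Summer2016",
        "vpn": "Summer2016",
        "core-banking": "Summ3r2016!",
        "personal-webmail": "correct horse battery staple",
    }
    for system, pw in creds.items():
        print(system, check_password(pw) or ["ok"])
    print("reused across:", find_reused(creds))
```

Run as-is, the sample flags the two work systems that share one password and rejects both season-plus-year variants, while the long pass-phrase passes; the audit works on whatever the password manager holds locally, so no passwords leave the employee’s machine.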
• Vendor visits
– Confirm all vendor visitations
– If not confirmed, turn away
– Cash controls comparison
◊ Armored Carriers
◊ Same Day, Same Time, Same Carrier
◊ How is this handled if all 3 don’t match up?
◊ Handle in the same manner to protect data and the Bank
• Question those you do not recognize
• How do you handle a stranger who knocks on your door at home?
• Email Phishing
– Only open email from trusted sources
– Don’t click on a link within an email
– Don’t open an attachment
◊ Gift Cards
◊ Peeping Tom
– Never share your ID and password (credentials) with anyone – including IT staff
– If you question the email – call to confirm
– If you question the email – report it
• Phone Calls
– Do a call back – spoofing is easy
– Never share your ID and password (credentials) with anyone – including IT staff
– If you question the call – call back to confirm
– If you question the call – report it
• Simple Suggestions
– Know the names of your IT Staff
– Require a call back
– Confirm vendor visits
– Question the unknown
– The litmus test
– Report suspicions
• Specific Training for IT Staff
– Ensure IT Staff are provided the training they need to understand and secure the systems used by the Bank
– Ensure they know how to respond to a reported incident or potential breach
– Part Time Penetration Testing for Full Time System Admins – a CLA-designed course
• How IT can help
– Identify external email
◊ [External] in the subject line
◊ Internal pulls picture from Active Directory
– Use code for identification
◊ This has to be done right or it can make life easier for an attacker
– Ensure operating systems are up to date
– Ensure operating systems and applications are patched
– Ensure configuration standards are followed
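The “[External] in the subject line” control above is simple to state but, as the slide warns, has to be done right. The following is an added example for this page, not code from the slides or from CLA, showing the decision a mail gateway makes for each message: it classifies on the domain of the From address and never on the display name, because the display name is free text the sender chooses. The internal domain bank.example, the function names and the three sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains the bank sends mail from. "bank.example" is a constructed placeholder.
INTERNAL_DOMAINS = {"bank.example"}
TAG = "[External]"


def sender_domain(msg):
    """Domain of the From address. The display name is ignored on purpose: it is
    free text chosen by the sender, so a name that mentions the bank proves nothing."""
    _display_name, address = parseaddr(msg.get("From", ""))
    return address.rpartition("@")[2].lower()


def is_external(msg):
    """A missing or non-bank sender domain is treated as external."""
    domain = sender_domain(msg)
    return domain == "" or domain not in INTERNAL_DOMAINS


def tag_subject(raw_message):
    """Return the Subject the gateway would deliver: prefixed with [External] for
    mail from outside the bank, added only once so replies and forwards do not
    accumulate tags."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    if is_external(msg) and TAG not in subject:
        subject = (TAG + " " + subject).strip()
    return subject


# Constructed sample messages (not real mail); only the headers matter here.
INTERNAL_MAIL = (
    "From: Carl York <carl.york@bank.example>\n"
    "Subject: Quarterly policy acknowledgement\n\n"
    "Please acknowledge the updated Acceptable Use policy.\n"
)

# The display name mentions the bank, but the address does not belong to it.
LOOKALIKE_MAIL = (
    'From: "IT Helpdesk (bank.example)" <helpdesk@mail-support.example.net>\n'
    "Subject: Password reset required\n\n"
    "Your password expires today.\n"
)

ALREADY_TAGGED = (
    "From: vendor@partner.example.org\n"
    "Subject: [External] Invoice 4471\n\n"
    "Attached.\n"
)

if __name__ == "__main__":
    for name, raw in (("internal", INTERNAL_MAIL), ("lookalike", LOOKALIKE_MAIL),
                      ("tagged", ALREADY_TAGGED)):
        print(f"{name:10} -> {tag_subject(raw)!r}")
```

The check is only as strong as the gateway’s control over who may send as bank.example: if outside mail carrying a bank.example From address is accepted (no SPF/DKIM/DMARC enforcement at the perimeter), the tag is silently absent on exactly the messages that most need it. That is the “done right” part of the slide’s caveat, and it should be verified with a test message, not assumed.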
Testing and Validation
• Banks are required to have an Information Security Program
• Banks are required to periodically test controls
• Have an independent third party perform testing
• White Box – test of employees
• Black Box – test of employees and IT response
• CLA offers these services
• CLA clients can receive security awareness training at no additional cost – expenses reimbursed
Questions and Answers?
twitter.com/CLAconnect
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
CLAconnect.com

Carl H. York, Senior Manager
360-710-5631
carl.york@CLAconnect.com
www.CLAconnect.com