Copyright TrustCC. All Rights Reserved.
Data Breach and Fraud Prevention
By Tom Schauer, CEO, TrustCC: Trusted Consulting and Compliance
CISA, CISM, CISSP, CEH, CRISC, CTGA
Serving Financial Institutions since 1986
Thesis
Credit Unions and Community Banks are not as secure as they think.
Sub-standard security testing has contributed to a false sense of security.
https://www.privacyrights.org/data-breach
https://www.privacyrights.org/data-breach, January 2005 to September 2014

Type of Breach          Number of Breaches   Number of Records Lost   % Breaches
Hacking or Malware                    1068              471,676,671          24%
Portable Device                       1055              172,707,621          24%
Unintended Disclosure                  771              225,987,855          18%
Insider                                534               32,681,369          12%
Physical Loss                          522                3,210,802          12%
Stationary Device                      246               11,568,743           6%
Other                                  207               12,809,013           4%
TOTAL                                 4403              930,642,074
Of 4403 total breaches, 160 occurred at Banks and Credit Unions.
That is just 3.6%.
Why do FIs account for so few breaches?
• Expectation of Security
• Perception of Security
• Minimal Research or Proof of Insecurity
• Hackers remain focused where Card is Present
• Cardholder Data Theft is Anonymous and Lucrative (plenty of buyers)
• Krebs: Attackers “Have Tunnel Vision”
Scientifically Speaking - Current Testing is Woefully Inadequate
The Oxford English Dictionary defines the scientific method as "a method or procedure that consists of systematic observation, measurement, and experiment, and the formulation, testing, and modification of hypotheses." Scientific inquiry is intended to be as objective as possible in order to minimize bias.
Traditional Security Testing
• We sent phishing emails to 100 employees, 25 clicked the link. If this had been an actual attack we could have gotten on the network.
• Scientific or Flawed?
Traditional Security Testing
• We were allowed into a conference room and, from a network jack that was enabled for our testing and using our laptop fully loaded with hacking tools, we found 35 vulnerabilities we could exploit.
• Scientific or Flawed?
Traditional Security Testing
• IT knew we were testing and the IDS alerted when we ran the vulnerability scanner. An actual attack would be detected.
• Scientific or Flawed?
The BIG Disconnect
Yes, HR has some training to do.
Verizon’s 2013 Data Breach Investigations Report
Recommended Approach
• Real Research
• Real Social Engineering
• Real Penetration Testing
• Real Incident Detection and Response
• Yields a Realistic Evaluation
Realistic Pen Testing Complements Traditional Testing
Five Real Reports from TrustCC Social Engineering Testing over the last 2 Weeks
• CU0 - 500 emps, $1.5B assets
• CU1 - 200 emps, $1B assets
• CU2 - 250 emps, <$1B assets
• CU3 - 50 emps, $600M assets
• CU4 - 150 emps, $650M assets
• Scientific or Flawed?
2013 Results
Nearly 150 Financial Institutions
• Breached – 63%
• Sensitive Data – 79%
• Admin Access – 58%
And we got better as the year progressed…
Thought Provoking Quote…
“The threat has reached the point that, given enough time, motivation, and funding, a determined adversary will likely be able to penetrate any system accessible from the Internet.”
Joseph M. Demarest, Assistant Director, Cyber Division, FBI, before the Senate Judiciary Committee, May 8, 2013
Incident Detection and Response
How does it work in the real world?
Target Breach by the Numbers…
– The dates the attackers stole card numbers: Nov 27 to Dec 15
– The number of card numbers stolen: 40,000,000
– Percentage decline in profit Q4 2013 vs Q4 2012: 46%
– The cost to banks and credit unions for reissue: $200,000,000
– The number of Target employees with CISO title: 0
– The median price of cards successfully sold: $18.00 – $35.70
– The likely income made by the hackers: $53,700,000
See www.krebsonsecurity.com
How did it happen?
The Target breach began with the phishing of an HVAC contractor that had credentials to access the Target network.
Hackers and crackers are sophisticated; at this level, they're playing a long game to nail lucrative, high-value targets. They're looking where they think you're not looking.
The weakest part of your security is something you haven’t considered…
1. Social Engineering (SE). We know most attacks start with SE because employees are reliably ineffective at stopping the attack.
2. What is my weakest link? Are my risk assessments an effective tool or a compliance obligation?
Missed Alerts and Opportunities
"According to Business Week, Target was running its own security operations center in Minneapolis. In May 2013 Target implemented best-of-breed malware detection software named FireEye. FireEye caught the initial November 30 infection of Target's payment system by malware. All told, five 'malware.binary' alarms reportedly sounded, each graded at the top of FireEye's criticality scale.
Unfortunately, it appears Target's security team failed to act on the threat indicators."
It’s Vital to know which Alerts can be Ignored
1. Skills may have been insufficient. Should this activity have been outsourced to experts?
2. Does your organization perform ‘Covert’ security testing in order to be well prepared for an actual event?
Test incident detection and response!
Class Action…
Two Incredibly Important Points
1. “Head in the Sand” and/or “Risk Acceptance” is a risky management technique. The risk does not go away. Are decisions documented?
2. When an incident occurs the sharks may be in a feeding frenzy. Perception will be as important as reality.
What is unique about an attack that starts from social engineering?
Domain User / Domain Workstation
Do you monitor authorized user activity, or have you been convinced that monitoring authorized users is a waste of time and resources?
If your users are Local Admins… 9 of 10 times it’s game over!
Incident Response Planning Imperative
• The frequency of network breach at an organization is likely to increase as monetization becomes clear and other opportunities fade.
• Breach prevention is a matter of being a ‘harder’ target when compared to the next organization.
Start by Studying Breaches
(Breach statistics table, privacyrights.org, January 2005 to September 2014, repeated from the earlier slide.)
Diagram: incident response flow. Stages shown:
• Incident Identification
• Reporting an Incident
• Notification / Escalation
• Significant Incident?
• Assessment
• Containment / Protecting Evidence
• Eradication
• Recovery
• Follow-up
• Pass on to others
• Ongoing Operation
Testing
• Table Top Scenario Testing
• Unplanned Tests
• Covert Penetration Tests
Documentation of Incidents
Documentation should not only provide a consistent means to record events but should help guide response. Sometimes it is best to have documentation off the network and communications Out of Band.
HOW TO H-ACH A BANK
Thesis
It is possible to extract Millions of dollars from a compromised Institution in a single day using the fundamentally flawed Automated Clearing House (ACH) file submission process.
Monetization Is More Complex
Old School
Routing # Check Digit Account #
ACH File Format
Routing # | Check Digit | Account #
“Hash” Creation
Entry “Hash” Purpose: Confirm Entries are Correct
Entry “Hash”: 0152016604
Routing #’s:
   24823818
   72288726
+  54904060
  152016604
FedLine: Upload ACH File to The FED
• Confirm Total Debits
• Confirm Total Credits
• Confirm Total # Batches
Diagram: ACH submission timeline
• 4:00 PM: CORE Banking System writes the ACH file to a Windows File Share
• 4:01 PM: HACKER (access to the file share)
• 4:15 PM: FedLine ACH reads the file and uploads it to The FED
Altering the ACH file
Who?
Anybody who is manually uploading ACH files to The FED/EPN.
Reaction
• Interesting, we’ve known of ACH file risks for years.
• I believe your letter is misleading.
• Holy Smokes!!!
• Dozens of Financial Institutions have acknowledged.
• The Federal Reserve: “Committed” and “Catalyst”
Stop Gap Solutions
ACH file share:
• Should not be on the Domain (i.e. NAS?)
• WORM - Write Once Read Many
• Only allow write access from the CORE
• Make Sure Share Permissions are Solid
FedLine host:
• Should not be on the Domain
• Isolated to its own VLAN
• Only allow read from this host
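The entry hash described earlier (three 8-digit routing numbers summed to 0152016604), the FedLine confirmation of debit, credit and batch totals, and the stop-gap controls above are easier to reason about with working code. The following Python is an added example, not TrustCC's tooling or anything from the Federal Reserve: it builds a constructed sample batch from the slide's three routing values (check digits are computed here, so the 9-digit numbers do not denote real institutions), recomputes the batch control record's entry count, entry hash and debit/credit totals from the entry detail records, and gates the upload on an HMAC that the core computes at export time. Field positions follow the NACHA 94-character fixed-width layout as I know it (file header, batch header and file control records are omitted for brevity); the key, account numbers, names and trace numbers are placeholders.

```python
"""Added example: verify an ACH batch before FedLine upload.

Recomputes NACHA batch control totals (entry count, entry hash, total
debits, total credits) and checks an HMAC written by the core at export
time. Sample data below is constructed; positions are NACHA 94-char layout."""
import hashlib
import hmac

# Standard entry class transaction codes (NACHA): 2x = checking, 3x = savings.
CREDIT_CODES = {"21", "22", "23", "24", "31", "32", "33", "34"}
DEBIT_CODES = {"26", "27", "28", "29", "36", "37", "38", "39"}


def aba_check_digit(first8):
    """ABA routing number check digit: weights 3,7,1 repeating over 8 digits."""
    weights = (3, 7, 1, 3, 7, 1, 3, 7)
    total = sum(int(d) * w for d, w in zip(first8, weights))
    return (10 - total % 10) % 10


def routing_is_valid(routing9):
    """True when a 9-digit routing number carries the correct check digit."""
    return (len(routing9) == 9 and routing9.isdigit()
            and aba_check_digit(routing9[:8]) == int(routing9[8]))


def entry_hash(routing8_list):
    """NACHA entry hash: sum the 8-digit receiving DFI ids, keep the rightmost 10 digits."""
    return str(sum(int(r) for r in routing8_list))[-10:].zfill(10)


def entry_record(tx_code, routing8, account, amount_cents, name, trace):
    """Build a 94-char entry detail ('6') record (constructed-sample helper)."""
    return ("6" + tx_code + routing8 + str(aba_check_digit(routing8))
            + account.ljust(17) + f"{amount_cents:010d}" + " " * 15
            + name.ljust(22) + "  " + "0" + trace.zfill(15))


def batch_totals(entries):
    """Recompute (count, entry hash, total debits, total credits) from '6' records."""
    routing = [e[3:11] for e in entries]
    debits = sum(int(e[29:39]) for e in entries if e[1:3] in DEBIT_CODES)
    credits = sum(int(e[29:39]) for e in entries if e[1:3] in CREDIT_CODES)
    return len(entries), entry_hash(routing), debits, credits


def batch_control(entries, service_class="200"):
    """Build the '8' batch control record for the entries (constructed-sample helper)."""
    count, ehash, debits, credits = batch_totals(entries)
    return ("8" + service_class + f"{count:06d}" + ehash + f"{debits:012d}"
            + f"{credits:012d}" + " " * 35 + "00000000" + "0000001")


def verify_batches(lines):
    """Compare each '8' record with totals recomputed from the '6' records before it.
    Returns a list of discrepancies; an empty list means the file is self-consistent."""
    problems, entries = [], []
    for n, line in enumerate(lines, 1):
        if len(line) != 94:
            problems.append(f"line {n}: length {len(line)} != 94")
            continue
        if line[0] == "6":
            if not routing_is_valid(line[3:12]):
                problems.append(f"line {n}: bad routing check digit {line[3:12]}")
            entries.append(line)
        elif line[0] == "8":
            computed = batch_totals(entries)
            claimed = (int(line[4:10]), line[10:20], int(line[20:32]), int(line[32:44]))
            if claimed != computed:
                problems.append(f"line {n}: control {claimed} != computed {computed}")
            entries = []
    return problems


def sign_file(lines, key):
    """HMAC over the exact bytes the core exported; the key never lives on the share."""
    return hmac.new(key, "\n".join(lines).encode(), hashlib.sha256).hexdigest()


def upload_allowed(lines, key, manifest_mac):
    """Gate the FedLine upload on both the control totals and the HMAC matching."""
    return not verify_batches(lines) and hmac.compare_digest(sign_file(lines, key), manifest_mac)


# Constructed sample batch: the slide's three routing values, balanced credits/debit.
SAMPLE_ENTRIES = [
    entry_record("22", "24823818", "1001", 125000, "PAYROLL A", "1"),
    entry_record("22", "72288726", "1002", 98000, "PAYROLL B", "2"),
    entry_record("27", "54904060", "2001", 223000, "OFFSET", "3"),
]
SAMPLE_FILE = SAMPLE_ENTRIES + [batch_control(SAMPLE_ENTRIES)]
KEY = b"constructed-demo-key"  # placeholder; a real key comes from the core's key store


def demo_tamper():
    """Model an edit on the share: one amount changed, control record left alone.
    Returns (problems in the clean file, problems in the tampered file, upload allowed?)."""
    mac = sign_file(SAMPLE_FILE, KEY)
    tampered = list(SAMPLE_FILE)
    first = tampered[0]
    tampered[0] = first[:29] + f"{9_999_999:010d}" + first[39:]
    return verify_batches(SAMPLE_FILE), verify_batches(tampered), upload_allowed(tampered, KEY, mac)


if __name__ == "__main__":
    print(entry_hash(["24823818", "72288726", "54904060"]))  # slide's value
    print(demo_tamper())
```

The control-total check catches an edit that changes an amount or routing number without recomputing the '8' record; an edit that also rewrites the control record passes it, which is why the HMAC (keyed on the core and FedLine hosts, never on the share) is the control that actually matters, and why the WORM and write-only-from-the-CORE advice above matters: it removes the window between the 4:00 PM export and the 4:15 PM upload in which the file can be rewritten at all.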
Why Disclose Now?
Cardholder Data Theft
A Call to Action
Make Sure Credit Unions:
• Are performing adequate testing, including effective testing of incident response.
• Are performing effective Risk Assessments and are accepting risk wisely.
• Are aware of the most likely targets in their environment and are designing controls to mitigate risks to these targets (at least ACH).
Wrap Up
Questions and Answers
Network