III Congreso de Prevención del Fraude y Seguridad
Cyber Threats to the Financial Service Industry and Response
Art Ehuan, CISSP
• Director with Forward Discovery, an expert information security company with offices in the United States and UAE
• Formerly the Director of Corporate Information Security for USAA, a Fortune 200 financial services firm in the United States
• Previously assistant director of information security for Northrop Grumman Corporation
• Prior FBI Supervisory Special Agent in the Computer Investigations Unit at FBI Headquarters
• Former Adjunct Professor at George Washington, Georgetown and Duke Universities on information security and cyber crimes
• Created information security programs to protect data from external and internal compromise
Threats to the Financial Services Industry
• The financial services industry faces unprecedented threats in protecting customer data from cyber compromise
• The threats are from cyber criminals and Organized Crime (OC) groups that use the Internet and technology to commit massive information and monetary theft from financial institutions
• The cyber threats from these groups will continue to increase for the foreseeable future
• The monetary losses to the United States financial sector are estimated in the hundreds of millions of US dollars (www.ic3.gov). The worldwide figure is probably in the billions of US dollars
Bank Robbery, Old Crime
• Willie Horton, an infamous American bank robber in the 1920s, was asked why he robbed banks. His reply: “Because that is where the money is”
• The average bank robbery nets the thief approximately $5,000
• The risk is great for a very low gain
  • Bodily injury or death from security or police
  • High jail sentence for bank robbery
External Threat Classification
• Cyber threats can be classified as internal or external
• The cyber threat can be known or unknown
• The external known threat is composed of:
  • Cyber criminals and Organized Crime (OC) that have efficiently and effectively adapted to bank robbery in the high technology age
  • Web and application compromise
  • Account takeover
• The external unknown threat is composed of:
  • Nation-States that have the ability to conduct offensive activity against financial institutions
  • Web and application compromise
  • Account takeover
  • Terrorist organizations
Internal Threat Classification
• Cyber threats can be classified as internal or external
• The cyber threat can be known or unknown
• The internal known threat is composed of:
  • Financial sector employees that steal sensitive data for illicit purposes (In 2004, the United States Secret Service, which has concurrent jurisdiction with the FBI to investigate cyber crime, published an insider threat study on illicit cyber activity in the financial sector)
  • Expanded access devices brought in by employees like iPhones, iPods, USB drives, etc.
• The internal unknown threat is composed of:
  • Corporate espionage by organizations that are interested in strategic information of competitors
  • Partner organizations that have network connections to the company
  • Supply chain via software/hardware that has been compromised and installed in the financial organization
Cyber Threat Statistics
• 158% increase in cyber attacks – US Department of Homeland Security statistics show that there were over 37,000 attempted and reported breaches of government and private computer systems in fiscal year 2007
• 239,900,000 personal records have been stolen since 2005 (Privacy Rights Clearinghouse 2008)
• 10% devaluation – In 2006, the Congressional Research Service estimated that a New York Stock Exchange (NYSE) company suffered shareholder losses of $50-200 million US dollars
• 9 out of 10 businesses were impacted by cyber crime (FBI statistics 2005)
Financial Sector Account Takeover
• This type of illicit activity targets the financial sector customer to acquire access to passwords, PINs and other identifiable information
Financial Sector Organization Attack
• OC and cyber criminals are attacking and stealing customer data from bank databases
[Diagram steps; sample values shown in the diagram: 037583920938475, PIN 6496]
1. Cyber Compromise of Bank
2. Customer Enters Card & Pin Number
3. Encryption of Account Number & Pin Provides Pin Block
4. Pin Block Provided to Hardware Security Module (HSM)
5. Old Pin Block, Account Number and Pin Generate New Pin Block
6. Pin Block Provided to Hardware Security Module (HSM)
7. Compromise of Bank HSM by Cyber Criminal
8. Old Pin Block, Account Number and Pin Generate New Pin Block
9. New Pin Block is Provided to Customer Bank
Financial Sector Client Attack
• OC and cyber criminals are stealing customer bank credentials by account takeover and manipulation from Web Browser compromise or Redirection (IFrame)
[Diagram steps]
1. Cyber Compromise
2. Customer System Rootkit
3. Customer Online Login
4. User ID & PW Stolen
5. Cyber Criminal Login with Stolen Customer Credentials
6. Customer Funds Transferred
Financial Sector Client Attack
• OC and cyber criminals are stealing customer bank credentials by account takeover and manipulation from Phishing
[Diagram steps]
1. Cyber Fraudster Phishing Email
2. Victim Receives Email and Clicks on Link
3. System Rootkit and/or Redirection
4. Customer Credentials Sent to Fraudster Fake Website
Financial Sector Strategies
The following strategies will assist financial institutions in protecting their information assets:
• Develop and implement a CERT and Incident Response capability
• Extrusion detection of network traffic
• Create information sharing forums (formal/informal) with other financial institutions
• Conduct scheduled/unscheduled vulnerability assessments and identify risk to the organization from employees, partners and suppliers
• Provide regular customer and employee cyber security awareness
• Prepare for regulatory activity from government agencies
CERT and IR Capability
Develop and implement a CERT and Incident Response capability
• Every financial institution requires a centralized capability to manage cyber incidents
• A Computer Emergency Response Team (CERT) is the primary line of defense when an incident is suspected
• A CERT must have a formal framework with executive support
• Maintain dedicated personnel, software and hardware to respond to incidents
• Identify and track anomalous activity on the network
• Cyber threat exercises should be conducted on a regular basis to test the framework
Extrusion Detection
Extrusion Detection of External Traffic
• All financial institutions monitor external network traffic coming in for unauthorized cyber activity
• Monitoring of anomalous network traffic that is exiting the network is equally important
• A baseline should be established that provides information on normal versus abnormal outbound network traffic
• The cyber criminal will get in, and it is critical that monitoring take place to identify network traffic leaving the organization
• Examples of network activity that extrusion detection should identify:
  • non-HTTP traffic over port 80
  • non-DNS traffic over port 53
  • non-SSL traffic over port 443
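The three port/protocol mismatches listed above can be checked from the first payload bytes of each outbound flow. The sketch below is an added example, not part of the original slides; the flow tuple layout, function names and sample addresses are assumptions, and the port 443 check recognises the SSLv3/TLS record header only.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def looks_like_http(p, tcp=True):   # request line must read "METHOD target HTTP/1.x"
    return p.startswith(HTTP_METHODS) and b" HTTP/1." in p.split(b"\r\n", 1)[0]

def looks_like_tls(p, tcp=True):    # record header: type 0x16 (handshake), version 3.x
    if len(p) < 5 or p[0] != 0x16 or p[1] != 0x03 or p[2] > 0x04:
        return False
    return 0 < struct.unpack("!H", p[3:5])[0] <= 16384 + 2048  # plausible record length

def looks_like_dns(p, tcp=False):
    if tcp:
        p = p[2:]                      # DNS over TCP has a 2-byte length prefix
    if len(p) < 17:                    # 12-byte header + smallest possible question
        return False
    flags, qdcount = struct.unpack("!HH", p[2:6])
    if flags & 0x8000 or (flags >> 11) & 0xF > 5 or qdcount != 1:
        return False                   # outbound should be a query with one question
    i = 12
    while i < len(p) and p[i]:         # walk QNAME labels (each at most 63 bytes)
        if p[i] > 63:
            return False
        i += p[i] + 1
    return i + 5 <= len(p)             # root label + QTYPE + QCLASS must fit

EXPECTED = {80: ("HTTP", looks_like_http), 53: ("DNS", looks_like_dns), 443: ("SSL", looks_like_tls)}

def extrusion_alerts(flows):
    """Return one alert per flow whose first outbound payload does not match its port."""
    alerts = []
    for src, dst, dport, proto, payload in flows:
        name, check = EXPECTED.get(dport, (None, None))
        if check and payload and not check(payload, proto == "tcp"):
            alerts.append(f"non-{name} traffic over port {dport}: {src} -> {dst}")
    return alerts

# Constructed sample flows: (src, dst, dst port, transport, first outbound payload bytes)
DNS_QUERY = b"\x1a\x2b\x01\x00\x00\x01" + b"\x00" * 6 + b"\x07example\x03com\x00\x00\x01\x00\x01"
FLOWS = [
    ("10.0.0.5", "192.0.2.10", 80, "tcp", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.7", "198.51.100.20", 80, "tcp", b"\xde\xad\xbe\xef" * 8),
    ("10.0.0.5", "192.0.2.53", 53, "udp", DNS_QUERY),
    ("10.0.0.7", "198.51.100.20", 53, "udp", b"\xde\xad\xbe\xef" * 8),
    ("10.0.0.5", "192.0.2.10", 443, "tcp", b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + b"\x00" * 32),
    ("10.0.0.7", "198.51.100.20", 443, "tcp", b"SSH-2.0-OpenSSH_8.9\r\n"),
]
```

Calling `extrusion_alerts(FLOWS)` flags the three flows from 10.0.0.7 and passes the three well-formed ones; in practice the payloads would come from a packet capture or sensor rather than inline constants.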
Information Sharing Forum
Create information sharing forums with other financial institutions
• The sharing of information on cyber threats is critical for financial organizations to respond to new and emerging threats
• Financial institutions should coordinate information on cyber threats that are observed or identified and make this available to the group
• The sharing can either be formal or informal without a need for attribution to a particular institution
• In a formal information sharing model, a database repository can be utilized to capture and share “feeds” from members
• The United States financial sector information sharing model is the Financial Services Information Sharing and Analysis Center (FS-ISAC)
Vulnerability Assessments
Conduct vulnerability assessments to identify risk to the financial services organization from employees, partners and suppliers
• Vulnerability assessments are crucial for identifying risk for a financial institution
• A framework such as ISO 27001/27002 should be utilized in conducting a vulnerability assessment
• Assessments should be conducted on a scheduled and unscheduled basis
• Develop a framework whereby partners that are connected to the organization are required to conduct assessments to identify threats from partners
• Follow up and mitigate or eliminate risk that is identified as soon as possible
Vulnerability Assessment Approach
[Diagram: Input, Control Assessment, Outcome]
• Input: Interviews, Information Requests, Asset Inventory, Best Practices, Process Maps
• Control Assessment (only 6 of the 11 ISO areas depicted): Policies & Procedures, Human Resources Security, Access Controls, Communications & Operations, Business Continuity Planning, Compliance
• Other diagram labels: Detection, Deterrence, Mitigation, Prevention
• Outcome:
  • Provides qualitative assessment of security posture
  • Establishes security baseline for use in future assessments
  • Identifies areas of opportunities
  • Drives investment decisions
Vulnerability Assessment Approach
[Diagram labels: Interviews with Business Units, Multiple Interviews, Business Owner Interviews, Process Review, High Level Processes, Data Classification, Asset Identification, Underlying Assets, Underlying IT Assets, IT Assets Used by Processes of Consequence, Information Security Risk Assessment, Opportunities & Unmitigated Risks, Business Case Driven Roadmap]
• Asset Usage
• Linkages between process, asset and underlying supporting components
• Confirmation of owners and custodians
• Catalogue of process maps and assets identified
Cyber Security Awareness
Customer and employee cyber security awareness
• Provide regularly scheduled information/messages to all employees on cyber threats that have impacted the financial institution
• Require partners to provide information security training to partner organization employees that will be managing, maintaining, handling or storing sensitive company or customer data
• Provide cyber security awareness messages to customers to make them aware of cyber threats that may be directed at them, e.g. the fact that a financial institution will never require a customer to provide personally identifiable information via email
Regulatory Activity Response
Prepare for regulatory activity from government agencies
• Suspicious Activity Reports (SARs)
• Money laundering
• With the increasing incidents of cyber attacks reported by the financial sector, the United States Treasury Department added computer intrusion as a new category of suspicious activity in mid-2000
• Banks must now fill out Suspicious Activity Reports (SARs) if they suspect someone has gained access to their computer network to steal funds or customer information, or to disable the institution's computer network
• When a web site is defaced by a hacker, banks do not have to report such incidents, because no funds or sensitive information is stolen
The Future of Cyber Crime
Forward Discovery Contact
• Art Ehuan, CISSP, CCNP, EnCE
• 571-331-7763
• aehuan@forwarddiscovery.com
• www.forwarddiscovery.com