Security Risks and Trends in IT (and Compliance)
ACUIA Region 3 Meeting
September 2012
©2012 CliftonLarsonAllen LLP
Our perspective…
• CliftonLarsonAllen
– Started in 1953 with a goal of total client service
– Today, industry specialized CPA and Advisory firm ranked in the top 10 in the U.S.
Presentation overview
• Emerging & Continuing Trends
– Industry Security Reports
– 12 Years of Information Security Audit, Assurance, and Incident Response
• Social Engineering
• The Cloud
• Mobile and Electronic Banking
• Strategies and Key Controls

Definition of a Secure System
“A secure system is one we can depend on to behave as we expect.”
Source: “Web Security and Commerce” by Simson Garfinkel with Gene Spafford
(Diagram: People, Rules, Tools)
• Confidentiality
• Integrity
• Availability
“Three” Security Reports
• Trends: SANS 2009 Top Cyber Security Threats
– http://www.sans.org/top-cyber-security-risks/
• Intrusion Analysis: TrustWave (Annual)
– https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)
– 2010 report – http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf
– 2011 report – http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
SANS – Client Side Vulnerabilities
• Client side vulnerabilities
– Missing operating system patches
– Missing application patches
– Objective is to get the users to “open the door”
• Vulnerable Web sites
– Recent: password guessing Facebook example…
– Attacks on application interfaces with “input fields”
TrustWave – Intrusion Analysis Report
(Charts: Methods of Entry; Methods of Propagation)

TrustWave – Intrusion Analysis Report
• Most of the compromised systems were managed by a third party…

TrustWave – Intrusion Analysis Report
• Incident Response
– Investigative Conclusions
• Window of Data Exposure
Once inside, attackers have very little reason to think they will be detected…
The bad guys are inside for 1 ½ YEARS before anyone knows!
Verizon
• Report is analysis of intrusions investigated by Verizon and US Secret Service.
• KEY POINTS:
– Time from successful intrusion to compromise of data was days to weeks.
– Log files contained evidence of the intrusion attempt, success, and removal of data.
– Most successful intrusions were not considered highly difficult.
Hackers, Fraudsters, and Victims
• Opportunistic Attacks
• Targeted Attacks

Verizon 2011
• Anatomy of a data breach – Opportunities
How do hackers and fraudsters break in?
Social Engineering relies on the following:
• People want to help
• People want to trust
• The appearance of “authority”
• People want to avoid inconvenience
• Timing, timing, timing…
Pre-text Phone Calls
• “Hi, this is Randy from Comcast. I am working with Dave, and I need your help…”
– Name dropping
– Establish a rapport
– Ask for help
– Inject some techno-babble
– Think telemarketer’s script
• Home Equity Line of Credit (HELOC) fraud calls
• Recent string of high-profile ACH frauds
Email Attacks – Spoofing and Phishing
• Impersonate someone in authority and:
– Ask them to visit a web-site
– Ask them to open an attachment or run update
• Examples
– Better Business Bureau complaint – http://scmagazine.com/us/news/article/660941/better-business-bureau-target-phishing-scam/
– Microsoft Security Patch Download – http://www.scmagazine.com/us/news/article/667467/researchers-warn-bogus-microsoft-patch-spam/
Email Phishing – Targeted Attack
(Screenshot of a phishing email addressed to Randall J. Romes [rromes@larsonallen.com])
Two or three tell-tale signs – can you find them?

Email Phishing – Targeted Attack
• Fewer tell-tale signs on fake websites
Physical (Facility) Security
Compromise the site:
• “Hi, Joe said he would let you know I was coming to fix the printers…”
Plant devices:
• Keystroke loggers
• Wireless access point
• Thumb drives (“Switch Blade”)
Steal hardware (laptops)
Examples…
http://www.sptimes.com/2007/10/28/Business/Here_s_how_a_slick_la.shtml
http://www.privacyrights.org/ar/ChronDataBreaches.htm
Strategies to Combat Social Engineering
• (Ongoing) user awareness training
• Network perimeter security layers
– Mail filter, mail gateway, hardened workstations
– Antivirus software (3 places) and anti-malware software
– Internet browser proxies and filtering
• Minimized user access rights
• Application white listing
• Logging and Monitoring capabilities (SIEM and DLP)
– “The 3 R’s”: Recognize, React, Respond
• VALIDATION – Periodic testing of People, Rules, Tools, and Spaces

Questions?
Managing the Risks as You Outsource to the Cloud
What is the Cloud?
• Is it a clever marketing term?
• Where is the cloud?

Cloud Services
(Worksheet: describe five types of Cloud Services, and list five Cloud Services YOU currently use)
What is the Cloud?
• The original “cloud computing”: Mainframes
• The next generation: Thin Clients (Citrix, RDP, etc…)
• Today’s cloud: Hosted service or process all the way to hosted infrastructure.
• National Institute of Standards and Technology (NIST) definition of cloud computing published October 7, 2009:
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
Examples of Cloud Services
• Hosted Email: Hosted Exchange, Gmail
• Hosted productivity applications and enterprise applications
– Google Apps, Amazon Web Services
• On-line/cloud back up services
• Hosted infrastructure
• Private Clouds
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
Benefits
• Low upfront/entry cost
• Pay as you go
• Reduced support needs
• Faster deployment speeds
• Simpler/easier upgrades
• Business agility – ability to scale
• Reduced hardware costs
• Reduced software costs
• Reduced maintenance/service costs
• Redundancy & Resiliency
• Disaster recovery and business continuity
• Specialized support expertise
• Compliance benefits
• Ability to focus on the core of your business
Risks
• Vendor Risks
– Vendor selection and due diligence
– Vendor viability
– Vendor management
• Governance Risks
– Risk Management
– Legal and compliance issues
– Life cycle management and portability
• Who has your data?
• Where is your data?
• Who has access to your data?
• Data Risks
– Data location
– Data segregation
– Data recovery
– Investigative support
• End User Risks
– Privileged user access
– Normal users
– Malicious insiders
• Technology Risks
– Quick scalability
– Pace of change
– Outage downtime
– Application level DDOS attacks
– (Hacker) ease of access
Examples in the news…
• Megaupload story: SANS NewsBites Vol. 14 Num. 29 – http://www.wired.com/threatlevel/2012/04/megaupload-defense-hobbled/
• A Megaupload defense attorney maintains that the government has "cherry picked" data from servers to bolster its case against Megaupload, and to allow the destruction of the data now could potentially destroy evidence that would prove beneficial to the defense. The staggering volume of data – 25 petabytes – is currently being stored on servers at US hosting company Carpathia, but because Megaupload's assets are frozen, Carpathia is shouldering the US $9,000 daily cost of maintaining the data. A hearing on the matter is scheduled for Friday, April 13.
• Carpathia wants the judge to relieve it of the burden of the cost of maintaining the data; an Ohio businessman wants the data preserved because he has legitimate files stored on the servers and wants them returned; the Motion Picture Association of America (MPAA) wants the data preserved so they can be used in future copyright infringement lawsuits; and Carpathia and Megaupload have suggested a proposal wherein Megaupload would purchase the servers and bear the cost of maintaining the data, but the government so far has refused to unfreeze the company's assets.
Examples closer to home…
• Recent client experience
18 months ago we outsourced our email to a cloud based email solution with Company A
6 months ago Company A was purchased by Company B
2 months ago Company B was purchased by Company C
I don’t know where my data is…
I don’t know who has access to my data…
I don’t know where my data is backed up at any more…
I don’t know…

Examples closer to home…
• Recent conference
Between sessions vendors describe their service offerings…
Company X offers online, secure back up to the cloud
Company X has grown “over 300%” in the last year
Best of all, Company X now provides online, secure, cloud based back up for Company Y – one of the larger Core hosting company providers
Where does the outsourcing chain end?
How many using Company Y know where their data is?
Things to do…
• Risk Assessment
• Cost benefit analysis
• Vendor due diligence (Pre-contract)
• Scrutinize contracts
• Ongoing vendor management
• Be disciplined about where your data is – DOCUMENT IT – an “inventory”!
• Understand vendors’ responsibility and YOURS
• Remember basic security tenets

Questions?
Understanding the Risks: Mobile Devices
Mobile Computing Basics
• Mobile Devices are here to stay…
• More people have (smart) phones than computers
• Mobile payments are coming (already here?)
– Topic for another time

Mobile Banking Basics
• Different types of mobile banking
– SMS mobile banking
– Mobile web
– Mobile applications
• Mobile banking applications (i.e. “mobile apps”)
– Various mobile app market places
– iTunes/Apple App Store
– Android Market
– Verizon App Store
– BlackBerry App Store
• Basic/common mobile banking infrastructure
– Mobile banking system at the bank
– Mobile banking system with third party vendor between customer and bank infrastructure
Vulnerabilities, Risks, & Controls
• Vulnerabilities and risks at each component
• Perform a risk assessment (Risk Assessment Heat map)
– Server Side Risks
– (Vendor Risks)
– Transmission Risks
– Mobile Device Risks
– Mobile App Risks
– End User Risks

• Server Side Risks
– Essentially the same as traditional Internet banking website risks
◊ Insecure coding practices
◊ Default credentials
◊ Patch/update maintenance
◊ Certificate issues
This is essentially a web server for the mobile devices to connect to.

• Vendor Risks
– Same risks as banks – now outside of your direct control.
◊ Insecure coding practices
◊ Default credentials
◊ Patch/update maintenance
◊ Certificate issues
Also need controls on the dedicated link…
This is essentially a web server for the mobile devices to connect to.

• Transmission Risks
– Most mobile devices have always on Internet connection
◊ Cellular (cell phone service provider)
◊ Wifi (802.11 – home, corporate, “public”)
– Need encryption
– Common end user practices

• Mobile Device Risks
– Multiple hardware platforms & multiple operating systems

• Mobile App Risks
– Secure coding issues
– Installation of App
– Use and protection of credentials
– Storage of data
– Transmission of data

• End User Risks
– Lose the device
– Don’t use passwords, or use “easy to guess passwords”
– Store passwords on the device
– Jail break the device
– Don’t use security software
– Use/don’t recognize insecure wireless networks
– Let their kids “use” the device
Vendor Due Diligence and Management
• All of the above applies to your vendor(s)
– Mobile banking application provider
– Mobile banking hosting provider
• Contracts with SLA’s
• SSAE16 reviews
• Independent code review and testing

Questions?
Risks and Controls for Electronic Banking
Phishing and ACH – In the News
Google: “ACH fraud suit”
Bank Sues Customer
• $800,000 fraudulent ACH transfer
• Bank retrieves $600,000
• What happens to the other $200,000?
Phishing and ACH – In the News
Customer Sues Bank
• $560,000 in fraudulent ACH transfers to bank accounts in Russia, Estonia, Scotland, Finland, China and the US; withdrawn soon after the deposits were made.
• Alleges that the bank failed to notice unusual activity.
• Until the fraudulent transactions were made, customer had made just two wire transfers ever.
• In just a three-hour period, 47 wire transfer requests were made.
• In addition, after customer became aware of the situation and asked the bank to halt transactions, the bank allegedly failed to do so until 38 more had been initiated.
Phishing and ACH – Examples
• Finance person receives “2000 spam messages”
• Later in the day, fraudsters make three ACH transfers all within 30 minutes:
– $8,000 to Houston
– Two transfers for $540,000 each to Romania
• In this case, business insists the following controls were not followed:
– Dollar limit/thresholds were exceeded
– Call back verification did not occur
• This one was just “resolved”…
Updated Authentication Guidance
• Risk Assessment, Risk Assessment, Risk Assessment…
• At least annually or after “changes”:
– Changes in the internal and external threat environment, including those discussed in the Appendix of the Supplement
– Changes in the member base
– Changes in the member functionality
– Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry

Updated Authentication Guidance
• Do not rely on a single control
– Controls need to increase as risk increases
– Multi‐layer
– Additional controls at different points in transaction/interaction with member
• Technical (IT/systems) controls
Updated Authentication Guidance (2)
• Specific authentication guidance
– Device identification
– Challenge questions
– Multifactor and two factor authentication
– “Out of band” authentication
Controls for Layered Security
• Control of administrative functions
• Enhanced controls around payment authorization and verification
– “Positive Pay” features
– Dual authorization
– “Call back” verification
• Detection and response to suspicious activity
Controls for Layered Security (2)
• Member awareness and education
– Explanation of protections provided and not provided
– How the financial institution may contact a member on an unsolicited basis
– A suggestion that commercial online banking members perform assessment and controls evaluation periodically
– A listing of alternative risk control mechanisms that members may consider implementing to mitigate their own risk
– A listing of financial institution contacts for members’ discretionary use to report suspected fraud
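The ACH cases above (three transfers inside 30 minutes, 47 wire requests in three hours from a customer who had made two ever, dollar thresholds exceeded, no call back) and the layered controls just listed (dollar limits, dual authorization, call-back verification, detection of suspicious activity) can be tied together in one small review routine. The code below is an added illustration, not part of the presentation or any bank's system; the profile limits, the hold/release policy and the transfer records are constructed assumptions modelled on the slides' numbers.

```python
"""Layered authorization checks for outgoing ACH/wire requests.

Added example (not from the presentation). Profile limits, the sample
transfers and the hold/release policy are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Transfer:
    ts: datetime
    amount: float
    dest_country: str
    initiated_by: str
    approved_by: Optional[str] = None   # second person, for dual authorization
    callback_verified: bool = False     # out-of-band call back completed


@dataclass
class Profile:
    per_transfer_limit: float           # dollar threshold for one request
    daily_limit: float                  # dollar threshold for one calendar day
    velocity_limit: int                 # max requests inside velocity_window
    velocity_window: timedelta
    known_countries: FrozenSet[str]     # destinations seen in normal activity


def review(profile: Profile, history: List[Transfer], tx: Transfer) -> List[str]:
    """Return the reasons a request looks unusual against the customer's profile.

    `history` holds every earlier request, released or held: a burst of
    held requests is still a signal, as in the 47-wires-in-three-hours case.
    """
    reasons = []
    if tx.amount > profile.per_transfer_limit:
        reasons.append("per-transfer limit exceeded")
    same_day = sum(h.amount for h in history if h.ts.date() == tx.ts.date())
    if same_day + tx.amount > profile.daily_limit:
        reasons.append("daily limit exceeded")
    recent = sum(1 for h in history
                 if timedelta(0) <= tx.ts - h.ts <= profile.velocity_window)
    if recent + 1 > profile.velocity_limit:
        reasons.append("velocity limit exceeded")
    if tx.dest_country not in profile.known_countries:
        reasons.append("new destination country")
    return reasons


def decide(tx: Transfer, reasons: List[str]) -> str:
    """Release a flagged request only when both compensating controls are present."""
    if not reasons:
        return "release"
    dual_authorized = tx.approved_by is not None and tx.approved_by != tx.initiated_by
    if dual_authorized and tx.callback_verified:
        return "release"
    return "hold"


def process(profile: Profile, requests: List[Transfer]) -> List[Tuple[str, List[str]]]:
    """Evaluate requests in time order, building history as it goes."""
    history: List[Transfer] = []
    results = []
    for tx in sorted(requests, key=lambda t: t.ts):
        reasons = review(profile, history, tx)
        results.append((decide(tx, reasons), reasons))
        history.append(tx)
    return results


# Constructed sample: a small business that normally pays US vendors.
SAMPLE_PROFILE = Profile(
    per_transfer_limit=50_000,
    daily_limit=100_000,
    velocity_limit=2,
    velocity_window=timedelta(minutes=30),
    known_countries=frozenset({"US"}),
)

DAY = datetime(2012, 3, 1)
SAMPLE_REQUESTS = [
    Transfer(DAY.replace(hour=9, minute=5), 8_000, "US", "alice"),
    Transfer(DAY.replace(hour=9, minute=12), 540_000, "RO", "alice"),
    Transfer(DAY.replace(hour=9, minute=30), 540_000, "RO", "alice", approved_by="bob"),
    # A legitimate, properly controlled payment to a new country later that day.
    Transfer(DAY.replace(hour=14, minute=0), 30_000, "RO", "alice",
             approved_by="bob", callback_verified=True),
]


def run_sample() -> List[Tuple[str, List[str]]]:
    return process(SAMPLE_PROFILE, SAMPLE_REQUESTS)


if __name__ == "__main__":
    for tx, (decision, reasons) in zip(sorted(SAMPLE_REQUESTS, key=lambda t: t.ts), run_sample()):
        print(f"{tx.ts:%H:%M} ${tx.amount:>9,.0f} -> {tx.dest_country}: {decision} {reasons}")
```

Each check is one layer: the $8,000 domestic payment passes cleanly, the two $540,000 requests to a new country are held because they exceed the thresholds and the third also trips the velocity check, and the afternoon payment is released only because a second approver and a completed call back are both recorded. Dropping either compensating control turns that last decision into a hold, which is the point of not relying on a single control.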
Questions?
Thank you!
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
CliftonLarsonAllen LLP
romes@cliftonlarsonallen.com
888.529.264
Solutions – From SANS Report 20 Critical Controls:
• http://csis.org/files/publication/Twenty_Critical_Controls_for_Effective_Cyber_Defense_CAG.pdf
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
Additional Critical Controls (not directly supported by automated measurement and validation):
16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training to Fill Gaps
Common Compliance Requirements
• Compliance Matrix Resources:
• http://net.educause.edu/ir/library/pdf/CSD5876.pdf
• http://www.infosec.co.uk/ExhibitorLibrary/277/Cross_Compliance_wp_20.pdf
Resources – Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources – http://www.cisecurity.org/
• Microsoft Security Checklists
– http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
– http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the “BIG” software and hardware providers
Resources – In the News
• Privacy Rights
• Resource for State Laws – https://www.privacyrights.org/data-breach-FAQ#10
References
• Bank Info Security: http://ffiec.bankinfosecurity.com/
• FDIC ACH Advisories: http://www.fdic.gov/news/news/SpecialAlert/2011/index.html
• SANS report (2009): http://www.sans.org/top-cyber-security-risks/summary.php

References
• Michigan Company sues bank
http://www.computerworld.com/s/article/9156558/Michigan_firm_sues_bank_over_theft_of_560_000_?taxonomyId=17
http://www.krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/#more-973
• Bank sues Texas company
http://www.bankinfosecurity.com/articles.php?art_id=2132
Examples in the news…
• Google: “cloud service outage”
• Microsoft Windows Azure Cloud Suffers Outage; Blame Leap Year ...
– Feb 29, 2012 – Microsoft Windows Azure, the software company's cloud computing service, has been suffering through a lengthy outage today, preventing ...
• Amazon gets 'black eye' from cloud outage – Computerworld
– Apr 21, 2011 – Keith Shaw chats with Network World's Jon Brodkin about the Amazon EC2 cloud service outage that ...
Examples in the news…
• Chinese Gmail Attack Compromises Hundreds of Accounts
• http://www.pcmag.com/article2/0,2817,2386287,00.asp
• June 3, 2012 – Earlier this week, Google discovered that a number of its Gmail account user names and passwords of personal accounts belonging to senior government officials, activists, and journalists had been compromised. The hack appears to have originated from Jinan, China, although Google did not accuse any individuals or governments of orchestrating the attack.
Examples in the news…
“Cloud Computing Service Outages in 2011”
• http://newtech.about.com/od/cloudcomputing/tp/Cloud-Computing-Major-Service-Outages-In-2011.htm
• Playstation Network – 4/21/11 – 25 days
• Amazon Web Services – 4/21/11 – 4 days
• Twitter – 2/25, 3/16, 3/25, 3/27 – hours at a time
• Gmail and Google Apps – 2/27/11 – 2 days
• Intuit Service & Quickbooks – 3/28/11 – 2-5 days
References to Specific State Laws
Are there state-specific breach listings? Some states have state laws that require breaches to be reported to a centralized database. These states include Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia’s notification law only applies to electronic breaches affecting more than 1,000 residents).
However, a number of other states have some level of notification that has been made publicly available, primarily through Freedom of Information requests. These states include California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin.
State laws: http://www.privacyrights.org/data-breach#10
For details, see the Open Security Foundation Datalossdb website: http://datalossdb.org/primary_sources
http://www.privacyrights.org/ar/ChronDataBreaches.htm