Security Risks, Trends, and Compliance in IT
ACUIA Region 3 Meeting, September 2012
©2012 CliftonLarsonAllen LLP

Our perspective…

• CliftonLarsonAllen
  – Started in 1953 with a goal of total client service
  – Today, an industry-specialized CPA and advisory firm ranked in the top 10 in the U.S.

Presentation overview

• Emerging & Continuing Trends
  – Industry Security Reports
  – 12 Years of Information Security Audit, Assurance, and Incident Response
• Social Engineering
• The Cloud
• Mobile and Electronic Banking
• Strategies and Key Controls

Definition of a Secure System

“A secure system is one we can depend on to behave as we expect.” Source: “Web Security and Commerce” by Simson Garfinkel with Gene Spafford

(Diagram: People, Rules, Tools)

• Confidentiality
• Integrity
• Availability

“Three” Security Reports

• Trends: SANS 2009 Top Cyber Security Threats
  – http://www.sans.org/top-cyber-security-risks/
• Intrusion Analysis: TrustWave (Annual)
  – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)
  – 2010 report – http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf
  – 2011 report – http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf

SANS – Client Side Vulnerabilities

• Client side vulnerabilities
  – Missing patches
  – Missing application patches
  – Objective is to get the users to “Open the door”
• Vulnerable web sites
  – Recent password guessing Facebook example…
  – Attacks on application interfaces with “input fields”

TrustWave – Intrusion Analysis Report

Methods of Entry: (chart)
Methods of Propagation: (chart)

TrustWave – Intrusion Analysis Report

• Most of the compromised systems were managed by a third party…

TrustWave – Intrusion Analysis Report

• Incident Response
  – Investigative Conclusions
• Window of Data Exposure

Once inside, attackers have very little reason to think they will be detected…

The bad guys are inside for 1 ½ YEARS before anyone knows!

Verizon

• Report is analysis of intrusions investigated by Verizon and US Secret Service.
• KEY POINTS:
  – Time from successful intrusion to compromise of data was days to weeks.
  – Log files contained evidence of the intrusion attempt and removal of data.
  – Most successful intrusions were not considered highly difficult.

Hackers, Fraudsters, and Victims

• Opportunistic Attacks
• Targeted Attacks

Verizon 2011

• Anatomy of a data breach – Opportunities

How do hackers and fraudsters break in?

Social Engineering relies on the following:

• People want to help

• People want to trust

• The appearance of “authority”

• People want to avoid inconvenience

• Timing, timing, timing…

Pre-text Phone Calls

• “Hi, this is Randy from Comcast. I am working with Dave, and I need your help…”
  – Name dropping
  – Establish a rapport
  – Ask for help
  – Inject some techno-babble
  – Think telemarketer’s script
• Home Equity Line of Credit (HELOC) fraud calls
• Recent string of high-profile ACH frauds

Email Attacks – Spoofing and Phishing

• Impersonate someone in authority and:
  – Ask them to visit a web site
  – Ask them to open an attachment or run an update
• Examples
  – Better Business Bureau complaint – http://scmagazine.com/us/news/article/660941/better-business-bureau-target-phishing-scam/
  – Security Patch Download – http://www.scmagazine.com/us/news/article/667467/researchers-warn-bogus-microsoft-patch-spam/

Email Phishing – Targeted Attack

(Screenshot of an email from Randall J. Romes [rromes@larsonallen.com])

Two or three tell-tale signs. Can you find them?

Email Phishing – Targeted Attack

• Fewer tell-tale signs on the fake

Physical (Facility) Security

Compromise the site:
• “Hi, Joe said he would let you know I was coming to fix the printers…”

Plant devices:
• Keystroke loggers
• Wireless access point
• Thumb drives (“Switch Blade”)

Examples… Steal hardware (laptops)
http://www.sptimes.com/2007/10/28/Business/Here_s_how_a_slick_la.shtml
http://www.privacyrights.org/ar/ChronDataBreaches.htm

Strategies to Combat Social Engineering

• (Ongoing) user awareness training
• Network perimeter security layers
  – Mail filter, mail gateway, hardened workstations
  – Antivirus (3 places) and anti-malware software
  – Internet browser proxies and filtering
• Minimized user access rights
• Application white listing
• Logging and Monitoring capabilities (SIEM and DLP)
  – “The 3 R’s”: Recognize, React, Respond
• VALIDATION
  – Periodic testing
  – People, Rules, Tools, and Spaces

Questions?

Managing the Risks as You Outsource to the Cloud


What is the Cloud?

• Is it a clever marketing term?
• Where is the cloud?

Cloud Services

(Worksheet)
Describe types of Cloud Services: 1. 2. 3. 4. 5.
List Cloud Services YOU currently use: 1. 2. 3. 4. 5.

What is the Cloud?

• The original “cloud computing”: Mainframes
• The next generation: Thin Clients (Citrix, RDP, etc.)
• Today’s cloud: Hosted service or process all the way to hosted infrastructure.

What is the Cloud?

• National Institute of Standards and Technology (NIST) definition of cloud computing published October 7, 2009:

“Cloud computing is a model for enabling convenient, on‐demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

Examples of Cloud Services

• Hosted Email: Hosted Exchange, Gmail
• Hosted productivity applications and enterprise applications
  – Google Apps, Web Services
• On-line/cloud back up services
• Hosted infrastructure
• Private Clouds

• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)

Benefits

• Low upfront/entry cost
• Pay as you go
• Reduced support needs
• Faster deployment speeds
• Simpler/easier upgrades
• Business agility – ability to scale
• Reduced hardware costs
• Reduced software costs
• Reduced maintenance/service costs

Benefits

• Redundancy & Resiliency
• Disaster recovery and business continuity
• Specialized support expertise
• Compliance benefits
• Ability to focus on the core of your business

Risks

• Vendor Risks
  – Vendor selection and due diligence
  – Vendor viability
  – Vendor management
• Governance Risks
  – Risk Management
  – Legal and compliance issues
  – Life cycle management and portability

• Who has your data?
• Where is your data?
• Who has access to your data?

Risks

• Data Risks
  – Data location
  – Data segregation
  – Data recovery
  – Investigative support
• End User Risks
  – Privileged user access
  – Normal users
  – Malicious insiders

Risks

• Technology Risks
  – Quick scalability
  – Pace of change
  – Outage downtime
  – Application level DDOS attacks
  – (Hacker) ease of access

Examples in the news…

Story: SANS NewsBites Vol. 14 Num. 29
http://www.wired.com/threatlevel/2012/04/megaupload-defense-hobbled/

• A Megaupload defense attorney maintains that the government has "cherry picked" data from servers to bolster its case against Megaupload, and to allow the destruction of the data now could potentially destroy evidence that would prove beneficial to the defense. The staggering volume of data – 25 petabytes – is currently being stored on servers at US hosting company Carpathia, but because Megaupload's assets are frozen, Carpathia is shouldering the US $9,000 daily cost of maintaining the data. A hearing on the matter is scheduled for Friday, April 13.
• Carpathia wants the judge to relieve it of the burden of the cost of maintaining the data; an Ohio businessman wants the data preserved because he has legitimate files stored on the servers and wants them returned; the Motion Picture Association of America (MPAA) wants the data preserved so they can be used in future copyright infringement lawsuits; and Carpathia and Megaupload have suggested a proposal wherein Megaupload would purchase the servers and bear the cost of maintaining the data, but the government so far has refused to unfreeze the company's assets.

Examples closer to home…

• Recent client experience
  – 18 months ago we outsourced our email to a cloud based email solution with Company A
  – 6 months ago Company A was purchased by Company B
  – 2 months ago Company B was purchased by Company C

I don’t know where my data is… I don’t know who has access to my data… I don’t know where my data is backed up at any more… I don’t know…

Examples closer to home…

• Recent conference
  – Between sessions vendors describe their service offerings…
  – Company X offers online, secure back up to the cloud
  – Company X has grown “over 300%” in the last year
  – Best of all, Company X now provides online, secure, cloud based back up for Company Y – one of the larger Core hosting company providers

Where does the outsourcing chain end? How many using Company Y know where their data is?

Things to do…

• Risk Assessment
• Cost benefit analysis
• Vendor due diligence (pre-contract)
• Scrutinize contracts
• Ongoing vendor management
• Be disciplined about where your data is – DOCUMENT IT – an “inventory”!
• Understand the vendor’s responsibility and YOURS
• Remember basic security tenets

Questions?

Understanding the Risks: Mobile Devices

Mobile Computing Basics

• Mobile Devices are here to stay…
• More people have (smart) phones than computers
• Mobile payments are coming (already here?) – Topic for another time

Mobile Banking Basics

• Different types of mobile banking
  – SMS mobile banking
  – Mobile web
  – Mobile applications

Mobile Banking Basics

• Mobile banking applications (i.e. “mobile apps”)
  – Various market places
  – iTunes/Apple App Store
  – Android Market
  – Verizon App Store
  – BlackBerry App Store

Mobile Banking Basics

• Basic/common mobile banking infrastructure
  – Mobile banking system at the bank (diagram)

Mobile Banking Basics

• Basic/common mobile banking infrastructure
  – Mobile banking system with third party vendor between customer and bank infrastructure (diagram)

Vulnerabilities, Risks, & Controls

• Vulnerabilities and risks at each component
• Perform a risk assessment (Risk Assessment Heat map)
  – Server Side Risks
  – (Vendor Risks)
  – Transmission Risks
  – Mobile Device Risks
  – Mobile App Risks
  – End User Risks

Vulnerabilities, Risks, & Controls

• Server Side Risks – Essentially the same as traditional Internet banking risks
  ◊ Insecure coding practices
  ◊ Default credentials
  ◊ Patch/update maintenance
  ◊ Certificate issues
  (This is essentially a web server for the mobile devices to connect to.)

Vulnerabilities, Risks, & Controls

• Vendor Risks – Same risks as banks – now outside of your direct control.
  ◊ Insecure coding practices
  ◊ Default credentials
  ◊ Patch/update maintenance
  ◊ Certificate issues
  (Also need controls on the dedicated link… This is essentially a web server for the mobile devices to connect to.)

Vulnerabilities, Risks, & Controls

• Transmission Risks
  – Most mobile devices have an always-on Internet connection
    ◊ Cellular (phone service provider)
    ◊ Wifi (802.11 – home, corporate, “public”)
  – Need encryption
  – Common end user practices

Vulnerabilities, Risks, & Controls

• Mobile Device Risks
  – Multiple hardware platforms & multiple operating systems

Vulnerabilities, Risks, & Controls

• Mobile App Risks
  – Secure coding issues
  – Installation of App
  – Use and protection of credentials
  – Storage of data
  – Transmission of data

Vulnerabilities, Risks, & Controls

• End User Risks
  – Lose the device
  – Don’t use passwords, or use “easy to guess” passwords
  – Store passwords on the device
  – Jail break the device
  – Don’t use security software
  – Use/don’t recognize insecure wireless networks
  – Let their kids “use” the device

Vendor Due Diligence and Management

• All of the above applies to your vendor(s)
  – Mobile banking application provider
  – Mobile banking hosting provider
• Contracts with SLAs
• SSAE16 reviews
• Independent code review and testing

Questions?

Risks and Controls for Electronic Banking

Phishing and ACH – In the News

Google: “ACH fraud suit”

Bank Sues Customer
• $800,000 fraudulent ACH transfer
• Bank retrieves $600,000
• What happens to the other $200,000?

Phishing and ACH – In the News

Customer Sues Bank
• $560,000 in fraudulent ACH transfers to bank accounts in Russia, Estonia, Scotland, Finland, China and the US; withdrawn soon after the deposits were made.
• Alleges that the bank failed to notice unusual activity.
• Until the fraudulent transactions were made, the customer had made just two wire transfers ever.
• In just a three-hour period, 47 wire transfer requests were made.
• In addition, after the customer became aware of the situation and asked the bank to halt transactions, the bank allegedly failed to do so until 38 more had been initiated.

Phishing and ACH – Examples

• Finance person receives “2000 spam messages”
• Later in the day, fraudsters make three ACH transfers all within 30 minutes:
  – $8,000 to Houston
  – Two transfers for $540,000 each to Romania
• In this case, the business insists the following controls were not followed:
  – Dollar limit/thresholds were exceeded
  – Call back verification did not occur
• This one was just “resolved”…

Updated Authentication Guidance

• Risk Assessment, Risk Assessment, Risk Assessment…
• At least annually or after “changes”
  – Changes in the internal and external threat environment, including those discussed in the Appendix of the Supplement
  – Changes in the member base
  – Changes in the member functionality
  – Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry

Updated Authentication Guidance

• Do not rely on a single control
  – Controls need to increase as risk increases
  – Multi-layer
  – Additional controls at different points in the transaction/interaction with the member
• Technical (IT/systems) controls

Updated Authentication Guidance (2)

• Specific authentication guidance
  – Device identification
  – Challenge questions
  – Multifactor and two factor authentication
  – “Out of band” authentication

Controls for Layered Security

• Control of administrative functions
• Enhanced controls around payment authorization and verification
  – “Positive Pay” features
  – Dual authorization
  – “Call back” verification
• Detection and response to suspicious activity
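The layered controls listed on these slides (dollar thresholds, dual authorization, call-back verification, and detection of unusual activity such as a burst of transfer requests or a first-time destination country) can be checked mechanically before an outbound transfer is released. The following Python is an added example, not code from the presentation or from CliftonLarsonAllen: the policy limits, the member id, the approver names and the transfer records are all constructed, and the hold/block outcomes are illustrative of how several controls combine so that no single one is relied on.

```python
"""Layered screening of outbound ACH/wire requests (added example; constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    member: str
    amount: float
    dest_country: str
    approvers: tuple = ()  # user ids who approved the request


@dataclass
class Policy:
    """Constructed policy values; a real institution sets these from its risk assessment."""
    per_item_limit: float = 25_000.0        # above this: hold for call-back verification
    dual_auth_threshold: float = 10_000.0   # above this: two distinct approvers required
    velocity_window: timedelta = timedelta(hours=3)
    velocity_max: int = 5                   # requests per member allowed in the window
    baseline_countries: set = field(default_factory=lambda: {"US"})


@dataclass
class Decision:
    transfer: Transfer
    action: str      # "release", "hold" (pending call-back) or "block"
    reasons: list


def screen_transfers(history, requests, policy):
    """Screen each new request against the member's released history and the policy.

    Every control that fires adds a reason; the strongest reason decides the action.
    Velocity or a missing dual authorization blocks outright; a new destination
    country or an amount over the per-item limit holds the item for call-back.
    """
    members = {t.member for t in history + requests}
    seen_countries = {m: set(policy.baseline_countries) for m in members}
    recent = {m: [] for m in members}  # timestamps of requests inside the window
    for t in history:
        seen_countries[t.member].add(t.dest_country)
        recent[t.member].append(t.ts)

    decisions = []
    for t in sorted(requests, key=lambda x: x.ts):
        reasons = []
        window_start = t.ts - policy.velocity_window
        recent[t.member] = [ts for ts in recent[t.member] if ts >= window_start]
        recent[t.member].append(t.ts)
        if len(recent[t.member]) > policy.velocity_max:
            reasons.append(f"velocity: {len(recent[t.member])} requests within {policy.velocity_window}")
        if t.dest_country not in seen_countries[t.member]:
            reasons.append(f"new destination country {t.dest_country} for this member")
        if t.amount > policy.dual_auth_threshold and len(set(t.approvers)) < 2:
            reasons.append("dual authorization missing")
        if t.amount > policy.per_item_limit:
            reasons.append(f"amount {t.amount:,.0f} exceeds per-item limit; call-back required")

        if any(r.startswith("velocity") or r.startswith("dual") for r in reasons):
            action = "block"
        elif reasons:
            action = "hold"
        else:
            action = "release"
        decisions.append(Decision(t, action, reasons))
        if action == "release":  # only released items extend the member's baseline
            seen_countries[t.member].add(t.dest_country)
    return decisions


def sample_decisions():
    """Constructed scenario mirroring the slides: a member with two prior domestic
    wires suddenly submitting a burst of large and foreign transfers."""
    t0 = datetime(2012, 4, 2, 9, 0)
    history = [
        Transfer(t0 - timedelta(days=200), "biz-417", 4_200.0, "US", ("alice",)),
        Transfer(t0 - timedelta(days=45), "biz-417", 6_900.0, "US", ("alice",)),
    ]
    requests = [
        Transfer(t0, "biz-417", 8_000.0, "US", ("alice",)),
        Transfer(t0 + timedelta(minutes=10), "biz-417", 540_000.0, "RO", ("alice", "bob")),
        Transfer(t0 + timedelta(minutes=20), "biz-417", 540_000.0, "RO", ("alice",)),
        Transfer(t0 + timedelta(minutes=25), "biz-417", 3_000.0, "EE", ("alice",)),
        Transfer(t0 + timedelta(minutes=26), "biz-417", 3_000.0, "FI", ("alice",)),
        Transfer(t0 + timedelta(minutes=27), "biz-417", 3_000.0, "CN", ("alice",)),
    ]
    return screen_transfers(history, requests, Policy())


if __name__ == "__main__":
    for d in sample_decisions():
        print(f"{d.transfer.ts:%H:%M} {d.transfer.amount:>10,.0f} {d.transfer.dest_country} -> {d.action}: {'; '.join(d.reasons) or 'no findings'}")
```

The scenario releases the routine $8,000 domestic item, holds the first $540,000 Romanian transfer for call-back (new country, over the per-item limit) even though two people approved it, blocks the second because it has a single approver, holds the small first-time Estonian and Finnish items, and blocks the sixth request purely on velocity. The point is the layering: each of these would have passed at least one of the controls on its own.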

Controls for Layered Security (2)

• Member awareness and education
  – Explanation of protections provided and not provided
  – How the financial institution may contact a member on an unsolicited basis
  – A suggestion that commercial online banking members perform an assessment and controls evaluation periodically
  – A listing of alternative risk control mechanisms that members may consider implementing to mitigate their own risk
  – A listing of financial institution contacts for members’ discretionary use to report suspected fraud

Questions?

Thank you!

Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
CliftonLarsonAllen LLP
romes@cliftonlarsonallen.com
888.529.264

Solutions – From SANS Report

20 Critical Controls:
• http://csis.org/files/publication/Twenty_Critical_Controls_for_Effective_Cyber_Defense_CAG.pdf

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention

Additional Critical Controls (not directly supported by automated measurement and validation):
16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training to Fill Gaps

Common Compliance Requirements

• Compliance Matrix Resources:
  • http://net.educause.edu/ir/library/pdf/CSD5876.pdf
  • http://www.infosec.co.uk/ExhibitorLibrary/277/Cross_Compliance_wp_20.pdf

Resources – Hardening Checklists

Hardening checklists from vendors

• CIS offers vendor-neutral hardening resources: http://www.cisecurity.org/
• Microsoft Security Checklists
  http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  http://technet.microsoft.com/en-us/library/dd366061.aspx

Most of these will be from the “BIG” software and hardware providers

Resources – In the News

• Privacy Rights org: http://www.privacyrights.org/ar/ChronDataBreaches.htm
• Resource for State Laws: https://www.privacyrights.org/data-breach-FAQ#10

References

• Bank Info Security: http://ffiec.bankinfosecurity.com/
• FDIC ACH Advisories: http://www.fdic.gov/news/news/SpecialAlert/2011/index.html
• SANS report (2009): http://www.sans.org/top-cyber-security-risks/summary.php

References

• Michigan Company sues bank
  http://www.computerworld.com/s/article/9156558/Michigan_firm_sues_bank_over_theft_of_560_000_?taxonomyId=17
  http://www.krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/#more-973
• Bank sues Texas company
  http://www.bankinfosecurity.com/articles.php?art_id=2132

Examples in the news…

• Google: “cloud service outage”
• Azure Cloud Suffers Outage; Blame Leap Year ...
  – Feb 29, 2012 – Microsoft Windows Azure, the software company's cloud computing service, has been suffering through a lengthy outage today, preventing ...
• Amazon gets 'black eye' from cloud outage – Computerworld
  – Apr 21, 2011 – Keith Shaw chats with Network World's Jon Brodkin about the Amazon EC2 cloud service outage that ...

Examples in the news…

• Chinese Gmail Attack Compromises Hundreds of Accounts
  http://www.pcmag.com/article2/0,2817,2386287,00.asp
• June 3, 2012 – Earlier this week, Google discovered that a number of its Gmail account user names and passwords of personal accounts belonging to senior government officials, activists, and journalists, had been compromised. The hack appears to have originated from Jinan, China, although Google did not accuse any individuals or governments of orchestrating the attack.

Examples in the news…

“Cloud Computing Service Outages in 2011”
• http://newtech.about.com/od/cloudcomputing/tp/Cloud-Computing-Major-Service-Outages-In-2011.htm
• PlayStation Network – 4/21/11 – 25 days
• Amazon Web Services – 4/21/11 – 4 days
• Twitter – 2/25, 3/16, 3/25, 3/27 – hours at a time
• Gmail and Google Apps – 2/27/11 – 2 days
• Intuit Service & Quickbooks – 3/28/11 – 2-5 days

References to Specific State Laws

Are there state-specific breach listings? Some states have state laws that require breaches to be reported to a centralized database. These states include Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia’s notification law only applies to electronic breaches affecting more than 1,000 residents).

However, a number of other states have some level of notification that has been made publicly available, primarily through Freedom of Information requests. These states include California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin.

State laws: http://www.privacyrights.org/data-breach#10

For details, see the Open Security Foundation Datalossdb website: http://datalossdb.org/primary_sources

http://www.privacyrights.org/ar/ChronDataBreaches.htm