Cybersecurity Landscape
Paul Love, Chief Information Security Officer, CO-OP Financial Services

Topics
• Impact
• Motivations
• How
• The Future
• Open Q&A

More Consumers are Affected by Fraud
Overall fraud incidence rose 16%: 5.30% of U.S. consumers were impacted in 2015, 6.15% in 2016.
Source: Javelin - 2017 Identity Fraud: Securing the Connected Life

The Big Story in 2017
• Card-not-present fraud: up 40%
• Account takeover fraud: up 60%
Both were driven by EMV migration in the U.S. making in-store fraud more difficult.
Source: 2017 Identity Fraud Study, Javelin Strategy & Research

2017 Breaches
[chart of 2017 breaches by sector; only the "Health Care" label is recoverable]

Motivations
Vernacular of Hacking
• Motivation labels: Hacker (white hat); Grey Hat; Bad Hacker (black hat); Blue Hat
• Skill labels: Elite Hacker; Script Kiddie; Neophyte/Noob
• Motivation/Support: Lone attacker; Hacktivist; Nation State; Organized Criminal Gangs (OCG)

History
Timeline
• 1983: Wargames (movie)
• 1986: Computer Fraud and Abuse Act
• 1988: Morris Worm
• 1989: First ransomware detected (PC Cyborg)
• 1992: 1260 polymorphic virus
• 1993: First DEFCON conference
• 1994: Citibank
• 1996: Cryptovirology (basis of modern ransomware)
• 2000: ILOVEYOU worm
• 2001: Code Red
• 2003: Blaster
• 2005: CardSystems Solutions
• 2007: TJ Maxx
• 2009: Conficker
• 2010: Stuxnet
• 2013: Target/Yahoo
• 2014: Sony
• 2015: Ashley Madison
• 2016: Bangladesh bank robbery

Eras
• Late 50's – Late 70's: Phreaking/system exploration
• Late 80's – Late 90's: Hacking increases
• 2000's and beyond: Monetary/political attacks; nation state

Why
• Money
• Resources (medical)
• Impersonation for non-monetary gain (e.g. to avoid criminal arrest)
• Extension of political goals
• Other (prestige, etc.)

How

Cybercrime Business Model
Past: an individual or small team who created malware, delivered malware and exploited malware.
Current (CyberCrime as a Service, or CAAS), with dedicated roles:
• Project Manager
• Coder/Malware developer
• Bot herder (as needed)
• Intrusion Specialist
• Data Miner
• Money Specialist
These roles can be further specialized into component parts, from initial access tools all the way to full-service models.

CyberCrime as a Service (CAAS)
Can consist of specializations:
• Malware as a service
• Counter AV as a service
• Ransomware as a service
• Fraud as a service
• Escrow services
• Drop services
• And others

Costs
Type: Amount
• Server hacking: approximately $250
• Home computer hacking: approximately $150
• Creating malware: approximately $200
• Bulk stolen data: varies depending on gigabytes stolen
• Hack service rental: $200 - $1000 (depending on size)
• Full project hack (end to end): depends; can include a fixed fee or a portion of proceeds

How a Typical Attack Happens
[diagram not recoverable from the slide]

Tools, Networks and Approaches
• Tools: Botnets; Ransomware; Malware
• Networks: Deep Web; Dark Web/Darknet; Public/Internet/Clearnet
• Approaches: Watering hole attacks; Malvertisements; DDOS

BlackHat – DefCon Security Conference
• Hacker conferences discussing new trends, attacks and intelligence sharing
• Approximately 25,000-30,000 attendees from law enforcement, InfoSec and hacker communities

Key learnings
• Crime as a Service is growing
• IoT, vehicles and voting machines can be hacked in minutes
• Thermostats and other IoT devices are susceptible to ransomware
• Mobile wallets are a target. One attacker showed how a hacker could make fraudulent payments through Samsung Pay [1]
• Mag stripes are susceptible to guessing (brute force), allowing attackers to create mag stripe cards on the fly for POS, hotel rooms and other uses [2]

[1] http://www.itproportal.com/2016/08/10/fraudulent-payments-through-samsung-pay-are-real/
[2] http://www.esecurityplanet.com/hackers/hacking-hotel-keys-and-point-of-sale-systems-at-defcon.html

Many Sites to Support Attackers
• Remote administration
• Spreaders
• Other services: full-fledged services (MAAS); marketing services; training; support

Information Sharing
Source: https://www.hackaday.com

Security Testing Tools Available
Source: https://www.hak5.org/

Skimming and Fraud
Skimming is a common form of criminal activity where data is captured from the magnetic stripe.

Phishing Examples
[three sample phishing e-mails shown as images]
Source: https://www.irs.gov/pub/irs-utl/phishing_email.pdf

Phishing Example
Source: https://www.ups.com/media/news/en/fraud_email_examples.pdf

Smishing Example
[sample SMS phishing message shown as an image]

The Future
• Nation state
• More sophisticated criminal networks
• More focus on small to medium sized businesses as targets of opportunity

How to Protect Yourself and Company
• User education
• Don't click on links in emails you weren't expecting
• Don't download or click on attachments in emails
• If it feels suspicious, assume it is and contact your security team
• Keep systems and antivirus patched
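The phishing examples above and the advice not to click unexpected links rest on one observable tell: the domain a message shows the reader is often not the domain the link actually goes to. The following Python helper, added here as an illustration and not part of the original presentation, pulls every anchor out of an HTML e-mail body, compares the host shown in the link text with the host in the href, and also flags links whose host is outside a list of domains the reader actually expects mail from. The sample message and the expected-domain list are constructed for the example; the hostnames under example.net are placeholders, not real phishing infrastructure.

```python
"""Flag deceptive links in an HTML e-mail body (added example, not from the deck)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Matches text that reads like a URL or bare domain, e.g. "www.irs.gov/refunds".
_LOOKS_LIKE_URL = re.compile(r"(?i)(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?")


def _host(value):
    """Lowercase hostname of a URL; bare domains get a scheme so urlparse sees a netloc."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _in_expected(host, expected_domains):
    """True if host equals or is a subdomain of any expected sender domain."""
    return any(host == d or host.endswith("." + d) for d in expected_domains)


def suspicious_links(html, expected_domains):
    """Return (href, text, reason) for each link that should not be clicked blindly."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        link_host = _host(href)
        # Only treat the visible text as a claimed host when it looks like a URL.
        shown_host = _host(text) if _LOOKS_LIKE_URL.fullmatch(text) else ""
        if shown_host and shown_host != link_host:
            findings.append((href, text, "display text names a different host"))
        elif link_host and not _in_expected(link_host, expected_domains):
            findings.append((href, text, "host not in expected sender domains"))
    return findings


# Constructed sample message: two deceptive links and one genuine one.
SAMPLE_EMAIL = """
<p>Your refund is ready. Visit
<a href="http://irs-refund-login.example.net/x">https://www.irs.gov/refunds</a>.</p>
<p>Or <a href="http://tracking.example.net/pkg">click here</a> to track your package.</p>
<p>Questions? See <a href="https://www.irs.gov/help">www.irs.gov/help</a>.</p>
"""
EXPECTED_DOMAINS = ["irs.gov"]  # constructed allow-list for this example

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, EXPECTED_DOMAINS):
        print(f"{reason}: text={text!r} -> href={href!r}")
```

Run on the sample, the first link is reported because the text claims www.irs.gov while the href points at an example.net host, the second because "click here" hides a host that is not on the expected list, and the third passes because text and href agree and the host is a subdomain of an expected domain. The same check fits a mail-gateway rule or a user-reported-phish triage script; the allow-list is the part that has to be maintained per organization.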