Cybersecurity Landscape

Home , Hacker, Phreaking, Script kiddie

Paul Love Chief Information Security Officer, CO-OP Financial Services Topics

Impact

Motivations

How

The Future

Open Q&A More Consumers are Affected by Fraud

Overall Fraud Incidence Rose 16%

6.15% of U.S. Consumers Impacted

5.30% of U.S. Consumers Impacted

2015 2016 Source: Javelin - 2017 Identity Fraud: Securing the Connected Life The Big Story in 2017

CARD-NOT-PRESENT FRAUD ACCOUNT TAKOVER FRAUD

UP UP 40% 60%

Both were driven by EMV migration in the U.S. making in-store fraud more difficult

Source: 2017 Identity Fraud Study, Javelin Strategy & Research 2017 Breaches

HEALTH CARE Motivations Vernacular of Hacking

Motivation Labels Skill Labels Motivation/Support

• Hacker (white hat) • Elite Hacker • Lone attacker • Grey Hat • Script Kiddie • Hacktivist • Bad Hacker (black hat) • Neophyte/Noob • Nation State • Blue Hat • Organized Criminal Gangs (OCG) History

1989 1992 2001 2013 First Ransomware 1260 Polymorphic Code Red Target/Yahoo detected (PC Cyborg) Virus 2003 2014 1993 Blaster Sony 1988 First DEFCON Morris Worm Conference 2005 CardSystems 2015 1994 Solutions Ashley Madison Citibank 1986 Computer Fraud 1996 2007 2016 and Abuse Act Cryptovirology TJ Maxx Bangladesh (basis of Modern Bank Robbery Ransomware) 2009 1983 2000 Conficker Wargames ILOVEYOU 2010 Movie Worm Stuxnet

1950 1960 1970 1980 1990 2000 2010

Late 50’s – Late 70’s Late 80’s – Late 90’s 2000’s and Beyond Phreaking/System Hacking Increases Monetary/Political attacks Exploration Nation State Why

Money

Resources (medical)

Impersonation for non monetary (criminal arrest)

Extension of Political goals

Other (prestige, etc) How Cybercrime Business Model

PAST CURRENT

Individual or small team who (CyberCrime as a Service or CAAS) created malware, delivered malware • Project Manager and exploited malware. • Coder/Malware developer • Bot herder (as needed) • Intrusion Specialist • Data Miner • Money Specialist

These roles can be further specialized to component parts, initial access tools all the way to full service models CyberCrime as a Service (CAAS)

Can consist of specializations Malware as a service Counter AV as a Service Ransomware as a service Fraud as a service Escrow Services Drop Services And others Costs

Type Amount

Server Hacking Approximately $250

Home Computer Hacking Approximately $150

Creating Malware Approximately $200

Bulk Stolen Data depending on gigabytes stolen

Hack Service Rental (depending on size) $200 - $1000

Varies depend and can include fixed fee Full project hack (end to end) or portion of proceeds How a Typical Attack Happens Tools

Networks Approaches

Deep Web Watering Hole attacks Dark Web/Darknet Malvertisements Public/Internet/Clearnet DDOS Botnets Ransomware Malware BlackHat – DefCon Security Conference

Hacker conference discussing new trends, attacks and intelligence sharing

Approximately 25,000-30,000 attendees from law enforcement, InfoSec and hacker communities.

Key learnings Crime as a Service is growing IoT, Vehicles and Voting Machines can be hacked in minutes Thermostats and other IoT are susceptible to ransomware Mobile wallets are a target. One attacker showed how a hacker could make fraudulent payments through Samsung Pay1. Mag Stripes are susceptible to guessing (brute force) allowing attackers to create mag stripe cards on the fly for POS, hotel rooms and other uses2. 1 http://www.itproportal.com/2016/08/10/fraudulent-payments-through-samsung-pay-are-real/ 2 http://www.esecurityplanet.com/hackers/hacking-hotel-keys-and-point-of-sale-systems-at-defcon.html Many Sites to Support Attackers

Remote Administration Spreaders

Other Services • Full fledged services (MAAS) • Marketing services • Training • Support Information Sharing

Source: https://www.hackaday.com Security Testing Tools Available

Source: https://www.hak5.org/ Skimming and Fraud

Skimming is a common form of criminal activity where data is captured from the magnetic stripe Phishing Example Phishing Example Phishing Example

Source: https://www.irs.gov/pub/irs-utl/phishing_email.pdf Phishing Example

Source: https://www.ups.com/media/news/en/fraud_email_examples.pdf Smishing Example The Future

Nation State

More sophisticated criminal networks

More focus on Small to Medium sized businesses as targets of opportunity How to Protect Yourself and Company

User education

Don’t click on links in emails you weren’t expecting

Don’t download or click on attachments in emails

If it feels suspicious, assume it is and contact your security team

Keep systems and antivirus patched