Mobile Banking Basics • Different Types of Mobile Banking – SMS Mobile Banking – Mobile Web – Mobile Applications

Mobile Banking Basics • Different Types of Mobile Banking – SMS Mobile Banking – Mobile Web – Mobile Applications

12 CliftonLarsonAllen 12 CliftonLarsonAllen LLP 00 Risks and Trends in IT ©2 (Security and Compliance) ACUIA Region 3 Meeting September 2012 1 1 ©2012 CliftonLarsonAllen LLP Our perspective… • CliftonLarsonAllen – Started in 1953 with a goal of total client service – Today, industry specialized CPA and Advisory firm ranked in the top 10 in the U.S. 2 ©2012 CliftonLarsonAllen LLP Presentation overview • Emerging & Continuing Trends – Industry Security Reports – 12 Years of Information Security Audit, Assurance, and Incident Response •Social Engineering • The Cloud • Mobile and Electronic Banking •Strategies and Key Controls 3 ©2012 CliftonLarsonAllen LLP Definition of a Secure System “A secure system is one we can depend on to behave as we expect.” Source: “Web Security and Commerce” by Simson Garfinkel with Gene Spafford People Rules • Confidentiality • Integrity • Availability ` Tools 4 ©2012 CliftonLarsonAllen LLP 4 “Three” Security Reports • Trends: Sans 2009 Top Cyber Security Threats – http://www.sans.org/top‐cyber‐security‐risks/ •Intrusion Analysis: TrustWave (Annual) – https://www.trustwave.com/whitePapers.php • Intrusion Analysis: Verizon Business Services (Annual) – 2010 report – httpppp_://www.verizonbusiness.com/resources/reports/rp_20 10‐DBIR‐combined‐reports_en_xg.pdf – 2011 report – http://www. verizonbusiness. com/resources/reports/rp_ dat a‐breach‐investigations‐report‐2011_en_xg.pdf 5 ©2012 CliftonLarsonAllen LLP SANS – Client Side Vulnerabilities • Client side vulnerabilities – Missing operating system patches – Missing application patches –Objective is to get the users to “Open the door” •Vulbllnerable Web sites Recent – Password guessing Facebook example… – Attack s on applica tion itinter faces with “input fields” 6 ©2012 CliftonLarsonAllen LLP TrustWave – Intrusion Analysis Report Methods of Entry: Methods of Propagation: 7 ©2012 CliftonLarsonAllen LLP TrustWave – Intrusion Analysis Report • Most of the compromised systems were managed by a third party… 8 ©2012 CliftonLarsonAllen LLP TrustWave – Intrusion Analysis Report •Incident Response –Investigative Conclusions •Window of Data Exposure Once inside, attackers have very little reason to think they will be detected… The bad guys are inside for 1 ½ YEARS before anyone knows! 9 ©2012 CliftonLarsonAllen LLP Verizon • Report is analysis of intrusions investigated by Verizon and US Secret Service. •KEY POINTS: –Time from successful intrusion to compromise of data was days to weeks. – Log files contained evidence of the intrusion attempt, success, and removal of data. –Most successful intrusions were not considere d hig hly difficu lt. 10 ©2012 CliftonLarsonAllen LLP Hackers, Fraudsters, and Victims • Opportunistic Attacks •Targeted Attacks 11 ©2012 CliftonLarsonAllen LLP Verizon 2011 •Anatomy of a data breach ‐ Opportunities 12 ©2012 CliftonLarsonAllen LLP How do hackers and fraudsters break in? Social Engineering relies on the following: • People want to help • People want to trust • The appearance of “authority” • People want to avoid inconvenience • Timing, timing, timing… 13 ©2012 CliftonLarsonAllen LLP Pre‐text Phone Calls •“Hi, this is Randy from Comcast. I am working with Dave, and I need your help…” –Name dropping – Establish a rapport – Ask for help –Inject some techno‐babble – Think telemarketers script • Home EitEquity Line of CditCredit (HELOC) fdfraud calls • Recent string of high‐profile ACH frauds 14 ©2012 CliftonLarsonAllen LLP Email Attacks ‐ Spoofing and Phishing • Impersonate someone in authority and: – Ask them to visit a web‐site – Ask them to open an attachment or run update •Examples – Better Business Bureau complaint – http://scmagazine.com/us/news/article/660941/better‐business‐ bureau‐target‐phishing‐scam/ – Microsoft Security Patch Download – http://www.scmagazine.com/us/news/article/667467/researchers‐ warn‐bogus‐microsoft‐patch‐spam/ 15 ©2012 CliftonLarsonAllen LLP Email Phishing –Targeted Attack Randall J. Romes [rromes@larsonallen. com] Two or Three tell- tale signs Can you find them? 16 ©2012 CliftonLarsonAllen LLP Email Phishing –Targeted Attack • Fewer tlltell tltale signs on fake websites 17 ©2012 CliftonLarsonAllen LLP Physical (Facility) Security Compromise the site: •“Hi, Joe said he would let you know I was coming to fix the printers…” Plant devices: • Keystroke loggers • Wireless access point • Thumb drives (“Switch Blade”) Examples… Steal hardware (laptops) http://www.sptimes .com/2007/10/28/Business/Here _ s_ how_ a_ slick_ la. shtml http://www.privacyrights.org/ar/ChronDataBreaches.htm 18 ©2012 CliftonLarsonAllen LLP Strategies to Combat Social Engineering • (Ongoing) user awareness training • Network perimeter security layers –Mail filter, mail gateway, hardened workstations – Antivirus software (3 places) and anti‐malware software – Internet browser proxies and filtering • Minimized user access rights • Application white listing • Logging and Monitoring capabilities (SIEM and DLP) –“The 3 R’s”: Recognize, React, Respond • VALIDATION Periodic testing People, Rules, Tools, and Spaces 19 ©2012 CliftonLarsonAllen LLP Questions? 20 ©2012 CliftonLarsonAllen LLP 12 CliftonLarsonAllen 12 CliftonLarsonAllen LLP 00 Managing the Risks as You ©2 Outsource to the Cloud 2121 ©2012 CliftonLarsonAllen LLP What is the Cloud? •Is it a clever marketing term? • Where is the cloud? 22 ©2012 CliftonLarsonAllen LLP Cloud Services Describe types of Cloud List Cloud Services YOU Services currently use 1. 1. 2. 2. 3. 3. 4. 4. 5. 5. 23 ©2012 CliftonLarsonAllen LLP What is the Cloud? •The original “cloud computing”: Mainframes 24 ©2012 CliftonLarsonAllen LLP What is the Cloud? •The next generation: Thin Clients (Citrix, RDP, etc…) 25 ©2012 CliftonLarsonAllen LLP What is the Cloud? •Today’s cloud: Hosted service or process all the way to hosted infrastructure. 26 ©2012 CliftonLarsonAllen LLP What is the Cloud? •Today’s cloud: Hosted service or process all the way to hosted infrastructure. 27 ©2012 CliftonLarsonAllen LLP What is the Cloud? •National Institute of Standards and Technology (NIST) definition of cloud computing published October 7, 2009: “Cloud computing is a model for enabling convenient, on‐demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” 28 ©2012 CliftonLarsonAllen LLP Examples of Cloud Services • Hosted Email: Hosted Exchange, Gmail • Hosted productivity applications and enterprise applications – Google Apps, Amazon Web Services •On‐line/cloud back up services • Hosted infrastructure •Private Clouds • Software as a Service (SaaS) • Platform as a Service (PaaS) • Infrastructure as a Service (IaaS) 29 ©2012 CliftonLarsonAllen LLP Benefits •Low upfront/entry cost • Pay as you go • Reduced support needs • Faster deployment speeds • Simpler/easier upgrades •Business agility – ability to scale • Reduced hardware costs • Reduced software costs • Reduced maintenance/service costs 30 ©2012 CliftonLarsonAllen LLP Benefits • Redundancy & Resiliency • Disaster recovery and business continuity • Specialized support expertise • Compliance benefits • Ability to focus on the core of your business 31 ©2012 CliftonLarsonAllen LLP Risks • Vendor Risks – Vendor selection and due diligence – Vendor viability – Vendor management • Governance Ris ks –Risk Management –Legal and compliance issues –Life cycle management and portability • Who has your data? • Where is your data? • Who has access to your data? 32 ©2012 CliftonLarsonAllen LLP Risks •Data Risks –Data location –Data segregation –Data recovery – Investigative support •End User Risks –Privileged user access – Normal users – Malicious insiders 33 ©2012 CliftonLarsonAllen LLP Risks • Technology Risks –Quick scalability –Pace of change –Outage downtime – Application level DDOS attacks –(Hacker) ease of access 34 ©2012 CliftonLarsonAllen LLP Examples in the news… • Megaupload story: SANS NewsBites Vol. 14 Num. 29 http://www. wired. com/threatlevel/2012/04/megaupload‐ defense‐hobbled/ • A Megaupload defense attorney maintains that the government has "cherry picked" data from servers to bolster its case against Megaupload, and to allow the destruction of the data now could potentially destroy evidence that would prove beneficial to the defense. The staggering volume of data ‐ 25 petabytes ‐ are currently being stored on servers at US hosting company Carpathia, but because Megaupload's assets are frozen, Carpathia is shouldering the US $9, 000 daily cost of maintain the data. A hearing on the matter is scheduled for Friday, April 13. • Carpathia wants the judge to relieve it of the burden the cost of maintaining the data; an Ohio businessman wants the data preserved because he has legitimate files stored on the servers and wants them returned; the Motion Picture associiiation of America ()(MPAA) wants the data preserved so they can be used in future copyright infringement lawsuits; and Carpathia and Megaupload have suggested a proposal wherein Megaupload would purchase the servers and bear the cost of maintain the data, but the government so far has refused to unfreeze the company's assets. 35 ©2012 CliftonLarsonAllen LLP Examples closer to home… • Recent client experience 18 months ago we outsourced our email to a cloud based email solution with Company A 6 months ago Company A was purchased by Company B 2 months ago Company B was purchased by Company C I don’t know where my data is… I don’t

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    75 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us