A Brief Look at Cybersecurity May 14, 2015 Nate Gravel CISA, CISM, CRISC Director – Information Security Practice W. Jackson Schultz Security Consultant – Information Security Practice
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
A Brief Look at CybersecurityMay 14, 2015
Nate Gravel CISA, CISM, CRISCDirector – Information Security Practice
W. Jackson SchultzSecurity Consultant – Information Security Practice
Founded in 1994
Located in Peabody
Family-Owned and Operated
Information Security Practice Risk Management and Compliance
IT Assurance
IT Audit
GraVoc Associates, Inc.
Recent Events & Regulatory Developments
Cybercrime Markets & Business Models
Cybersecurity Trends & Emerging Threats
Countermeasures & Security Best Practices
Question & Answer
Today’s Agenda
Recent Events & Regulatory Developments
Recent Events
Target: 40 Million Credit
Cards Compromised
- CNN, December 19, 2013
Recent Events
OpenSSL Heartbleed: The Bug That Could Affect Two-Thirds of Web- ABC, April 12, 2014
Recent Events
Home Depot Hack Could Lead to $3 Billion in Fraudulent Charges- CBS News, September 16, 2014
Recent Events
Shellshock makes Heartbleed
Look Insignificant
- ZDNet, September 29, 2014
Recent Events
JPMorgan Chase Says 76 Million Households Affected by Data Breach- NBC News, October 3, 2014
Recent Events
Cyber Attack Could Cost Sony
Studios as Much as $100 Million
- Reuters, December 10, 2014
Recent Events
Millions of Anthem Customers
Targeted in Cyber Attack
- The New York Times, February 5, 2015
Recent Events
Fraudsters Drain Starbucks
Accounts
- BankInfoSecurity, May 13, 2015
Recent Regulatory Developments
Cybersecurity FrameworkFebruary, 2014
Summary:
Identify, Protect, Detect, Respond, Recover
Recent Regulatory Developments
Joint Statements on Cybersecurity Threats
April, 2014 - Present
Including:
DDoS, Shellshock, ATM Cash Out, Malware, Credentials
Recent Regulatory Developments
Cybersecurity Assessment General Observations
November, 2014
Areas for Improvement:
Threat Intelligence & Collaboration
Cyber Incident Management & Resilience
External Dependency (Vendor) Management
Cybercrime Markets & Business Models
In 2014, the cybercrime market caused an estimated $120 billion in direct cash loss to U.S. businesses and consumers.
Cybercrime Market
$120 billion could buy:
Cybercrime Market
Cybercrime: The Underground Economy
Stolen Assets/ Criminal Activity Payout
Credit Card Numbers $5- $10 for virgin account
Bank Credentials $80 - $700
Bank Transfers 10% - 50%
Social Security Number $30 - $50
Zero Day Exploits $1,000 - $100,000
Exploits for Known Vulnerabilities $500 - $2,000
Malware (Pay per Install) Up to $1.50 (U.S. victims)
Hacktivist
Government/state-sponsored
Cyber-terrorist
Black Hat
White Hat
Grey Hat
Cybercrime Market:Types of Hackers
Create Revenue-Generating Framework
Assign Unique Roles Amongst Members
Share Profits (% depends on role)
Cybercrime Business Models
Organized.
Traditional mafia families have moved into cyber crime space
Leader
Malware Developer
Rootkit Developer
Exploit Developer
Hacker
Cybercrime Business Model:Typical Group Roles
Botnet Services
DDoS Attacks
Malware (Rogue Antivirus, Ransomware)
Access to Corporate Networks
Hackers for Hire
Cybercrime Business Models:Verticals
Cybersecurity Trends & Emerging Threats
Social engineering:
The art of manipulating people into performing actions or divulging confidential information.
Cybersecurity Trends: Social Engineering
Cybersecurity Trends: Social Engineering
Phishing
Pretext Calling
Baiting
Tailgating
Impersonation
Cybersecurity Trends: Social Engineering
A primary threat of the “Information Age”
Becoming increasingly sophisticated
Used to gather information (TMI)
Trusted community
Easy target for social engineers and hackers
Malware
Cybersecurity Trends:Social Engineering & Social Media
Targeted attacks
Get most information from legitimate sources like Registry of Deeds
Cybersecurity Trends: Social EngineeringHELOC Wire Fraud
Throughout MA (2012-2013)FIs: Multiple
Targets business online banking accounts
Relies on weaknesses in multifactor authentication and end-user (customer) control environment
Some experts estimate $754 million in losses from CATO by 2016
Cybersecurity Trends:Corporate Account Takeover (CATO)
$588,851 stolen
Changed liability landscape for financial institutions
Cybersecurity Trends:Corporate Account Takeover (CATO)
PATCO (2009-2012)FI: Ocean Bank (People’s United)
Difficult to Defend
Use Network of Compromised Systems (Botnet) to Create Flood of Traffic
Rely on General Lack of Security Awareness
Cybersecurity Trends:Distributed Denial of Service (DDoS)
Over $900,000 stolen
DDoS on Bank website used as decoy for CATO
Cybersecurity Trends:Distributed Denial of Service (DDoS)
Ascent Builders (2012)FI: Bank of the West
ATMs, gas pumps, point of sale (POS) terminals
Can be added and removed by attackers in seconds.
Used to steal card data and PIN
Cybersecurity Trends: Skimming Devices
Malicious code or virus
Used to steal data or remotely control infected device (botnet) to carry out attacks (DoS and DDoS)
Prolific: 40,000 new strains per day
Cybersecurity Trends: Malware
Viruses
Trojans
Worms and Bugs
Adware
Spyware
Ransomware
Cybersecurity Trends: Types of Malware
OpenSSL Heartbleed
Shellshock (BashBug)
POODLE (SSL v3)
Sandworm
Venom
Emerging Threats:Web-Based & Zero-Day Vulnerabilities
Zero Day Exploit: Venom Vulnerability
Announced yesterday
Likely affects millions of devices
Allows hackers to break into every CPU on a datacenter’s network by accessing all virtual machines.
Emerging Threats: Internet Of Things
All devices connect and interact via Internet
Mostly consumer technology and household appliances
Represents major threat to infrastructure
Countermeasures &Security Best Practices
Foster a “security culture” (rather than a compliance culture)
Monitor risk identified by internal/external assessments and testing
Begin to recognize security as its own business process/department
Countermeasures: Management
Create a governance process that ensures security incidents are escalated appropriately from IT and risk management personnel to Management and, eventually, to the Board
Ensure cybersecurity threats are considered as part of vendor management and due diligence
Countermeasures: Management
Increase frequency and scope of patching, system hardening, and vulnerability assessment
Improve detection and response controls through security information and event management (SIEM)
Countermeasures: Technology
More in-depth security awareness training and social engineering testing at all levels: staff, management, Board
Continually share information on cyber threats internally and with peer institutions
Increase efforts to educate customers
Countermeasures: Training
Question & Answer
Question & Answer
Nate GravelDirector – Information Security Practice
978-538-9055 ext. 129
W. Jackson SchultzSecurity Consultant – Information Security Practice
978-538-9055 ext. 131
Thank You!
Related Documents
