Risks and Trends in Network Security
Key IT Controls for Credit Unions
ACUIA Region 4 Meeting, April 2013
©2012 CliftonLarsonAllen LLP

Aug 05, 2020

Transcript
Page 1: Title slide. Risks and Trends in Network Security: Key IT Controls for Credit Unions. ACUIA Region 4 Meeting, April 2013.

Page 2: Our perspective…

• CliftonLarsonAllen
– Started in 1953 with a goal of total client service
– Today, industry-specialized CPA and advisory firm ranked in the top 10 in the U.S.
– Largest credit union service practice*

*Callahan and Associates 2011 Guide to Credit Union CPA Auditors.

CliftonLarsonAllen's credit union practice has recently grown to over 100 professionals including more than 20 principals. The group focuses on audit, assurance, consulting and advisory, information technology, and human resource management for credit unions across the country. (www.larsonallen.com news release)

Page 3: CliftonLarsonAllen – Randy Romes

• Randy Romes
– Professional Student
– Pizza Guy
– High School Science Teacher
– Hacker
– Dad

Page 4: Cub Scouts, IT Professionals, & Hackers

• Cub Scouts
– Be Prepared
– Camping Trip Preparation
– Road Trip!!!

Page 5: Cub Scouts, IT Professionals, & Hackers

• Cub Scouts
– Camp Tomahawk
– Daily Routine
– Business as Usual…

Page 6: Cub Scouts, IT Professionals, & Hackers

• Cub Scouts
– Monday Morning…
– NOT Business as usual…

(Camp map: Parking, Ecology Camp Sites, Main Lodge)

Page 7: Presentation overview

• Emerging & Continuing Trends
– Industry Security Reports
– 14 Years of Information Security Audit, Assurance, and Incident Response

• Strategies and Key Controls

Page 8: Definition of a Secure System

"A secure system is one we can depend on to behave as we expect."
Source: "Web Security and Commerce" by Simson Garfinkel with Gene Spafford

(Diagram: People, Rules, Tools)

• Confidentiality
• Integrity
• Availability

Page 9: Three Reasons Why We Should Care

• Regulatory and industry requirements:
– NCUA/FFIEC/GLBA, PCI, State Laws (this list is not getting smaller…)

• Contractual compliance
– More and more partners and vendors…
– A recent example from "Regulatory Compliance Audit"

• It's a good idea
– Breach Listings
– https://www.privacyrights.org/data-breach

Page 10: "Three" Security Reports

• Trends: SANS 2009 Top Cyber Security Threats
– http://www.sans.org/top-cyber-security-risks/

• Intrusion Analysis: TrustWave (2010 and 2011)
– https://www.trustwave.com/whitePapers.php

• Intrusion Analysis: Verizon Business Services
– 2010 report
– http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf
– 2011 report
– http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf

Page 11: Trends – 2009 SANS Report

• SANS study: http://www.sans.org/top-cyber-security-risks/

• Client Side Attacks
– End user workstation (vulnerabilities)
  Unpatched Applications: Adobe, Java, Apple, etc…
  Phishing Attacks

• Website - application vulnerabilities
– External web sites
– Organization's web sites
  Password Attacks: FTP, SSH, Remote Access
  Application Vulnerabilities: SQL injection, PHP issues

Page 12: TrustWave – Intrusion Analysis Report 2011

(Charts: Methods of Entry; Methods of Propagation)

Page 13: TrustWave – Intrusion Analysis Report 2011

• Most of the compromised systems were managed by a third party…

Page 14: TrustWave – Intrusion Analysis Report

• Incident Response – Investigative Conclusions
• Window of Data Exposure

Once inside, attackers have very little reason to think they will be detected…

The bad guys are inside for 1 ½ YEARS before anyone knows!

Page 15: Verizon

• Report is analysis of intrusions investigated by Verizon and US Secret Service.

• KEY POINTS:
– Time from successful intrusion to compromise of data was days to weeks.
– Log files contained evidence of the intrusion attempt, success, and removal of data.
– Most successful intrusions were not considered highly difficult.

Page 16: Hackers, Fraudsters, and Victims 2010

• Opportunistic Attacks
• Targeted Attacks

Page 17: Hackers, Fraudsters, and Victims 2011

• Opportunistic Attacks
• Targeted Attacks

Page 18: Verizon 2010 and 2011

(Chart)

Page 19: Hackers and Fraudsters

• Objectives…
– Identity Theft and Account Hijacking
  ◊ Phishing, identity theft and fraudulent credit
  ◊ ACH fraud, Corporate Account Takeovers
– Targeted Attacks
  ◊ Internal access for privilege escalation
  ◊ Corporate/Government Espionage - Mass data theft
  ◊ Access to Intellectual Property (IP) or Financial Information
  ◊ Targeted "Corporate Account Take Over"
– System Access for "Processing Power"
  ◊ Bot Nets

Page 20: Phishing and ACH – Examples (Since Dec)

• Manufacturing Company ($348,000)
• Public School District ($110,000)
• Church ($29,000 and $32,000)
• Hospital ($150,000)
• Health Care Association ($1,088,000) – Dec 2011*

More on these in next session…

Page 21: "Emerging Areas" for Risk Management

• Social Engineering (later today…)
• Mobile Banking
• Bring Your Own Device
• Cloud Service Providers
– Virtualization
• Vendor Management

Page 22: Mobile Banking: Understanding the Risks (section title)

Page 23: Mobile Banking Basics

• Mobile Banking is here to stay…
• More people have (smart) phones than computers
• Mobile payments are here

Page 24: Mobile Banking Basics

• Different types of mobile banking
– SMS mobile banking
– Mobile web
– Mobile applications

Page 25: Vulnerabilities, Risks, & Controls

• Vulnerabilities and risks at each component
• Perform a risk assessment (Risk Assessment Heat map)
– Server Side Risks (Vendor Risks)
– Transmission Risks
– Mobile Device Risks
– Mobile App Risks
– End User Risks

Page 26: Vulnerabilities, Risks, & Controls

• Server Side Risks – Essentially the same as traditional Internet banking website risks
  ◊ Insecure coding practices
  ◊ Default credentials
  ◊ Patch/update maintenance
  ◊ Certificate issues

(Diagram: mobile devices connecting through the Credit Union Firewall. "This is essentially a web server for the mobile devices to connect to.")

Page 27: Vulnerabilities, Risks, & Controls

• Vendor Risks – Same risks as credit union – now outside of your direct control.
  ◊ Insecure coding practices
  ◊ Default credentials
  ◊ Patch/update maintenance
  ◊ Certificate issues

(Diagram: vendor-hosted mobile banking server connected over a dedicated link to the Credit Union Firewall and Credit Union Core System. "This is essentially a web server for the mobile devices to connect to." "Also need controls on the dedicated link…")

Page 28: Vulnerabilities, Risks, & Controls

• Transmission Risks
– Most mobile devices have always-on Internet connection
  ◊ Cellular (cell phone service provider)
  ◊ Wifi (802.11 – home, corporate, "public")
– Need encryption
– Common end user practices

Page 29: Vulnerabilities, Risks, & Controls

• Mobile Device Risks
– Multiple hardware platforms & multiple operating systems

Page 30: Mobile Banking Basics

• Mobile banking applications (i.e. "mobile apps")
– Various mobile app marketplaces
– iTunes/Apple App Store
– Android Market
– Verizon App Store
– BlackBerry App Store

Page 31: Vulnerabilities, Risks, & Controls

• Mobile App Risks
– Secure coding issues
– Installation of App
– Use and protection of credentials
– Storage of data
– Transmission of data
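Added example, not from the slides or from CliftonLarsonAllen: the "certificate issues" on page 26, the "need encryption" point on page 28 and the "transmission of data" risk on page 31 very often come down to how the client side is configured. In a code review of a mobile app or of the middleware that talks to the vendor's server, the pattern to look for is certificate verification switched off so the app "works" against a self-signed or expired certificate. The Python `ssl` code below puts that weak configuration next to the corrected one and adds a small audit function that reports what is wrong with a given context. The function names are the example's own, and Python 3.7 or later is assumed; nothing here connects to a network.

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The weak pattern: certificate validation switched off.

    Any network on the path (hotel Wi-Fi, a rogue access point) can then
    impersonate the banking server, because the client accepts any
    certificate at all, and the session is encrypted to the wrong party.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # accept anything, including self-signed
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected configuration.

    create_default_context() loads the platform CA store, requires a server
    certificate (CERT_REQUIRED) and checks it against the hostname; TLS 1.0
    and 1.1 are switched off explicitly so the result does not depend on the
    interpreter version's default.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the findings for a client context; an empty list means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 still negotiable (minimum_version below TLSv1_2)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or ["no findings"])
```

The same three questions (is the certificate verified, is the hostname checked, what protocol versions are allowed) apply whichever language the app is written in; when reviewing a vendor's app, ask for the equivalent settings in writing rather than assuming the platform default.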

Page 32: Vulnerabilities, Risks, & Controls

• End User Risks
– Lose the device
– Don't use passwords, or use "easy to guess passwords"
– Store passwords on the device
– Jail break the device
– Don't use security software
– Use/don't recognize insecure wireless networks
– Let their kids "use" the device

Page 33: Vendor Due Diligence and Management

• All of the above – applies to your vendor(s)
– Mobile banking application provider
– Mobile banking hosting provider
• Contracts with SLAs
• SSAE16 reviews
• Independent code review and testing

Page 34: Mobile Devices: "Bring Your Own Device" (BYOD) (section title)

Page 35: BYOD

• People, Rules, and Tools:
– Standards
– Data Classification
– Acceptable Use
– Incident Response
– Litigation Preparedness

Page 36: BYOD

• Controls and enterprise management of:
– Credentials
– Login/Screen Saver
– Encryption
– Monitoring
– Data Loss Prevention (DLP)
– Remote Locate and Wipe
– Segregation...

Page 37: Cloud Services: Benefits and Risks (section title)

Page 38: What is the Cloud?

• Is it a clever marketing term?
• Where is the cloud?

Page 39: What is the Cloud?

• The original "cloud computing": Mainframes

Page 40: What is the Cloud?

• The next generation: Thin Clients (Citrix, RDP, etc…)

Page 41: What is the Cloud?

• Today's cloud: Hosted service or process all the way to hosted infrastructure.

Page 42: What is the Cloud?

• Today's cloud: Hosted service or process all the way to hosted infrastructure. (Same text as page 41.)

Page 43: What is the Cloud?

• National Institute of Standards and Technology (NIST) definition of cloud computing published October 7, 2009:

"Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Page 44: Cloud Computing Service Models

• Software as a Service (SaaS)
– Capability to use the provider's applications that run on the cloud infrastructure.

• Platform as a Service (PaaS)
– Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider.

• Infrastructure as a Service (IaaS)
– Capability to provision processing, storage, networks and other fundamental computing resources that offer the customer the ability to deploy and run arbitrary software, which can include operating systems and applications.

Page 45: Cloud Computing Service Models

• The KEY takeaway for cloud architecture is that the lower down the stack the cloud service provider stops, the more capabilities and management the users are responsible for implementing and managing themselves.

Page 46: What does that mean?

• Cloud computing means an increased need for:
– Good policies
– Clear communication between the provider and the consumer of the services
– Ownership and governance of the relationship with the provider

Page 47: Cloud Computing Deployment Models

• Public cloud (commercial):
– Made available to the general public or a large industry group
– Owned by an organization that sells cloud services

• Community cloud:
– Shared by several organizations
– Supports a specific community that has a shared mission or interest
– May be managed by the organizations or a third party
– May reside on or off premise

Page 48: Cloud Computing Deployment Models cont.

• Hybrid cloud:
– Composed of two or more clouds (private, community or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)

• Private cloud:
– Operated solely for an organization
– May be managed by the organization or a third party
– May exist on or off premise

Page 49: Examples of Cloud Services

• Hosted applications
– Gmail
– Google Apps
– Hosted accounting
• On-line/cloud back up services and storage
• Hosted infrastructure
• Private Clouds

Page 50: Benefits

• Cost
• Administration
• DR/BCP
• Compliance

Page 51: Risks

• Vendor Risks
• Governance Risks
• Data Risks
• Who has your data?
• Where is your data?
• Who has access to your data?

Page 52: Examples in the news…

• Megaupload story: SANS NewsBites Vol. 14 Num. 29
http://www.wired.com/threatlevel/2012/04/megaupload-defense-hobbled/

• A Megaupload defense attorney maintains that the government has "cherry picked" data from servers to bolster its case against Megaupload, and to allow the destruction of the data now could potentially destroy evidence that would prove beneficial to the defense. The staggering volume of data, 25 petabytes, is currently being stored on servers at US hosting company Carpathia, but because Megaupload's assets are frozen, Carpathia is shouldering the US $9,000 daily cost of maintaining the data. A hearing on the matter is scheduled for Friday, April 13.

• Carpathia wants the judge to relieve it of the burden of the cost of maintaining the data; an Ohio businessman wants the data preserved because he has legitimate files stored on the servers and wants them returned; the Motion Picture Association of America (MPAA) wants the data preserved so they can be used in future copyright infringement lawsuits; and Carpathia and Megaupload have suggested a proposal wherein Megaupload would purchase the servers and bear the cost of maintaining the data, but the government so far has refused to unfreeze the company's assets.

Page 53: Examples closer to home…

• Recent conference
– Between sessions vendors describe their service offerings…
– Company X offers online, secure back up to the cloud
– Company X has grown "over 300%" in the last year
– Best of all, Company X now provides online, secure, cloud based back up for Company Y – one of the larger Core hosting company providers

Where does the outsourcing chain end?
How many FIs using Company Y know where their data is?

Page 54: Cloud Computing Controls

• The overall control domain is the same as an in-house IT environment; the challenge is to figure out who is doing what.
• Controls in the cloud computing environment may be provided by the consumer/company, the cloud service provider, or a separate 3rd party.
• SSAE 16 SOC2 report from service providers

Page 55: Evaluate the Control Environment

(Diagram)

Page 56: Things to do…

• Risk Assessment
• Cost benefit analysis
• Vendor due diligence
• Scrutinize contracts
• Ongoing vendor management
• Be rigorous about where your data is
• Understand vendors' responsibility and YOURS
• Remember basic security tenets

Page 57: Ten Things Every Credit Union Should Have

1. Strong Policies – Define what is expected
• Foundation for all that follows…

Page 58: Ten Things Every Credit Union Should Have

2. Defined user access roles and permissions
• Principle of minimum access and least privilege
• Most users should NOT have system administrator rights
• Don't forget your vendors
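Added example, not from the slides: one way to turn point 2 into a repeatable access review rather than a one-time clean-up. The Python below reads an account export (the CSV is constructed for the example and is not real data), flags members of administrative groups whose department is not one approved for an administrative role, and, for the vendor accounts the slide says not to forget, flags accounts with no expiry date or no logon in the last 90 days. The column names, group names, the approved-department set and the 90-day threshold are the example's own assumptions; adjust them to your directory and policy.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export (not real data): one row per account, groups separated by ';'.
ACCOUNT_EXPORT = """\
user,department,groups,account_type,last_logon,expires
jsmith,Lending,Domain Users,employee,2013-04-10,
rromes,IT,Domain Users;Domain Admins,employee,2013-04-11,
tbrown,Teller,Domain Users;Domain Admins,employee,2013-04-09,
corevendor_svc,Vendor,Domain Users;Remote Desktop Users,vendor,2012-10-01,
mbanking_vendor,Vendor,Domain Users;Domain Admins,vendor,2013-04-11,2013-06-30
"""

# Assumptions for the example; tune to your own directory and policy.
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
ADMIN_ROLE_DEPARTMENTS = {"IT"}     # the only departments whose role includes admin rights
VENDOR_DORMANT_DAYS = 90


def review_access(export_csv: str, today: date) -> list:
    """Return (user, finding) pairs for every account that breaks a rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        groups = {g.strip() for g in row["groups"].split(";") if g.strip()}
        admin_groups = sorted(groups & ADMIN_GROUPS)

        # Rule 1: administrator rights only where the role calls for them
        # (applies to employee and vendor accounts alike).
        if admin_groups and row["department"] not in ADMIN_ROLE_DEPARTMENTS:
            findings.append((row["user"], f"admin rights outside an approved role: {admin_groups}"))

        # Rules 2 and 3: vendor accounts must expire and must not sit idle.
        if row["account_type"] == "vendor":
            if not row["expires"]:
                findings.append((row["user"], "vendor account has no expiry date"))
            last_logon = datetime.strptime(row["last_logon"], "%Y-%m-%d").date()
            idle_days = (today - last_logon).days
            if idle_days > VENDOR_DORMANT_DAYS:
                findings.append((row["user"], f"vendor account idle for {idle_days} days"))
    return findings


def review_sample_export() -> list:
    """Run the review over the constructed export as of 2013-04-15."""
    return review_access(ACCOUNT_EXPORT, date(2013, 4, 15))


if __name__ == "__main__":
    for user, finding in review_sample_export():
        print(f"{user:16} {finding}")
```

Run against the sample, the teller with Domain Admins and the mobile banking vendor's admin account are reported under rule 1, and the core vendor's service account is reported twice: no expiry, and idle for 196 days. The output is the list an access-review meeting works from; the rules are deliberately few so that every finding is one someone has to explain or remove.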

Page 59: Ten Things Every Credit Union Should Have

3. Hardened internal systems (end points)
• Hardening checklists
• Turn off unneeded services (minimize attack surface)
• Change (vendor) default passwords

Page 60: Ten Things Every Credit Union Should Have

4. Encryption strategy (variety of state laws…)
• Email
• Laptops, desktops, email-enabled cell phones
• Thumb drives/Mobile media
• Data at rest?

Page 61: Ten Things Every Credit Union Should Have

5. Vulnerability management process
• Operating system patches
• Application patches
• SMS and Shavlik
• Testing to validate effectiveness – find and address the exceptions

Page 62: Ten Things Every Credit Union Should Have

6. Well defined perimeter security layers:
• Network segments
• Email gateway/filter, firewall, and "Proxy" integration for traffic in AND out
• Intrusion Detection/Prevention for network traffic, Internet facing hosts, AND workstations (end points)

Ten Things Every Credit Union Should Have

7. Centralized audit logging, analysis, and automated alerting capabilities: Security Information and Event Management (SIEM)

• Routing infrastructure

• Network authentication

• Servers

• Applications

• Archiving vs. Reviewing
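
The difference between archiving logs and reviewing them is whether anything reads them and raises an alert. The Python script below is an added example, not from the slides or from CliftonLarsonAllen: it streams constructed network-authentication log lines (a hypothetical syslog-like format) and applies three simple SIEM-style rules with assumed thresholds: a burst of failed logons from one source, a successful logon from a source that just produced such a burst, and a successful logon outside business hours.

```python
"""Automated alerting over centralized authentication logs: review, do not
just archive.  Added example (not from the slides); the log lines, the line
format and the thresholds are all constructed for the example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

# Constructed sample log lines: "<timestamp> auth <FAIL|OK> user=<u> src=<ip>"
SAMPLE_LOG = """\
2013-04-10T09:01:05 auth FAIL user=jsmith src=10.20.1.15
2013-04-10T09:01:07 auth FAIL user=jsmith src=10.20.1.15
2013-04-10T09:01:09 auth FAIL user=admin src=10.20.1.15
2013-04-10T09:01:10 auth FAIL user=admin src=10.20.1.15
2013-04-10T09:01:12 auth FAIL user=admin src=10.20.1.15
2013-04-10T09:01:20 auth OK user=admin src=10.20.1.15
2013-04-10T09:30:00 auth OK user=mlee src=10.20.2.40
2013-04-10T10:15:44 auth FAIL user=mlee src=10.20.2.40
2013-04-10T23:40:02 auth OK user=svc_backup src=10.20.3.9
"""

FAIL_THRESHOLD = 5                 # this many failures from one source ...
WINDOW = timedelta(minutes=2)      # ... inside this window is a burst
BUSINESS_HOURS = (7, 19)           # assumed local hours; outside = off-hours


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into its fields."""
    ts, _, result, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "result": result,
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}


def alerts_for(log_text: str) -> List[str]:
    """Single pass over the log with a sliding window of failures per source."""
    out: List[str] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # src -> failure times
    burst_sources: Set[str] = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > WINDOW:      # age out old failures
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) == FAIL_THRESHOLD:          # alert once per burst
                burst_sources.add(ev["src"])
                out.append(f"BURST {ev['src']}: {FAIL_THRESHOLD} failures within {WINDOW}")
        else:                                      # successful logon
            if ev["src"] in burst_sources:
                out.append(f"SUCCESS-AFTER-BURST {ev['src']} user={ev['user']} at {ev['ts']}")
                burst_sources.discard(ev["src"])
            if not BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]:
                out.append(f"OFF-HOURS logon user={ev['user']} src={ev['src']} at {ev['ts']}")
    return out


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LOG):
        print(alert)
```

The rules are deliberately simple; the value is in the plumbing the slide asks for: every authentication source (domain controllers, VPN, core applications) feeding one place, and the alerts landing with someone who reviews them the same day rather than in an archive that is only opened after an incident.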

Ten Things Every Credit Union Should Have

8. Defined incident response plan and procedures

• Be prepared

• Documentation and procedures

• Including data leakage prevention and monitoring

• Incident Response testing, just like DR testing

• Forensic preparedness

Ten Things Every Credit Union Should Have

9. Validation that it all works the way you expect (remember the definition?)

• (IT) Audits

• Vulnerability Assessments

• Penetration Testing

• A combination of internal and external resources

• Pre-implementation and post-implementation

Ten Things Every Credit Union Should Have

10. Vendor Management

• The previous 9 topics should all be applied to your vendors/business partners

• Require vendor systems be at least as secure as your own…

• For managed services, require vendors to agree to operate up to your standards

– Vulnerability management

– Secure communication protocols

– Incident response capabilities

– Right to audit

• Understand your contracts and SLAs

Solutions – From SANS Report: 20 Critical Controls

• http://www.sans.org/critical-security-controls/

SANS “First Five”

1. Software whitelisting

2. Secure standard configurations

3. Application security patch installation within 48 hours

4. System security patch installation within 48 hours

5. Ensuring administrative privileges are not active while browsing the Internet or handling email
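
The 48-hour patch targets above and the earlier vulnerability-management bullet ("testing to validate effectiveness – find and address the exceptions") come together in one report: which hosts are missing a required patch beyond the SLA, which are covered by a documented exception, and where the patch tool's record disagrees with an independent validation scan. The Python script below is an added example, not from the slides or from CliftonLarsonAllen; the hosts, patch identifiers, timestamps and exception register are all constructed placeholders, and the 48-hour SLA is taken from the SANS bullets.

```python
"""Patch-compliance exception report: hosts missing a required patch beyond
the SLA, and hosts where the patch tool says "installed" but a validation scan
disagrees.  Added example (not from the slides); hosts, patch ids, timestamps
and the exception register are constructed placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

SLA = timedelta(hours=48)          # from the SANS "first five" bullets


@dataclass(frozen=True)
class Patch:
    patch_id: str
    kind: str                      # "os" or "app"
    released: datetime


# Constructed required-patch list (ids are placeholders, not real advisories).
REQUIRED = [
    Patch("OS-2013-001", "os", datetime(2013, 4, 8, 10, 0)),
    Patch("APP-2013-007", "app", datetime(2013, 4, 9, 18, 0)),
]

# What the patch-management tool reports as installed, per host (constructed).
TOOL_REPORT: Dict[str, Set[str]] = {
    "ws-101": {"OS-2013-001", "APP-2013-007"},
    "ws-102": {"OS-2013-001"},
    "srv-db1": {"OS-2013-001", "APP-2013-007"},
}

# Independent validation scan of the same hosts: the "testing" step (constructed).
SCAN_RESULT: Dict[str, Set[str]] = {
    "ws-101": {"OS-2013-001", "APP-2013-007"},
    "ws-102": {"OS-2013-001"},
    "srv-db1": {"OS-2013-001"},    # tool says installed, scan says missing
}

# Documented, time-boxed exceptions: (host, patch id) -> expiry (constructed).
EXCEPTIONS: Dict[Tuple[str, str], datetime] = {
    ("ws-102", "APP-2013-007"): datetime(2013, 4, 15, 0, 0),
}


def exception_report(now: datetime) -> List[str]:
    """Findings that need action as of `now`.  A missing patch inside the SLA
    is not a finding yet; an expired exception is treated as no exception."""
    findings: List[str] = []
    for host, installed in TOOL_REPORT.items():
        for p in REQUIRED:
            key = (host, p.patch_id)
            if key in EXCEPTIONS and EXCEPTIONS[key] > now:
                continue                                  # exception still in force
            overdue = now - p.released > SLA
            if p.patch_id not in installed:
                if overdue:
                    findings.append(f"OVERDUE {host} {p.patch_id} ({p.kind}) missing beyond 48h")
            elif p.patch_id not in SCAN_RESULT.get(host, set()):
                findings.append(f"MISMATCH {host} {p.patch_id}: tool reports installed, scan does not")
    return findings


if __name__ == "__main__":
    for line in exception_report(datetime(2013, 4, 16, 12, 0)):
        print(line)
```

The MISMATCH case is the one the slide's "testing to validate effectiveness" bullet is about: a tool that reports success is not evidence the patch took, so the report treats the scan as the source of truth and the tool's record as a claim to be checked. Exceptions carry an expiry so that a temporary business decision does not silently become permanent.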

Questions?

Thank you!

Randy Romes, CISSP, CRISC, MCP, PCI-QSA

Principal, Information Security Services

Randy.romes@cliftonlarsonallen.com

888.529.264

Slides are available here: http://www.larsonallen.com/Information_Security/

Presentations link/button on lower left.

Common Compliance Requirements

• Compliance Matrix Resources:

• http://net.educause.edu/ir/library/pdf/CSD5876.pdf

• http://www.infosec.co.uk/ExhibitorLibrary/277/Cross_Compliance_wp_20.pdf

Resources – Hardening Checklists

Hardening checklists from vendors

• CIS offers vendor-neutral hardening resources
http://www.cisecurity.org/

• Microsoft Security Checklists
http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
http://technet.microsoft.com/en-us/library/dd366061.aspx

Most of these will be from the “BIG” software and hardware providers

Resources

• Computer Security Institute:
http://www.gocsi.com/soceng.htm

• Methods of Hacking: Social Engineering – by Rick Nelson
http://www.isr.umd.edu/gemstone/infosec/ver2/papers/socialeng.html

• Computer Security Institute:
http://www.sptimes.com/2007/10/28/Business/Here_s_how_a_slick_la.shtml

Resources

• Bank Info Security Resource Center
http://ffiec.bankinfosecurity.com/

• FFIEC Authentication Guidance
http://www.ffiec.gov/press/pr062811.htm
http://www.ffiec.gov/pdf/authentication_guidance.pdf

PCI Standards

• Quarterly external vulnerability scan by an Approved Scanning Vendor (ASV)

• Quarterly test wireless network security

• Annual DSS Assessment (i.e. SAQ)

– By QSA if level 1

• Annual Penetration Test (not vulnerability scan)

– External

– Internal

– And…

https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

Resources – In the News

• Privacy Rights <dot> org
http://www.privacyrights.org/ar/ChronDataBreaches.htm

• Resource for State Laws
https://www.privacyrights.org/data-breach-FAQ#10

References

• Michigan Company sues bank
http://www.computerworld.com/s/article/9156558/Michigan_firm_sues_bank_over_theft_of_560_000_?taxonomyId=17
http://www.krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/#more-973

• Bank sues Texas company
http://www.bankinfosecurity.com/articles.php?art_id=2132

References to Specific State Laws

Are there state-specific breach listings?

Some states have state laws that require breaches to be reported to a centralized database. These states include Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia’s notification law only applies to electronic breaches affecting more than 1,000 residents).

However, a number of other states have some level of notification that has been made publicly available, primarily through Freedom of Information requests. These states include California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin.

State laws: http://www.privacyrights.org/data-breach#10

For details, see the Open Security Foundation Datalossdb website: http://datalossdb.org/primary_sources

http://www.privacyrights.org/ar/ChronDataBreaches.htm