Cybersecurity - A Clear and Present Danger
6/4/2015
Cybersecurity: A Clear and Present Danger
Thomas J. DeMayo, CISSP, CISA, CIPP, CEH, CHFI, MCSE
Director, IT Audit and Consulting
[email protected]
Objectives
• Gain an understanding of current cyber security vulnerabilities, such as Ransomware, Mobile Devices and Electronic Fund Transfer Fraud.
• Visualize the “Dark Web” through an exploration of what it is and how it supports the cyber underground
• Identify the Federal and state privacy laws that are applicable to their business
• Leverage the disclosed techniques to perform a true cybersecurity risk assessment
• Utilize the key control considerations discussed in strengthening their own cybersecurity defenses.
• Establish the framework for Business Continuity/Disaster Recovery/Incident Response Plan
HFTP 2
The Many Faces of Cyber Fraud
Why Attack Hospitality?
• Why Not?
• Hospitality companies have:
– Bank accounts
– Employee payroll
– Employee personal information
– Customer personal information
– Perform EFT transactions
– Process credit card transactions
Cyber Fraud is Big Business
• Malware is specifically written to target your bank accounts and sensitive information
– ZeuS
– SpyEye
• Malware is for sale on the web
– Crime gangs are hiring rogue programmers to create new and modify existing malware to evade detection by anti-virus software
Cyber Fraud is Big Business
• The cyber underground has developed a business model of providing turnkey cyber crime solutions hosted by criminal organizations
– Malware as a Service (“MaaS”)
– Fraud as a Service (“FaaS”)
– Attacks as a Service (“AaaS”)
Cyber Fraud is Big Business
Electronic Fund Transfers (“EFTs”)
• Commercial and Consumer EFTs are protected differently under the law
– Consumers are protected by the Electronic Funds Transfer Act
• Consumers are allowed up to 60 days to report fraudulent transactions
– Commercial EFTs are regulated by the Uniform Commercial Code Article 4A
• Businesses are allowed up to two days to report the fraudulent transaction, depending on whether it was an ACH or Wire Transfer
Banking Malware In Action (Ex 1)
Initial Balance $5,000
Wire $2,000 to Acct # 54321, Bank: XYZ
Wire $500 to Acct # 12345, Bank: ABC
Wired $2,000 to Acct # 54321, Bank: XYZ, Balance: $3,000
Wired $500 to Acct # 12345, Bank: ABC, Balance: $4,500
Final Balance $3,000
Cyber Fraud is Big Business
Standard Bank of America Login from a NON infected Machine
Cyber Fraud is Big Business
Same page from an infected machine (Part 1)
Cyber Fraud is Big Business
Page Scrolled Down on Infected Machine
Cyber Fraud is Big Business
Img Source - Trusteer
Web Layers
Img source: http://securityaffairs.co/
Cyber Fraud is Big Business
Img Source - Trusteer
Cyber Fraud is Big Business
Img Source - Trusteer
Cyber Fraud is Big Business
Img Source - Trusteer
Img Source - Krebs on Security
Cyber Fraud is Big Business
Cyber Fraud is Big Business
• How do such services exist on the internet without being shut down?
– The different cyber laws in force (or downright absent) in different countries, and their light application in many states, have sustained the growth of cyber crime worldwide
Cyber Extortion – A Closer Look
• Cyber Extortion has been on the rise
• Companies are being held ransom at the risk of:
– Holding data hostage
• Data may be encrypted and made unusable, placing the company in limbo
• An EHR application can have all database contents encrypted
Cyber Extortion – A Closer Look (con’t)
• Companies are being held ransom at the risk of:
– Releasing protected or personal data
• Threats may be placed to expose employee SSNs or customer information on file
– Denial of service
• Systems could be brought to a crawl or taken offline.
Cyber Extortion – A Closer Look (con’t)
• Companies are being held ransom at the risk of:
– A ransomware variant placing child pornography on your system and threatening to alert the authorities
Cyber Extortion – A Closer Look (con’t)
Mobile Device Malware - Why Worry?
Mobile Malware grew 614% from March 2012 to March 2013
Mobile Device Malware - Why Worry?
Mobile Device Malware - Why Worry?
• What have the attacks accomplished?
– Text messages intercepted and forwarded - specifically when banks send text messages with one-time codes to log in
– Record phone calls - turn on microphone to record conversations
– Track GPS location remotely
– Send text messages to premium services, increasing fees
– Destroy the phone or components (Camera, Messaging, etc.)
Mobile Device Malware - Why Worry?
Source: Webroot
Business Continuity/Disaster Recovery/Incident Response
• Look Familiar?
Business Continuity/Disaster Recovery/Incident Response
• In a time of emergency, a Hospitality company must have a business continuity and disaster recovery plan (“BCP/DR”).
• The plan will be your script to recovery and assurance that your customer needs are met
Business Continuity/Disaster Recovery/Incident Response
• Take a structured approach to the plan’s development.
– Identify all your business processes and prioritize them
– Determine how much data loss is acceptable and how long these business processes can be down
– Identify the location of all sensitive information
– Identify the people, processes and technology that support the business processes
• TECHNOLOGY ALONE IS NOT THE SOLUTION
– Identify interdependencies
– Create calling trees
• Internal, client and regulatory.
– Define your recovery strategies
Business Continuity/Disaster Recovery/Incident Response
PCI-DSS vs. State Laws
PCI-DSS vs. State Laws
[Map legend: State PCI Law; Breach Notification Laws]
PCI-DSS vs. State Laws
• Approximately 47 states have enacted a statute requiring a company to notify state residents if the security of certain sensitive customer information is breached.
– This includes credit card information.
• Four states have codified PCI compliance into law (all or parts) – Massachusetts, Nevada, Washington, Minnesota.
• Don’t Ignore state breach notification laws.
PCI-DSS vs. State Laws
• In the event of a breach you have an obligation to also comply with:
– the state breach notification laws in which you operate; and
– in most cases, the state in which the affected guest resides.
Don’t Ignore Massachusetts
• Massachusetts has some of the strictest information privacy and security laws in the country. In addition,
– the law extends to all entities that own, license, or store personal information on any resident of the state regardless of the location of business operations
Don’t Ignore Massachusetts
• Massachusetts Privacy Law Requirements
Key points:
– Duty to develop and implement a “comprehensive, written information security program applicable to any records containing” the personal information of Massachusetts residents
– Security system requirements for computer and wireless networks
– Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly
The Perfect Storm
Source: Activenetworks.com
How Do We Protect the Organization?
• Strong IT Controls are CRITICAL!!
– Do not underestimate your cyber risk and exposure – SIZE DOES NOT MATTER!
– Do not assume that information security is an IT issue alone
• IT Security is a business issue that requires the assistance of a technical solution
How Do We Protect the Organization?
• Strong IT Controls are CRITICAL!!
– Ensure you have a resource that can effectively communicate the identified risks in understandable and business related terms
• In order to manage risk, you need to first understand it
– Establish or verify you have a strong IT security governance program
How Do We Protect the Organization?
• Strong IT Controls are CRITICAL!!
– Vendor patches are up to date
– Antivirus is installed and active
– Password parameters are strong
– Network devices (switches and firewalls) are configured correctly
– Effective monitoring (operational and security)
How Do We Protect the Organization?
• Strong IT Controls are CRITICAL!!
– Well defined backup and disaster recovery strategy
– Perform due diligence on all third parties
• Vendor management and monitoring is critical
• Vendors are a means to delegate a task. Responsibility will always remain with the company and cannot be delegated
How Do We Protect the Organization?
• Strong IT Controls are CRITICAL!!
– Have independent IT security assessments.
• Internal IT sometimes has difficulty seeing the “forest for the trees”
• Security and Operations have different goals and skill sets
• IT is one of the highest risk areas in your organization but also the least understood and controlled.
How Do We Protect the Organization?
• Strong IT Controls are CRITICAL!!
– Provide routine security awareness training
• Your employees are your biggest security investment
• Good Security Standards follow the "90/10" Rule:
• 10% of security safeguards are technical
• 90% of security safeguards rely on the computer user (YOU!) to adhere to good computing practices
Think of a lock on a door. The lock on the door is the 10%. Remembering to make sure the door is closed, the lock engaged, and keeping control of keys is the 90%.
10% security is worthless without YOU!
How Do We Protect the Organization?
• EFT Fraud Protections:
– Dedicate computers for online banking
– Segregate EFT functions between initiator and approver
– Establish ACH Debit Filters or Blocks
– Dedicate clearing accounts using “just-in-time” deposits
– Reconcile EFT Transactions daily
– Establish restrictive dollar transfer limits
How Do We Protect the Organization?
• EFT Fraud Protections:
– Use multifactor authentication
– Require additional “out-of-band” authorization or notifications of transfers (call back, text message, etc.)
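As an added example (not from the slides), a daily EFT reconciliation that combines several of the controls listed above: initiator/approver segregation, a restrictive dollar limit, and a comparison of the approved transfers against what the bank statement shows actually left the account. The sample data mirrors the "Banking Malware In Action (Ex 1)" slide; the $1,000 daily limit and the staff names are assumed.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Transfer:
    amount: Decimal
    account: str
    bank: str

@dataclass(frozen=True)
class Approval:
    transfer: Transfer
    initiator: str  # person who keyed the transfer in the banking portal
    approver: str   # second person who released it (dual control)

def reconcile(opening, closing, approvals, statement, limit):
    """Compare the day's approvals against the bank statement; return findings."""
    findings = []
    # Segregation of duties: the initiator must never be their own approver.
    for a in approvals:
        if a.initiator == a.approver:
            findings.append(f"segregation: {a.initiator} initiated and approved {a.transfer.amount} to acct {a.transfer.account}")
    approved = Counter(a.transfer for a in approvals)
    executed = Counter(statement)
    # Anything the bank executed without a matching approval is suspect.
    for t in (executed - approved).elements():
        findings.append(f"unapproved: {t.amount} to acct {t.account} at {t.bank}")
    # Approved transfers absent from the statement may have been replaced in transit.
    for t in (approved - executed).elements():
        findings.append(f"not executed: {t.amount} to acct {t.account} at {t.bank}")
    # Restrictive dollar limit applied to what actually left the account.
    for t in statement:
        if t.amount > limit:
            findings.append(f"over limit: {t.amount} to acct {t.account} exceeds {limit}")
    # The balance the bank reports must equal what the approved transfers predict.
    expected = opening - sum((a.transfer.amount for a in approvals), Decimal(0))
    if expected != closing:
        findings.append(f"balance: expected {expected}, bank reports {closing}")
    return findings

# Constructed sample mirroring the Ex 1 slide: staff approved $500 to acct 12345 at ABC,
# but the bank statement shows $2,000 sent to acct 54321 at XYZ and a $3,000 closing balance.
OPENING = Decimal("5000")
CLOSING = Decimal("3000")
DAILY_LIMIT = Decimal("1000")  # assumed policy value, not from the slides
APPROVALS = [Approval(Transfer(Decimal("500"), "12345", "ABC"), "clerk", "controller")]
STATEMENT = [Transfer(Decimal("2000"), "54321", "XYZ")]

def ex1_findings():
    return reconcile(OPENING, CLOSING, APPROVALS, STATEMENT, DAILY_LIMIT)
```

Run on the Ex 1 data the check raises four findings: the unapproved $2,000 wire, the approved $500 that never executed, the over-limit amount, and a $1,500 gap between the predicted and reported balance, none of which the infected browser would have shown the user.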
How Do You Protect Your Organization?
• Mobile Devices Protections:
– Have a documented and defined mobile device policy
– Require phones be password protected
• Enforce this via a system control and not the honor system
How Do You Protect Your Organization?
• Mobile Devices Protections:
– Ensure your organization has the ability to remotely wipe a device should it be lost or stolen
– Encrypt the local hard drive
– Prevent the download of third-party apps
How Do You Protect Your Organization?
• Mobile Devices Protections:
– Require that mobile devices be kept up to date with security patches
– Require that phones “lock” and require password re-entry after an idle period.
Questions?
Contact Information
15 Essex Road, Paramus, NJ 07652, 201.712.9800
555 Hudson Valley Avenue, New Windsor, NY 12553, 845.220.2400
500 Mamaroneck Avenue, Harrison, NY 10528, 914.381.8900
665 Fifth Avenue, New York, NY 10022, 212.286.2600
3001 Summer Street, 5th Floor East, Stamford, CT 06902, 203.323.2400
Tom DeMayo, Director ([email protected]) 646-449-6353
100 Great Meadow Rd, Wethersfield, CT 06109, 860.257.1870
20 Commerce Drive, Cranford, NJ 07016, 908.272.6200
7272 Wisconsin Avenue, Suite 340, Bethesda, MD 20814, 301.652.3464
www.odpkf.com