Cybersecurity - A Clear and Present Danger


Transcript of Cybersecurity - A Clear and Present Danger

Page 1: Cybersecurity - A Clear and Present Danger

6/4/2015


Cybersecurity - A Clear and Present Danger

Thomas J. DeMayo, CISSP, CISA, CIPP, CEH, CHFI, MCSE
Director, IT Audit and Consulting Services
[email protected]

Objectives
• Gain an understanding of current cyber security threats, such as ransomware, mobile device malware and electronic funds transfer (EFT) fraud.
• Visualize the "Dark Web" through an exploration of what it is and how it supports the cyber underground.
• Identify the Federal and state privacy laws that are applicable to your business.
• Leverage the disclosed techniques to perform a true cybersecurity risk assessment.
• Utilize the key control considerations discussed to strengthen your own cybersecurity defenses.
• Establish the framework for a Business Continuity/Disaster Recovery/Incident Response plan.

HFTP 2


The Many Faces of Cyber Fraud


Why Attack Hospitality?
• Why not? Hospitality companies have:
– Bank accounts
– Employee payroll
– Employee personal information
– Customer personal information
– EFT transaction capability
– Credit card processing


Cyber Fraud is Big Business
• Malware is specifically written to target your bank accounts and sensitive information:
– ZeuS
– SpyEye
• Malware is for sale on the web.
– Crime gangs hire rogue programmers to create new malware and modify existing malware so that it evades detection by antivirus software.

Cyber Fraud is Big Business
• The cyber underground has developed a business model of providing turnkey cyber crime solutions hosted by criminal organizations:
– Malware as a Service ("MaaS")
– Fraud as a Service ("FaaS")
– Attacks as a Service ("AaaS")


Cyber Fraud is Big Business: Electronic Fund Transfers ("EFTs")
• Commercial and consumer EFTs are protected differently under the law.
– Consumers are protected by the Electronic Fund Transfer Act (implemented by Regulation E).
• Consumers have up to 60 days to report fraudulent transactions.
– Commercial EFTs are governed by Uniform Commercial Code Article 4A.
• Businesses may have as little as two business days to report a fraudulent transaction, depending on whether it was an ACH debit or a wire transfer. Once that window closes the loss generally stays with the business, which is why daily reconciliation of EFT activity matters.

Banking Malware In Action (Ex 1)

The slide is a diagram; its figures are laid out here in order.

Initial balance: $5,000
User submits in the browser: Wire $500 to Acct # 12345, Bank: ABC
Bank actually receives (instruction rewritten in the browser): Wire $2,000 to Acct # 54321, Bank: XYZ
Bank confirms: Wired $2,000 to Acct # 54321, Bank: XYZ; Balance: $3,000
Infected browser displays: Wired $500 to Acct # 12345, Bank: ABC; Balance: $4,500
Final balance: $3,000

The injected code rewrites both the outgoing instruction and the confirmation page, so the user sees the transfer they intended while the bank executes the one the attacker substituted. The discrepancy only becomes visible from a source the malware does not control, such as a statement viewed on a clean machine.


Cyber Fraud is Big Business
[Screenshot: standard Bank of America login page from a non-infected machine]
[Screenshot: the same page from an infected machine (Part 1)]


Cyber Fraud is Big Business
[Screenshot: the same page scrolled down on the infected machine]
[Screenshot] Img Source - Trusteer


Web Layers
[Diagram of the layers of the web, from the surface web down to the Dark Web] Img source: http://securityaffairs.co/

Cyber Fraud is Big Business
[Screenshot] Img Source - Trusteer


Cyber Fraud is Big Business
[Screenshots] Img Source - Trusteer; Img Source - Krebs on Security


Cyber Fraud is Big Business
• How do such services exist on the internet without being shut down?
– The differing cyber laws in force (or altogether absent) in different countries, and their light enforcement in many states, have sustained the growth of cyber crime worldwide.


Cyber Extortion – A Closer Look
• Cyber extortion has been on the rise.
• Companies are being held to ransom with threats of:
– Holding data hostage: data may be encrypted and made unusable, placing the company in limbo. An EHR application can have all of its database contents encrypted.
– Releasing protected or personal data: threats may be made to expose employee SSNs or customer information on file.
– Denial of service: systems could be brought to a crawl or taken offline.


Cyber Extortion – A Closer Look (con't)
• Companies are being held to ransom with threats of:
– A ransomware variant that plants child pornography on your system and threatens to alert the authorities.


Mobile Device Malware - Why Worry?
• Mobile malware grew 614% from March 2012 to March 2013.


Mobile Device Malware - Why Worry?
• What have the attacks accomplished?
– Text messages intercepted and forwarded, specifically the one-time login codes that banks send by text
– Phone calls recorded; the microphone turned on to record conversations
– GPS location tracked remotely
– Text messages sent to premium services, increasing fees
– The phone or its components (camera, messaging, etc.) destroyed
Source: Webroot


Business Continuity/Disaster Recovery/Incident Response
• Look familiar? [Image]
• In a time of emergency, a hospitality company must have a business continuity and disaster recovery plan ("BCP/DR").
• The plan will be your script for recovery and your assurance that customer needs are met.


Business Continuity/Disaster Recovery/Incident Response
• Take a structured approach to the plan's development.
– Identify all your business processes and prioritize them.
– Determine how much data loss is acceptable (the recovery point objective) and how long each business process can be down (the recovery time objective).
– Identify the location of all sensitive information.
– Identify the people, processes and technology that support the business processes.
• TECHNOLOGY ALONE IS NOT THE SOLUTION
– Identify interdependencies.
– Create calling trees: internal, client and regulatory.
– Define your recovery strategies.
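The structured approach above, carried into a small check a practitioner can run over the inventory it produces. This is an added example, not material from the deck: the process names, RTO/RPO targets, restore times and backup intervals are constructed, and the two modelling assumptions (restore times add up along a dependency chain; a process cannot lose less data than the least frequently backed-up system it depends on) are stated in the code.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    rto_hours: float    # how long the business can tolerate this process being down
    rpo_hours: float    # how much data loss, measured in time, the business can tolerate
    depends_on: tuple = ()


@dataclass(frozen=True)
class Recovery:
    restore_hours: float           # time to rebuild the supporting system from backup
    backup_interval_hours: float   # how often its data is backed up


# Constructed inventory for a small hotel; names and figures are illustrative only.
PROCESSES = {
    "reservations": Process("reservations", rto_hours=4, rpo_hours=1, depends_on=("pms_db",)),
    "pms_db":       Process("pms_db",       rto_hours=4, rpo_hours=1, depends_on=("network",)),
    "network":      Process("network",      rto_hours=2, rpo_hours=24),
    "payroll":      Process("payroll",      rto_hours=48, rpo_hours=24, depends_on=("hr_system",)),
    "hr_system":    Process("hr_system",    rto_hours=48, rpo_hours=24),
}
RECOVERY = {
    "reservations": Recovery(restore_hours=1, backup_interval_hours=1),
    "pms_db":       Recovery(restore_hours=3, backup_interval_hours=24),
    "network":      Recovery(restore_hours=1, backup_interval_hours=24),
    "payroll":      Recovery(restore_hours=4, backup_interval_hours=24),
    "hr_system":    Recovery(restore_hours=8, backup_interval_hours=24),
}


def effective_rto(name, processes, recovery, _stack=()):
    """Achievable recovery time. Assumption: a system can only be restored once the
    systems it depends on are back, so restore times add up along the dependency chain."""
    if name in _stack:
        raise ValueError(f"dependency cycle through {name!r}")
    deps = processes[name].depends_on
    longest_dep = max((effective_rto(d, processes, recovery, _stack + (name,)) for d in deps),
                      default=0)
    return recovery[name].restore_hours + longest_dep


def effective_rpo(name, processes, recovery, _stack=()):
    """Achievable recovery point. Assumption: a process cannot lose less data than the
    least frequently backed-up system it relies on."""
    if name in _stack:
        raise ValueError(f"dependency cycle through {name!r}")
    deps = processes[name].depends_on
    worst_dep = max((effective_rpo(d, processes, recovery, _stack + (name,)) for d in deps),
                    default=0)
    return max(recovery[name].backup_interval_hours, worst_dep)


def gaps(processes, recovery):
    """Processes, in priority order (shortest tolerable outage first), whose targets the
    current backup and restore arrangements cannot meet."""
    found = []
    for p in sorted(processes.values(), key=lambda p: p.rto_hours):
        rto = effective_rto(p.name, processes, recovery)
        if rto > p.rto_hours:
            found.append((p.name, "RTO", p.rto_hours, rto))
        rpo = effective_rpo(p.name, processes, recovery)
        if rpo > p.rpo_hours:
            found.append((p.name, "RPO", p.rpo_hours, rpo))
    return found


if __name__ == "__main__":
    for name, metric, target, achievable in gaps(PROCESSES, RECOVERY):
        print(f"{name}: {metric} target {target}h, achievable {achievable}h")
```

The reservations process looks fine on its own (one hour to restore) and only fails once its dependency on the property-management database is counted; that is the interdependency step doing its work. The figures say nothing about whether a restore has ever been tested, which belongs under the recovery strategy.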


PCI-DSS vs. State Laws
[Map of the United States; legend: State PCI Law / Breach Notification Laws]


PCI-DSS vs. State Laws
• Approximately 47 states have enacted a statute requiring a company to notify state residents if the security of certain sensitive customer information is breached. This includes credit card information.
• Four states have codified PCI compliance into law (in whole or in part): Massachusetts, Nevada, Washington and Minnesota.
• Don't ignore state breach notification laws.
• In the event of a breach you have an obligation to comply with:
– the breach notification laws of the state(s) in which you operate; and
– in most cases, those of the state in which each affected guest resides.


Don't Ignore Massachusetts
• Massachusetts has some of the strictest information privacy and security laws in the country (201 CMR 17.00). In addition, the law extends to all entities that own, license, or store personal information on any resident of the state, regardless of where the business operates.
• Massachusetts privacy law requirements, key points:
– Duty to develop and implement a "comprehensive, written information security program applicable to any records containing" the personal information of Massachusetts residents
– Security system requirements for computer and wireless networks
– Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly


The Perfect Storm
[Image] Source: Activenetworks.com

How Do We Protect the Organization? • Strong IT Controls are CRITICAL!!
– Do not underestimate your cyber risk and exposure. SIZE DOES NOT MATTER!
– Do not assume that information security is an IT issue alone.
• IT security is a business issue that requires the assistance of a technical solution.


How Do We Protect the Organization? • Strong IT Controls are CRITICAL!!
– Ensure you have a resource that can effectively communicate the identified risks in understandable, business-related terms.
• In order to manage risk, you need to first understand it.
– Establish, or verify that you have, a strong IT security governance program.
– Vendor patches are up to date
– Antivirus is installed and active
– Password parameters are strong
– Network devices (switches and firewalls) are configured correctly
– Effective monitoring (operational and security)


How Do We Protect the Organization? • Strong IT Controls are CRITICAL!!
– Well-defined backup and disaster recovery strategy
– Perform due diligence on all third parties
• Vendor management and monitoring is critical.
• Vendors are a means to delegate a task. Responsibility always remains with the company and cannot be delegated.
– Have independent IT security assessments.
• Internal IT sometimes has difficulty seeing the forest for the trees.
• Security and Operations have different goals and skill sets.
• IT is one of the highest-risk areas in your organization, but also the least understood and controlled.


How Do We Protect the Organization? • Strong IT Controls are CRITICAL!!
– Provide routine security awareness training.
• Your employees are your biggest security investment.
• Good security standards follow the "90/10" rule:
• 10% of security safeguards are technical.
• 90% of security safeguards rely on the computer user (YOU!) to adhere to good computing practices.

Think of a lock on a door. The lock on the door is the 10%. Remembering to make sure the door is closed, the lock engaged, and keeping control of the keys is the 90%.

10% security is worthless without YOU!

How Do We Protect the Organization?
• EFT Fraud Protections:
– Dedicate a computer to online banking (no e-mail or general web browsing on it)
– Segregate EFT functions between initiator and approver
– Establish ACH debit filters or blocks
– Dedicate clearing accounts using "just-in-time" deposits
– Reconcile EFT transactions daily
– Establish restrictive dollar transfer limits
– Use multifactor authentication
– Require additional "out-of-band" authorization or notification of transfers (call back, text message, etc.)
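The tampering shown on slide 8 ("Banking Malware In Action") and three of the EFT fraud protections listed above, as an added example that is not part of the original deck. The dollar figures and account numbers are the slide's; the session logic, the control parameters (the $1,000 per-transfer limit, the user names) and the company's transaction log are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Wire:
    amount: int       # whole dollars
    account: str
    bank: str


# Figures from slide 8; everything else in this block is constructed.
INITIAL_BALANCE = 5000
USER_WIRE = Wire(500, "12345", "ABC")    # what the employee typed into the browser
MULE_WIRE = Wire(2000, "54321", "XYZ")   # what the trojan substituted in transit


@dataclass
class BankAccount:
    balance: int
    statement: list = field(default_factory=list)   # what the bank actually executed

    def execute(self, wire: Wire) -> int:
        self.balance -= wire.amount
        self.statement.append(wire)
        return self.balance


def infected_session(user_wire: Wire, bank: BankAccount) -> dict:
    """Man-in-the-browser: the instruction is rewritten after the user clicks Send,
    and the confirmation page is rewritten back so the user sees what they expected."""
    before = bank.balance
    real_balance = bank.execute(MULE_WIRE)        # the bank only ever sees the mule wire
    shown_balance = before - user_wire.amount     # injected script patches the page
    return {"shown_wire": user_wire, "shown_balance": shown_balance,
            "real_wire": MULE_WIRE, "real_balance": real_balance}


def out_of_band_matches(intended: Wire, received: Wire) -> bool:
    """Control: the bank reads back amount and beneficiary of the instruction it actually
    received over a second channel (call back, text) and the approver compares it with
    what was intended. The browser looks fine; this comparison does not."""
    return intended == received


def dual_control_ok(wire: Wire, initiator: str, approver: str, limit: int) -> bool:
    """Control: initiator and approver are different people, and the amount is within
    the per-transfer limit agreed with the bank."""
    return initiator != approver and wire.amount <= limit


def unreconciled(company_log: list, statement: list) -> list:
    """Control: daily reconciliation of the company's own record of initiated transfers
    against the statement pulled from a clean, dedicated machine. Returns the transfers
    the bank executed that nobody in the company initiated."""
    expected = Counter(company_log)
    extra = []
    for wire in statement:
        if expected[wire] > 0:
            expected[wire] -= 1
        else:
            extra.append(wire)
    return extra


def demo() -> dict:
    bank = BankAccount(INITIAL_BALANCE)
    view = infected_session(USER_WIRE, bank)
    return {
        "browser_says": (view["shown_wire"], view["shown_balance"]),            # $500, $4,500
        "bank_says": (view["real_wire"], view["real_balance"]),                 # $2,000, $3,000
        "out_of_band": out_of_band_matches(USER_WIRE, bank.statement[-1]),      # False
        "dual_control": dual_control_ok(bank.statement[-1], "clerk", "controller", 1000),  # False
        "unreconciled": unreconciled([USER_WIRE], bank.statement),              # [MULE_WIRE]
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The browser-side numbers ($500 sent, $4,500 left) disagree with the bank's ($2,000 sent, $3,000 left), and each control flags the substituted wire on its own, which is the reason for layering them. The out-of-band check only helps if the read-back carries the beneficiary the bank actually received and arrives on a channel the malware does not control; a text message to a phone running the SMS-forwarding malware described on the mobile malware slides satisfies neither condition.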

How Do You Protect Your Organization?
• Mobile device protections:
– Have a documented and defined mobile device policy.
– Require that phones be password protected, and enforce this through a system control (e.g. mobile device management) rather than the honor system.
– Ensure your organization has the ability to remotely wipe a device should it be lost or stolen.
– Encrypt the device's local storage.
– Prevent the download of third-party apps.
– Require that mobile devices be kept up to date with security patches.
– Require that phones lock, and require password re-entry, after an idle period.


Questions?

Contact Information

Tom DeMayo, Director ([email protected]) 646-449-6353

15 Essex Road, Paramus, NJ 07652, 201.712.9800
555 Hudson Valley Avenue, New Windsor, NY 12553, 845.220.2400
500 Mamaroneck Avenue, Harrison, NY 10528, 914.381.8900
665 Fifth Avenue, New York, NY 10022, 212.286.2600
3001 Summer Street, 5th Floor East, Stamford, CT 06902, 203.323.2400
100 Great Meadow Rd, Wethersfield, CT 06109, 860.257.1870
20 Commerce Drive, Cranford, NJ 07016, 908.272.6200
7272 Wisconsin Avenue, Suite 340, Bethesda, MD 20814, 301.652.3464
www.odpkf.com