Cybersecurity Landscape Threats to Banking Sector · iSPA Copyright © 2019. All Rights Reserved...
iSPA Copyright © 2019. All Rights Reserved | Governance | Risk | Compliance | Proprietary & Confidential | www.ispacyberpro.com
Cybersecurity Landscape – Threats to Banking Sector
Fortifying Financial Services: From the Cyber Threats
October 25, 2019, Hotel Aloft, Chhaya Devi Complex, Thamel, Kathmandu
Sujit Christy CISA, CRISC, CISSP, Dip in Cyber Law, ISO 27001:2013 Lead Auditor
Director – Professional Services, Information Security Professional Associates Private Limited
Board Member, ISACA Sri Lanka Chapter, Sri Lanka
Founder, (ISC)2 Chennai Chapter, India
Director – Layers-7 Seguro Consultoria Private Limited
Volunteer, Safe & Secure Online, (ISC)2 Foundation, USA
Panel Member, (ISC)2 Scholarships, (ISC)2 Foundation, USA
Past President, (ISC)2 Chennai Chapter, India
Past Secretary, (ISC)2 Chennai Chapter, India
Past Board Member, (ISC)2 Colombo Chapter, Sri Lanka
Computer Security
Network Security
Information Security
Cybersecurity
Security
Describe Protection of Information Assets
Confidentiality
Integrity
Availability
“the protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems”
The current wave of cybercrime is largely unseen, but the chances of being successfully investigated and prosecuted for a cyber attack in the US are now estimated at 0.05%. This mirrors similar reports from around the world. This is for a crime type that is predicted to be costing the global economy $6 trillion by 2021.
Cyberattacks Rank
Source: Executive Opinion Survey 2015, World Economic Forum.
Note: The darker the colour, the higher the concern.
Current Status: Target Countries
Latin America
Africa: Congo, Ghana, Ivory Coast, Cameroon and Equatorial Guinea, South Africa
South Asia
The Global Risks Landscape 2016
Source: Global Risks Perception Survey 2015, World Economic Forum.
Critical Information
Infrastructure Breakdown
Adverse consequences of
technological advances
Cyberattacks
Data fraud or theft
Threat Actors
• Nation States
• Corporations
• Cyber Terrorists
• Cyber Criminals
“Destructive Attacks” and “Attacks focused on theft & espionage”
Bad Actors Not Constrained by
• Jurisdictions
• Laws & Regulations
• Limits on sharing data
• Working inside or outside of an organization
• Priorities
• Legacy technology
• Skill sets and/or training
• Lack of resources
Cybercrime Ecosystem: Everything Is for Sale
How the Underground Economy Works
Wire Fraud Tactics
Top 5 in Numbers
• Leaked Credentials
• Leaked Documents
• Leaked Credit Cards
• Malicious Apps
• Black Market
Most Common Attacks
• Vulnerabilities in SS7
• Malware
• ATM Attacks
• Ransomware
• Mobile Banking
• DDoS
• Insiders
• Phishing
Malware
Trojan.AdLoad
• Opens a backdoor
• Installs adware and potentially unwanted programs
• Gathers information about the affected system (e.g. username and computer name) and sends it to a remote location
ATRPAS
Emotet
• Worm-like capabilities
• Drops other banking Trojans or installs additional malware
• Acts as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses
• A Maersk ship docks somewhere in the world every 15 minutes
• Unloading between 10,000 and 20,000 containers
• 20% of world trade
• Only “a 20 per cent drop in volumes”
The attack it endured cost it between $250m and $300m.
Staff managed to revert to manual systems with “human resilience”.
Hacking the Worldwide Banking System
ATM Attack Vectors
• Brute force: requires somehow getting physical access to the vault, the most popular method being explosives.
• OS level: operating-system-level attacks take advantage of OS-level configuration and software vulnerabilities and bypass kiosk mode.
• Hardware: access via the service area or drilling, bypassing the OS and connecting a black box directly to the dispenser.
• Network: making use of the network: unauthorized VPN connection, malware, vulnerabilities in protocols.
ATM Network based Attacks
• Taiwan: US $2.5 million
• Cosmos Bank: US $13.5 million
ATM Skimming
Jackpotting
People Make Mistakes
Cybersecurity Threat #1:
The Inside Man (Or Woman)
• Simple mistakes
- Falling for phishing attempts
- Visiting malware-laden websites
- Bringing compromised USB drives to work
- Bringing compromised personal devices to work
- Sharing user credentials with someone else
4% of people will click on any given phishing campaign
Source: 2018 Data Breach Investigations Report
Phishing Email
Investigation
• The PDF file was found to contain stream objects.
• The PDF contained injected malicious code.
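The two investigation findings above (stream objects, injected code) are what a first-pass static triage of a mail attachment looks for before anything is detonated in a sandbox. The script below is an added example, not part of the slides or of any tool the speaker used: it counts objects, stream objects and the PDF name tokens that usually accompany malicious documents, and it resolves hex-escaped names (such as /J#61vaScript) so that a trivially obfuscated action is counted like a plain one. The two PDF byte strings are constructed for the example; the "script" stream is a comment stub. The name list and the escalation rule are this example's assumptions, not something the deck specifies.

```python
import re
from collections import Counter

# Standard PDF name tokens that commonly accompany malicious documents
# (pdfid-style triage). Assumed for this example; not taken from the slide.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA",
               "/Launch", "/EmbeddedFile", "/RichMedia")
AUTO_EXEC_NAMES = ("/OpenAction", "/AA")            # act without a click
PAYLOAD_NAMES = ("/JavaScript", "/JS", "/Launch",   # carry or launch code
                 "/EmbeddedFile", "/RichMedia")

HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name hex escapes so an obfuscated name such as
    /J#61vaScript is matched exactly like /JavaScript."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count indirect objects, stream objects and risky names in raw PDF
    bytes. Returns a plain dict so the result can be logged or shipped."""
    text = normalize_names(data)
    counts = Counter()
    counts["obj"] = len(re.findall(rb"\b\d+\s+\d+\s+obj\b", text))
    # Word boundaries keep 'endstream' from being counted as a second stream.
    counts["stream"] = len(re.findall(rb"\bstream\b", text))
    for name in RISKY_NAMES:
        # A name ends at the first non-regular character, so /JS must not
        # match a longer name and /AA must not match /AAA.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        counts[name] = len(re.findall(pattern, text))
    return dict(counts)


def is_suspicious(counts: dict) -> bool:
    """Escalation rule (assumed): any payload-bearing name is enough."""
    return any(counts.get(n, 0) > 0 for n in PAYLOAD_NAMES)


def auto_executes(counts: dict) -> bool:
    """True when the document carries an action that fires on open."""
    return any(counts.get(n, 0) > 0 for n in AUTO_EXEC_NAMES)


# Constructed sample: a minimal PDF whose catalog auto-runs a JavaScript
# action, with the action name hex-escaped. The stream body is a comment stub.
SAMPLE_MALICIOUS = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /S /J#61vaScript /JS 5 0 R >>
endobj
5 0 obj
<< /Length 30 >>
stream
// constructed stub, not code
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same document with no action and no script stream.
SAMPLE_CLEAN = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("clean", SAMPLE_CLEAN)):
        c = triage_pdf(blob)
        print(label, c, "SUSPICIOUS" if is_suspicious(c) else "ok",
              "auto-exec" if auto_executes(c) else "")
```

Counts are a triage signal, not a verdict: an auto-open action plus a script object is reason to route the attachment to the sandbox, while a clean count only says the document uses none of these features in plain sight.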
Attachment in Sandbox Environment:
Password-compromising URL: vzturl.com/boy15
Ransomware is the top variety of malicious software
Cybersecurity Threat #2:
Ransomware
All because ONE asset in a network lacks some key security measure used to protect everything else
Cybersecurity Threat #3:
Uneven Cybersecurity Protections
Who Accepted the Risk?
Issue #1: POS Upgrade
• Credit card data in the clear between POS and register
Issue #2: Default Password
• User account with global administrative rights in System Management Server
Issue #3: Notifications
• 3rd-party security monitoring team
Data Privacy
Cybersecurity Threat #4:
Uneven Cybersecurity Protections
Personal Data
Is your API Protected Adequately?
Threats:
• Excessive calls
• Valid user misuse & abuse
• Stolen credentials
• Bot attacks
• API probing
• API-specific DDoS
• Irregular API traffic
• Web application vulnerabilities
• Volumetric DDoS
Controls:
• Bot detection
• WAF
• API gateway
• CDN
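Two of the threats on the slide, excessive calls and API probing, can be caught at the gateway from access logs alone. The detector below is an added example, not code from the slides or from any product named on them: it keeps a sliding window of request timestamps per client to catch excessive calls, and a set of distinct paths that answered 401/403/404 per client to catch probing for undocumented endpoints. The log format, the client identifiers (RFC 5737 documentation addresses) and the thresholds are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed API gateway access lines in an assumed format:
#   <ISO-8601 timestamp> <client id> <method> <path> <status>
# Clients are placeholders: an app token id and two RFC 5737 documentation IPs.
SAMPLE_LOG = """\
2019-10-25T09:00:00 app-7f3a GET /v1/accounts/balance 200
2019-10-25T09:00:12 app-7f3a GET /v1/transactions 200
2019-10-25T09:00:40 app-7f3a POST /v1/transfers 201
2019-10-25T09:01:00 203.0.113.9 GET /v1/accounts/balance 200
2019-10-25T09:01:00 203.0.113.9 GET /v1/accounts/balance 200
2019-10-25T09:01:01 203.0.113.9 GET /v1/accounts/balance 200
2019-10-25T09:01:01 203.0.113.9 GET /v1/accounts/balance 200
2019-10-25T09:01:02 203.0.113.9 GET /v1/accounts/balance 200
2019-10-25T09:01:02 203.0.113.9 GET /v1/accounts/balance 200
2019-10-25T09:01:03 203.0.113.9 GET /v1/accounts/balance 200
2019-10-25T09:02:00 198.51.100.23 GET /v1/admin 401
2019-10-25T09:02:01 198.51.100.23 GET /v1/debug 404
2019-10-25T09:02:02 198.51.100.23 GET /v1/internal/export 404
2019-10-25T09:02:03 198.51.100.23 GET /.env 404
"""

RATE_LIMIT = 5        # requests allowed per client inside one window (assumed)
WINDOW_SECONDS = 10   # sliding window length (assumed)
PROBE_THRESHOLD = 4   # distinct erroring paths before a client is "probing" (assumed)
ERROR_STATUSES = {401, 403, 404}


def parse_line(line: str):
    """Split one constructed access line into typed fields."""
    ts, client, method, path, status = line.split()
    return datetime.fromisoformat(ts), client, method, path, int(status)


def analyse(lines):
    """Run both detectors over the lines in order. Each client is reported
    at most once per category so a noisy client cannot flood the alert feed."""
    windows = defaultdict(deque)     # client -> timestamps inside the window
    error_paths = defaultdict(set)   # client -> distinct paths that errored
    flagged = set()
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, client, method, path, status = parse_line(raw)
        window = windows[client]
        window.append(ts)
        # Drop timestamps that have aged out of the window.
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) > RATE_LIMIT and (client, "excessive_calls") not in flagged:
            flagged.add((client, "excessive_calls"))
            findings.append({"client": client, "category": "excessive_calls",
                             "detail": f"{len(window)} requests within "
                                       f"{WINDOW_SECONDS}s at {ts.isoformat()}"})
        if status in ERROR_STATUSES:
            error_paths[client].add(path)
            if (len(error_paths[client]) >= PROBE_THRESHOLD
                    and (client, "api_probing") not in flagged):
                flagged.add((client, "api_probing"))
                findings.append({"client": client, "category": "api_probing",
                                 "detail": "errors on " + ", ".join(sorted(error_paths[client]))})
    return findings


def categories_for(findings, client):
    """Sorted list of categories a client was flagged under."""
    return sorted(f["category"] for f in findings if f["client"] == client)


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"{f['client']:<15} {f['category']:<16} {f['detail']}")
```

The probing rule keys on distinct paths rather than raw error count so that a legitimate client retrying one broken endpoint is not mistaken for enumeration, and the rate rule uses a sliding window so a burst that straddles a clock boundary is still seen as one burst.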
Image Source: www.dailynews.lk
Defense Failing
It’s time to act
Source: 2018 Data Breach Investigations Report
Where do we start?
Source: rtrsports.co.uk
The Three Lines of Defense
Governing Body/Board/Audit Committee
Senior Management
1st Line of Defense: Management Controls; Internal Control Measures
2nd Line of Defense: Financial Control; Cybersecurity; Risk Management; Quality; Inspection; Compliance
3rd Line of Defense: Internal Audit
External Audit; Regulator
The Adversary
Terrorist
Foreign Intelligence Services
Lone Wolf
Organized Criminal Groups
Image Source: www.dailynews.lk
Image Source: www.dailynews.lk
MITIGATE
Vulnerability
Threat
Worm
Cybersecurity Framework
Cybersecurity Framework
Identify cybersecurity risks and vulnerabilities
Protect critical infrastructure asset
Detect the occurrence of a cyber event
Respond to a detected event
Recover from a cyber event
Key Functions of Compliance
Identify the risks that an organisation faces and advise on them
Design and implement controls to protect an organisation from those risks
Monitor and report on the effectiveness of those controls in the management of an organisation's exposure to risks
Resolve compliance difficulties as they occur
Advise the business on rules and controls
Crisis/Incident Management
What to do if you suspect a breach?
Crisis/Incident Management
Communication
See Everything
Protect What Matters
And Find Risk
Before It Finds You!
Perceive that which cannot be seen with the eye
- Miyamoto Musashi
...until we meet again
Are you scrambling to meet a deadline?
Sujit Christy CISA, CRISC, CISSP, Dip in Cyber Law, ISO 27001:2013 Lead Auditor
Director – Professional Services, Information Security Professional Associates Private Limited
Board Member, ISACA Sri Lanka Chapter, Sri Lanka
Founder, (ISC)2 Chennai Chapter, India
Director – Layers-7 Seguro Consultoria Private Limited
Volunteer, Safe & Secure Online, (ISC)2 Foundation, USA
Panel Member, (ISC)2 Scholarships, (ISC)2 Foundation, USA
Past President, (ISC)2 Chennai Chapter, India
Past Secretary, (ISC)2 Chennai Chapter, India
Past Board Member, (ISC)2 Colombo Chapter, Sri Lanka
Mobile: +94714808663 | e-mail: [email protected]: sujitchristy | Web: www.layers-7.com