Cybersecurity Landscape Threats to Banking Sector · iSPA Copyright © 2019. All Rights Reserved...

1iSPA Copyright © 2019. All Rights Reserved Governance І Risk І Compliance Proprietary & Confidentialwww.ispacyberpro.com

Cybersecurity Landscape – Threats to Banking SectorFortifying Financial Services: From the Cyber Threats October 25, 2019 Hotel Aloft, Chhaya Devi Complex, Thamel, Kathmandu

Sujit Christy CISA, CRISC, CISSP, Dip in Cyber Law, ISO 27001:2013 Lead Auditor

Director – Professional ServicesInformation Security Professional Associates Private Limited

Board Member, ISACA Sri Lanka Chapter, Sri LankaFounder, (ISC)2 Chennai Chapter, IndiaDirector – Layers-7 Seguro Consultoria Private LimitedVolunteer, Safe & Secure Online, (ISC)2 Foundation, USAPanel Member, (ISC)2 Scholarships, (ISC)2 Foundation, USAPast President, (ISC)2 Chennai Chapter, IndiaPast Secretary, (ISC)2 Chennai Chapter, IndiaPast Board Member, (ISC)2 Colombo Chapter, Sri Lanka


Computer Security

Network Security

Information Security

Cybersecurity

Security

Describe P

rote

ction o

f In

form

ation A

ssets

Confidentiality

Integrity

Availability

“the protection of

information assets by

addressing threats to

information processed,

stored and

transported by

internetworked

information systems’’


The current wave of

cybercrime largely unseen,

but the chances of being

successfully investigated

and prosecuted for a cyber

attack in the US are now

estimated at 0.05%. This

mirrors similar reports from

around the world. This is for

a crime type that is predicted

to be costing the global

economy $6 trillion by 2021

https://www.herjavecgroup.com/the-2019-official-annual-cybercrime-report/


Cyberattacks Rank

Source: Executive Opinion Survey 2015, World Economic Forum.

Note: The darker colour, the higher the concern.

Current Status: Target Countries

Latin America

Africa: Congo, Ghana, Ivory Coast, Cameroon and Equatorial Guinea, South Africa

South Asia


The Global Risks Landscape 2016

Source: Global Risks Perception Survey 2015

World Economic Forum..

Critical Information

Infrastructure Breakdown

Adverse consequences of

technological advances

Cyberattacks

Data fraud or theft


Nation StatesCorporations Cyber Terrorists

Cyber Criminals

Threat Actors

“Destructive Attacks” and “Attacks focused on theft & espionage”


Bad Actors Not Constrained by

• Jurisdictions

• Laws & Regulations

• Limits on sharing data

• Working inside or outside of an organization

• Priorities

• Legacy technology

• Skill sets and or training

• Lack of resources


Cybercrime Ecosystem: Everything Is for Sale


How the Underground Economy Works


Wire Fraud Tactics


Top 5 in Numbers

Leaked Credentials Leaked Documents Leaked Credit Cards

Malicious Apps Black Market


Most Common Attacks

Vulnerabilities in SS7 Malware ATM Attacks

Ransomware

Mobile BankingDDoSInsiders

Phishing


Malware

Trojan.AdLoad

• Open a backdoor

• Install Adware & Potentially Unwanted Programs

• Gather information about the affected system and send them to a

remote location e.g.: username and computer name

ATRPAS

Emotet

• Worm like capabilities

• Dropper of other banking Trojans or install additional malware

such as other banking Trojans,

• Act as a dumping ground for stolen information such as financial

credentials, usernames and passwords, and email addresses.


• Maersk ship docks somewhere in the world every 15 minutes

• Unloading between 10,000 to 20,000 containers

• 20% of World trade

• Only “a 20 per cent drop in volumes”

Attack it endured, cost it between $250m and $300m

Staff managed to revert to manual systems with

- "human resilience"


Hacking the Worldwide Banking System


ATM Attack Vectors

BRUTE FORCEREQUIRES SOMEHOW

GETTING PHYSICAL ACCESS TO THE VAULT. THE MOST

POPULAR METHODS BEING EXPLOSIVES.

OS LEVELOPERATING LEVEL ATTACKS

TAKE ADVANTAGE OF OS LEVEL CONFIG. SOFTWARE

VULNERABILITIES AND BYPASSING KIOSK MODE.

HARDWAREACCESS VIA SERVICE AREA OR DRILLING, BYPASSING OS AND

CONNECTING BLACKBOXDIRECTLY TO THE DISPENSER.

NETWORKMAKING THE USE OF

NETWORK. UNAUTHORIZED VPN CONNECTION, MALWARE,

VULNERABILITIES IN PROTOCOLS.


ATM Network based Attacks

Taiwan

US $2.5 Million

Cosmos Bank

US$ 13.5 million


ATM Skimming


Jackpotting


People Make Mistakes

Cybersecurity Threat #1:

The Inside Man (Or Woman)


• Simple mistakes

Falling for phishing attempts

Visiting malware - laden websites

Bringing compromised USB drives to work

Bringing compromised personal devices to work

Sharing User credentials with someone else

4% of people will click on any given phishing campaign

Source: 2018 Data Breach Investigations Report


Phishing Email


Investigation

• The pdf file was detected containing Stream Objects.

• The PDF contained injection malcode.


Attachment in Sandbox Environment:


vzturl.com/boy15

Password Compromising URL


Ransomware is the top variety of malicious software


Ransomware


All because ONE asset in a network lacks some key security measure used

to protect everything else


Uneven Cybersecurity Protections


Who Accepted the Risk?ISSUE #1

POS Upgrade

• Credit Card Data in the

clear between POS and

Register

ISSUE #2

Default Password

• User Account with

Global Administrative

Rights in System

Management Server

ISSUE #3

Notifications

• 3rd Party Security

Monitoring Team


Data Privacy


Uneven Cybersecurity Protections


Personal Data


Excessive Calls

Valid User Misuse & Abuse

Stolen Credentials

Bot Attacks

API Probing

API Specific DDOS

Irregular API Traffic

Web Application Vulnerabilities

Volumetric DDOS

BOT DETECT

WAF

API GATEWAY

CDN

Is you API Protected Adequately?


Image Source: www.dailynews.lk

DEFENSE

Failing


It’s time to act

Source: 2018 Data Breach Investigations Report


Where do we start?

Source: rtrsports.co.uk


The Three Lines of Defense

Ma

na

ge

me

nt C

on

tro

ls

Inte

rnal C

ontr

ol

Me

asu

res

Financial Control

Cybersecurity

Risk Management

Quality

Inspection

Compliance

Inte

rnal A

ud

it

Exte

rna

l Au

dit

Re

gu

lato

r

1st Line of Defense 2nd Line of Defense 3rd Line of Defense

Senior Management

Governing Body/Board/Audit Committee


THE

ADVERSARY

Terrorist

Foreign Intelligence Services

Lone Wolf

Organized Criminal Groups




MITIGATE

Vulnerability

Threat

Worm


Cybersecurity Framework


Cybersecurity Framework

Identify cybersecurity risks and vulnerabilities

Protect critical infrastructure asset

Detect the occurrence of a cyber event

Respond to a detected event

Recover from a cyber event


Key Functions of Compliance

Identify the risks that an organisation faces and advise on them

Design and implement controls to protect an organisation from

those risks

Monitor and report on the effectiveness of those controls in

the management of an organisations exposure to risks

Resolve compliance difficulties as they occur

Advise the business on rules and controls


Crisis/Incident Management

What to do if you suspect a breach?


Crisis/Incident Management


Communication


See Everything

Protect What Matters

And Find Risk

Before It Finds You!

Perceive that which cannot be seen with the eye

- Miyamoto Mushashi

51


…..until will meet again

Are you scrambling to meet a deadline?

Sujit Christy CISA, CRISC, CISSP, Dip in Cyber Law, ISO 27001:2013 Lead Auditor

Director – Professional ServicesInformation Security Professional Associates Private Limited

Board Member, ISACA Sri Lanka Chapter, Sri LankaFounder, (ISC)2 Chennai Chapter, IndiaDirector – Layers-7 Seguro Consultoria Private LimitedVolunteer, Safe & Secure Online, (ISC)2 Foundation, USAPanel Member, (ISC)2 Scholarships, (ISC)2 Foundation, USAPast President, (ISC)2 Chennai Chapter, IndiaPast Secretary, (ISC)2 Chennai Chapter, IndiaPast Board Member, (ISC)2 Colombo Chapter, Sri Lanka

Mobile: +94714808663e-mail: [email protected]: sujitchristyWeb: www.layers-7.com

Cybersecurity Landscape Threats to Banking Sector · iSPA Copyright © 2019. All Rights Reserved...

Documents

Transcript of Cybersecurity Landscape Threats to Banking Sector · iSPA Copyright © 2019. All Rights Reserved...