
2009 CPE By The Sea Presentation Objectives - …conferences.tscpa.org/cpefamily/materials/Rick Murray - 2009 - Rick... · 2009 CPE By The Sea Presentation Objectives ... – FRB,


Rick Murray
Executive Vice President & Chief Financial Officer

Commerce Union Bank

2009 CPE By The Sea

Presentation Objectives
- To educate you about emerging information and technologies/related risks and how they are impacting accountants
- To provide you with the latest available information about IT Security threats and risks

© 2009 William R. Murray, MBA, CPA, CISA, CITP, AAP

- To help you develop a strategy for implementing and managing IT security and risk assessment processes within your firm or company
- To help you recognize and address new threats before they endanger your company
- To empower you to bolster overall security efforts through proactive risk management strategies

IT 2009 – What’s New?


Continuing IT Security Threat
- Many companies are spending as much as 10-20% of their IT budgets on security – lost resources
- Overall intrusion activities (hacking/cracking/viruses) resulted in $1 trillion in losses during 2008
- Internet fraud loss exceeded $265 million in 2008
- More than 285 million records compromised during 2008 – 4 times 2007 levels – January 2009 Heartland data breach (potentially 40 million debit/credit cards)
- Long term damage to business and consumer confidence may exceed direct dollar losses
- Electronic transaction and payments systems are complicating the situation

Sources: CNET, Yahoo

IT Security Threats Continue
[Chart: Growing Internet Security Threat, 1995-2010. Threat series (E-Mail Virus, Denial of Service, Hostile Remote Control, E-Mail Server Assault, Application Layer Assault) plotted against Company Ability To Respond.]
Are you caught in the gap?

Continuing Compliance Pressure
- Despite 2009 recession concerns, government emphasis upon compliance continues to grow
- Privacy
- Confidentiality
- Homeland Security
- Money Laundering
- Identity Theft – continued emphasis in 2009
- Federal, State and private regulatory agencies are contributing to the compliance workload
- FFIEC – Federal Financial Institution Examination Council – FRB, FDIC, OCC, OTS and NCUA
- FRB – Federal Reserve Board Reg. E, CC, D


Continuing Compliance Pressure
Federal, State and private regulatory agencies are contributing to the compliance workload
- 31 CFR 203 (taxes), 210 (Fed payments), 370 (ACH and Fed Securities)
- UCC Articles 3 (Commercial Paper), 4 (Items), 4A (EFT)
- GLB - Gramm-Leach-Bliley Act
- Fair Credit Reporting Act
- Check 21
- FACTA
- SOX
- BSA
- USA Patriot Act
- NACHA Operating Rules
What will the current Administration and Congress mandate next?

Emerging Technologies 2009…
Long Live the Universal Device!

Emerging Technologies 2009 – AICPA Top Ten Technologies List
- Information Security Management
- Privacy Management
- Secure Data Storage, Transmission & Exchange
- Business Process Improvement – Workflow and Process Exception Alerts
- Mobile and Remote Computing
- Training and Competency
- Identity & Access Management
- Improved Application and Data Integration
- Document, Content and Knowledge Management
- Electronic Data Retention Strategy


Honorable Mention 2009 – AICPA Top Ten Technologies List
- Business Continuity Management and Disaster Recovery Planning
- Conformance with Assurance and Compliance Standards
- Collaboration and Information Portals
- Business Intelligence
- Customer Relationship Management (CRM)
As usual, the lists are long on generalities and short on details…

How Will These Technologies Impact You?

Remote Deposit/Capture
What is it? Remote Deposit/Capture (RDC) moves check processing out to customer offices
What’s cool…
- Reduces processing costs for FIs
- Reduces costs for merchants
- Improves funds availability
- Facilitates paperless operations
What’s not…
- Risk of duplicate item scans
- Privacy concerns
- Heightened regulatory scrutiny (FFIEC January 2009)
Key players: Fidelity, Fiserv, ProfitStars, Goldleaf


Online Cash Management
What is it? Online Cash Management permits businesses to control their treasury management activities in house
What’s cool…
- Multiple services – ACH, wires, positive pay, stop payments, etc.
- Reduces costs for FIs, merchants
- Improves funds availability
- Improves disbursement control
What’s not…
- ACH origination management
- Potential reduction in internal controls
- Compliance concerns
Key players: Fidelity, Fiserv, Jack Henry

Universal Device (Smart Phone)
What is it? One mobile device to manage multiple work and personal functions
What’s cool…
- Single device – single interface
- Multiple functions out of the box (e.g. phone, media player, e-mail)
- Unlimited expansion (e.g. iPhone and RIM application stores)
- Facilitates mobile payments
What’s not…
- Risk of theft/loss
- Learning curve
- Carrier interoperability
Key players: Apple, RIM, Google, Verizon, AT&T

Mobile Broadband
What is it? Enables wireless broadband access anywhere, anytime
What’s cool…
- High speed Internet access similar to a typical LAN environment
- Works with a variety of devices, including laptops, netbooks, PDAs
- No need for WIFI access points
What’s not…
- Recurring monthly costs for data
- Limited range (although improving)
- Encryption concerns
- Carrier interoperability
Key players: Verizon, AT&T, Sprint, T-Mobile


Digital Television (HDTV)
What is it? High definition video and audio television presentation (up to 1080P)
What’s cool…
- High resolution facilitates digital conversion
- 16 x 9 format good for data displays
- Truly usable teleconferencing
- Rapidly falling costs
What’s not…
- Digital conversion – June 12, 2009
- Technology confusion (decreasing)
- Set up and support issues
- Content provider/support issues
Key players: Sony, Samsung, Vizio, DirecTV, Comcast

Virtualization
What is it? Operating multiple servers, storage units or applications within a virtual hardware environment
What’s cool…
- Reduced IT costs - large reduction in server hardware and software licenses
- Increasingly accepted by application providers
- Hardware independence
- Facilitates rapid BCP/DR responses
What’s not…
- Can provide false sense of security
- Requires complex BCP/DR planning
Key players: IBM, Cisco, VMware, Dell, Microsoft, Red Hat

Evolving Storage Technology
What is it? Continued growth in high capacity, high speed data storage devices
What’s cool…
- Solid state disk drives (SSDD) are becoming mainstream in 2009
- Cheap, reliable hard disk drives
- Flash memory standardization
- Blu-ray standardization
- Online storage/archival
What’s not…
- Online storage/archival costs
- Security concerns (online)
- Inconsistent data retention standards
Key players: Toshiba, Amazon, IBM, Seagate, Dell, Intel


Web 2.0 and Social Networking
Although initially designed for and targeted at younger people, Web 2.0 and Social Networking technologies are changing the way we do business
- Text messaging (SMS)
- Social sites (Facebook, My Space)
- Professional sites (LinkedIn)
- Instant Messaging (AOL, MSN)
- Video (YouTube)
- Web logs or Blogs (WordPress)
- Podcasts
- Chat technologies (technical support)
- Information feeds - RSS, Digg

Social Networking
What is it? Social networking sites are changing interaction and information sharing
What’s cool…
- Real-time interaction and sharing
- Global reach – multiple media sources
- Cross-generational communications
- Growing business uses - Facebook
- Professional uses - LinkedIn
What’s not…
- “Loose lips sink ships… or careers”
- Wasted productivity
- Privacy – fraudulent applications
- Heightened exposure to malware
Key players: Facebook, MySpace, LinkedIn, Flickr

Twitter
What is it? Twitter is a form of social network site that works through short messages
What’s cool…
- Real-time interaction via “Tweets”
- Global reach
- Easy to use “What are you doing?”
- Well suited for mobile devices (SMS)
What’s not…
- “Loose lips sink ships… or careers”
- Wasted productivity
- Privacy
- Can facilitate false rumors (swine flu)
- Few defined business uses – yet…


Google Applications
What is it? Google has evolved far beyond its world class search engine
What’s cool…
- Google is offering an increasing array of web apps, e.g. Picasa, G-Mail, Google Earth, Google Checkout, Alerts
- Google apps are browser independent
- Android phone OS
- Google Labs – watch the future unfold
- Most apps are free
What’s not…
- Privacy concerns (Checkout, Profiles)
- Web dependence

Microsoft Vista
What is it? Microsoft’s current desktop operating system (32-bit and 64-bit variants)
What’s cool…
- Enhanced graphics – Aero interface
- Improved security features (UAC)
- Enhanced RAM access
- Improved multitasking capabilities
What’s not…
- Resource hog – although partially mitigated by 64-bit version
- 64-bit Vista incompatible with many applications/devices (e.g. banks)
- Poor performance (mitigated by new hardware)

Microsoft Windows 7
What is it? Microsoft’s next desktop operating system – likely late 09/early 10 release
What’s cool…
- Best Vista features that work
- Improved security features (UAC)
- Enhanced, Mac-like interface
- Will run existing Vista HW/SW as is
- Windows XP emulation mode
- Enhanced built-in apps
- Customizable system tray
What’s not…
- No direct Windows XP to Win 7 path
- Business reluctance after Vista


Netbook Computers
What is it? Ultra small notebook computers designed for mobile web use
What’s cool…
- Lightweight, capable PCs (Intel Atom)
- Enhanced power management
- Windows XP, Linux (Win 7 coming)
- Many offer SSDDs – some HDDs
- Inexpensive ($200 and up)
What’s not…
- No optical drives, limited RAM
- Restricted expansion capability
- Small screens, smaller keyboards
- Low cost laptops - “bang for the buck”
Key players: Dell, Acer, HP, Lenovo

Internet Explorer 8
What is it? Microsoft’s latest web browser
What’s cool…
- Faster and more stable than IE 7
- More secure (better malware defense)
- InPrivate browsing
- Accelerators permit faster data access
- IE 7 compatibility mode
- Web Slices will automate data updates
- Crash recovery – recover open sites
What’s not…
- Sporadic upgrade issues (Vista Ultimate)
- Competitive browsers (e.g. Firefox)
- InPrivate business issues

Coming Attractions
- Microsoft - Office 2010, Exchange 2010
- Subscription-based Applications
- USB 3.0 (5 Gbps)
- Broadband Bluetooth
- Wireless 802.11N (up to 300 Mbps)
- Dual screen notebooks (e.g. Lenovo W700)
- Secure flash drives (IronKey)
- Electronic paper
- Network access control (SSO on steroids)
- Practical encryption
- New web portals (e.g. BillShrink, Knowx)


Where Do We Go From Here?

Time For A Reality Check…
- Do you know how personnel are using the Internet (time spent, sites visited, social networking, etc.)?
- Are you taking steps to deter Identity Theft?
- How dependent are you upon the Internet?
- Are employees alert for Phishing/SE scams?
- Is your web site secure (e.g. URL obfuscation)?
- Are your remote access processes secure?
- Is your network secured (patched) and monitored?
- Are your IT policies and procedures up-to-date?
- Have you conducted a recent business impact analysis and risk assessment?
- Is your BCP/DR plan current? Has it been tested?
- Do you have an incident response strategy?
- Are confidential company and customer records secure (e.g. GLB, SOX, various privacy acts)?
- Is your company e-mail secure (e.g. encrypted)?
- Are your Malware/Spyware defenses up-to-date?
- Are you prepared to deal with the risks presented by high capacity portable computing devices (e.g. flash memory drives, iPods, iPhones)?
- Are your external trading partners secure (e.g. payment systems, payroll providers)?
- Have you evaluated the risks posed by emerging information technologies?


Security Issues And Risks 2009
- Malware
- Spyware
- Scareware
- Identity Theft
- Phishing
- Spam
- Disaster Preparedness and Business Continuity Planning

Malicious Code (Malware)
- Viruses
- Trojans
- Worms
- Spyware
- Browser Hijackers
- Denial of Service
- Hacking tools
- Pop-Ups
Is your firm NEXT?

Malware – How Do We Get It?
- Web browsing – particularly social networking sites – e.g. Facebook (over 200 million users), MySpace (over 150 million users)
- Remote access
- Online file sharing (Peer-to-Peer networks – e.g. BitTorrent) – Note: litigation has reduced (but not eliminated) this problem
- Media (e.g. disks, CD/DVD-ROMs, Flash keys)
- E-mail (attachments)
- Adware and Spyware programs
- Instant Messenger/chat programs


Spyware
- Software that captures information and transmits it to unauthorized (and usually unknown) external parties (including confidential Internet Banking and online account credentials) – increased risk of Identity Theft (robots, zombies)
- Some Spyware applications take control of Internet browsers (e.g. Browser Hijackers)
- Spyware applications cause significant degradation in performance
- Recent examples – Conficker worm set to activate 4/1/09

Scareware
- One of the latest malware variants is commonly known as “Scareware”
- Scareware tricks users into downloading software onto their computers by telling them that “a virus has been detected”
- Typical forms – fake A/V programs, registry cleaners
- Examples of fraudulent software – Spyware Cleaner, Registry Cleaner XP, WinFixer, WinAntivirus, DriveCleaner, ErrorSafe
- Examples of dangerous scareware – SpySheriff

Identity Theft
- Identity Theft is a fast rising crime
- FACTA (26 “Red Flag” Rules)
- Identity Theft occurs from a variety of sources
  - User Manipulation (“Social Engineering”)
  - Interception of discarded equipment and trash (“Dumpster Diving”)
  - Network Attacks (e.g. data stolen from file servers)
  - Media Loss/Theft (e.g. backup tapes, disk)
  - Internet Attacks
- Risk rising due to Universal devices/Smartphones

Phishing
- Phishing – attempts to obtain confidential information from users by tricking them into responding to bogus requests – of particular concern to e-commerce vendors (Passwords, PINs)
- Regions Bank, Bank of America, SunTrust, Capital One – requests updated customer account information due to security threat
- eBay/PayPal scams – requests updated credit card information due to account having been compromised
- “Republic of the Congo” or Nigerian 411 scams – requests money to be wired to assist in a get rich money-laundering scheme
- Some scams are easy to spot (misspellings, inaccurate information, moronic subject matters), but “Phishers” are getting more sophisticated (e.g. recent bank scams)

Phishing
- Phishing scams are growing in complexity – the loss potential is enormous – approximately 40% increase during 2008
- Phishing uses several techniques, including
  - Mass e-mails
  - Targeted e-mails (“Spear Phishing”)
  - Disguised web pages
  - Pop Ups or Page Concealment techniques
  - URL confusion (address bar URL differs from address shown at bottom of browser)
  - Hacking – e.g. using hidden scripts on web pages to force page redirection and/or to capture information
  - Pharming identifies potential lists that can be targeted for subsequent phishing attempts
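The “URL confusion” technique above (the address a link really goes to differs from the address the reader is shown) can be checked mechanically before a user clicks. The script below is an added example and not part of the original slides: it parses the links in an HTML message and flags those whose visible text names one host while the href goes to another, those that hide a fake host name before an “@” sign, and those that point at a bare IP address. The sample message, the host names (reserved .example/.test names) and the 203.0.113.7 address are constructed for the example.

```python
"""Flag "URL confusion" links in an HTML message.

Added example, not from the original slides. The message below is
constructed for the example; hosts use reserved .example/.test names and
the 203.0.113.0/24 documentation range.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A host-like token in visible link text, e.g. "www.bank.example" in
# "https://www.bank.example/secure"; the optional scheme is not captured.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return (href, text, reason) for each link whose real destination
    does not match what the reader is shown."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href if "://" in href else "http://" + href)
        real_host = (parts.hostname or "").lower()
        claimed = HOST_RE.search(text)
        if claimed and claimed.group(1).lower() != real_host:
            reason = "text shows %s but link goes to %s" % (claimed.group(1), real_host)
        elif "@" in parts.netloc:
            # user-info trick: the browser ignores everything before the '@'
            reason = "fake host before '@', real host is %s" % real_host
        elif IPV4_RE.fullmatch(real_host):
            reason = "bare IP address as host"
        else:
            continue
        findings.append((href, text, reason))
    return findings


# Constructed sample message: one clean link and three that should be flagged.
SAMPLE_MESSAGE = """\
<p>Dear customer, please <a href="http://203.0.113.7/login">verify your account</a>.</p>
<p>Or sign in at <a href="http://www.bank-example.test/secure">https://www.bank.example/secure</a></p>
<p>Help: <a href="https://www.bank.example/help">www.bank.example/help</a></p>
<p>Update: <a href="http://www.bank.example@evil.example/">click here</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_MESSAGE):
        print("%-45s %-35s %s" % (href, text, reason))
```

Run on the sample, three of the four links are reported; the “Help” link passes because the host in its text and the host in its href agree. A mail gateway can apply the same comparison to every inbound message and quarantine or annotate hits, which covers the case the slide warns about without relying on the recipient to read the status bar.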

Phishing – Password – 2009
(chart; Source: Anti-Phishing Working Group 2009)

Phishing Reports – Late 2008
(chart; Source: Anti-Phishing Working Group 2009)

Phishing – Most Targeted – 2009
(chart; Source: Anti-Phishing Working Group 2009)
Note the shift toward payment services!

Phishing – Rise of “Scareware”
(chart; Source: Anti-Phishing Working Group 2009)

Spam
- Spam involves sending/receiving unsolicited e-mail
- Excessive receipt of spam messages can cripple company e-mail systems
  - Heavy message volume robs server and telecom resources (similar to junk faxes, only worse)
  - Traveling users with dial-up access are particularly inconvenienced due to bandwidth clogging
  - Important messages may be ignored and/or deleted in overused inboxes (potential regulatory/legal issues)
  - Users may become desensitized to opening messages, thereby opening the door for malicious code assaults
  - Potential legal risks (e.g. sexual harassment)
- Companies who send out Spam can be blacklisted by Internet Service Providers

Continuity Planning
- Recent experiences with local and regional disasters have challenged company continuity plans (e.g. March 2009 Middle Tennessee tornados, Texas hurricane impacts)
- Along with the potential loss of facilities and equipment, companies must be prepared to deal with data loss/ID theft problems that could rapidly escalate to disaster level (e.g. debit card breaches)
- Statistics repeatedly show that most companies who experience a major data disaster go out of business within 24 months
- Can you recover your client records in the event of fire, weather or intentional destruction?

IT Risk Management Solutions
- Risk Management Planning
- Business Impact Analysis
- Risk Assessment
- Business Continuity Planning
- Policies and Procedures
- Authentication
- Perimeter Defense
- Vulnerability Assessment
- Malicious Code
- Identity Theft
- Internal Control Solutions

IT Risk Management Process
Security planning is a methodical process which repeatedly recycles throughout the firm’s life cycle:
1. Security Policy
2. Risk Assessment
3. Select Security Measures
4. Plan Deployment
5. Training
6. Implement Security Measures
7. Operate/Maintain Security Measures
8. Audit Security (Internal, External)
9. Evaluate Effectiveness
10. Incorporate Enhancements (and the cycle returns to Security Policy)
It must be driven by management and board of directors

IT Risk Management Process
- Risk management process should be balanced – protection weighed against information availability, integrity and confidentiality
(diagram: IT Security balanced among the three corners Availability, Integrity and Confidentiality)

IT Risk Management Steps
- Adopt an IT Governance model
- Conduct a Business Impact Analysis/Risk Assessment
- Develop IT Security Policies, Standards and Procedures
- Develop a Business Continuity Plan
- Training
- Test and Audit
- Repeat the process

BIA/RA Factors To Consider
- Loss of critical records
- Added external expenses
- Added internal personnel expenses during the incident and recovery periods (e.g. absenteeism during a pandemic)
- Loss of revenue (cash flow) due to damaged/closed facilities
- Reduction in customer service levels (potential lost customers)
- Facilities repair and/or replacement costs
- Repair/replacement costs
- Loss of reputation
- Impact upon employees – the “Human Element”
- Insurance liability claims – subsequent increase in premiums or loss of coverage
- Training costs for personnel
- Advertising and PR costs (e.g. damage control)
- Legal or regulatory fines and penalties
- Integration with external payment systems

Business Continuity Plan
- Threat identification and analysis – internal, external
- Systems ranking by mission criticality
- IT policies and procedures
- Alternate operating arrangements and sites (e.g. hot sites)
- System documentation
- Identification of critical non-IT processes and functions
- Physical security (e.g. locks, fire suppression, power conditioning)
- Contact information (e.g. company personnel, vendors, utilities, etc.)
- Hardware/software failure
- Damaged or destroyed files
- Facilities evacuation
- Attack response procedures
- Archival/backup systems
- System inventory
- System topology map
- IP addressing scheme
- Telecom configurations (e.g. routers)
- User account and password procedures
- External vendor integration
- Plan test/review process
- Pandemic planning (04/09)

Testing the Plan
- Tabletop tests vs. “Full-blown” BCP tests
- IT recovery tests
  - Hardware
  - Software
  - Data/databases
  - Telecommunications
- Operational testing
- Resource intensive
- Resource allocation (e.g. What will employees do while waiting for recovery?)
- Have your plan externally reviewed!

Policies and Procedures
- Roles and Responsibilities
- IT Audit and Review
- Systems Monitoring
- Business Impact Analysis/Risk Assessment
- Business Continuity Planning
- Data Ownership and Security (e.g. Queries)
- Software Management/Change Control
- Network Management (including portable devices)
- User Authentication and Password Management
- IT Outsourcing/Procurement
- Incident Response
- Acceptable Internet/e-Mail Usage
- Virus/Malware
- Backup/Archival
- Patch Management
- Wireless/Remote Access
- Physical Security
- Privacy and Confidentiality
- Windows Security Standards
- IT Training
- HR – including new hire screening, background check procedures

Authentication
- Traditional authentication systems have been built upon a single factor “what you know” model – e.g. the user “knows” both the user ID and password
- Single factor or password user authentication systems are highly vulnerable
  - Weak or non-existent passwords
  - Infrequent password rotation (if any)
  - Passwords written down or known by other users
  - Default accounts (e.g. anonymous, guest) active
  - Too many passwords for many users
- Growing trend toward Multi-Factor authentication systems – e.g. what you know, what you have, who you are

Multi-Factor Authentication
- “What You Know”
  - User IDs/Passwords
  - PIN codes – e.g. ATM/Debit cards
  - Tax ID or SSN numbers
  - Personal information – e.g. “mother’s maiden name”
  - Knowledge of specific transactions – e.g. “what did you buy on August 24, 2008 at Best Buy”
- “What You Have”
  - Tokens
  - Smart Cards
  - One Time Pads
  - Encryption keys
  - Digital Certificates

Multi-Factor Authentication
- “Who You Are” – Biometrics
  - Voice pattern recognition
  - Hand geometry
  - Finger print analysis – e.g. thumb print scanners
  - Facial recognition
  - Ocular recognition – e.g. retina/iris scans
  - Handwriting/signature recognition
- Other authentication methods
  - IP fingerprinting
  - Anti-phishing images
  - GPS location authentication (e.g. cellular phones, Universal devices)

Vulnerability Assessment
- IT risk assessment should include an analysis of network exposure via penetration or intrusion testing
- Penetration testing requires specialized expertise
- Penetration testing poses risks to information systems
  - False alarms from intrusion detection software
  - Downtime resulting from system exploitation
  - Loss of programs and data
  - Compromised security information
  - Alienation of internal IT personnel
- Have written test plan and scope before testing
- Make sure that the BCP is in place prior to testing
- Make sure social engineering defense is tested
- Have verified system backups available

Simple Secure Topology
(diagram: External User and Internet, then Router and External Firewall into an Untrusted Network containing the Web Server, Virus Wall and IDS; an Internal Firewall separates that from the Trusted Network of Internal Information Systems)

Malware Defense
- User education – including policies, procedures, scams
- Install/update antivirus software (e.g. Symantec, Trend)
- Use Anti-Spyware software (e.g. Microsoft Defender, Ad-Aware)
- Use multiple software scans (from different vendors) whenever possible
- Use Pop-Up blocking software (e.g. Google Toolbar)
- Use Anti-Spam technology (e.g. TrustWave, Postini, Barracuda)
- Use protected document formats (e.g. PDF)
- Employ patch management (e.g. WSUS)

Identity Theft Defense
- Defense against Identity Theft (e.g. Phishing schemes) involves vigilance on the part of companies and consumers
  - Employee Security Programs – employees must be trained to spot schemes before they fall victim
  - Customer Awareness Programs – customers and consumers should be made aware of current schemes (e.g. web site notices, statement stuffers)
  - Document Destruction – e.g. use of “cross-cut” shredders or secure document disposal companies (e.g. Shred-it)
  - Proper Equipment/Media Disposal – e.g. destruction of hard drives, backup tapes
  - Multi-Factor Authentication – e.g. Bank of America Site Key
  - Vulnerability Assessment – e.g. penetration testing

IT/Internal Control Solutions
- Implement improved internal audit process with added risk-based focus on information technology issues
- Implement software licensing and accounting procedures
- Perform extensive background checks on all employees who work with sensitive data
- Review external audit requirements and processes – make sure that auditor is proficient in reviewing Internet-based IT systems
- Regularly review all 3rd party processing agreements (e.g. ACH/Merchant Capture origination agreements)

IT/Internal Control Solutions
- Review trading partner contingency plans
- Employ access control systems with user names and strong passwords
  - Passwords should be regularly rotated (30 to 90 days)
  - Passwords should be complex (8 or more characters, including upper/lower case, numbers, special symbols)
  - Passwords should not be reused (at least for 12 changes)
- Employ data encryption technologies on remote access mechanisms (e.g. 128-bit SSL, PKI)
- Develop secure alternative communications links to key data sources – Particularly important as applications shift to the web
- Disable 3rd party vendor accounts when not in use – log all activity when active
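The three password rules on the slide above (rotation every 30 to 90 days, 8 or more characters with upper/lower case, numbers and special symbols, no reuse for at least 12 changes) are simple to state but are only enforced if the system that accepts a new password checks them. The code below is an added example and not from the original deck: it implements the three checks against a per-user record, keeping a salted hash of the last twelve passwords so reuse can be detected without storing the passwords themselves. The thresholds are the slide’s; the record layout, the PBKDF2 parameters and the function names are assumptions made for illustration.

```python
"""Password-policy checks for the three rules on the slide.

Added example, not from the original deck. The rule thresholds come from
the slide; the record layout, hashing parameters and names are assumptions.
"""
import hashlib
import hmac
import os
import string
from datetime import date

MIN_LENGTH = 8
MAX_AGE_DAYS = 90        # rotation interval; the slide allows 30 to 90 days
HISTORY_DEPTH = 12       # previous passwords that may not be reused
PBKDF2_ROUNDS = 20_000   # kept low so the example runs quickly; raise in production


def complexity_problems(password):
    """Return the complexity rules the password fails (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special symbol")
    return problems


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest so each history
    entry carries its own salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def matches(password, stored):
    """Constant-time comparison of a candidate password against a stored entry."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class PasswordRecord:
    """Per-user state: hashes of the current and recent passwords (most
    recent first, at most HISTORY_DEPTH) and the date of the last change."""

    def __init__(self, initial_password, changed_on):
        self.history = []
        self.changed_on = changed_on
        self._store(initial_password, changed_on)

    def _store(self, password, when):
        self.history.insert(0, hash_password(password))
        del self.history[HISTORY_DEPTH:]      # drop entries older than the last 12
        self.changed_on = when

    def rotation_due(self, today, max_age_days=MAX_AGE_DAYS):
        """True once the current password is as old as the rotation interval."""
        return (today - self.changed_on).days >= max_age_days

    def change(self, new_password, today):
        """Apply a change; returns the reasons it was rejected (empty list = accepted)."""
        reasons = complexity_problems(new_password)
        if any(matches(new_password, old) for old in self.history):
            reasons.append("reused one of the last %d passwords" % HISTORY_DEPTH)
        if not reasons:
            self._store(new_password, today)
        return reasons


if __name__ == "__main__":
    record = PasswordRecord("Correct-Horse9", date(2009, 1, 1))
    print(record.change("Correct-Horse9", date(2009, 2, 1)))   # reuse rejected
    print(record.change("weakpass1!", date(2009, 2, 1)))       # complexity rejected
    print(record.rotation_due(date(2009, 4, 2)))               # 91 days old: True
```

Because the history holds the current password as well, a password only becomes eligible for reuse after twelve accepted changes have pushed it out, which is the “at least for 12 changes” rule. The rotation check is kept separate from the change logic so a login routine can call `rotation_due()` and force a change at sign-in.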

Questions And Answers