20141009 TSCHAUER NCUA SME Conf - ACUIA.org 14 - Data Breach...

Copyright TrustCC. All Rights Reserved.

Data Breach and Fraud Prevention

By Tom Schauer, CEO, TrustCC: Trusted Consulting and Compliance
CISA, CISM, CISSP, CEH, CRISC, CTGA

Serving Financial Institutions since 1986


Thesis

Credit Unions and Community Banks are not as secure as they think.

Sub-standard security testing has contributed to a false sense of security.


https://www.privacyrights.org/data2breach


https://www.privacyrights.org/data2breach, January 2005 to September 2014

Type of Breach          Number of Breaches   Number of Records Lost   % Breaches
Hacking or Malware                    1068              471,676,671          24%
Portable Device                       1055              172,707,621          24%
Unintended Disclosure                  771              225,987,855          18%
Insider                                534               32,681,369          12%
Physical Loss                          522                3,210,802          12%
Stationary Device                      246               11,568,743           6%
Other                                  207               12,809,013           4%
TOTAL                                 4403              930,642,074


Of 4403 total breaches… 160 breaches occurred at Banks and Credit Unions.

That is just 3.6%


Why do FIs account for so few breaches?

• Expectation of Security
• Perception of Security
• Minimal Research or Proof of Insecurity
• Hackers remain focused where Card is Present
• Cardholder Data Theft is Anonymous and Lucrative (plenty of buyers)
• Krebs: Attackers “Have Tunnel Vision”


Scientifically Speaking - Current Testing is Woefully Inadequate

The Oxford English Dictionary defines the scientific method as "a method or procedure that consists of systematic observation, measurement, and experiment, and the formulation, testing, and modification of hypotheses."

Scientific inquiry is intended to be as objective as possible in order to minimize bias.


Traditional Security Testing

• We sent phishing emails to 100 employees, 25 clicked the link. If this had been an actual attack we could have gotten on the network.

• Scientific or Flawed?


Traditional Security Testing

• We were allowed into a conference room and, from a network jack that was enabled for our testing and using our laptop fully loaded with hacking tools, we found 35 vulnerabilities we could exploit.

• Scientific or Flawed?


Traditional Security Testing

• IT knew we were testing and the IDS alerted when we ran the vulnerability scanner. An actual attack would be detected.

• Scientific or Flawed?


The BIG Disconnect

Yes, HR has some training to do.


Verizon’s 2013 Data Breach Investigations Report


Recommended Approach

• Real Research
• Real Social Engineering
• Real Penetration Testing
• Real Incident Detection and Response

• Yields a Realistic Evaluation


Realistic Pen Testing Complements Traditional Testing


Five Real Reports from TrustCC Social Engineering Testing over the last 2 Weeks

CU0 - 500 emps, $1.5B assets
CU1 - 200 emps, $1B assets
CU2 - 250 emps, < $1B assets
CU3 - 50 emps, $600M assets
CU4 - 150 emps, $650M assets

• Scientific or Flawed?


2013 Results

Nearly 150 Financial Institutions

Breached – 63%
Sensitive Data – 79%
Admin Access – 58%

And we got better as the year progressed…


Thought Provoking Quote…

“The threat has reached the point that, given enough time, motivation, and funding, a determined adversary will likely be able to penetrate any system accessible from the Internet.”

Joseph M. Demarest, Assistant Director, Cyber Division FBI, before the Senate Judiciary Committee, May 8, 2013


Incident Detection and Response

How does it work in the real world?


Target Breach by the Numbers…

The dates the attackers stole card numbers:          Nov 27 to Dec 15
The number of card numbers stolen:                   40,000,000
Percentage decline in profit Q4 2013 vs Q4 2012:     46
The cost to banks and credit unions for reissue:     $200,000,000
The number of Target employees with CISO title:      0
The median price of cards successfully sold:         $18.00 – $35.70
The likely income made by the hackers:               $53,700,000

See www.krebsonsecurity.com


How did it happen?

The Target breach began with the phishing of an HVAC contractor that had credentials to access the Target network.

Hackers and crackers are sophisticated; at this level, they're playing a long game to nail lucrative, high-value targets. They're looking where they think you're not looking.


The weakest part of your security is something you haven’t considered…

1. Social Engineering (SE). We know most attacks start with SE because employees are reliably ineffective at stopping the attack.

2. What is my weakest link? Are my risk assessments an effective tool or a compliance obligation?


Missed Alerts and Opportunities

According to Business Week, Target was running its own security operations center in Minneapolis. In May 2013 Target implemented best-of-breed malware detection software named FireEye. FireEye caught the initial November 30 infection of Target's payment system by malware. All told, five "malware.binary" alarms reportedly sounded, each graded at the top of FireEye's criticality scale.

Unfortunately, it appears Target's security team failed to act on the threat indicators.


It’s Vital to know which Alerts can be Ignored

1. Skills may have been insufficient. Should this activity have been outsourced to experts?

2. Does your organization perform ‘Covert’ security testing in order to be well prepared for an actual event?

Test incident detection and response!


Class Action…


Two Incredibly Important Points

1. “Head in the Sand” and/or “Risk Acceptance” is a risky management technique. The risk does not go away. Are decisions documented?

2. When an incident occurs the sharks may be in a feeding frenzy. Perception will be as important as reality.


What is unique about an attack that starts from social engineering?


Domain User / Domain Workstation

Do you monitor authorized user activity, or have you been convinced that monitoring authorized users is a waste of time and resources?


If your users are Local Admins… 9 of 10 times it’s game over!


Incident Response Planning Imperative

• The frequency of network breach at an organization is likely to increase as monetization becomes clear and other opportunities fade.

• Breach prevention is a matter of being a ‘harder’ target when compared to the next organization.


Start by Studying Breaches

(The privacyrights.org table of breaches by type, January 2005 to September 2014, is repeated on this slide.)


Diagram: incident response flow. Stage labels on the slide: Ongoing Operation; Incident Identification; Reporting an Incident; Assessment; Significant Incident?; Pass on to others; Notification Escalation; Containment / Protecting Evidence; Eradication; Recovery; Follow-up.


Testing

• Table Top Scenario Testing
• Unplanned Tests
• Covert Penetration Tests


Documentation of Incidents

Documentation should not only provide a consistent means to record events but should help guide response. Sometimes it is best to have documentation off the network and communications Out of Band.


HOW TO H-ACH A BANK


Thesis

It is possible to extract Millions of dollars from a compromised Institution in a single day using the fundamentally flawed Automated Clearing House (ACH) file submission process.


Monetization Is More Complex


Old School

Routing # Check Digit Account #


Routing # Check Digit Account #

ACH File Format


“Hash” Creation

Entry “Hash” purpose: confirm entries are correct.

Routing #’s:
   24823818
   72288726
 + 54904060
 -----------
  152016604

Entry “Hash”: 0152016604


FedLine: Upload ACH File to The FED

• Confirm Total Debits
• Confirm Total Credits
• Confirm Total # Batches


Diagram: Upload File to The FED. The CORE Banking System writes the ACH file to a Windows File Share at 4PM; FedLine ACH uploads the file to The FED at 4:15PM; the HACKER reaches the share at 4:01PM, in between.

Altering the ACH file

$3.5 Million

0.1 Seconds

24 hours

Who?

Anybody who is manually uploading ACH files to The FED/EPN.


Reaction

• Interesting, we’ve known of ACH file risks for years.
• I believe your letter is misleading.
• Holy Smokes!!!

• Dozens of Financial Institutions have acknowledged.
• The Federal Reserve “Committed” and “Catalyst”


Stop Gap Solutions

ACH
• Should not be on the Domain (i.e. NAS?)
• WORM - Write Once Read Many
• Only allow write access from the CORE
• Make Sure Share Permissions are Solid

FedLine
• Should not be on the Domain
• Isolated to its own VLAN
• Only allow read from this host
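An added example, not from the presentation or TrustCC, showing why the entry hash from the “Hash” Creation slide and the FedLine total confirmations cannot tell an altered receiving account from the original, and one control that goes beyond the stop-gap list above: a keyed hash (HMAC) taken on the CORE at export and re-checked on the FedLine host before upload. The record layout is the standard NACHA PPD entry detail record; the routing, account and trace values and the key are constructed placeholders.

```python
import hashlib
import hmac

# Constructed NACHA "6" (entry detail) records, 94 chars fixed width, standard
# PPD offsets: [3:11] 8-digit receiving DFI id (check digit dropped), [11] check
# digit, [12:29] account number, [29:39] amount in cents. Routing, account and
# trace values are made-up samples for this example.
def entry(tx_code, rdfi8, chk, account, cents, name, trace):
    rec = ("6" + tx_code + rdfi8 + chk + account.ljust(17) + f"{cents:010d}"
           + " " * 15 + name.ljust(22) + "  " + "0" + trace)
    assert len(rec) == 94
    return rec

SAMPLE = [  # same three RDFI ids as the slide's entry hash example
    entry("22", "24823818", "3", "1234567", 150000, "SAMPLE VENDOR A", "248238180000001"),
    entry("22", "72288726", "9", "9876543", 250000, "SAMPLE VENDOR B", "248238180000002"),
    entry("27", "54904060", "1", "5555555", 400000, "FUNDING ACCOUNT", "248238180000003"),
]

def entry_hash(records):
    """NACHA entry hash: sum the 8-digit RDFI ids, keep the rightmost 10 digits."""
    total = sum(int(r[3:11]) for r in records if r[0] == "6")
    return f"{total:010d}"[-10:]

def totals(records):
    """(credits, debits) in cents: the figures FedLine asks the uploader to confirm."""
    credits = sum(int(r[29:39]) for r in records if r[1:3] in ("22", "32"))
    debits = sum(int(r[29:39]) for r in records if r[1:3] in ("27", "37"))
    return credits, debits

def seal(records, key):
    """Keyed hash taken on the CORE at export, before the file reaches the share."""
    return hmac.new(key, "\n".join(records).encode(), hashlib.sha256).hexdigest()

def safe_to_upload(records, key, expected_seal):
    """Run on the FedLine host just before upload: the file must match the CORE seal."""
    return hmac.compare_digest(seal(records, key), expected_seal)

# Constructed copy with one receiving account changed. Entry hash and batch
# totals are unchanged, so the FedLine confirmations alone cannot tell it apart.
ALTERED = [SAMPLE[0][:12] + "7654321".ljust(17) + SAMPLE[0][29:]] + SAMPLE[1:]

if __name__ == "__main__":
    KEY = b"placeholder-core-export-key"  # real key stays on the CORE, not the share
    s = seal(SAMPLE, KEY)
    print(entry_hash(SAMPLE), entry_hash(ALTERED))  # 0152016604 0152016604
    print(totals(SAMPLE) == totals(ALTERED))        # True
    print(safe_to_upload(ALTERED, KEY, s))          # False
```

The seal only helps if the key never sits on the shared folder or the domain the attacker already controls, which is why it belongs on the CORE and the FedLine host, the two hosts the stop-gap list already isolates.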


Why Disclose Now?

Cardholder Data Theft


A Call to Action

Make Sure Credit Unions:

• Are performing adequate testing including effective testing of incident response.

• Are performing effective Risk Assessments and are accepting risk wisely.

• Are aware of the most likely targets in their environment and are designing controls to mitigate risks to these targets (at least ACH).


Wrap Up

Questions and Answers

Network
