9/20/2013
Restricted FR 1
Cyber Crime
September 20, 2013
Senior IT Examiner Gene Lilienthal
The following presentation represents the views and opinions of the speaker and does not necessarily reflect the views of the Federal Reserve Bank of San Francisco or the Board of Governors.
Agenda
• Headlines
• Cyber Threat Landscape
• Fraud
• Espionage
• Disruption & Destruction
• Mitigating Actions
• Questions
HEADLINES
Headlines
• FBI Alerts
– Threats to Mobile Devices Using the Android Operating System, August 2013
– Cyber Criminals Continue to Use Spear-Phishing Attacks to Compromise Computer Networks, FBI, July 2013
• Brobot attack scripts modified to attack login capabilities of a financial institution's website, April 2013
• St. Mary's Bank notified 116,000 people that personal information may be exposed after malware compromise, New Hampshire Business Review, July 2013
• University Federal Credit Union, Austin, Texas hit by DDoS attacks January 24 and February 25, 2013 with e-banking down for 6 hours and 40 minutes, PR Web
• Foreign hackers stole 160 million credit card numbers from more than a dozen companies, New York Times, July 2013
THREAT LANDSCAPE
Threat Landscape
• Types of threats:
– Fraud - Account takeovers, ID theft, synthetic IDs, etc.
– Espionage - Intrusion to gain unauthorized access to information
– Disruption/destruction - DDoS attack; malicious software (malware)
• Threats may be combined:
– Disruption to mask theft or espionage
– Espionage to facilitate later theft or disruption
• Financial institutions are targets of all three types of threats
Threat Landscape
2013 Verizon Data Breach Investigations Report
• 37% of breaches affected financial institutions
• 92% of breaches perpetrated by outsiders
• Financial industry
• Perpetrators ‐ organized crime & insiders
• Region of operation – Eastern Europe & North America
• Common actions – Tampering, brute force, malware and social engineering
• Targeted assets – ATMs, POS terminals and controllers, databases, desktops, financial institution customers, employees and service providers
• Desired data – payment cards, NPPI and bank credentials
Cyber Threat Landscape: Fraud
• Account takeover and debit card skimming
• Institutions and their service providers targeted directly
• Payment applications, such as credit, debit, ATM, and funds transfer infrastructures, are targeted
• Malware sophistication continually increasing
• Mobile platforms increasingly targeted to carry out account takeover fraud
Cyber Threat Landscape: Fraud
• DDoS attacks employed as diversion for fraud
– DDoS occurs after fraudulent wire, ACH or credit/debit card transaction
– Used to confuse, distract or block security response
– DDoS and account takeover tools developed and marketed by same groups and being integrated into existing malware
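As an added illustration of the diversion pattern above (example code, not part of the presentation): when a DDoS alert is raised, the check below lists the unsettled wire/ACH transfers initiated shortly before the alert so the fraud group can hold them for review. The transfer log, the six-hour lookback and the amount floor are constructed assumptions.

```python
# Added example (not from the presentation): when a DDoS alert is raised, list
# the outbound wire/ACH transfers initiated in the preceding window that have
# not yet settled, so the fraud group can hold them for review before release.
# The transfer log, lookback window and amount floor are constructed assumptions.
from datetime import datetime, timedelta

# Constructed transfer log: (txn_id, initiated_at, channel, amount, status)
TRANSFERS = [
    ("T1", datetime(2013, 4, 10, 8, 15), "wire", 250000.0, "pending"),
    ("T2", datetime(2013, 4, 10, 9, 40), "ach", 18000.0, "pending"),
    ("T3", datetime(2013, 4, 10, 9, 55), "wire", 4200.0, "settled"),
    ("T4", datetime(2013, 4, 10, 10, 5), "card", 120.0, "pending"),
    ("T5", datetime(2013, 4, 9, 16, 30), "wire", 90000.0, "pending"),
]
REVIEW_CHANNELS = {"wire", "ach"}  # channels the slide names as preceding a diversionary DDoS

def transfers_to_hold(transfers, ddos_detected_at, lookback=timedelta(hours=6), min_amount=10000.0):
    """Unsettled wire/ACH transfers initiated within `lookback` before the alert,
    largest amount first so reviewers see the biggest exposure at the top.
    `ddos_detected_at` may be a datetime or an ISO-8601 string from the alerting tool."""
    if isinstance(ddos_detected_at, str):
        ddos_detected_at = datetime.fromisoformat(ddos_detected_at)
    window_start = ddos_detected_at - lookback
    held = [t for t in transfers
            if t[2] in REVIEW_CHANNELS and t[4] == "pending"
            and window_start <= t[1] <= ddos_detected_at and t[3] >= min_amount]
    return sorted(held, key=lambda t: t[3], reverse=True)

def fraud_group_alert(transfers, ddos_detected_at):
    """Build the notification the incident reporting process sends to the fraud group."""
    held = transfers_to_hold(transfers, ddos_detected_at)
    return {"transfers_on_hold": [t[0] for t in held],
            "exposure": sum(t[3] for t in held),
            "action": "hold pending transfers and verify with customers out of band"}

if __name__ == "__main__":
    print(fraud_group_alert(TRANSFERS, "2013-04-10T10:30:00"))
```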
ESPIONAGE
Cyber Threat Landscape: Espionage
• Financial institutions protect high-value information assets, including:
– Customer information, proprietary information, application and operations processes, etc.
• Espionage may occur preparatory to fraud or destructive cyber attack.
• Advanced persistent threats may target financial institutions with:
– Zero day vulnerabilities
– Social engineering
– Exploitation of utility software
– Exploitation of service providers
DISRUPTION & DESTRUCTION
Disruption/Destruction Background
• Motive - political (domestic & nation state) or financial
• DDoS - a resiliency issue
– DDoS attacks overwhelm the target
• Malicious destructive software - an emerging security issue
– Malicious software (malware) used for data destruction, system disablement, and information theft
Disruption/Destruction Risks
• Prolonged disruptions may result in loss of customer confidence in a specific bank or in the financial system
• Impacts to banks include:
– Customer delays in accessing Internet-based services
– Costs of implementing and maintaining defense solutions
– Greater demands on technical support, customer support and management resources
• All FIs are threatened:
– Directly targeted
– Collateral damage (from service provider)
DDoS Points of Attack
[Diagram: "Which communications are legitimate?" Customers and attackers reach the bank network or service provider network through the Internet Service Provider (ISP) and a firewall; behind it sit Trading, Electronic Banking and Mobile Banking, separated by a second firewall from Internal Bank Servers and PCs.]
DDoS Key Trends
• Politically motivated attack trends
– Largest to smaller FIs
– Hacktivism & coordination (social media)
– Average DDoS duration 38 hours (Prolexic)
– Average attack 49 Gbps (Prolexic)
– Peer-to-peer structure
• Global average broadband speed rose 25% in 2012 (AT&T)
More DDoS Trends
• Commercialization of DDoS
• DDoS rentals are cheap!
• Roughly 75% of DDoS attacks are network layer
• Continued use of compromised web and DNS servers to amplify traffic volume
• Application and multi‐vector attacks
• Application‐based attack volume tough to spot
Malicious Software
• Emerging threat - sophisticated adversaries
• From the attacker's perspective, the war is won before the battle starts
• Targeted persistent attacks:
– Target has something the attacker wants to destroy
– Execution - spear phishing, USB sticks or malicious insider
– Customized destructive malware
– Workstation, Domain Controller, Patching Server
• Very difficult, time consuming and expensive to recover
• Most applicable to large banks, technology service providers and other forms of critical infrastructure
• Examples - three South Korean banks, Saudi Aramco & RASGAS
MITIGATING ACTIONS
General Mitigating Actions
• Continue to evaluate and update security and resiliency technologies and processes.
• Maintain comprehensive and effective information security programs that reduce information security risks, including:
– Assessment of current and emerging threats
– Information security risk assessment processes
– Vulnerability scanning and penetration testing
– Identity and access management programs
– Need-to-know and least privilege access controls
– Operations-based security controls
– Secure application development and maintenance
– Process controls, including separation of duties
– Management and testing of outsourced technology services
– Inclusion of cyber threats in resiliency and event management planning and testing
Effective Practices - Fraud
• Fraud prevention, detection and mitigation mechanisms:
– Bank customer education, awareness and use of available tools, such as secure browsers, dedicated computers, software updates and anti-malware products
– Periodic risk assessments and risk management approaches, including:
• Understanding the benefits of particular layered security and anomaly detection tools for an organization's specific environment
– Anomaly detection, including:
• During login
• When there are electronic funds transfer requests
• Escalation when thresholds or sequences of anomalous activities are exceeded
– Information sharing through financial industry associations, FS-ISAC and among peers
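An added example (not from the presentation) of the anomaly detection practice above: a rule-based scorer evaluated at login and at each electronic funds transfer request, escalating to out-of-band verification at one threshold, to a hold plus fraud-team alert at a higher one, and to a hold whenever a known takeover sequence of actions appears regardless of score. The rule weights, thresholds, action names and sample sessions are constructed assumptions.

```python
# Added example (not from the presentation): rule-based anomaly scoring for an
# online-banking session, evaluated at login and at each electronic funds
# transfer (EFT) request, escalating when a score threshold or a known action
# sequence is hit. Weights, thresholds and sample events are constructed.
from collections import namedtuple

Event = namedtuple("Event", "kind attrs")  # kind: login, add_payee, eft_request, ...

LOGIN_RULES = {            # assumed weights for anomalies seen at login
    "new_device": 2,       # device fingerprint never seen for this customer
    "geo_mismatch": 3,     # login location differs from the customer's usual one
}
EFT_RULES = {              # assumed weights for anomalies seen on an EFT request
    "new_payee": 2,        # beneficiary first added in this session
    "amount_over_profile": 3,  # exceeds the customer's historical maximum
}
TAKEOVER_SEQUENCE = ("change_contact", "add_payee", "eft_request")  # escalate regardless of score
STEP_UP_THRESHOLD = 4      # challenge the customer out of band
HOLD_THRESHOLD = 7         # hold the transfer and alert the fraud team

def contains_sequence(actions, pattern):
    """True if every step of `pattern` occurs in `actions` in that order."""
    remaining = iter(actions)
    return all(step in remaining for step in pattern)

def score_session(events):
    """Return (score, decision, reasons) for one session's ordered events."""
    score, reasons, actions = 0, [], []
    for ev in events:
        actions.append(ev.kind)
        rules = {"login": LOGIN_RULES, "eft_request": EFT_RULES}.get(ev.kind, {})
        for flag, weight in rules.items():
            if ev.attrs.get(flag):
                score += weight
                reasons.append(flag)
    if contains_sequence(actions, TAKEOVER_SEQUENCE):
        return score, "hold_and_alert", reasons + ["takeover_sequence"]
    if score >= HOLD_THRESHOLD:
        return score, "hold_and_alert", reasons
    if score >= STEP_UP_THRESHOLD:
        return score, "step_up_auth", reasons
    return score, "allow", reasons

# Constructed sessions: a moderate score (step-up), a high score (hold), and a low score that still matches the takeover sequence.
SESSIONS = {
    "moderate": [Event("login", {"new_device": True}), Event("eft_request", {"new_payee": True})],
    "high": [Event("login", {"new_device": True, "geo_mismatch": True}),
             Event("eft_request", {"new_payee": True, "amount_over_profile": True})],
    "sequence": [Event("login", {}), Event("change_contact", {}), Event("add_payee", {}),
                 Event("eft_request", {"new_payee": True})],
}
```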
Effective Practices - Disruption/Destruction
• Board and senior management awareness
• Realistic, thorough and ongoing assessments of evolving threats and risks related to cyber attacks
• Well documented incident response program for the timely mitigation of the threat
• Defense‐in‐depth approach for protecting systems, applications and infrastructure
• Deployment of automated security event monitoring and network vulnerability scanning tools, as well as remediation of identified vulnerabilities
Effective Practices - Disruption/Destruction (Continued)
• Formal incident reporting process to:
– Provide key stakeholders with timely information.
– Alert the fraud detection group when a cyber attack occurs.
– Notify regulator promptly of all significant cyber attacks.
• Engagement with industry groups (Financial Services Sector Coordinating Council, FS-ISAC) that share information on cyber incidents with government and law enforcement agencies (DHS and FBI)
Effective Practices - Disruption/Destruction (Continued)
• Analyzing the firm's dependence on 3rd party service providers who may also be vulnerable to attacks.
• Comprehensive, sustained engagement with service providers to assess and manage cyber risks and to test resiliency plans.
• Following up attacks by conducting a "root cause" analysis and identifying opportunities to strengthen the firm's defenses.