6/11/2014
Cyber Fraud – What can you do about it?
Eric Wright, Shareholder
June 10, 2014
What is Cyber Fraud?
• NetLingo definition:
– “Cyber fraud refers to any type of deliberate deception for unfair or unlawful gain that occurs online”
– Key: PROTECTING INFORMATION from:
  • Theft
  • Misuse
  • Manipulation
  • Damage
  • Loss
• Threats not limited to Internet hackers
– Social engineering
– Phishing
– Disgruntled employees
– Human error
What Cyber Criminals Steal – And Why
• Bank credentials
– Theft of funds
• Personally Identifiable Information (PII)
– Identity theft
• Debit/credit card data
– Access to credit, sale of data
• Intellectual property, data, other content
– Blackmail, sale of data, avoid paying IP royalties, sabotage
Verizon Data Breach Report ‐ Takeaways
• 92% of breaches came from outside the organization
– 55% from organized crime
– 19% state‐affiliated
• 75% of breaches driven by financial motives
• 76% exploited weak or stolen credentials
• 69% discovered by external parties
• 66% took months or more to discover
Verizon Data Breach Report – Other Takeaways
• 19% of attacks combined multiple techniques (phishing, malware, hacking, etc.)
• 75% of attacks were opportunistic (companies not targeted directly)
• 78% of intrusions took little or no special skills/resources
Verizon Data Breach Report – Industry Dispersion
Verizon Data Breach Report – Attack Origin
Verizon Data Breach Report – Malware Sources
Attackers’ Time to Exploit Vulnerability versus… …Organization’s Ability to Defend (charts)
Source: Verizon Risk
Notable Data Breaches in US History
• 2014 USX, ATI, UPMC, Westinghouse, Alcoa (Employee information and intellectual property)
• 2013 Target – 110 million customers (40 million credit cards)
• 2013 Adobe Systems – 130 million customers
• 2011 Sony – 77 million customers
• 2008 Heartland Payment Systems – 130 million customers
• 2007 TJX Companies – 94 million customers (46 million credit cards)
• 1984 TRW/Sears – 90 million customers
Source: CNN Money
Where is this happening?
Continent       Percent of online transactions hacked   Sites targeted                       Data stolen
Africa          7%                                      Online dating, Retail                Identities, Credit cards
Asia            5%                                      Retail, Online dating, Gambling      Credit cards, Identities, Gold farming
South America   4%                                      Retail, Online dating                Credit cards, Identities
Europe          2%                                      Evenly spread                        Identities
North America   1%                                      Retail, Gaming, Financial services   Credit cards, Identities, Accounts
Target Breach
Target Response to Hack
• Target had already deployed $1.6 million malware detection tool (FireEye).
– Round‐the‐clock monitoring from security specialists in Bangalore
• November 30: FireEye detects loading of exfiltration software.
– Target security team in Minneapolis notified
– No action taken
• Mid‐December: Security experts monitoring underground markets for stolen data detect large influx of credit card information.
– US Department of Justice notified
• December 12: Target notified by Department of Justice of potential breach.
• December 15: Target confirms breach.
• December 19: Target releases public statement confirming breach.
• March 5: Target CIO Beth Jacob resigns
Target Control Failures
Target Breach – Inherent Flaws
• Flaws in system design
– Lack of network segmentation
– Lack of encryption of credit card data while stored in RAM
• Flaws in internal control
– Lack of third‐party oversight and compliance
– Lack of monitoring and reaction
Target Breach – Limitations in Audit Approach
• Audits take only a snapshot of an organization’s security
• Auditors rely on the organization to provide timely, accurate and complete information about systems
• Inherent time/resource limitations
• Over‐reliance on PCI standard (Gartner analyst: “PCI standard is weak”)
– Data in transit over a private network does not have to be encrypted
– Data at rest in RAM does not have to be encrypted
Is Your Organization Prepared?
Source: IIA Tone at the Top; April 2014
What can you do to minimize your risks?
• Design and implement security plan
• Respond to threats
• Maintain vigilance and level of knowledge
• Identify, understand and respond to changes in your operating environment
Steps for an Effective Cybersecurity Defense
1. Adopt a Framework
2. Understand the Environment
3. Assess Risk
4. Establish Audit Objectives
5. Planning and Scoping
6. Perform the Audit
7. Identify/Remediate Vulnerabilities
8. Monitor/Refresh
1. Adopt a Framework ‐ Examples
• ISO 27000 Series
• Department of Energy
– Cybersecurity Capability Maturity Model (C2M2)
• Electronic Subsector (ES‐C2M2)
• Oil and Gas Subsector (ONG‐C2M2)
• National Institute of Standards and Technology (NIST)
– Cybersecurity Framework
– Roadmap for Improving Critical Infrastructure Cybersecurity
• National Initiative for Cybersecurity Education (NICE)
– Capability Maturity Model (CMM)
• ISACA ‐ Transforming Cybersecurity Using COBIT 5
1. Areas Covered in C2M2
• Risk Management
• Asset, change, and configuration management
• Identity and access management
• Threat and vulnerability management
• Situational Awareness
• Information sharing and communications
• Event and incident response, continuity of operations
• Supply chain and external dependencies management
• Workforce management
• Cybersecurity program management
1. C2M2 Maturity Levels
1. C2M2 – Recommended Approach
1. NIST Framework Objectives
1. NIST Framework Objectives ‐ Continued
• Identify
– Asset Management
– Governance
– Risk Assessment
• Protect
– ITGCs (Access Control)
– Awareness and Training
– Data Security
– Information/Asset Protection
– Maintenance
– Protective Technology
• Detect
– Monitoring
• Respond
– Planning
– Communications
– Analysis
– Mitigation
• Recover
– Improvement
2. Understand the Environment
• Operating environment
• Hardware type and location
• Applications
• Databases
• File systems
• Security
• Network architecture
• Third‐parties
• Middleware
2. Start with Asset Identification
• Identify all assets:
– Databases
– Files
– Servers
– Applications
– Hardware
– Web sites
• Asset classification
– Location
– Owner
– Usage
– Type
– Status
– Risk level
3. Assess Risk
• Identify risks (interviews, artifact review)
• Assign risk ranking
• Determine risk tolerance
• Address areas at or above threshold
• Isolate/note threats covered by standard ITGCs
• Look at external and internal threats, and differentiate between them
• Added emphasis on areas inherent to cybersecurity
• Identify recent/ongoing changes in the environment
3. Assessing Risk: Common Mistakes
• Not understanding the environment (see step 2)
• Avoiding unfamiliar technical content
• Underestimating the complexity of cybersecurity threats and/or overestimating management’s knowledge of network architectures
• Not allocating sufficient time for a comprehensive review
• Making assumptions about IS’s level of knowledge/proficiency (taking them at their word)
3. What’s Wrong With This Picture?
3. Typical Network Security Audit Questions
• Security policy?
• Network diagram?
• Firewall and intrusion detection/prevention?
• DMZ?
• Anti‐virus/Malware/Spam Filters?
• Server and workstation hardening standards?
• Vulnerability scan and penetration test performed?
• Logging and monitoring?
Recommendation ‐ Tone at the top
Create and reinforce the perception/understanding of cybersecurity threats
• Established, supported and communicated by senior management
• Establish awareness that controls and processes have been specifically designed to prevent attacks
– New hire orientation
– Ongoing awareness and communication
– Visible to the organization
Other Recommendations
• Ongoing Security Education and involvement of management and staff
• Integrate cyber risk strategy into the organization’s strategic plan
• Have a team/person dedicated to managing cyber threats
• Identify areas of high risk and train internal/external resources to monitor and manage
• Automate as much as possible
• Collaborate internally AND externally
Questions