Cyber Crime Trends
LeadingAge Missouri

©2014 CliftonLarsonAllen LLP · CLAconnect.com



Three Questions About the

• What are hackers doing?

• Who are the hackers?

• How do they hack so well?


Themes

• Hackers have “monetized” their activity

– More hacking

– More sophistication

– More “hands-on” effort

– Smaller organizations targeted

◊ 62% hit small and medium-sized entities

◊ http://www.propertycasualty360.com/2015/05/27/small-mid-sized-businesses-hit-by-62-of-all-cyber?slreturn=1473190537


Mitigation Themes

• Employees that are aware and savvy

• Networks resistant to penetration and malware

• Relationships with banks maximized

• Proper insurance coverage


What are they doing?

• PFI – Personal Financial Information

– Wholesale theft of personal financial information

• PHI – Personal Health Information

– Wholesale theft of patients' health records

• CATO – Corporate Account Takeover

– Use of online credentials for ACH, CC and wire fraud

• Ransomware

– Lockdown of a system with ransom demands


Black Market Economy - Theft of PFI and PII

• Target

• Goodwill

• Jimmy John's

• University of Maryland

• University of Indiana

• Olmsted Medical Center

• Community Health Systems

• Anthem

• Blue Cross Premera

Active campaigns involving targeted phishing and hacking focused on common/known vulnerabilities.


Black Market Economy - Theft of PFI and PHI

• Advocate Health Care Network fined $5,550,000 (Federal Fine)

• http://www.cnbc.com/2016/08/04/huge-data-breach-at-health-system-leads-to-biggest-ever-settlement.html

Active campaigns involving targeted phishing and often targeted industries and institutions.


Black Market Economy – Stolen Card Data

• Carder or Carding websites

• Dumps vs CVV’s

• A peek inside a carding operation:

http://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/



Black Market Economy – “Carder Boards”

• Easy to use!



Credit Card Data For Sale



Corporate Financial Account Takeover

• Catholic church parish

• Hospice

• Collection agency

• Main Street newspaper stand

• Electrical contractor

• Health care trade association

• Health care facility

• Rural hospital

• Mining company

• On and on and on and on…


Corporate Account Take Over – 3 Versions

1. Deploy malware – keystroke logger

2. Deploy malware – man in the middle

3. Recon / email persuasion


Multi-Factor Authentication Solutions

• MFA is critical

• Silver bullet?


V3 Case Study – Please Wire $ to…

• CEO asks the CFO…

• Common mistakes

1. Use of private email

2. “Don’t tell anyone”

• http://www.csoonline.com/article/2884339/malware-cybercrime/omahas-scoular-co-loses-17-million-after-spearphishing-attack.html


CATO Defensive Measures

• Multi-layer authentication

• Multi-factor authentication

• Out of band authentication

• Positive pay

• ACH block and filter

• IP address filtering

• Dual control

• Activity monitoring


Ransomware

• Malware encrypts everything it can interact with

– V1: Everything where it lands

– V2: Everything where it lands plus everything the user has rights to on the network

– V3: Everything where it lands plus everything on the network

• CryptoLocker / Cryptowall

• Kovter

– Also displays and adds child pornography images


Ransomware

• McAfee saw 4,000,000 ransomware versions in late 2015

• Ransomware is expected to explode in 2016

• http://www.securitymagazine.com/articles/86787-ransomware-attacks-to-grow-in-2016


Ransomware

• Zip file is preferred delivery method

– Helps evade virus protection

• Working (tested) backups are key


The Cost?

Norton/Symantec Corp:

• Cost of global cybercrime: $388 billion

• Global black market in marijuana, cocaine and heroin combined: $288 billion


Who?

• Chinese

– State sponsored

– Goal is to supplant US as #1 economic power

• Russians

– State “protected”

– Goal is simpler: steal money

• Copycats

– Koreans, Africans, others use the tools of the Chinese and Russians


How do hackers and fraudsters break in?

• Modern hacking relies on malware

• Social engineering

• Drive-by surfing

– Infected websites

• Easy password attacks


Social Engineering

• Pretext phone calls

• Building penetration

• Email attacks

“Amateurs hack systems, professionals hack people.” – Bruce Schneier


Pre-text Phone Calls

• “Hi, this is Randy from Fiserv user support. I am working with Dave, and I need your help…”

– Name dropping

– Establish a rapport

– Ask for help

– Inject some techno-babble

– Think telemarketer's script

• Home Equity Line of Credit (HELOC) fraud calls

• Ongoing high-profile ACH frauds


Physical (Facility) Security

Compromise the site:

• “Hi, Joe said he would let you know I was coming to fix the printers…”

Plant devices:

• Keystroke loggers

• Wireless access point

• Thumb drives (“Switch Blade”)


Email Attacks - Spoofing and Phishing

• Impersonate someone in authority and:

– Ask them to visit a web-site

– Ask them to open an attachment or run an update

• Examples

– Better Business Bureau complaint

– http://www.millersmiles.co.uk/email/visa-usabetter-business-bureaucall-for-action-visa

– Microsoft Security Patch Download

– Important software update from management



Email Phishing – “Targeted Attack”



Strategies to Combat Social Engineering

• (Ongoing) user awareness training

• SANS “First Five” – Layers “behind the people”

1. Secure/Standard Configurations (hardening)

2. Critical Patches – Operating Systems

3. Critical Patches – Applications

4. Application White Listing

5. Minimized user access rights

– No browsing/email with admin rights


The Cyber Insurance Maze

• Local agents unaware, uninformed or uninterested

• Lack of standardized policy language

• Generic “one size fits all” applications

• Evolution at the actuarial process

• Evolution at the underwriter



Cyber Insurance Protection Basics

• Errors and omissions

– Typically associated with software providers

• Media and intellectual property

– Media placed on website or made available

• Network and systems security

– Extensive and broad category (common considerations)

• Breach of privacy

– Disclosure of PFI, PII, HIPAA and others (donor info)


Cyber Insurance Coverage

• Forensic services

• Business interruption coverage

• Credit monitoring – Often by state regulations

• Technical consulting and system repair

• Legal costs

• Cost of issuance of new credit cards

• Certain fines from regulatory bodies

• Lawsuit related settlements and costs

• Cost of informing impacted entities and persons


Cyber Insurance Procurement

• Obtain multiple quotes

– Not necessarily based on cost

– Exposure of an uninformed quote

– Exposure of the “one size fits all” application

– Education of dollar coverage amounts as recommended by broker

• Obtain an objective third party review

• Discuss with peers

• DO IT!


10 Key Defensive Measures


Attacks are Preventable!

• Intrusion Analysis: TrustWave

• Intrusion Analysis: Verizon Business Services

• Intrusion Analysis: CERT Coordination Center

• Intrusion Analysis: CLA Incident Handling Team


Strategies

Our information security strategy should have the following objectives:

• Users who are more aware and savvy

• Networks that are resistant to malware

• Relationship with our FI is maximized


Ten Keys to Mitigate Risk

1. Strong Policies

• Email use

• Website links

• Removable media

• Users vs Admin

• Insurance


2. Defined user access roles and permissions

• Principle of minimum access and least privilege

• Users should NOT have system administrator rights

• “Local Admin” in Windows should be removed (if practical)


3. Hardened internal systems (end points)

• Hardening checklists

• Turn off unneeded services

• Change default passwords

• Use Strong Passwords

• Consider application white-listing

4. Encryption strategy – data centered

• Email

• Laptops and desktops

• Thumb drives

• Email enabled cell phones

• Mobile media


5. Vulnerability management process

• Operating system patches

• Application patches

• Testing to validate effectiveness – “belt and suspenders”


6. Well defined perimeter security layers:

• Network segments

• Email gateway/filter

• Firewall – “Proxy” integration for traffic in AND out

• Intrusion Detection/Prevention for network traffic, Internet facing hosts, AND workstations (end points)

7. Centralized audit logging, analysis, and automated alerting capabilities

• Routing infrastructure

• Network authentication

• Servers

• Applications


8. Defined incident response plan and procedures

• Be prepared

• Including data leakage prevention and monitoring

• Forensic preparedness


9. Know / use Online Banking Tools

• Multi-factor authentication

• Dual control / verification

• Out of band verification / call back thresholds

• ACH positive pay

• ACH blocks and filters

• Review contracts relative to all these

• Monitor account activity daily

• Isolate the PC used for wires/ACH
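As an added example (not from the CLA deck), the following Python models how the banking controls listed under CATO Defensive Measures and under key 9 above each hold a payment: dual control, an ACH filter, positive pay against a register filed with the bank, and an out-of-band call-back threshold, with a daily review over the results. All payment data, names, thresholds and the "CEO asks the CFO" wire are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Payment:
    pid: str                        # payment id as keyed into online banking
    kind: str                       # "ACH" or "WIRE"
    payee: str
    amount: float
    initiator: str                  # user who entered the payment
    approver: Optional[str] = None  # second user who released it (dual control)
    oob_verified: bool = False      # confirmed by call-back to a phone number on file


@dataclass
class Controls:
    ach_allowlist: Set[str]                 # ACH filter: counterparties allowed to receive ACH
    register: Dict[str, Tuple[str, float]]  # positive pay: pid -> (payee, amount) filed with the bank
    callback_threshold: float               # out-of-band verification required at or above this


def evaluate(p: Payment, c: Controls) -> List[str]:
    """Return the names of the controls the payment fails; an empty list means release."""
    failed: List[str] = []
    if p.approver is None or p.approver == p.initiator:
        failed.append("dual-control")   # two distinct people must touch every payment
    if p.kind == "ACH" and p.payee not in c.ach_allowlist:
        failed.append("ach-filter")     # block ACH to anyone not pre-approved
    if c.register.get(p.pid) != (p.payee, p.amount):
        failed.append("positive-pay")   # bank pays only items matching the filed register
    if p.amount >= c.callback_threshold and not p.oob_verified:
        failed.append("call-back")      # large items need confirmation on a second channel
    return failed


def daily_review(payments: List[Payment], c: Controls) -> Dict[str, List[str]]:
    """The 'monitor account activity daily' step: each payment id mapped to its failures."""
    return {p.pid: evaluate(p, c) for p in payments}


# Constructed sample data (hypothetical organisation, not a real bank feed).
CONTROLS = Controls(
    ach_allowlist={"Payroll Processor", "Medical Supply Co"},
    register={"P1": ("Medical Supply Co", 4200.0), "P2": ("Payroll Processor", 18500.0)},
    callback_threshold=10000.0,
)
SAMPLE = [
    Payment("P1", "ACH", "Medical Supply Co", 4200.0, "clerk", approver="controller"),
    Payment("P2", "ACH", "Payroll Processor", 18500.0, "clerk", approver="controller",
            oob_verified=True),
    # The "CEO asks the CFO" wire: one person keys and releases it, it was never
    # filed with the bank, and nobody called the payee back.
    Payment("P3", "WIRE", "Overseas Vendor Ltd", 45000.0, "cfo", approver="cfo"),
]

if __name__ == "__main__":
    for pid, failures in daily_review(SAMPLE, CONTROLS).items():
        print(pid, "RELEASE" if not failures else "HOLD: " + ", ".join(failures))
```

Each control is independent, so the rushed wire fails three of them at once; that redundancy is the "belt and suspenders" point the deck keeps returning to.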


10. Test, Test, Test

– “Belt and suspenders” approach

– Penetration testing

◊ Internal and external

– Social engineering testing

◊ Simulate spear phishing

– Application testing

◊ Test the tools with your bank

◊ Test internal processes


Questions?

Hang on, it’s going to be a wild ride!!

Darrell Songer, Principal

Information Security Services Group

[email protected]

***

(314-925-4300)