it security and wire fraud awareness slide deck
TRANSCRIPT
EMERGING TRENDS IN IT SECURITY / WIRE FRAUD
Presented by:
Don Gulling, CEO, Verteks Consulting
Twitter:@dongulling LinkedIn: www.linkedin.com/in/dongulling
My Background
• Working in IT since 1987, first job as a mainframe programmer and software developer
• CEO of Verteks Consulting for 18 years
• Managing 23 employees, $5M+ per year in revenue
• Complex project management for Finance, Insurance, Healthcare, Local/State/Federal Government, Defense, others
• Author and speaker on IT security and IT trends
• Keynote speaker for 2014 ITen Wired Summit
• Featured speaker for Angelbeat Tech/Security Conference
• Featured speaker for DataConnectors Tech/Security Conference
You’ve been DRAFTED
• During the 30 to 45 minutes of this presentation, a minimum of 69,750 confidential personal and financial records will be stolen.
• Breach Level Index reported that from January through March of this year, about 93,000 records were stolen each hour of the day. This total is definitely on the low end of what we should expect, since we know many breaches are still unreported or unknown.
• We’ve all been drafted to fight in an ongoing war – a war that has become more costly every day - and some of us don’t even know we’re soldiers in this conflict. Everyone in this room is on the front lines in the war to protect our vital financial data and confidential personal information from criminals and hackers.
Is security evolving fast enough?
• Our PCs, our tablets, our smartphones – all of our computing devices are evolving, and security threats are evolving as well – are we doing our part to protect ourselves, our families, our businesses and our communities from hackers and criminals? Or are we making it easier for them to steal our information and our identities?
• Security and mobility are intertwined and inseparable. The phone will someday replace the wallet, storing sensitive payments information such as credit card accounts, banking data and other personal information, an ‘identity theft kit in your hand’ so to speak.
Our Talk Today
• Today we will discuss IT / Cybersecurity in general, and also discuss the specifics of IT security as they relate to wire fraud.
• An understanding of the types of security attacks and potential ways to defeat them is a critical first step in preventing financial hacks and wire fraud.
Identity Theft / PII Breaches On The Rise
2.28 Billion Stolen since 2013
• During the first quarter of 2015, almost 200 million records were stolen by cybercriminals during data breaches. From January through March of this year, about 93,000 records were stolen each hour of the day. Breach Level Index reports that a minimum of 2.28 Billion records have been lost or stolen since 2013 – based on disclosed incidents.
• This total is definitely on the low end, since we know many breaches are still unreported or unknown.
Top Breach Sources Last Year
Top Breaches By Industry
What’s an Advanced Persistent Threat (APT)?
An Advanced Persistent Threat (APT) is a very high-tech, cutting-edge attack leveraged to gain prolonged, stealthy control over a high-value political or business target.
Three APT Attributes:
1. Targeted
2. Advanced
3. Persistent
APT: Advanced Attack Techniques
• Zero day exploits
• Zero day malware
• Advanced rootkits
• Evasive
• Targets proprietary systems
• Smart cryptography
Slide graphic: Traditional Cyber Attack vs. Advanced Persistent Threat
Advanced Threats Timeline (2009 to 2014)
GhostNet, Mar. 2009: China-based C&C; spear phishing; political targets
Operation Aurora, Jan. 2010: IE 0day; Comment Crew (CN); stole Gmail and src
Stuxnet, Jun. 2010: four 0days; PLC rootkit; broke centrifuges
RSA/Lockheed, Mar. 2011: 0day Flash flaw; 0day Trojan; stole SecureID info
Duqu, Sep. 2011: 0day Word flaw; Iran, Sudan, Syria; cyber espionage
Flame, May 2012: 0day MS cert flaw; stole IP; targeted Iranian oil
Gauss, Jun. 2012: targeted Lebanon; USB LNK flaw; APT bank Trojan
NYTimes, Jan. 2013: China-based spear phishing; 0day malware
Adobe, Oct. 2013: 152M records; 0day ColdFusion; stolen source
Target, Dec. 2013: 40M CCNs; 0day malware; partner access
Slide legend: Nation-states / Political vs. Criminals / Private
Advanced Threats Require Defense-in-Depth
Advanced threats, by definition, leverage multiple vectors of attack. No single defense will protect you completely from an APT attack. Layers shown on the slide:
• Firewall
• Intrusion Prevention System
• AntiVirus
• AntiSpam
• Reputation Services
• APT Protection
The more layers of security you have, the higher the chance that an additional protection might catch an advanced threat that other layers might miss.
Apple iCloud
• A security researcher who discovered a brute-force attack against Apple's iCloud service in March — similar to the "iBrute" vulnerability that surfaced in conjunction with the celebrity photo hacking scandal earlier last month — says that the company refused to address the flaw for months after he reported it.
• Computer security expert Ibrahim Balic notified members of Apple's product security team of the vulnerability in late March, according to copies of correspondence that Balic provided to reporters. At the time, Balic told Apple representatives that he had been able to test as many as 20,000 passwords against specific accounts.
• It is unclear what relationship the bug that Balic discovered — which he believes went unresolved — has to the iBrute tool that allowed a similar attack against Find my iPhone. Apple later denied that the Find my iPhone vulnerability had been used in the now-infamous photo scandal, saying instead that it was the result of a "targeted attack" that likely involved years of social engineering against the targets.
• The celebrity hacks underscore the longer-term risks for mobile users as smartphones and tablets increasingly become the repository for far more sensitive education, healthcare and banking data. And that data gets stored increasingly in personal cloud accounts, hosted on the public and private Internet.
Mobility Security Trends
• A leading security provider, McAfee, collected 2.47 million samples of new mobile malware last year, with 744,000 being picked up in the fourth quarter of 2013 alone. That is a 197 percent increase over 2012. In Q1 2014 the total malware sample count in the McAfee Labs “zoo” broke the 200 million sample barrier – that is a massive increase in a very short period of time.
• The evidence is crystal clear - criminals are using every avenue available to break into mobile devices. Malware is arriving on mobile devices through just about every attack vector commonly associated with other endpoint devices - usually as a downloaded app, but also from visits to malicious websites, spam, malicious SMS messages, and malware-bearing ads.
Key Takeaways - Cybersecurity
• Cybersecurity is no longer only about keeping your PC patched, or using a strong password. Advanced Persistent Threats are real, they are growing and they require a layered security approach to protect your confidential and critical data.
• What are the minimum components of a threat protection system for business:
  • Perimeter firewall with unified threat management
    • Update firewall software or firmware regularly – once per month
  • Internal security with strong, frequently changed passwords on all accounts
    • DO NOT use the same password across multiple systems
  • Up-to-date patches on all applications – not just Microsoft
    • More than ½ of all malware targets vulnerabilities in Adobe or Java
  • Endpoint protection that includes antivirus, antimalware, and data leak prevention
    • Update endpoint protection regularly – once per week
  • Rock-solid, reliable, encrypted data backup plus off-site storage
Key Takeaways - Cybersecurity
• Moving your apps or your data ‘To The Cloud’ doesn’t automatically increase security. The cloud itself isn’t protection.
• Mobile platforms are becoming the #1 attack target due to perceived weakness of security. If you allow mobile devices on the corporate network – protect them with centrally managed security and a digital policy enforcement tool.
• Odds are not in our favor – have a plan for when things don’t go well. Expect the worst and plan for it, have a “Recovery Strategy” for your data and a “Lockout Plan” for when you believe you’ve been hacked.
Wire Fraud Is On The Rise
Wire Fraud – Are Any Two the Same?
• Fraudsters have developed a variety of methods for initiating fraudulent wire transfers, but a security approach based on data and analytics from customer behavior can be an effective countermeasure to these wire fraud schemes.
• What's great about wires from a customer service perspective – their speed – is also their greatest liability. Fraudsters target wire transfers precisely because of the speed with which the money is moved, making it harder for financial institutions (FIs) to reverse the transactions. Fraudsters have launched a wide range of attacks and schemes, many of which use a combination of banking or communications channels. If the schemes work, they expand quickly. If they don’t, the fraudsters quickly change tactics and launch additional attacks.
Diagram – Many Paths to Wire Fraud
Hundreds of Combinations
Methods of Compromise
• Malware – It’s everywhere and therefore nearly impossible to avoid, distributed in email, on spoofed websites, and arriving in text messages sent to smartphones. According to the Anti-Phishing Working Group, 40% of computers already are infected with malware. Rapid malware innovations create new threats and extend the time to detection, leaving FIs further exposed. Malware detection providers themselves say that when something new appears, it can take weeks to research and formulate new protections.
• Social Engineering – A recent Gartner report described “fraud scams that took social engineering tactics to new heights of deviousness.” Criminals get credentials or other personal information from prospective victims and trick innocent 3rd parties, such as customer service agents, to actually help them complete a fraudulent wire.
• Phishing – Traditional phishing attacks start with an authentic looking email from a bank, a credit card company, the IRS, or another credible entity asking the victim to provide personal or financial information. The victim clicks on a link that goes to a fake site that collects personal or financial information, or the link installs malware on the victim’s computer.
Methods of Compromise
• Vishing & SMishing – In vishing attacks (voicemail phishing) the criminal calls claiming to be a bank, credit card company, or similar organization (often achieved by spoofing the caller ID so it looks like the call really is from the bank), and asks the victim to confirm personal information over the phone. It’s either a live conversation or an urgent-sounding voicemail asking the victim to call back and leave information to avoid some dire result. Fraudsters also use phishing attacks against mobile devices and tablets (SMS phishing, or SMishing), delivering a convincing and similarly urgent text message either with a link to a malicious payload or with a call-back number. When the victim calls, they’re connected to an Automated Voice Response (AVR) system that asks them for personal or financial information.
• Email Compromise – This works two ways: gaining access to email can lead to online banking access, and vice versa. Either way, the fraudster ends up with access to both systems. What makes it much easier for the criminals is account holders’ tendency to reuse passwords. When a criminal compromises a victim’s email account through other means, he has a reasonably good chance that the online banking password is the same as or very similar to the email password. In addition, compromising an email account provides criminals with access to personal information that could be used to successfully authenticate him in a range of online accounts and services.
Sample Wire Fraud Schemes
Online Wire Request to Defeat Out-of-Band Confirmation – The most common wire scheme starts with compromising an online account and then either disabling all security alerts or entering a new phone number or email address, defeating out-of-band (OOB) confirmation and preventing the victim from knowing that the account has been compromised. The fraudster then simply submits a wire request through the compromised online account and approves his own request. One specific technique to defeat OOB is to compromise the victim’s online banking account and change their email address to a very similar disposable email address (aka [email protected] or [email protected] for example), which doesn’t look particularly suspicious but results in the confirmation email being sent to the fraudster.
Fraud Detection - what to look for:
• Unusual time of day for the request
• Unusual amount of time since the last request (velocity) or frequency since prior requests
• Unusual amounts and beneficiaries
Sample Wire Fraud Schemes
Funeral Scheme Uses Compromised Email Account – The basic version of this scenario starts with the fraudster compromising the victim’s email account. He then uses the compromised email account to send a request to the FI’s relationship manager explaining that he’s out of country for a funeral and needs money for expenses. The FI emails the necessary Letter of Authority, which the fraudster receives, signs and faxes back, preying on the fact that FIs don’t check signatures carefully. Upon receiving the signed form, the FI wires the requested funds to the fraudster’s account. A more sophisticated version starts when the fraudster compromises an online banking account to view check images to get the victim’s signature. The rest of the scheme unfolds the same as above, although this time the form is returned with an accurately forged signature. This scheme could also use other life events, for example an accident where medical expenses are the excuse for needing the funds.
Fraud Detection - what to look for:
• First time originator and beneficiary
• Inconsistent with prior wire requests
• Looks suspicious in context of information from other banking systems; for example, recent online banking activity may indicate that the victim is not out of the country
Sample Wire Fraud Schemes
Land Sale Scheme – Title Companies, Lenders and Homebuyers receive emails alleging to be from other parties involved in their real estate closing. These emails contain false wire instructions and direct the Title Company, Lender and/or Homebuyer to wire closing funds to bank accounts that are actually owned by the hackers themselves. The emails may appear to be genuine and contain the sender's company email information and/or logos, etc. It is apparent in all of these types of scams that the hackers monitor the email traffic of at least one of the parties involved in the transaction and are aware of the timing of upcoming transactions and the parties involved.
If there is any indication that buyers, sellers or anyone else has received questionable wiring instructions, the parties should promptly notify their banks, realtors and escrow holders.
Fraud Detection - what to look for:
• Unusual / new beneficiary
• Unusual velocity and/or timing
• Variation in how the party typically initiates wires (e.g. typically it’s done personally and this time it’s through email)
Land Sale Scheme Additional Steps
Since these wire schemes involve multiple parties, and frequently involve parties that don’t often collaborate or transfer funds by wire, we recommend having responsible parties (Title Companies, Lenders, Escrow Agents) modify wire-transfer instructions and procedures to include live phone verification.
Buyers and sellers should confirm all email wiring instructions directly with the escrow officer by calling the escrow officer on the telephone. In that conversation, the correct account number information should be repeated verbally before taking any steps to have the funds transferred.
Certainly, if wiring instructions are changed via email, the buyer should confirm that by phone with the escrow officer and the buyer's real estate agent.
Sample Wire Fraud Schemes
Online Live Chat Targets Customer Service – A fraudster compromises an online banking account and gathers (or changes) personal information. He then engages in a live chat session with a customer service agent saying that he’s having trouble sending a wire and asks for help. The agent believes the fraudster is legitimate because he has successfully logged into online banking. If the agent does request additional confirmation, the fraudster has gathered enough personal information to convince the agent that he is the real customer.
Fraud Detection - what to look for:
• First-time wire request
• Unusual timing of the request
• Unusual velocity
• A new beneficiary
• Variation in how the account holder typically initiates wires (e.g. typically it’s done personally and this time it’s through a bank employee)
Sample Wire Fraud Schemes
Commercial Account Takeover to Defeat Dual Controls – There are several versions of how fraudsters are able to take over commercial accounts and defeat dual controls.
1) A fraudster compromises an online banking admin account and then creates a new user with the authority to approve wire requests. He originates a wire request from the admin account, and then signs into the newly created account and approves his own wire request.
2) It also could work the other way, with the new account originating the wire and the admin account approving it, depending on what privileges the admin account has.
3) A third variation is that the fraudster modifies the privileges of the compromised account so that he can originate and approve a wire transfer from the same account.
Fraud Detection - what to look for:
• Unusual beneficiaries and amounts
• Suspicious timing or velocity relative to previous wire activity
Sample Wire Fraud Schemes
Targeting Employees to Gain Inside Access to the Wire System – Using a spear-phishing scheme, malware designed to compromise the back-end payment system is installed on a bank employee’s computer. The malware takes over the victim’s computer, enabling the fraudster to submit a large-dollar transfer into the wire system (see 2012 FBI alert). This clearly is a more sophisticated attack, but the ability to steal a large amount of money makes it worth the effort to the fraudster.
Fraud Detection - what to look for:
• Unusual beneficiaries and amounts
• Suspicious timing or velocity relative to previous wire activity
Sample Wire Fraud Schemes
Using DDoS Attack as a Smokescreen – The OCC has reported confirmed examples of DDoS attacks being used as smoke screens for fraud attacks (read the OCC alert). One example is that the fraudsters contact customer service during a DDoS attack to ask for help completing a wire. The customer service agent is aware of the website being down and therefore is particularly eager to help, possibly bypassing some established security procedures and confirmations.
Fraud Detection - what to look for:
• First-time wire request
• Unusual timing of the request
• Unusual velocity
• A new beneficiary
Sample Wire Fraud Schemes
Template Modifications Are Nearly Invisible – This scheme starts with compromising the computer of an employee in the finance department or a corporate online banking account. In both scenarios, the objective is to locate existing wire templates and then modify the beneficiary information, possibly just the account number. These can be templates stored on a corporate server or employee’s computer, or available through the company’s online banking account. After changing the template, the fraudster simply waits for the victim to use the template, hoping that they don’t notice the subtle changes that cause the funds to be wired to the fraudster’s account instead of to the intended beneficiary.
In a variation on this scheme, the fraudster modifies the Originator-to-Beneficiary instructions (OBI) and inserts a request to forward the funds to an account that the fraudster holds (for example, he adds “for the benefit of” or “for further credit” instructions).
Fraud Detection - what to look for:
• New beneficiary
• Unexpected relationship between originator and beneficiary
Sample Wire Fraud Schemes
Fake Vendor Invoice – The fraudster mocks up a fake invoice from a known vendor and submits it to a company for payment with fraudulent payment instructions. Especially when the vendor being spoofed has a long-term relationship and is known to submit regular invoices, the victimized company often doesn’t review it quite as closely, but submits it to the bank for payment. Fraudsters will also use this scam to attack many companies simultaneously with the same invoice template, pretending to be a supplier used by a lot of different companies, such as the phone company or the electric utility.
Fraud Detection - what to look for:
• New payment details, such as the account number
• Unusual velocity of payments to that vendor/beneficiary
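The detection signals listed under the schemes above (first-time originator, new beneficiary, unusual time of day, unusual amount, velocity, and a change in how the customer usually initiates wires) can be checked automatically against the account's own wire history. The following is an added example, not material from the presentation; the weights, thresholds, account and beneficiary names are constructed assumptions.

```python
"""Screen a wire request against the customer's own wire history.

Added example (not from the presentation): the deck's detection signals
turned into checks over constructed sample data. Weights, thresholds and
all account/beneficiary names are illustrative assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Illustrative weight per signal (assumption, not from the slides).
WEIGHTS = {
    "first_time_wire": 30,
    "new_beneficiary": 25,
    "channel_variation": 20,
    "unusual_hour": 15,
    "unusual_amount": 20,
    "unusual_velocity": 20,
}
HOLD_THRESHOLD = 40  # at or above this, hold the wire for live phone verification

@dataclass(frozen=True)
class WireRequest:
    account: str
    when: datetime
    amount: float
    beneficiary: str
    channel: str  # how it was initiated: "online", "email", "chat", "branch"

def screen(history: list[WireRequest], req: WireRequest) -> tuple[list[str], int]:
    """Return (flags, score) for req, judged against the same account's prior wires."""
    prior = sorted((h for h in history if h.account == req.account), key=lambda h: h.when)
    flags: list[str] = []
    if not prior:
        # Nothing to compare against: a first-time originator, hence also a new beneficiary.
        flags = ["first_time_wire", "new_beneficiary"]
        return flags, sum(WEIGHTS[f] for f in flags)
    if req.beneficiary not in {p.beneficiary for p in prior}:
        flags.append("new_beneficiary")
    if req.channel not in {p.channel for p in prior}:
        flags.append("channel_variation")  # e.g. usually online, this time by email
    hours = [p.when.hour for p in prior]
    if not (min(hours) - 2 <= req.when.hour <= max(hours) + 2):
        flags.append("unusual_hour")  # outside the customer's observed window
    if len(prior) >= 3:
        if req.amount > 3 * median(p.amount for p in prior):
            flags.append("unusual_amount")
        gaps = [(b.when - a.when).total_seconds() for a, b in zip(prior, prior[1:])]
        since_last = (req.when - prior[-1].when).total_seconds()
        if since_last < median(gaps) / 10:
            flags.append("unusual_velocity")  # far sooner than the usual cadence
    return flags, sum(WEIGHTS[f] for f in flags)

def decision(score: int) -> str:
    """Map a score to the action the deck recommends for suspect wires."""
    return "hold_for_phone_verification" if score >= HOLD_THRESHOLD else "release"

def constructed_history() -> list[WireRequest]:
    """Six months of routine monthly wires for a constructed account."""
    return [
        WireRequest("ACCT-CONSTRUCTED-1", datetime(2015, m, 1, 10, 0), 10_000 + 100 * m,
                    "VENDOR-A-CONSTRUCTED", "online")
        for m in range(1, 7)
    ]

def routine_request() -> WireRequest:
    return WireRequest("ACCT-CONSTRUCTED-1", datetime(2015, 7, 1, 10, 30), 10_200,
                       "VENDOR-A-CONSTRUCTED", "online")

def land_sale_style_request() -> WireRequest:
    # Emailed "changed" instructions: new beneficiary, odd hour, large amount, off-cadence.
    return WireRequest("ACCT-CONSTRUCTED-1", datetime(2015, 6, 3, 23, 0), 45_000,
                       "NEW-BENEFICIARY-CONSTRUCTED", "email")

def first_wire_request() -> WireRequest:
    return WireRequest("ACCT-CONSTRUCTED-2", datetime(2015, 6, 3, 11, 0), 5_000,
                       "VENDOR-B-CONSTRUCTED", "chat")

if __name__ == "__main__":
    history = constructed_history()
    for req in (routine_request(), land_sale_style_request(), first_wire_request()):
        flags, score = screen(history, req)
        print(f"{req.account} -> {decision(score)} ({score}): {flags}")
```

The routine request releases with no flags, while the emailed land-sale style request trips every history-based signal and is held for the live phone verification the deck recommends.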
Conclusion
• Today we discussed IT and Cybersecurity in general, and we also discussed the specifics of IT security as they relate to wire fraud.
• Your understanding of the vulnerabilities, types of security attacks, and potential ways to defeat them is a critical first step in preventing financial hacks and wire fraud.
• You’ve been drafted – basic training is over – now we all go back to the front lines.
Free Offer – Valid Until May 31st
Verteks Consulting offers a free, no-obligation I.T. Assessment of your existing business technology. Our trained and certified engineers will use state-of-the-art assessment tools to safely scan your systems and provide you with a report and overall risk score. This is a $1,200 value.
Upon conclusion of your free assessment, you’ll receive comprehensive reports that document and encompass the following areas:
• Network security issues and recommendations for resolution, including open file shares, system vulnerabilities, missing security updates/patches, weak passwords, weak/missing antivirus software, insecure listening ports, external vulnerability scan
• Critical issues which can dramatically impact system/data availability or recoverability and recommendations for resolution
• Data distribution and file server analysis and management recommendations
• Report and recommendations for each individual Windows-based server
• Active Directory health and performance analysis with any necessary reconfiguration recommendations
Reports Included in Assessment
Security Risk Report. This executive-level report includes a proprietary Security Risk Score along with summary charts, graphs and an explanation of the risks found in the security scans.
Security Policy Assessment Report. A detailed review of the security policies that are in place on both a domain wide and local machine basis.
Shared Permission Report. Comprehensive lists of all network “shares” by computer, detailing which users and groups have access to which devices and files, and what level of access they have.
User Permissions Report. Organizes permissions by user, showing all shared computers and files to which they have access.
Internal Vulnerabilities Report. Highlights deviation from industry standards compared to outbound port and protocol accessibility, lists available wireless networks as part of a wireless security survey, and provides information on Internet content accessibility.
External Vulnerabilities Full Detail Report. A comprehensive output including security holes, warnings, and informational items that can help you make better network security decisions, plus a full NMap Scan which checks all 65,535 ports and reports which are open. This is an essential item for many standard security compliance reports.
THANK YOU!
Don Gulling, CEO, Verteks Consulting
Free Assessment Link
http://www.verteks.com/it-assessment/
Offer Expires May 31st
BACKUP SLIDES
Sample Assessment Data
Security Assessment
Prepared For: CLIENT NAME OMITTED
Prepared By:
Share Permissions Report
Agenda
• Security - External & Outbound
• Security - Policy Compliance
• Risk and Issue Score
• Issue Review
• Next Steps
Security - External & Outbound
External Scan Results: No External Scans
Content Filtering Assessment
Security - Policy Compliance
Password Policy
Policy                                        Setting                 Computers
Enforce password history                      0 passwords remembered  All Sampled
Maximum password age                          0                       All Sampled
Minimum password age                          1 days                  All Sampled
Minimum password length                       4 characters            All Sampled
Password must meet complexity requirements    Disabled                All Sampled
Store passwords using reversible encryption   Disabled                All Sampled

Account Lockout Policy
Policy                                        Setting                 Computers
Account lockout duration                      Not Applicable          All Sampled
Account lockout threshold                     Disabled                All Sampled
Reset account lockout counter after           Not Applicable          All Sampled
Risk and Issue Score (Current Risk Score, Current Issue Score)
Issue Review

Password complexity not enabled (75 pts)
Issue: Enforcing password complexity limits the ability of an attacker to acquire a password through brute force.
Recommendation: Enable password complexity to assure domain account passwords are secure.

Automatic screen lock not turned on (72 pts)
Issue: Automatic screen lock prevents unauthorized access when users leave their computers. Having no screen lock enabled allows unauthorized access to network resources.
Recommendation: Enable automatic screen lock on the specified computers.

Password history not remembered for at least 6 passwords (72 pts)
Issue: Short password histories allow users to rotate through a known set of passwords, thus reducing the effectiveness of a good password management policy.
Recommendation: Increase password history to remember at least 6 passwords.

Passwords less than 6 characters allowed (75 pts)
Issue: Passwords are not required to be 6 or more characters, allowing users to pick extremely short passwords which are vulnerable to brute force attacks.
Recommendation: Enforce a minimum password length of 6 or more characters.

Account lockout disabled (77 pts)
Issue: Account lockout (disabling an account after a number of failed attempts) significantly reduces the risk of an attacker acquiring a password through a brute force attack.
Recommendation: Enable account lockout for all users.

System Protocol Leakage (45 pts)
Issue: System protocols were allowed to be sent outbound. To prevent potential loss of data and reduce the risk of malicious behavior by malware, these protocols should be restricted or blocked by external access controls. There are very few instances where system protocols are needed outside of the internal network. Allowing these protocols to "leak" does not mean that they are currently posing a threat, but it is an indication of a lack of a managed firewall or proper policies to block these protocols.
Recommendation: We suggest ensuring adequate access controls are in place to block these protocols, or noting them as acceptable risks.
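The password and account lockout policy table above, together with these findings, amounts to a small rule set. The following added example (not the assessment tool's code) applies the rules stated in the findings to the sampled settings and to an assumed corrected policy; the issue names and point values are the ones in the sample report, while the parsing, the comparison thresholds and the hardened values are assumptions.

```python
"""Evaluate a sampled domain password/lockout policy against the rules
behind the sample findings.

Added example, not the assessment tool's code: issue names and points are
taken from the sample report; parsing, comparisons and HARDENED_POLICY
values are assumptions. The screen-lock finding is omitted because its
setting is not part of the policy table.
"""
from __future__ import annotations

from typing import Optional

# The settings as reported on the sample slides, keyed by policy name.
SAMPLED_POLICY = {
    "Enforce password history": "0 passwords remembered",
    "Maximum password age": "0",
    "Minimum password age": "1 days",
    "Minimum password length": "4 characters",
    "Password must meet complexity requirements": "Disabled",
    "Store passwords using reversible encryption": "Disabled",
    "Account lockout duration": "Not Applicable",
    "Account lockout threshold": "Disabled",
    "Reset account lockout counter after": "Not Applicable",
}

# The same policy with assumed values that satisfy each recommendation.
HARDENED_POLICY = {
    **SAMPLED_POLICY,
    "Enforce password history": "24 passwords remembered",
    "Maximum password age": "90 days",
    "Minimum password length": "12 characters",
    "Password must meet complexity requirements": "Enabled",
    "Account lockout duration": "30 minutes",
    "Account lockout threshold": "5 invalid logon attempts",
    "Reset account lockout counter after": "30 minutes",
}

# (issue text, points) exactly as shown in the sample Issue Review slides.
ISSUES = {
    "complexity": ("Password complexity not enabled", 75),
    "history": ("Password history not remembered for at least 6 passwords", 72),
    "length": ("Passwords less than 6 characters allowed", 75),
    "lockout": ("Account lockout disabled", 77),
}

def leading_int(value: str) -> Optional[int]:
    """'4 characters' -> 4; 'Disabled' or 'Not Applicable' -> None."""
    parts = value.split()
    return int(parts[0]) if parts and parts[0].isdigit() else None

def evaluate(policy: dict[str, str]) -> list[tuple[str, int]]:
    """Return the (issue, points) findings the sample report's rules would raise."""
    findings = []
    if policy.get("Password must meet complexity requirements") != "Enabled":
        findings.append(ISSUES["complexity"])
    if (leading_int(policy.get("Enforce password history", "")) or 0) < 6:
        findings.append(ISSUES["history"])
    if (leading_int(policy.get("Minimum password length", "")) or 0) < 6:
        findings.append(ISSUES["length"])
    # A threshold of "Disabled" (or 0) means accounts never lock out.
    if not leading_int(policy.get("Account lockout threshold", "")):
        findings.append(ISSUES["lockout"])
    return findings

def total_points(policy: dict[str, str]) -> int:
    """Sum of the points of all findings raised for the policy."""
    return sum(points for _, points in evaluate(policy))

if __name__ == "__main__":
    for name, policy in (("sampled", SAMPLED_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, total_points(policy), [issue for issue, _ in evaluate(policy)])
```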
Next Steps
• Agree on List of Issues to Resolve
• Present Project Estimates and Costs
• Establish Timelines
• Set Milestones
• Get Signoff to Begin Work