IT Security and Wire Fraud Awareness Slide Deck

EMERGING TRENDS IN IT SECURITY / WIRE FRAUD
Presented by: Don Gulling, CEO, Verteks Consulting
Twitter: @dongulling LinkedIn: www.linkedin.com/in/dongulling

Uploaded by dgulling, posted 11-Aug-2015, 50 pages. Category: Technology

TRANSCRIPT

Page 1: IT Security and Wire Fraud Awareness Slide Deck

EMERGING TRENDS IN IT SECURITY / WIRE FRAUD

Presented by: Don Gulling, CEO, Verteks Consulting

Twitter:@dongulling LinkedIn: www.linkedin.com/in/dongulling

Page 2: IT Security and Wire Fraud Awareness Slide Deck

My Background

• Working in IT since 1987, first job as a mainframe programmer and software developer
• CEO of Verteks Consulting for 18 years
• Managing 23 employees, $5M+ per year in revenue
• Complex project management for Finance, Insurance, Healthcare, Local/State/Federal Government, Defense, others
• Author and speaker on IT security and IT trends
• Keynote speaker for 2014 ITen Wired Summit
• Featured speaker for Angelbeat Tech/Security Conference
• Featured speaker for DataConnectors Tech/Security Conference

Page 3: IT Security and Wire Fraud Awareness Slide Deck

You’ve been DRAFTED

• During the 30 to 45 minutes of this presentation, a minimum of 69,750 confidential personal and financial records will be stolen.

• Breach Level Index reported that from January through March of this year, about 93,000 records were stolen each hour of the day. This total is definitely on the low end of what we should expect, since we know many breaches are still unreported or unknown.

• We’ve all been drafted to fight in an ongoing war – a war that has become more costly every day – and some of us don’t even know we’re soldiers in this conflict. Everyone in this room is on the front lines in the war to protect our vital financial data and confidential personal information from criminals and hackers.

Page 4: IT Security and Wire Fraud Awareness Slide Deck

Is security evolving fast enough?

• Our PCs, our tablets, our smartphones – all of our computing devices are evolving, and security threats are evolving as well – are we doing our part to protect ourselves, our families, our businesses and our communities from hackers and criminals? Or are we making it easier for them to steal our information and our identities?

• Security and mobility are intertwined and inseparable. The phone will someday replace the wallet, storing sensitive payments information such as credit card accounts, banking data and other personal information, an ‘identity theft kit in your hand’ so to speak.

Page 5: IT Security and Wire Fraud Awareness Slide Deck

Our Talk Today

• Today we will discuss IT / Cybersecurity in general, and also discuss the specifics of IT security as they relate to wire fraud.

• An understanding of the types of security attacks and potential ways to defeat them is a critical first step in preventing financial hacks and wire fraud.

Page 6: IT Security and Wire Fraud Awareness Slide Deck

Identity Theft / PII Breaches On The Rise

Page 7: IT Security and Wire Fraud Awareness Slide Deck

2.28 Billion Stolen since 2013

• During the first quarter of 2015, almost 200 million records were stolen by cybercriminals during data breaches. From January through March of this year, about 93,000 records were stolen each hour of the day. Breach Level Index reports that a minimum of 2.28 Billion records have been lost or stolen since 2013 – based on disclosed incidents.

• This total is definitely on the low end, since we know many breaches are still unreported or unknown.

Page 8: IT Security and Wire Fraud Awareness Slide Deck

Top Breach Sources Last Year

Page 9: IT Security and Wire Fraud Awareness Slide Deck

Top Breaches By Industry

Page 10: IT Security and Wire Fraud Awareness Slide Deck

What’s an Advanced Persistent Threat (APT)?

An Advanced Persistent Threat (APT) is a very high-tech, cutting-edge attack leveraged to gain prolonged, stealthy control over a high-value political or business target.

Three APT Attributes:
1. Targeted
2. Advanced
3. Persistent

Page 11: IT Security and Wire Fraud Awareness Slide Deck

APT: Advanced Attack Techniques

• Zero day exploits
• Zero day malware
• Advanced rootkits
• Evasive
• Targets proprietary systems
• Smart cryptography

(Diagram: Traditional Cyber Attack vs. Advanced Persistent Threat)

Page 12: IT Security and Wire Fraud Awareness Slide Deck

Advanced Threats Timeline

Mar. 2009  GhostNet           China-based C&C; spear phishing; political targets
Jan. 2010  Operation Aurora   IE 0day; Comment Crew (CN); stole Gmail and source
Jun. 2010  Stuxnet            Four 0days; PLC rootkit; broke centrifuges
Mar. 2011  RSA/Lockheed       0day Flash flaw; 0day Trojan; stole SecurID info
Sep. 2011  Duqu               0day Word flaw; Iran, Sudan, Syria; cyber espionage
May 2012   Flame              0day MS cert flaw; stole IP; targeted Iranian oil
Jun. 2012  Gauss              Targeted Lebanon; USB LNK flaw; APT bank Trojan
Jan. 2013  NYTimes            China-based spear phishing; 0day malware
Oct. 2013  Adobe              152M records; 0day ColdFusion; stolen source
Dec. 2013  Target             40M CCNs; 0day malware; partner access

Legend: Nation-states / Political vs. Criminals / Private

Page 13: IT Security and Wire Fraud Awareness Slide Deck

Advanced Threats Require Defense-in-Depth

Advanced threats, by definition, leverage multiple vectors of attack. No single defense will protect you completely from an APT attack.

• Firewall
• Intrusion Prevention System
• AntiVirus
• AntiSpam
• Reputation Services
• APT Protection

The more layers of security you have, the higher the chance that an additional protection might catch an advanced threat that other layers might miss.

Page 14: IT Security and Wire Fraud Awareness Slide Deck

Apple iCloud

• A security researcher who discovered a brute-force attack against Apple's iCloud service in March — similar to the "iBrute" vulnerability that surfaced in conjunction with the celebrity photo hacking scandal earlier last month — says that the company refused to address the flaw for months after he reported it.

• Computer security expert Ibrahim Balic notified members of Apple's product security team of the vulnerability in late March, according to copies of correspondence that Balic provided to reporters. At the time, Balic told Apple representatives that he had been able to test as many as 20,000 passwords against specific accounts.

• It is unclear what relationship the bug that Balic discovered — which he believes went unresolved — has to the iBrute tool that allowed a similar attack against Find my iPhone. Apple later denied that the Find my iPhone vulnerability had been used in the now-infamous photo scandal, saying instead that it was the result of a "targeted attack" that likely involved years of social engineering against the targets.

• The celebrity hacks underscore the longer-term risks for mobile users as smartphones and tablets increasingly become the repository for far more sensitive education, healthcare and banking data. And that data gets stored increasingly in personal cloud accounts, hosted on the public and private Internet.

Page 15: IT Security and Wire Fraud Awareness Slide Deck

Mobility Security Trends

• A leading security provider, McAfee, collected 2.47 million samples of new mobile malware last year with 744,000 being picked up in the fourth quarter of 2013 alone. That is a 197 percent increase over 2012. In Q1 2014 the total malware sample count in the McAfee Labs “zoo” broke the 200 million sample barrier – that is a massive increase in a very short period of time.

• The evidence is crystal clear – criminals are using every avenue available to break into mobile devices. Malware is arriving on mobile devices through just about every attack vector commonly associated with other endpoint devices – usually as a downloaded app, but also from visits to malicious websites, spam, malicious SMS messages, and malware-bearing ads.

Page 16: IT Security and Wire Fraud Awareness Slide Deck

Key Takeaways - Cybersecurity

• Cybersecurity is no longer only about keeping your PC patched, or using a strong password. Advanced Persistent Threats are real, they are growing and they require a layered security approach to protect your confidential and critical data.

• What are the minimum components of a threat protection system for business?
  • Perimeter firewall with unified threat management
    • Update firewall software or firmware regularly – once per month
  • Internal security with strong, frequently changed passwords on all accounts
    • DO NOT use the same password across multiple systems
  • Up-to-date patches on all applications – not just Microsoft
    • More than ½ of all malware targets vulnerabilities in Adobe or Java
  • Endpoint protection that includes antivirus, antimalware, and data leak prevention
    • Update endpoint protection regularly – once per week
  • Rock-solid, reliable, encrypted data backup plus off-site storage

Page 17: IT Security and Wire Fraud Awareness Slide Deck

Key Takeaways - Cybersecurity

• Moving your apps or your data ‘To The Cloud’ doesn’t automatically increase security. The cloud itself isn’t protection.

• Mobile platforms are becoming the #1 attack target due to perceived weakness of security. If you allow mobile devices on the corporate network – protect them with a centrally managed security and digital policy enforcement tool.

• Odds are not in our favor – have a plan for when things don’t go well. Expect the worst and plan for it, have a “Recovery Strategy” for your data and a “Lockout Plan” for when you believe you’ve been hacked.

Page 18: IT Security and Wire Fraud Awareness Slide Deck

Wire Fraud Is On The Rise

Page 19: IT Security and Wire Fraud Awareness Slide Deck

Wire Fraud – Are Any Two the Same?

• Fraudsters have developed a variety of methods for initiating fraudulent wire transfers, but a security approach based on data and analytics from customer behavior can be an effective countermeasure to these wire fraud schemes.

• What's great about wires from a customer service perspective – their speed – is also their greatest liability. Fraudsters target wire transfers precisely because of the speed with which the money is moved, making it harder for financial institutions (FIs) to reverse the transactions. Fraudsters have launched a wide range of attacks and schemes, many of which use a combination of banking or communications channels. If the schemes work, they expand quickly. If they don’t, the fraudsters quickly change tactics and launch additional attacks.


Page 20: IT Security and Wire Fraud Awareness Slide Deck

Diagram – Many Paths to Wire Fraud

Hundreds of Combinations

Page 21: IT Security and Wire Fraud Awareness Slide Deck

Methods of Compromise

• Malware – It’s everywhere and therefore nearly impossible to avoid, distributed in email, on spoofed websites, and arriving in text messages sent to smartphones. According to the Anti-Phishing Working Group, 40% of computers already are infected with malware. Rapid malware innovations create new threats and extend the time to detection, leaving FIs further exposed. Malware detection providers themselves say that when something new appears, it can take weeks to research and formulate new protections.

• Social Engineering – A recent Gartner report described “fraud scams that took social engineering tactics to new heights of deviousness.” Criminals get credentials or other personal information from prospective victims and trick innocent 3rd parties, such as customer service agents, to actually help them complete a fraudulent wire.

• Phishing – Traditional phishing attacks start with an authentic-looking email from a bank, a credit card company, the IRS, or another credible entity asking the victim to provide personal or financial information. The victim clicks on a link that goes to a fake site that collects personal or financial information, or the link installs malware on the victim’s computer.

Page 22: IT Security and Wire Fraud Awareness Slide Deck

Methods of Compromise

• Vishing & SMishing – In vishing attacks (voicemail phishing) the criminal calls claiming to be a bank, credit card company, or similar organization (often achieved by spoofing the caller ID so it looks like the call really is from the bank), and asks the victim to confirm personal information over the phone. It’s either a live conversation or an urgent-sounding voicemail asking the victim to call back and leave information to avoid some dire result. Fraudsters also use phishing attacks against mobile devices and tablets (SMS phishing, or SMishing), delivering a convincing and similarly urgent text message either with a link to a malicious payload or with a call-back number. When the victim calls, they’re connected to an Automated Voice Response (AVR) system that asks them for personal or financial information.

• Email Compromise – This works two ways: gaining access to email can lead to online banking access, and vice versa. Either way, the fraudster ends up with access to both systems. What makes it much easier for the criminals is account holders’ tendency to reuse passwords. When a criminal compromises a victim’s email account through other means, he has a reasonably good chance that the online banking password is the same as or very similar to the email password. In addition, compromising an email account provides criminals with access to personal information that could be used to successfully authenticate him in a range of online accounts and services.

Page 23: IT Security and Wire Fraud Awareness Slide Deck

Sample Wire Fraud Schemes

Online Wire Request to Defeat Out-of-Band Confirmation – The most common wire scheme starts with compromising an online account and then either disabling all security alerts or entering a new phone number or email address, defeating out-of-band (OOB) confirmation and preventing the victim from knowing that the account has been compromised. The fraudster then simply submits a wire request through the compromised online account and approves his own request. One specific technique to defeat OOB is to compromise the victim’s online banking account and change their email address to a very similar disposable email address (aka [email protected] or [email protected] for example), which doesn’t look particularly suspicious but results in the confirmation email being sent to the fraudster.

Fraud Detection - what to look for:
• Unusual time of day for the request
• Unusual amount of time since the last request (velocity) or frequency since prior requests
• Unusual amounts and beneficiaries

Page 24: IT Security and Wire Fraud Awareness Slide Deck

Sample Wire Fraud Schemes

Funeral Scheme Uses Compromised Email Account – The basic version of this scenario starts with the fraudster compromising the victim’s email account. He then uses the compromised email account to send a request to the FI’s relationship manager explaining that he’s out of country for a funeral and needs money for expenses. The FI emails the necessary Letter of Authority, which the fraudster receives, signs and faxes back, preying on the fact that FIs don’t check signatures carefully. Upon receiving the signed form, the FI wires the requested funds to the fraudster’s account. A more sophisticated version starts when the fraudster compromises an online banking account to view check images to get the victim’s signature. The rest of the scheme unfolds the same as above, although this time the form is returned with an accurately forged signature. This scheme could also use other life events, for example an accident where medical expenses are the excuse for needing the funds.

Fraud Detection - what to look for:
• First time originator and beneficiary
• Inconsistent with prior wire requests
• Looks suspicious in context of information from other banking systems; for example, recent online banking activity may indicate that the victim is not out of the country

Page 25: IT Security and Wire Fraud Awareness Slide Deck

Sample Wire Fraud Schemes

Land Sale Scheme – Title Companies, Lenders and Homebuyers receive emails purporting to be from other parties involved in their real estate closing. These emails contain false wire instructions and direct the Title Company, Lender and/or Homebuyer to wire closing funds to bank accounts that are actually owned by the hackers themselves. The emails may appear to be genuine and contain the sender’s company email information and/or logos, etc. It is apparent in all of these types of scams that the hackers monitor the email traffic of at least one of the parties involved in the transaction and are aware of the timing of upcoming transactions and the parties involved.

If there is any indication that buyers, sellers or anyone else has received questionable wiring instructions, the parties should promptly notify their banks, realtors and escrow holders.

Fraud Detection - what to look for:
• Unusual / new beneficiary
• Unusual velocity and/or timing
• Variation in how the party typically initiates wires (e.g. typically it’s done personally and this time it’s through email)

Page 26: IT Security and Wire Fraud Awareness Slide Deck

Land Sale Scheme Additional Steps

Since these wire schemes involve multiple parties, and frequently involve parties that don’t often collaborate or transfer funds by wire, we recommend having responsible parties (Title Companies, Lenders, Escrow Agents) modify wire-transfer instructions and procedures to include live phone verification.

Buyers and sellers should confirm all email wiring instructions directly with the escrow officer by calling the escrow officer on the telephone. In that conversation, the correct account number information should be repeated verbally before taking any steps to have the funds transferred.

Certainly, if wiring instructions are changed via email, the buyer should confirm that by phone with the escrow officer and the buyer's real estate agent.

Page 27: IT Security and Wire Fraud Awareness Slide Deck

Sample Wire Fraud Schemes

Online Live Chat Targets Customer Service – A fraudster compromises an online banking account and gathers (or changes) personal information. He then engages in a live chat session with a customer service agent saying that he’s having trouble sending a wire and asks for help. The agent believes the fraudster is legitimate because he has successfully logged into online banking. If the agent does request additional confirmation, the fraudster has gathered enough personal information to convince the agent that he is the real customer.

Fraud Detection - what to look for:
• First-time wire request
• Unusual timing of the request
• Unusual velocity
• A new beneficiary
• Variation in how the account holder typically initiates wires (e.g. typically it’s done personally and this time it’s through a bank employee)

Page 28: IT Security and Wire Fraud Awareness Slide Deck

Sample Wire Fraud Schemes

Commercial Account Takeover to Defeat Dual Controls – There are several versions of how fraudsters are able to take over commercial accounts and defeat dual controls.

1) A fraudster compromises an online banking admin account and then creates a new user with the authority to approve wire requests. He originates a wire request from the admin account, and then signs into the newly created account and approves his own wire request.

2) It also could work the other way, with the new account originating the wire and the admin account approving it, depending on what privileges the admin account has.

3) A third variation is that the fraudster modifies the privileges of the compromised account so that he can originate and approve a wire transfer from the same account.

Fraud Detection - what to look for:
• Unusual beneficiaries and amounts
• Suspicious timing or velocity relative to previous wire activity

Page 29: IT Security and Wire Fraud Awareness Slide Deck

Sample Wire Fraud Schemes

Targeting Employees to Gain Inside Access to the Wire System – Using a spear-phishing scheme, malware designed to compromise the back-end payment system is installed on a bank employee’s computer. The malware takes over the victim’s computer, enabling the fraudster to submit a large-dollar transfer into the wire system (see 2012 FBI alert). This clearly is a more sophisticated attack, but the ability to steal a large amount of money makes it worth the effort to the fraudster.

Fraud Detection - what to look for:
• Unusual beneficiaries and amounts
• Suspicious timing or velocity relative to previous wire activity

Page 30: IT Security and Wire Fraud Awareness Slide Deck

Sample Wire Fraud Schemes

Using DDoS Attack as a Smokescreen – The OCC has reported confirmed examples of DDoS attacks being used as smoke screens for fraud attacks (read the OCC alert). One example is that the fraudsters contact customer service during a DDoS attack to ask for help completing a wire. The customer service agent is aware of the website being down and therefore is particularly eager to help, possibly bypassing some established security procedures and confirmations.

Fraud Detection - what to look for:
• First-time wire request
• Unusual timing of the request
• Unusual velocity
• A new beneficiary

Page 31: IT Security and Wire Fraud Awareness Slide Deck

Sample Wire Fraud Schemes

Template Modifications Are Nearly Invisible – This scheme starts with compromising the computer of an employee in the finance department or a corporate online banking account. In both scenarios, the objective is to locate existing wire templates and then modify the beneficiary information, possibly just the account number. These can be templates stored on a corporate server or employee’s computer, or available through the company’s online banking account. After changing the template, the fraudster simply waits for the victim to use the template, hoping that they don’t notice the subtle changes that cause the funds to be wired to the fraudster’s account instead of to the intended beneficiary.

In a variation on this scheme, the fraudster modifies the Originator-to-Beneficiary instructions (OBI) and inserts a request to forward the funds to an account that the fraudster holds (for example, he adds “for the benefit of” or “for further credit” instructions).

Fraud Detection - what to look for:
• New beneficiary
• Unexpected relationship between originator and beneficiary

Page 32: IT Security and Wire Fraud Awareness Slide Deck

Sample Wire Fraud Schemes

Fake Vendor Invoice – The fraudster mocks up a fake invoice from a known vendor and submits it to a company for payment with fraudulent payment instructions. Especially when the vendor being spoofed has a long-term relationship and is known to submit regular invoices, the victimized company often doesn’t review it quite as closely, but submits it to the bank for payment. Fraudsters will also use this scam to attack many companies simultaneously with the same invoice template, pretending to be a supplier used by a lot of different companies, such as the phone company or the electric utility.

Fraud Detection - what to look for:
• New payment details, such as the account number
• Unusual velocity of payments to that vendor/beneficiary
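The "what to look for" lists on the scheme slides above (unusual time of day, velocity, unusual amounts, new beneficiaries, a changed account number for a known vendor, a change of channel), together with the profile-tampering patterns from the Out-of-Band Confirmation slide (alerts disabled, a lookalike email address) and the Dual Controls slide (a freshly created approver, self-approval), can be expressed as screening rules run against an account's wire history. The script below is an added example, not code from the slide deck or from Verteks Consulting; the field names, the thresholds and every record in it are constructed assumptions, not real bank data.

```python
"""Rule-based screening of a wire request against an account's history.

Added example (not from the slide deck). Field names, thresholds and all
sample records below are constructed assumptions, not real bank data.
"""
from datetime import datetime, timedelta
from difflib import SequenceMatcher
from statistics import mean

FMT = "%Y-%m-%d %H:%M"

# Constructed history of prior, legitimate wires for one commercial account.
HISTORY = [
    {"ts": "2015-03-02 10:15", "amount": 4200.0, "beneficiary": "ACME-SUPPLY-001",
     "account": "ACCT-1111", "channel": "branch"},
    {"ts": "2015-04-01 09:40", "amount": 4350.0, "beneficiary": "ACME-SUPPLY-001",
     "account": "ACCT-1111", "channel": "branch"},
    {"ts": "2015-05-04 11:05", "amount": 4100.0, "beneficiary": "ACME-SUPPLY-001",
     "account": "ACCT-1111", "channel": "branch"},
]

# Constructed profile changes made shortly before the request under review:
# a lookalike e-mail swap, alerts switched off, and a new approver account.
PROFILE_EVENTS = [
    {"ts": "2015-05-20 02:10", "type": "email_change",
     "old": "jane.doe@example.com", "new": "jane.doe@examp1e.com"},
    {"ts": "2015-05-20 02:12", "type": "alerts_disabled"},
    {"ts": "2015-05-20 02:15", "type": "user_created", "user": "approver2"},
]

# Constructed wire request submitted through online banking.
REQUEST = {
    "ts": "2015-05-20 02:30", "amount": 48000.0, "beneficiary": "NEWCO-777",
    "account": "ACCT-9999", "channel": "online",
    "originator": "admin", "approver": "approver2",
}


def parse(ts):
    return datetime.strptime(ts, FMT)


def lookalike(old, new, threshold=0.85):
    """True when the new address is nearly, but not exactly, the old one."""
    return old != new and SequenceMatcher(None, old, new).ratio() >= threshold


def screen_wire(request, history, profile_events, lookback_days=7):
    """Return (indicator, detail) pairs; an empty list means nothing was flagged."""
    flags = []
    req_ts = parse(request["ts"])
    prior = sorted(history, key=lambda w: parse(w["ts"]))

    if not prior:
        flags.append(("first_wire", "no prior wire history on this account"))
    else:
        # Unusual time of day: outside the hours this account has wired before (+/- 2h).
        hours = [parse(w["ts"]).hour for w in prior]
        if not (min(hours) - 2 <= req_ts.hour <= max(hours) + 2):
            flags.append(("unusual_hour", f"{req_ts.hour:02d}h vs usual {min(hours):02d}-{max(hours):02d}h"))
        # Velocity: far less time since the last wire than the account's typical gap.
        gaps = [(parse(b["ts"]) - parse(a["ts"])).days for a, b in zip(prior, prior[1:])]
        since_last = (req_ts - parse(prior[-1]["ts"])).days
        if gaps and since_last < mean(gaps) / 2:
            flags.append(("velocity", f"{since_last} days since last wire, typical {mean(gaps):.0f}"))
        # Unusual amount: more than three times the historical average.
        avg = mean(w["amount"] for w in prior)
        if request["amount"] > 3 * avg:
            flags.append(("unusual_amount", f"{request['amount']:.0f} vs average {avg:.0f}"))
        # New beneficiary, or a known beneficiary whose account number changed.
        known = {w["beneficiary"] for w in prior}
        pairs = {(w["beneficiary"], w["account"]) for w in prior}
        if request["beneficiary"] not in known:
            flags.append(("new_beneficiary", request["beneficiary"]))
        elif (request["beneficiary"], request["account"]) not in pairs:
            flags.append(("changed_payment_details", f"{request['beneficiary']} now to {request['account']}"))
        # A channel the account has never used for wires (e.g. branch before, online now).
        if request["channel"] not in {w["channel"] for w in prior}:
            flags.append(("channel_change", f"{request['channel']} not used for prior wires"))

    # Out-of-band defeat and dual-control defeat: profile changes in the lookback window.
    window_start = req_ts - timedelta(days=lookback_days)
    for e in profile_events:
        if not (window_start <= parse(e["ts"]) <= req_ts):
            continue
        if e["type"] == "email_change" and lookalike(e["old"], e["new"]):
            flags.append(("lookalike_contact_change", f"{e['old']} -> {e['new']}"))
        elif e["type"] == "alerts_disabled":
            flags.append(("alerts_disabled", "security alerts turned off before the request"))
        elif e["type"] == "user_created" and e["user"] == request["approver"]:
            flags.append(("new_approver", f"approver {e['user']} created {e['ts']}"))
    if request["originator"] == request["approver"]:
        flags.append(("self_approval", "originator and approver are the same user"))
    return flags


if __name__ == "__main__":
    for indicator, detail in screen_wire(REQUEST, HISTORY, PROFILE_EVENTS):
        print(f"{indicator:26} {detail}")
```

Each rule is deliberately simple and per-account: the slides' point is that the indicators are relative to that customer's own behaviour, so the baselines (usual hours, typical gap between wires, average amount, known beneficiary/account pairs) come from the account's history rather than from fixed global limits. The lookalike check is the piece a human reviewer misses most often, since `examp1e` reads as `example` at a glance; the string-similarity ratio catches a one-character swap while leaving a genuinely different address alone.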

Page 33: IT Security and Wire Fraud Awareness Slide Deck

Conclusion

• Today we discussed IT and Cybersecurity in general, and we also discussed the specifics of IT security as they relate to wire fraud.

• Your understanding of the vulnerabilities, types of security attacks, and potential ways to defeat them is a critical first step in preventing financial hacks and wire fraud.

• You’ve been drafted – basic training is over – now we all go back to the front lines.

Page 34: IT Security and Wire Fraud Awareness Slide Deck

Free Offer – Valid Until May 31st

Verteks Consulting offers a free, no-obligation I.T. Assessment of your existing business technology. Our trained and certified engineers will use state-of-the-art assessment tools to safely scan your systems and provide you with a report and overall risk score. This is a $1,200 value.

Upon conclusion of your free assessment, you’ll receive comprehensive reports that document and encompass the following areas:

• Network security issues and recommendations for resolution, including open file shares, system vulnerabilities, missing security updates/patches, weak passwords, weak/missing antivirus software, insecure listening ports, external vulnerability scan
• Critical issues which can dramatically impact system/data availability or recoverability and recommendations for resolution
• Data distribution and file server analysis and management recommendations
• Report and recommendations for each individual Windows-based server
• Active Directory health and performance analysis with any necessary reconfiguration recommendations

Page 35: IT Security and Wire Fraud Awareness Slide Deck

Reports Included in Assessment

Security Risk Report. This executive-level report includes a proprietary Security Risk Score along with summary charts, graphs and an explanation of the risks found in the security scans.

Security Policy Assessment Report. A detailed review of the security policies that are in place on both a domain-wide and local machine basis.

Shared Permission Report. Comprehensive lists of all network “shares” by computer, detailing which users and groups have access to which devices and files, and what level of access they have.

User Permissions Report. Organizes permissions by user, showing all shared computers and files to which they have access.

Internal Vulnerabilities Report. Highlights deviation from industry standards compared to outbound port and protocol accessibility, lists available wireless networks as part of a wireless security survey, and provides information on Internet content accessibility.

External Vulnerabilities Full Detail Report. A comprehensive output including security holes, warnings, and informational items that can help you make better network security decisions, plus a full NMap Scan which checks all 65,535 ports and reports which are open. This is an essential item for many standard security compliance reports.

Page 36: IT Security and Wire Fraud Awareness Slide Deck

THANK YOU!

Don Gulling, CEO, Verteks Consulting

Free Assessment Link: http://www.verteks.com/it-assessment/

Offer Expires May 31st

Page 37: IT Security and Wire Fraud Awareness Slide Deck

BACKUP SLIDES

Sample Assessment Data

Page 38: IT Security and Wire Fraud Awareness Slide Deck

Security Assessment

Prepared For: CLIENT NAME OMITTED

Prepared By:

Page 39: IT Security and Wire Fraud Awareness Slide Deck

Share Permissions Report

Page 40: IT Security and Wire Fraud Awareness Slide Deck

Agenda

• Security – External & Outbound – Policy Compliance
• Risk and Issue Score
• Issue Review
• Next Steps

Page 41: IT Security and Wire Fraud Awareness Slide Deck

Security - External & Outbound

• External Scan Results
• Account Lockout Policy
• Risk and Issue Score
• No External Scans
• Content Filtering Assessment

Page 42: IT Security and Wire Fraud Awareness Slide Deck

Security - Policy Compliance

Password Policy

Policy                                        Setting                  Computers
Enforce password history                      0 passwords remembered   All Sampled
Maximum password age                          0                        All Sampled
Minimum password age                          1 days                   All Sampled
Minimum password length                       4 characters             All Sampled
Password must meet complexity requirements    Disabled                 All Sampled
Store passwords using reversible encryption   Disabled                 All Sampled

Account Lockout Policy

Policy                                        Setting                  Computers
Account lockout duration                      Not Applicable           All Sampled
Account lockout threshold                     Disabled                 All Sampled
Reset account lockout counter after           Not Applicable           All Sampled

Page 43: IT Security and Wire Fraud Awareness Slide Deck

Risk and Issue Score

Current Risk Score / Current Issue Score (chart)

Page 44: IT Security and Wire Fraud Awareness Slide Deck

Issue Review

Password complexity not enabled (75 pts)

Issue: Enforcing password complexity limits the ability of an attacker to acquire a password through brute force.

Recommendation: Enable password complexity to assure domain account passwords are secure.

Page 45: IT Security and Wire Fraud Awareness Slide Deck

Issue Review

Automatic screen lock not turned on (72 pts)

Issue: Automatic screen lock prevents unauthorized access when users leave their computers. Having no screen lock enabled allows unauthorized access to network resources.

Recommendation: Enable automatic screen lock on the specified computers.

Page 46: IT Security and Wire Fraud Awareness Slide Deck

Issue Review

Password history not remembered for at least 6 passwords (72 pts)

Issue: Short password histories allow users to rotate through a known set of passwords, thus reducing the effectiveness of a good password management policy.

Recommendation: Increase password history to remember at least 6 passwords.

Page 47: IT Security and Wire Fraud Awareness Slide Deck

Issue Review

Passwords less than 6 characters allowed (75 pts)

Issue: Passwords are not required to be 6 or more characters, allowing users to pick extremely short passwords which are vulnerable to brute force attacks.

Recommendation: Enable enforcement of password length to 6 or more characters.

Page 48: IT Security and Wire Fraud Awareness Slide Deck

Issue Review

Account lockout disabled (77 pts)

Issue: Account lockout (disabling an account after a number of failed attempts) significantly reduces the risk of an attacker acquiring a password through a brute force attack.

Recommendation: Enable account lockout for all users.
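The four password and lockout findings above are mechanical comparisons of the sampled Policy Compliance values against fixed thresholds (complexity enabled, history of at least 6, length of at least 6, lockout threshold above 0), so they can be re-run on any exported policy without the assessment tool. The script below is an added example, not code from the slide deck or from the assessment product: the setting names, thresholds, issue titles and point values are taken from the slides, while the text layout it parses, the function names and the issue score (assumed here to be a plain sum of points) are assumptions.

```python
"""Evaluate sampled password/lockout policy values against the Issue Review rules.

Added example (not from the slide deck or the assessment tool). Setting names,
thresholds, issue titles and points are from the slides; the text layout,
function names and the sum-of-points issue score are assumptions.
"""
import re

# Constructed text in the layout of the Password Policy and Account Lockout
# Policy tables on the sample assessment slide (values as shown there).
SAMPLE_POLICY_TEXT = """
Enforce password history: 0 passwords remembered
Maximum password age: 0
Minimum password age: 1 days
Minimum password length: 4 characters
Password must meet complexity requirements: Disabled
Store passwords using reversible encryption: Disabled
Account lockout duration: Not Applicable
Account lockout threshold: Disabled
Reset account lockout counter after: Not Applicable
"""


def parse_policy(text):
    """Map each setting to an int (leading number) or a lowercase keyword."""
    policy = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(":")
        value = value.strip()
        number = re.match(r"(\d+)", value)
        policy[name.strip()] = int(number.group(1)) if number else value.lower()
    return policy


def is_int(v):
    return isinstance(v, int)


# (setting, passes, issue title, points) -- titles and points from the Issue Review slides.
CHECKS = [
    ("Password must meet complexity requirements", lambda v: v == "enabled",
     "Password complexity not enabled", 75),
    ("Enforce password history", lambda v: is_int(v) and v >= 6,
     "Password history not remembered for at least 6 passwords", 72),
    ("Minimum password length", lambda v: is_int(v) and v >= 6,
     "Passwords less than 6 characters allowed", 75),
    ("Account lockout threshold", lambda v: is_int(v) and v > 0,
     "Account lockout disabled", 77),
]


def evaluate(policy, checks=CHECKS):
    """Return one finding per failed (or missing) setting."""
    findings = []
    for setting, passes, title, points in checks:
        observed = policy.get(setting)
        if observed is None or not passes(observed):
            findings.append({"issue": title, "points": points,
                             "setting": setting, "observed": observed})
    return findings


def issue_score(findings):
    """Assumed scoring: plain sum of the points of all open findings."""
    return sum(f["points"] for f in findings)


if __name__ == "__main__":
    found = evaluate(parse_policy(SAMPLE_POLICY_TEXT))
    for f in found:
        print(f"({f['points']} pts) {f['issue']}: observed {f['observed']!r}")
    print("issue score:", issue_score(found))
```

A missing setting is treated as a failure rather than silently passed, since an export that omits "Account lockout threshold" tells you nothing about whether lockout is on; a non-numeric value such as "Disabled" or "Not Applicable" likewise fails any check that needs a number.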

Page 49: IT Security and Wire Fraud Awareness Slide Deck

Issue Review

System Protocol Leakage (45 pts)

Issue: System protocols were allowed to be sent outbound. To prevent potential loss of data and reduce the risk of malicious behavior by malware, these protocols should be restricted or blocked by external access controls. There are very few instances where system protocols are needed outside of the internal network. Allowing these protocols to "leak" does not mean that they are currently posing a threat, but is an indication of a lack of a managed firewall or proper policies to block these protocols.

Recommendation: We suggest ensuring adequate access controls are in place to block these protocols or note them as acceptable risks.

Page 50: IT Security and Wire Fraud Awareness Slide Deck

Next Steps

• Agree on List of Issues to Resolve
• Present Project Estimates and Costs
• Establish Timelines
• Set Milestones
• Get Signoff to Begin Work