
Page 1: Seminar for Senior Bank Supervisors Cyber Threat, pubdocs.worldbank.org/en/442621511190535488/10-Cybersecurity-cyber-threats.pdf

World Bank 2 Nov 2017

Baltimore Cyber Range Proprietary

Seminar for Senior Bank Supervisors

Cyber Threat

02 Nov 2017

Page 2

Presentation Flow

Cyber Security, Intro - Background

Financial Industry Computer / Network Dependency

Threat, Vulnerabilities

Mitigation

Communications, Operations, Customer

Inter Institution, Operations

Day-Day, Accounting, ATM, Reporting

Demo

Operations, Shareholders, Depositors, Regulators

Impact, Why

Nation State, Financial, Mischief

Technical, Personnel

Technical

Personnel

Operations

‘…financial services firms are a whopping 300 times more likely to be hit by security incidents than other industries’

Lloyd’s

Policies & Procedures

Page 3

Intro - Background

On April 1, 2015, then-President Obama issued an executive order declaring “the increasing prevalence and severity of malicious cyber-enabled activities… constitute an unusual and extraordinary threat to the national security, foreign policy and economy of the United States…” The President included $14 billion for cyber security spending in his 2016 budget.

Page 4

Intro - Background

Organizations from the largest international financial institutions to local banks are today part of a world-wide, interconnected financial system

This world-wide system facilitates the high-speed, anytime, anywhere financial services customers have come to expect

Technology has become key to the continued access, speed and reliability provided by this interconnected financial system

Unfortunately, implementation of the required technology presents operational challenges, risks and liabilities

The Office of the Comptroller of the Currency (OCC) has declared cybersecurity a key risk for banks of all sizes. The volume, sophistication, and impact of cyber threats pose a serious risk for financial institutions

The 2014 JP Morgan Data Breach affected a total of 83 million customers

Page 5

Financial Industry Dependencies

‘Bank of America spends $400 million on cybersecurity in 2015’

Forbes

Today financial institutions are dependent on technology, technology that supports collecting, processing, analyzing and distributing information

All levels of the industry, including senior management, must understand the limitations, shortcomings and risks associated with the technology utilized

Banks must develop “cyber resiliency” as malware and extortion schemes become more complex and widely deployed

Boards and senior management must recognize and accept responsibility for the critical role they play in establishing sound policies and a secure operational environment

Page 6

Threat / Vulnerabilities - Impact

The cost of data breaches to grow to $2.1 trillion globally by 2019 (Juniper)

In 2016 the IT industry saw a rapid and ominous expansion of sophisticated cyber exploits

In the last year the industry has seen multi-million dollar bank compromises, nation-state attempts to influence elections, compromise of millions of consumers’ identity records and explosive growth of ransomware

More than half of companies reporting cyber incidents reported that the incident cost was $100k or more

Twelve percent of the organizations reporting indicate costs of $1,000,000 or more

It is alleged that nation-state attacks against the banks of Bangladesh, Vietnam, Ecuador and Poland alone accounted for more than US $94 million in losses

A cyber incident not only has a cost impact, it can:

- Impact reputations and customer confidence
- Have regulatory and legal impact
- Present liability issues for Boards and senior management
- Impact shareholders and stock values

Page 7

Threat / Vulnerabilities - Impact / Example

Attacks target everything from a single user ATM account to systems like SWIFT

The 2014 JP Morgan Data Breach affected 83 million customers and seven million businesses

This breach exploited malware, social engineering, and spear-phishing attacks to compromise emails, contact information, Social Security Numbers and other customer information

The attack was orchestrated by two fraternity brothers with little technical experience

Technical work was outsourced to Russian hackers

Utilizing a stock fraud scheme, the two defrauded their victims of more than $100 million

This is one of the very few cyber incidents where the attackers were identified and brought to justice

Page 8

The SWIFT compromise was enabled by poor network engineering, implementation and configuration

Access was facilitated by a set of secondhand Bangladesh bank routers connected to the network without a firewall

The attackers used malware to gain control of a SWIFT messaging application

The SWIFT system was then exploited to transfer funds to accounts the attackers controlled

The attackers, believed to be a nation state, transferred $81 million

Threat / Vulnerabilities - Impact / Example

Page 9

2017 Equifax cyber attack compromised sensitive data of 143 million consumers

Attack associated with web weaknesses

Consumer confidence plummeted as the Equifax stock price tumbled

The attack lasted months (May – July) and Equifax failed to provide consumers timely notification

Attack triggers class-action lawsuits

Equifax replaced personnel including Chief Information Officer and Chief Security Officer

Threat / Vulnerabilities - Impact / Example

“It takes an average of 98 days for financial services companies to detect intrusion…” ZDNet

Page 10

Carberp Trojan (2013-2015)

An attack that went undetected for two years

Resulted in the theft of more than $1 billion

Targeted more than 100 banks around the world

Enabled by a phishing campaign targeting system administrators and bank clerks

Exploited a readily available remote-access tool to impersonate the victims on-line and transfer funding to attacker accounts

Threat / Vulnerabilities - Impact / Example

Page 11

Threat / Vulnerabilities - Who

Nation State Activities

Intelligence
- Sensitive information collection
- Manipulation (e.g. elections, markets)
- Disinformation activities

Military (Weaponized Cyber)
- Disrupts / destroys critical infrastructure: Energy, Communications, Transportation, Distribution
- Cripple war fighting capability
- Deny an opponent of similar capabilities

Financial Motivation
- Theft (Recent Asian activity by North Korea)
- Damage Trade
- Create financial turmoil

Page 12

Threat / Vulnerabilities - Who

Criminal Organizations
Generally Financial Motivation
- Direct Theft
- Collection of Identity information for follow-on activities
- Ransomware activities

Anarchist / Terrorist

Individuals
- Mischief – Adolescence / Experimenters
- Financial motivation / Theft
- Activist

Internal Staff (Insiders)
About half of all cyber incidents are the result of ‘insiders’
- Ignorance
- Failure to follow Policies / Prescribed procedures
- Poor System design
- System Misconfiguration
- Successful Phishing attacks
- Malice / Theft

Page 13

Threat / Vulnerabilities - Personnel

The Insider threat cannot be overemphasized - about half of documented cyber incidents are the result of ‘insider’ activity

Social Engineering –

Phishing -

System design, implementation and or configuration -

Page 14

Threat / Vulnerabilities - Personnel

Insider compromise is often the result of user ignorance

Cyber security involves active participation of all employees and security layers applied across the entire enterprise –

In reviewing the security impact of technical personnel, job performance is key –

All too often a security breach is traced to human -

Insider malice or theft represents a huge threat -

Employee inadvertent misuse of data represents 36% of all security breaches (Forrester)

Page 15

Cyber attacks are regularly successful in part because protection mechanisms are not in place or are misconfigured. This is often in part due to the clear shortage of trained cybersecurity workers

Currently, world-wide, there are more than one million cyber security job vacancies

An Intel Security survey found that 82% of survey respondents believed there is a shortage of skilled cybersecurity workers

The same survey found 71% felt worker shortages had done ‘direct and measurable damage’

The banking and financial sector will continue to struggle to manage cybersecurity risks as long as the skilled worker shortage persists

Threat / Vulnerabilities - Personnel

Page 16

Threat / Vulnerabilities - Technical / Email

‘…the cost of data breaches to $2.1 trillion globally by 2019…’ Juniper

Email represents a dangerous and widely deployed threat to the financial industry

More than half of the reported cyber attacks are associated with email

Email is by far the most widely deployed business communication technology

It has been estimated one in every 131 emails contains malware (Note: Worldwide, 205 Billion emails are transmitted each day)

Phishing is a common technique utilized to compromise email

Phishing attempts to manipulate the targeted user to open a compromised email or file using a number of techniques including implying urgency or falsifying a message source e.g. generating messages that appear to come from a friend or loved one

Page 17

Threat / Vulnerabilities - Phishing Example

Hundreds of millions of compromised emails are generated every day

Phishing Email received by MTDoyle on 22 Oct 2017

From: Spouse of my Business Partner (Forged return email address)

Not Linda’s normal Email Address

The attack executable

- This email was sourced by an email service in Hong Kong (Netviagator.com)

- The goal is to get the victim to ‘click’ on the executable

- This is an obvious, unsophisticated attempt

Passed the ‘AVG’ Email Virus test
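The indicators on this slide (a familiar display name on an unfamiliar address, an executable attachment, a clean antivirus verdict) can be checked mechanically at the mail gateway. The following is an added example, not part of the original presentation; the address book, the `.example` domains, the extension list and the Reply-To comparison are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# File types that run code when opened on a typical workstation (illustrative list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar", ".lnk", ".hta"}

# Hypothetical address book: display name (lowercase) -> addresses that person normally uses.
KNOWN_CONTACTS = {"linda example": {"linda@partner-firm.example"}}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_bytes, known_contacts):
    """Return (code, detail) findings for one raw RFC 5322 message.

    None of these checks depends on signature scanning, so they still fire
    on a message that passed the antivirus test.
    """
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    # 1. Familiar display name, unfamiliar address ("Not Linda's normal Email Address").
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    usual = known_contacts.get(display.strip().lower())
    if usual is not None and from_addr not in usual:
        findings.append(("sender-mismatch",
                         f"{display!r} does not normally write from {from_addr}"))

    # 2. Replies steered to a different domain than the visible sender (added check).
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(("reply-to-domain",
                         f"Reply-To {reply_to} differs from sender domain"))

    # 3. Attachment whose final extension is executable, e.g. "Invoice.pdf.exe".
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            findings.append(("executable-attachment", name))
    return findings


def build_message(sender, reply_to, filename):
    """Construct a sample message in memory (constructed data, not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "recipient@bank.example"
    m["Reply-To"] = reply_to
    m["Subject"] = "Urgent: please open today"
    m.set_content("Please review the attached document right away.")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


SUSPECT = build_message("Linda Example <l.example.4471@freemail.example>",
                        "payments@collect.example", "Invoice.pdf.exe")
BENIGN = build_message("Linda Example <linda@partner-firm.example>",
                       "linda@partner-firm.example", "minutes.pdf")

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage(raw, KNOWN_CONTACTS))
```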

Page 18

Threat / Vulnerabilities - Types / Technical

Application-Layer Attack: An application-layer attack targets the host system

Compromised-Key Attack: The attack works to reveal system communication ‘keys’

Denial-of-Service Attack: A DoS attack denies system or network access

Page 19

Threat / Vulnerabilities - Network Attacks

IP Spoofing (IP Address Spoofing): Networks generally accept appended IP addresses as valid

Man-in-the-Middle: The attacker places themselves between the two ends of a communication link

Sniffer Attack: A sniffer is an application or device that monitors / captures network data

Page 20

Threat / Vulnerabilities - Viruses

Virus - malicious code / malware that replicates itself

A virus, unlike a worm, requires a host file to propagate

A virus requires external support, generally the user

Viruses can be spread by email, text message attachments, downloaded executables etc.

Many viruses employ detection evasion

Page 21

Threat / Vulnerabilities - Example Viruses

Rootkit viruses are malware that, through unauthorized root-level (administrator) routines, provides full control of the system

A multipartite virus is malware that delivers multiple payloads or spreads utilizing multiple techniques

A space-filler virus inserts itself (stores itself) in the unused space available at the end of a file cluster

Boot-record infectors are viruses that infect the boot sector or the master boot record

Page 22

Threat / Vulnerabilities - Example Viruses

File infectors come in two flavors, Direct Action and Resident:

A direct action virus does not install itself or remain hidden in the victim system

A Resident Virus installs itself allowing independent operation

Macro viruses infect application macro language

Polymorphic viruses are malware that mutates or changes its characteristics

Page 23

Threat / Vulnerabilities - Worms

- Worms replicate themselves without the use of a host file and do not require user interaction

Worm Examples:

- Morris Worm launched by Robert Tappan in 1988 Robert

- Storm Worm debuted on 19 January 2007

Page 24

Threat / Vulnerabilities - Trojan

A Trojan is malware that looks legitimate but executes some unauthorized, sometimes harmful, function

Social engineering is often utilized to get a trojan installed

Attack functions vary widely and include deleting files, installing backdoors, data theft etc.

Trojans do not self replicate or reproduce by infecting other files

Trojans are spread through user action

Page 25

Threat / Vulnerabilities - DoS / DDoS

A denial-of-service attack (DoS) is executed to make the victim network resource or servers unavailable

A distributed denial-of-service attack (DDoS) uses multiple sources to generate the attack

DDoS attacks are generally launched by ‘bots’

Application layer attacks (OSI Layer 7) swamp a server with resource-intensive requests

Network layer attacks (Layers 3 and 4) attempt to overload the supporting network infrastructure

Page 26

Mitigation - Policies / Procedures

Senior management must act to establish and enforce Cyber security Policies and Procedures

Policies and Procedures must –

- Emphasize Cyber Security Importance
- Identify responsibilities to customers
- Establish expectations / performance standards
- Outline employee responsibilities
- Identify training requirements
- Address protection of sensitive information
- Provide handling of portable devices instructions
- Establish incident reporting
- Address regulatory requirements
- Provide Recovery / Damage Control plans
- Outline enforcement mechanism

Cyber security is a managerial issue…. Business Insider

Page 27

Mitigation - Technology

Note: Approximately 80% of all cyber attacks utilize widely available tools and well understood techniques

Build and implement networks in compliance with industry standards – e.g. NIST Framework for Improving Critical Infrastructure Cybersecurity; NIST Special Publication 800-53 Rev. 4, "Security and Privacy Controls for Federal Information Systems and Organizations"

Implement security in Layers – Security in-depth

Utilize network segmentation – group users, data and activities within boundary constrained ‘segments’ – limit access to each group

Perform regular security testing – internal and regular third-party ‘white hat’ penetration testing

Deploy Encryption where feasible – secure communications links and sensitive files

Page 28

Mitigation - Technology

Timely implementation of security updates and patches is Critical -

Log and record everything –

Implement strong Password and access control mechanisms –

Isolate the system control network –

Utilize VPNs for remote access –

Page 29

Mitigation - Disaster Recovery

Every IT organization must maintain a disaster recovery (DR) plan to recover from any unforeseen event that might impact system availability or data integrity

A disaster recovery plan is required not only to mitigate cyber attacks but to support recovery from natural disasters, power disruptions etc.

The goal is to maintain and have available the data and other resources required to restore the business to normal operation as soon as possible

The data recovery statistics are shocking: only 44% of businesses are able to recover all data after a disaster, and 90% of businesses that lose data from a disaster don’t survive two years. (source: Storagecraft)

‘The average time to detect a cyber attack is 205 days….’ Business Insider

Page 30

Mitigation - Disaster Recovery

A disaster recovery plan should include:

An analysis of the threats and potential impacts

Identification of the critical elements of your infrastructure and their vulnerabilities, then mitigation of the risks

Locating and utilizing an off-site back-up facility (physically located elsewhere)

Physical security, backup power, lighting, environment control and communications plans

Identification of critical personnel and maintenance of contact information

Training of personnel for the required activities / practice

Generation of a plan with step by step guides for each required action

Page 31

Mitigation - Personnel

A key to Cyber Security is Personnel training

Senior management must institute and enforce a formal employee training program

Employees should receive both initial and periodic training

Successful learning is dependent on student relevance and level of difficulty

Training must be Student-centric – material tailored to the student

The cyber security training needs of a network administrator differ substantially from those of a teller or senior manager

All employees should undergo regular cyber awareness training e.g. dealing with emails, phishing, password control etc.

IT and Cyber staff require detailed network operational and threat training

Page 32

Mitigation - Personnel

Four example Training Groups:

Network Users: The user category consists of individuals who interact with the services and facilities provided by the organizations’ computers & networks to conduct day to day operations. This group has very limited technical knowledge or interest and little understanding of Cyber Security theory or operations. The training presented to this group must focus on the ‘Why’ of Cyber Security, user practices and organization policies and standards.

IT Professionals: These individuals work with networks, workstations and IT technology on a daily basis. They are the maintenance personnel, technicians, software professionals, etc., that interact with and are comfortable with technology. Most IT professionals have a basic understanding of Cyber Security and the Cyber Threat. Training in support of this group should focus on the ‘Impact’ and ‘How’ of Cyber Security. Course material must include network and data management standards and include a review of organization policies and standards.

Page 33

Mitigation - Personnel

Cyber Security / Engineering Staff: These engineers, computer scientists and software professionals are the most technically experienced individuals in the organization. They design, implement and maintain the systems supporting the organizations’ mission. These individuals are focused on technology and many are Cyber Security specialists. Presenting security basics to these users will only alienate the student. Training should concentrate on Cyber Security current issues / theory / updates, cyber forensics, architecture design and implementation standards. A review of organization policies and standards should be included in the training syllabus.

Management: Management sets goals and objectives and manages organization operations. Management is responsible for establishing and enforcing policies and standards and ultimately responsible for mission performance. Most managers have little understanding of technology. Management training should focus on the ‘Why’ of Cyber Security and consequences. Managers should understand policy and standards generation and receive cyber awareness and security technology training at the entry level.

Page 34

Mitigation - Personnel

Training modules for each student category should be optimized to address the specific needs of both the worker category and the organization. The training material should include a mix of student-appropriate subjects and material including:

• Cyber Security / Threats and Impact
• User Practices - Policies - Standards
• Network - Data Management / Operations
• Cyber Engineering / Architecture Design / Network optimization
• Threat status, analysis and forensics
• Cyber Security management requirements / techniques / interaction

The described four-student-group, divide-and-conquer methodology allows training modules of manageable scope to be tailored to seize and maintain the interest of diverse student populations. The material must emphasize and build on those topics most relevant to the student category and be presented at an appropriate level of complexity and detail.

Page 35

Demo - The Range

"Yes the weak link will always be the customer at the end of the day,"

Swift

Baltimore Cyber Range provides training across the spectrum of managers, IT users and Cyber professionals. We utilize the Cyber Range to address the training requirements of the most sophisticated cyber practitioners, SOC operations personnel, Cyber Security experts and system Engineers.

The Baltimore Cyber Range is a hyper-realistic cyber security simulation platform that enables cyber security professionals to participate in hands-on threat training in a real-world environment.

The Range accelerates qualification, reduces certification time, and produces staff which is more competent and up to date.

As security staffs continue to ‘churn’ the Range also represents a new and effective approach for qualifying and training cyber security staff.

Page 36

Demo - The Range

The Range is a virtual environment – a software generated cyber operational environment

It supports training of individuals or teams of SOC staff

The system generates an enterprise class network which acts as the target or victim network – the network includes Windows and Linux servers, firewalls, DNS servers, web servers etc.

Range also includes a complete suite of SOC tools including Arcsight (SIEM), Checkpoint (Firewall), Zenoss etc.

The system maintains a library of real-world threats that are available for the instructor to utilize in attacking the network

Page 37

Demo - The Range

The instructor builds a scenario and loads the target network, loads the threat and configures variables including execution speed and level of difficulty

Students are provided an opportunity to become familiar with the target network before initiating the attack

Traffic generators fill the network with real traffic and when directed by the instructor the attack begins

Students are expected to recognize / detect the attack, mitigate the attack and remediate network damage

Threat scenarios generally run 2 – 3 hours

Post-attack scenario review sessions review the attack and student performance

Page 38

Demo - Questions

Range Demo

Page 39

Demo - Questions

Questions / Comments

Baltimore Cyber Range, Baltimore, Maryland

703 795 0843