TRANSCRIPT
World Bank 2 Nov 2017
Baltimore Cyber Range Proprietary
Seminar for Senior Bank Supervisors
Cyber Threat
02 Nov 2017
Presentation Flow
- Cyber Security Intro - Background
- Financial Industry Computer / Network Dependency (Communications, Operations, Customer, Inter-Institution, Day-to-Day, Accounting, ATM, Reporting)
- Threat / Vulnerabilities (Impact, Why: Nation State / Financial / Mischief; Technical; Personnel; Operations: Shareholders, Depositors, Regulators)
- Mitigation (Technical, Personnel, Operations, Policies & Procedures)
- Demo
‘…financial services firms are a whopping 300 times more likely to be hit by security incidents than other industries’ (Lloyd’s)
Intro - Background
On April 1, 2015, then-President Obama issued an executive order declaring “the increasing prevalence and severity of malicious cyber-enabled activities… constitute an unusual and extraordinary threat to the national security, foreign policy and economy of the United States…” The President included $14 billion for cyber security spending in his 2016 budget
Intro - Background
Organizations from the largest international financial institutions to local banks are today part of a world-wide, interconnected financial system
This world-wide system facilitates the high-speed, anytime, anywhere financial services customers have come to expect
Technology has become key to the continued access, speed and reliability provided by this interconnected financial system
Unfortunately, implementation of the required technology presents operational challenges, risks and liabilities
The Office of the Comptroller of the Currency (OCC) has declared cybersecurity a key risk for banks of all sizes. The volume, sophistication, and impact of cyber threats pose a serious risk for financial institutions
The 2014 JP Morgan Data Breach affected a total of 83 million customers
Financial Industry Dependencies
‘Bank of America spends $400 million on cybersecurity in 2015’ (Forbes)
Today financial institutions are dependent on technology, technology that supports collecting, processing, analyzing and distributing information
All levels of the industry, including senior management, must understand the limitations, shortcomings and risks associated with the technology utilized
Banks must develop “cyber resiliency” as malware and extortion schemes become more complex and widely deployed
Boards and senior management must recognize and accept responsibility for the critical role they play in establishing sound policies and a secure operational environment
Threat / Vulnerabilities: Impact
‘The cost of data breaches to grow to $2.1 trillion globally by 2019’ (Juniper)
In 2016 the IT industry saw a rapid and ominous expansion of sophisticated cyber exploits
In the last year the industry has seen multi-million dollar bank compromises, nation-state attempts to influence elections, compromise of millions of consumers’ identity records and explosive growth of ransomware
More than half of companies reporting cyber incidents reported that the incident cost was $100k or more
Twelve percent of the organizations reporting indicate costs of $1,000,000 or more
It is alleged that nation-state attacks against the banks of only Bangladesh, Vietnam, Ecuador and Poland accounted for more than US $94 million in losses alone
A cyber incident not only has a cost impact; it can:
- Impact reputations and customer confidence
- Have regulatory and legal impact
- Present liability issues for Boards and senior management
- Impact shareholders and stock values
Threat / Vulnerabilities: Impact / Example
Attacks target everything from a single user ATM account to systems like SWIFT
The 2014 JP Morgan Data Breach affected 83 million customers and seven million businesses
This breach exploited malware, social engineering, and spear-phishing attacks to compromise emails, contact information, Social Security Numbers and other customer information
The attack was orchestrated by two fraternity brothers with little technical experience
Technical work was outsourced to Russian hackers
Utilizing a stock fraud scheme the two defrauded their victims of more than $100 million
This is one of the very few cyber incidents where the attackers were identified and brought to justice
Threat / Vulnerabilities: Impact / Example
The SWIFT compromise was enabled by poor network engineering, implementation and configuration
Access was facilitated by a set of second-hand routers at the Bangladesh bank, connected to the network without a firewall
The attackers used malware to gain control of a SWIFT messaging application
The SWIFT system was then exploited to transfer funds to accounts the attackers controlled
The attackers, believed to be a nation state, transferred $81 million
Threat / Vulnerabilities: Impact / Example
The 2017 Equifax cyber attack compromised sensitive data of 143 million consumers
The attack was associated with web weaknesses
Consumer confidence plummeted as the Equifax stock price tumbled
The attack lasted months (May – July) and Equifax failed to provide consumers timely notification
The attack triggered class-action lawsuits
Equifax replaced personnel including the Chief Information Officer and Chief Security Officer
“It takes an average of 98 days for financial services companies to detect intrusion…” (ZDNet)
Threat / Vulnerabilities: Impact / Example
Carberp Trojan (2013-2015)
An attack that went undetected for two years
Resulted in the theft of more than $1 billion
Targeted more than 100 banks around the world
Enabled by a phishing campaign targeting system administrators and bank clerks
Exploited a readily available remote-access tool to impersonate the victims online and transfer funds to attacker accounts
Threat / Vulnerabilities: Who
Nation State Activities
- Intelligence: sensitive information collection; manipulation (e.g. elections, markets); disinformation activities
- Military (Weaponized Cyber): disrupts / destroys critical infrastructure (energy, communications, transportation, distribution); cripples war-fighting capability; denies an opponent similar capabilities
- Financial Motivation: theft (recent Asian activity by North Korea); damage trade; create financial turmoil
Threat / Vulnerabilities: Who
- Criminal Organizations: generally financial motivation; direct theft; collection of identity information for follow-on activities; ransomware activities
- Anarchist / Terrorist
- Individuals: mischief (adolescents / experimenters); financial motivation / theft; activists
- Internal Staff (Insiders): about half of all cyber incidents are the result of ‘insiders’, through ignorance, failure to follow policies / prescribed procedures, poor system design, system misconfiguration, successful phishing attacks, or malice / theft
Threat / Vulnerabilities: Personnel
The insider threat cannot be overemphasized - about half of documented cyber incidents are the result of ‘insider’ activity
Social Engineering –
Phishing -
System design, implementation and or configuration -
Threat / Vulnerabilities: Personnel
Insider compromise is often the result of user ignorance
Cyber security involves active participation of all employees and security layers applied across the entire enterprise –
In reviewing the security impact of technical personnel, job performance is key –
All too often a security breach is traced to human -
Insider malice or theft represents a huge threat -
‘Employee inadvertent misuse of data represents 36% of all security breaches’ (Forrester)
Threat / Vulnerabilities: Personnel
Cyber attacks are regularly successful in part because protection mechanisms are not in place or are misconfigured. This is often in part due to the clear shortage of trained cybersecurity workers
Currently, world-wide, there are more than one million cyber security job vacancies
An Intel Security survey found that 82% of survey respondents believed there is a shortage of skilled cybersecurity workers
The same survey found 71% felt worker shortages had done ‘direct and measurable damage’
The banking and financial sector will continue to struggle to manage cybersecurity risks as long as the skilled worker shortage persists
Threat / Vulnerabilities: Technical / Email
‘…the cost of data breaches to $2.1 trillion globally by 2019…’ (Juniper)
Email represents a dangerous and widely deployed threat to the financial industry
More than half of the reported cyber attacks are associated with email
Email is by far the most widely deployed business communication technology
It has been estimated that one in every 131 emails contains malware (Note: worldwide, 205 billion emails are transmitted each day)
Phishing is a common technique utilized to compromise email
Phishing attempts to manipulate the targeted user into opening a compromised email or file using a number of techniques, including implying urgency or falsifying a message source, e.g. generating messages that appear to come from a friend or loved one
Threat / Vulnerabilities: Phishing Example
Hundreds of millions of compromised emails are generated every day
Phishing email received by MTDoyle on 22 Oct 2017:
- From: spouse of my business partner (forged return email address)
- Not Linda’s normal email address
- The attack executable (attached)
- This email was sourced by an email service in Hong Kong (Netviagator.com)
- The goal is to get the victim to ‘click’ on the executable
- This is an obvious, unsophisticated attempt
- Passed the ‘AVG’ email virus test
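The warning signs in this example (a familiar display name on an unfamiliar address, injection through an unrelated mail service, a Reply-To that diverges from the sender, an executable attachment) can be checked mechanically at the mail gateway. The checker below is added here as an illustration; it is not part of the seminar or of Baltimore Cyber Range material, and the address book, addresses, hosts and sample message are all constructed.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Constructed address book (hypothetical): display names the recipient knows,
# mapped to the addresses those contacts really use.
KNOWN_CONTACTS = {"Linda Example": {"linda@partner-firm.example"}}
# Attachment types a contact would not send unannounced.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".jar"}


def originating_host(msg):
    """Host named in the earliest Received header: where the message entered the mail system."""
    received = msg.get_all("Received") or []
    match = re.match(r"from\s+([A-Za-z0-9.-]+)", received[-1].strip()) if received else None
    return match.group(1).lower() if match else None


def analyze_message(raw):
    """Return 'CODE: detail' warnings for one raw RFC 5322 message (empty list if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = []
    name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    known = KNOWN_CONTACTS.get(name)
    # 1. Familiar display name on an unfamiliar address: the forged-sender pattern.
    if known and address not in known:
        warnings.append(f"DISPLAY_NAME_MISMATCH: '{name}' writes from {sorted(known)}, not {address}")
    # 2. Message injected at a mail service unrelated to the contact's own domain.
    origin = originating_host(msg)
    if origin and known and not any(origin.endswith(a.rpartition("@")[2]) for a in known):
        warnings.append(f"ORIGIN_NOT_CONTACT: entered the mail system at {origin}")
    # 3. Reply-To silently redirects replies away from the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != address:
        warnings.append(f"REPLY_TO_DIVERGES: replies go to {reply_to}")
    # 4. Executable attachment: the 'click on the executable' lure.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS:
            warnings.append(f"EXECUTABLE_ATTACHMENT: {filename}")
    return warnings


# Constructed sample modelled on the message described above; no real addresses or hosts.
PHISHING_SAMPLE = b"""Received: from mail.relay.example ([203.0.113.5])
 by mx.bank.example; Sun, 22 Oct 2017 09:10:11 +0000
Received: from smtp.freemail-hk.example ([198.51.100.7])
 by mail.relay.example; Sun, 22 Oct 2017 09:10:09 +0000
From: Linda Example <linda.example77@freemail-hk.example>
Reply-To: collector@another-host.example
To: recipient@bank.example
Subject: Urgent - please open the attached document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Please open the attached file right away.
--BOUNDARY
Content-Type: application/octet-stream; name="document.pdf.exe"
Content-Disposition: attachment; filename="document.pdf.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxl
--BOUNDARY--
"""

if __name__ == "__main__":
    print("\n".join(analyze_message(PHISHING_SAMPLE)))
```

Such a check complements, rather than replaces, a signature-based scanner: the message in the example passed the antivirus scan yet fails every one of these header and attachment tests.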
Threat / Vulnerabilities: Types / Technical
- Application-Layer Attack: an application-layer attack targets the host system
- Compromised-Key Attack: the attack works to reveal system communication ‘keys’
- Denial-of-Service Attack: a DoS attack denies system or network access
Threat / Vulnerabilities: Network Attacks
- IP Spoofing (IP Address Spoofing): networks generally accept the source IP address carried in a packet as valid
- Man-in-the-Middle: the attacker places themselves between the two ends of a communication link
- Sniffer Attack: an application or device (a sniffer) that monitors / captures network data
Threat / Vulnerabilities: Viruses
Virus - malicious code / malware that replicates itself
A virus, unlike a worm, requires a host file to propagate
A virus requires external support, generally the user
Viruses can be spread by email, text message attachments, downloaded executables etc.
Many viruses employ detection evasion
Threat / Vulnerabilities: Example Viruses
Rootkit viruses are malware that, through unauthorized root-level (administrator) routines, provide full control of the system
A multipartite virus is malware that delivers multiple payloads or spreads utilizing multiple techniques
Space-filler viruses insert (store) themselves in the unused space available at the end of a file cluster
Boot-record infectors are viruses that infect the boot sector or the master boot record
Threat / Vulnerabilities: Example Viruses
File infectors come in two flavors, direct action and resident:
A direct action virus does not install itself or remain hidden in the victim system
A resident virus installs itself, allowing independent operation
Macro viruses infect an application’s macro language
Polymorphic viruses are malware that mutates or changes its characteristics
Threat / Vulnerabilities: Worms
- Worms replicate themselves without the use of a host file and do not require user interaction
Worm Examples:
- Morris Worm, launched by Robert Tappan Morris in 1988
- Storm Worm, which debuted on 19 January 2007
Threat / Vulnerabilities: Trojan
A Trojan is malware that looks legitimate but executes some unauthorized, sometimes harmful, function
Social engineering is often utilized to get a trojan installed
Attack functions vary widely and include deleting files, installing backdoors, data theft etc.
Trojans do not self-replicate or reproduce by infecting other files
Trojans are spread through user action
Threat / Vulnerabilities: DoS / DDoS
A denial-of-service attack (DoS) is executed to make the victim network resource or servers unavailable
A distributed denial-of-service attack (DDoS) uses multiple sources to generate the attack
DDoS attacks are generally launched by ‘bots’
Application-layer attacks (OSI Layer 7) swamp a server with resource-intensive requests
Network-layer attacks (OSI Layers 3 and 4) attempt to overload the supporting network infrastructure
Mitigation: Policies / Procedures
Senior management must act to establish and enforce cyber security policies and procedures
Policies and Procedures must:
- Emphasize cyber security importance
- Identify responsibilities to customers
- Establish expectations / performance standards
- Outline employee responsibilities
- Identify training requirements
- Address protection of sensitive information
- Provide instructions for handling portable devices
- Establish incident reporting
- Address regulatory requirements
- Provide recovery / damage control plans
- Outline enforcement mechanisms
‘Cyber security is a managerial issue….’ (Business Insider)
Mitigation: Technology
Note: Approximately 80% of all cyber attacks utilize widely available tools and well understood techniques
Build and implement networks in compliance with industry standards – e.g. the NIST Framework for Improving Critical Infrastructure Cybersecurity and NIST Special Publication 800-53 rev4, "Security and Privacy Controls for Federal Information Systems and Organizations"
Implement security in layers – security in depth
Utilize network segmentation – group users, data and activities within boundary-constrained ‘segments’ – limit access to each group
Perform regular security testing – internal and regular third-party ‘white hat’ penetration testing
Deploy encryption where feasible – secure communications links and sensitive files
Mitigation: Technology
Timely implementation of security updates and patches is critical -
Log and record everything –
Implement strong Password and access control mechanisms –
Isolate the system control network –
Utilize VPNs for remote access –
Mitigation: Disaster Recovery
Every IT organization must maintain a disaster recovery (DR) plan to recover from any unforeseen event that might impact system availability or data integrity
A disaster recovery plan is required not only to mitigate cyber attacks but to support recovery from natural disasters, power disruptions etc.
The goal is to maintain and have available the data and other resources required to restore the business to normal operation as soon as possible
The data recovery statistics are shocking: only 44% of businesses are able to recover all data after a disaster, and 90% of businesses that lose data from a disaster don’t survive two years (source: StorageCraft)
‘The average time to detect a cyber attack is 205 days….’ (Business Insider)
Mitigation: Disaster Recovery
A disaster recovery plan should include:
- An analysis of the threats and potential impacts
- Identification of the critical elements of your infrastructure and their vulnerabilities, followed by mitigation of the risks
- Location and use of an off-site backup facility (physically located elsewhere)
- Plans for physical security, backup power, lighting, environmental control and communications
- Identification of critical personnel and maintenance of contact information
- Training of personnel for the required activities / practice
- Generation of a plan with step-by-step guides for each required action
Mitigation: Personnel
A key to cyber security is personnel training
Senior management must institute and enforce a formal employee training program
Employees should receive both initial and periodic training
Successful learning depends on relevance to the student and an appropriate level of difficulty
Training must be Student-centric – material tailored to the student
The cyber security training needs of a network administrator differ substantially from those of a teller or senior manager
All employees should undergo regular cyber awareness training e.g. dealing with emails, phishing, password control etc.
IT and Cyber staff require detailed network operational and threat training
Mitigation: Personnel
Four example Training Groups:
Network Users: The user category consists of individuals who interact with the services and facilities provided by the organization’s computers and networks to conduct day-to-day operations. This group has very limited technical knowledge or interest and little understanding of cyber security theory or operations. The training presented to this group must focus on the ‘Why’ of cyber security, user practices and organization policies and standards.
IT Professionals: These individuals work with networks, workstations and IT technology on a daily basis. They are the maintenance personnel, technicians, software professionals, etc., that interact with and are comfortable with technology. Most IT professionals have a basic understanding of cyber security and the cyber threat. Training in support of this group should focus on the ‘Impact’ and ‘How’ of cyber security. Course material must include network and data management standards and include a review of organization policies and standards.
Mitigation: Personnel
Cyber Security / Engineering Staff: These engineers, computer scientists and software professionals are the most technically experienced individuals in the organization. They design, implement and maintain the systems supporting the organization’s mission. These individuals are focused on technology and many are cyber security specialists. Presenting security basics to these users will only alienate the student. Training should concentrate on current cyber security issues / theory / updates, cyber forensics, architecture design and implementation standards. A review of organization policies and standards should be included in the training syllabus.
Management: Management sets goals and objectives and manages organization operations. Management is responsible for establishing and enforcing policies and standards and is ultimately responsible for mission performance. Most managers have little understanding of technology. Management training should focus on the ‘Why’ of cyber security and its consequences. Managers should understand policy and standards generation and receive cyber awareness and security technology training at the entry level.
Mitigation: Personnel
Training modules for each student category should be optimized to address the specific needs of both the worker category and the organization. The training material should include a mix of student-appropriate subjects and material including:
• Cyber Security / Threats and Impact
• User Practices - Policies - Standards
• Network - Data Management / Operations
• Cyber Engineering / Architecture Design / Network Optimization
• Threat status, analysis and forensics
• Cyber Security management requirements / techniques / interaction
The described four-student-group, divide-and-conquer methodology allows training modules of manageable scope to be tailored to seize and maintain the interest of diverse student populations. The material must emphasize and build on those topics most relevant to the student category and be presented at an appropriate level of complexity and detail.
Demo: The Range
"Yes the weak link will always be the customer at the end of the day," (SWIFT)
Baltimore Cyber Range provides training across the spectrum of managers, IT users and cyber professionals. We utilize the Cyber Range to address the training requirements of the most sophisticated cyber practitioners, SOC operations personnel, cyber security experts and system engineers
The Baltimore Cyber Range is a hyper-realistic cyber security simulation platform that enables cyber security professionals to participate in hands-on threat training in a real-world environment.
The Range accelerates qualification, reduces certification time, and produces staff who are more competent and up to date.
As security staffs continue to ‘churn’, the Range also represents a new and effective approach for qualifying and training cyber security staff.
Demo: The Range
The Range is a virtual environment – a software-generated cyber operational environment
It supports training of individuals or teams of SOC staff
The system generates an enterprise-class network which acts as the target or victim network – the network includes Windows and Linux servers, firewalls, DNS servers, web servers etc.
The Range also includes a complete suite of SOC tools including ArcSight (SIEM), Check Point (firewall), Zenoss etc.
The system maintains a library of real-world threats that are available for the instructor to utilize in attacking the network
Demo: The Range
The instructor builds a scenario: loads the target network, loads the threat and configures variables including execution speed and level of difficulty
Students are provided an opportunity to become familiar with the target network before the attack is initiated
Traffic generators fill the network with real traffic and, when directed by the instructor, the attack begins
Students are expected to recognize / detect the attack, mitigate the attack and remediate network damage
Threat scenarios generally run 2 to 3 hours
A post-attack review session reviews the attack and student performance
Demo: Range Demo
Demo: Questions / Comments
Baltimore Cyber Range, Baltimore, Maryland
703 795 0843