Copyright 2010

TrustCC: IT Audit, Security and BCP

by Tom Schauer
CISSP, CISA, CISM, GCIH, CTGA, CEO of TrustCC

Agenda

- Background and Introduction
- SMB Hacks and Online Banking Fraud
- Social Networking Deception
- MFP: Multi-Function Peripheral or Made for exPloitation
- Patch Management or Patch Mayhem
- Hackers for Hire

Copyright 2010, TrustCC. All Rights Reserved.

In the World of Networked Computers, Every Sociopath Is Your Neighbor!


Check us out at www.trustcc.com!


Chronology of Data Breaches since 2005

500 Million Sensitive Records Breached Since 2005

The most recent total from the Privacy Rights Clearinghouse's Chronology of Data Breaches shows more than a half billion sensitive records breached since 2005, leaving Americans vulnerable to identity theft. Employees losing laptop computers, hackers downloading credit card numbers, and sensitive personal data accidentally exposed online: the Chronology of Data Breaches shows hundreds of ways that the personal information of consumers is lost, stolen or exposed. The Chronology of Data Breaches, a project of the Privacy Rights Clearinghouse since 2005, lists incidents involving breached consumer information, such as personal medical records, credit card numbers and Social Security Numbers. The most recent total, published August 24, 2010, is a wake-up call to consumers who think identity theft can't happen to them. The Privacy Rights Clearinghouse estimates that the Chronology shows only a fraction of the total number of data breaches.

510,528,937 RECORDS BREACHED

From 1,714 DATA BREACHES made public since 2005



Cyber Crime Exceeds Drug Trafficking


Lost Laptops and Mobile Media


Wireless Technology Risks


House Sites Hacked


One PW for Everything


Spam, Spam and More Spam


Is Mac More Secure than Windows?


Vishing, Phishing, Oh My


Phishing eMail


Botnets

"Authorities in Spain announced the breakup of a massive botnet called Mariposa, comprising more than 12 million infected PCs in 190 countries."

USA Today


Security Pop-Up Ads


Being Secure


Secure the Right Things


Customers Suing Banks: several cases


Key Points in the Fraud

1. First the business is compromised (web, email, botnet)
2. Credentials are stolen and used to commit fraud
3. The business's view:
   1. Fraud comes from a non-local IP
   2. Simultaneous logins
   3. Unusual amounts and timing
   4. No verification procedures
   5. Other FIs do more
   6. "You didn't warn me"


TrustCC's EFT Fraud Recommendations

1. Offer strong and dynamic authentication
2. Contractually advise customers of the need to comply with security best practices
3. Educate customers about threats and controls
4. Recommend a Security Self-Assessment and encourage customers to remediate identified security weaknesses
5. Monitor regularly to detect unusual activity

Our TrustED Briefing and Self-Assessment offers unprecedented help to Financial Institutions.
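The monitoring step in recommendation 5, and the business-side signals listed under Key Points in the Fraud (fraud from a non-local IP, simultaneous logins, unusual amounts and timing), expressed as detection logic run over a session log. This is an added example, not code from the deck or from TrustCC; the log layout, the customer profile fields, the 15-minute session timeout and the "more than twice the average" amount threshold are all assumptions, and every event in the sample log is constructed:

```python
"""Detection logic for the EFT fraud signals on the slides: non-local source
IP, simultaneous logins from different addresses, unusual amounts and
unusual timing.  Added example; the log layout, the customer profile fields
and every sample event are constructed for illustration and are not from any
real online-banking platform."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed customer profile: networks the business normally banks from,
# its business hours (24h clock) and a trailing average transfer size.
PROFILES = {
    "acme-llc": {
        "home_nets": [ip_network("203.0.113.0/24")],
        "hours": (7, 19),
        "avg_amount": 4200.00,
    },
}

# Constructed session log, one event per line:
# time customer session src_ip event amount
LOG = """\
2010-08-24T09:12:03 acme-llc s1 203.0.113.10 login 0
2010-08-24T09:15:40 acme-llc s1 203.0.113.10 transfer 3900.00
2010-08-24T09:16:02 acme-llc s2 198.51.100.77 login 0
2010-08-24T09:17:30 acme-llc s2 198.51.100.77 transfer 9800.00
2010-08-24T09:18:05 acme-llc s2 198.51.100.77 transfer 9700.00
2010-08-24T23:41:11 acme-llc s3 198.51.100.77 login 0
2010-08-24T23:42:00 acme-llc s3 198.51.100.77 transfer 9900.00
"""

SESSION_TTL = timedelta(minutes=15)  # assumed idle timeout of a web session
AMOUNT_FACTOR = 2.0                  # assumed threshold: > 2x the average


def parse(log_text):
    """Turn the constructed log into time-ordered event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, cust, sess, ip, kind, amount = line.split()
        events.append({"time": datetime.fromisoformat(ts), "customer": cust,
                       "session": sess, "ip": ip_address(ip),
                       "event": kind, "amount": float(amount)})
    return sorted(events, key=lambda e: e["time"])


def alert(e, rule, detail):
    return {"time": e["time"].isoformat(), "customer": e["customer"],
            "session": e["session"], "rule": rule, "detail": detail}


def detect(log_text, profiles):
    """Return one alert dict per signal fired, in log order."""
    alerts = []
    live = defaultdict(dict)      # customer -> {session: (ip, last activity)}
    seen_nonlocal = set()         # (customer, session) already flagged
    for e in parse(log_text):
        prof = profiles[e["customer"]]
        sessions = live[e["customer"]]

        # 1. Fraud comes from a non-local IP: flag once per session.
        if not any(e["ip"] in net for net in prof["home_nets"]):
            if (e["customer"], e["session"]) not in seen_nonlocal:
                seen_nonlocal.add((e["customer"], e["session"]))
                alerts.append(alert(e, "non_local_ip",
                                    f"{e['ip']} outside home networks"))

        # 2. Simultaneous logins: a login while another session from a
        #    different address was active within SESSION_TTL.
        if e["event"] == "login":
            for sess, (ip, last) in sessions.items():
                if (sess != e["session"] and ip != e["ip"]
                        and e["time"] - last <= SESSION_TTL):
                    alerts.append(alert(e, "simultaneous_login",
                                        f"overlaps {sess} from {ip}"))

        # 3. Unusual amount: transfer well above the customer's baseline.
        if (e["event"] == "transfer"
                and e["amount"] > AMOUNT_FACTOR * prof["avg_amount"]):
            alerts.append(alert(e, "unusual_amount",
                                f"{e['amount']:.2f} vs avg {prof['avg_amount']:.2f}"))

        # 4. Unusual timing: activity outside the customer's business hours.
        start, end = prof["hours"]
        if not start <= e["time"].hour < end:
            alerts.append(alert(e, "off_hours", e["time"].strftime("%H:%M")))

        sessions[e["session"]] = (e["ip"], e["time"])
    return alerts


if __name__ == "__main__":
    for a in detect(LOG, PROFILES):
        print(f"{a['time']} {a['customer']} {a['session']:<3} "
              f"{a['rule']:<19} {a['detail']}")
```

On the sample log the second session fires the non-local and simultaneous-login rules within seconds of the legitimate one, which is exactly the pattern the "you didn't warn me" complaint turns on: the signals were in the FI's own logs before the money left. In production the home networks and the amount baseline would come from the customer's history rather than a hand-written profile.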


Social Networking Risks and Reward

"For many people, social networking has become as much of a daily routine as brewing coffee and brushing teeth. IT administrators dislike it and cyber crooks depend on it." Bill Brenner


Social Networking Advantages

- Sustain existing relationships
- Get connected to others
- Find talent in the trenches
- Viral marketing on the cheap


But the individual might:

- Misrepresent
- Be fooled
- Waste time
- Install malware


What about an employee's account?


Who is Chip Conley?


Imposter Profiles

- Assuming the identity of a prominent person in an organization and then friending as many people as possible.
- Assuming the identity of an attractive and available person who works at a targeted organization, then working the network.


Challenge-Response Questions

What percentage of online banking challenge-response questions have answers that can be found on the net?

- What year was your oldest child born?
- What was your favorite sport in high school?
- What was your first car?


Another DEFCON Contest

One of the more interesting events at this year's Defcon hacker conference in Las Vegas was a social engineering contest that targeted big companies like Microsoft, Google and Apple. Participants pretending to be headhunters and survey takers were able to trick employees at the companies into giving out information over the phone that, if it landed in the wrong hands, could be used to sneak malware onto machines at the company or otherwise get access to the company's data.


Poll

What concerns you most about social networking?

A) Impact to productivity
B) Information leakage
C) Misrepresentation
D) Malware distribution
E) All of the above and more


How to Do Social Media

- Establish goals
- Set up a Web/Media Advisory Committee with some of your younger, tech-savvy staff
- Establish social media policies
- Determine who will have access to social media from the workplace


Administrative Controls

- Have a policy that is appropriate for your environment
- Have an acknowledgement and acceptance of policy
- Provide training
- Monitor social media sites
- Have an incident/crisis response team


Technical Controls

- Block access to well-known SN sites by unauthorized individuals
- Ensure anti-malware is effective
- Ensure systems are always patched
- Don't allow general employees to be local administrators on their computers (Win7)
- Monitor online activities


Multi-Function Peripheral or Made for exPloitation

I need another meaning for the acronym MFP; I considered "made for penetration" but it sounds X-rated.

What do MFPs do for hackers?

- MFP hard drives store previously printed documents
- MFPs likely have a local administrator account that could have the same password as other systems
- MFPs can be rooted and then made to phone home


Printer Popping

We are popping printers at about 85% of our clients. In one recent case, a printer was all we got. It led to Local Admin, then an administrator's box, then a keystroke logger, then Domain Admin! Game Over!


Patch Management or Patch Mayhem

- Microsoft releases out-of-band updates as frequently as Lindsay Lohan goes to jail or drug rehab.
- Standard Microsoft patching tools such as Windows Server Update Services (WSUS) regularly provide false reporting.
- Some updates reintroduce previously patched vulnerabilities.
- Microsoft updates are just one brand of the many updates that are needed: Adobe, Cisco, Symantec, Backup Exec, etc.
- Some vendors are resistant or late for dinner when it comes to patch support.


88 is a big number


Every system needs updates


Solutions

- Subscribe to every patch release for every piece of software you own (or outsource to HEIT)
- Evaluate all released updates for applicability
- Test when you can, yet deploy expeditiously
- Run Nessus or an equally effective patch verification utility on a very regular basis
- Hold vendor feet to the fire. Be relentless.
- Use our Hardening Standards


Hackers for Hire: Why

GLBA says: "Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the credit union's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs."


Key Controls

(Key controls table not reproduced.) Also, note the format of the table specifically meets GLBA ISRA guidelines.


Who should you hire?

FFIEC says: history, reputation, references, experience with controls and financial institutions, capability, certifications, insured, internal controls, current, financially sound, compliant, etc.


What Should You Test?

What are your key controls?

- Physical
- Administrative
- Technical

You will likely need a variety of skills to test all key controls. For example, is your pen testing firm the right group to test your fire extinguishers or alarms? Probably not.



Board Governance

More examiners are looking to the Board or a subcommittee to carefully oversee the information security function. Yet the following challenges exist:

1. Most Board members are less technical
2. Most Boards are preoccupied with banking matters
3. Most Boards dislike governance and compliance
4. The future of your Financial Institution could lie in the hands of your Regulator


The Buck Stops Here!

Perform Board training on:

1. GLBA
2. Risk Assessment Culture
3. FFIEC Exam Guidance
4. BCP


Sample One-Page Security Report


ATM Insecurity: Should I Be Concerned?

You should be concerned if:

- You run Triton or Tranax ATMs
- You don't physically inspect your ATMs every day
- You have not performed a TR-39 review
- You cannot spell ATM
- Your ATMs are missing security patches


Barnaby Jack

During what's been described as a dramatic display at the Black Hat Conference, Barnaby Jack demonstrated how effortlessly a hacker could infect two ATMs.

And the ATMs spilled the cash!


ATM Skimming Equipment


ATM PIN Management (TG-3, now TR-39)

"If a STAR Member were to fail to comply with such requirements and a compromise were to occur that could have been prevented if that STAR Member had been compliant, STAR will hold that STAR Member liable for the resultant fraud losses incurred by each other participant in the STAR Network. Each STAR Member should, therefore, continue to conduct a periodic review of its environment to ensure that it and any third party acting on its behalf is compliant with STAR security requirements."

TR-39 looks at physical, administrative and technical security requirements and could prevent skimming and other ATM fraud.


TR-39 Review Questions

- Do you have written procedures that you follow that provide for the removal of keys from an ATM when sending the ATM for service?
- Do you have full dual control and split knowledge for all key components in all stages of the key lifecycle?
- Do you use double-length keys in your ATMs?
- Does your vendor maintain a record of every key management activity?
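The dual-control, split-knowledge and double-length-key questions above in working form. This is an added example with constructed values, not TrustCC's review tooling: each custodian supplies one parity-adjusted XOR component, the key exists only once at least two components are combined, and the result is checked for length, odd parity and degenerate halves (a 2-key TDES key whose halves match is just single DES). The ceremony log identifies components by a truncated SHA-256 fingerprint, which is an assumed convention for this example and not a standard key check value; a real KCV needs a DES implementation and is not computed here.

```python
"""Split knowledge and dual control for ATM/PIN keys, the TR-39 questions on
the slide: a double-length (2-key TDES, 16-byte) key is formed from XOR
components held by separate custodians and never exists whole outside the
loading device.  Added example with constructed values; it is not TrustCC's
review tooling, and it performs the structural checks only (length, parity,
degenerate halves, component count) rather than a DES key check value."""
import hashlib
import secrets

KEY_LEN = 16  # double-length TDES key = two 8-byte DES keys


def odd_parity(data: bytes) -> bytes:
    """Set bit 0 of every byte so each byte has an odd number of 1 bits (DES parity)."""
    out = bytearray()
    for b in data:
        b &= 0xFE                        # drop the parity bit
        if bin(b).count("1") % 2 == 0:   # even count of data bits -> set it
            b |= 0x01
        out.append(b)
    return bytes(out)


def has_odd_parity(data: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in data)


def generate_components(custodians: int = 2, rng=secrets.token_bytes) -> list:
    """One random, parity-adjusted component per custodian.  Any subset short of
    the full set is statistically independent of the final key."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    return [odd_parity(rng(KEY_LEN)) for _ in range(custodians)]


def combine(components: list) -> bytes:
    """XOR all components into the key; dual control is enforced by refusing
    to produce a key from fewer than two components."""
    if len(components) < 2:
        raise ValueError("dual control: at least two components required")
    if any(len(c) != KEY_LEN for c in components):
        raise ValueError("every component must be a double-length key part")
    key = bytes(KEY_LEN)
    for c in components:
        key = bytes(a ^ b for a, b in zip(key, c))
    return odd_parity(key)   # XOR does not preserve parity; fix it on the result


def check_key(key: bytes) -> list:
    """Structural problems a TR-39 reviewer would reject before loading."""
    problems = []
    if len(key) != KEY_LEN:
        problems.append("not double length")
        return problems
    if key[:8] == key[8:]:
        problems.append("halves equal: 2-key TDES degenerates to single DES")
    if not has_odd_parity(key):
        problems.append("parity error")
    return problems


def fingerprint(component: bytes) -> str:
    """Assumed ceremony-log identifier: a truncated SHA-256 lets the record
    show which component was entered without recording its value."""
    return hashlib.sha256(component).hexdigest()[:8]


def key_ceremony(custodians=("custodian-A", "custodian-B")) -> tuple:
    """Run a loading ceremony: each custodian enters one component, the log
    records who entered what (by fingerprint), and the combined key is checked."""
    components = generate_components(len(custodians))
    log = [f"{who} entered component {fingerprint(c)}"
           for who, c in zip(custodians, components)]
    key = combine(components)
    log.append(f"key formed from {len(components)} components; "
               f"problems: {check_key(key) or 'none'}")
    return key, log


if __name__ == "__main__":
    key, log = key_ceremony()
    print("\n".join(log))
```

The degenerate-halves check matters in practice: a component entered twice, or a key-entry device that duplicates the first half, silently reduces the ATM's PIN encryption to single DES while every length and parity check still passes.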


ATMs frequently have vulnerabilities

Missing Critical Security Patches:
- IP Address: 10.137.190.250
- System: Main Branch ATM
- MS08-067, MS06-035, MS09-001, MS06-040
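The finding above is what an independent patch verification scan produces, and the Solutions slide earlier says to run one on a very regular basis because the patching console's own reports are unreliable. The added example below (not TrustCC's tooling, and not a real WSUS or Nessus export; both report layouts and every sample row are constructed to mirror the slide's finding) reconciles a scanner report against a console export, classifies each disagreement, and ages each missing bulletin from its MSyy-nnn name so a 2006 bulletin still missing in 2010 stands out:

```python
"""Reconcile what the patch console (WSUS or similar) claims with what an
independent scanner (Nessus or similar) finds missing, and age each missing
bulletin from its MSyy-nnn name.  Added example; the two report layouts and
all sample rows are constructed to mirror the slide's finding and are not real
WSUS or Nessus exports."""
import re
from collections import defaultdict

# Constructed scanner export, one block per host in the slide's shape.
SCAN_REPORT = """\
Missing Critical Security Patches:
IP Address: 10.137.190.250
System: Main Branch ATM
MS08-067, MS06-035, MS09-001, MS06-040

Missing Critical Security Patches:
IP Address: 10.137.190.251
System: Drive-Up ATM
MS08-067
"""

# Constructed console export: host,bulletin,status as the console reports it.
WSUS_REPORT = """\
10.137.190.250,MS08-067,Installed
10.137.190.250,MS06-035,Installed
10.137.190.250,MS09-001,NotApplicable
10.137.190.251,MS08-067,Installed
10.137.190.251,MS09-001,Installed
"""

BULLETIN = re.compile(r"\bMS(\d{2})-(\d{3})\b")
SCAN_YEAR = 2010  # year the scan ran (the deck is from 2010)


def parse_scan(text):
    """{ip: {"system": name, "missing": {bulletin, ...}}} from the scanner text."""
    hosts, ip = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("IP Address:"):
            ip = line.split(":", 1)[1].strip()
            hosts[ip] = {"system": "", "missing": set()}
        elif line.startswith("System:") and ip:
            hosts[ip]["system"] = line.split(":", 1)[1].strip()
        elif ip:
            hosts[ip]["missing"].update(m.group(0) for m in BULLETIN.finditer(line))
    return hosts


def parse_wsus(text):
    """{ip: {bulletin: status}} from the console CSV."""
    status = defaultdict(dict)
    for line in text.splitlines():
        if line.strip():
            ip, bulletin, state = (f.strip() for f in line.split(","))
            status[ip][bulletin] = state
    return status


def bulletin_age(bulletin, scan_year=SCAN_YEAR):
    """Whole years since release, from the MSyy-nnn naming convention."""
    return scan_year - (2000 + int(BULLETIN.match(bulletin).group(1)))


def reconcile(scan_text, wsus_text):
    """One finding per bulletin the scanner says is missing, with a verdict on
    what the console said about it.  Only scanner-confirmed gaps are reported;
    a console 'Installed' with nothing from the scanner is left alone."""
    findings, wsus = [], parse_wsus(wsus_text)
    for ip, host in parse_scan(scan_text).items():
        for b in sorted(host["missing"]):
            claimed = wsus.get(ip, {}).get(b, "Unknown")
            if claimed == "Installed":
                verdict = "FALSE_REPORT"   # console says installed; scanner disagrees
            elif claimed == "NotApplicable":
                verdict = "WRONG_SCOPE"    # console excluded a patch the host needs
            else:
                verdict = "UNMANAGED"      # console has no record of host/patch
            findings.append({"ip": ip, "system": host["system"], "bulletin": b,
                             "console": claimed, "verdict": verdict,
                             "age_years": bulletin_age(b)})
    return findings


if __name__ == "__main__":
    for f in sorted(reconcile(SCAN_REPORT, WSUS_REPORT),
                    key=lambda f: -f["age_years"]):
        print(f"{f['ip']:<16} {f['system']:<16} {f['bulletin']} "
              f"{f['age_years']}y console={f['console']:<13} {f['verdict']}")
```

The three verdicts map to three different fixes: FALSE_REPORT means the console's client-side reporting is broken on that host, WRONG_SCOPE means someone declined or mis-targeted the update, and UNMANAGED means the host is outside the console altogether, which for an ATM on a branch segment is the usual case.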


Help Your Customers/Members!


Contact Us!


TrustCC Resources


Read Our Blog


Questions and Conversation

Tom Schauer
tschauer@trustcc.com
253.468.9750
Call me, no charge for good questions!
