Page 1

Risk Management and IT Security: A High Priority for State and Local Governments

CliftonLarsonAllen Webinar

November 15, 2012

©2012 CliftonLarsonAllen LLP

Page 2

About CliftonLarsonAllen

• One of the nation’s top 10 CPA and consulting firms

• Service areas include audit, accounting, tax, consulting, and advisory

• 3,600+ professionals

• 90 offices nationwide

• 600 state and local government professionals

Page 3

Presentation overview

• Emerging & Continuing Trends

– Industry Security Reports

• Examples of IT Related Fraud

• Strategies and Key Controls

Page 4

Three Reasons Why We Should Care

• Organized Crime

– Wholesale theft of personal financial information

• Payment Fraud

– Use of online credentials for ACH, CC and wire fraud

• Publicity

– Privacy Rights <dot> org breach notification site

Page 5

Definition of a Secure System

Security is a Business Issue, NOT a Technology Issue…

“A secure system is one we can depend on to behave as we expect.”

Source: “Web Security and Commerce” by Simson Garfinkel with Gene Spafford

People, Rules, Tools

• Confidentiality

• Integrity

• Availability

Page 6

“Three” Security Reports

• Trends: SANS 2009 Top Cyber Security Risks

– http://www.sans.org/top-cyber-security-risks/

• Intrusion Analysis: TrustWave

– https://www.trustwave.com/global-security-report/

• Intrusion Analysis: Verizon Business Services

– 2011 report: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf

– 2012 report: http://www.verizonbusiness.com/about/events/2012dbir/

Page 7

SANS – Client Side Vulnerabilities

• Client side vulnerabilities

– Missing operating system patches

– Missing application patches

– Objective is to get the users to “Open the door”

• Vulnerable Web sites

– Password guessing

– Attacks on application interfaces with “input fields”
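The “input fields” point deserves a concrete illustration. The following is an added example, not code from the deck or from CliftonLarsonAllen: a login check that splices the username into its SQL text, beside the parameterized version. The user table, the account name and the password are constructed sample data, and the unsalted SHA-256 stands in for the salted, slow password hash a real application would use.

```python
"""Added example (not from the CliftonLarsonAllen deck): why an application
"input field" is an attack surface.  login_vulnerable() splices the username
into the SQL text, so a crafted username rewrites the query and bypasses the
password check; login_safe() binds the value as a parameter and the same
input is just a username that does not exist.  Standard library only; the
user table and its contents are constructed sample data."""
import hashlib
import hmac
import sqlite3


def _pw_hash(password: str) -> str:
    # Simplification for the example: an unsalted SHA-256 stands in for the
    # salted, slow password hash (e.g. hashlib.pbkdf2_hmac) a real login uses.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed sample user table with one account (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("treasurer", _pw_hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately vulnerable: user input becomes part of the SQL statement."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, _pw_hash(password)))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: parameter binding keeps the input as data, and the hash
    comparison is constant-time."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], _pw_hash(password))


# The injected username closes the quoted string, adds an always-true
# condition and comments out the password clause ("--" starts a SQL comment).
INJECTED_USERNAME = "' OR 1=1 --"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, injected   :", login_vulnerable(db, INJECTED_USERNAME, "anything"))  # True
    print("parameterized, injected:", login_safe(db, INJECTED_USERNAME, "anything"))        # False
```

The vulnerable query that actually reaches the database is `SELECT username FROM users WHERE username = '' OR 1=1 --' AND pw_hash = '…'`; everything after `--` is a comment, so the password is never checked. The parameterized query sends the same characters as a bound value and simply finds no such user.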

Page 8

TrustWave – Intrusion Analysis Report

[Chart: Methods of Entry; Methods of Propagation]

Page 9

TrustWave – Intrusion Analysis Report

• Most of the compromised systems were managed by a third party…

Page 10

TrustWave – Intrusion Analysis Report

• Incident Response – Investigative Conclusions

• Window of Data Exposure

Once inside, attackers have very little reason to think they will be detected…

The bad guys are inside for 1 ½ YEARS before anyone knows!

Page 11

Verizon

• Report is analysis of intrusions investigated by Verizon and US Secret Service.

• KEY POINTS:

– Time from successful intrusion to compromise of data was days to weeks.

– Log files contained evidence of the intrusion attempt, success, and removal of data.

– Most successful intrusions were not considered highly difficult.

Page 12

Hackers, Fraudsters, and Victims

• Opportunistic Attacks

• Targeted Attacks

Page 13

Verizon 2011

• Anatomy of a data breach - Opportunities

Page 14

Phone Fraud

• Pre-text phone calls

• Validation

– What to do for name dropping

– Can’t rely on caller ID

– Procedures for “IT service calls”

Page 15

Our Website Has Been Hacked…

• Saturday morning at 8:30 AM…

• Is there “data”… Is there “data”… Is there “data”

– 4th time is the charm…

• Can we get access to investigate

• Root cause(s)

• Default credentials

• Default “additional features”

Page 16

Our Website Has Been Hacked…

• Harden the web server AND applications

– Change default credentials

– Periodically review processes to identify high risk activities

– Who is responsible for website? “Marketing”?

• Understand implications of lower cost solutions

• Contracts

– Right to audit

– Right to investigate

– Who has access to your data and where it is

Page 17

Credit Card Fraud

• We just received call from Visa…

• Charges in Toronto, Mexico City, and Alabama

Page 18

Credit Card Fraud

• Unsecured Wireless

• Wireless on same network as POS

• Default open internal systems

– Missing patches

– Excessive services

– Staff passwords

• Vendor defaults

– Vendor passwords

Page 19

Phishing and ACH

• “Mr. Jesse James, why do you rob banks?”

• Online banking convenience …

• Global economy…

• On-line availability of ACH

• “Corporate account take over”

• Targeting municipalities and school districts… NOT JUST BANKS!

Page 20

Phishing and ACH – In the News

Google: “ACH fraud suit”

Bank Sues Customer

• $800,000 fraudulent ACH transfer

• Bank retrieves $600,000

• What happens to the other $200,000?

Page 21

Phishing and ACH – In the News

Customer Sues Bank

• $560,000 in fraudulent ACH transfers to bank accounts in Russia, Estonia, Scotland, Finland, China and the US; withdrawn soon after the deposits were made.

• Alleges that the bank failed to notice unusual activity.

• Until the fraudulent transactions, the customer had made just two wire transfers ever.

• In just a three-hour period, 47 wire transfers requests were made.

• In addition, after customer became aware of the situation and asked the bank to halt transactions, the bank allegedly failed to do so until 38 more had been initiated.

Page 22

Phishing and ACH – Two Direct Examples

• Business owner receives multiple emails:

• “Wire Transfer Cancelled”

• Finance staff open message – follow links

• Key logging software installed

• Fraudsters use obtained credentials

• Create 2 payroll ACH files - $500,000

Page 23

Phishing and ACH – Two Direct Examples

• Finance person receives “2000 spam messages”

• Later in the day, fraudsters make three ACH transfers all within 30 minutes:

– $8,000 to Houston

– Two transfers for $540,000 each to Romania

• In this case, business insists the following controls were not followed:

– Dollar limit/thresholds were exceeded

– Call back verification did not occur

• This one is on-going…

Page 24

Updated Authentication Guidance

• Risk Assessment, Risk Assessment, Risk Assessment…

• At least annually or after “changes”

– Changes in the internal and external threat environment, including those discussed in the Appendix of the Supplement

– Changes in the customer base

– Changes in customer functionality

– Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry

Page 25

Updated Authentication Guidance

• Do not rely on single control

– Controls need to increase as risk increases

– Multi-layer

– Additional controls at different points in the transaction/interaction with the member

• Technical (IT/systems) controls

Page 26

Updated Authentication Guidance (2)

• Specific authentication guidance

– Device identification

– Challenge questions

– Multifactor and two factor authentication

– “Out of band” authentication

Page 27

Controls for Layered Security

• Control of administrative functions

• Enhanced controls around payment authorization and verification

– “Positive Pay” features

– Dual authorization

– “Call back” verification

• Detection and response to suspicious activity
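The two ACH cases earlier in the deck (47 wires in three hours from a customer that had sent two ever; two $540,000 items to Romania released without a call-back) and the layered controls listed on this slide fit together as one release decision. The following is an added example, not the deck’s, the FFIEC’s or any bank’s code: each control is a named check, and an item is released only when every applicable check passes. The profile limits, control names and sample amounts are this example’s assumptions.

```python
"""Added example (not the deck's, the FFIEC's or any bank's code): the
layered payment controls listed above (dollar thresholds, dual
authorization, call-back verification, and detection of suspicious
activity) as one release decision, run over constructed transfer requests
modelled on the two ACH cases earlier in the deck.  The profile limits, the
control names and the sample amounts are this example's assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Transfer:
    ref: str
    amount: float
    dest_country: str                    # ISO country code of the receiving bank
    requested_at: datetime
    approvers: frozenset = frozenset()   # distinct staff who approved the item
    callback_verified: bool = False      # confirmed by phone to a number on file


@dataclass
class CustomerProfile:
    per_item_limit: float
    daily_limit: float
    max_per_hour: int                    # velocity: items released in any 60 minutes
    known_countries: frozenset           # destinations this customer has paid before
    dual_auth_above: float
    callback_above: float
    released: List[Transfer] = field(default_factory=list)


def failed_controls(p: CustomerProfile, t: Transfer) -> List[str]:
    """Names of the controls the transfer fails; an empty list means release."""
    same_day = [r for r in p.released if r.requested_at.date() == t.requested_at.date()]
    last_hour = [r for r in p.released
                 if timedelta(0) <= t.requested_at - r.requested_at <= timedelta(hours=1)]
    new_destination = t.dest_country not in p.known_countries
    checks = [
        ("per_item_limit", t.amount > p.per_item_limit),
        ("daily_limit", sum(r.amount for r in same_day) + t.amount > p.daily_limit),
        ("velocity", len(last_hour) + 1 > p.max_per_hour),
        ("dual_authorization", t.amount >= p.dual_auth_above and len(t.approvers) < 2),
        # Call back on every large item and on any first-time destination country.
        ("callback", (t.amount >= p.callback_above or new_destination) and not t.callback_verified),
    ]
    return [name for name, failed in checks if failed]


def release(p: CustomerProfile, t: Transfer) -> bool:
    """Release only when every control passes; released items feed later checks."""
    if failed_controls(p, t):
        return False
    p.released.append(t)
    return True


def sample_profile() -> CustomerProfile:
    """Constructed limits for a small municipality's operating account."""
    return CustomerProfile(per_item_limit=50_000, daily_limit=100_000, max_per_hour=5,
                           known_countries=frozenset({"US"}),
                           dual_auth_above=10_000, callback_above=25_000)


def sample_transfers() -> List[Transfer]:
    """Constructed items shaped like the second ACH case: one small domestic
    item, then two large items to a country the customer has never paid."""
    day = datetime(2012, 11, 15)
    return [
        Transfer("houston", 8_000, "US", day.replace(hour=10, minute=0), frozenset({"clerk"})),
        Transfer("ro-1", 540_000, "RO", day.replace(hour=10, minute=20), frozenset({"clerk"})),
        Transfer("ro-2", 540_000, "RO", day.replace(hour=10, minute=30), frozenset({"clerk"})),
    ]


def velocity_scenario(p: CustomerProfile, first: Transfer) -> List[str]:
    """Release four more small domestic items after `first`, then report what a
    sixth item in the same hour fails (the many-wires-in-a-few-hours pattern)."""
    for i in range(4):
        release(p, Transfer("small-%d" % i, 1_000, "US", first.requested_at + timedelta(minutes=5 + i)))
    return failed_controls(p, Transfer("small-5", 1_000, "US", first.requested_at + timedelta(minutes=30)))


if __name__ == "__main__":
    profile = sample_profile()
    for item in sample_transfers():
        print(item.ref, "released" if release(profile, item) else failed_controls(profile, item))
```

Run as a script, the $8,000 Houston item is released and each Romanian item is held on four separate controls at once; any one of them would have stopped the loss described in the deck. The point of keeping the checks separate is that a fraudster who satisfies one (say, stays under the per-item limit) still trips another (velocity or call-back).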

Page 28

Controls for Layered Security (2)

• Customer awareness and education

– Explanation of protections provided and not provided

– How the financial institution may contact a member on an unsolicited basis

– A suggestion that commercial online banking members perform assessment and controls evaluation periodically

– A listing of alternative risk control mechanisms that members may consider implementing to mitigate their own risk

– A listing of financial institution contacts for members discretionary use to report suspected fraud

Page 29

Ten Things Every Organization Should Have

1. Strong Policies – Define what is expected

• Foundation for all that follows…

Page 30

Ten Things Every Organization Should Have

2. Defined user access roles and permissions

• Principle of minimum access and least privilege

• Most users should NOT have system administrator rights

• Don’t forget your vendors

Page 31

Ten Things Every Organization Should Have

3. Hardened internal systems (end points)

• Hardening checklists

• Turn off unneeded services (minimize attack surface)

• Turn off Telnet

• Turn off FTP

• Turn off SMTP…

• Change (vendor) default password

Page 32

Ten Things Every Organization Should Have

4. Encryption strategy (variety of state laws…)

• Email

• Laptops, desktops, email enabled cell phones

• Thumb drives/Mobile media

• Data at rest?

Page 33

Ten Things Every Organization Should Have

5. Vulnerability management process

• Operating system patches

• Application patches

• Patch management tooling (e.g., Microsoft SMS, Shavlik)

• Testing to validate effectiveness – find and address the exceptions

Page 34

Ten Things Every Organization Should Have

6. Well defined perimeter security layers:

• Network segments

• Email gateway/filter, firewall, and “Proxy” integration for traffic in AND out

• Intrusion Detection/Prevention for network traffic, Internet facing hosts, AND workstations (end points)

Page 35

Ten Things Every Organization Should Have

7. Centralized audit logging, analysis, and automated alerting capabilities (SIEM)

• Routing infrastructure

• Network authentication

• Servers

• Applications

• Archiving vs. Reviewing
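“Archiving vs. Reviewing” is the crux: the Verizon finding earlier in the deck was that the logs already held the attempt, the success and the removal of data, and nobody looked. The following is an added example, not from the deck or from the Verizon report: a small correlation pass of the kind a SIEM runs over centralized logs, applied to constructed sample lines. It raises an alert for repeated failed logons from one source, for a success from that same source, and for a large outbound transfer afterwards. The line format, field names and thresholds are this example’s assumptions.

```python
"""Added example (not from the deck or the Verizon report): a small
correlation pass of the kind a SIEM runs over centralized logs, applied to
constructed sample lines.  It flags the three things the Verizon finding
says were already in the logs: repeated failed logons from one source, a
success from that same source, and a large outbound transfer afterwards.
The line format, field names and thresholds are this example's assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample log (ISO timestamp, source system, key=value fields).
SAMPLE_LOG = [
    "2012-11-15T02:10:12Z auth src=10.0.0.5 user=clerk result=OK",
    "2012-11-15T02:14:01Z auth src=203.0.113.7 user=finance result=FAIL",
    "2012-11-15T02:14:07Z auth src=203.0.113.7 user=finance result=FAIL",
    "2012-11-15T02:14:13Z auth src=203.0.113.7 user=finance result=FAIL",
    "2012-11-15T02:14:19Z auth src=203.0.113.7 user=finance result=FAIL",
    "2012-11-15T02:14:25Z auth src=203.0.113.7 user=finance result=FAIL",
    "2012-11-15T02:14:31Z auth src=203.0.113.7 user=finance result=FAIL",
    "2012-11-15T02:14:40Z auth src=203.0.113.7 user=finance result=OK",
    "2012-11-15T02:20:02Z proxy src=10.0.0.5 dst=198.51.100.20 bytes_out=48213",
    "2012-11-15T02:31:05Z proxy src=10.0.0.12 dst=198.51.100.9 bytes_out=734003200",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<kv>.+)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one line into a dict; None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "source": m["source"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def correlate(lines: List[str], fail_threshold: int = 5,
              window: timedelta = timedelta(minutes=5),
              exfil_bytes: int = 100_000_000) -> List[Tuple]:
    """Stream the lines once, keeping only the failed-logon times per source
    that fall inside `window`; return alerts in the order they fire."""
    alerts: List[Tuple] = []
    recent_fails = defaultdict(deque)      # src -> timestamps of failures within window
    already_flagged = set()
    for rec in filter(None, map(parse_line, lines)):
        if rec["source"] == "auth":
            q = recent_fails[rec["src"]]
            while q and rec["ts"] - q[0] > window:
                q.popleft()
            if rec["result"] == "FAIL":
                q.append(rec["ts"])
                if len(q) >= fail_threshold and rec["src"] not in already_flagged:
                    already_flagged.add(rec["src"])
                    alerts.append(("password_guessing", rec["src"], rec["ts"]))
            elif rec["result"] == "OK" and len(q) >= fail_threshold:
                # The guessing worked: treat the account as compromised.
                alerts.append(("success_after_failures", rec["src"], rec["user"], rec["ts"]))
        elif rec["source"] == "proxy" and int(rec.get("bytes_out", "0")) > exfil_bytes:
            alerts.append(("large_outbound_transfer", rec["src"], rec["dst"], int(rec["bytes_out"])))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(*alert)
```

Each rule on its own is noisy; the value is in the sequence. Five failures followed by a success from the same address within minutes is the “password guessing” pattern from the SANS slide, and a large transfer shortly after is the “removal of data” Verizon found in the logs. Wiring the success alert to an automatic session reset or a call to the account owner is the “Recognize, React, and Respond” step that turns an archived log into a detection.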

Page 36

Recognize, React, and Respond

Page 37

Ten Things Every Organization Should Have

8. Defined incident response plan and procedures

• Be prepared

• Documentation and procedures

• Including data leakage prevention and monitoring

• Incident Response testing, just like DR testing

• Forensic preparedness

Page 38

Ten Things Every Organization Should Have

9. Validation that it all works the way you expect (remember the definition?)

• (IT) Audits

• Vulnerability Assessments

• Penetration Testing

• A combination of internal and external resources

• Pre-implementation and post-implementation

Page 39

Validation…

Page 40

Ten Things Every Organization Should Have

10. Vendor Management

• The previous 9 topics should all be applied to your vendors/business partners

• Require vendor systems be at least as secure as your own…

• For managed services, require vendors to agree to operate up to your standards

• Vulnerability management

• Secure communication protocols

• Incident response capabilities

• Right to audit

• Understand your contracts and SLAs

Page 41

Questions?

Page 42

Thank you!

Randy Romes, CISSP, CRISC, MCP, PCI-QSA

Principal

Information Security Services

[email protected]

888.529.264

Page 43

Solutions – From SANS Report

20 Critical Controls:

• http://csis.org/files/publication/Twenty_Critical_Controls_for_Effective_Cyber_Defense_CAG.pdf

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software

3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

5. Boundary Defense

6. Maintenance, Monitoring, and Analysis of Security Audit Logs

7. Application Software Security

8. Controlled Use of Administrative Privileges

9. Controlled Access Based on Need to Know

10. Continuous Vulnerability Assessment and Remediation

11. Account Monitoring and Control

12. Malware Defenses

13. Limitation and Control of Network Ports, Protocols, and Services

14. Wireless Device Control

15. Data Loss Prevention

Additional Critical Controls (not directly supported by automated measurement and validation):

16. Secure Network Engineering

17. Penetration Tests and Red Team Exercises

18. Incident Response Capability

19. Data Recovery Capability

20. Security Skills Assessment and Appropriate Training to Fill Gaps

Page 44

Solutions – From TrustWave Report

Rank Strategic Initiative

1 Perform and Maintain a Complete Asset Inventory; Decommission Old Systems

2 Monitor Third Party Relationships

3 Perform Internal Segmentation

4 Rethink Wireless

5 Encrypt Your Data

6 Investigate Anomalies

7 Educate Your Staff

8 Implement and Follow a Software Development Life Cycle (SDLC)

9 Lock Down User Access

10 Use Multifactor Authentication Everywhere Possible

Page 45

Common Compliance Requirements

• Compliance Matrix Resources:

• http://net.educause.edu/ir/library/pdf/CSD5876.pdf

• http://www.infosec.co.uk/ExhibitorLibrary/277/Cross_Compliance_wp_20.pdf

Page 46

Resources – Hardening Checklists

Hardening checklists from vendors

• CIS offers vendor-neutral hardening resources

http://www.cisecurity.org/

• Microsoft Security Checklists

http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true

http://technet.microsoft.com/en-us/library/dd366061.aspx

Most of these will be from the “BIG” software and hardware providers

Page 47

Resources

• Computer Security Institute:

http://www.gocsi.com/soceng.htm

• Methods of Hacking: Social Engineering – by Rick Nelson

http://www.isr.umd.edu/gemstone/infosec/ver2/papers/socialeng.html

• Computer Security Institute:

http://www.sptimes.com/2007/10/28/Business/Here_s_how_a_slick_la.shtml

Page 48

Resources

• Bank Info Security Resource Center

http://ffiec.bankinfosecurity.com/

• FFIEC Authentication Guidance

http://www.ffiec.gov/press/pr062811.htm

http://www.ffiec.gov/pdf/authentication_guidance.pdf

Page 49

PCI Standards

• Quarterly external vulnerability scan by an Approved Scanning Vendor (ASV)

• Quarterly test wireless network security

• Annual DSS Assessment (i.e. SAQ)

– By QSA if level 1

• Annual Penetration Test (not vulnerability scan)

– External

– Internal

– And…

https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

Page 50

Resources – In the News

• Privacy Rights <dot> org

http://www.privacyrights.org/ar/ChronDataBreaches.htm

• Resource for State Laws

https://www.privacyrights.org/data-breach-FAQ#10

Page 53

References

• Michigan company sues bank

http://www.computerworld.com/s/article/9156558/Michigan_firm_sues_bank_over_theft_of_560_000_?taxonomyId=17

http://www.krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/#more-973

• Bank sues Texas company

http://www.bankinfosecurity.com/articles.php?art_id=2132

Page 54

References to Specific State Laws

Are there state-specific breach listings?

Some states have state laws that require breaches to be reported to a centralized database. These states include Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia’s notification law only applies to electronic breaches affecting more than 1,000 residents).

However, a number of other states have some level of notification that has been made publicly available, primarily through Freedom of Information requests. These states include California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin.

State laws:

http://www.privacyrights.org/data-breach#10

For details, see the Open Security Foundation Datalossdb website:

http://datalossdb.org/primary_sources

http://www.privacyrights.org/ar/ChronDataBreaches.htm