How Can I Bank Online Securely? Bradford Rand V.P. Information Technology Infrastructure Manager Information Security Officer Online Security Approach • Online Security Is Not A Single Solution. • The Best Security Is A Layered Approach • “Defense In Depth” • Internet • Firewall • Intrusion Detection / Prevention • Open Port Limitation • Local Workstation • Anti-Virus • Anti-Malware • Security Patching • Operating System • Third Party Applications • Education • Email Phishing • Phone Calls “Vishing” How Do I Bank Online Securely? • The safest PC is one that is not connected to the internet. • Once a PC is placed “online” with the internet, it will be • • • • compromised within 7 minutes.** SANS Survival Times https://isc.sans.edu//survivaltime.html A dedicated workstation, used just for online banking, is the most secure solution for performing online transactions. Patching is critical. Most compromised PC’s were not up to date with Operating System updates. Email: Phishing / Trojan Malware is overwhelming. Hosting Banks / FI’s have multiple Security Controls Who Is Responsible? • Both the Client and the FI share responsibility. • FI has many policies and procedures that are closely followed. • Documentation and constant audits of controls / processes. • Will not call you and ask for any NPI. (Non Public Information) • Work with Clients to know the customer. • Complies to stringent rules regarding web hosting. • PCI Compliance (Payment Card Industry) • Extended Validation on web sites. (HTTPS://greenbar) • Good SFA (Second Factor Authentication) controls. • FI can not control the Client’s Workstation • Patching • Email Configuration / Filtering • Web Browsing • End User Access How Does It Happen? • Every compromised incident I have been involved was initiated from the client / end user workstation. • The compromised computer was the result of inadequate patching and / or email phishing. Local Workstation • Can Download Malware From Many Areas • Phishing: • Email sent to you appearing as a known source • Contains attachment: Word / PDF / Excel / Text File • Contains hyperlink to contaminated web site. • Click on the link and download the program • Downloaded program takes advantage of known vulnerabilities. • Portable Media • USB sticks carry malware • Seeding / Leave one in the parking lot. • Has label “Payroll” / Eye Candy • You plug it in at work, it autoloads. • Browsing Web Pages • Ads on the sidebar • Google does not verify “clean” sites well. • Redirect to compromised sites. • Download application. • P2P File Sharing • Music download / Bit Torrent “Trojan” Malware • Trojan Horse • Free Gift / Special Offer • Email or Web Browsing • Click on Link • File Appears as “Friendly” • Request to Open File • Allow Execution / Installation • Wrapper Opens and Runs a Script • Sets Up Shop • Cloaks Itself • Calls Home • Begins Data Transfer Keystroke Loggers • Most Common Form Of Malware • Easy To Deploy • End user does the work by loading the application • “Calls Home” When Set Up • Sniffs All Traffic From PC Going Out To Web • Has search criteria (Filters) • Login ID / Passwords • 9 digit socials • May use a dictionary • Records Any String Of Data Behind Keywords • Send back data in complete format • Complete report of compromised data at end of the day • Programmable application • Possibility Of Remote Control • Removes IP location restriction in “cookies” • Performs banking from your PC. Keystroke Logging Example • Switch Over To Compromised Computer • Keystroke Logging Questions? What Can I Do? • Keep Operating System up to date. • Microsoft – Upload of patching for a reason. • Patch Tuesday / second Tuesday of the month. • Remediates known vulnerabilities. • Set Updates to automatically update. • MS Office updates. (Recently compromised) • Browser • Internet Explorer – (Now becoming “Spartan”) • FireFox – Automatically Updates • Chrome – Automatically Updates • Third Party Application Patching • Adobe Products • Reader / Writer / Flash / Air / Shockwave • Be careful of “Toolbar” baggage applications. • Ask / Google / default checked off to load with patch. • Result is more crowded browser and slower PC. • Adware follows your browsing habits. • Google ads on the sidebar change to fit you. What Can I Do? • Dedicated Workstation is the best solution. • Can be outdated PC. • Will run quick enough, minimal applications running on it. • Needs Windows 7 and up. • Anti-Virus / Malware Detection • Keep up on Operating System Patching! • Limit Access To Local Workstation • Location, location, location • Keep it close. • Lock it up when not in use. • Require separate local accounts. • Create Administrative account. • Limit “Basic” user accounts to not allow running of executables. • “Run As” will require administrator password to install applications • Disable “AutoRun” • Will require a double click on the file to execute. Email Phishing Examples • Contained In Email • Mouse Over Hyperlink To Reveal Actual Site Address • not www.verizon.com - instead • www.clownpages.hk/nothinghere/ • Attachment could be .pdf / .exe / .gif Top Level Domain Extensions • “Normal” Business Usage • .gov • .com • .net • .edu • .org • “New” But Not Used As Much • .tv • .biz • tax • mobi • On The Horizon • .bank Internet Country Codes • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • “AF - Afghanistan AL - Albania DZ - Algeria AS - American Samoa AD - Andorra AO - Angola Av - Anguilla AQ - Antarctica AG - Antigua and Barbuda AR - Argentina AM - Armenia AA - Aruba AU - Australia AT - Austria AZ - Azerbaijan BF - Bahamas BH - Bahrain BB - Barbados BD - Bangladesh BY - Belarus BE - Belgium BZ - Belize BJ - Benin BM - Bermuda BS - Bahamas BT - Bhutan BW - Botswana BO - Bolivia BA - Bosnia and Herzegovina BV - Bouvet Island BR - Brazil IO - British Indian Ocean Territory BN - Brunei Darussalam BG - Bulgaria BF - Burkina Faso BI - Burundi KH – Cambodia (Internet) CB - Cambodia (CIA World Fact Book) CM - Cameroon CA - Canada CV - Cape Verde KY - Cayman Islands CF - Central African Republic TD - Chad CL - Chile CN - China CX - Christmas Island CC - Cocos (Keeling) Islands CO - Colombia KM - Comoros CG - Congo CD - Congo, Democratic Republic CK - Cook Islands CR - Costa Rica CI - Cote D'Ivoire (Ivory Coast) HR - Croatia (Hrvatska) CU - Cuba CY - Cyprus CZ - Czech Republic CS - Czechoslovakia (former) DK - Denmark DJ - Djibouti DM - Dominica DO - Dominican Republic TP - East Timor EC - Ecuador EG - Egypt SV - El Salvador GQ - Equatorial Guinea ER - Eritrea EE - Estonia ET - Ethiopia FK - Falkland Islands (Malvinas) FO - Faroe Islands FJ - Fiji FI - Finland FR - France FX - France, Metropolitan GF - French Guiana PF - French Polynesia TF - French Southern Territories MK - F.Y.R.O.M. (Macedonia) GA - Gabon GM - Gambia GE - Georgia DE - Germany GH - Ghana GI - Gibraltar GB - Great Britain (UK) GR - Greece GL - Greenland GD - Grenada GP - Guadeloupe GU - Guam GT - Guatemala GN - Guinea GW - Guinea-Bissau GY - Guyana HT - Haiti HM - Heard and McDonald Islands HN - Honduras HK - Hong Kong HU - Hungary IS - Iceland IN - India ID - Indonesia IR - Iran IQ - Iraq IE - Ireland IL - Israel IT - Italy JM - Jamaica JP - Japan JO - Jordan KZ - Kazakhstan KE - Kenya KI - Kiribati KP - Korea (North) KR - Korea (South) KW - Kuwait KG - Kyrgyzstan LA - Laos LV - Latvia LB - Lebanon LI - Liechtenstein LR - Liberia LY - Libya LS - Lesotho LT - Lithuania LU - Luxembourg MO - Macau MG - Madagascar MW - Malawi MY - Malaysia MV - Maldives ML - Mali MT - Malta MH - Marshall Islands MQ - Martinique MR - Mauritania MU - Mauritius YT - Mayotte MX - Mexico FM - Micronesia MC - Monaco MD - Moldova MA - Morocco MN - Mongolia MS - Montserrat MZ - Mozambique MM - Myanmar NA - Namibia NR - Nauru NP - Nepal NL - Netherlands AN - Netherlands Antilles NT - Neutral Zone NC - New Caledonia NZ - New Zealand (Aotearoa) NI - Nicaragua NE - Niger NG - Nigeria NU - Niue NF - Norfolk Island MP - Northern Mariana Islands NO - Norway OM - Oman PK - Pakistan PW - Palau PA - Panama PG - Papua New Guinea PY - Paraguay PE - Peru PH - Philippines PN - Pitcairn PL - Poland PT - Portugal PR - Puerto Rico QA - Qatar RE - Reunion RO - Romania RU - Russian Federation RW - Rwanda GS - S. Georgia and S. Sandwich Isls. KN - Saint Kitts and Nevis LC - Saint Lucia VC - Saint Vincent and the Grenadines WS - Samoa SM - San Marino ST - Sao Tome and Principe SA - Saudi Arabia SN - Senegal SC - Seychelles SL - Sierra Leone SG - Singapore SI - Slovenia SK - Slovak Republic Sb - Solomon Islands SO - Somalia ZA - South Africa ES - Spain LK - Sri Lanka SH - St. Helena PM - St. Pierre and Miquelon SD - Sudan SR - Suriname SJ - Svalbard and Jan Mayen Islands SZ - Swaziland SE - Sweden CH - Switzerland SY - Syria TW - Taiwan TJ - Tajikistan TZ - Tanzania TH - Thailand TG - Togo TK - Tokelau TO - Tonga TT - Trinidad and Tobago TN - Tunisia TR - Turkey TM - Turkmenistan TC - Turks and Caicos Islands TV - Tuvalu UG - Uganda UA - Ukraine AE - United Arab Emirates UK - United Kingdom US - United States UM - US Minor Outlying Islands UY - Uruguay SU - USSR (former) UZ - Uzbekistan VU - Vanuatu VA - Vatican City State (Holy See) VE - Venezuela VN - Viet Nam VG - Virgin Islands (British) VI - Virgin Islands (U.S.) WF - Wallis and Futuna Islands EH - Western Sahara YE - Yemen YU - Yugoslavia ZM - Zambia (ZR - Zaire) - See CD Congo, Democratic Republic ZW - Zimbabwe Phishing Demonstration • Switch to Compromised PC. What Can I Do? • Use Email and Common Sense: • Never a “free” gift. (Too good to be true) • Do I know you? • Do I perform business with you? • I don’t remember applying for that? • Opening Attachments: • Malware can be contained in: • Word / Excel / Adobe pdf’s / Pictures • Usually asks to load the file • That is the clue, never allow an application to run ! • Use: “Save As” Download file locally, scan for viruses before double clicking. Email Security Questions? What Can I Do? • Change Your Passwords Frequently • Use Complexity, not your dogs / Children / Birthdates • Personal FaceBook? Reveals Passwords by “Creeping” on your page. • Do Not “AutoSave” or “Remember” Passwords In Browsers • Ensure Anti Virus Is Installed • Auto update of definitions • Threat detection installed • IPS / not just IDS • Free AV will cost you in the long run! • You get what you pay for Windows Versions • Windows XP EOL / EOS • April 8th, 2014 • No Auto Update / Reboot • Critical Patches Ceased • Call In Support Terminated • Windows 7 or 8.1 • 7 Is Very Compatible • 8.1 Is Better Version Than 8.0 • Shock Factor / “Skins” Can Be Installed • classicshell.net Skin makes it look like XP or 7. Financial Institution Controls • Many Online Security Measures Available • Administration: • Dual Control (One user creates / edits users, another approves. • Administrators and users “Principal of Least Privilege” applies • Minimal set of tools to perform your job, no more. • IP Restriction – Can only log in from one location. • “Someplace you are” Authentication Mechanisms • Day / Time Restrictions for access. • Wires / ACH: • Dual Control: (One user creates a transaction, the other approves.) • Transaction Limits • Daily Limits • Email Alerts / Warns of transaction created or sent. • Ensure information@yourfi.com is whitelisted in email. Other Resources • Malwarebytes.org • Anti-Malware Scanning Application • Free Version Download • Auto Update When Installed • Very Powerful Scanning Engine • Reveals “Cookies” and Temp Internet Files • Best Of Breed In “Free” Applications Other Resources • Microsoft Removal Tools • http://support.microsoft.com/botnets • http://support.microsoft.com/security/scanner/en-us/default.aspx • Be Careful – Creates “Best Practices” On Your PC. • Firewall Turns On • Sets Up Automatic Update For Windows • Enables Internet Explorer’s Privacy Settings • Turns On User Account Control (UAC) • Cleans Out Your Internet Cache and Browsing History • May Shut Off Other Applications • Seek I.T. Support If Available Good Too Great • Current: • SFA Tokens (number on display) • Cell Phone – SMS Texts a number to enter • “Sandbox” Application USB / Icon • Near Future: (Here now) • Remote Web Server will scan your computer. • Detect and report malware. • Prevent transaction from processing. • IBM PinPoint / Trusteer combination. Smart Phone Payments • Is Using a Smart Phone Safe? • Apple Apps are screened for malware and viruses • Droid Apps can contain malware and viruses • Anti Virus available Thank You! • Malwarebytes.org • http://www.malwarebytes.org/ • Microsoft Removal Tools: • http://support.microsoft.com/botnets • http://support.microsoft.com/security/scanner/en-us/default.aspx • Download This Presentation: • www.bradrand.com/presentations • Windows Shell (Appearance of XP / Vista) • http://www.classicshell.net/