March 2015 Presentation to Municipal Departments

How Can I Bank Online Securely?
Bradford Rand
V.P. Information Technology
Infrastructure Manager
Information Security Officer
Online Security Approach
• Online Security Is Not A Single Solution.
• The Best Security Is A Layered Approach
• “Defense In Depth”
• Internet
• Firewall
• Intrusion Detection / Prevention
• Open Port Limitation
• Local Workstation
• Anti-Virus
• Anti-Malware
• Security Patching
• Operating System
• Third Party Applications
• Education
• Email Phishing
• Phone Calls “Vishing”
How Do I Bank Online Securely?
• The safest PC is one that is not connected to the internet.
• Once a PC is placed “online” with the internet, it will be compromised within 7 minutes.** SANS Survival Times https://isc.sans.edu//survivaltime.html
• A dedicated workstation, used just for online banking, is the most secure solution for performing online transactions.
• Patching is critical. Most compromised PCs were not up to date with Operating System updates.
• Email: Phishing / Trojan Malware is overwhelming.
• Hosting Banks / FI’s have multiple Security Controls
Who Is Responsible?
• Both the Client and the FI share responsibility.
• FI has many policies and procedures that are closely followed.
• Documentation and constant audits of controls / processes.
• Will not call you and ask for any NPI. (Non Public Information)
• Work with Clients to know the customer.
• Complies with stringent rules regarding web hosting.
• PCI Compliance (Payment Card Industry)
• Extended Validation on web sites. (HTTPS://greenbar)
• Good SFA (Second Factor Authentication) controls.
• FI cannot control the Client’s Workstation
• Patching
• Email Configuration / Filtering
• Web Browsing
• End User Access
How Does It Happen?
• Every compromise incident I have been involved in was initiated from the client / end user workstation.
• The compromised computer was the result of inadequate patching and / or email phishing.
Local Workstation
• Can Download Malware From Many Areas
• Phishing:
• Email sent to you appearing as a known source
• Contains attachment: Word / PDF / Excel / Text File
• Contains hyperlink to contaminated web site.
• Click on the link and download the program
• Downloaded program takes advantage of known vulnerabilities.
• Portable Media
• USB sticks carry malware
• Seeding / Leave one in the parking lot.
• Has label “Payroll” / Eye Candy
• You plug it in at work, it autoloads.
• Browsing Web Pages
• Ads on the sidebar
• Google does not verify “clean” sites well.
• Redirect to compromised sites.
• Download application.
• P2P File Sharing
• Music download / Bit Torrent
“Trojan” Malware
• Trojan Horse
• Free Gift / Special Offer
• Email or Web Browsing
• Click on Link
• File Appears as “Friendly”
• Request to Open File
• Allow Execution / Installation
• Wrapper Opens and Runs a Script
• Sets Up Shop
• Cloaks Itself
• Calls Home
• Begins Data Transfer
Keystroke Loggers
• Most Common Form Of Malware
• Easy To Deploy
• End user does the work by loading the application
• “Calls Home” When Set Up
• Sniffs All Traffic From PC Going Out To Web
• Has search criteria (Filters)
• Login ID / Passwords
• 9-digit Social Security numbers
• May use a dictionary
• Records Any String Of Data Behind Keywords
• Send back data in complete format
• Complete report of compromised data at end of the day
• Programmable application
• Possibility Of Remote Control
• Removes IP location restriction in “cookies”
• Performs banking from your PC.
Keystroke Logging Example
• Switch Over To Compromised Computer
• Keystroke Logging Questions?
What Can I Do?
• Keep Operating System up to date.
• Microsoft – Patches are released for a reason.
• Patch Tuesday / second Tuesday of the month.
• Remediates known vulnerabilities.
• Set Updates to automatically update.
• MS Office updates. (Recently compromised)
• Browser
• Internet Explorer – (Now becoming “Spartan”)
• FireFox – Automatically Updates
• Chrome – Automatically Updates
• Third Party Application Patching
• Adobe Products
• Reader / Writer / Flash / Air / Shockwave
• Be careful of “Toolbar” baggage applications.
• Ask / Google toolbars are checked by default to install along with the patch.
• Result is a more crowded browser and a slower PC.
• Adware follows your browsing habits.
• Google ads on the sidebar change to fit you.
What Can I Do?
• Dedicated Workstation is the best solution.
• Can be outdated PC.
• Will run quick enough, minimal applications running on it.
• Needs Windows 7 and up.
• Anti-Virus / Malware Detection
• Keep up on Operating System Patching!
• Limit Access To Local Workstation
• Location, location, location
• Keep it close.
• Lock it up when not in use.
• Require separate local accounts.
• Create Administrative account.
• Limit “Basic” user accounts to not allow running of executables.
• “Run As” will require administrator password to install applications
• Disable “AutoRun”
• Will require a double click on the file to execute.
Email Phishing Examples
• Contained In Email
• Mouse Over Hyperlink To Reveal Actual Site Address
• not www.verizon.com - instead
• www.clownpages.hk/nothinghere/
• Attachment could be .pdf / .exe / .gif
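The mouse-over check above (displayed link text vs. the real destination, plus an unusual country-code TLD such as .hk) can be automated for a mail filter. The script below is an added example written for this page, not code from the presentation; the short list of suspicious country-code TLDs and the sample email body are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed short list of country-code TLDs to flag for a U.S. business;
# a real filter would use the institution's own policy list.
SUSPICIOUS_CC_TLDS = {"hk", "ru", "cn", "ua"}

ANCHOR_RE = re.compile(
    r'<a\s+[^>]*href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>',
    re.IGNORECASE | re.DOTALL,
)

def registrable_domain(host):
    """Return the last two labels of a hostname (e.g. 'verizon.com')."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def check_links(html):
    """Return one finding per anchor: (displayed_text, actual_host, reasons)."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        actual = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", text).strip()
        reasons = []
        # The slide's mouse-over test: does the visible text look like a URL
        # whose domain differs from where the link really goes?
        m = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", shown, re.I)
        if m and registrable_domain(m.group(1)) != registrable_domain(actual):
            reasons.append("displayed domain differs from real destination")
        tld = actual.rsplit(".", 1)[-1] if "." in actual else ""
        if tld in SUSPICIOUS_CC_TLDS:
            reasons.append(f"country-code TLD .{tld}")
        if urlparse(href).scheme == "http":
            reasons.append("no HTTPS")
        findings.append((shown, actual, reasons))
    return findings

# Constructed sample phishing email body (not a real message).
SAMPLE_EMAIL = """
<p>Your Verizon bill is ready.</p>
<a href="http://www.clownpages.hk/nothinghere/">www.verizon.com</a>
<a href="https://www.verizon.com/myaccount">Manage account</a>
"""

if __name__ == "__main__":
    for shown, host, reasons in check_links(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if reasons else "ok"
        print(f"{status}: '{shown}' -> {host} {reasons}")
```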
Top Level Domain Extensions
• “Normal” Business Usage
• .gov
• .com
• .net
• .edu
• .org
• “New” But Not Used As Much
• .tv
• .biz
• .tax
• .mobi
• On The Horizon
• .bank
Internet Country Codes
AF - Afghanistan
AL - Albania
DZ - Algeria
AS - American Samoa
AD - Andorra
AO - Angola
AI - Anguilla
AQ - Antarctica
AG - Antigua and Barbuda
AR - Argentina
AM - Armenia
AA - Aruba
AU - Australia
AT - Austria
AZ - Azerbaijan
BF - Bahamas
BH - Bahrain
BB - Barbados
BD - Bangladesh
BY - Belarus
BE - Belgium
BZ - Belize
BJ - Benin
BM - Bermuda
BS - Bahamas
BT - Bhutan
BW - Botswana
BO - Bolivia
BA - Bosnia and Herzegovina
BV - Bouvet Island
BR - Brazil
IO - British Indian Ocean Territory
BN - Brunei Darussalam
BG - Bulgaria
BF - Burkina Faso
BI - Burundi
KH - Cambodia (Internet)
CB - Cambodia (CIA World Fact Book)
CM - Cameroon
CA - Canada
CV - Cape Verde
KY - Cayman Islands
CF - Central African Republic
TD - Chad
CL - Chile
CN - China
CX - Christmas Island
CC - Cocos (Keeling) Islands
CO - Colombia
KM - Comoros
CG - Congo
CD - Congo, Democratic Republic
CK - Cook Islands
CR - Costa Rica
CI - Cote D'Ivoire (Ivory Coast)
HR - Croatia (Hrvatska)
CU - Cuba
CY - Cyprus
CZ - Czech Republic
CS - Czechoslovakia (former)
DK - Denmark
DJ - Djibouti
DM - Dominica
DO - Dominican Republic
TP - East Timor
EC - Ecuador
EG - Egypt
SV - El Salvador
GQ - Equatorial Guinea
ER - Eritrea
EE - Estonia
ET - Ethiopia
FK - Falkland Islands (Malvinas)
FO - Faroe Islands
FJ - Fiji
FI - Finland
FR - France
FX - France, Metropolitan
GF - French Guiana
PF - French Polynesia
TF - French Southern Territories
MK - F.Y.R.O.M. (Macedonia)
GA - Gabon
GM - Gambia
GE - Georgia
DE - Germany
GH - Ghana
GI - Gibraltar
GB - Great Britain (UK)
GR - Greece
GL - Greenland
GD - Grenada
GP - Guadeloupe
GU - Guam
GT - Guatemala
GN - Guinea
GW - Guinea-Bissau
GY - Guyana
HT - Haiti
HM - Heard and McDonald Islands
HN - Honduras
HK - Hong Kong
HU - Hungary
IS - Iceland
IN - India
ID - Indonesia
IR - Iran
IQ - Iraq
IE - Ireland
IL - Israel
IT - Italy
JM - Jamaica
JP - Japan
JO - Jordan
KZ - Kazakhstan
KE - Kenya
KI - Kiribati
KP - Korea (North)
KR - Korea (South)
KW - Kuwait
KG - Kyrgyzstan
LA - Laos
LV - Latvia
LB - Lebanon
LI - Liechtenstein
LR - Liberia
LY - Libya
LS - Lesotho
LT - Lithuania
LU - Luxembourg
MO - Macau
MG - Madagascar
MW - Malawi
MY - Malaysia
MV - Maldives
ML - Mali
MT - Malta
MH - Marshall Islands
MQ - Martinique
MR - Mauritania
MU - Mauritius
YT - Mayotte
MX - Mexico
FM - Micronesia
MC - Monaco
MD - Moldova
MA - Morocco
MN - Mongolia
MS - Montserrat
MZ - Mozambique
MM - Myanmar
NA - Namibia
NR - Nauru
NP - Nepal
NL - Netherlands
AN - Netherlands Antilles
NT - Neutral Zone
NC - New Caledonia
NZ - New Zealand (Aotearoa)
NI - Nicaragua
NE - Niger
NG - Nigeria
NU - Niue
NF - Norfolk Island
MP - Northern Mariana Islands
NO - Norway
OM - Oman
PK - Pakistan
PW - Palau
PA - Panama
PG - Papua New Guinea
PY - Paraguay
PE - Peru
PH - Philippines
PN - Pitcairn
PL - Poland
PT - Portugal
PR - Puerto Rico
QA - Qatar
RE - Reunion
RO - Romania
RU - Russian Federation
RW - Rwanda
GS - S. Georgia and S. Sandwich Isls.
KN - Saint Kitts and Nevis
LC - Saint Lucia
VC - Saint Vincent and the Grenadines
WS - Samoa
SM - San Marino
ST - Sao Tome and Principe
SA - Saudi Arabia
SN - Senegal
SC - Seychelles
SL - Sierra Leone
SG - Singapore
SI - Slovenia
SK - Slovak Republic
SB - Solomon Islands
SO - Somalia
ZA - South Africa
ES - Spain
LK - Sri Lanka
SH - St. Helena
PM - St. Pierre and Miquelon
SD - Sudan
SR - Suriname
SJ - Svalbard and Jan Mayen Islands
SZ - Swaziland
SE - Sweden
CH - Switzerland
SY - Syria
TW - Taiwan
TJ - Tajikistan
TZ - Tanzania
TH - Thailand
TG - Togo
TK - Tokelau
TO - Tonga
TT - Trinidad and Tobago
TN - Tunisia
TR - Turkey
TM - Turkmenistan
TC - Turks and Caicos Islands
TV - Tuvalu
UG - Uganda
UA - Ukraine
AE - United Arab Emirates
UK - United Kingdom
US - United States
UM - US Minor Outlying Islands
UY - Uruguay
SU - USSR (former)
UZ - Uzbekistan
VU - Vanuatu
VA - Vatican City State (Holy See)
VE - Venezuela
VN - Viet Nam
VG - Virgin Islands (British)
VI - Virgin Islands (U.S.)
WF - Wallis and Futuna Islands
EH - Western Sahara
YE - Yemen
YU - Yugoslavia
ZM - Zambia
(ZR - Zaire) - See CD Congo, Democratic Republic
ZW - Zimbabwe
Phishing Demonstration
• Switch to Compromised PC.
What Can I Do?
• Use Email and Common Sense:
• Never a “free” gift. (Too good to be true)
• Do I know you?
• Do I perform business with you?
• I don’t remember applying for that?
• Opening Attachments:
• Malware can be contained in:
• Word / Excel / Adobe pdf’s / Pictures
• Usually asks to load the file
• That is the clue: never allow an application to run!
• Use “Save As” to download the file locally, and scan it for viruses before double clicking.
Email Security Questions?
What Can I Do?
• Change Your Passwords Frequently
• Use complexity, not your dog’s name / children’s names / birthdates
• Personal Facebook? It reveals passwords to anyone “creeping” on your page.
• Do Not “AutoSave” or “Remember” Passwords In Browsers
• Ensure Anti Virus Is Installed
• Auto update of definitions
• Threat detection installed
• IPS / not just IDS
• Free AV will cost you in the long run!
• You get what you pay for
Windows Versions
• Windows XP EOL / EOS
• April 8th, 2014
• No Auto Update / Reboot
• Critical Patches Ceased
• Call In Support Terminated
• Windows 7 or 8.1
• 7 Is Very Compatible
• 8.1 Is Better Version Than 8.0
• Shock Factor / “Skins” Can Be Installed
• classicshell.net Skin makes it look like XP or 7.
Financial Institution Controls
• Many Online Security Measures Available
• Administration:
• Dual Control (One user creates / edits users, another approves.)
• Administrators and users: “Principle of Least Privilege” applies
• Minimal set of tools to perform your job, no more.
• IP Restriction – Can only log in from one location.
• “Someplace you are” Authentication Mechanisms
• Day / Time Restrictions for access.
• Wires / ACH:
• Dual Control: (One user creates a transaction, the other approves.)
• Transaction Limits
• Daily Limits
• Email Alerts / Warns of transaction created or sent.
• Ensure information@yourfi.com is whitelisted in email.
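The administration and wire / ACH controls listed on this slide (IP restriction, day / time restriction, dual control, per-transaction and daily limits) can be expressed as a small policy check. This is an added example written for this page, not the institution's own code; the network range, hours, limits and user names are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed policy for one hypothetical business client (example values).
ALLOWED_NETWORK = ip_network("203.0.113.0/24")   # IP restriction: one location
BUSINESS_HOURS = range(8, 18)                      # day/time restriction, Mon-Fri
PER_TRANSACTION_LIMIT = 25_000                     # transaction limit (USD)
DAILY_LIMIT = 50_000                               # daily limit (USD)

@dataclass
class Wire:
    amount: int
    created_by: str
    approved_by: Optional[str] = None

@dataclass
class Session:
    user: str
    source_ip: str
    when: datetime

def session_allowed(s):
    """IP and day/time restrictions; returns a denial reason or None."""
    if ip_address(s.source_ip) not in ALLOWED_NETWORK:
        return "login from outside the registered location"
    if s.when.weekday() > 4 or s.when.hour not in BUSINESS_HOURS:
        return "login outside permitted day/time window"
    return None

def approve_wire(wire, approver, sent_today):
    """Dual control plus limits; returns (ok, reason)."""
    denial = session_allowed(approver)
    if denial:
        return False, denial
    if approver.user == wire.created_by:
        return False, "dual control: creator may not approve own transaction"
    if wire.amount > PER_TRANSACTION_LIMIT:
        return False, "exceeds per-transaction limit"
    if sent_today + wire.amount > DAILY_LIMIT:
        return False, "exceeds daily limit"
    wire.approved_by = approver.user
    # The slide's email alert would be raised here on create and on send.
    return True, "approved; alert email sent to client"
```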
Other Resources
• Malwarebytes.org
• Anti-Malware Scanning Application
• Free Version Download
• Auto Update When Installed
• Very Powerful Scanning Engine
• Reveals “Cookies” and Temp Internet Files
• Best Of Breed In “Free” Applications
Other Resources
• Microsoft Removal Tools
• http://support.microsoft.com/botnets
• http://support.microsoft.com/security/scanner/en-us/default.aspx
• Be Careful – Creates “Best Practices” On Your PC.
• Firewall Turns On
• Sets Up Automatic Update For Windows
• Enables Internet Explorer’s Privacy Settings
• Turns On User Account Control (UAC)
• Cleans Out Your Internet Cache and Browsing History
• May Shut Off Other Applications
• Seek I.T. Support If Available
Good To Great
• Current:
• SFA Tokens (number on display)
• Cell Phone – SMS Texts a number to enter
• “Sandbox” Application USB / Icon
• Near Future: (Here now)
• Remote Web Server will scan your computer.
• Detect and report malware.
• Prevent transaction from processing.
• IBM PinPoint / Trusteer combination.
Smart Phone Payments
• Is Using a Smart Phone Safe?
• Apple Apps are screened for malware and viruses
• Droid Apps can contain malware and viruses
• Anti Virus available
Thank You!
• Malwarebytes.org
• http://www.malwarebytes.org/
• Microsoft Removal Tools:
• http://support.microsoft.com/botnets
• http://support.microsoft.com/security/scanner/en-us/default.aspx
• Download This Presentation:
• www.bradrand.com/presentations
• Windows Shell (Appearance of XP / Vista)
• http://www.classicshell.net/