Cybersecurity

The Value of Membership
Why the Attention to Cyber Security?
Responsibility of Board and Management
Incident Response
Current Cyber Threats
DDoS, Types of Hacking, etc.
Hacking Lesson
Password Lesson
Methods used to effectively implement security into daily operations.
Recent Breaches:
AshleyMadison.com
Home Depot
Dairy Queen
Target
Yahoo
Michaels
eBay
Experian
NoMoreRack
Sally Beauty
California DMV
P.F. Chang’s
Anthem
Neiman Marcus
Citigroup
IRS
Among 21 industries:
3rd in confirmed data losses
4th in security incidents
FFIEC Urges Boards and Management to:
Per the FFIEC Information Technology Examination Handbook, Management booklet (November 2015):
Understand the institution's cybersecurity inherent risk and routinely discuss cybersecurity issues in meetings;
Monitor and maintain sufficient awareness of threats and vulnerabilities;
Establish and maintain a dynamic control environment;
Manage connections to third parties; and
Develop and test business continuity and disaster recovery plans that incorporate cyber incident scenarios.
Incident vs. Breach

Breach Response Scenario Exercise

Incident Response
NIST Special Publication 800-61, Computer Security Incident Handling Guide
DDoS
Hacking
Social Engineering
Non-conformance to:
Industry best practice standards
Current policies
Distributed Denial-of-Service (DDoS)
Attackers use compromised systems (zombies / bots) to attack a specific target.
The compromised systems send an overwhelming number of connection requests, flooding the target.
The target receives so many connections that it stops responding, denying service to legitimate requests.
A DDoS may also be a distraction from another attack in progress.
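As an added example (not part of the original presentation), the following Python script shows what the pattern above looks like in a connection log and why it matters for remediation: a flood from one compromised host can be blocked at the firewall, while a distributed flood from hundreds of bots sending a few requests each needs help from the upstream provider. The log lines, addresses and thresholds are constructed for illustration.

```python
"""Classify one-second windows of a connection log as normal, a flood from a
single source, or a distributed flood. Added example; the log data is constructed."""
from collections import Counter, defaultdict

# Thresholds are assumptions for the example: a window is suspicious when its
# request rate exceeds FLOOD_FACTOR x the normal rate, and a flood counts as
# "single source" when one address sends at least TOP_SHARE of the requests.
FLOOD_FACTOR = 10
TOP_SHARE = 0.5


def parse_line(line):
    """Constructed log format: '<epoch_second> <source_ip> <destination_port>'."""
    ts, src, port = line.split()
    return int(ts), src, int(port)


def classify_window(sources, baseline_rate, window_seconds):
    """Label one time bucket from the list of source addresses seen in it."""
    requests = len(sources)
    rate = requests / window_seconds
    if rate <= FLOOD_FACTOR * baseline_rate:
        return "normal"
    _, top_count = Counter(sources).most_common(1)[0]
    if top_count / requests >= TOP_SHARE:
        # One address dominates: rate-limit or block it at the firewall.
        return "single-source flood"
    # Many bots, a few requests each: per-IP blocking will not help, so the
    # ISP or a scrubbing service has to absorb it (the slide's "Internet
    # Service Provider" remediation item).
    return "distributed flood"


def classify_log(lines, baseline_rate=20, window_seconds=1):
    """Bucket requests by window and return
    {window_start: (requests, distinct_sources, label)}."""
    buckets = defaultdict(list)
    for line in lines:
        ts, src, _ = parse_line(line)
        buckets[ts - ts % window_seconds].append(src)
    return {
        start: (len(srcs), len(set(srcs)),
                classify_window(srcs, baseline_rate, window_seconds))
        for start, srcs in sorted(buckets.items())
    }


def build_sample_log():
    """Constructed sample: normal traffic, then one zombie, then a botnet."""
    lines = []
    for i in range(15):                     # t=100: 15 requests from 5 members
        lines.append(f"100 192.0.2.{10 + i % 5} 443")
    for _ in range(500):                    # t=101: one compromised host
        lines.append("101 203.0.113.9 443")
    for i in range(200):                    # t=102: 200 bots, 3 requests each
        for _ in range(3):
            lines.append(f"102 198.51.100.{i} 443")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for start, (n, distinct, label) in classify_log(SAMPLE_LOG).items():
        print(f"t={start}: {n} requests from {distinct} sources -> {label}")
```

The distinct-source count is the number to watch: the second window is a flood you can stop yourself, the third is one you cannot, which is why the vendor's and ISP's mitigation plans belong in the disaster recovery plan.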
Assess Risk / Remediation
Targets are Internet facing:
Website
Home banking
Internet service provider
Allowed timeframe (acceptable outage duration)
Due diligence on the vendor's mitigation capability
Include the vendor's plan in the credit union's disaster recovery plan
Types of Hackers
White hat hacker - breaks security for non-malicious reasons (e.g., authorized network penetration testing)
Grey hat hacker - uses their skills for legal or illegal acts, but not for personal gain
Black hat hacker - someone who breaks computer security without authorization or uses technology (usually a computer, phone system or network) for vandalism, credit card fraud, identity theft, piracy, or other types of illegal activity
Social engineer - uses non-technical skills to gain access to information
Texas Credit Union League © 2013
Types of Hacks
Security exploit
Packet sniffer
Password cracking
Spoofing attack
Keyloggers
Trojan horse
Virus
Malware
Social engineering
Texas Credit Union League © 2012
How to Protect from Threats
Risk assessment
Encryption
  In storage
  In transit
Training
Testing
Multi-layered security
  Deploy administratively
  Deploy physically
  Deploy technically
Principle of least privilege
Assume you are the target
First Line of Security: Employees
Your ammunition is:
Knowing that compliance ≠ security
Educating employees, members, friends, and family
An altered frame of mind
Being cognizant of new security threats
Hacking Lesson for the Non-Techie
Create a malicious Trojan horse.
Install a virus.
Hacked by:
Poor system security:
  Antivirus
  Antispyware
  Operating system updates
Computer / system privileges
USER KNOWLEDGE

Hacking Lesson for the Non-Techie
Hack a password.
Hacked by:
Weak password
Computer / system privileges (allowed a key logger to be installed)
USER KNOWLEDGE
If a non-techie hacks your password, you have been SOCIALLY ENGINEERED!
Fundamental Network Security Practices
Framework to set up and remember passwords that meet complex policy requirements
Step 1 - Think of a sentence (pass phrase):
My wife Elsa and I live in El Paso, Texas.
Step 2 - Extract the first letter of each word in the pass phrase:
My wife Elsa and I live in El Paso Texas
Step 3 - Place the first letters together:
MwEaIliEPT
Step 4 - Substitute characters:
A or a = @
E or e = 3
I or i = !
L or l = 1
S or s = $
After the substitution, the password would be:
Mw3@!1!3PT
Caveat: this framework is a memory aid, not a source of strength. Password-cracking tools apply exactly these character substitutions as rules, so the substitution step adds only a handful of guesses on top of the base string, and a sentence built from a spouse's name and home town is the kind of detail the social engineering slides below show an attacker collecting. Prefer a long pass phrase of unrelated words (NIST SP 800-63B now favors length over composition rules), use a password manager so each site gets its own password, and never reuse a published example such as the one above.
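Here is the four-step framework implemented in Python, as an added example rather than the presentation's own material, together with a second function that shows the point of the caveat: once an attacker guesses or harvests the base string (the initials), the character substitutions add at most one bit per substitutable letter, so the published example falls to a cracker's substitution rule in 64 guesses. The phrase is the slide's own; the function names and the treatment of punctuation are this example's assumptions.

```python
"""The slide's pass-phrase-to-password framework, plus a measure of how little
the substitution step adds against a rule-based cracker. Added example."""
import itertools

# Substitution table from the slide (E -> 3 and L -> 1 are the rules its
# worked result Mw3@!1!3PT actually uses).
SUBSTITUTIONS = {
    "A": "@", "a": "@",
    "E": "3", "e": "3",
    "I": "!", "i": "!",
    "L": "1", "l": "1",
    "S": "$", "s": "$",
}


def initials(passphrase):
    """Steps 2 and 3: first letter of each word, case kept, punctuation dropped."""
    words = (w.strip(".,;:!?'\"()") for w in passphrase.split())
    return "".join(w[0] for w in words if w)


def substitute(text):
    """Step 4: apply the substitution table to every matching character."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in text)


def derive_password(passphrase):
    """The whole framework: sentence -> initials -> substituted password."""
    return substitute(initials(passphrase))


def substitutable_positions(base):
    return [i for i, c in enumerate(base) if c in SUBSTITUTIONS]


def leet_variants(base):
    """Every password a cracker's substitution rule would try from `base`:
    the table applied to each subset of the substitutable positions."""
    positions = substitutable_positions(base)
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(base)
        for pos, apply in zip(positions, mask):
            if apply:
                chars[pos] = SUBSTITUTIONS[chars[pos]]
        yield "".join(chars)


def substitution_bits(base):
    """Extra work the substitution step adds, in bits: one per substitutable
    character, because each one is either replaced or left alone."""
    return len(substitutable_positions(base))


def guesses_to_recover(base, target):
    """Number of candidates tried before `target` turns up, or None."""
    for n, candidate in enumerate(leet_variants(base), start=1):
        if candidate == target:
            return n
    return None


if __name__ == "__main__":
    phrase = "My wife Elsa and I live in El Paso, Texas."   # the slide's example
    base = initials(phrase)
    pw = derive_password(phrase)
    print(f"{phrase!r} -> {base} -> {pw}")
    print(f"substitution adds {substitution_bits(base)} bits; recovered from "
          f"the base string in {guesses_to_recover(base, pw)} guesses")
```

Six substitutable letters give 2^6 = 64 variants, so the substitution is worth six bits at best; the real strength, such as it is, lies in how unpredictable the sentence is, which is why a sentence about your family and home town is a poor choice.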
Non-Technical Hack
Social Engineering
Psychological manipulation
The act of manipulating people into performing
actions or divulging confidential information,
rather than by breaking in or using technical
hacking techniques.
Trickery or deception for the purpose of
information gathering, fraud, or computer
system access. In most cases the attacker
never comes face-to-face with the victim.
Technical way of lying
Current Methods of Attack
Vishing - voice phishing, carried out by phone call; a combination of the words "voice" and "phishing"
Smishing - SMS phishing, carried out by text message; SMS (Short Message Service) is the technology used for text messages on cell phones
SIM-swap
Caller ID spoofing calls
Pretexting - a fabricated scenario used to:
  Get significant data
  Test the organization's security posture
  Gain a small amount of data to build on
How / Why It Works
Humans inherently:
Are trusting
Have fear of authority
Are courteous
Want to help
Desire to be liked
Are social
Are curious
Social Engineering - ID Theft
Full name
Address / phone numbers (past and present)
Date of birth
Social security number
Mother's maiden name
Children's names
Bonus (if obtainable):
Loan information
Account numbers
Credit card information
Employment information
Passwords
Current Methods of Attack, cont.
Pharming - planting bogus websites that imitate a legitimate one, or redirecting traffic for the real domain name to them
Legitimate: www.redcross.org
Bogus look-alike: www.redcrosss.com
Phishing - usually through e-mail
Website spoofing
Spear phishing - your credit union is the target
Whaling - a high-profile employee is the target
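The redcrosss.com look-alike above is easy to catch mechanically. The following Python function, an added example and not part of the presentation, compares the registrable domain of a URL against a short list of legitimate domains after undoing common character swaps, so it goes beyond the slide's one example to typosquats and digit-for-letter substitutions. The list of known domains, the homoglyph table and the distance threshold are assumptions for the example.

```python
"""Flag host names that imitate a legitimate domain. Added example; the known
domains and sample URLs are constructed."""
from urllib.parse import urlsplit

# Domains the credit union treats as legitimate: an assumption for the example.
KNOWN_DOMAINS = ["redcross.org", "example-cu.coop"]

# Swaps attackers use to make a fake name read like the real one (a subset).
# Multi-character swaps go first so "rn" is undone before "r" or "n" matter.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(label):
    """Undo the homoglyph swaps so 'redcr0ss' compares equal to 'redcross'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the host ('www.redcrosss.com' -> 'redcrosss.com').
    Good enough for .org/.com/.coop; a production check would consult the
    public suffix list so that names under e.g. .co.uk are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(url, known=KNOWN_DOMAINS, max_distance=2):
    """Return the legitimate domain that `url` imitates, or None when the URL
    is on a known domain or is not close to any of them."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    domain = registrable_domain(host)
    if domain in known:
        return None                      # exactly one of ours
    name = normalize(domain.rpartition(".")[0])
    for legit in known:
        legit_name = legit.rpartition(".")[0]
        # Same or nearly the same name under any TLD is a look-alike:
        # 'redcross.com' and 'redcrosss.com' both land here.
        if edit_distance(name, legit_name) <= max_distance:
            return legit
    return None


if __name__ == "__main__":
    for u in ["http://www.redcross.org/donate", "www.redcrosss.com",
              "https://redcr0ss.org/", "https://www.example.com/"]:
        print(f"{u:35} -> {lookalike_of(u)}")
```

Run it over link targets in incoming e-mail or proxy logs; a hit means the link points somewhere that is close to, but not, a domain you trust, which is exactly the case a hurried reader will not notice.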
Current Methods of Attack, cont.
Use of fear, posing as:
Angry member
Senior executive
Law enforcement
Credit collector
Physical bait:
USB drive
CD
Acting as a third party:
AT&T
Building maintenance
Law enforcement
IT vendor
Examiner
Flirting
Where is your stolen information?
Carding / hacker forums supply chain:
Harvesters - collect data by phishing, key logging, etc.
Brokers - sell the harvested credit card, account, password, and personal information
Distribution - ID theft: the information is used to purchase tangible items, which are then sold for cash
Don't Throw Your Security Investment Away!
A successful social engineer bypasses:
Physical security (e.g., perimeter alarm sensors, motion detectors, etc.)
All doors, locks, keys
Firewalls
Intrusion Detection / Prevention Systems (IDS/IPS)
Network access levels
Data processor access levels
Many more...
Security Posture Result
Reactive credit union:
Lack of knowledge of current methods
No testing
Proactive credit union:
Semi-annual training
Testing results positive
Summary
Train - EVERYONE and often
Test - EVERYONE and often
First line of security - employees
Your ammunition is:
Knowledge of this material
Creativity to build on the material
Educating employees, members, friends, and family
Be vigilant and alert
Stay abreast of new methods
Trust, but be suspicious and verify
Assume you are the target
Share stories

Information security management for a credit union begins with managing risks.
Idrees Rafiq
AVP - IT Consulting
Credit Union Resources, Inc.
Toll free: (800) 442-5762 ext. 6799
Direct: (469) 385-6799
Cell: 915-449-4456
irafiq@curesources.coop