Cyber Security in
the 21st Century
Safe Harbor Statement
This presentation outlines certain practices that businesses should
consider to reduce the likelihood of loss caused by online fraud and
identity theft. This presentation does not purport to identify all existing
online fraud and identity theft practices and all fraud mitigation measures
that your business should consider implementing. There is no way to
guarantee that any set of protective measures will eliminate loss caused
by online fraud and identify theft. U.S. Bank is not responsible for losses
caused by online fraud and identity theft.
2
Agenda







3
Context
The Expanding Internet
Cyber Crime Scale
Today’s Threats
Malware
Preventing Business Account Takeover
Avoid Being a Victim
Context
• The internet is incredibly convenient – banking and shopping with a few clicks
of the mouse.
• Personal Banking
• 63 million Americans bank online1
• $3,500 average balance in “transaction accounts”2
• ~ $221 Billion managed online
• Shopping
• $1.042 Billion spent online the day after Thanksgiving 20123
• $1.465 Billion spent online the Monday after Thanksgiving 20123
• The internet holds a wealth of information
• Encyclopedia Britannica has 32 volumes - English Wikipedia, if bound identically,
would consist of 1,673 volumes
• Birthdates, residences, phone numbers, email addresses – all conveniently
located in one place – your Facebook or LinkedIn profile page!
1. Pew Research Center, Jan 2012
2. Federal Reserve 2010 Survey of Consumer Finances
3. comScore e-Commerce Measurement
4
The Expanding Internet
THE SUPERHIGHWAY, pre-2000
1
2012
3
2
Analogy
5
Pre-2000
2012
1
Cars


Billions (1,000,000,000)
60 mph


Quintillions (1,000,000,000,000,000,000)
60,000 mph
2
Lanes

4

4,000
3
On/Off
Ramps

Millions (1,000,000)

Hundreds of Millions (800,000,000)
Cyber Crime Scale
1
(347M)
(431M)
 14 adults become victims of cybercrime every second,
totaling more than one million victims each day1
 Cybercriminals unleash 3.5 new threats targeting businesses every second2
 69% of breaches incorporated malware as part of the attack3
1 Norton
Cybercrime Report 2011
Micro “Small business is big business in cybercrime”
3 Verizon Breach Report 2012
2 Trend
6
Changing Cyber Threats
Insiders
• Often undetected for up to 32 months
• Culprits are employees- typically managers – with 5 years + experience
• Usually low-tech, relying on access privileges
Hacktivists
• Responsible for 58% of all data stolen in 2011
• Targets include CIA, FBI, Visa, MasterCard, Sony (breached 21 times in 2011), Amazon
Organized crime
• Cybercrime is maturing as a business, with marketing, support, advertising,
R&D, and economies of scale
Nation-states
• Since 2010, nation-state linked malware IDs increased from 1 to 8; 5 in 2012
• Gauss Malware targets financial services in the Middle East; steals credentials
• Technically sophisticated malware for espionage, data breaches, even sabotage
7
Changing Threats: Insiders
• Almost 1 in 10 who reported fraud suffered losses of more than $5 million.
• 56% of respondents said the most serious fraud was an ‘inside job’.
PWC Global Economic Crime Survey November 2011
Perpetrators of fraud by industry
Financial services
Insurance
38
60
40
Technology
59
45
Communications
3
39
Hospitality & leisure
58
Retail & consumer
59
Entertainment & media
59
5
42
35
6
41
63
24
13
Government/state-owned enterprises
67
29
4
Energy, utilities, & mining
68
28
4
Transportation & logistics
69
27
4
Manufacturing
75
22
3
Pharmaceuticals & life sciences
75
23
2
Engineering & construction
77
0
20
% of reported frauds
Internal fraud
8
10
45
56
Automotive
1
45
52
Professional services
2
40
External fraud
21
60
Don't know
80
2
100
Changing Threats: Hacktivists
•
•
•
Hacktivism was responsible for 58% of all data stolen last year
Hacktivist motives vary; nationalism, digital/electronic rights, privacy issues, copyright
issues, Occupy Wall Street, even animal rights
Hacktivist tactics depend on the size of the organization and the relative skill levels of its
members. Some typical attacks are:
Vulnerabilities
• Broad scans of identified targets in
search of easily-exploitable
vulnerabilities
• May be the first choice, with DDoS
as a last resort if no exploitable
vulnerabilities are found
• A DDoS attack can be used as
cover for a smaller team to exploit
previously identified vulnerabilities
9
Denial of service
• Hacktivists use software tools to
overload target servers and
applications with requests; little
technical skill required and there is
strength in sheer numbers
• Goal is to bring down web sites
and applications for hours or even
days
• DDoS attacks like this are planned
publicly, so there is usually lead
time to prepare
Advanced persistent
threats
• Highly skilled, technologically
advanced and stealthy attacks by
smaller teams
• Goal is to steal IP and
authentication information, and PII
for individuals & organizations
• Often has a spearphishing
component, or other social
engineering stage
• APTs linked with “watering hole”
attacks, where malware is seeded
at sites where targets of interest
gather to see who they can snare
Changing Threats: Organized Crime
• Traditional organized crime is
making inroads and extending
operations into digital markets
TRADITIONAL INDICATOR
Extortion techniques
ONLINE PARALLEL
•
•
• Young hacker stereotype
turns out not to be the case 43% of organized digital crime
associates are over 35 – more
than those who are under 25
(29%)
– Research indicates this is
because technology bar to digital
crime has been lowered due to
easy availability of ready-made,
low-skill toolkits to make malware
or manage botnets
Control of gambling
Control of drug markets
Money laundering
Counterfeiting
Sex & prostitution
Threats to close down systems by malware
attacks
Use of compromising browser records for
blackmail
•
Development of new ‘offshore’ income streams
•
•
Sales of illegal drugs
•
•
Laundering of digital income
Development of fake Viagra and other pseudo
drug markets / spamming
Global money mule systems
• Organized DVD copying gangs
• Organized intellectual copyright theft
• Carding and skimming
• Creation of online pornography empires
• Links between escort sites, trafficking and
organized groups
Organized crime in the digital age: the real picture, BAE Systems Delticasponsored study, London Metropolitan University
10
Changing Threats: Nation-state Threats
• Double-threat from highly advanced
and specialized malware &
Advanced Persistent Threats
• Targets specific nations through
government & civil organizations,
commerce & infrastructure:
0
Rise of Malware Linked to Nation-States
L Intelligence gathering
~ Sabotage
– Gauss focused on financial
institutions
– Flame targeted companies and
institutions in the Middle East
• Highly sophisticated and complex:
– Stuxnet probably required 10 manyears of development; Flame 20
times more complex
• Enables plausible deniability
– Researchers who analyze the code
can’t be sure that they’re seeing
more than what the writers want
them to see.
11
L~SHAMOON
LGAUSS
LIXESHE ?
LFLAME MINIFLAME
~WIPER
~ STUXNET
2010
L~DUQU
2011
LMADHI
2012
2013
• Red lines indicate probable family link
• Only circumstantial evidence for Wiper link to Stuxnet family
(it left very little forensic data)
• The status of Shamoon as nation-state malware has been
questioned – some attribute it to nationalist hackers or
cybercriminals
Attacks from Last Traceable Point of Origin
10-30%
3-4%
1%
0.6%
0.3%
32.5% Unknown origin
USA
• Hosted ~50% of all phishing
sites in 1H 2011
• Hosted ~45% of all phishing-based
keyloggers or Trojan downloaders
12
Russia
• Produces 77% of all spam
• Source of many successful botnets;
Rustock, Grum, Cutwail , and more
China
• 55,000 malware/intrusion incidents on DoD systems in
2010; large but unspecified number blamed on China *Trustwave Breach Report 2012
• Highest level of malware infections
What is Malware?
•
“Malware” is an umbrella term used to describe many forms of
malicious software
•
Common forms of malware:
•
Worms – malware that can spread by itself (most other forms spread by attaching to
a file).
•
Trojans – malware that looks legitimate and tricks the user into activating it. Known to
create “backdoors” that give malicious users access to the infected system.
•
Viruses – malware that replicates itself by inserting itself into and becoming a part of
a piece of legitmate software.
•
Bots – malware that automates the use of system resources on the infected computer
to interact with external computers. Causes “Denial of Service (DoS) attacks.
13
The Business of Malware…
•
350 to 400 million PCs compromised
•
$388 billion per year in losses resulting from cybercrime
•
431 million adults fall victim per year (69% of those
surveyed by Symantec had been victims)
A big
problem…
… getting
bigger?
*2011 PandaLabs
14
How Malware Works
0
Malware
Service
Malware
Coder
0
1
2
Cyber
Theft
Malware Service
Malware-as-a-Service
Malware programmers
- sell/lend malware.
- purchase/rent malware module from
other programmers
- use testing services such as checking
detection by Anti-Virus software
- provide customers with customization,
updates, and issue maintenance
15
3
Malware
Infection
Credential
Harvest
1
4
Money
Theft
Money
Mules
Victim
Malware Infection
3
4
Credential harvest
The victims visit their online banking
websites and logon per the standard
processes.
The malware collects and transmits data
back to the criminals.
Mule
Organization
Money Theft
Criminals leverage the victim’s
credentials to initiate funds
transfers from the victim’s
account to mules.
Criminals
- trick victims into opening infected
attachments or visit nefarious websites
- commands bots to download malware
(criminals lend/rent botnets)
2
Money
Collection
Money Collection
Mule organizations collect money
from mules and laundry money.
Malware Infection
•
Phishing – “phishing” is the use of spam email designed to trick
the recipient into clicking a hyperlink or opening an attachment
•
Phising emails often look official and have a clear “call to action”
•
Most commonly look like email from banks, delivery services or law enforcement
agencies
•
Spear Phishing
•
A phising attack that is designed for a specific person. The attacker may conduct
extensive research on a specific individual to customize the attack.
•
Social Networks
•
Attackers using social networks take advantage of the fact that most everyone is on
another user’s “trusted” list
16
Social Engineering / Social Media
• Social engineering attacks occur by phone,
email, or even in person
• A social engineer tricks people into giving away
sensitive information, even passwords
• Social engineers are ‘hacking the human
element’ – it’s easy and untrained employees
won’t suspect
Typical approaches:
• “Do me a favor and help me out or I’ll get in trouble…”
• “This is business-critical and time is running out…”
• “Hi, I’m from the IT helpdesk and we’re doing a routine
but complicated-sounding test, can you give me
your…”
• “The Sales Director has asked me for this
information…”
• “Why can’t you hurry this up? I don’t have all day…”
17
Social Media Malware–
Automated social engineering:
• Malware can take over your social
media account to:
•
Send phishing emails to all your
contacts
•
Set your “like” status to a
product you’ve never heard of, or
to some malware-infected app
• Effective because it exploits the
assumed trust we have in our
networks – email typically comes
from someone we know.
• 52% of companies surveyed at end
of 2011 said they had seen an
increase in social media attacks due
to malware.
Man-In-The-Browser
•
One of the most concerning types of malware attacks is called
“Man-In-The-Browser” (MITB).
•
Typically the result of a Trojan infection, MITB permits a cybercriminal to modify
the infected machine’s browser and harvest user credentials.
•
Infected browser looks like an unifected browser, many times prompting the user
for token generated passwords and / or transaction PINs.
Login screen
altered
18
Prevent Business Account Takeover
•
Dual Authorization
•
If offered, utilize dual authorization for ACH / wire transactions and account
administration
•
•
Do not execute both authorizations from the same computer
Business Account Settings
•
Reset default transaction limits – many institutions set default transaction
limits very high
•
Remove those employees no longer with your organization from payroll
rosters immediately
•
19
Regularly review your account settings
Prevent Business Account Takeover
•
20
Dedicated Computer
•
Use a dedicated computer for online financial transactions
•
No internet browsing except for bank transactions
•
No email or internet-accessing applications
•
Configure user accounts with least necessary privilege
How to Avoid Being a Victim
•
Keep anti-virus software up to date
•
AV software is not a silver bullet – only catches 40% of all documented malware!
Use AV software as one part of your entire strategy to stay safe online.
•
•
21
Smart internet browsing
•
Stay away from websites ending in “.ru”
•
Be very wary about downloading files, even from “trusted” websites
•
Avoid downloading “plug-ins” for your browser
Use strong passwords
•
The longer the better (12 – 14 characters is optimal)
•
Do not use dictionary words in your password
•
Do not re-use passwords on different websites
How to Avoid Being a Victim (Continued)
•
Social Network Safety
•
Minimize the amount of personal information (birth date, address, etc) you
share on social networks
•
Be careful when clicking on web links at social media sites
Nielsen Global Trust in Advertising Report for 2012
“Social media is most influential new media because we consider familiar voices to be trustworthy”
22