Cyber Security in the 21st Century

Safe Harbor Statement
This presentation outlines certain practices that businesses should consider to reduce the likelihood of loss caused by online fraud and identity theft. This presentation does not purport to identify all existing online fraud and identity theft practices and all fraud mitigation measures that your business should consider implementing. There is no way to guarantee that any set of protective measures will eliminate loss caused by online fraud and identity theft. U.S. Bank is not responsible for losses caused by online fraud and identity theft.

Agenda
• Context
• The Expanding Internet
• Cyber Crime Scale
• Today's Threats
• Malware
• Preventing Business Account Takeover
• Avoid Being a Victim

Context
• The internet is incredibly convenient – banking and shopping with a few clicks of the mouse.
  • Personal Banking
    • 63 million Americans bank online [1]
    • $3,500 average balance in "transaction accounts" [2]
    • ~$221 Billion managed online
  • Shopping
    • $1.042 Billion spent online the day after Thanksgiving 2012 [3]
    • $1.465 Billion spent online the Monday after Thanksgiving 2012 [3]
• The internet holds a wealth of information
  • Encyclopedia Britannica has 32 volumes; English Wikipedia, if bound identically, would consist of 1,673 volumes
  • Birthdates, residences, phone numbers, email addresses – all conveniently located in one place – your Facebook or LinkedIn profile page!
1. Pew Research Center, Jan 2012
2. Federal Reserve 2010 Survey of Consumer Finances
3. comScore e-Commerce Measurement

The Expanding Internet
The superhighway analogy, pre-2000 versus 2012:

  Analogy           Pre-2000                     2012
  1 Cars            Billions (1,000,000,000)     Quintillions (1,000,000,000,000,000,000)
                    60 mph                       60,000 mph
  2 Lanes           4                            4,000
  3 On/Off Ramps    Millions (1,000,000)         Hundreds of Millions (800,000,000)

Cyber Crime Scale
• 14 adults become victims of cybercrime every second, totaling more than one million victims each day [1]
• Cybercriminals unleash 3.5 new threats targeting businesses every second [2]
• 69% of breaches incorporated malware as part of the attack [3]
[Chart values shown on the slide: 347M and 431M]
1. Norton Cybercrime Report 2011
2. Trend Micro, "Small business is big business in cybercrime"
3. Verizon Breach Report 2012

Changing Cyber Threats
Insiders
• Often undetected for up to 32 months
• Culprits are employees – typically managers – with 5+ years of experience
• Usually low-tech, relying on access privileges
Hacktivists
• Responsible for 58% of all data stolen in 2011
• Targets include CIA, FBI, Visa, MasterCard, Sony (breached 21 times in 2011), Amazon
Organized crime
• Cybercrime is maturing as a business, with marketing, support, advertising, R&D, and economies of scale
Nation-states
• Since 2010, nation-state linked malware IDs increased from 1 to 8; 5 in 2012
• Gauss malware targets financial services in the Middle East; steals credentials
• Technically sophisticated malware for espionage, data breaches, even sabotage

Changing Threats: Insiders
• Almost 1 in 10 who reported fraud suffered losses of more than $5 million.
• 56% of respondents said the most serious fraud was an 'inside job'.
Source: PwC Global Economic Crime Survey, November 2011

Perpetrators of fraud by industry (% of reported frauds: internal fraud / external fraud / don't know). Only the rows whose values survived extraction intact are reproduced; the chart also covers financial services, insurance, technology, communications, hospitality & leisure, retail & consumer, entertainment & media, automotive and professional services.

  Industry                              Internal   External   Don't know
  Government/state-owned enterprises       67         29          4
  Energy, utilities, & mining              68         28          4
  Transportation & logistics               69         27          4
  Manufacturing                            75         22          3
  Pharmaceuticals & life sciences          75         23          2
  Engineering & construction               77         (not recoverable)

Changing Threats: Hacktivists
• Hacktivism was responsible for 58% of all data stolen last year
• Hacktivist motives vary: nationalism, digital/electronic rights, privacy issues, copyright issues, Occupy Wall Street, even animal rights
• Hacktivist tactics depend on the size of the organization and the relative skill levels of its members. Some typical attacks are:
Vulnerabilities
• Broad scans of identified targets in search of easily-exploitable vulnerabilities
• May be the first choice, with DDoS as a last resort if no exploitable vulnerabilities are found
• A DDoS attack can be used as cover for a smaller team to exploit previously identified vulnerabilities
Denial of service
• Hacktivists use software tools to overload target servers and applications with requests; little technical skill is required and there is strength in sheer numbers
• Goal is to bring down web sites and applications for hours or even days
• DDoS attacks like this are planned publicly, so there is usually lead time to prepare
Advanced persistent threats
• Highly skilled, technologically advanced and stealthy attacks by smaller teams
• Goal is to steal IP and authentication information, and PII for individuals & organizations
• Often has a spearphishing component, or other social engineering stage
• APTs are linked with "watering hole" attacks, where malware is seeded at sites where targets of interest gather to see who they can snare

Changing Threats: Organized Crime
• Traditional organized crime is making inroads and extending operations into digital markets
• The young hacker stereotype turns out not to be the case: 43% of organized digital crime associates are over 35 – more than those who are under 25 (29%)
  – Research indicates this is because the technology bar to digital crime has been lowered due to easy availability of ready-made, low-skill toolkits to make malware or manage botnets

  Traditional indicator      Online parallel
  Extortion techniques       • Threats to close down systems by malware attacks
                             • Use of compromising browser records for blackmail
  Control of gambling        • Development of new 'offshore' income streams
  Control of drug markets    • Sales of illegal drugs
                             • Development of fake Viagra and other pseudo drug markets / spamming
  Money laundering           • Laundering of digital income
                             • Global money mule systems
  Counterfeiting             • Organized DVD copying gangs
                             • Organized intellectual copyright theft
                             • Carding and skimming
  Sex & prostitution         • Creation of online pornography empires
                             • Links between escort sites, trafficking and organized groups

Source: "Organized crime in the digital age: the real picture", BAE Systems Detica-sponsored study, London Metropolitan University

Changing Threats: Nation-state Threats
• Double-threat from highly advanced and specialized malware & Advanced Persistent Threats
• Targets specific nations through government & civil organizations, commerce & infrastructure:
  – Gauss focused on financial institutions
  – Flame targeted companies and institutions in the Middle East
• Highly sophisticated and complex:
  – Stuxnet probably required 10 man-years of development; Flame is 20 times more complex
• Enables plausible deniability
  – Researchers who analyze the code can't be sure that they're seeing more than what the writers want them to see.
[Figure: Rise of Malware Linked to Nation-States – a 2010 to 2013 timeline in which each family is marked as intelligence gathering or sabotage: Stuxnet (2010), Duqu (2011), Mahdi (2012), plus Flame, MiniFlame, Gauss, Wiper, Shamoon and Ixeshe]
• Red lines indicate probable family link
• Only circumstantial evidence for Wiper link to Stuxnet family (it left very little forensic data)
• The status of Shamoon as nation-state malware has been questioned – some attribute it to nationalist hackers or cybercriminals

Attacks from Last Traceable Point of Origin
[Map: share of attacks by last traceable point of origin; country labels on the slide range from 0.3% to 10-30%, with 32.5% of unknown origin. Source: Trustwave Breach Report 2012]
USA
• Hosted ~50% of all phishing sites in 1H 2011
• Hosted ~45% of all phishing-based keyloggers or Trojan downloaders
Russia
• Produces 77% of all spam
• Source of many successful botnets: Rustock, Grum, Cutwail, and more
China
• 55,000 malware/intrusion incidents on DoD systems in 2010; large but unspecified number blamed on China
• Highest level of malware infections

What is Malware?
• "Malware" is an umbrella term used to describe many forms of malicious software
• Common forms of malware:
  • Worms – malware that can spread by itself (most other forms spread by attaching to a file).
  • Trojans – malware that looks legitimate and tricks the user into activating it. Known to create "backdoors" that give malicious users access to the infected system.
  • Viruses – malware that replicates itself by inserting itself into and becoming a part of a piece of legitimate software.
  • Bots – malware that automates the use of system resources on the infected computer to interact with external computers. Causes "Denial of Service" (DoS) attacks.

The Business of Malware…
• 350 to 400 million PCs compromised
• $388 billion per year in losses resulting from cybercrime
• 431 million adults fall victim per year (69% of those surveyed by Symantec had been victims)
A big problem… getting bigger?
Source: 2011 PandaLabs

How Malware Works
[Diagram: the cyber theft chain – malware coder / malware service (1), malware infection of the victim (2), credential harvest (3), money theft through money mules (4), and money collection by the mule organization]
1. Malware-as-a-Service – malware programmers:
  - sell/lend malware
  - purchase/rent malware modules from other programmers
  - use testing services such as checking detection by anti-virus software
  - provide customers with customization, updates, and issue maintenance
2. Malware Infection – criminals:
  - trick victims into opening infected attachments or visiting nefarious websites
  - command bots to download malware (criminals lend/rent botnets)
3. Credential Harvest – the victims visit their online banking websites and log on per the standard processes. The malware collects and transmits data back to the criminals.
4. Money Theft – criminals leverage the victim's credentials to initiate funds transfers from the victim's account to mules.
5. Money Collection – mule organizations collect money from mules and launder the money.

Malware Infection
• Phishing – "phishing" is the use of spam email designed to trick the recipient into clicking a hyperlink or opening an attachment
  • Phishing emails often look official and have a clear "call to action"
  • Most commonly look like email from banks, delivery services or law enforcement agencies
• Spear Phishing
  • A phishing attack that is designed for a specific person. The attacker may conduct extensive research on a specific individual to customize the attack.
• Social Networks
  • Attackers using social networks take advantage of the fact that most everyone is on another user's "trusted" list

Social Engineering / Social Media
• Social engineering attacks occur by phone, email, or even in person
• A social engineer tricks people into giving away sensitive information, even passwords
• Social engineers are 'hacking the human element' – it's easy, and untrained employees won't suspect
Typical approaches:
• "Do me a favor and help me out or I'll get in trouble…"
• "This is business-critical and time is running out…"
• "Hi, I'm from the IT helpdesk and we're doing a routine but complicated-sounding test, can you give me your…"
• "The Sales Director has asked me for this information…"
• "Why can't you hurry this up? I don't have all day…"

Social Media Malware – automated social engineering:
• Malware can take over your social media account to:
  • Send phishing emails to all your contacts
  • Set your "like" status to a product you've never heard of, or to some malware-infected app
• Effective because it exploits the assumed trust we have in our networks – email typically comes from someone we know.
• 52% of companies surveyed at the end of 2011 said they had seen an increase in social media attacks due to malware.

Man-In-The-Browser
• One of the most concerning types of malware attacks is called "Man-In-The-Browser" (MITB).
• Typically the result of a Trojan infection, MITB permits a cybercriminal to modify the infected machine's browser and harvest user credentials.
• The infected browser looks like an uninfected browser, many times prompting the user for token-generated passwords and/or transaction PINs.
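The Malware Infection slide above says phishing mail looks official and pushes the recipient to click a hyperlink. As an added example, not taken from the presentation or from U.S. Bank, the Python below applies three defender-side checks to the links in an HTML message: a raw IP address as the link target, visible link text that names a different domain than the real target, and a trusted name embedded inside an untrusted host. The sample message, every domain in it, and the trusted-domain list are constructed placeholders; the "registrable domain" helper is a deliberate last-two-labels approximation rather than a public-suffix lookup.

```python
"""Flag suspicious hyperlinks in an HTML e-mail body (added example, hypothetical).

Checks applied to every <a href="..."> in the message:
  1. target host is a raw IP address
  2. visible text looks like a URL but its domain differs from the href's domain
  3. a trusted organisation name appears inside a host that is not that organisation's
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "account locked" message with three links.
# 198.51.100.7 is a documentation address; the domains are placeholders.
SAMPLE_EMAIL = """
<p>Your account has been locked. Verify within 24 hours:</p>
<a href="http://198.51.100.7/verify">https://www.examplebank.com/login</a>
<a href="https://examplebank.com.account-verify.net/login">Secure login</a>
<a href="https://www.examplebank.com/help">Help center</a>
"""

# The organisation's own domains (placeholder value).
TRUSTED_DOMAINS = {"examplebank.com"}

# Visible text that reads like a bare domain or URL, e.g. "www.bank.com/login".
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name: 'login.example-bank.com' -> 'example-bank.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html_body, trusted_domains=TRUSTED_DOMAINS):
    """Return [(href, [reason, ...]), ...] for links that deserve a second look."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if _is_ip(host):
            reasons.append("raw IP address as link target")
        if _LOOKS_LIKE_URL.match(text):
            shown_url = text if "://" in text else "http://" + text
            shown = (urlparse(shown_url).hostname or "").lower()
            if registrable_domain(shown) != registrable_domain(host):
                reasons.append(f"visible text points to {shown} but target is {host}")
        if host and registrable_domain(host) not in trusted_domains:
            for trusted in trusted_domains:
                if trusted in host:
                    reasons.append(f"trusted name {trusted} embedded in untrusted host {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

Run against the constructed message, the first link is reported for both the raw IP target and the text/target mismatch, the second for the embedded trusted name, and the genuine help-center link is left alone.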
[Figure: login screen altered by MITB malware]

Prevent Business Account Takeover
• Dual Authorization
  • If offered, utilize dual authorization for ACH / wire transactions and account administration
  • Do not execute both authorizations from the same computer
• Business Account Settings
  • Reset default transaction limits – many institutions set default transaction limits very high
  • Remove those employees no longer with your organization from payroll rosters immediately
  • Regularly review your account settings

Prevent Business Account Takeover
• Dedicated Computer
  • Use a dedicated computer for online financial transactions
  • No internet browsing except for bank transactions
  • No email or internet-accessing applications
  • Configure user accounts with least necessary privilege

How to Avoid Being a Victim
• Keep anti-virus software up to date
  • AV software is not a silver bullet – it only catches 40% of all documented malware! Use AV software as one part of your entire strategy to stay safe online.
• Smart internet browsing
  • Stay away from websites ending in ".ru"
  • Be very wary about downloading files, even from "trusted" websites
  • Avoid downloading "plug-ins" for your browser
• Use strong passwords
  • The longer the better (12 – 14 characters is optimal)
  • Do not use dictionary words in your password
  • Do not re-use passwords on different websites

How to Avoid Being a Victim (Continued)
• Social Network Safety
  • Minimize the amount of personal information (birth date, address, etc.) you share on social networks
  • Be careful when clicking on web links at social media sites
Nielsen Global Trust in Advertising Report for 2012: "Social media is most influential new media because we consider familiar voices to be trustworthy"
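The two Prevent Business Account Takeover slides describe controls a business can enforce before a payment leaves: dual authorization, the second approval from a different computer, a reset transaction limit, prompt removal of departed employees, and a dedicated computer for banking. As an added example that is not part of the presentation and not any bank's actual system, the Python below models those controls as one policy check over a transfer request. User names, device identifiers, the account reference, the limit and the idea of identifying the dedicated computer by a device id are all constructed assumptions for the illustration.

```python
"""Policy check for a business ACH/wire request (added example, hypothetical).

Encodes the account-takeover controls from the slides. Nothing here is a
real bank's API; names, device ids and limits are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Authorization:
    user: str        # employee approving the transfer
    device_id: str   # identifier of the computer the approval came from


@dataclass
class TransferRequest:
    amount: float
    destination: str                           # placeholder account reference
    authorizations: list = field(default_factory=list)


@dataclass
class Policy:
    transaction_limit: float   # reset from the institution's high default
    active_users: set          # employees still entitled to approve payments
    dedicated_devices: set     # computers reserved for online banking only
    require_dual_auth: bool = True


def evaluate_transfer(req: TransferRequest, policy: Policy):
    """Return (approved, reasons). An empty reasons list means approved."""
    reasons = []

    # Business account settings: a lowered limit caps the damage from
    # harvested credentials even when every other control fails.
    if req.amount > policy.transaction_limit:
        reasons.append(f"amount {req.amount:.2f} exceeds transaction limit "
                       f"{policy.transaction_limit:.2f}")

    for auth in req.authorizations:
        # Departed employees must be removed from rosters immediately.
        if auth.user not in policy.active_users:
            reasons.append(f"{auth.user} is not on the active roster")
        # Dedicated computer: approvals only from the banking-only machines.
        if auth.device_id not in policy.dedicated_devices:
            reasons.append(f"{auth.device_id} is not a dedicated banking computer")

    if policy.require_dual_auth:
        users = {a.user for a in req.authorizations}
        devices = {a.device_id for a in req.authorizations}
        if len(users) < 2:
            reasons.append("dual authorization requires two different approvers")
        elif len(devices) < 2:
            # Both approvals from one infected machine defeat the control.
            reasons.append("both authorizations came from the same computer")

    return (not reasons, reasons)


# Constructed policy for the demonstration below.
DEMO_POLICY = Policy(
    transaction_limit=25_000.00,
    active_users={"alice", "bob"},          # carol has left the company
    dedicated_devices={"pc-01", "pc-02"},   # laptop-07 is a general-purpose machine
)


def demo():
    """Evaluate representative requests; returns {label: (approved, reasons)}."""
    dest = "ACCT-PLACEHOLDER"
    cases = {
        "ok": TransferRequest(10_000, dest,
                              [Authorization("alice", "pc-01"), Authorization("bob", "pc-02")]),
        "same_computer": TransferRequest(10_000, dest,
                              [Authorization("alice", "pc-01"), Authorization("bob", "pc-01")]),
        "departed_employee": TransferRequest(10_000, dest,
                              [Authorization("alice", "pc-01"), Authorization("carol", "pc-02")]),
        "over_limit": TransferRequest(50_000, dest,
                              [Authorization("alice", "pc-01"), Authorization("bob", "pc-02")]),
        "single_approver": TransferRequest(10_000, dest,
                              [Authorization("alice", "pc-01")]),
        "laptop": TransferRequest(10_000, dest,
                              [Authorization("alice", "laptop-07"), Authorization("bob", "pc-02")]),
    }
    return {label: evaluate_transfer(req, DEMO_POLICY) for label, req in cases.items()}


if __name__ == "__main__":
    for label, (approved, reasons) in demo().items():
        print(label, "APPROVED" if approved else "REJECTED", reasons)
```

Only the first case passes; each of the others is rejected with a reason naming the control it violated, which is the record an operator would want when reviewing a blocked payment.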