Cyber Security in the Mortgage Industry … and What YOU Can Do About It April 3, 2018 Page 1

Who Am I? Chief Information Security Officer for Pulte Financial Services Pulte Mortgage PGP Title Pulte Insurance Agency Over 18 year in Information Security IT Managed Services, Telecom, Energy, Healthcare, and Financial Services Former Denver Chapter and International Board member for the Information Systems Security Association (ISSA) Co-host of the Colorado = Security Podcast www.colorado-security.com Page 2

Cyber Security Goals Protect Confidentiality Integrity Availability Limit impact to usability and speed Limit impact to user bad choices Page 3

Recent Security Events

Equifax Breach 143 Million consumers affected Unpatched Application (Apache Struts) Poor incident response What we can learn from this: Vulnerability management isn’t “one guy’s job” Incident response must be practiced Page 5

Facebook Data Leakage 87 Million users affected Not actually a data breach Lack of control processes What we can learn from this: Understand data flows Legal agreements don’t prevent incidents Communication needs to be part of incident response Page 6

DeepRoot Analytics Breach 198M US citizens’ data PII but not SSNs Amazon cloud storage left unprotected What we can learn from this: You are responsible for security in the cloud Correlated public data can be dangerous Page 7

SEC EDGAR DB Breach EDGAR DB breached in 2016 Access to non-public financial information Information led to stock trading gains What we can learn from this: Attackers follow the money Financial gain not limited to PII or credit card numbers Page 8

Security Trends

Ransomware Ransomware ~60% malware payloads ransomware WannaCry Ransomware-as-a-service Healthcare especially hard hit What we can learn from this: Don’t allow SMB from the Internet Upgrade malware defenses Take away admin rights Page 10

Availability Attacks NotPetya caused significant damage BickerBot “bricked” over 10 million devices IoT used in DDoS networks What we can learn from this: Availability attacks rising Incident response IoT security Page 11

Wire Fraud Phishing is easy Over $1B in real estate wire fraud Realtors are big targets What we can learn from this: Path of least resistance Very little data needed Make attackers work harder Page 12

Blockchain Blockchain is going to save the world Cryptomining malware Attackers follow the money What we can learn from this: Account for attacks using resources Secure blockchain technologies Secure digital wallets Page 13

Takeaways Basics are important and we still don’t do them well Proper incident response can make or break you Your data is everywhere Attackers will follow the money Page 14

How Do We Solve These Problems? Page 15

Security Program NIST Cybersecurity Framework MBA’s “The Basic Components of an Information Security Program” Risk Based Metrics 3rd party oversight Dedicated Security Personnel Page 16

Incident Response Plan What do you do when you suspect a problem? Who do you involve? What do you do when you know you have a problem? Who do you contact and how fast? Practice, practice, practice Page 17

Multi-Factor Authentication A single secret isn’t good enough for most cases Makes account compromise much more difficult Use a modern MFA (or even risk based) product NIST Digital Identity Guidelines Page 18

Attack Surface Reduction Threat Modeling Only collect and share the data you need Least privilege access Segmentation DMARC Page 19

Data Security Know where your data is stored Know your data flows Encryption Know what 3rd parties you share data with Page 20

Questions? Contact Email: alex.wood@pulte.com Twitter: @abwoodrow Website: www.colorado-security.com Page 21