Changing State of Threats and Vulnerabilities FIRMA March 30, 2010.

Slides:



Advertisements
Similar presentations
Complying With Payment Card Industry Data Security Standards (PCI DSS)
Advertisements

Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
STRATEGIC INTELLIGENCE MANAGEMENT Chapter by Ivan Launders, Simon Polovina Chapter 13 - A Semantic Approach to Security Policy Reasoning, Pg. 150.
A Software Keylogger Attack By Daniel Shapiro. Social Engineering Users follow “spoofed” s to counterfeit sites Users “give up” personal financial.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
© 2014 wheresjenny.com Cyber crime CYBER CRIME. © 2014 wheresjenny.com Cyber crime Vocabulary Defacement : An attack on a website that changes the visual.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Corporate Account Takeover & Information Security Awareness PRESENTATION FOR BANK CUSTOMERS.
Security Controls – What Works
DELATUSH SYSTEMS, INC. Presents MB SECURE NETWORK MONITORING AND MANAGEMENT.
Mercury Payment Systems Dan Osby Director, Technical Services Technical Lead, Incident Response
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
E-Commerce Technology Risk and Security
Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.
Risk Management. Risk Categories Strategic Credit Market Liquidity Operational Compliance/legal/regulatory Reputation.
Why Comply with PCI Security Standards?
Northern KY University Merchant Training
PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP
Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,
CERN - IT Department CH-1211 Genève 23 Switzerland t Update on the underground economy and making profit on the black market Wojciech Lapka.
© 2012 Lathrop & Gage LLP ILTA SOS Webinar: Remove Administrator Rights and Secure a Law Firm’s Greatest Asset- Its Reputation Sean M. Power Chief Information.
Electronic Banking BY Bahaa Abas Noor abo han. Definition * e-banking is defined as: …the automated delivery of new and traditional banking products and.
Security Guidelines and Management
Framework for Assessing Risk Managing ACH Risk Coming & Going
PCI DSS Managed Service Solution October 18, 2011.
First Community Bank Prevx Safe Online Rollout & Best Practice Presentation.
Internet Safety CSA September 21, Internet Threats Malware (viruses) Spyware Spam Hackers Cyber-criminals.
Commercial eSecurity Training and Awareness. Common Online Threats Most electronic fraud falls into one of three categories:  PHISHING – Fraudulent s.
Tyler’s Malware Jeopardy $100 VirusWormSpyware Trojan Horses Ransomware /Rootkits $200 $300 $400 $500 $400 $300 $200 $100 $500 $400 $300 $200 $100 $500.
Securing Information Systems
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
Antivirus Technology in State Government Kym Patterson State Chief Cyber Security Officer Department of Information Systems.
[Name / Title] [Date] Effective Threat Protection Strategies.
Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.
Protecting Your Information Assets
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
Bots Used to Facilitate Spam Matt Ziemniak. Discuss Snort lab improvements Spam as a vehicle behind cyber threats Bots and botnets What can be done.
Data Center Firewall. 2 Common IT Security Challenges Does my network security protect my IT environment and sensitive data and meet the regulatory compliances?
© 2009 National Automated Clearing House Association. All rights reserved. Industry Perspectives on Emerging Risks and Public/Private Engagement: Network.
1 Protecting Consumers from Themselves Presented by the State Information Security Office & the California Office of Privacy Protection September 13, 2007.
Network problems Last week, we talked about 3 disadvantages of networks. What are they?
 Chapter 14 – Security Engineering 1 Chapter 12 Dependability and Security Specification 1.
FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Fraud and Risk in the Electronic Payment Space Michelle Marshall-Thompson VP, Fraud/Risk Officer FirstMerit Merchant Bankcard.
PCI Training for PointOS Resellers PointOS Updated September 28, 2010.
SABRE VIRTUAL PAYMENTS Karen Frayer Sabre Virtual Payments Manager.
Vendor Management from a Vendor’s Perspective. Agenda Regulatory Updates and Trends Examiner Trends Technology and Solution Trends Common Issues and Misconceptions.
FFIEC Cyber Security Assessment Tool
1 Banking and Reconciliation. 2 To Certify As A Cash Handler  Visit the training website  Review the Payment Card Industry (PCI)
Cyber Safety Mohammad Abbas Alamdar Teacher of ICT STS Ajman – Boys School.
Chapter 4: Laws, Regulations, and Compliance
Vijay V Vijayakumar.  Implementations  Server Side Security  Transmission Security  Client Side Security  ATM’s.
Corporate Account Takeover & Information Security Awareness.
Working with the banking sector to prevent and detect criminal money flows on the Internet Dave O’Reilly, Chief Technologist, FTR Solutions Co-funded by.
External Threats Internal Threats Nation States Cyber Terrorists Hacktivists Organised criminal networks Independent insider Insider planted by external.
SAP – our anti-hacking software. Banking customers can do most transactions, payments and transfer online, through very secure encrypted connections.
Palindrome Technologies all rights reserved © 2016 – PG: Palindrome Technologies all rights reserved © 2016 – PG: 1 Peter Thermos President & CTO Tel:
WHAT NEW, WHAT NEXT IN PAYMENT PROCESSING. EMV WHAT IS EMV? 3  An acronym created by Europay ®, MasterCard ® and Visa ®  The global standard for the.
NewCo Logo Keystroke Guard The technology that everybody needs October 15 th, 2014.
IT Audit for non-IT auditors Cornell Dover Assistant Auditor General 31 March 2013.
Data Breach ALICAP, the District Insurance Provider, is Now Offering Data Breach Coverage as Part of Our Blanket Coverage Package 1.
Payment Card Industry (PCI) Rules and Standards
Securing Information Systems
Cyber Trends and Market Update
Chapter 9 E-Commerce Security and Fraud Protection
Chip & Pin and Apple Pay: Vulnerabilities of the Changing Payment Systems Jay Isaacson.
Presentation transcript:

Changing State of Threats and Vulnerabilities FIRMA March 30, 2010

 2009 Recap  Evolving Threat – How bad is it?  Changes to Regulatory and PCI Requirements  What are we doing about it?  What should we be doing about it?  What should you be auditing for?

Data Breaches (in 1000s)Causes  Most data breaches externally driven  99% of breaches electronic data  69% discovered by third party  Human-error and multiple issues allows vulnerability  Targeted  Malware-driven

Targeted SectorsSynopsis  Retail and Online-61%  Financial Services-93% or records breached  The Castle and the Villagers  Zeus – Key Stroke Loggers  Systemic Failures

Threat Categories over time by percent of breaches

Malware customization by percent of breaches involving malware

 Readily-available Trojans Toolkits: High-quality trojan toolkits are readily available (~$700) and easy to use.  Toolset Trojans Have Unique Signatures: Trojan toolkits create a new binary file (.exe) for each generated trojan. Therefore, each has a unique signature, making them highly resistant to detection.  Botnet Service Industry: Bot herders lease existing botnets for agreed periods of time, providing the harvested data from the renter’s trojan.

“Data Harvesting” Crimeware* Crimeware is a class of malware targeting PCs that is specifically designed to automate large-scale financial crime. * INFECTING WEBSITES INJECT TROJANS INFECTED PCs (BOTs) EXPORT KEY LOGs KEY-LOG COLLECTORs PARSE/SORT KEY-LOGs Bank Account Logons (Logon, Security Questions) $Management Logons (Logon, Security Questions) Payment Card Data (Card #, CVV2, Expire Date) Sorted by BankSorted by BusinessSorted by Issuer SORTED KEY LOGs WEBSITES Anti-virus & Firewalls Fail to Counter Crimeware

 2005 FFIEC Internet Authentication Guidelines  2006 Federal Judiciary – E-Discovery  2006 FFIEC Information Security Update  The rise of State breach notification laws  2009 PCI v1.2 update  2010 Expert-Metal vs Comerica Bank

es_Data_Breach_Notification_Laws_State_By_State

 Ongoing layered security development  Security Questions for Anomalous Behavior  Second Factor Authentication for High-Risk Transactions (ACH – Wire Transfers)  Mitigation of PCI non-compliance items

Form Field protection from Key-stroke loggers Non-intrusive Active-X control

Ability to Import/Export documents into secure environment Ability to pre- define the websites the customer can use Virtual Desktop operates within customer environment Secure environment protects customer interactions with M & T Bank

 Have no expectation of the customer  Regulatory and association rules must develop to consider third-party malware  Fraud intelligence gathering  International law must be modified to remove cyber-attack “safe havens”  Change the security paradigm

 Loss vs loss avoidance trends  Layered security architecture ◦ Firewall/IDS/IPS ◦ Evidence of continual penetration testing ◦ Aggressive OS patching program ◦ Up to date software  Evidence of compliance  Certified Forensic Examiners

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.