III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response.

Presentation transcript:

III Congreso de Prevención del Fraude y Seguridad Cyber Threats to the Financial Service Industry and Response

© 2008 Forward Discovery, Inc.
Art Ehuan, CISSP
Director with Forward Discovery, an expert information security company with offices in the United States and UAE
Formerly the Director of Corporate Information Security for USAA, a Fortune 200 financial services firm in the United States
Previously assistant director of information security for Northrop Grumman Corporation
Prior FBI Supervisory Special Agent in the Computer Investigations Unit at FBI Headquarters
Former Adjunct Professor at George Washington, Georgetown and Duke Universities on information security and cyber crimes
Created information security programs to protect data from external and internal compromise

Threats to the Financial Services Industry
The financial services industry faces unprecedented threats in protecting customer data from cyber compromise
The threats are from cyber criminals and Organized Crime (OC) groups that use the Internet and technology to commit massive information and monetary theft from financial institutions
The cyber threats from these groups will continue to increase for the foreseeable future
The monetary losses to the United States financial sector are estimated in the hundreds of millions of US dollars (www.ic3.gov)
The worldwide figure is probably in the billions of US dollars


Bank Robbery, Old Crime
Willie Horton, an infamous American bank robber in the 1920s, was asked why he robbed banks. His reply: “Because that is where the money is”
The average bank robbery nets the thief approximately $5,000
The risk is great for a very low gain
–Bodily injury or death from security or police
–High jail sentence for bank robbery

External Threat Classification
Cyber threats can be classified as internal or external
The cyber threat can be known or unknown
The external known threat is composed of:
–Cyber criminals and Organized Crime (OC) that have efficiently and effectively adapted to bank robbery in the high technology age
–Web and application compromise
–Account takeover
The external unknown threat is composed of:
–Nation-States that have the ability to conduct offensive activity against financial institutions
–Web and application compromise
–Account takeover
–Terrorist organizations

Internal Threat Classification
Cyber threats can be classified as internal or external
The cyber threat can be known or unknown
The internal known threat is composed of:
–Financial sector employees that steal sensitive data for illicit purposes (In 2004, the United States Secret Service, which has concurrent jurisdiction with the FBI to investigate cyber crime, published an insider threat study on illicit cyber activity in the financial sector)
–Expanded access devices brought in by employees like iPhones, iPods, USB drives, etc.
The internal unknown threat is composed of:
–Corporate espionage by organizations that are interested in strategic information of competitors
–Partner organizations that have network connections to the company
–Supply chain via software/hardware that has been compromised and installed in the financial organization

Cyber Threat Statistics
% increase in cyber attacks – US Department of Homeland Security statistics show that there were over 37,000 attempted and reported breaches of government and private computer systems in fiscal year
,900,000 personal records that have been stolen since 2005 (Privacy Rights Clearinghouse 2008)
10% devaluation – In 2006, the Congressional Research Service estimated that a New York Stock Exchange (NYSE) company suffered shareholder losses of $ million dollars US
9 out of 10 businesses were impacted by cyber crime (FBI statistics 2005)

Financial Sector Account Takeover
This type of illicit activity targets the financial sector customer to acquire access to passwords, PINs and other identifiable information

Financial Sector Organization Attack
OC and cyber criminals are attacking and stealing customer data from bank databases
1. Cyber Compromise of Bank
PIN Customer Enters Card & Pin Number
3. Encryption of Account Number & Pin Provides Pin Block
4. Pin Block Provided to Hardware Security Module (HSM)
5. Old Pin Block, Account Number and Pin Generate New Pin Block
6. Pin Block Provided to Hardware Security Module (HSM)
7. Compromise of Bank HSM by Cyber Criminal
8. Old Pin Block, Account Number and Pin Generate New Pin Block
9. New Pin Block is Provided to Customer Bank

Financial Sector Client Attack
OC and cyber criminals are stealing customer bank credentials by account takeover and manipulation from Web Browser compromise or Redirection (IFrame)
1. Cyber Compromise
2. Customer System Rootkit
3. Customer Online Login
4. User ID & PW Stolen
5. Cyber Criminal Login with Stolen Customer Credentials
6. Customer Funds Transferred

Financial Sector Client Attack
OC and cyber criminals are stealing customer bank credentials by account takeover and manipulation from Phishing
1. Cyber Fraudster Phishing
2. Victim Receives and Clicks on Link
3. System Rootkit and/or Redirection
Fake Website
4. Customer Credentials Sent to Fraudster

Financial Sector Strategies
The following strategies will assist financial institutions in protecting their information assets:
–Develop and implement a CERT and Incident Response capability
–Extrusion detection of network traffic
–Create information sharing forums (formal/informal) with other financial institutions
–Conduct scheduled/unscheduled vulnerability assessments and identify risk to the organization from employees, partners and suppliers
–Provide regular customer and employee cyber security awareness
–Prepare for regulatory activity from government agencies

CERT and IR Capability
Develop and implement a CERT and Incident Response capability
Every financial institution requires a centralized capability to manage cyber incidents
A Computer Emergency Response Team (CERT) is the primary line of defense when an incident is suspected
A CERT must have a formal framework with executive support
Maintain dedicated personnel, software, hardware to respond to incidents
Identify and track anomalous activity on the network
Cyber threat exercises should be conducted to test framework on a regular basis

Extrusion Detection
Extrusion Detection of External Traffic
All financial institutions monitor external network traffic coming in for unauthorized cyber activity
Monitoring of anomalous network traffic that is exiting the network is equally important
A baseline should be established that provides information on normal versus abnormal outbound network traffic
The cyber criminal will get in and it is critical that monitoring take place to identify network traffic leaving the organization
Examples of network activity that extrusion detection should identify:
–non-HTTP traffic over port 80
–non-DNS traffic over port 53
–non-SSL traffic over port 443
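
The three port/protocol mismatches listed on this slide can be checked against the first payload of each outbound flow. The following is an added example, not part of the original presentation; the function names, host names and payloads are constructed for illustration, and the DNS check assumes UDP framing.

```python
import re
import struct

HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]$")

def looks_like_http(payload: bytes) -> bool:
    """True if the first line is an HTTP/1.x request line."""
    return bool(HTTP_REQUEST_LINE.match(payload.split(b"\r\n", 1)[0]))

def looks_like_dns_query(payload: bytes) -> bool:
    """True if the payload parses as a single-question DNS query (UDP framing)."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount = struct.unpack("!3H", payload[:6])
    if flags & 0x8000 or qdcount != 1:      # QR bit set (a response) or odd question count
        return False
    pos = 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:                     # root label terminates QNAME
            return len(payload) >= pos + 5  # QTYPE and QCLASS must follow
        if length > 63:                     # not a plain label
            return False
        pos += 1 + length
    return False

def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with an SSL 3.0 / TLS handshake record header."""
    if len(payload) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return ctype == 0x16 and major == 3 and minor <= 4 and 0 < length <= 16384

# Port -> (expected protocol, validator), the three cases named on the slide.
CHECKS = {80: ("HTTP", looks_like_http),
          53: ("DNS", looks_like_dns_query),
          443: ("TLS", looks_like_tls)}

def find_mismatches(flows):
    """Return (source, port, expected protocol) for outbound flows whose first
    payload does not match the protocol normally carried on that port."""
    hits = []
    for src, dst_port, payload in flows:
        check = CHECKS.get(dst_port)
        if check and not check[1](payload):
            hits.append((src, dst_port, check[0]))
    return hits

# Constructed sample data: (internal source, destination port, first payload bytes).
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
SAMPLE_FLOWS = [
    ("ws-010", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("ws-014", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("ws-020", 53, DNS_QUERY),
    ("ws-022", 53, b"\x00\x00\x00\x10hello-from-host"),
    ("ws-030", 443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03"),
    ("ws-031", 443, b"POST /upload HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_FLOWS):
        print("non-%s traffic from %s on port %d" % (hit[2], hit[0], hit[1]))
```

A first-payload check of this kind only catches traffic that makes no attempt to resemble the expected protocol, so it complements the outbound baseline described on the slide rather than replacing it.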

Information Sharing Forum
Create information sharing forums with other financial institutions
The sharing of information on cyber threats is critical for financial organizations to respond to new and emerging threats
Financial institutions should coordinate information on cyber threats that are observed or identified and make this available to the group
The sharing can either be formal or informal without a need for attribution to a particular institution
In a formal information sharing model, a database repository can be utilized to capture and share “feeds” from members
The United States financial sector information sharing model is the Financial Services Information Sharing and Analysis Center (FS-ISAC)

Vulnerability Assessments
Conduct vulnerability assessments to identify risk to the financial services organization from employees, partners and suppliers
Vulnerability assessments are crucial for identifying risk for a financial institution
A framework should be utilized in conducting a vulnerability assessment like the ISO 27001/27002
Assessments should be conducted on a scheduled and unscheduled basis
Develop a framework whereby partners that are connected to the organization are required to conduct assessments to identify threats from partners
Follow up and mitigate or eliminate risk that is identified as soon as possible

Vulnerability Assessment Approach
Input: Interviews; Information Requests; Asset Inventory; Best Practices; Process Maps
Control Assessment (only 6 of the 11 ISO areas depicted): Policies & Procedures; Human Resources Security; Communications & Operations; Business Continuity Planning; Access Controls; Compliance
Control categories: Detection; Deterrence; Mitigation; Prevention
Outcome:
–Provides qualitative assessment of security posture
–Establishes security baseline for use in future assessments
–Identifies areas of opportunities
–Drives investment decisions

Vulnerability Assessment Approach
[Diagram labels: Business Case Driven Roadmap; Information Security Risk Assessment; Data Classification; Asset Identification; High Level Processes; Process Review Level 0; Underlying IT Assets; Asset Usage; Multiple Interviews; IT Assets Used by Processes of Consequence; Business Owner Interviews; Interviews with Business Units; Opportunities & Unmitigated Risks]
–Linkages between process, asset and underlying supporting components
–Confirmation of owners and custodians
–Catalogue of process maps and assets identified

Cyber Security Awareness
Customer and employee cyber security awareness
Provide regularly scheduled information/messages to all employees on cyber threats that have impacted the financial institution
Require partners to provide information security training to partner organization employees that will be managing, maintaining, handling, storing sensitive company or customer data
Provide cyber security awareness messages to customers to make them aware of cyber threats that may be directed at them, i.e. the fact that a financial institution will never require a customer to provide personally identifiable information from an

Regulatory Activity Response
Prepare for regulatory activity from government agencies
–Suspicious Activity Reports (SARs)
–Money laundering
With the increasing incidents of cyber attacks reported by the financial sector, the United States Treasury Department added computer intrusion as a new category of suspicious activity in mid-2000
Banks must now fill out Suspicious Activity Reports (SARs) if they suspect someone has gained access to their computer network to steal funds or customer information, or to disable the institution's computer network
Web sites defaced by a hacker: banks do not have to report such incidents, because no funds or sensitive information is stolen

The Future of Cyber Crime


Forward Discovery Contact
Art Ehuan, CISSP, CCNP, EnCE