Presentation is loading. Please wait.

Presentation is loading. Please wait.

Changing State of Threats and Vulnerabilities FIRMA March 30, 2010.

Published byHana Harrup Modified over 9 years ago

Similar presentations

Presentation on theme: "Changing State of Threats and Vulnerabilities FIRMA March 30, 2010."— Presentation transcript:

1 Changing State of Threats and Vulnerabilities FIRMA March 30, 2010

2  2009 Recap  Evolving Threat – How bad is it?  Changes to Regulatory and PCI Requirements  What are we doing about it?  What should we be doing about it?  What should you be auditing for?

3 Data Breaches (in 1000s)Causes  Most data breaches externally driven  99% of breaches electronic data  69% discovered by third party  Human-error and multiple issues allows vulnerability  Targeted  Malware-driven

4 Targeted SectorsSynopsis  Retail and Online-61%  Financial Services-93% or records breached  The Castle and the Villagers  Zeus – Key Stroke Loggers  Systemic Failures

5 Threat Categories over time by percent of breaches

6 Malware customization by percent of breaches involving malware

7

8  Readily-available Trojans Toolkits: High-quality trojan toolkits are readily available (~$700) and easy to use.  Toolset Trojans Have Unique Signatures: Trojan toolkits create a new binary file (.exe) for each generated trojan. Therefore, each has a unique signature, making them highly resistant to detection.  Botnet Service Industry: Bot herders lease existing botnets for agreed periods of time, providing the harvested data from the renter’s trojan.

9 “Data Harvesting” Crimeware* Crimeware is a class of malware targeting PCs that is specifically designed to automate large-scale financial crime. * INFECTING WEBSITES INJECT TROJANS INFECTED PCs (BOTs) EXPORT KEY LOGs KEY-LOG COLLECTORs PARSE/SORT KEY-LOGs Bank Account Logons (Logon, Security Questions) $Management Logons (Logon, Security Questions) Payment Card Data (Card #, CVV2, Expire Date) Sorted by BankSorted by BusinessSorted by Issuer SORTED KEY LOGs WEBSITES Anti-virus & Firewalls Fail to Counter Crimeware

10  2005 FFIEC Internet Authentication Guidelines  2006 Federal Judiciary – E-Discovery  2006 FFIEC Information Security Update  The rise of State breach notification laws  2009 PCI v1.2 update  2010 Expert-Metal vs Comerica Bank

11 http://www.csoonline.com/article/221322/CSO_Disclosure_Seri es_Data_Breach_Notification_Laws_State_By_State

12  Ongoing layered security development  Security Questions for Anomalous Behavior  Second Factor Authentication for High-Risk Transactions (ACH – Wire Transfers)  Mitigation of PCI non-compliance items

13 Form Field protection from Key-stroke loggers Non-intrusive Active-X control

14 Ability to Import/Export documents into secure environment Ability to pre- define the websites the customer can use Virtual Desktop operates within customer environment Secure environment protects customer interactions with M & T Bank

15  Have no expectation of the customer  Regulatory and association rules must develop to consider third-party malware  Fraud intelligence gathering  International law must be modified to remove cyber-attack “safe havens”  Change the security paradigm

16  Loss vs loss avoidance trends  Layered security architecture ◦ Firewall/IDS/IPS ◦ Evidence of continual penetration testing ◦ Aggressive OS patching program ◦ Up to date software  Evidence of compliance  Certified Forensic Examiners

Download ppt "Changing State of Threats and Vulnerabilities FIRMA March 30, 2010."

Similar presentations

Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.

Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
STRATEGIC INTELLIGENCE MANAGEMENT Chapter by Ivan Launders, Simon Polovina Chapter 13 - A Semantic Approach to Security Policy Reasoning, Pg. 150.

STRATEGIC INTELLIGENCE MANAGEMENT Chapter by Ivan Launders, Simon Polovina Chapter 13 - A Semantic Approach to Security Policy Reasoning, Pg. 150.
A Software Keylogger Attack By Daniel Shapiro. Social Engineering Users follow “spoofed” emails to counterfeit sites Users “give up” personal financial.

A Software Keylogger Attack By Daniel Shapiro. Social Engineering Users follow “spoofed” s to counterfeit sites Users “give up” personal financial.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
© 2014 wheresjenny.com Cyber crime CYBER CRIME. © 2014 wheresjenny.com Cyber crime Vocabulary Defacement : An attack on a website that changes the visual.

© 2014 wheresjenny.com Cyber crime CYBER CRIME. © 2014 wheresjenny.com Cyber crime Vocabulary Defacement : An attack on a website that changes the visual.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Corporate Account Takeover & Information Security Awareness PRESENTATION FOR BANK CUSTOMERS.

Corporate Account Takeover & Information Security Awareness PRESENTATION FOR BANK CUSTOMERS.
Security Controls – What Works

Security Controls – What Works
DELATUSH SYSTEMS, INC. Presents MB SECURE NETWORK MONITORING AND MANAGEMENT.

DELATUSH SYSTEMS, INC. Presents MB SECURE NETWORK MONITORING AND MANAGEMENT.
Mercury Payment Systems Dan Osby Director, Technical Services Technical Lead, Incident Response

Mercury Payment Systems Dan Osby Director, Technical Services Technical Lead, Incident Response
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
E-Commerce Technology Risk and Security

E-Commerce Technology Risk and Security
Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.

Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.
Risk Management. Risk Categories Strategic Credit Market Liquidity Operational Compliance/legal/regulatory Reputation.

Risk Management. Risk Categories Strategic Credit Market Liquidity Operational Compliance/legal/regulatory Reputation.
Why Comply with PCI Security Standards?

Why Comply with PCI Security Standards?
Northern KY University Merchant Training

Northern KY University Merchant Training
PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP

PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP

Similar presentations

Ads by Google