Federal Reserve Board

Uploaded by erosjellySecurity, Feb 23, 2014

Peter Fonash
Federal Reserve Board

- Evolving Cyber Threat
- Addressing the Threat
- Financial Sector Activities
- Summary

Source: FireEye

Rapidly Evolving Cyber Threat

- 93% increase in web attacks in 2010 over the volume observed in 2009
- 6,253 new vulnerabilities: Symantec recorded more vulnerabilities in 2010 than in any previous year since starting this report
- 42% more mobile attacks
- Symantec recorded over 3 billion malware attacks in 2010
- 286M+ types of malware identified in 2010
- 260,000 average number of identities exposed per breach
- Rustock, the largest botnet observed in 2010, had well over 1 million bots under its control
- Underground economy advertisement in 2010 promoting 10,000 bots for $15

Source: Symantec Internet Security Threat Report dated April 2011


Cyber Threats to Financial Infrastructure

- Corporate Espionage
  - Malicious threat actors targeting US companies to gather intelligence and sensitive corporate data for competitive advantage
- Advanced Persistent Threat
  - Stealthy, coordinated cyber activity over a long period of time directed against political, business, and economic targets

Cyber Threats to Financial Infrastructure

- Supply Chain Exploitation
  - Cyber exploitation, manipulation, diversion, or substitution of counterfeit, suspect, or fraudulent items impacting US CIKR
- Disruption
  - Distributed Denial of Service (DDoS) attack (effort to prevent a site or service from functioning efficiently or at all, temporarily or indefinitely)
- Cyber Crime
  - Criminals seeking sensitive, protected information for financial gain
Cyber Threat Actors

- Nation states
- Terrorist/Violent Extremists
- Hacktivists
- Criminals and organized crime


- Goal: Hack networks for politically or socially motivated purpose
- Anonymous** conducted DDoS attacks against:
  - Orlando Chamber of Commerce
  - Amazon
  - PayPal
  - MasterCard and Visa
  - Swiss bank PostFinance
- LulzSec
  - May have accessed UK ATM transaction logs, stealing individual bank account details from 3,100 ATMs

** Anonymous and LulzSec may have recently consolidated

Malicious criminal actors

- Organized crime
  - Russia, Ukraine, and Romania most sophisticated financial cybercriminals
- Tools
  - Highly capable cyber tools
  - Financially motivated to sell tools and services
  - Malware used to steal banking credentials: SpyEye, Zeus, and Coreflood
- Social networking/social engineering sites
  - Provide ideal environment for stealing user bank account access credentials

Unclassified

The Criminal Market

Source: Symantec Global Internet Security Threat Report dated April 14, 2009


Social engineering

- Spear phishing
- Spoofing e-mail accounts
- USB thumb drives
- Supply-chain exploitation
- Leveraging trusted insiders

Threat Vector / Counter-Measure / Threat Response

Threat Vector: Malware (virus, worm, Trojan horse)
  Counter-Measure: Anti-virus programs
  Threat Response: 1. Attack and negate anti-virus programs; 2. Fake anti-virus programs

Threat Vector: Key stroke loggers (stolen credentials)
  Counter-Measure: Two factor authentication
  Threat Response: 1. Exploits against service level accounts; 2. Counterfeit credentials

Threat Vector: Use non-standard ports or services for malicious C2 or data exfiltration
  Counter-Measure: Minimize ports and services available
  Threat Response: 1. Encrypt web services traffic; 2. Use legitimate service ports maliciously

Threat Vector: Install "root-kits" for remote control
  Counter-Measure: Computer forensics tools and root-kit detection tools
  Threat Response: 1. Anti-forensics techniques; 2. Obfuscate code; 3. Steganography

Threat Vector: Attack and negate anti-virus programs
  Counter-Measure: Trusted Platform Module (TPM)
  Threat Response: Remotely deployed BIOS root-kit

Threat Vector: Code obfuscation
  Counter-Measure: Hashing algorithms
  Threat Response: MD5 collision; supply chain evil twin

Threat Vector: Social engineering
  Counter-Measure: User training and awareness
  Threat Response: Sophisticated social engineering

Threat Vector: Exploit operating system vulnerabilities
  Counter-Measure: Harden the operating system; implement host based security
  Threat Response: Exploit applications and web vulnerabilities

Continuing Evolution of Threat

- June 2010 Citigroup hack
  - Hackers accessed 260K accounts and stole $2.7M from credit card holders
  - One of the largest direct attacks on a bank
- Small- to medium-sized businesses perceived to lack strong IT security
  - Hackers increasingly taking advantage of lack of sophisticated security

Recent Trends

- Smartphones and fraud
  - Hackers accessing smart phones to gather PII and log-on credentials
  - As mobile banking popularity increases, hackers may increasingly seek to exploit mobile applications for financial gain
- Major encryption providers targeted as a means to gain trusted access to government/private sector networks

Computer network exploitation by threat actors enables:

- Massive financial losses
- Degradation/disruption of services
- Extortion
- Intellectual property theft
- Counterfeiting
- Theft of proprietary data
- Identity theft (personally identifiable information)
- Access to credit
- Loss of money, reputation, and credibility


The threat takes a holistic approach to you, so you better do the same

- Do not expect warning for cyber any better than you get for the flu.
  - It's out there, it's coming
- Technology will fail to stop attacks
- It is not just remote hacking
- People will make mistakes and perhaps betray you
- Products will betray you
- Better have business process that ANTICIPATES this
- And then have a multi-faceted, holistic approach


Recognize that sophistication is not just technology

- Tradecraft to operate clandestinely and gain access
- Resources and operational infrastructure
- Organization to execute
- Knowledge of your business and infrastructure

And not just remote attacks

- Remote hacking most common and largest scale
- Manipulate people's curiosity, greed, and fear (call the IRS)
- Insiders still appear to do most damage
- Remote recruitment of people (mules)
- Physical access enables greater access (wireless, key loggers, weaken crypto)
- Loss and theft of laptops, portable media, and servers
- Supply chain, mostly as counterfeit and fraud


- People with administrative privilege access to networks
  - These guys should be audited
  - They should not have access to critical information
  - Crypto maintenance should be separate
- People with physical access
  - Maintenance and cleaning (banks)
  - Thumb drives (one time theft vs. air gap jumping)
- People who understand what matters to you
  - Know where to look or what to break (red teams)


- If it is easy and convenient for you, so it will also be for the evil people.
- If connected to Internet and have anything of value, you will be plundered systematically for information, access, privilege, money, or bandwidth.
- If doing anything that matters on the Internet, somebody at some point will interfere with or exploit your activity, perhaps without even compromising your machines, and you can't stop it.
- If you are doing anything on the Internet that is vital and critical to your livelihood, public safety, or national security, then STOP IT.


- Mobile machines and data will be lost or stolen: plan on it
- Once owned by sophisticated adversaries, you will never be sure of purging them:
  - Need to do complete rebuild of ENTIRE system (BIOS level, all network elements, every endpoint)
  - AND re-issue all system credentials
- If you still insist on using the Internet, have a plan:
  - How to backup, restore, and rebuild quickly, repeatedly
  - Know your service providers (ISPs and proxies).
  - Encrypt and authenticate what matters
  - Like public health: infrastructure, response, and hygiene


- Financial Services Sector Threat Matrix
- Federal Financial Institutions Examination Council (FFIEC) New Guidance
- Financial Services - Information Sharing and Analysis Center (FS-ISAC)





Threat Matrix Background

- The FSSCC Threat Matrix was developed by the Cybersecurity Committee as a tool to identify threat areas where members of the Financial Services community felt additional focus and energy was needed.
- The FSSCC Executive Steering Committee recommended expanding the scope of the Threat Matrix to include "all hazards".
- The Long Range Vision Committee updated the Threat Matrix and developed a process for the identification of key threats to critical sector processes.
- Key FSSCC Objective to "Operationalize" the Threat Matrix and conduct an annual Threat Vulnerability Assessment.

Timeline: 2008, 2009, 2010, 2011

Long Range Vision Committee
2011 Threat Vulnerability Assessment

Goals and Objectives

The goal of the 2011 Financial Services Threat Vulnerability Assessment is to strengthen the security and resiliency of the sector through systematic assessment and preparation for the threats posing the greatest risk to critical infrastructure and key resources (CI/KR).

Objectives:

- Establish a common framework with a common terminology and approach, built around basic plans that support the all-hazards approach to preparedness
- Provide recommendations/priorities to FSSCC Leadership
- Input to the Annual Sector Report
- Input to the R&D Research Challenges

Presidential Policy Directive 8: National Preparedness (March 30, 2011)

- Assistant to the President for Homeland Security and Counterterrorism shall coordinate the development of a plan for completing the national preparedness goal and national preparedness system.
- The national preparedness goal shall be informed by the risk of specific threats and vulnerabilities, taking into account regional variations, and include concrete, measurable, and prioritized objectives to mitigate that risk.
- Includes all hazards (e.g., acts of terrorism, cyber attacks, pandemics, and catastrophic natural disasters).
- Identifies shared responsibility of all levels of government, the private and nonprofit sectors, and individual citizens.

Threat Vulnerability Assessment Results

(Notional chart; sample data for illustration only.)


Federal Financial Institutions Examination Council (FFIEC) issued on June 28th 2011 a supplement to the Authentication in an Internet Banking Environment guidance, issued in October 2005.

Reason:

- Growth of electronic banking and greater sophistication of the associated threats have increased risks for financial institutions and their customers.
- Customers and financial institutions have experienced substantial losses from online account takeovers.
- Effective security is essential for financial institutions to safeguard customer information, reduce fraud stemming from the theft of sensitive customer information, and promote the legal enforceability of financial institutions' electronic agreements and transactions.



- Supplement reinforces the risk-management framework described in the original guidance and updates the FFIEC member agencies' supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment.
- The supplement stresses the need for:
  - Performing risk assessments, implementing effective strategies for mitigating identified risks,
  - Raising customer awareness of potential risks, but does not endorse any specific technology for doing so.
- The FFIEC member agencies will continue to work closely with financial institutions to promote security in electronic banking.
- Examiners to formally assess financial institutions under the enhanced expectations outlined in the supplement beginning in January 2012.


- FS-ISAC was established in 1999 by the financial services sector in response to 1998's Presidential Directive 63.
  - Updated by 2003's Homeland Security Presidential Directive 7
  - Mandated that the public and private sectors share information about physical and cyber security threats and vulnerabilities to help protect the U.S. critical infrastructure.
- FS-ISAC is constantly gathering reliable and timely information from financial services providers, commercial security firms, federal, state and local government agencies, law enforcement and other trusted resources.
- FS-ISAC is now uniquely positioned to quickly disseminate physical and cyber threat alerts and other critical information.
  - This information includes analysis and recommended solutions from leading industry experts.


- Threat is evolving and becoming more sophisticated
- Banking and Finance are major targets
- Difficult for smaller organizations to have capabilities to address
  - Consider outsourcing
- Problem is not going away
  - Have a plan and constantly reassess
  - Leverage FSSCC and FS-ISAC


Off game on their turf

- You will share and so will they
- Physical security is an illusion
- Game over
  - If you accept files
  - If you use local services
  - If you lose sight or physical control
  - If you sleep
- If you do travel with IT
  - Do not connect back to main networks
  - Rebuild laptops on return and shred mobiles
  - Connect travel dedicated server in DMZ that strips email to text
  - Configure for no downloads and end-to-end encryption
  - Carry thumb drive with write block, biometric lock, encrypted files

Threat Assessment: Determining Likelihood & Severity

Definitions

- Likelihood: The probability that a given critical function may be impacted by a given threat within the associated control environment.
- Severity: The degree of impact resulting from a given threat harming (or harming confidence in) the confidentiality, integrity, or availability of a given critical function.

Likelihood: What is the likelihood that a critical function would be impacted?

Level 5 - Very High: The threat-source is actively harming the critical function or has in the past and controls have not been enhanced.
Level 4 - High: The threat-source is highly motivated and sufficiently capable, and controls to prevent the critical function from being harmed are ineffective.
Level 3 - Medium: The threat-source is motivated and capable, but controls are in place that may impede attempted harm to the critical function.
Level 2 - Low: The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the critical function from being harmed.
Level 1 - Very Low: The threat-source has a very low or no chance of causing negative impact to the critical function.
Level 0 - Not Applicable.

Severity: To what degree would the sector be impacted?

Level 5 - Catastrophic: An event causing major and extended disruptions in production operations and/or having major impact to ability to achieve business objectives.
Level 4 - Major impact: An event causing serious disruptions in production operations and/or having major impact to ability to achieve business objectives.
Level 3 - Moderate impact: An event with the potential to cause moderate disruption in production operations and/or have significant impact on the ability to achieve business objectives.
Level 2 - Minor impact: An event causing minimal to no disruption in production operations and/or having moderate impact on the ability to achieve business objectives.
Level 1 - Insignificant: An event causing no disruption in production operations and having limited impact on the ability to achieve business objectives.
Level 0 - Not Applicable.

Critical Functions

- Clearinghouses
- Commercial banks
- Credit rating agencies
- Electronic payment firms
- Exchanges/electronic communication networks
- Financial advisory services
- Financial utilities
- Government and industry regulators
- Government subsidized entities
- Insurance companies
- Investment banks
- Merchants
- Retail banks

Threat Vulnerability Assessment Worksheet

Threat Matrix Ver. 4.0

1 Critical Infrastructure: Power Interruption; Loss of Communications; Impaired Transportation; Water Availability; Aging Infrastructure
2 Natural Disasters: Earthquake, tsunami; Volcano; Flood; Landslide
3 Health Crisis: Pandemic; Epidemic; Virus Outbreak
4 Severe Weather: Tornado, hurricanes; Snow, ice storms; Heat wave, drought
5 Arson/Incendiary Attack
6 Armed Attack: Small Arms; Stand-off Weapons (rocket propelled grenades, mortars, etc.)
7 Civil Unrest: National, sovereign; Geopolitical, protests; Civil disobedience; Labor disputes
8 Improvised Explosive Devices (IED): Stationary Vehicle; Moving Vehicle; Mail; Supply; Thrown; Placed; Personnel
9 Biological Agent: Anthrax; Botulism; Plague; Smallpox; Toxins
10 Agriterrorism
11 Nuclear: Device detonation (underground, surface, air, high altitude); Power Plant
12 Radiological Agent: Covert Deposit, Sprayed; Munitions; Dirty Bomb; Power Plant
13 Chemical Agent: Blister; Blood; Choking/Lung/Pulmonary; Incapacitating; Nerve; Riot Control/Tear Gas; Vomiting
14 Hazardous Material: Fixed Site; Transported
15 Critical Operations: Bank Failure; Liquidity; Counterparty Risk; Currency Crisis; Fraud; Loss of Key Staff
16 Corporate Espionage/Surveillance: Acoustic; Electronic Eavesdropping; Visual
17 Insider Threat: Disgruntled Employee; Consultants; Third Party Services
18 Terrorism: Physical; Cyber
19 Supply Chain Risk: Hardware; Software; Services
20 Cybersecurity: Data Availability, Confidentiality, Integrity; Advanced Persistent Threat; Proliferation of exploit tools; Phishing; Logic Bombs; Denial of Service; Sniffer; Zero-day exploit; Virus; Trojan Horse; Vishing; Worm; War driving

Threat Assessment: Determining Priority

Priority is determined by considering Likelihood and Severity of Impact.

Priority Rating = Likelihood x Severity of Impact

Sector Priority (definition):

H  >10 HIGH    Unacceptable, major disruption likely. Different approach required. Priority management attention required.
M  5-9 MEDIUM  Some disruption. Different approach may be required. Additional management attention may be needed.
L  < 5 LOW     Minimum impact. Minimum oversight needed to ensure risk remains low.

Priority matrix (rows: Severity 5 down to 1; columns: Likelihood 1 to 5; each cell is Priority / Likelihood x Severity):

Severity 5 | M/5   H/10  H/15  H/20  H/25
Severity 4 | L/4   M/8   H/12  H/16  H/20
Severity 3 | L/3   L/6   M/9   M/12  H/15
Severity 2 | L/2   L/4   L/6   M/8   H/10
Severity 1 | L/1   L/2   L/3   L/4   M/5
Likelihood | 1     2     3     4     5
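The scoring rule above (Priority Rating = Likelihood x Severity of Impact, banded HIGH/MEDIUM/LOW), worked through in Python as an added example; this is not code from the deck or from the FSSCC. It transcribes the deck's two scales, its legend and its priority matrix into data, scores a few constructed worksheet rows, and reports the cells where the printed matrix and the printed legend disagree (for instance a score of 10 is HIGH in the matrix but falls between the legend's "5-9" and ">10" bands). The function names and the sample rows are this example's own.

```python
"""Priority scoring for an FSSCC-style Threat Vulnerability Assessment worksheet.

Added example, not code from the deck or from the FSSCC. Scales, legend and
matrix are transcribed from the slides; everything else is this example's own.
"""

# Scale labels transcribed from the deck's Likelihood and Severity tables.
LIKELIHOOD = {5: "Very High", 4: "High", 3: "Medium", 2: "Low",
              1: "Very Low", 0: "Not Applicable"}
SEVERITY = {5: "Catastrophic", 4: "Major impact", 3: "Moderate impact",
            2: "Minor impact", 1: "Insignificant", 0: "Not Applicable"}


def priority_score(likelihood: int, severity: int) -> int:
    """Priority Rating = Likelihood x Severity of Impact (0-25)."""
    for name, level in (("likelihood", likelihood), ("severity", severity)):
        if level not in range(0, 6):
            raise ValueError(f"{name} must be 0-5, got {level}")
    return likelihood * severity


def legend_band(score: int):
    """Band a score using the legend exactly as printed on the slide.

    Returns 'H', 'M', 'L', or None. The printed legend (>10, 5-9, <5)
    leaves a score of exactly 10 in no band, so None is returned for it
    rather than silently picking one; 0 (Not Applicable) is below 5 and
    therefore lands in LOW.
    """
    if score > 10:
        return "H"
    if 5 <= score <= 9:
        return "M"
    if score < 5:
        return "L"
    return None  # score == 10: gap in the printed legend


# The deck's Sector Priority matrix, keyed (likelihood, severity) -> band.
# Cell values are the deck's own, transcribed, not recomputed.
DECK_MATRIX = {
    (1, 5): "M", (2, 5): "H", (3, 5): "H", (4, 5): "H", (5, 5): "H",
    (1, 4): "L", (2, 4): "M", (3, 4): "H", (4, 4): "H", (5, 4): "H",
    (1, 3): "L", (2, 3): "L", (3, 3): "M", (4, 3): "M", (5, 3): "H",
    (1, 2): "L", (2, 2): "L", (3, 2): "L", (4, 2): "M", (5, 2): "H",
    (1, 1): "L", (2, 1): "L", (3, 1): "L", (4, 1): "L", (5, 1): "M",
}


def matrix_vs_legend():
    """Cells where the deck's matrix band differs from the legend band.

    Each entry is (likelihood, severity, score, deck_band, legend_band).
    When operationalising the matrix, the worksheet needs one authoritative
    rule; this shows exactly where the two printed ones diverge.
    """
    diffs = []
    for (lik, sev), deck_band in sorted(DECK_MATRIX.items()):
        score = priority_score(lik, sev)
        lb = legend_band(score)
        if lb != deck_band:
            diffs.append((lik, sev, score, deck_band, lb))
    return diffs


def assess(threat: str, likelihood: int, severity: int) -> dict:
    """One worksheet row: score plus band from the deck matrix (legend as fallback)."""
    score = priority_score(likelihood, severity)
    band = DECK_MATRIX.get((likelihood, severity), legend_band(score))
    return {"threat": threat, "likelihood": LIKELIHOOD[likelihood],
            "severity": SEVERITY[severity], "score": score, "band": band}


if __name__ == "__main__":
    # Constructed sample rows, not data from the 2011 assessment.
    for row in (("Phishing", 4, 3), ("Power interruption", 2, 5), ("Earthquake", 1, 4)):
        print(assess(*row))
    for d in matrix_vs_legend():
        print("matrix/legend differ:", d)
```

Running the block prints the three constructed rows and five cells where the slide's matrix and legend disagree; an assessment coordinator would resolve those before the worksheet is used, since participants scoring by the formula and participants reading the matrix would otherwise file different priorities for the same threat.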

Assessment Schedule (1 of 2)

Phase I - Kickoff / Registration (July)
- Contact member firms to designate assessment coordinators
- Identify the type of assessment(s) to be conducted
- Determine region(s) for assessment
- Assign Confidential "FirmID"

Phase II - Firm Assessments (August)
- Complete Organization Assessment Worksheets
- Anonymous Submission

Assessment Schedule (2 of 2)

Phase III - Data Analysis (September-October)
- The Threat Assessment WG will analyze organization assessment worksheets and draft sector reports for review by participants and the LRV Committee

Phase IV - Sector Report (November)
- The Threat Vulnerability Assessment WG will prepare confidential reports for the FSSCC Executive Steering Committee