Peter Fonash
Federal Reserve Board

Evolving Cyber Threat
Addressing the Threat
Financial Sector Activities
Summary
Source: FireEye
Rapidly Evolving Cyber Threat
• 93% increase in web attacks in 2010 over the volume observed in 2009
• 6,253 new vulnerabilities
◦ Symantec recorded more vulnerabilities in 2010 than in any previous year since starting this report.
• 42% more mobile attacks
• Symantec recorded over 3 billion malware attacks in 2010
• 286M+ types of malware identified in 2010
• 260,000 average number of identities exposed per breach
• Rustock, the largest botnet observed in 2010, had well over 1 million bots under its control
• Underground economy advertisement in 2010 promoting 10,000 bots for $15.
Source: Symantec Internet Security Threat Report dated April 2011
Cyber Threats to Financial Infrastructure
• Corporate Espionage: Malicious threat actors targeting US companies to gather intelligence and sensitive corporate data for competitive advantage
• Advanced Persistent Threat: Stealthy, coordinated cyber activity over a long period of time directed against political, business, and economic targets
• Supply Chain Exploitation: Cyber exploitation, manipulation, diversion, or substitution of counterfeit, suspect, or fraudulent items impacting US CIKR
• Disruption: Distributed Denial of Service (DDoS) attack (effort to prevent a site or service from functioning efficiently or at all, temporarily or indefinitely)
• Cyber Crime: Criminals seeking sensitive, protected information for financial gain
Cyber Threat Actors
• Nation states
• Terrorist/Violent Extremists
• Hacktivists
• Criminals and organized crime
Goal: Hack networks for a politically or socially motivated purpose
• Anonymous** conducted DDoS attacks against:
◦ Orlando Chamber of Commerce
◦ Amazon
◦ PayPal
◦ MasterCard and Visa
◦ Swiss bank PostFinance
• LulzSec
◦ May have accessed UK ATM transaction logs, stealing individual bank account details from 3,100 ATMs
**Anonymous and LulzSec may have recently consolidated
Malicious criminal actors
• Organized crime
◦ Russia, Ukraine, and Romania most sophisticated financial cybercriminals
• Tools
◦ Highly capable cyber tools
◦ Financially motivated to sell tools and services
◦ Malware used to steal banking credentials: SpyEye, Zeus, and Coreflood
• Social networking/social engineering sites
◦ Provide ideal environment for stealing user bank account access credentials
The Criminal Market
Source: Symantec Global Internet Security Threat Report dated April 14, 2009
Social engineering
• Spear phishing
• Spoofing e-mail accounts
• USB thumb drives
• Supply-chain exploitation
• Leveraging trusted insiders
Threat Vector / Counter-Measure / Threat Response

Threat vector: Malware (virus, worm, Trojan horse)
  Counter-measure: Anti-virus programs
  Threat response: 1. Attack and negate anti-virus programs; 2. Fake anti-virus programs

Threat vector: Key stroke loggers (stolen credentials)
  Counter-measure: Two factor authentication
  Threat response: 1. Exploits against service level accounts; 2. Counterfeit credentials

Threat vector: Use non-standard ports or services for malicious C2 or data exfiltration
  Counter-measure: Minimize ports and services available
  Threat response: 1. Encrypt web services traffic; 2. Use legitimate service ports maliciously

Threat vector: Install “root-kits” for remote control
  Counter-measure: Computer forensics tools and root-kit detection tools
  Threat response: 1. Anti-forensics techniques; 2. Obfuscate code; 3. Steganography

Threat vector: Attack and negate anti-virus programs
  Counter-measure: Trusted Platform Module (TPM)
  Threat response: Remotely deployed BIOS root-kit

Threat vector: Code obfuscation
  Counter-measure: Hashing algorithms
  Threat response: MD5 collision; supply chain evil twin

Threat vector: Social engineering
  Counter-measure: User training and awareness
  Threat response: Sophisticated social engineering

Threat vector: Exploit operating system vulnerabilities
  Counter-measure: Harden the operating system; implement host based security
  Threat response: Exploit applications and web vulnerabilities
Continuing Evolution of Threat
• June 2010 Citigroup hack: hackers accessed 260K accounts and stole $2.7M from credit card holders, one of the largest direct attacks on a bank
• Small- to medium-sized businesses perceived to lack strong IT security
◦ Hackers increasingly taking advantage of lack of sophisticated security
Recent Trends
• Smartphones and fraud
◦ Hackers accessing smart phones to gather PII and log-on credentials
◦ As mobile banking popularity increases, hackers may increasingly seek to exploit mobile applications for financial gain
• Major encryption providers targeted as a means to gain trusted access to government/private sector networks
Computer network exploitation by threat actors enables:
• Massive financial losses
• Degradation/disruption of services
• Extortion
• Intellectual property theft
• Counterfeiting
• Theft of proprietary data
• Identity theft (personally identifiable information)
• Access to credit
• Loss of money, reputation, and credibility
The threat takes a holistic approach to you
• So you better do the same
Do not expect warning for cyber any better than you get for the flu.
• It’s out there, it’s coming
◦ Technology will fail to stop attacks
• It is not just remote hacking
• People will make mistakes and perhaps betray you
◦ Products will betray you
Better have a business process that ANTICIPATES this
• And then have a multi-faceted, holistic approach
Recognize that sophistication is not just technology
• Tradecraft to operate clandestinely and gain access
◦ Resources and operational infrastructure
• Organization to execute
• Knowledge of your business and infrastructure
And not just remote attacks
• Remote hacking most common and largest scale
• Manipulate people’s curiosity, greed, and fear (call the IRS)
• Insiders still appear to do most damage
◦ Remote recruitment of people (mules)
◦ Physical access enables greater access (wireless, key loggers, weaken crypto)
• Loss and theft of laptops, portable media, and servers
• Supply chain, mostly as counterfeit and fraud
People with administrative privilege access to networks
• These guys should be audited
• They should not have access to critical information
◦ Crypto maintenance should be separate
People with physical access
• Maintenance and cleaning (banks)
• Thumb drives (one time theft vs. air gap jumping)
People who understand what matters to you
• Know where to look or what to break (red teams)
If it is easy and convenient for you, so it will also be for the evil people.
• If connected to the Internet and have anything of value, you will be plundered systematically for information, access, privilege, money, or bandwidth.
• If doing anything that matters on the Internet, somebody at some point will interfere with or exploit your activity, perhaps without even compromising your machines, and you can’t stop it.
If you are doing anything on the Internet that is vital and critical to your livelihood, public safety, or national security, then STOP IT.
Mobile machines and data will be lost or stolen: plan on it
• Once owned by sophisticated adversaries, you will never be sure of purging them:
◦ Need to do a complete rebuild of the ENTIRE system (BIOS level, all network elements, every endpoint)
◦ AND re-issue all system credentials
If you still insist on using the Internet, have a plan:
• How to backup, restore, and rebuild quickly, repeatedly
◦ Know your service providers (ISPs and proxies).
• Encrypt and authenticate what matters
• Like public health: infrastructure, response, and hygiene
Financial Services Sector Threat Matrix
Federal Financial Institutions Examination Council (FFIEC) New Guidance
Financial Services - Information Sharing and Analysis Center (FS-ISAC)
Threat Matrix Background
• The FSSCC Threat Matrix was developed by the Cybersecurity Committee as a tool to identify threat areas where members of the Financial Services community felt additional focus and energy was needed.
• The FSSCC Executive Steering Committee recommended expanding the scope of the Threat Matrix to include “all hazards”.
• The Long Range Vision Committee updated the Threat Matrix and developed a process for the identification of key threats to critical sector processes.
• Key FSSCC Objective to “Operationalize” the Threat Matrix and conduct an annual Threat Vulnerability Assessment.
(Timeline on slide: 2008, 2009, 2010, 2011)

Long Range Vision Committee – 2011 Threat Vulnerability Assessment
Goals and Objectives
The goal of the 2011 Financial Services Threat Vulnerability Assessment is to strengthen the security and resiliency of the sector through systematic assessment and preparation for the threats posing the greatest risk to critical infrastructure and key resources (CI/KR).
Objectives:
• Establish a common framework with a common terminology and approach, built around basic plans that support the all-hazards approach to preparedness
• Provide recommendations/priorities to FSSCC Leadership
• Input to the Annual Sector Report
• Input to the R&D Research Challenges
Presidential Policy Directive 8: National Preparedness (March 30, 2011)
• Assistant to the President for Homeland Security and Counterterrorism shall coordinate the development of a plan for completing the national preparedness goal and national preparedness system.
• The national preparedness goal shall be informed by the risk of specific threats and vulnerabilities, taking into account regional variations, and include concrete, measurable, and prioritized objectives to mitigate that risk
• Includes all hazards (e.g., acts of terrorism, cyber attacks, pandemics, and catastrophic natural disasters)
• Identifies shared responsibility of all levels of government, the private and nonprofit sectors, and individual citizens.
Threat Vulnerability Assessment Results (chart on slide; sample data for illustration only, marked NOTIONAL)
Federal Financial Institutions Examination Council (FFIEC) issued on June 28th, 2011 a supplement to the Authentication in an Internet Banking Environment guidance, issued in October 2005.
• Reason:
◦ Growth of electronic banking and greater sophistication of the associated threats have increased risks for financial institutions and their customers.
◦ Customers and financial institutions have experienced substantial losses from online account takeovers.
• Effective security is essential for financial institutions to safeguard customer information, reduce fraud stemming from the theft of sensitive customer information, and promote the legal enforceability of financial institutions' electronic agreements and transactions.
• The supplement reinforces the risk-management framework described in the original guidance and updates the FFIEC member agencies' supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment.
• The supplement stresses the need for:
◦ Performing risk assessments, implementing effective strategies for mitigating identified risks,
◦ Raising customer awareness of potential risks, but does not endorse any specific technology for doing so.
• The FFIEC member agencies will continue to work closely with financial institutions to promote security in electronic banking.
• Examiners to formally assess financial institutions under the enhanced expectations outlined in the supplement beginning in January 2012.
• FS-ISAC was established in 1999 by the financial services sector in response to 1998's Presidential Directive 63.
◦ Updated by 2003's Homeland Security Presidential Directive 7
◦ Mandated that the public and private sectors share information about physical and cyber security threats and vulnerabilities to help protect the U.S. critical infrastructure.
• FS-ISAC is constantly gathering reliable and timely information from financial services providers, commercial security firms, federal, state and local government agencies, law enforcement and other trusted resources.
• FS-ISAC is now uniquely positioned to quickly disseminate physical and cyber threat alerts and other critical information.
◦ This information includes analysis and recommended solutions from leading industry experts.
• Threat is evolving and becoming more sophisticated
• Banking and Finance are a major target
• Difficult for smaller organizations to have capabilities to address
◦ Consider outsourcing
• Problem is not going away
• Have a plan and constantly reassess
• Leverage FSSCC and FS-ISAC
Off game on their turf
• You will share and so will they
• Physical security is an illusion
Game over
• If you accept files
• If you use local services
• If you lose sight or physical control
• If you sleep
If you do travel with IT
• Do not connect back to main networks
• Rebuild laptops on return and shred mobiles
• Connect travel dedicated server in DMZ that strips email to text
• Configure for no downloads and end-to-end encryption
• Carry thumb drive with write block, biometric lock, encrypted files
Definitions
Likelihood: The probability that a given critical function may be impacted by a given threat within the associated control environment.
Severity: The degree of impact resulting from a given threat harming (or harming confidence in) the confidentiality, integrity, or availability of a given critical function.
Threat Assessment: Determining Likelihood & Severity

Likelihood. Level: What is the likelihood that a critical function would be impacted?
5 Very High: The threat-source is actively harming the critical function or has in the past and controls have not been enhanced.
4 High: The threat-source is highly motivated and sufficiently capable, and controls to prevent the critical function from being harmed are ineffective.
3 Medium: The threat-source is motivated and capable, but controls are in place that may impede attempted harm to the critical function.
2 Low: The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the critical function from being harmed.
1 Very Low: The threat-source has a very low or no chance of causing negative impact to the critical function.
0 Not Applicable.

Severity. Level: To what degree would the sector be impacted?
5 Catastrophic: An event causing major and extended disruptions in production operations and/or having major impact to ability to achieve business objectives.
4 Major impact: An event causing serious disruptions in production operations and/or having major impact to ability to achieve business objectives.
3 Moderate impact: An event with the potential to cause moderate disruption in production operations and/or have significant impact on the ability to achieve business objectives.
2 Minor impact: An event causing minimal to no disruption in production operations and/or having moderate impact on the ability to achieve business objectives.
1 Insignificant: An event causing no disruption in production operations and having limited impact on the ability to achieve business objectives.
0 Not Applicable.
Critical Functions
• Clearinghouses
• Commercial banks
• Credit rating agencies
• Electronic payment firms
• Exchanges/electronic communication networks
• Financial advisory services
• Financial utilities
• Government and industry regulators
• Government subsidized entities
• Insurance companies
• Investment banks
• Merchants
• Retail banks

Threat Vulnerability Assessment Worksheet (worksheet form shown on slide)
Threat Matrix Ver. 4.0
1 Critical Infrastructure: Power interruption; Loss of communications; Impaired transportation; Water availability; Aging infrastructure
2 Natural Disasters: Earthquake, tsunami; Volcano; Flood; Landslide
3 Health Crisis: Pandemic; Epidemic; Virus outbreak
4 Severe Weather: Tornado, hurricanes; Snow, ice storms; Heat wave, drought
5 Arson/Incendiary Attack
6 Armed Attack: Small arms; Stand-off weapons (rocket propelled grenades, mortars, etc.)
7 Civil Unrest: National, sovereign; Geopolitical, protests; Civil disobedience; Labor disputes
8 Improvised Explosive Devices (IED): Stationary vehicle; Moving vehicle; Mail; Supply; Thrown; Placed; Personnel
9 Biological Agent: Anthrax; Botulism; Plague; Smallpox; Toxins
10 Agriterrorism
11 Nuclear: Device detonation (underground, surface, air, high altitude); Power plant
12 Radiological Agent: Covert deposit, sprayed; Munitions, dirty bomb; Power plant
13 Chemical Agent: Blister; Blood; Choking/lung/pulmonary; Incapacitating; Nerve; Riot control/tear gas; Vomiting
14 Hazardous Material: Fixed site; Transported
15 Critical Operations: Bank failure; Liquidity; Counterparty risk; Currency crisis; Fraud; Loss of key staff
16 Corporate Espionage/Surveillance: Acoustic; Electronic eavesdropping; Visual
17 Insider Threat: Disgruntled employee; Consultants; Third party services
18 Terrorism: Physical; Cyber
19 Supply Chain Risk: Hardware; Software; Services
20 Cybersecurity: Data availability, confidentiality, integrity; Advanced persistent threat; Proliferation of exploit tools; Phishing; Logic bombs; Denial of service; Sniffer; Zero-day exploit; Virus; Trojan horse; Vishing; Worm; War driving
Threat Assessment: Determining Priority
Priority is determined by considering Likelihood and Severity of Impact.
Priority Rating = Likelihood x Severity of Impact

Sector Priority definitions:
H (>10) HIGH – Unacceptable, major disruption likely. Different approach required. Priority management attention required.
M (5-9) MEDIUM – Some disruption. Different approach may be required. Additional management attention may be needed.
L (<5) LOW – Minimum impact. Minimum oversight needed to ensure risk remains low.

Priority matrix (cell = Priority/Rating; rows = Severity 5 to 1, columns = Likelihood 1 to 5):
             L=1    L=2    L=3    L=4    L=5
Severity 5   M/5    H/10   H/15   H/20   H/25
Severity 4   L/4    M/8    H/12   H/16   H/20
Severity 3   L/3    L/6    M/9    M/12   H/15
Severity 2   L/2    L/4    L/6    M/8    H/10
Severity 1   L/1    L/2    L/3    L/4    M/5
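As an added worked example (not from the presentation or the FSSCC), the following Python encodes the two 0-5 scales from the definitions, computes Priority Rating = Likelihood x Severity of Impact, bands the score by the slide's legend, and ranks a constructed sample worksheet; the threat names come from the Threat Matrix categories, while the level values are assumed sample data.

```python
"""Priority rating from the Likelihood and Severity scales on this slide."""
from typing import NamedTuple, Optional

# Added example, not from the presentation. Levels run 0-5 (0 = Not Applicable).
LIKELIHOOD = {0: "Not Applicable", 1: "Very Low", 2: "Low",
              3: "Medium", 4: "High", 5: "Very High"}
SEVERITY = {0: "Not Applicable", 1: "Insignificant", 2: "Minor impact",
            3: "Moderate impact", 4: "Major impact", 5: "Catastrophic"}

class Rating(NamedTuple):
    score: Optional[int]  # None when either factor is Not Applicable
    band: str             # "H", "M", "L" or "N/A"

def band_for(score: int) -> str:
    """Legend: >10 HIGH, 5-9 MEDIUM, <5 LOW; the matrix shows 10 as H, so 10 is HIGH."""
    if score >= 10:
        return "H"
    if score >= 5:
        return "M"
    return "L"

def priority(likelihood: int, severity: int) -> Rating:
    """Priority Rating = Likelihood x Severity of Impact, with its H/M/L band."""
    if likelihood not in LIKELIHOOD or severity not in SEVERITY:
        raise ValueError("levels must be integers from 0 to 5")
    if likelihood == 0 or severity == 0:
        return Rating(None, "N/A")
    score = likelihood * severity
    return Rating(score, band_for(score))

def priority_matrix() -> list:
    """Rows = Severity 5..1, columns = Likelihood 1..5, cells like 'H/25'."""
    return [[f"{priority(lk, s).band}/{priority(lk, s).score}" for lk in range(1, 6)]
            for s in range(5, 0, -1)]

# Constructed sample worksheet: (threat from the Threat Matrix, likelihood, severity)
SAMPLE_WORKSHEET = [
    ("20 Cybersecurity: Phishing", 5, 3),
    ("20 Cybersecurity: Denial of Service", 4, 4),
    ("19 Supply Chain Risk: Hardware", 2, 5),
    ("17 Insider Threat: Disgruntled Employee", 3, 4),
    ("4 Severe Weather: Snow, ice storms", 3, 1),
    ("10 Agriterrorism", 0, 3),
]

def rank(worksheet) -> list:
    """Return (threat, score, band) sorted high to low; N/A entries last."""
    rated = [(name, priority(lk, s)) for name, lk, s in worksheet]
    scored = [(n, r.score, r.band) for n, r in rated if r.score is not None]
    not_applicable = [(n, None, "N/A") for n, r in rated if r.score is None]
    return sorted(scored, key=lambda row: -row[1]) + not_applicable

if __name__ == "__main__":
    for row in priority_matrix():
        print("  ".join(f"{cell:>5}" for cell in row))
    for name, score, band in rank(SAMPLE_WORKSHEET):
        print(f"{band:>3} {str(score):>4}  {name}")
```

The slide's own matrix marks the 3x4 cell as M/12 although its legend puts anything above 10 in HIGH; the code follows the legend (with 10 as HIGH, as the matrix shows), so it reports 12 as H.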
Assessment Schedule (1 of 2)
Phase I – Kickoff / Registration (July)
• Contact member firms to designate assessment coordinators
• Identify the type of assessment(s) to be conducted
• Determine region(s) for assessment
• Assign Confidential “FirmID”
Phase II – Firm Assessments (August)
• Complete Organization Assessment Worksheets
• Anonymous Submission

Assessment Schedule (2 of 2)
Phase III – Data Analysis (September-October)
• The Threat Assessment WG will analyze organization assessment worksheets and draft sector reports for review by participants and the LRV Committee
Phase IV – Sector Report (November)
• The Threat Vulnerability Assessment WG will prepare confidential reports for the FSSCC Executive Steering Committee