Transcript of “Protecting Your Religious Organization Against Cybercrime” (©2014 CliftonLarsonAllen LLP)

Posted on 08-Jun-2020

©2014 CliftonLarsonAllen LLP


CLAconnect.com

Protecting Your Religious Organization Against Cybercrime

A “State of the Union”


Disclaimers

The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, or tax advice or opinion provided by CliftonLarsonAllen LLP to the user. The user also is cautioned that this material may not be applicable to, or suitable for, the user’s specific circumstances or needs, and may require consideration of non-tax and other tax factors if any action is to be contemplated. The user should contact his or her CliftonLarsonAllen LLP or other tax professional prior to taking any action based upon this information. CliftonLarsonAllen LLP assumes no obligation to inform the user of any changes in tax laws or other factors that could affect the information contained herein.


Housekeeping

• If you are experiencing technical difficulties, please dial: 800-422-3623.

• Q&A session will be held at the end of the presentation.

– Your questions can be submitted via the Questions Function at any time during the presentation.

• The PowerPoint presentation, as well as the webinar recording, will be sent to you within the next 10 business days.

• Please complete our online survey.


About CliftonLarsonAllen

• A professional services firm with three distinct business lines
– Wealth Advisory
– Outsourcing
– Audit, Tax, and Consulting
• 3,600 employees
• Offices coast to coast
• Nonprofit group serves 6,000 clients across the country


Speaker Introduction

Randy Romes

• Consultant for over 16 years with a strong background in computer technology, physics, and education.
• Leads a team of technology and industry specialists providing IT audits and security assessments for clients in a wide range of industries and diverse operating environments.
• Involved in the development of many leading-edge hacking/testing methods and the development of numerous security service offerings.
• Featured speaker at national conferences and training sessions related to information and security management.


Learning Objectives

At the end of this webinar, you will be able to:
• Recognize the most common methods of cyberattack
• Identify the signs of email spear phishing and ransomware, and the impact it might have on your organization
• Evaluate what steps you can take to protect your organization, parishioners/donors, and employees against cyberattack


Risk Themes

• Hackers have “monetized” their activity
– More hacking
– More sophistication
– More “hands-on” effort
– Smaller organizations targeted
• Hackers targeting small and medium-sized organizations
• Religious organizations are NOT “exempt”…


Mitigation Themes

• Employees that are aware and savvy

• Networks and computer systems that are resistant to malware

• Relationships with banks maximized


Three Largest Trends

• Organized Crime
– Wholesale theft of personal financial information and identity information
• CATO – Corporate Account Takeover
– Use of online credentials for ACH, CC and wire fraud
– NOT just corporations – anyone with online banking/cash management (i.e. electronic payroll)
• Ransomware


Theft of PFI

• Target
• Home Depot
• Goodwill/Jimmy Johns
• Neiman Marcus
• PF Chang
• Dairy Queen
• Sally Beauty
• Harbor Freight
• University of Maryland
• University of Indiana
• Southern MN Medical Center
• Community Health Systems
• Anthem


Corporate Account Takeover

What do the following all have in common?
• Catholic church parish
• Public university system
• Lutheran college
• Main Street newspaper stand
• Electrical contractor
• Trade association
• Rural hospital
• Community college
• Large mid-west Archdiocese
• On and on and on and on……………..


CATO Lawsuits - UCC

a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”


CATO Lawsuits - UCC

• Tennessee Electric vs TriSummit Bank

• $327,804 stolen via ACH through CATO

• Internet banking site was “down” – DOS?

• Tennessee Electric asserting TriSummit processed bogus ACH file without any call back


CATO Lawsuits - UCC

• Choice Escrow vs BancorpSouth
• $440,000 stolen via single wire through CATO
– CE passed on dual control offered by the bank
• Court ruled in favor of bank
• CE attorneys failed to demonstrate bank’s procedures were not commercially reasonable


CATO Defensive Measures

• Multi-layer authentication
• Multi-factor authentication
• Out-of-band authentication
• Positive pay
• ACH block and filter
• IP address filtering
• Dual control
• Activity monitoring


Ransomware

• Malware encrypts everything it can interact with – i.e. anything the infected user has access to
• CryptoLocker
• Kovter
– Also displays and adds child pornography images


Ransomware

May 20, 2014 – Ransomware attacks doubled in last month (7,000 to 15,000)

http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966.html


Ransomware

• Zip file is preferred delivery method
– Helps evade virus protection
• Working (tested) backups are key


The Cost?

Norton/Symantec Corp:
• Cost of global cybercrime: $388 billion
• Global black market in marijuana, cocaine and heroin combined: $288 billion

2014 Ponemon Institute Research Report:
– Cost per stolen record increased from $188 to $201
– Total average cost paid by organizations increased from $5.4M to $5.9M
– Average number of breached records is 29,087


Intrusion Analysis

• Blocking and tackling
• Intrusion Analysis: TrustWave
– Annual breach analysis report
– https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services
– Annual breach analysis report
– http://www.verizonenterprise.com/DBIR/
• Intrusions are preventable with simple and/or intermediate controls!


Keys to Successful Breaches, 2013 and 2014 (chart; source: https://www2.trustwave.com/GSR2014.)


Keys to Successful Breaches…

Reliance/dependence on 3rd party service providers is at root of most breaches


Verizon

• Report is analysis of intrusions investigated by Verizon and US Secret Service.
• KEY POINTS:
– Time from successful intrusion to compromise of data was days to weeks.
– Log files contained evidence of the intrusion attempt, success, and removal of data.
– Most successful intrusions were not considered highly difficult.


Spear Phishing

“Second Generation” phishing. Goal is to “root the network”:
• Install malware
• Log system activity to harvest passwords
• Use automated tools to execute fraudulent payments
• Trick users into supplying credentials (passwords)


SANS – Client Side Vulnerabilities

• Client side vulnerabilities
– Missing operating system patches
– Missing application patches
◊ Apple QuickTime
◊ Java vulnerabilities
◊ MS Office applications
◊ Adobe vulnerabilities (PDF, Flash, etc…)
• Objective is to get the users to “Open the door”


Spear Phishing Success Factors

• With so much money at stake, hackers are putting in more effort to increase the likelihood that the emailed link will be followed:
– “Spoof” the email to appear that it comes from someone in authority
– Create a customized text that combines with the spoofing to create pressure to act quickly (without thinking)


Email Phishing – Targeted Attack

(Slide shows a sample email; the visible header reads: Randall J. Romes [rromes@larsonallen.com])

Two or three tell-tale signs. Can you find them?


Email Phishing – Targeted Attack

• Fewer tell-tale signs on fake websites


Email Phishing – “Common Attack”


CLAconnect.com

10 Key Defensive Measures

Training is Critical (but not easy)


Strategies

Our information security strategy should have the following objectives:

• Users who are more aware and savvy

• Networks and computer systems that are resistant to malware

• Relationship with our financial institution (FI) is maximized


Ten Keys to Mitigate Risk

1. Strong Policies
• Email use
• Website links
• Removable media
• Business operations
• Insurance


Ten Keys to Mitigate Risk

2. Defined user access roles and permissions
• Principle of minimum access and least privilege
• Users should NOT have system administrator rights
• “Local Admin” in Windows should be removed (if practical)
• NO email or internet browsing with Admin credentials


Ten Keys to Mitigate Risk

3. Hardened internal systems (end points)
• Hardening checklists (see references/resources)
• Turn off unneeded services
• Change default passwords
• Use strong passwords


Ten Keys to Mitigate Risk

4. Encryption strategy – data centered
• Email
• Laptops and desktops
• Thumb drives
• Email-enabled cell phones
• Mobile media
• Data at rest???
• Donor data


Ten Keys to Mitigate Risk

5. Vulnerability management process
• IT needs dedicated time and resources
• Operating system patches
• Application patches
• Testing to validate effectiveness – “belt and suspenders”


Ten Keys to Mitigate Risk

6. Well defined security layers:
• Network segments
• Email gateway/filter
• Firewall – “Proxy” integration for traffic in AND out
• Intrusion Detection/Prevention for network traffic, Internet-facing hosts, AND workstations (end points)


Ten Keys to Mitigate Risk

7. Centralized audit logging, analysis, and automated alerting capabilities
• Routing infrastructure
• Authentication
• Servers
• Applications


Ten Keys to Mitigate Risk

8. Defined Incident Response
• Be prepared
• Including data leakage prevention and monitoring
• Up-to-date documentation
• Forensic preparedness


Ten Keys to Mitigate Risk

9. Know / use Online Banking Tools
• Multi-factor authentication
• Dual control / verification
• Out-of-band verification / call-back thresholds
• ACH positive pay
• ACH blocks and filters
• Review contracts relative to all these
• Monitor account activity daily
• Isolate the PC used for wires/ACH
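As an added example (not from the webinar or from CliftonLarsonAllen), here is a small Python model of the layered online-banking controls listed under CATO Defensive Measures and Key 9, run against a single-wire scenario like the Choice Escrow case with the controls waived versus enforced. All policy values, payee ids, user names and IP addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Policy:
    """Controls from the deck; every value here is a constructed example, not a bank's setting."""
    require_dual_control: bool = True                  # second, distinct approver per release
    callback_threshold: float = 10_000.00              # out-of-band call-back above this amount
    allowed_networks: tuple = ("203.0.113.0/24",)      # IP filtering: the isolated wires/ACH workstation
    approved_payees: Optional[frozenset] = frozenset({"PAYROLL-VENDOR-01"})  # positive pay; None = off

@dataclass
class PaymentOrder:
    amount: float
    payee_id: str
    initiator: str
    approver: Optional[str]
    source_ip: str
    callback_confirmed: bool = False

def evaluate_order(order: PaymentOrder, policy: Policy) -> List[str]:
    """Return the controls the order fails; an empty list means it may be released."""
    failures = []
    src = ip_address(order.source_ip)
    if not any(src in ip_network(net) for net in policy.allowed_networks):
        failures.append("source IP outside allowed networks")
    if policy.approved_payees is not None and order.payee_id not in policy.approved_payees:
        failures.append("payee not on positive-pay list")
    if policy.require_dual_control and order.approver in (None, order.initiator):
        failures.append("dual control not satisfied")
    if order.amount > policy.callback_threshold and not order.callback_confirmed:
        failures.append("call-back verification required above threshold")
    return failures

# Constructed scenario echoing the deck's Choice Escrow case: one user releases a
# single $440,000 wire from a PC outside the isolated network, with every control waived.
WAIVED = Policy(require_dual_control=False, callback_threshold=float("inf"),
                allowed_networks=("0.0.0.0/0",), approved_payees=None)
LAYERED = Policy()
STOLEN_WIRE = PaymentOrder(440_000.00, "UNREGISTERED-PAYEE", "ap_clerk", None, "198.51.100.7")

if __name__ == "__main__":
    print("controls waived :", evaluate_order(STOLEN_WIRE, WAIVED))    # [] -> wire goes out
    print("layered controls:", evaluate_order(STOLEN_WIRE, LAYERED))   # four failures, wire held
```

Each control is independent, so a compromised credential on its own is not enough: the order must also come from the isolated workstation, name a registered payee, carry a second approval and, above the threshold, a confirmed call-back.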


Ten Keys to Mitigate Risk

10. Test, Test, Test – “Belt and suspenders” approach
– Penetration testing
◊ Internal and external
– Social engineering testing
◊ Simulate spear phishing
– Application testing
◊ Test the tools with your bank
◊ Test internal processes


Questions?

Randy Romes, Principal, Information Security Services Group

Randy.romes@claconnect.com

(612)397-3114


“Three” Security Reports

• Trends: SANS 2009 Top Cyber Security Threats
– http://www.sans.org/top-cyber-security-risks/
• Intrusion Analysis: TrustWave (Annual)
– https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)
– http://www.verizonenterprise.com/DBIR/


Resources – Hardening Checklists

Hardening checklists from vendors

• CIS offers vendor-neutral hardening resources
– http://www.cisecurity.org/
• Microsoft Security Checklists
– http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
– http://technet.microsoft.com/en-us/library/dd366061.aspx

Most of these will be from the “BIG” software and hardware providers.


CLAconnect.com

twitter.com/CLAconnect

facebook.com/cliftonlarsonallen

linkedin.com/company/cliftonlarsonallen

Thank you

Randy Romes, Principal
randy.romes@CLAconnect.com
612-397-3114