©2014 CliftonLarsonAllen LLP
CLAconnect.com

Protecting Your Religious Organization Against Cybercrime
A “State of the Union”

Disclaimers

The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, or tax advice or opinion provided by CliftonLarsonAllen LLP to the user. The user also is cautioned that this material may not be applicable to, or suitable for, the user’s specific circumstances or needs, and may require consideration of non-tax and other tax factors if any action is to be contemplated. The user should contact his or her CliftonLarsonAllen LLP or other tax professional prior to taking any action based upon this information. CliftonLarsonAllen LLP assumes no obligation to inform the user of any changes in tax laws or other factors that could affect the information contained herein.

Housekeeping

• If you are experiencing technical difficulties, please dial: 800-422-3623.

• Q&A session will be held at the end of the presentation.

– Your questions can be submitted via the Questions Function at any time during the presentation.

• The PowerPoint presentation, as well as the webinar recording, will be sent to you within the next 10 business days.

• Please complete our online survey.

About CliftonLarsonAllen

• A professional services firm with three distinct business lines
  – Wealth Advisory
  – Outsourcing
  – Audit, Tax, and Consulting
• 3,600 employees
• Offices coast to coast
• Nonprofit group serves 6,000 clients across the country

Speaker Introduction

Randy Romes
• Consultant for over 16 years with a strong background in computer technology, physics, and education.
• Leads a team of technology and industry specialists providing IT audits and security assessments for clients in a wide range of industries and diverse operating environments.

• Involved in the development of many leading edge hacking/testing methods and the development of numerous security service offerings

• Featured speaker at national conferences and training sessions related to information and security management

Learning Objectives

At the end of this webinar, you will be able to:
• Recognize the most common methods of cyberattack
• Identify the signs of email spear phishing and ransomware, and the impact they might have on your organization
• Evaluate what steps you can take to protect your organization, parishioners/donors, and employees against cyberattack

Risk Themes

• Hackers have “monetized” their activity
  – More hacking
  – More sophistication
  – More “hands-on” effort
  – Smaller organizations targeted
• Hackers targeting small and medium sized organizations
• Religious organizations are NOT “exempt”…

Mitigation Themes

• Employees that are aware and savvy

• Networks and computer systems that are resistant to malware

• Relationships with banks maximized

Three Largest Trends

• Organized Crime
  – Wholesale theft of personal financial information and identity information
• CATO – Corporate Account Takeover
  – Use of online credentials for ACH, CC and wire fraud
  – NOT just corporations – anyone with online banking/cash management (i.e. electronic payroll)
• Ransomware

Theft of PFI

• Target
• Home Depot
• Goodwill/Jimmy Johns
• Neiman Marcus
• PF Chang
• Dairy Queen
• Sally Beauty
• Harbor Freight
• University of Maryland
• University of Indiana
• Southern MN Medical Center
• Community Health Systems
• Anthem

Corporate Account Takeover

What do the following all have in common?
• Catholic church parish
• Public university system
• Lutheran college
• Main Street newspaper stand
• Electrical contractor
• Trade association
• Rural hospital
• Community college
• Large mid-west Archdiocese
• On and on and on and on……………..

CATO Lawsuits - UCC

a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”

CATO Lawsuits - UCC

• Tennessee Electric vs TriSummit Bank

• $327,804 stolen via ACH through CATO

• Internet banking site was “down” – DOS?

• Tennessee Electric asserting TriSummit processed bogus ACH file without any call back

CATO Lawsuits - UCC

• Choice Escrow vs BancorpSouth

• $440,000 stolen via single wire through CATO
  – CE passed on dual control offered by the bank
• Court ruled in favor of bank
• CE attorneys failed to demonstrate bank’s procedures were not commercially reasonable

CATO Defensive Measures

• Multi-layer authentication
• Multi-factor authentication
• Out of band authentication
• Positive pay
• ACH block and filter
• IP address filtering
• Dual control
• Activity monitoring

Ransomware

• Malware encrypts everything it can interact with – i.e. anything the infected user has access to

• CryptoLocker

• Kovter

– Also displays and adds child pornography images

Ransomware

May 20, 2014 – Ransomware attacks doubled in last month (7,000 to 15,000)

http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966.html

Ransomware

• Zip file is preferred delivery method
  – Helps evade virus protection
• Working (tested) backups are key
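The zip delivery trick described above is something a mail gateway, or whoever looks after the parish PCs, can check for before a message reaches a user. The Python below is an added example, not part of the slides or any CLA tool: it opens a zip attachment in memory, flags members that Windows would run as programs or that hide an executable behind a document-looking double extension, recurses into nested archives, and reports password-protected members it cannot inspect. The archive it examines is constructed inline and contains only placeholder text, no real program.

```python
import io
import zipfile

# Extensions Windows runs as programs or scripts when double-clicked.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
              ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".lnk"}
# Extensions a user expects to be harmless; used to spot "invoice.pdf.exe".
DOCUMENT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def suspicious_members(data, depth=0, max_depth=3):
    """Return (member path, reason) pairs for a zip archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # bit 0 = traditional zip encryption
                findings.append((info.filename, "encrypted member, cannot be scanned"))
                continue
            parts = info.filename.rsplit("/", 1)[-1].lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE:
                reason = "executable member"
                if len(parts) > 2 and "." + parts[-2] in DOCUMENT:
                    reason = "double extension disguised as a document"
                findings.append((info.filename, reason))
            elif ext == ".zip":
                if depth >= max_depth:
                    findings.append((info.filename, "nested zip beyond depth limit"))
                    continue
                inner = suspicious_members(zf.read(info), depth + 1, max_depth)
                findings.extend((info.filename + "/" + name, why) for name, why in inner)
    return findings


def build_sample_attachment():
    """Constructed test archive: a nested zip hiding a fake 'Invoice_4471.pdf.exe'
    plus a loose .js, the layout the slides warn about. Member bodies are
    placeholder text, not programs."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Invoice_4471.pdf.exe", b"placeholder, not a real program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"Please see the attached invoice.")
        zf.writestr("invoice.zip", inner.getvalue())
        zf.writestr("notice.js", b"// placeholder script")
    return outer.getvalue()


if __name__ == "__main__":
    for member, why in suspicious_members(build_sample_attachment()):
        print(f"{member}: {why}")
```

Paired with the tested backups the slide calls for, a quarantine rule on any hit from this check removes the common case without relying on the antivirus signature the zip was meant to evade.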

The Cost?

Norton/Symantec Corp:
• Cost of global cybercrime: $388 billion
• Global black market in marijuana, cocaine and heroin combined: $288 billion

2014 Ponemon Institute Research Report:
– Cost per stolen record increased from $188 to $201
– Total Average Cost paid by organizations increased from $5.4M to $5.9M
– Average # of breached records is 29,087

Intrusion Analysis

• Blocking and tackling
• Intrusion Analysis: TrustWave
  – Annual breach analysis report
  – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services
  – Annual breach analysis report
  – http://www.verizonenterprise.com/DBIR/
• Intrusions are preventable with simple and/or intermediate controls!

Keys to Successful Breaches – 2013 vs. 2014 (chart)

https://www2.trustwave.com/GSR2014.

Keys to Successful Breaches…

Reliance/dependence on third-party service providers is at the root of most breaches

Verizon
• Report is analysis of intrusions investigated by Verizon and US Secret Service.
• KEY POINTS:
  – Time from successful intrusion to compromise of data was days to weeks.
  – Log files contained evidence of the intrusion attempt, success, and removal of data.
  – Most successful intrusions were not considered highly difficult.

Spear Phishing – “Second Generation” phishing
• Goal is to “root the network”
• Install malware
• Log system activity to harvest passwords
• Use automated tools to execute fraudulent payments
• Trick users into supplying credentials (passwords)

SANS – Client Side Vulnerabilities

• Client side vulnerabilities
  – Missing operating system patches
  – Missing application patches
    ◊ Apple QuickTime
    ◊ Java Vulnerabilities
    ◊ MS Office Applications
    ◊ Adobe Vulnerabilities (PDF, Flash, etc…)

• Objective is to get the users to “Open the door”

Spear Phishing Success Factors

• With so much money at stake, hackers are putting in more effort to increase the likelihood that the emailed link will be followed:
  – “Spoof” the email to appear that it comes from someone in authority
  – Create a customized text that combines with the spoofing to create pressure to act quickly (without thinking)

Email Phishing – Targeted Attack

Randall J. Romes [[email protected]]

Two or Three tell-tale signs

Can you find them?

Email Phishing – Targeted Attack

• Fewer tell-tale signs on fake websites

Email Phishing – “Common Attack”

10 Key Defensive Measures

Training is Critical (but not easy)

Strategies

Our information security strategy should have the following objectives:

• Users who are more aware and savvy

• Networks and computer systems that are resistant to malware

• Relationship with our FI is maximized

Ten Keys to Mitigate Risk

1. Strong Policies
• Email use
• Website links
• Removable media
• Business operations
• Insurance

Ten Keys to Mitigate Risk

2. Defined user access roles and permissions

• Principle of minimum access and least privilege
• Users should NOT have system administrator rights
• “Local Admin” in Windows should be removed (if practical)
• NO email or internet browsing with Admin credentials

Ten Keys to Mitigate Risk

3. Hardened internal systems (end points)
• Hardening checklists (see references/resources)
• Turn off unneeded services
• Change default passwords
• Use strong passwords

Ten Keys to Mitigate Risk

4. Encryption strategy – data centered
• Email
• Laptops and desktops
• Thumb drives
• Email enabled cell phones
• Mobile media
• Data at rest???
• Donor data

Ten Keys to Mitigate Risk

5. Vulnerability management process
• IT needs dedicated time and resources
• Operating system patches
• Application patches
• Testing to validate effectiveness – “belt and suspenders”

Ten Keys to Mitigate Risk

6. Well defined security layers:
• Network segments
• Email gateway/filter
• Firewall – “Proxy” integration for traffic in AND out
• Intrusion Detection/Prevention for network traffic, Internet facing hosts, AND workstations (end points)

Ten Keys to Mitigate Risk

7. Centralized audit logging, analysis, and automated alerting capabilities
• Routing infrastructure
• Authentication
• Servers
• Applications

Ten Keys to Mitigate Risk

8. Defined Incident Response
• Be prepared
• Including data leakage prevention and monitoring
• Up to date documentation
• Forensic preparedness

Ten Keys to Mitigate Risk

9. Know / use Online Banking Tools
• Multi-factor authentication
• Dual control / verification
• Out of band verification / call back thresholds
• ACH positive pay
• ACH blocks and filters
• Review contracts relative to all these
• Monitor account activity daily
• Isolate the PC used for wires/ACH
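The online-banking tools in this list, and the “CATO Defensive Measures” earlier in the deck, are controls the bank offers and the organization has to switch on. The Python below is an added example, not from the slides or any bank's system: it models how dual control, an out-of-band call-back threshold, IP filtering of the isolated payments PC, an ACH payee filter and a daily-limit activity check would each be applied to a payment order before release, returning every control the order fails. The policy values, payee ids and IP addresses are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class ControlPolicy:
    """Controls from the slide, as an organization would agree them with its bank."""
    callback_threshold: float   # out-of-band call-back required above this amount
    allowed_origins: list       # CIDR(s) of the isolated wire/ACH workstation
    ach_approved_payees: set    # ACH filter: only these payee ids may be paid
    daily_limit: float          # cap on what may leave the account per day


@dataclass
class PaymentOrder:
    kind: str                   # "ACH" or "WIRE"
    amount: float
    payee: str
    initiated_by: str
    approved_by: Optional[str]  # second person under dual control
    source_ip: str
    callback_confirmed: bool = False  # bank phoned a listed contact and got a yes


def control_failures(order, policy, released_today=0.0):
    """Return the controls this order fails; an empty list means it may be released."""
    failures = []
    # Dual control: a different person must approve what another person entered.
    if not order.approved_by or order.approved_by == order.initiated_by:
        failures.append("dual control: second, different approver required")
    # Out-of-band verification above the agreed call-back threshold.
    if order.amount > policy.callback_threshold and not order.callback_confirmed:
        failures.append("call-back: amount above threshold and not confirmed out of band")
    # IP address filtering: only the isolated payments PC may submit orders.
    src = ip_address(order.source_ip)
    if not any(src in ip_network(cidr) for cidr in policy.allowed_origins):
        failures.append("IP filter: order did not come from the isolated payments PC")
    # ACH block and filter: payees not on the approved list are blocked outright.
    if order.kind == "ACH" and order.payee not in policy.ach_approved_payees:
        failures.append("ACH filter: payee not on the approved list")
    # Activity monitoring: the daily limit also catches a burst of small transfers.
    if released_today + order.amount > policy.daily_limit:
        failures.append("activity monitoring: daily limit exceeded")
    return failures


# Constructed sample policy and orders; ids and addresses are placeholders.
POLICY = ControlPolicy(callback_threshold=5_000.00, allowed_origins=["192.0.2.10/32"],
                       ach_approved_payees={"PAYROLL-SVC-001", "UTILITY-ACH-002"},
                       daily_limit=25_000.00)
# Routine payroll entered by the bookkeeper and approved by the treasurer.
PAYROLL = PaymentOrder("ACH", 4_200.00, "PAYROLL-SVC-001", "bookkeeper", "treasurer", "192.0.2.10")
# A large wire to an unknown beneficiary from an unexpected machine, no approver.
TAKEOVER = PaymentOrder("WIRE", 48_000.00, "UNKNOWN-BENEFICIARY", "bookkeeper", None, "198.51.100.7")

if __name__ == "__main__":
    print("payroll:", control_failures(PAYROLL, POLICY) or "release")
    print("takeover:", control_failures(TAKEOVER, POLICY))
```

The point of the contract review the slide mentions is that, under the UCC language quoted earlier, a control the bank offered and the customer declined counts against the customer, as in Choice Escrow; this check is the customer-side record that each offered control is actually in force.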

Ten Keys to Mitigate Risk

10. Test, Test, Test – “Belt and suspenders” approach
– Penetration testing
  ◊ Internal and external
– Social engineering testing
  ◊ Simulate spear phishing
– Application testing
  ◊ Test the tools with your bank
  ◊ Test internal processes

Questions?

Randy Romes, Principal Information Security Services Group

[email protected]

(612)397-3114

“Three” Security Reports
• Trends: SANS 2009 Top Cyber Security Threats
  – http://www.sans.org/top-cyber-security-risks/
• Intrusion Analysis: TrustWave (Annual)
  – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)
  – http://www.verizonenterprise.com/DBIR/

Resources – Hardening Checklists

Hardening checklists from vendors

• CIS offers vendor-neutral hardening resources http://www.cisecurity.org/

• Microsoft Security Checklists
  – http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  – http://technet.microsoft.com/en-us/library/dd366061.aspx

Most of these will be from the “BIG” software and hardware providers

CLAconnect.com

twitter.com/CLAconnect
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen

Thank you
Randy Romes, Principal
[email protected]
612-397-3114