Cybersecurity Landscape...Approximately 25,000-30,000 attendees from law enforcement, InfoSec and...

Post on 28-Aug-2020

Cybersecurity Landscape

Paul Love, Chief Information Security Officer, CO-OP Financial Services

Topics

Impact

Motivations

How

The Future

Open Q&A

More Consumers are Affected by Fraud

2015: 5.30% of U.S. Consumers Impacted

2016: 6.15% of U.S. Consumers Impacted

Source: Javelin - 2017 Identity Fraud: Securing the Connected Life

Overall Fraud Incidence Rose 16%

The Big Story in 2017

Source: 2017 Identity Fraud Study, Javelin Strategy & Research

CARD-NOT-PRESENT FRAUD: UP 40%

ACCOUNT TAKEOVER FRAUD: UP 60%

Both were driven by EMV migration in the U.S., which made in-store fraud more difficult

2017 Breaches

HEALTH CARE

Motivations

Vernacular of Hacking

Skill Labels

• Hacker (white hat)

• Grey Hat

• Bad Hacker (black hat)

• Blue Hat

• Elite Hacker

• Script Kiddie

• Neophyte/Noob

Motivation/Support Labels

• Lone attacker

• Hacktivist

• Nation State

• Organized Criminal Gangs (OCG)

History

Late 50’s – Late 70’s: Phreaking/System Exploration

Late 80’s – Late 90’s: Hacking Increases

2000’s and Beyond: Monetary/Political attacks; Nation State

1983: Wargames (movie)

1986: Computer Fraud and Abuse Act

1988: Morris Worm

1989: First Ransomware detected (PC Cyborg)

1992: 1260 Polymorphic Virus

1993: First DEFCON Conference

1994: Citibank

1996: Cryptovirology (basis of Modern Ransomware)

2000: ILOVEYOU Worm

2001: Code Red

2003: Blaster

2005: CardSystems Solutions

2007: TJ Maxx

2009: Conficker

2010: Stuxnet

2013: Target/Yahoo

2014: Sony

2015: Ashley Madison

2016: Bangladesh Bank Robbery

Why

Money

Resources (medical)

Impersonation for non-monetary purposes (e.g., criminal arrest)

Extension of Political goals

Other (prestige, etc.)

How

Cybercrime Business Model

PAST: Individual or small team who created malware, delivered malware and exploited malware.

CURRENT: CyberCrime as a Service (CAAS)

• Project Manager

• Coder/Malware developer

• Bot herder (as needed)

• Intrusion Specialist

• Data Miner

• Money Specialist

These roles can be further specialized to component parts, from initial access tools all the way to full service models

CyberCrime as a Service (CAAS)

Can consist of specializations

Malware as a service

Counter AV as a Service

Ransomware as a service

Fraud as a service

Escrow Services

Drop Services

And others

Costs

Type: Amount

Server Hacking: Approximately $250

Home Computer Hacking: Approximately $150

Creating Malware: Approximately $200

Bulk Stolen Data: Depends on gigabytes stolen

Hack Service Rental (depending on size): $200 - $1000

Full project hack (end to end): Varies, and can include a fixed fee or a portion of the proceeds

How a Typical Attack Happens

Tools

Networks

Deep Web

Dark Web/Darknet

Public/Internet/Clearnet

Botnets

Approaches

Watering Hole attacks

Malvertisements

DDOS

Ransomware

Malware

BlackHat – DefCon Security Conference

Hacker conference discussing new trends, attacks and intelligence sharing

Approximately 25,000-30,000 attendees from law enforcement, InfoSec and hacker communities.

Key learnings

Crime as a Service is growing

IoT, Vehicles and Voting Machines can be hacked in minutes

Thermostats and other IoT are susceptible to ransomware

Mobile wallets are a target. One attacker showed how a hacker could make fraudulent payments through Samsung Pay [1].

Mag Stripes are susceptible to guessing (brute force), allowing attackers to create mag stripe cards on the fly for POS, hotel rooms and other uses [2].

[1] http://www.itproportal.com/2016/08/10/fraudulent-payments-through-samsung-pay-are-real/

[2] http://www.esecurityplanet.com/hackers/hacking-hotel-keys-and-point-of-sale-systems-at-defcon.html

Many Sites to Support Attackers

Remote Administration Spreaders

Other Services

• Full-fledged services (MAAS)

• Marketing services

• Training

• Support

Information Sharing

Source: https://www.hackaday.com

Security Testing Tools Available

Source: https://www.hak5.org/

Skimming and Fraud

Skimming is a common form of criminal activity in which card data is captured from the magnetic stripe.

Phishing Example

Phishing Example

Phishing Example

Source: https://www.irs.gov/pub/irs-utl/phishing_email.pdf

Phishing Example

Source: https://www.ups.com/media/news/en/fraud_email_examples.pdf

Smishing Example

The Future

Nation State

More sophisticated criminal networks

More focus on Small to Medium sized businesses as targets of opportunity

How to Protect Yourself and Company

User education

Don’t click on links in emails you weren’t expecting

Don’t download or click on attachments in emails

If it feels suspicious, assume it is and contact your security team

Keep systems and antivirus patched