Cyber Security Seminar - 2014
Presenter: Tim Lenhoff, Chief Technology Officer
Agenda
Introductions and Logistics
How Safe Are You?
A Year in Review
Cyber Security - 2014
Top 10 Cyber Attack Methods
Security Counter Measures
Columbia Bank - Managing Risk
How Safe Are You?
Data Breaches by Sector in 2012-2013
[Pie chart. Sectors in legend order: Healthcare, Education, Government, Accounting, Computer Software, Financial, Information Technology, Telecom, Computer Hardware, Community/Non Profit. Slice labels on the chart: 36%, 16%, 13%, 9%, 6%, 6%, 5%, 4%, 3%, 3%.]
Source: Symantec Internet Security Threat Report April 2013
Adobe Systems (Photoshop and Acrobat products)
On October 3, 2013, Adobe faced two attacks from cyber
criminals who stole credit card data of 2.9 million customers.
Its security team had discovered the sophisticated attacks
involving illegal access of customer information and source
code of many Adobe products.
After further investigation, it was confirmed that the
attackers obtained access to Adobe IDs and what were at the
time valid, encrypted passwords for approximately 38
million active users.
Facebook, Gmail and Twitter Breach
In November 2013, hackers stole usernames and
passwords for nearly two million accounts at
Facebook, Google, Twitter, Yahoo and ADP.
The massive data breach was a result of key logging
software maliciously installed on an untold number of
computers around the world. The virus captured log-in
credentials for key websites and sent those
usernames and passwords to a server controlled by the
hackers. Approximate numbers of accounts:
• 318,000 Facebook
• 70,000 Gmail, Google+ and YouTube
• 60,000 Yahoo
• 22,000 Twitter
• 8,000 ADP
• 8,000 LinkedIn
Target Data Breach
In December 2013, credit and debit card information of as many
as 70 million customers was compromised over three weeks
of the holiday shopping season, one of the largest breaches
ever of American consumer data.
Target said that the information compromised included
customer names, card numbers, expiration dates and the
short verification codes known as CVVs.
It is believed that hackers broke into the retailer's network
using login credentials stolen from a heating, ventilation and
air conditioning company that does work for Target at a
number of locations.
Blue Cross Blue Shield Breach
In December 2013, a pair of laptops containing
unencrypted patient data was stolen from Horizon
Blue Cross Blue Shield of New Jersey’s Newark
headquarters. The Apple MacBook Pros held
information from almost 840,000 Horizon BCBSNJ
members.
It is believed that the laptops, which were cable-
locked to workstations, contained information
including names, addresses, dates of birth, clinical
information, and Social Security numbers.
NSA Surveillance Program Breach
Edward Snowden, the high-profile Booz Allen government
contractor, received widespread headlines for releasing
data on the National Security Agency's surveillance
program as part of its counterterrorism activities.
This security breach is an example of the internal threats
posed to organizations.
Snowden was with Booz Allen for only three months,
assigned to a team in Hawaii. Snowden had access to
top-secret data and over time used a thumb drive to take
thousands of confidential documents, damaging to the
NSA.
A Year in Review
The Cost of Cyber Crime Services
Service for Sale                                     Cost of Service
Trojan for bank account stealing                     $1,300
Trojan for web page data replacement in a browser    $850
Hiring a DDoS attack                                 $30 - $70 / day, $1,200 / month
Email Spamming                                       $10 / 1 million emails
Email Spamming using customer database               $50 - $500 / 50,000 – 1 mil
SMS Spamming                                         $3 - $150 / 100-10,000 texts
Windows Rootkit                                      $292
Ransomware                                           $8 - $20
Fake Websites                                        $5 - $50
Zeus source code                                     $200 - $500
Hacking Facebook or Twitter account                  $130
Hacking Gmail account                                $162
Hacking corporate mailbox                            $500
*Source: TrendMicro Research paper 2012 – Russian Underground 101
Information Exposed in Breaches in 2013
70% Real Names
40% Social Security Numbers
40% Birth Dates
36% Home Address
31% Medical Records
*Source: Symantec Internet Security Threat Report – December 2013
Top 5 Social Media Attacks, 2013
81% Fake Offering – Invites users to join a fake event or group with incentives such as free gift cards. Joining often requires users to share credentials or send a text to a premium rate number.
7% Likejacking – Using fake “Like” buttons to install malware.
6% Fake Plug-in Scams – Users are tricked into downloading fake browser extensions on their machines.
2% Fake Apps – Applications provided by attackers that appear to be legitimate apps; however, they contain a malicious payload. The attackers often take legitimate apps, bundle malware with them, and then re-release it as a free version of the app.
2% Manual Sharing – Rely on victims to share videos, fake offers or messages with their friends.
*Source: Symantec Internet Security Threat Report – December 2013
Cyber Security - 2014
Priorities and Concerns for 2014
• Social Media Will Continue to Grow
    • As they go mobile and add payment mechanisms, they will attract even more attention from online criminals with malware, phishing, spam and scams.
    • Criminals will target teenagers, young adults and other people who may be less guarded about their personal data and insufficiently security-minded to protect their devices and avoid scams.
• Websites Will Become More Difficult to Manage / Navigate
    • Criminals will increasingly infect websites with malware and attack kits. Software vendors will become pressured to “fix” vulnerabilities quicker.
    • Users and companies that employ them will need to become more proactive about maintaining privacy and security.
• Growing Risk of Unpatched Systems
    • As of April 8, 2014 no new security patches are available for Windows XP and Office 2003, making home computer systems and specialized markets such as point of sale and medical equipment extremely vulnerable… Heartbleed…
• Phishing
    • Identities are valuable. Phishing attacks will continue to get smarter and more sophisticated.
    • Phishing will become more regional and specific.
    • Social Media websites and trusted messaging platforms will become bigger targets.
• Managing Mobile Malware
    • Mobile Phones and Tablets are becoming the new hardware platform. Prepare for Ransomware and website infections on these new devices.
    • Consider this security risk when allowing employees to bring their own devices into the workplace.
Anatomy of a Hacked Mobile Device:
How a hacker can profit from your smartphone
Top 10 Cyber Attack Methods
1. E-mail Attachments
• Common method of distribution of malicious code.
• E-mail is inherently insecure.
• The source of an e-mail address can be easily spoofed as someone that you trust.
• Avoid using attachments as a means to exchange files. Instead, use a third-party file exchange system.
2. Portable Media
• Any device that can store information: optical discs (CD, DVD, HD-DVD, Blu-Ray, etc.), tapes, external hard drives, USB drives, and memory cards.
• Any storage device can support both benign and malicious content.
• Be cautious about connecting devices to your system.
3. Malicious Web Sites
• The primary tool used to interact with the Internet.
• Any site can be the victim of an attack.
• Always be cautious about following Web links to domain names you don’t generally recognize.
4. Downloading Files
• Files also include plug-ins, movies, audio files, etc., as well as mobile code, such as ActiveX, Java, JavaScript, Flash, etc.
• Any code that comes from an outside source puts you and your computer system at risk.
• Seek out only those locations that are known to be safe and trustworthy.
5. P2P File Sharing Services
• Malicious content grows when that code is obtained through a peer file-sharing system.
• The risk is greater not because the content becomes malicious when it is exchanged outside of ethical channels, but because the providers of the content often include malicious code intentionally.
6. Instant Messaging Clients
• Malware can be seen as a form of parasite that attaches itself to any popular communication medium.
• User can accept an offered file from an unknown source or follow an offered hyperlink to a malicious Web site.
• Allow remote hackers to upload and/or download files through holes in IM client software.
7. New Device or Peripheral
• Vendors often outsource the actual construction and pre-production of their products to external manufacturers and assemblers.
• Mobile phones, digital photo frames, and even media players have been compromised during manufacturing.
• Don’t be an early adopter.
8. Social Networking Sites
• Proliferation of message posting and exchange services.
• Trick users into accepting fraudulent information that could compromise an account or the security of a computer.
• Some in-site applications, written by malicious entities, attempt to hijack accounts or distribute malicious code.
9. Social Engineering
• Phishing is the most popular
• Web - Fake AV
• USB Flash Drives
• Be aware that attackers are trying to trick you into doing things like following hyperlinks and downloading files.
10. Not Following Security Guidelines and Policies
• People tend to care less about company data than they would their own.
• Security Awareness Training
• Communicate regularly throughout the year.
• Stay current with new security trends – Be aware that it can happen to YOU.
Security Counter Measures
Why do we care about this?…
• Financial Loss
• Customer or personal Data Loss
• Business Disruption
• Closing Accounts
• Reregistering Accounts
• Reputational Business Risks
Apply Business Security Policies
Provide a uniform security policy enforced across the business
Admin Rights – network and local
Control Access Based on the Need to Know
Policies and procedures for the following service elements:
End-User Security
Removable Device Security
Network Communications Security
Remote Desktop Security
Software Updates
Uniform Security Settings
System Patching
Workstations and Servers
Versions Upgrades
Critical Updates
Operating Systems
Windows Applications
3rd Party Applications
Heartbleed Vulnerability
April 8, 2014
No New Updates are available for Windows XP & Office 2003
Continuous Patching
Know your Business Partners
Manage the businesses you do business with
Do they have access to confidential information?
Review them on a recurring basis
Cloud Email Anti-SPAM & Anti-Virus
Safeguarding your email with anti-virus, anti-spyware, anti-
spam technology and Phishing Defense.
Stop threats in the cloud before they reach your servers or
workstation.
Protection Against Zero-Day
Wireless Device Control
Wireless devices are a convenient vector for attackers
Attackers gain wireless access to organizations from outside the
building, bypassing organizations' security by connecting wirelessly to
access points inside the organization.
Wireless mobile devices can be infected during air travel or in cyber
cafes and are then used as back doors when reconnected to your
internal network.
Restrict Access to authorized users only
Scan for rogue devices
Disable Wireless Access on devices that do not need it
Protection on Your Devices and Systems
24/7 Management and Monitoring
Definition file updates
Version updates
Forgotten systems or devices
Reporting/Tracking
Anti-Virus
Anti-Malware
Host Intrusion Prevention (HIPS)
Content Filtering
SPAM Filtering
Network Access Control
Application Control
Columbia Bank - Managing Risks
Managing the Risk
Best Practice # 1 – Separation of Duties
Best Practice # 2 – Stronger Password
Best Practice # 3 – Dual Administrative Control
Best Practice # 4 – Dual Transaction Control
Best Practice # 5 – Dual Transaction Control Plus
Best Practice # 6 - Education
• Educate staff on risk and fraud prevention (key)
• Set strong internal control criteria (policy)
• Educate staff on internet browsing risks
• Educate staff on Email Risks
Best Practice # 7 – Protection
• Email filtering software/service
• Internet browser filtering software/service
• External device (USB) (DVD) control
• Mobile Device Management
• Segregation of workstation for financial transactions
• Insurance – Cyber related
Best Practice # 8 – Monitoring
• Monitor activity daily
• Utilize Balance Alerts - think fraud protection and prevention
• Limit / Eliminate email and internet on business workstations
• Use a layered security approach – solutions - vendors
Key solutions for better protection…
• Enhanced Multifactor Authentication (MFA)
    • Method for security code delivery
    • Tokens
• Protection for ACH and Wire transactions
    • Wire procedures
    • ACH profile controls
• Browser Security for Columbia Bank Access
    • Secures and Encrypts the session
    • Alerts of possible issues
• Back End Monitoring Tools
    • Advanced activity monitoring
    • Based on patterns of behavior
    • Alerts of possible issues
• Communication
In Summary…
• Review, identify and know your risks
• Put a plan in place to close gaps
• Review Email and Internet browsing habits
• Patching-Operating systems and virus software
• Windows XP and Office Suite sunset
• Utilize various layers of protection
• Stay current…news…reports….information
• Regularly review your own security practices
• If it looks, feels or sounds strange….it is…
• Money spent now will save you later
You can’t do everything….
But don’t do nothing!
What Questions do we have?
Thank you for your business!
Thank you for attending!