Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014




© 2014 Traina & Associates 1

Lisa D. Traina, CPA, CITP, CGMA

Lisa Traina utilizes her 30+ years of experience as a CPA, CITP and CGMA to assist financial institutions, hospitals, CPA firms and their clients in implementing measures to secure data and manage risks.

Traina & Associates, an IT security audit firm, has been honored four times as a member of the LSU 100 list of the top 100 fastest growing Tiger-led businesses.

Traina Advisory Services, LLC offers additional consulting services. In response to client requests for assistance with third party due diligence, Managed Vendor Program (MVP) was launched in 2014.

Lisa was named to the Baton Rouge Business Report 2014 list of Influential Women in Business and also to the CPA Practice Advisor Magazine 2012 list of 25 ‘Most Powerful Women in Accounting’.

Traina & Associates

Traina & Associates helps secure your data. The fact is that a single hacker could ruin your company’s reputation or drain your bank account. We provide IT Security Audit services to help you prevent that from happening.

Since 1999, we have been a trusted provider serving financial institutions, hospitals, CPA firms, non-profits and other businesses. We have a team of professionals with extensive experience and certifications, performing hundreds of engagements per year.

We continually research new technologies and security threats so audit procedures remain up to date. Take a step toward business security. Visit our website for more details on any of our audit services or training options: www.TrainaCPA.com. Please contact us today at [email protected] or (225) 308-1712 or follow us on twitter at @TrainaCPA.


‘Some form of data breach, deliberate or accidental, is now considered inevitable for all organizations at some point.’ – IRM Cyber Risk Report 2014

Making The Headlines

• Numerous companies and vendors have been breached recently
• Many of these breaches have occurred in the past few months

Typical Myths

• Some users need better computer security than others
• Breaches only happen to large organizations
• Employees cannot access Facebook at work
• EMV is the solution to card fraud
• The ‘IT Guy’ keeps the organization safe
• Anti-virus software is the best protection

Top Security Threats

1. Weak Passwords
   o Default and weak passwords are very common
   o People use the same password for many systems
   o Many systems are accessible remotely with a password as the single control

2. Phishing
   o A person is tricked into
     - Visiting a site and entering confidential information (password, credit card details, etc.)
     - Clicking a link that installs malware
   o Top themes for spam and phishing messages worldwide
     - Bank deposit/payment notifications
     - Online product purchase
     - Attached photo
     - Shipping notices
     - Online dating
     - Taxes
     - Facebook
     - Gift card or voucher
     - PayPal

3. Malware
   o Viruses, adware, bots, spyware
   o Installed without the user’s knowledge
   o Often not detected by anti-virus programs
   o Malware timeframe: one click → infected system

4. Vulnerable Systems
   o Vulnerability = security hole or weakness
   o Malware typically exploits a vulnerability
   o Every system must be updated or patched to eliminate vulnerabilities (servers, workstations, mobile devices, firewalls, routers, switches, etc.)
   o Many new vulnerabilities are discovered every day
   o Patching systems
     - Very difficult to keep everything patched
     - Patches can break things
     - Patches are not provided for obsolete systems
     - Operating systems: Windows XP, Windows 7, Windows 8, etc.
     - Applications: Java, Adobe, etc. run on many different operating systems
     - 91% of observed attacks exploited a Java vulnerability
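The phishing indicators listed under threat 2 can be checked mechanically before a message reaches a user. The block below is an added example, not code from the handout or from Traina & Associates; the trusted-domain list, the two sample messages and the message dictionary format are all constructed for the demonstration. It flags a display name or lookalike sender domain that trades on a trusted brand, a Reply-To that diverts answers elsewhere, links whose visible text names a different host than the href (or that point at a bare IP address), and executable attachments.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: domains the organization legitimately receives
# mail from, and attachment types that should never arrive unrequested.
TRUSTED_DOMAINS = ("examplebank.com", "paypal.com")
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".zip"}


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host):
    """Last two DNS labels, e.g. 'secure.examplebank.com' -> 'examplebank.com'.
    A crude stand-in for a public-suffix lookup; enough for the demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(header_value):
    """Registrable domain of the address in a From:/Reply-To: header value."""
    m = re.search(r"<([^>]+)>", header_value)
    addr = m.group(1) if m else header_value
    return registrable(addr.strip().rsplit("@", 1)[-1])


def phishing_indicators(msg):
    """Return human-readable indicators for a message dict with keys
    'from', 'reply_to', 'html', 'attachments'. Empty list = nothing found."""
    flags = []
    sender = address_domain(msg["from"])
    display = msg["from"].split("<")[0].strip().strip('"').lower()

    # Display name or sender domain trades on a trusted brand it does not own.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display and sender != trusted:
            flags.append(f"display name claims {brand} but sender is {sender}")
        if brand in sender and sender != trusted:
            flags.append(f"lookalike sender domain {sender}")

    # Replies are diverted away from the apparent sender.
    if msg.get("reply_to") and address_domain(msg["reply_to"]) != sender:
        flags.append(f"reply-to domain {address_domain(msg['reply_to'])} differs from sender {sender}")

    # Links: bare IP hosts, and visible text naming a different domain than the href.
    parser = LinkCollector()
    parser.feed(msg.get("html", ""))
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            flags.append(f"link to bare IP address {host}")
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and registrable(shown.group(0)) != registrable(host):
            flags.append(f"link text says {shown.group(0)} but goes to {host}")

    # Executable or archive attachments on an unsolicited notice.
    for name in msg.get("attachments", []):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            flags.append(f"risky attachment {name}")
    return flags


# Constructed sample messages (not real mail): a "deposit notification" phish
# and a legitimate statement notice from the bank's own domain.
PHISH = {
    "from": '"ExampleBank Payments" <notify@examplebank-alerts.net>',
    "reply_to": "support@mailer-xyz.example",
    "html": 'Your deposit is on hold. <a href="http://198.51.100.7/login">'
            'www.examplebank.com/verify</a>',
    "attachments": ["DepositNotice.pdf.exe"],
}
LEGIT = {
    "from": '"ExampleBank" <alerts@examplebank.com>',
    "reply_to": "alerts@examplebank.com",
    "html": '<a href="https://secure.examplebank.com/statements">View statement</a>',
    "attachments": ["statement.pdf"],
}

if __name__ == "__main__":
    for label, m in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, phishing_indicators(m) or "no indicators")
```

Run against the constructed phish, every rule fires (six indicators); the legitimate notice produces none. In a real gateway the trusted-domain list would be the organization's actual correspondents and the suffix logic would use a public-suffix list, but the shape of the checks is the same.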

Recent News

• Windows XP
  o Support by Microsoft for Windows XP ended April 8, 2014
  o Any computer still running XP could receive a ‘flood’ of malware, since security patches are no longer released
  o Windows Server 2003 support ends July 14, 2015

• Internet Explorer
  o Recent vulnerability, malware risk
  o Homeland Security warning issued
  o All versions of Internet Explorer affected
  o Patches released for all supported versions (and, as an exception, for Windows XP)

• Ransomware
  o Files are encrypted and a ransom is demanded
  o Can happen on networks, workstations and mobile devices

• Backoff Malware
  o More than 1,000 businesses of different sizes hit
  o Attackers located Internet-facing remote access applications, brute-forced their credentials, and gained access to point-of-sale systems
  o Commonly compromised applications: LogMeIn, Join.me, Microsoft Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway

• We’re Too Small To Matter
  o Hackers are not picky people
  o Path of least resistance
  o Gateway to the ultimate target
  o Testing ground for new malware programs

• Malware For Sale

Malware At Its Worst

• Corporate Account Takeover (CATO)
  o A form of corporate identity theft in which a business’s online banking credentials are stolen by malware and criminals fraudulently transfer funds out of the account(s)
  o Dissecting an Attack


    - Attack chain: target victims → install malware → victim logs in to online banking → collect and transmit data → initiate funds transfer(s)
  o CATO is occurring at an alarming rate
  o Primary targets are small to mid-sized businesses
  o Lawsuits between businesses and financial institutions
  o Very preventable with proper security measures
  o OFI 19 Recommendations
    - Protect, Detect, Respond
  o What institutions are doing right
    - Most have adequate layered controls in place
    - Risk assessments have been implemented and approved by the BOD
    - Better information provided through literature and online
  o Room for improvement
    - Risk assessments missing new products/services
    - ‘Respond’ recommendations not yet implemented
    - More training for employees, board members and customers needed

Mobile Devices

• More mobile devices in use than people on earth
• Fraud will increase as use of banking and mobile payments increases
• Mobile devices should be treated as any other computing resource
• Mobile Malware
  o 75% of web-delivered malware was encountered on Android devices (iOS second with 17%)
  o Mobile malware accounted for only 1.2% of total web malware encounters in 2013; however, this is the next logical area of exploitation for hackers
• Types of exploitation:
  o Surveillance: audio, camera, call logs, location, SMS messages
  o Impersonation: SMS redirection, sending email messages, posting to social media
  o Financial: sending premium rate SMS messages, stealing transaction authentication numbers, extortion via ransomware, fake antivirus, making expensive calls
  o Botnet activity: DDoS attacks, click fraud, premium rate SMS messages
  o Data theft: account details, contacts, call logs, phone numbers, stealing data via app vulnerabilities, stealing the IMEI number
• Bring Your Own Device (BYOD)
  o Most organizations do not:
    - Know who is doing what with devices
    - Have sufficient controls
    - Have a centralized management system (MDM)
• The Trouble With Syncing
  o BYOD-approved devices
  o Personal devices
  o Automated syncing
  o Recipe for disaster
• Bring Your Own Cloud (BYOC)
  o BYOC is the newest problem with cloud data storage
  o Organizations have employees who are using cloud services for data storage, knowingly or unknowingly
  o Data is no longer controlled or secured by the organization

Protection & Prevention

• No silver bullet; layers of security are needed
• Security measures must include
  o Computer and mobile device security
  o Account security
  o The human element

• Critical Computer Security Measures
  1. Properly configured network controls (firewalls, intrusion detection, administrator access, etc.)
  2. Constant patching for everything
  3. Current anti-virus on all systems
  4. Complex passwords that expire
  5. Very restricted Internet access
  6. Spam filtering
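Measure 4 here, and threat 1 (Weak Passwords) earlier in the handout, are the kind of thing a small audit script can check against an account inventory. The following is an added example and not the handout’s own material; the default-password list, the four inventory entries and the 12-character minimum are assumptions constructed for the demonstration. It reports default or short passwords, the same password reused by one user across systems (compared by digest so the reuse report names systems rather than secrets), and accounts reachable remotely with a password as the only control.

```python
import hashlib

# Constructed for this example: a handful of vendor defaults and common choices
# an attacker tries first, and a small account inventory of the kind an audit
# collects. None of it comes from the handout.
DEFAULT_PASSWORDS = {"password", "admin", "123456", "welcome1", "changeme", "cisco"}
MIN_LENGTH = 12   # assumed policy minimum; the handout only says "complex"

INVENTORY = [
    {"system": "firewall-admin", "user": "admin",    "password": "cisco",
     "remote": True,  "mfa": False},
    {"system": "online-banking", "user": "ap_clerk", "password": "Summer2014!",
     "remote": True,  "mfa": True},
    {"system": "file-server",    "user": "ap_clerk", "password": "Summer2014!",
     "remote": False, "mfa": False},
    {"system": "vpn",            "user": "jdoe",     "password": "correct horse battery staple",
     "remote": True,  "mfa": False},
]


def digest(password):
    """Fingerprint used only to compare passwords across systems in the report."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_findings(password):
    """Findings for a single password value."""
    findings = []
    if password.lower() in DEFAULT_PASSWORDS:
        findings.append("default or common password")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


def audit(inventory):
    """Map each system to its findings: weak value, reuse, single-control exposure."""
    # Group systems by (user, password digest) to find the same password reused.
    by_user_and_digest = {}
    for acct in inventory:
        key = (acct["user"], digest(acct["password"]))
        by_user_and_digest.setdefault(key, []).append(acct["system"])

    report = {}
    for acct in inventory:
        findings = password_findings(acct["password"])
        key = (acct["user"], digest(acct["password"]))
        others = [s for s in by_user_and_digest[key] if s != acct["system"]]
        if others:
            findings.append("same password reused on " + ", ".join(sorted(others)))
        # The handout's third point: remotely reachable, password is the only control.
        if acct["remote"] and not acct["mfa"]:
            findings.append("reachable remotely with a password as the single control")
        report[acct["system"]] = findings
    return report


if __name__ == "__main__":
    for system, findings in audit(INVENTORY).items():
        print(f"{system}: {'; '.join(findings) if findings else 'no findings'}")
```

The firewall entry trips all three checks; the banking login is short and reused on the file server but is saved by its token; the VPN passphrase is fine as a value, and the finding there is that nothing but the password stands between the Internet and the network.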

• Mobile Device Security
  1. Passcode and inactivity lock
  2. Device tracking and wipe
  3. Updated operating systems and applications
  4. Limited storage of confidential data
  5. Acceptable usage policies
  6. Mobile device management software (MDM)
  7. Knowledge of where data resides

• Online Banking Account Security
  1. Financial institution controls (tokens, call-backs, dual control, etc.)
  2. Strict password and access controls
  3. Frequent review of account activity
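Item 3 (frequent review of account activity) and the attack chain under ‘Dissecting an Attack’ suggest what an automated review of outbound transfers should look for: payees the customer has never paid, a session from an address never seen before, amounts outside the customer’s norm, activity outside business hours, and several transfers in quick succession, which is how stolen funds are pushed to money mules. The block below is an added example, not a control from the handout, from OFI or from any bank’s system; the customer profile, the thresholds and the four transfers are constructed. Transfers that trip enough rules are held for the dual-control and call-back verification listed in item 1 instead of leaving automatically.

```python
from datetime import datetime, timedelta

# Constructed customer profile: what "normal" looks like for one business
# account, as a bank's monitoring would learn it from past activity.
PROFILE = {
    "known_payees": {"ACME Supply", "City Utilities", "Payroll Svc"},
    "known_ips": {"203.0.113.10"},            # the customer's office address
    "typical_max_amount": 15000.00,
    "business_hours": (8, 18),                # local hours when staff normally bank
}
HOLD_SCORE = 3           # assumed threshold: this many reasons holds the transfer
VELOCITY_WINDOW = timedelta(minutes=30)


def score_transfer(tx, profile, earlier):
    """Score one outbound transfer against the profile.

    `earlier` holds transfers already processed in time order, so the velocity
    rule can count how many preceded this one inside the window.
    Returns (score, reasons)."""
    reasons = []
    if tx["payee"] not in profile["known_payees"]:
        reasons.append("new payee")
    if tx["ip"] not in profile["known_ips"]:
        reasons.append("unrecognized source IP")
    if tx["amount"] > profile["typical_max_amount"]:
        reasons.append("amount above customer's typical maximum")
    start, end = profile["business_hours"]
    if tx["time"].weekday() >= 5 or not start <= tx["time"].hour < end:
        reasons.append("outside business hours")
    recent = [e for e in earlier if tx["time"] - e["time"] <= VELOCITY_WINDOW]
    if len(recent) >= 2:
        reasons.append("third or later transfer within 30 minutes")
    return len(reasons), reasons


def review_batch(transfers, profile):
    """Decide RELEASE or HOLD for each transfer, in time order.

    HOLD means the transfer waits for out-of-band verification (call-back to a
    number on file, second approver) rather than leaving the bank automatically."""
    decisions, earlier = [], []
    for tx in sorted(transfers, key=lambda t: t["time"]):
        score, reasons = score_transfer(tx, profile, earlier)
        decisions.append({
            "id": tx["id"],
            "action": "HOLD" if score >= HOLD_SCORE else "RELEASE",
            "reasons": reasons,
        })
        earlier.append(tx)
    return decisions


# Constructed sample: a normal payroll run on a Tuesday morning, then a cluster
# of early-Saturday transfers from a new address to payees never seen before,
# the pattern a takeover produces when funds are pushed out to mules.
BATCH = [
    {"id": "T1", "payee": "Payroll Svc", "amount": 9800.00,
     "ip": "203.0.113.10", "time": datetime(2014, 12, 2, 10, 15)},
    {"id": "T2", "payee": "R. Smith", "amount": 9400.00,
     "ip": "198.51.100.23", "time": datetime(2014, 12, 6, 2, 10)},
    {"id": "T3", "payee": "K. Jones", "amount": 9600.00,
     "ip": "198.51.100.23", "time": datetime(2014, 12, 6, 2, 14)},
    {"id": "T4", "payee": "ACME Supply", "amount": 48000.00,
     "ip": "198.51.100.23", "time": datetime(2014, 12, 6, 2, 20)},
]

if __name__ == "__main__":
    for d in review_batch(BATCH, PROFILE):
        print(d["id"], d["action"], "; ".join(d["reasons"]) or "no findings")
```

The payroll transfer releases with no findings; the three Saturday transfers are held, and the last one also trips the velocity rule even though its payee is a known supplier, because a known payee paid an unusual amount from an unknown address at 2 a.m. is exactly what a takeover looks like. The point of scoring rather than blocking on any single rule is that a legitimate new vendor or a late-night payment alone should not stop business.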

• The Human Element
  1. Training for every employee
    - Use caution online
    - Delete anything suspicious
    - Do not reply to unknown emails
  2. Include third-party testing of the organization’s systems and procedures

• Does This Make Sense?
• How Secure Is Your Organization?
  o You don’t know what you don’t know!
  o Third-party security can impact you
    - Due diligence is critical!


What To Expect

• More Sophisticated Attacks
  o All businesses are prone to exploits
  o Known information is growing
  o Results in better targeted phishing attempts
• Credit Cards & EMV
• Apple Pay & NFC Payments
• New Avenues of Exploitation
  o Small business, health care, construction, emergency management, etc.
  o These avenues will only grow and change
  o Important to address current issues
• The Internet of Things

‘The digital economy will continue to pose new information risks and business opportunities for all organizations.’ – IRM Cyber Risk Report 2014

Questions & Comments: [email protected] [email protected] (225) 308-1712

@TrainaCPA


www.ManagedVendorProgram.com | (541)2VENDOR or (541)283-6367 | [email protected]

Managed Vendor Program

As part of MVP, we will request for review the following vendor related documents as applicable:

• Contract*

• Audited financial statements

• Security audit reports (i.e. SSAE 16, SOC 1, SOC 2, etc.)

• Business continuity planning documentation

• Disaster recovery testing results and documentation

• Identity Theft Program

• Insurance Coverage

• Regulatory Exam and Management Responses

• DDoS Plans

• Compliance and licensing information

• Customer complaint resolution information

*We do not offer legal advice on matters of contract structuring or obligations.

Reviews are performed by experienced professionals specializing in IS Risk Management for financial institutions. Reports provided include an Executive/Board Summary containing a snapshot of all vendors reviewed as well as a Vendor Review Report for each third party provider. We will also provide online access to your vendor documentation for 12 months, allowing easy retrieval for all auditing needs.

Keeping up is challenging

MAKE A CHOICE TO LESSEN YOUR BURDEN AND RISK

Traina Advisory Services, LLC, is partnering with community financial institutions who face the challenge of keeping up with regulatory requirements for managing third party risk.

Our Managed Vendor Program (MVP) will take the burden of document collection and assessment off of you, and will provide information that can quickly be evaluated and reported to your Board of Directors. Our thorough yet concise summaries will give you the information you need to assess your critical vendors.

We want to be your Most Valuable Partner in managing third party risk.