ISMG’s Global Fraud & Breach Summit is a must-attend event for any executive tasked with protecting an organization from today’s information security threats.
Fraud and Breach Prevention Summit
SAN FRANCISCO
March 22-23, 2016 | Hilton Financial District
Visit ismgcorp.com/events for more information
Interested in multiple attendees? Contact [email protected] or call (800) 944-0401
When we first gathered here a year ago, we were amidst a string of high-profile retail breaches that had repercussions throughout the world, sparking fresh discussions about new payments security answers.

Today, we’re here to discuss not just the future of payment card security, but also the rapid evolution of cyber-attacks and the unique challenges of detecting, responding to and investigating these crimes.

With dual tracks focusing on fraud and on breach prevention/response, we hope today’s Summit offers you multiple entry points into these engaging topics. Mix and match – attend sessions in each track, and be sure to take time to meet with your peers, our speakers and our sponsors. Exchange insights on today’s top schemes and the technology solutions designed to stop them.

Throughout the day, please take time to visit with our Summit sponsors, who make this event possible.

Also, please be sure to evaluate each of our sessions and speakers, and introduce yourself anytime to the entire ISMG team. Let us know how we can help you enrich your Summit experience.
Best,
Tom Field
Vice President, Editorial
ISMG’s Upcoming Fraud and Breach Prevention Summit in San Francisco!
Schedule
Interested in multiple attendees? Contact [email protected] or call (800) 944-0401
Tuesday, March 22

12:00pm - 1:00pm: Workshops Registration & Networking

1:00pm - 2:30pm: Data Breach Outlook: From Its Nation-State Roots to the Next Massive Attack
Born from nation-state espionage, hundreds of tools and services are now available for assembly into custom-built attack suites fit for almost any purpose and truly massive scale. As these attacks are gaining momentum and sophistication, we need to adapt our defenses accordingly. To do that effectively, we must clearly understand how and why our enemy functions.

2:30pm - 3:00pm: Break & Networking

3:00pm - 4:30pm: Breach Response Planning: Hammer Out Your Legal, Business and Technology Differences Before a Breach
Every mature enterprise understands the necessity of maintaining a tested breach response plan. But it’s critical for the scope of that plan to go beyond technical operations, covering all interested parties, such as legal, finance and media relations, that may have greatly different priorities at crunch time. Hear the perspectives of key stakeholders – the practitioners who represent legal, IT and business operations, and whose organizations have suffered severe data breaches.

4:30pm - 5:00pm: Closing Remarks

5:00pm - 6:00pm: Dinner & Networking
Wednesday, March 23 - Morning

8:00am - 9:00am: Registration, Breakfast & Exhibit Browsing

9:00am - 9:30am: Data Breach Outlook: From Its Nation-State Roots to the Next Massive Attack
Born from nation-state espionage, hundreds of tools and services are now available for assembly into custom-built attack suites fit for almost any purpose and truly massive scale. As these attacks are gaining momentum and sophistication, we need to adapt our defenses accordingly. To do that effectively, we must clearly understand how and why our enemy functions.

From 9:30am the program splits into a Fraud Track and a Data Breach Track.

9:30am - 10:00am
Fraud Track - New Account Fraud: Still a Model of Success
This session will discuss strategies and technologies to gain a more accurate and holistic picture of account applicants and to respond in real-time to risk.
Data Breach Track - Et Tu Brute? How Your Government Can Take You Down
Take an in-depth look at the details of an investigation of a cancer screening service that led to a protracted legal battle, putting the service out of business.

10:00am - 10:30am
Fraud Track - Customer Endpoint Protection – Securing Transactions From Millions of Devices You Don’t Own
Experts will discuss the latest in tools and strategies, including the latest endpoint malware capabilities, fraud detection and prevention technologies, and more.
Data Breach Track - The True Cost of Data Breaches: Not Just a Dollar Per Record
Hear a firsthand account of a business leader who has survived, overcome and thrived in the wake of such an experience.

10:30am - 11:00am: Break & Networking

11:00am - 11:30am
Fraud Track - Mobile: The Emerging Standard for Payments and the Next Target for Fraud
We will discuss the latest mobile vulnerabilities and the mechanisms to secure them, including the inherent differences and weaknesses of the best-known mobile platforms, and more.
Data Breach Track - Reverse Engineering Intrusions and Infections: How Malware Can Educate Us About Our Adversaries
We can use clues such as hard-coded command-and-control IP addresses, communication mechanisms and general toolset functionality to build a picture as to how an attack will be conducted. In this session we’ll hear from a leading research lab about its methods in defeating attacks based on these observations.

11:30am - 12:00pm
Fraud Track - Card-Not-Present: Fraud on the Move, Back to the Future, Again
Attend this session, where we’ll discuss developments in CNP fraud detection and prevention.
Data Breach Track - Mass Identity Management: Our Collective Multipersona Disorder
Join us in this session on the scope of identity sprawl and the leading mechanisms and techniques to ensure the safety of PII (Personally Identifiable Information).

12:00pm - 12:30pm
Fraud Track - Account Takeover: Where Does the Buck Stop?
Our legal and anti-fraud experts will discuss various account takeover prevention strategies, including: the distinction between fraud detection and prevention tools for account compromise and account takeover mitigation; the latest evolution of account takeover schemes; and more.
Data Breach Track - APIs: The Unmanned and Ever Expanding Threat Interface
Recent attacks at Snapchat, Yahoo and Tesla clearly show the vulnerabilities of poorly implemented and protected APIs. In this session we’ll describe the extent to which this vulnerability is exploited and the best practices for securing it.

12:30pm - 1:30pm: Lunch
Wednesday, March 23 - Afternoon

The afternoon continues in two tracks: a Fraud Track and a Data Breach Track.

1:30pm - 2:00pm
Fraud Track - Biometrics: From Fingerprints to Heart Beats, from iTunes to Missiles
This session will review some of the latest advances in biometrics for both “whitelist” and “blacklist” applications, as well as the most significant considerations for their secure deployment.
Data Breach Track - Internet of Everything: Please Don’t Connect It First and Secure It Later
The number of IoT devices will proliferate to over one trillion in the next few years, but any device that can communicate with another potentially can provide a direct conduit from the public Internet to some very private and valuable information. Join us as we attempt to help you say: “Yes, you can connect now. We’ve got this covered.”

2:00pm - 2:30pm
Fraud Track - Knowledge-Based Authentication is Dead; We Need a New, Multidimensional Approach
Here we will describe a layered approach to building a multidimensional reference model of every individual that adapts to changes in the environment, and “prove” that they are who they say they are.
Data Breach Track - Ransomware: You Can Have Your Business Back, But for a Fee
We’ll discuss the scope of this threat, steps you can take to minimize your risk of being victimized by ransomware attacks and steps you can take to recover your data should you fall victim to this type of attack.

2:30pm - 3:00pm
Fraud Track - Federal Reserve Initiative: Faster Payments from End-to-End
In this interactive session, a Federal Reserve Payments executive discusses how the Fed is expanding its payments focus beyond the services it provides today to merchants and banking institutions.
Data Breach Track - Breach Disclosure: The Media’s Role
Listen to a panel of well-known journalists discuss their evolving roles. What are some of their reporting techniques? How do they decide what is or is not a story? How can you work more effectively with them when your organization is the one in the news?

3:00pm - 3:30pm: Break & Networking

3:30pm - 4:00pm
Fraud Track - Fraud Protection and User Friction: Online Experience vs. Risk Management
Getting the right balance between online experience and fraud protection is key. In this session, you will gain insight into the ways to provide protection and enhance the customer experience.
Data Breach Track - International Breach Disclosure: Navigating A New Legal World of Complexity
You will query a panel of litigators who focus solely on data breach, theft of intellectual property and privacy-related topics.

4:00pm - 4:30pm
Fraud Track - The Blockchain: A New Hypersecure Fabric for Any Transaction?
Many current transaction mechanisms are vulnerable to fraud. In this session we’ll walk through the potential impact of broader blockchain deployment.
Data Breach Track - Role-Based Behavior Analytics: Patterns and Anomalies in User Behavior as Indicators of Attack
Here we will lay out the various models used for behavior pattern analysis and demonstrate how this may be integrated into a real-world SOC.

4:30pm - 5:00pm: If Data Has No Value, Its Theft is Pointless
Payment transactions often provide a treasure trove of valuable, usable data for thieves. But if that data has no value, it becomes useless and will eventually no longer be a target for theft in the first place. In this session we’ll discuss the benefits and pitfalls on this topic.

5:00pm - 6:00pm: Cocktails & Networking
Faculty
Editorial Staff
Howard Anderson, News Editor
Tracy Kitten, Executive Editor, BankInfoSecurity & CUInfoSecurity
Robyn Weisman, Custom Content Producer
Mathew J. Schwartz, Executive Editor, DataBreachToday & Europe
Geetha Nandikotkur, Managing Editor, Asia & the Middle East
Eric Chabrow, Executive Editor, GovInfoSecurity & InfoRiskToday
Marianne Kolbasuk McGee, Executive Editor, HealthcareInfoSecurity
Varun Haran, Principal Correspondent

Based on decades of experience, content for ISMG’s Summit series is crafted by the foremost experts in information security and risk management.
Tom Field
Vice President, Editorial
Field is an award-winning journalist with over 30 years of experience in newspapers, magazines, books, events and electronic media. A veteran community journalist with extensive business/technology and international reporting experience, Field joined ISMG in 2007 and currently oversees the editorial operations for all of ISMG’s global media properties. An accomplished public speaker, Field has developed and moderated scores of podcasts, webcasts, roundtables and conferences. He has appeared at RSA Conference and on various C-SPAN, History Channel and Travel Channel television programs.

ISMG brand and regional Executive Editors will moderate most summit sessions. With extensive industry and regional expertise, these hosts are responsible for ensuring a timely pace and connecting speakers with the audience.
Mindy Blodgett
Content Director
Blodgett is an Events Content Director at Information Security Media Group and is an experienced communications specialist and content creator for editorial, marketing and events. She has spent more than 30 years in communications and events roles, with a focus on information technology and business strategy journalism and related events. Before coming to ISMG, she produced content for events for the International Data Group (IDG) Enterprise; was a senior editor at CIO magazine and worked as a research analyst for the Yankee Group.
Speakers
Michael Theis, CMU CERT Insider Threat Center
Jeffrey Shaffer, PricewaterhouseCoopers
Doug Johnson, American Bankers Association
Clyde Langley, Charles Schwab
Robert Carr, Heartland Payment Systems
Richard Bortnick, Traub Lieberman Straus & Shrewsberry, LLP
Avivah Litan, Gartner
Barbara Pacheco, Federal Reserve Bank of Kansas City
Eduardo Perez, Visa Inc
Janey Carruthers, US Banking Regulator
Julie Conroy, Aite Group
David Pollino, Bank of the West
Kate Borten, The Marblehead Group
Jessica Corley, Alston & Bird LLP
Ron Ross, National Institute of Standards and Technology (NIST)
Kevin Morrison, The Results Companies
T.C. Spencer Pryor, Alston & Bird, LLP
David Szabo, Locke Lord LLP
Dr. Dale Meyerrose, U.S. Air Force (retired)
Michael Redman, Space and Missile Defense Command (SMDC)
Dominique Shelton, Alston & Bird, LLP
Sharon Anolik, Privacy Panacea
Shirley Inscoe, Aite Group
Uri Rivner, BioCatch
A small cross-section of our expert speaker community
2016 Summit Events at-a-glance

[Global Reach map: 2016 summit cities plotted by month, March through December; cities shown are Silicon Valley, Bangalore, Washington DC, Dubai, Mumbai, Boston, New York, Toronto, Singapore, Amsterdam, Delhi, London, Chicago and Miami, marked as 1.5-day or 2.5-day events]

NEW YORK: Fraud & Data Breach, August 2, 2016; Healthcare, October 18, 2016
TORONTO: Fraud & Data Breach, September 13, 2016
SILICON VALLEY: Fraud & Data Breach, March 22, 2016
CHICAGO: Fraud & Data Breach, November 8, 2016
WASHINGTON, DC: Government, May 17, 2016
BOSTON: Fraud & Data Breach, July 12, 2016
LONDON: Fraud & Data Breach, November 8, 2016
DUBAI: Fraud & Data Breach, early May
DELHI: Fraud & Data Breach, November
SINGAPORE: Fraud & Data Breach, September
MUMBAI: Fraud & Data Breach, June
BANGALORE: Fraud & Data Breach, March 16, 2016
AMSTERDAM: Fraud & Data Breach, September 27, 2016
Sessions
The New Wave of Fraud Analytics and AI
Fraud detection has long been a goal of big data analytics, but we’ve seen too many expensive deployment casualties along the way, leaving us with lakes of data and minimal successful fraud detection.

But today as data collection techniques develop and machine-learning capabilities are tuned to this use case, highly accurate data linkage and pattern detection solutions can be created to quickly identify fraudulent behavior amid the “noise” of authentic transactions.

Attend this session to learn how some forward-looking organizations are using advanced analytics tools to:
• Use the latest in multi-channel modeling and identification patterns technology to detect fraud;
• Pull actionable information from cognitive analysis and AI;
• Reduce the opportunity for cross-channel fraud;
• Cut response time between suspicious activity occurrence and detection;
• Take unstructured data and turn it into relevant information for decision-making and analysis.
Breach Response Planning: Hammer Out Your Legal, Business and Technology Differences Before a Breach
Every mature enterprise understands the necessity of maintaining a tested breach response plan. But it’s critical for the scope of that plan to go beyond technical operations, covering all interested parties, such as legal, finance and media relations, that may have greatly different priorities at crunch time.

Hear the perspectives of key stakeholders – the practitioners who represent legal, IT and business operations, and whose organizations have suffered severe data breaches. Learn from them:
• The roles each stakeholder plays in crafting and testing the plan;
• What changes when the breach is real and it’s time to put the plan in action;
• Lessons learned from their own breach experiences.
Data Breach Outlook: From Its Nation-State Roots to the Next Massive Attack
Born from nation-state espionage, hundreds of tools and services are now available for assembly into custom-built attack suites fit for almost any purpose and truly massive scale.

As these attacks are gaining momentum and sophistication, we need to adapt our defenses accordingly. To do that effectively, we must clearly understand how and why our enemy functions.

Therefore, in this session we will discuss:
• The current statistical scale and scope of targeted attacks;
• The threat actors executing these attacks and their motivations for doing so, including financial gain, personal identity information (PII) and terror;
• The types of valuable data and/or critical infrastructure they are now targeting;
• Existing vectors that remain vulnerable, as well as new points of vulnerability, such as APIs and mobile;
• Where resources should be focused to defend against these evolving threats.
FRAUD TRACK
New Account Fraud: Still a Model of Success
Account origination fraud remains one of the fastest growing threats today for organizations ranging from banks to government entities. According to Javelin Strategy & Research, this type of fraud has risen by 50 percent with $9.8 billion in losses – and the damage continues to grow. With account origination fraud so difficult to detect and with the stakes so high, this session will discuss:
• Strategies and technologies to gain a more accurate and holistic picture of account applicants and to respond in real-time to risk;
• The shortcomings of using device identification and log analysis to create a layered defense strategy;
• The latest on cloud-based solutions and behavioral analytics;
• Ways to integrate solutions with your internal and consumer-facing systems in order to more quickly assess risk and to identify inconsistencies.
DATA BREACH TRACK
Et Tu Brute? How Your Government Can Take You Down
After any significant breach, many parties, including customers, clients, business partners and government agencies, will demand clarity about the details of how the incident occurred and what data was exposed.

Increasingly, the Federal Trade Commission is aggressively investigating breaches to ensure that an organization is not negligent or reckless with private information. But some question whether the FTC is basing its decisions upon reliable information.

In this session we’ll take an in-depth look at the details of an investigation of a cancer screening service that led to a protracted legal battle, putting the service out of business.
FRAUD TRACK
Customer Endpoint Protection – Securing Transactions From Millions of Devices You Don’t Own
By allowing connections to multiple endpoint platform types, financial institutions are tasked with providing a secure transaction channel to a massive number of devices they don’t own and have limited control over. Meanwhile, cybercriminals develop new attacks targeted directly at this type of communication every day, with maturing multifunction malware such as Zeus already infecting millions of endpoints in the U.S. alone.

In this session, experts will discuss the latest in tools and strategies, including:
• The latest endpoint malware capabilities;
• How assuming that every endpoint may already be compromised, while still providing a secure channel to it, is a viable strategy;
• The latest fraud detection and prevention technologies;
• How enhanced authentication with biometrics, Device ID and behavioral analytics can be integrated.
DATA BREACH TRACK
The True Cost of Data Breaches: Not Just a Dollar Per Record
When an organization suffers a data breach, how can we quantify the total of all the associated costs?

The scope of costs goes way beyond a fixed dollar value per stolen record, extending to include legal fees, third-party forensic services, loss of reputation and defense improvements as well as state and federal penalties.

An entire complex, interconnected, multifaceted economy sprouts up in the wake of every significant data breach, each adding its own contribution to the total overall cost.

In this session we’ll hear a firsthand account of a business leader who has survived, overcome and thrived in the wake of such an experience.
FRAUD TRACK
Mobile: The Emerging Standard for Payments and the Next Target for Fraud
Mobile is quickly establishing itself as the payment channel of choice. More than 36 million Americans are forecast to conduct $27 billion in mobile transactions in the coming months. As users increasingly adopt new payments platforms, including Apple Pay and Samsung Pay, cybercriminals are devising new ways to compromise them, with new malware exploiting inter-application vulnerabilities or the devices themselves. And old protection mechanisms are no longer effective in combating this growing threat.

In this session we will discuss the latest mobile vulnerabilities and the mechanisms to secure them including:
• The inherent differences and weaknesses of the best-known mobile platforms;
• The latest in authentication tools and technologies, including biometrics, geo-location, Device ID and more, available for financial services providers and retailers to detect and counter fraud attempts in real time;
• The potential trade-offs between ease of use, functionality and security;
• Mobile Device Management solutions for onboarding and maintaining devices.
DATA BREACH TRACK
Reverse Engineering Intrusions and Infections: How Malware Can Educate Us About Our Adversaries
Although zero-day malware is relatively uncommon, most attacks do employ some form of purpose-built software to establish residency and “act” within our networks.

By deconstructing and analyzing this code, we can gain great clarity into exactly how our adversaries operate. We can use such clues as hard-coded command-and-control IP addresses, communication mechanisms and general toolset functionality to build a picture as to how an attack will be conducted.

These insights help us to detect the behavioral patterns of an attack, instead of relying on code signature-based detection, which has been proven to fail as a single line of defense.

In this session we’ll hear from a leading research lab about its methods in defeating attacks based on these observations.
FRAUD TRACK
Card-Not-Present: Fraud on the Move, Back to the Future, Again
As fraudsters switch focus back to card-not-present (CNP) schemes, research from the Aite Group indicates that such schemes will soon outpace card-present fraud in the U.S. by a three-to-one margin. Globally, payments provider ACI Worldwide saw a 30 percent increase in CNP fraud in the first half of 2015. In fact, ACI says that approximately 1.2 percent of all CNP transactions conducted between January 2015 and July 2015 were fraudulent.

While in-person payment technologies become increasingly sophisticated, CNP transactions still rely on decades-old security mechanisms that are relatively easy to defeat.

Attend this session, where we’ll discuss developments in CNP fraud detection and prevention via:
• Multifactor, multichannel authentication mechanisms being applied across both the endpoint and call-center channels;
• Real-time fraud monitoring systems and tools, such as the 3-D Secure messaging protocol;
• The use of behavioral analytics tools to review purchase and payment trends across multiple channels;
• Tokenization and what it can do to protect consumers and issuers.
DATA BREACH TRACK
Mass Identity Management: Our Collective Multipersona Disorder
We, and often our devices, each have multiple identities, gradually spreading into every facet of our lives while simultaneously increasing in accessibility and value. Employers and service providers, meanwhile, struggle to provision, manage, track and secure them, often on a massive scale.

While vendors focus on solutions for single sign-on, identity federation and application integrations, the National Strategy for Trusted Identities in Cyberspace (NSTIC) is emphasizing the importance of privacy, security, resiliency, interoperability and ease of use.

What are the immediate hurdles and opportunities for achieving these goals?

Join us in this session on the scope of identity sprawl and the leading mechanisms and techniques to ensure the safety of PII (Personally Identifiable Information).
FRAUD TRACK
Account Takeover: Where Does the Buck Stop?
Despite years of trying to figure out who is liable for corporate account takeover incidents, we are no closer to an answer. ISMG’s latest fraud research shows that incidents and resulting losses from account takeover have remained steady or grown for most institutions over the past five years.

While many of these incidents ended up being resolved out of court, before judges could rule on primary responsibility, the question remains: Who is liable? Is it the business whose credentials were stolen, or the institution that failed to spot and stop anomalous behavior?
Because of the significant pain and losses attached to account takeover fraud, financial institutions need to do more to avoid it in the first place. In this session, our legal and anti-fraud experts will discuss various account takeover prevention strategies, including:
• The distinction between fraud detection and prevention tools for account compromise and account takeover mitigation;
• The latest evolution of account takeover schemes;
• Recent case law on account takeover liability;
• Powerful new tools that help organizations detect anomalous transactions and stop them before damage is done.
DATA BREACH TRACK
APIs: The Unmanned and Ever Expanding Threat Interface
Recent attacks at Snapchat, Yahoo and Tesla clearly show the vulnerabilities of poorly implemented and protected APIs.

Almost every new cloud, partner, mobile or IoT service relies on an API for automated configuration and use. The proliferation of these app-to-app communications for payments, data exchange and messaging is drastically expanding the enterprise threat map, while bypassing all but the most rudimentary security measures.

When compromised by an attacker, these interfaces provide connectivity directly into a mesh of “unmanned” inter-app channels that are rarely inspected for suspicious behavior.

In this session we’ll describe the extent to which this vulnerability is exploited and the best practices for securing it.
FRAUD TRACK
Biometrics: From Fingerprints to Heart Beats, from iTunes to Missiles
Biometrics offer many of the sought-after characteristics of authentication perfection. They provide highly complex patterns that are unique and are impossible to forget or leave at home. Whether paying for coffee with a heartbeat or accessing a laboratory with an iris, the potential use cases are limitless.

There are, however, significant challenges to implementing biometric-based solutions, such as the initial recording and registration process, protecting the privacy of individuals and any stored or transmitted identifying information. Maintaining the security and confidentiality of that information from theft and abuse also is critical because there is no form to fill out to replace it.

In this session we’ll review some of the latest advances in biometrics for both “whitelist” applications, such as granting access to sensitive information or funds, and “blacklist” applications, such as identifying fraudsters’ voices at call centers, as well as the most significant considerations for their secure deployment.
DATA BREACH TRACK
Internet of Everything: Please Don’t Connect It First and Secure It Later
The number of IoT devices will proliferate to over one trillion in the next few years, but any device that can communicate with another potentially can provide a direct conduit from the public Internet to some very private and valuable information.

In our rush to connect everything together, secure connectivity and information handling is frequently an afterthought, if ever even a thought at all.

Is it possible to instill sound SDL (security development lifecycle) practices into device manufacturers? Practices are improving, with more refinements on the way. But hope, as they say, is not a strategy.

An alternative to waiting for built-in security to gestate is to bolt it on. Several gatekeeper onboarding solutions exist for brokering the relationship between enterprise and device, limiting connectivity in controlled phases, and managing patch levels, authorization and connectivity to within acceptable limits.

Join us as we attempt to help you say: “Yes, you can connect now. We’ve got this covered.”
FRAUD TRACK
Knowledge-Based Authentication is Dead; We Need a New, Multidimensional Approach
Until we get to a stage where we can guarantee the confidentiality of static identity reference data, such as names, addresses, emails and favorite cat colors, we must move away from relying on it for authentication.

Truly massive amounts of this information are stolen on a regular basis, proving we are far from achieving its confidentiality. Moreover, it is a straightforward process to use this data to steal, or at least borrow, someone’s identity.

There is, however, a wealth of dynamic, behavioral, reputational and association-type information that can add many organic dimensions to identity verification data, making it far more difficult to compromise than static, “flat” reference fields.

In this session, we will describe a layered approach to building a multidimensional reference model of every individual that adapts to changes in the environment, and “prove” that they are who they say they are.
DATA BREACH TRACK
Ransomware: You Can Have Your Business Back, But for a Fee
Digital hostage taking has become a highly profitable opportunity for cyber criminals. Strategic, enterprise-focused attackers use ransomware (which can be purchased from Ransomware-as-a-Service providers on the Dark Web) for a variety of reasons, including hacktivism, nation-state revenge or financial gain.

Ransomware has become popular with threat actors because the methodology is quite simple. It encrypts your systems and then tells you that if you want to recover your information, you must pay a certain amount for the decryption key. And if you don’t pay? You risk losing months, even years of your organization’s critical information.

In this session we’ll discuss the scope of this threat, steps you can take to minimize your risk of being victimized by ransomware attacks and steps you can take to recover your data should you fall victim to this type of attack.
FRAUD TRACK
Federal Reserve Initiative: Faster Payments from End-to-End
As we discuss ways to ensure faster payments security, we must make sure we include newer payments providers, such as Apple Pay and Square, that aren’t associated with banks and are, for the most part, unregulated.

Federal Reserve experts say that it’s no longer enough to focus on bank-to-bank payments as they have historically. Now they are focusing on transactions from an end-to-end perspective – from the point at which the consumer makes a payment through the various financial institutions and payments providers all the way to the commercial side.

In this interactive session, a Federal Reserve Payments executive discusses how the Fed is expanding its payments focus beyond the services it provides today to merchants and banking institutions, including:
• The types of financial fraud that are of greatest concern;
• The importance of a variety of stakeholders within the payments industry playing a role in crafting a faster payment strategy;
• The Federal Reserve’s payments industry roadmap.
DATA BREACH TRACK
Breach Disclosure: The Media’s Role
Sometimes breach disclosure is mandated by a regulator. Occasionally, it comes from a CEO who wants to control the news. But often it’s an enterprising journalist who pulls together and validates disparate facts, then breaks the news about the latest breach – often against the wishes of the breached entity.

Their backgrounds are varied, but their methods are common: to sift through tips, trends, incidents, studies and commentary to determine fact from fiction or even PR spin. Sometimes the information comes from official sources. Often it’s from sources of questionable repute in the Dark Web. It’s the journalists’ responsibility to treat these leads with equal parts caution and respect, and then to stand solidly behind what they publish.
Listen to a panel of well-known journalists discuss their evolving roles.
What are some of their reporting techniques? How do they decide
what is or is not a story? How can you work more effectively with them
when your organization is the one in the news?
FRAUD TRACK
Fraud Protection and User Friction: Online Experience vs. Risk Management
Customers have put financial institutions and retailers in a sort of
pickle. On the one hand, customers expect their transactions to be
secure, yet they also demand a frictionless online experience.
How do banks and retailers negotiate the seeming chasm between
a delightful online experience and one that protects against
fraudulent activity? They do have a plethora of technology options
for increasingly sophisticated fraud detection. Should these solutions
hinder customers’ ability to make an easy transaction, however, they
will abandon it, leading to frustrated customers and lost business.
Getting the right balance between online experience and fraud
protection is key. In this session, you will gain insight into the ways to
provide protection and enhance the customer experience, including:
• The latest ways to instill risk mitigation while also implementing a
strategy of increasing customer satisfaction;
• Building a unified approach to fraud prevention across all lines of
business;
• The technology advances that place an emphasis on prevention
rather than breach and after-the-fact detection.
DATA BREACH TRACK
International Breach Disclosure: Navigating A New Legal World of Complexity
Following two years of headline breaches at the likes of Target,
JPMorgan Chase, Sony, Anthem and OPM, the U.S. Congress is finally
poised to at least discuss enactment of a national breach disclosure law
superseding all of the individual state regulations.
But that’s just one nation.
Around the world, governments such as the European Union have
either developed or even refined their own breach notification laws or
are in the process of drafting one.
If your organization conducts business in these countries, and/or
stores information on these nations’ citizens, then pay close attention
to the vast array of existing and pending international breach
regulations. Because when your organization is breached, you will be
held accountable to these laws.
You don’t want to take a crash course in international breach
legislation after your organization has been breached. Instead, take
time now to query a panel of litigators who focus solely on data
breach, theft of intellectual property and privacy-related topics. Learn:
• How international breach disclosure regulations are shaping up
in 2016;
• Lessons learned from case law involving breached entities that
have run afoul of the law;
• How to tailor your own breach disclosure plan to meet the most
exacting of international standards.
FRAUD TRACK
The Blockchain: A New Hypersecure Fabric for Any Transaction?
Although developed to support the infamous Bitcoin, the blockchain
mechanism is proving to have a multitude of use cases, from IoT micro
payments to capital market trading, retail banking and even voting.
The blockchain, in effect, is a distributed ledger, shared with hundreds
of thousands of automated auditors that verify the authenticity of
every transaction, drastically reducing, if not completely eliminating,
fraudulent entries.
Many current transaction mechanisms are vulnerable to fraud. In this
session we’ll walk through the potential impact of broader blockchain
deployment.
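As an added illustration of the "distributed ledger verified by many auditors" idea described above (example code written for this page, not anything from ISMG or any blockchain project; all transactions are constructed), the following builds a minimal hash-chained ledger and shows two things: a change to a historical entry breaks the links that follow it, and a forger who rewrites all later links in a private copy still ends up with a tip hash that disagrees with every other auditor's copy.

```python
"""Minimal hash-chained, append-only ledger.

Added example with constructed transactions. Every entry commits to the
hash of the entry before it, so altering a historical transaction breaks
every later link; any auditor holding a copy can re-run verify_chain() and
compare the tip hash with other copies to detect a rewritten history.
"""
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64


def entry_hash(entry):
    """SHA-256 over the canonical JSON of the committed fields."""
    payload = json.dumps({k: entry[k] for k in ("index", "prev_hash", "tx")},
                         sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append(ledger, tx):
    """Append a transaction, linking it to the current tip."""
    entry = {"index": len(ledger),
             "prev_hash": ledger[-1]["hash"] if ledger else GENESIS_PREV,
             "tx": tx}
    entry["hash"] = entry_hash(entry)
    ledger.append(entry)
    return entry


def verify_chain(ledger):
    """Return (True, None) if every link holds, else (False, first bad index)."""
    prev = GENESIS_PREV
    for i, entry in enumerate(ledger):
        if (entry["index"] != i or entry["prev_hash"] != prev
                or entry_hash(entry) != entry["hash"]):
            return False, i
        prev = entry["hash"]
    return True, None


def tips_agree(ledger_a, ledger_b):
    """Two honest auditors holding the same history share the same tip hash."""
    return ledger_a[-1]["hash"] == ledger_b[-1]["hash"]


def build_sample_ledger():
    """Constructed sample history of three transfers."""
    ledger = []
    append(ledger, {"from": "alice", "to": "bob", "amount": 50})
    append(ledger, {"from": "bob", "to": "carol", "amount": 20})
    append(ledger, {"from": "carol", "to": "alice", "amount": 5})
    return ledger


def tamper(ledger, index, new_amount, reforge=False):
    """Alter one transaction in a private copy. With reforge=True the copy's
    later links are recomputed too, so it passes verify_chain() on its own
    but its tip no longer matches the copies held by other auditors."""
    forged = copy.deepcopy(ledger)
    forged[index]["tx"]["amount"] = new_amount
    if reforge:
        for i in range(index, len(forged)):
            forged[i]["prev_hash"] = forged[i - 1]["hash"] if i else GENESIS_PREV
            forged[i]["hash"] = entry_hash(forged[i])
    return forged


if __name__ == "__main__":
    honest = build_sample_ledger()
    print("honest copy:", verify_chain(honest))
    print("one entry changed:", verify_chain(tamper(honest, 1, 999)))
    rewritten = tamper(honest, 1, 999, reforge=True)
    print("fully rewritten copy:", verify_chain(rewritten),
          "agrees with auditors:", tips_agree(rewritten, honest))
```

The point the session abstract makes about "hundreds of thousands of automated auditors" is the last case: local verification alone cannot catch a consistently rewritten copy, so the fraud-reducing property comes from comparing tips across many independent copies, not from the hash chain by itself.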
DATA BREACH TRACK
Role-Based Behavior Analytics: Patterns and Anomalies in User Behavior as Indicators of Attack
A monumental challenge for security teams is distinguishing between
legitimate user behavior and an attacker using valid credentials. New
machine-learning applications are emerging to distinguish between
the two. These new applications can analyze seemingly endless
activity and events from various classes of users, apps and devices.
Moreover, they can blend this information with contextual reference
points, such as geolocation, device type and time of day, so that
distinctly normal patterns of activity emerge, and anomalies begin
to stand out. These anomalies can be further compared with known
malicious activity patterns, and once a match is found, may then be
reclassified as an active indicator of attack.
In this session we will lay out the various models used for behavior
pattern analysis and demonstrate how this may be integrated into a
real-world SOC.
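To make the approach in this abstract concrete, here is an added example (written for this page, not code from ISMG or any vendor named here; every user, role and event is constructed) of the baseline-then-compare pipeline it describes: a per-user and per-role profile of contextual reference points (country, device type, time-of-day bucket) is built from a training window, each new event is scored by how many of those points it has never shown, and the anomalies are then matched against two known malicious patterns, "impossible travel" and "new country plus new device plus unusual hour", which promote an anomaly to an indicator of attack.

```python
"""Role-based behaviour analytics over authentication events.

Added example with constructed data. It builds a per-user and per-role
baseline of contextual reference points (country, device type, time of
day), scores new events by how many of those points fall outside the
baseline, and then compares the anomalies with two known malicious
activity patterns so a matching anomaly is promoted to an indicator of
attack.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed training window: (user, role, timestamp, country, device)
TRAINING = [
    ("alice", "finance", "2016-03-01T09:05", "US", "laptop"),
    ("alice", "finance", "2016-03-02T08:55", "US", "laptop"),
    ("alice", "finance", "2016-03-03T10:20", "US", "laptop"),
    ("alice", "finance", "2016-03-04T17:40", "US", "phone"),
    ("carol", "finance", "2016-03-02T09:00", "GB", "laptop"),
    ("bob", "admin", "2016-03-01T22:10", "US", "laptop"),
    ("bob", "admin", "2016-03-02T23:30", "US", "laptop"),
    ("bob", "admin", "2016-03-03T21:45", "DE", "laptop"),
]

# Constructed events to score, in chronological order.
NEW_EVENTS = [
    ("alice", "finance", "2016-03-07T03:12", "RU", "desktop"),  # night, new country, new device
    ("alice", "finance", "2016-03-07T09:10", "US", "laptop"),   # normal for alice
    ("bob", "admin", "2016-03-07T22:00", "DE", "laptop"),       # normal for bob
    ("bob", "admin", "2016-03-07T22:30", "BR", "laptop"),       # 30 minutes later, another country
    ("alice", "finance", "2016-03-08T09:30", "GB", "laptop"),   # new for alice, normal for finance
]


def hour_bucket(ts):
    """Coarse time-of-day bucket so the baseline tolerates small shifts."""
    hour = datetime.fromisoformat(ts).hour
    return "night" if hour < 6 else "day" if hour < 18 else "evening"


def build_baselines(events):
    """Sets of context values seen per user and per role."""
    users = defaultdict(lambda: defaultdict(set))
    roles = defaultdict(lambda: defaultdict(set))
    for user, role, ts, country, device in events:
        for profile in (users[user], roles[role]):
            profile["country"].add(country)
            profile["device"].add(device)
            profile["hour"].add(hour_bucket(ts))
    return users, roles


def unseen_features(event, users, roles):
    """Context values the user has never shown: weight 1.0, or 0.5 when the
    value is at least normal for the user's role."""
    user, role, ts, country, device = event
    observed = {"country": country, "device": device, "hour": hour_bucket(ts)}
    unseen = {}
    for feature, value in observed.items():
        if value not in users[user][feature]:
            unseen[feature] = 0.5 if value in roles[role][feature] else 1.0
    return unseen


def score_events(new_events, users, roles):
    """Score each event and match anomalies against known patterns."""
    results = []
    last_seen = {}  # user -> (timestamp, country), for the travel check
    for event in new_events:
        user, role, ts, country, device = event
        unseen = unseen_features(event, users, roles)
        when = datetime.fromisoformat(ts)
        prev = last_seen.get(user)
        indicator = None
        # Known pattern 1: the same account in two countries within an hour.
        if prev and prev[1] != country and abs(when - prev[0]) < timedelta(hours=1):
            indicator = "impossible-travel"
        # Known pattern 2: new country, new device and unusual hour at once.
        elif {"country", "device", "hour"} <= set(unseen):
            indicator = "credential-misuse"
        last_seen[user] = (when, country)
        results.append({"user": user, "score": sum(unseen.values()),
                        "unseen": unseen, "indicator": indicator})
    return results


if __name__ == "__main__":
    for result in score_events(NEW_EVENTS, *build_baselines(TRAINING)):
        print(result)
```

The role profile is what keeps the last event (alice logging in from GB, where a finance colleague routinely works) at a low score rather than a full alert; in a SOC the score would set the alert priority while the matched pattern, not the raw score, is what gets escalated as an indicator of attack.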
If Data Has No Value, Its Theft is Pointless
Payment transactions often provide a treasure trove of valuable,
usable data for thieves. But if that data has no value, it becomes
useless and will eventually no longer be a target for theft in the first
place.
Because the theft of this data is so widespread today, we need
to start this devaluation cycle immediately and make sure data
becomes useless for the purposes of fraud. To that end, it needs to
be unreadable, which we can achieve with encryption, invalidated by
replacing it with a representative token – or preferably both.
When these mechanisms are layered upon other technologies such
as EMV, transaction and data security increases by many orders of
magnitude. In this session we’ll discuss the benefits and pitfalls of
their interaction, security and deployment.
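The devaluation argument above, as an added worked example (written for this page, not ISMG's or any vendor's code; the card numbers are standard test numbers and the vault key is a constructed placeholder): the merchant keeps only a token that preserves the last four digits for display but deliberately fails the Luhn check, so nothing in a dumped orders table is a usable card number, while the vault's lookup index stores a keyed hash of the PAN rather than the PAN itself. Encryption of the vault contents at rest, the other half of the layered approach the abstract mentions, is noted in a comment rather than implemented, since the point here is tokenization.

```python
"""Vault-based tokenization of payment card numbers.

Added example with constructed data. The merchant system stores only the
token; the real PAN lives in a separate vault. Tokens keep the last four
digits for customer display, fail the Luhn check so they can never pass as
a real card number, and the vault's lookup index holds an HMAC of the PAN
rather than the PAN.
"""
import hashlib
import hmac
import secrets


def luhn_ok(number: str) -> bool:
    """Luhn check used by card networks; tokens are generated to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class TokenVault:
    """Stands in for a separate vault service the merchant never dumps."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._by_token = {}    # token -> PAN (a real vault encrypts these at rest)
        self._by_pan_mac = {}  # HMAC(PAN) -> token, so the index stores no PANs

    def _mac(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        mac = self._mac(pan)
        if mac in self._by_pan_mac:
            return self._by_pan_mac[mac]  # same PAN always yields the same token
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Rejecting Luhn-valid candidates also guarantees token != pan.
            if not luhn_ok(token) and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan_mac[mac] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; merchants never call this."""
        return self._by_token[token]


def merchant_checkout(vault: TokenVault, orders):
    """Merchant-side flow: swap the PAN for a token before storing the order."""
    stored = []
    for order_id, pan, amount in orders:
        stored.append({"order": order_id, "card": vault.tokenize(pan), "amount": amount})
    return stored


def usable_card_numbers(records):
    """What a thief who dumps the merchant's orders table could actually use."""
    return [r["card"] for r in records if luhn_ok(r["card"])]


if __name__ == "__main__":
    vault = TokenVault(b"constructed-index-key")
    # Constructed orders using publicly known test card numbers.
    orders = [("o1", "4111111111111111", 10), ("o2", "4111111111111111", 20),
              ("o3", "5500000000000004", 5)]
    stored = merchant_checkout(vault, orders)
    print(stored)
    print("usable numbers in the dump:", usable_card_numbers(stored))
```

Because the same PAN maps to the same token, the merchant can still do repeat-customer and refund matching on the token alone, which is the property that lets the devaluation happen without breaking business processes.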
“This was an excellent
event, with clear and
insightful presentations.
The format worked
extremely well and I went
away feeling it had been
very worthwhile.”
Venue
Hilton Financial District
This San Francisco hotel’s incredible
downtown location puts you in the
center of the city, within walking
distance to numerous attractions.
Discover shopping at Union Square,
dining in North Beach, culture
in Chinatown and family fun at
Fisherman’s Wharf, and the perfect
location for ISMG’s Fraud and Breach
Prevention Summit.
Address
Hilton Financial District
750 Kearny Street
San Francisco, CA 94108
Contact
+1-415-433-6600
Global Event Sponsors
Cyber Extortion: Fighting DDoS Attacks
How to Defend Against the Surge in Shakedowns
by Mathew Schwartz, Executive Editor, ISMG
CONTENT HIGHLIGHT
Cyber-extortion attacks are on the rise for one
reason: The lure of easy money.
Such attacks often unfold in this way:
Attackers disrupt a site for a short period
with a distributed denial-of-service attack,
send a ransom note threatening further
disruption, and if the ransom doesn’t get paid,
sometimes make good on that threat.
An increasing number of attack groups have
been waging DDoS extortion campaigns
globally, often targeting multiple organizations
in any given sector at once before moving on
to a new sector and starting afresh.
“We have seen a lot of activity in relation
to the ‘DDoS as an extortion’ technique
being used by groups such as the Armada
Collective and also DD4BC,” says Brian
Honan, a Dublin-based information security
consultant who heads Ireland’s computer
emergency response team. DD4BC is short
for “DDoS for Bitcoin,” an extortion racket that
first emerged in July 2014.
Law enforcement agencies continue to
track and sometimes arrest suspected
DDoS extortionists, despite their use of
bitcoins to try to disguise their identity (see
How Do We Catch Cybercrime Kingpins?).
Earlier this month, for example, the EU’s law
enforcement intelligence agency, Europol,
announced that it helped coordinate an
operation that identified “key members of the
organized network” behind DD4BC, located
in Bosnia and Herzegovina, after which both
a “main target” as well as another suspect
were arrested there. But authorities haven’t
released any further details (see Europol
Announces DD4BC Arrests).
It’s unclear just how widespread DDoS
extortion attacks are, says Honan, who’s
also a cybersecurity adviser to Europol. “I
have no sense how many [ransom notes]
are being sent,” he says. “One industry
we have seen as being victims are online
service providers such as email and hosting
providers, e.g. Protonmail in Switzerland,”
Honan says. Protonmail is a Geneva-based
encrypted email service provider that paid 15
bitcoins (about $6,000) this past November to
extortionists, only to have its site get knocked
offline anyway. And banking sector experts
say that financial services firms are among the
most-targeted organizations too.
Extortion Comes in Multiple Forms
Roland Dobbins, a principal engineer at DDoS
defense firm Arbor Networks, notes that
attackers typically employ DDoS extortions
for one of three reasons:
• Profit: Criminals are looking for easy
bitcoins.
• Ideology: Many attacks, Dobbins
says, are ideologically motivated, with
attackers “trying to force the targeted
organization to stop doing something
the attackers find objectionable, or start
doing something the attackers find
desirable.”
• Bickering: Some DDoS extortions are
what he refers to as “intra-miscreant,”
such as rival fraudsters demanding each
others’ credit card dumps.
Dobbins says a ransom demand can range
anywhere from 1 to 100 bitcoins (worth about
$400 to $40,000). In some cases, victims who
have paid the ransom then receive repeat,
increasing ransom demands from the same
extortion gang.
A History of Online Extortion
Using online channels and the threat of
disruption to extort victims isn’t new. In fact,
DDoS extortion attacks date back to the
late 1980s, Dobbins says, when “warez”
gangs - referring to illegal copies of software
- regularly shut down each other’s IRC
channels over petty disputes.
By the mid-1990s, the first packet-flooding
attacks against websites appeared as
attackers threatened further disruption
unless victims paid a ransom via wire transfer,
Dobbins says. By the late 1990s, attackers
focused on niche sites that were least likely
to appeal to authorities, such as online
gambling and adult entertainment sites. And
that continues to an extent today, with attacks
against encrypted email service providers,
bitcoin miners, cryptocurrency exchanges and
even banks, he says.
After temporarily waning, cyberextortion
attacks have surged in recent years, Honan
says, especially those targeting organizations
in the U.S. and Europe. In November 2015, for
example, three Greek banks reported multiple
website disruptions after they refused to
accede to extortionists’ bitcoin demands (see
Greek Banks Face DDoS Shakedown).
Responding to DDoS Extortion: 8 Steps
With the threat of DDoS extortion attacks on
the rise, here are eight steps that security
experts recommend organizations pursue to
defend themselves against related threats
and attacks:
• React: Take any extortion threat
seriously. Immediately “spin up” an
incident response team to manage your
organization’s response to any such
attacks or threats.
• Defend: Review DDoS defenses to
ensure they can handle attackers’
threatened load, and, if necessary,
contract with, subscribe to or buy an anti-
DDoS service or tool.
• Alert: Warn the organization’s data
centers and ISPs about the threatened
attack, which they may also be able to
help mitigate.
• Report: Tell law enforcement agencies
about the threat - even if attackers do not
follow through - so they can amass better
intelligence to pursue the culprits.
• Withhold: Never pay attackers, which
encourages repeat - and copycat -
attacks.
• Fallback: If an attack occurs, for its
duration, redirect website users to a
previously unrevealed and pre-prepared
backup site, or else to a ready-made
microsite.
• Review: Continually review and update
business continuity plans to prepare for
any disruption in order to minimize the
impact to the organization’s operations.
• Monitor: Consider implementing some
type of threat-intelligence capability to
track these types of threats.
Paying Ransoms Doesn’t Pay
Regardless of who’s behind any online
extortion attempt - or their motivation -
experts’ advice for dealing with such threats
is clear: “Don’t pay the ransom,” Honan says.
“Anyone we’ve seen or dealt with that has not
paid the ransom, all of them have not had a
subsequent DDoS afterwards.”
By contrast, Arbor’s Dobbins says some
organizations that have paid ransoms have
been subjected to repeat disruptions and
increasing ransom demands. For example,
Protonmail in Switzerland reported that after
its website was knocked offline for about 15
minutes and it received a ransom notice, it
“grudgingly agreed” to pay the ransom after
being pressured by its ISP to do so.
But ProtonMail then got hammered by a
second, much larger DDoS attack anyway,
although officials say no related ransom
note was ever received. The attack not only
knocked ProtonMail offline, but also disrupted
its ISP’s data center and hundreds of its other
downstream customers. “We hoped that by
paying, we could spare the other companies
impacted by the attack against us, but the
attacks continued nevertheless,” ProtonMail
said in a blog post. “This was clearly a wrong
decision.”
Security experts say the right decision for
DDoS ransom-demand victims is to work
with law enforcement authorities. “The
recent [anti-DD4BC] operation and arrests
are a good example of why talking to law
enforcement is a good thing,” Honan says.
“All that information gets shared with Europol,
who then can analyze it and depending
on the results of that analysis set up an
operation.”
But the importance of preparation - including
maintaining logs to understand what normal
network-traffic volumes look like, keeping
all Internet-facing systems fully patched and
working with your ISP and DDoS mitigation
services - cannot be overemphasized,
according to the U.K.’s computer emergency
response team (see The CISO’s Role in
Fighting Extortion).
“As part of normal security measures, liaise
with your ISP or Internet hosting provider so
they can be ready to provide traffic filtering,
IP blocking and additional bandwidth to
help mitigate any disruption,” a CERT-UK
spokesman tells Information Security Media
Group. “In attacks seen so far, upstream
filtering of specific protocols appears to have
been reasonably effective.”
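The preparation point above, knowing what normal traffic volume looks like before an extortion note arrives, as an added example (written for this page, not ISMG's or CERT-UK's code; the access-log lines and addresses are constructed): it aggregates requests per minute from Apache-style log lines, fits a mean and standard deviation over a quiet training window, flags any minute that exceeds that baseline by a chosen number of standard deviations (with an absolute floor so a tiny baseline cannot alert on noise), and reports the top source addresses in each flagged minute so the request to the ISP for filtering can be specific.

```python
"""Traffic-volume baseline and surge detection from web access logs.

Added example with constructed log lines. Parses Apache-style access
logs into per-minute request counts per source address, fits a baseline
on a quiet training window and flags minutes that exceed
mean + sigma * stddev (never below an absolute floor).
"""
import re
import statistics
from collections import Counter, defaultdict

# Source address, then "ident user", then the [timestamp] down to minutes.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [+-]\d{4}\]')

TRAINING_MINUTES = [f"22/Mar/2016:10:0{m}" for m in range(5)]


def build_sample_log():
    """Constructed access log: five quiet minutes, then one flooded minute."""
    lines = []
    quiet = ["203.0.113.5", "198.51.100.7", "192.0.2.9"]
    for minute in range(5):
        for i in range(4 + minute % 2):  # 4 or 5 requests per quiet minute
            ip = quiet[i % len(quiet)]
            lines.append(f'{ip} - - [22/Mar/2016:10:0{minute}:15 +0000] '
                         f'"GET / HTTP/1.1" 200 512')
    flood = ["192.0.2.44", "192.0.2.45"]
    for i in range(120):  # 120 requests in one minute from two sources
        ip = flood[i % 2]
        lines.append(f'{ip} - - [22/Mar/2016:10:05:{i % 60:02d} +0000] '
                     f'"GET /login HTTP/1.1" 503 0')
    return lines


def parse_minute_counts(lines):
    """minute -> Counter(source address -> requests)."""
    per_minute = defaultdict(Counter)
    for line in lines:
        match = LOG_RE.match(line)
        if match:
            per_minute[match.group(2)][match.group(1)] += 1
    return per_minute


def fit_baseline(per_minute, training_minutes):
    """Mean and population standard deviation of requests per minute."""
    counts = [sum(per_minute[m].values()) for m in training_minutes]
    return statistics.mean(counts), statistics.pstdev(counts)


def detect_surges(per_minute, baseline, sigma=3.0, floor=10):
    """Flag minutes above the baseline; include top sources for filtering."""
    mean, sd = baseline
    threshold = max(floor, mean + sigma * sd)
    alerts = []
    for minute in sorted(per_minute):
        total = sum(per_minute[minute].values())
        if total > threshold:
            alerts.append({"minute": minute, "requests": total,
                           "threshold": threshold,
                           "top_sources": per_minute[minute].most_common(3)})
    return alerts


def run_detection():
    """End-to-end run over the constructed log."""
    per_minute = parse_minute_counts(build_sample_log())
    baseline = fit_baseline(per_minute, TRAINING_MINUTES)
    return detect_surges(per_minute, baseline)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

A real deployment would fit the baseline per hour-of-day and day-of-week rather than over five minutes, and would feed the flagged minute and its top sources to the incident response team spun up in the "React" step above.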
902 Carnegie Center • Princeton, NJ • 08540 • www.ismgcorp.com
www.ismgcorp.com/events
Fraud and Breach Prevention Summit 2016