
Cyber Security Seminar - 2014

Presenter: Tim Lenhoff, Chief Technology Officer


Agenda

 Introductions and Logistics


 How Safe Are You?
 A Year in Review
 Cyber Security - 2014
 Top 10 Cyber Attack Methods
 Security Counter Measures
 Columbia Bank - Managing Risk

How Safe Are You?
Data Breaches by Sector in 2012-2013

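[Pie chart: share of data breaches by sector. Sectors in legend order: Healthcare, Education, Government, Accounting, Computer Software, Financial, Information Technology, Telecom, Computer Hardware, Community/Non Profit. Slice labels: 36%, 16%, 13%, 9%, 6%, 6%, 5%, 4%, 3%, 3%.]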
Source: Symantec Internet Security Threat Report April 2013
How Safe Are You?

Adobe Systems (Photo Shop and Acrobat products)


On October 3, 2013, Adobe faced two attacks from cyber
criminals who stole credit card data of 2.9 million customers.
Its security team had discovered the sophisticated attacks
involving illegal access of customer information and source
code of many Adobe products.
After further investigation, it was confirmed that the
attackers obtained access to Adobe IDs and what were at the
time valid, encrypted passwords for approximately 38
million active users.

How Safe Are You?
Facebook, Gmail and Twitter Breach
In November 2013, hackers stole usernames and
passwords for nearly two million accounts at
Facebook, Google, Twitter, Yahoo and ADP.
The massive data breach was a result of key logging
software maliciously installed on an untold number of
computers around the world. The virus captured log-in
credentials for key websites and sent those
usernames and passwords to a server controlled by the
hackers. Approximate numbers of accounts:
• 318,000 Facebook
• 70,000 Gmail, Google+ and YouTube
• 60,000 Yahoo
• 22,000 Twitter
• 8,000 ADP
• 8,000 LinkedIn
How Safe Are You?
Target Data Breach
December 2013, credit and debit card information of as many
as 70 million customers was compromised over three weeks
of the holiday shopping season, one of the largest breaches
ever of American consumer data.
Target said that the information compromised included
customer names, card numbers, expiration dates and the
short verification codes known as CVVs.
It is believed that hackers broke into the retailer's network
using login credentials stolen from a heating, ventilation and
air conditioning company that does work for Target at a
number of locations.
How Safe Are You?
Blue Cross Blue Shield Breach
December 2013, a pair of laptops containing
unencrypted patient data was stolen from Horizon
Blue Cross Blue Shield of New Jersey’s Newark
headquarters. The Apple MacBook Pros held
information from almost 840,000 Horizon BCBSNJ
members.
It is believed that the laptops, which were cable-
locked to workstations, contained information
including names, addresses, dates of birth, clinical
information, and Social Security numbers.

How Safe Are You?
NSA Surveillance Program Breach
Edward Snowden, the high-profile Booz Allen government
contractor, received widespread headlines for releasing
data on the National Security Agency's surveillance
program as part of its counterterrorism activities.
This security breach is an example of the internal threats
posed to organizations.
Snowden was with Booz Allen for only three months,
assigned to a team in Hawaii. Snowden had access to
top-secret data and over time used a thumb drive to take
thousands of confidential documents, damaging to the
NSA.
A Year in Review

The Cost of Cyber Crime Services
Service for Sale | Cost of Service
Trojan for bank account stealing | $1,300
Trojan for web page data replacement in a browser | $850
Hiring a DDoS attack | $30 - $70/day, $1,200 / month
Email Spamming | $10 / 1 million emails
Email Spamming using customer database | $50 - $500 / 50,000 – 1 mil
SMS Spamming | $3 - $150 / 100-10,000 texts
Windows Rootkit | $292
Ransomware | $8 - $20
Fake Websites | $5 - $50
Zeus source code | $200 - $500
Hacking Facebook or Twitter account | $130
Hacking Gmail account | $162
Hacking corporate mailbox | $500
*Source: TrendMicro Research paper 2012 – Russian Underground 101
A Year in Review
Information Exposed in Breaches in 2013

70% Real Names

40% Social Security Numbers

40% Birth Dates

36% Home Address

31% Medical Records

*Source: Symantec Internet Security Threat Report – December 2013
A Year in Review
Top 5 Social Media Attacks, 2013
• 81% Fake Offering – Invites users to join a fake event or group with incentives such as free gift cards. Joining often requires users to share credentials or send a text to a premium rate number.
• 7% Likejacking – Using fake “Like” buttons to install malware.
• 6% Fake Plug-in Scams – Tricked into downloading fake browser extensions on their machines.
• 2% Fake Apps – Applications provided by attackers that appear to be legitimate apps; however, they contain a malicious payload. The attackers often take legitimate apps, bundle malware with them, and then re-release it as a free version of the app.
• 2% Manual Sharing – Rely on victims to share videos, fake offers or messages they share with their friends.
*Source: Symantec Internet Security Threat Report – December 2013
Cyber Security - 2014

Priorities and Concerns for 2014
• Social Media Will Continue to Grow
  • As they go mobile and add payment mechanisms, they will attract even more attention from online criminals with malware, phishing, spam and scams.
  • Criminals will target teenagers, young adults and other people who may be less guarded about their personal data and insufficiently security-minded to protect their devices and avoid scams.

• Websites Will Become More Difficult to Manage / Navigate
  • Criminals will increasingly infect websites with malware and attack kits. Software vendors will come under pressure to “fix” vulnerabilities more quickly.
  • Users and companies that employ them will need to become more proactive about maintaining privacy and security.

• Growing Risk of Unpatched Systems
  • As of April 8, 2014, no new security patches are available for Windows XP and Office 2003, making home computer systems and specialized markets such as point of sale and medical equipment extremely vulnerable ... Heartbleed ...
Cyber Security - 2014
Priorities and Concerns for 2014
• Phishing
  • Identities are valuable. Phishing attacks will continue to get smarter and more sophisticated.
  • Phishing will become more regional and specific.
  • Social media websites and trusted messaging platforms will become bigger targets.

• Managing Mobile Malware
  • Mobile phones and tablets are becoming the new hardware platform. Prepare for ransomware and website infections on these new devices.
  • Consider this security risk when allowing employees to bring their own devices into the workplace.

Anatomy of a Hacked Mobile Device:
How a hacker can profit from your smartphone

Top 10 Cyber Attack Methods

1. E-mail Attachments
• Common method of distribution of malicious code.
• E-mail is inherently insecure.
• The source of an e-mail address can be easily spoofed as someone that you trust.
• Avoid using attachments as a means to exchange files. Instead, use a third-party file exchange system.

2. Portable Media
• Any device that can store information: CD, DVD, HD-DVD, Blu-Ray, etc., tapes, external hard drives, USB drives, and memory cards.
• Any storage device can support both benign and malicious content.
• Be cautious about connecting devices to your system.

Top 10 Cyber Attack Methods

3. Malicious Web Sites
• The primary tool used to interact with the Internet.
• Any site can be the victim of an attack.
• Always be cautious about following Web links to domain names you don’t generally recognize.

4. Downloading Files
• Files also include plug-ins, movies, audio files, etc., as well as mobile code, such as ActiveX, Java, JavaScript, Flash, etc.
• Any code that comes from an outside source puts you and your computer system at risk.
• Seek out only those locations that are known to be safe and trustworthy.

Top 10 Cyber Attack Methods

5. P2P File Sharing Services
• The risk of malicious content grows when code is obtained through a peer file-sharing system.
• The risk is greater not because the content becomes malicious when it is exchanged outside of ethical channels, but because the providers of the content often include malicious code intentionally.

6. Instant Messaging Clients
• Malware can be seen as a form of parasite that attaches itself to any popular communication medium.
• Users can accept an offered file from an unknown source or follow an offered hyperlink to a malicious Web site.
• Holes in IM client software can allow remote hackers to upload and/or download files.

Top 10 Cyber Attack Methods

7. New Device or Peripheral
• Vendors often outsource the actual construction and pre-production of their products to external manufacturers and assemblers.
• Mobile phones, digital photo frames, and even media players have been compromised during manufacturing.
• Don’t be an early adopter.

8. Social Networking Sites
• Proliferation of message posting and exchange services.
• Attackers trick users into accepting fraudulent information that could compromise an account or the security of a computer.
• Some in-site applications, written by malicious entities, attempt to hijack accounts or distribute malicious code.

Top 10 Cyber Attack Methods

9. Social Engineering
• Phishing is the most popular
• Web - Fake AV
• USB Flash Drives
• Be aware that attackers are trying to trick you into doing things like following hyperlinks and downloading files.

10. Not Following Security Guidelines and Policies
• People tend to care less about company data than they would about their own.
• Security Awareness Training
• Communicate regularly throughout the year.
• Stay current with new security trends – Be aware that it can happen to YOU.

Security Counter Measures

Why do we care about this?…

• Financial Loss
• Customer or personal Data Loss
• Business Disruption
• Closing Accounts
• Reregistering Accounts
• Reputational Business Risks

Apply Business Security Policies

Provide a uniform security policy enforced across the business


Admin Rights – network and local
Control Access Based on the Need to Know
Policies and procedures for the following service elements:
End-User Security
Removable Device Security
Network Communications Security
Remote Desktop Security
Software Updates
Uniform Security Settings

System Patching

Workstations and Servers


Version Upgrades
Critical Updates
Operating Systems
Windows Applications
3rd Party Applications
Heartbleed Vulnerability
April 8, 2014
No New Updates are available for Windows XP & Office 2003
Continuous Patching

Know your Business Partners

Manage the businesses you do business with

Do they have access to confidential information?
Review them on a recurring basis

Cloud Email Anti-SPAM & Anti-Virus

Safeguarding your email with anti-virus, anti-spyware, anti-spam technology and Phishing Defense.
Stop threats in the cloud before they reach your servers or workstation.
Protection Against Zero-Day

Wireless Device Control

Wireless devices are a convenient vector for attackers


Attackers gain wireless access to organizations from outside the
building, bypassing organizations' security by connecting wirelessly to
access points inside the organization.
Wireless mobile devices can be infected during air travel or in cyber
cafes and are then used as back doors when reconnected to your
internal network.
Restrict Access to authorized users only
Scan for Rogue devices
Disable Wireless Access on devices that do not need it

Protection on Your Devices and Systems

24/7 Management and Monitoring


Definition file updates
Version updates
Forgotten systems or devices
Reporting/Tracking

Anti-Virus
Anti-Malware
Host Intrusion Prevention
HIPS
Content Filtering
SPAM Filtering
Network Access Control
Application Control
Columbia Bank - Managing Risks

Managing the Risk
Best Practice # 1 – Separation of Duties
Best Practice # 2 – Stronger Password
Best Practice # 3 – Dual Administrative Control
Best Practice # 4 – Dual Transaction Control
Best Practice # 5 – Dual Transaction Control Plus

Managing the Risk
Best Practice # 6 - Education

• Educate staff on risk and fraud prevention (key)


• Set strong internal control criteria (policy)
• Educate staff on internet browsing risks
• Educate staff on Email Risks

Managing the Risk
Best Practice # 7 – Protection

• Email filtering software/service


• Internet browser filtering software/service
• External device (USB) (DVD) control
• Mobile Device Management
• Segregation of workstation for financial transactions
• Insurance – Cyber related

Managing the Risk

Best Practice # 8 – Monitoring

• Monitor activity daily


• Utilize Balance Alerts - think fraud protection and prevention
• Limit / Eliminate email and internet on business workstations
• Use a layered security approach – solutions - vendors

Managing the Risk
Key solutions for better protection…
• Enhanced Multifactor Authentication (MFA)
• Method for security code delivery

• Tokens
• Protection for ACH and Wire transactions
• Wire procedures
• ACH profile controls

Managing the Risk
Key solutions for better protection…
• Browser Security for Columbia Bank Access
• Secures and Encrypts the session
• Alerts of possible issues
• Back End Monitoring Tools
• Advanced activity monitoring
• Based on patterns of behavior
• Alerts of possible issues
• Communication
In Summary…

• Review, identify and know your risks


• Put a plan in place to close gaps
• Review Email and Internet browsing habits
• Patching-Operating systems and virus software
• Windows XP and Office Suite sunset

In Summary…

• Utilize various layers of protection


• Stay current…news…reports….information
• Regularly review your own security practices
• If it looks, feels or sounds strange….it is…
• Money spent now will save you later

You can’t do everything….
But don’t do nothing!

What Questions do we have?

Thank you for your business!
Thank you for attending!