Transcript Document

Paul Rainbow - CPA, CISA, CIA, CISSP, CTGA
IT TRENDS AND FUTURE CONSIDERATIONS
The material appearing in this presentation is for informational purposes
only and should not be construed as advice of any kind, including, without
limitation, legal, accounting, or investment advice. This information is not
intended to create, and receipt does not constitute, a legal relationship,
including, but not limited to, an accountant-client relationship. Although
this information may have been prepared by professionals, it should not be
used as a substitute for professional services. If legal, accounting,
investment, or other professional advice is required, the services of a
professional should be sought.
AGENDA
• BYOD
• Cloud Computing
• PCI
• Fraud
• Internet Banking
• Questions
The Mobile Explosion
• Mobile traffic data in 2011 was nearly 12 times the
size of the entire global Internet traffic in 2000
• Global mobile traffic will increase 13-fold between
2012 and 2017
• By the end of 2013, the number of mobile-connected
devices will exceed the number of people on earth
• By 2017, there will be 8.6 billion handheld or
personal mobile-ready devices
• Gartner predicts that by 2014, 90% of companies
will support corporate applications on personal
mobile devices
Source: Cisco Global Mobile Data Traffic Forecast Update, 2012 - 2017
Mobile Computer Sales: Tablets Lead
Tablets are poised to outsell laptops by 2016
Mobile Technology Trends
• According to CTIA, as of June 2012, there were
327,577,529 active mobile devices connected to US
carriers
• BYOD gaining acceptance in the workplace
• Mobile Device Sales (3Q 2012):
– Android – 104.8 million units (68.1% market share)
– iOS – 26 million units (16.9% market share)
– BlackBerry – 7.4 million units (4.8% market share)
– Symbian – 6.8 million units (4.4% market share)
– Windows – 5.4 million units (3.5% market share)
• The popularity of smartphones has made them the
next major target for cyber criminals
BYOD: The New Frontier
• Employees are using their own devices in the work
place and asking to connect them to the company
network – this trend is known as Bring Your Own
Device (BYOD).
• According to Forrester Research, 48% of employees
will buy their own device – whether their
organization approves or not.
BYOD: The New Frontier
Benefits
• Employees get a choice
• Boosts morale and productivity.
• The firm avoids owning hardware and ongoing contracts
• Employees set up services under their own names.
• The equipment can go with the employee if they leave
• Departures are cleaner, as data is simply wiped out from the
employee’s device.
BYOD: The New Frontier
Challenges
• Security is easier to manage in company owned devices
• Security is difficult to control when the environment and
devices are not under the IT department’s control.
• The balance between life and work is challenged
• The line between life and work is blurred; employees have a
hard time turning off work.
• Policies are not keeping up with the trend
• Enterprises are lagging behind in creating policies that
address the BYOD trend.
BYOD: The New Frontier
Legal Challenges
• Can legal discovery rights of corporate information be extended
to personal devices if they hold personal data?
• Do breaches of personal data on company owned devices leave
the company liable (e.g., HIPAA information on my company
owned device)?
• Could it support wage and hour claims for non-exempt
employees working off the clock?
• A 2010 US Supreme Court 9-0 ruling declared that employees
are not entitled to privacy if they use an employer’s issued
device, so what level of privacy is there for BYODs?
Current Mobile Threats
• Malware is the single largest threat to mobile security
• In 2012, Kaspersky Labs discovered an average of 6,300
new Android malware samples every month, which was an
increase of over eight times from 2011
• Mobile malware can be divided into three separate
categories:
Trojans, Backdoors, Spyware
• Trojans are widely used in SMS attacks
• Backdoors allow unauthorized access to devices
• Spyware targets the unauthorized collection of private data
Current Mobile Threats: Android
• Android is more susceptible to malware than Apple’s iOS
• Why?
– Lax application markets; apps can be downloaded outside of
market
– Easy to repackage legitimate applications with malware
– Flawed Android security model
• Large security issues with jail-broken and rooted
phones
– “Hacking” mobile phones allows security controls to be
circumvented
Current Mobile Threats: Find and Call
• Apple’s first App Store malware: Find and Call
• The app steals the phonebook from devices and pushes the data back to a command-and-control (C&C) server
• The data is then used for SMS spam campaigns
Current Mobile Threats: Ransomware
• Ransomware:
– Malware which effectively holds a user’s device hostage until a fee is paid
Current Mobile Threats: SMS Botnets
• SMS Spam Botnet:
– Directs users to download malware directly on their device
• An SMS is received containing a URL
• When the user clicks on the URL, a Trojan is installed on the device along with the legitimate application
• The Trojan contacts a C&C server to obtain the spam message
• The spam message is sent to the contacts stored in the phone
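To make the last two steps concrete from the carrier or mobile-device-management side, here is an added example (not from the presentation) that scans constructed SMS gateway log lines for the fan-out signature of this botnet: one URL-bearing message sent from a single device to many distinct contacts within a short window. The log format, thresholds and domain name are assumptions.

```python
"""Added example (not from the presentation): detect the fan-out step of an SMS
spam botnet in carrier or MDM logs. Log format and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
LINE_RE = re.compile(r'^(\S+) src=(\S+) dst=(\S+) msg="(.*)"$')

# Constructed log: device A pushes one link to five contacts in 20 seconds,
# device B sends ordinary messages (one of which also contains a link).
SAMPLE_LOG = """\
2012-09-01T10:00:01 src=A dst=+15550001 msg="check this out www.example-bad.test/app"
2012-09-01T10:00:04 src=B dst=+15550002 msg="running late, see you at 7"
2012-09-01T10:00:05 src=A dst=+15550003 msg="check this out www.example-bad.test/app"
2012-09-01T10:00:09 src=A dst=+15550004 msg="check this out www.example-bad.test/app"
2012-09-01T10:00:14 src=A dst=+15550005 msg="check this out www.example-bad.test/app"
2012-09-01T10:00:20 src=A dst=+15550006 msg="check this out www.example-bad.test/app"
2012-09-01T10:05:00 src=B dst=+15550001 msg="is www.example-bad.test/app legit?"
"""


def parse(log: str):
    """Yield (timestamp, src, dst, msg) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, msg = m.groups()
            yield datetime.fromisoformat(ts), src, dst, msg


def flag_fanout(log: str, min_recipients: int = 5, window: timedelta = timedelta(minutes=1)):
    """Return {src: message} for devices that sent one URL-bearing text to at
    least min_recipients distinct numbers inside any window-sized interval."""
    sends = defaultdict(list)  # (src, msg) -> [(timestamp, dst), ...]
    for ts, src, dst, msg in parse(log):
        if URL_RE.search(msg):
            sends[(src, msg)].append((ts, dst))
    flagged = {}
    for (src, msg), events in sends.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            recipients = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(recipients) >= min_recipients:
                flagged[src] = msg
                break
    return flagged


if __name__ == "__main__":
    print(flag_fanout(SAMPLE_LOG))
```

Device B is not flagged even though it forwards the same link once, which is the difference between a curious user and an infected phone fanning the link out to its whole address book.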
Current Mobile Threats: Zitmo
Banking Trojans: Zeus-In-The-Mobile (Zitmo)
• Masquerades as a banking activation application
and eavesdrops while looking for mobile
transaction authentication numbers (mTAN) in
SMS messages sent by banks to customers for a
second form of authentication
• First appeared in 2010
Cloud Computing
• Private Cloud − Hosted for or by a single entity on a
private network; can be hosted internally or
outsourced but is most often operated internally; only
those within the entity share the resources
• Community Cloud − Hosted for a limited number of
entities with a common purpose; access is generally
restricted; most often used in a regulated environment
where entities have common requirements
• Hybrid Cloud − Data or applications are portable and
permit private and public clouds to connect
• Public Cloud − Available to the general public; owned
and operated by a third-party service provider
Cloud Computing
• The institution has the ability to increase or
decrease resources on demand without involving
the service provider (on-demand self-service).
• Massive scalability in terms of bandwidth or
storage is available to the institution.
• The institution can rapidly deploy or release
resources.
• The financial institution pays only for those
resources which are actually used (pay-as-you-go
pricing)
Cloud Computing
• One of the major concerns with cloud computing is the loss of control over physical access to systems.
• Depending on the type of cloud service you use, you may be sharing hardware with others. This can lead to legal (and operational) issues if the systems and/or backups are requested by a court or government agency.
Notable Payment Card Security Breaches
• Heartland Payment Systems – 2008 – Hackers attacked the
system that is used to process card transactions. Up to 100
million transactions compromised.
• TJX Corp. – 2007 – Hackers compromised wireless network to
steal information on approx. 94 million card transactions.
• HEI Hospitality (Marriott, Sheraton, Westin) – March/April
2010: POS system compromised. Up to 3,400 credit card
accounts compromised.
• PlayStation Network – 2011 – Hacking attack. 77 million personal
information records acquired. Credit card information (TBD).
• Seattle Small-Medium-sized businesses – April 2011 – war
driving hacks to steal credit card data. Stole about $750,000
worth of goods.
Payment Card Industry (PCI) –
Data Security Standard Overview
• Not a government regulation, but an industry regulation.
• All entities that process, store, or transmit payment card
information need to comply. (PAN is the deciding factor.)
• The Players: Card Brands, Merchants, Service Providers,
Acquirers, and Issuers
• Effective compliance dates vary depending on merchant
level or service provider level and card brand (June 2005,
Dec. 2008).
• Card brands have their own compliance programs and are
responsible for compliance tracking, enforcement,
penalties, and fees.
Why is compliance with PCI DSS important?
A security breach and subsequent compromise of
payment card data has far-reaching consequences
for affected organizations, including:
1. Regulatory notification requirements
2. Loss of reputation
3. Loss of customers
4. Potential financial liabilities (regulatory and
other fees and fines)
5. Litigation
Penalties for Non-Compliance
Members proven to be non-compliant or whose
merchants or agents are non-compliant may be
assessed:
– Non-compliance fine up to $500K
– Forensic investigation costs
– Issuer/Acquirer losses
• Unlimited liability for fraudulent transactions
• Potential additional issuer compensation (e.g., card
replacement)
– Dispute resolution costs
Fraud Trends
• Malware
• Mobile Devices
• Social Engineering
• Social Media
Malware
• “Man in the Browser” is malware that infects a web
browser and has the ability to modify pages,
modify transaction content, or insert additional
transactions. This is hidden from both the user
and application.
• Keystroke loggers and other similar strains of
malware continue to be used to collect data and
user credentials to be used for fraud.
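One server-side mitigation for the transaction tampering described above, as an added example that is not from the presentation: the mTAN sent by SMS is derived from the exact payee and amount, and the message repeats them, so a code captured for one transaction does not verify for an altered one and the customer sees what the server actually received. The key, transaction fields and message wording are assumptions.

```python
"""Added example (not from the presentation): bind an SMS mTAN to the exact
transaction it authorises, so a browser-side edit of payee or amount is caught."""
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret; in production it would live in a key store or HSM.
SERVER_KEY = secrets.token_bytes(32)
INTENDED_TX = {"account": "12345678", "payee": "ACME Utilities", "amount": "120.00"}


def _code_for(tx: dict, nonce: str) -> str:
    """Derive a six-digit code from account, payee, amount and a one-time nonce."""
    msg = f"{tx['account']}|{tx['payee']}|{tx['amount']}|{nonce}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def issue_mtan(tx: dict):
    """Return (nonce, sms_text, code). The SMS repeats payee and amount so the
    customer can compare them with what they intended before typing the code."""
    nonce = secrets.token_hex(8)
    code = _code_for(tx, nonce)
    sms = (f"Transfer {tx['amount']} to {tx['payee']} from account {tx['account']}. "
           f"Code {code}. If these details are not yours, do not enter the code.")
    return nonce, sms, code


def verify_mtan(submitted_tx: dict, nonce: str, code: str) -> bool:
    """Recompute the code from the transaction the server actually received;
    a code issued for different details fails here."""
    return hmac.compare_digest(_code_for(submitted_tx, nonce), code)


if __name__ == "__main__":
    nonce, sms, code = issue_mtan(INTENDED_TX)
    print(sms)
    # Browser malware silently rewrites the payee and amount after the customer approved.
    tampered = dict(INTENDED_TX, payee="MULE ACCOUNT 9", amount="4900.00")
    print("honest:", verify_mtan(INTENDED_TX, nonce, code))
    print("tampered:", verify_mtan(tampered, nonce, code))
```

This depends on the customer reading the SMS on an uninfected phone; the Zitmo family discussed earlier exists precisely to intercept that message, which is why the out-of-band channel has to be monitored as well.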
Social Engineering
• As financial institutions enhance their online security, the criminals are changing their avenue of attack
• Social engineering is used in various forms (phishing, spear phishing, or smishing)
[Charts: US Bank Types Attacked - Phishing; Phishing Attacks per Month]
Social Media
• Easy way for criminals to gather intimate details about members to use in fraud
• Easy way to send malware or Trojans to a large group of people from a “trusted” friend
• New frontier for phishing and social engineering attacks
Internet Banking Authentication
Regulators came out with guidance related to Internet
banking authentication in June 2011. The guidance
called out the responsibility of financial institutions to:
• Differentiate between retail and business
transaction risk
“Agencies recommend that institutions offer multifactor
authentication to their business customers.”
• Continue to focus on Risk Assessment
• Increased emphasis on Layered Security Programs
Questions? Contact Us
[email protected]
509-714-4865