TRANSCRIPT
1 April 2005
Top IT Security Issues: An Examiner’s Perspective
Matthew Biliouris, Information Systems Officer – E&I
2 PACUA Technology Council Meeting – April 2005
EFS Products & Services

Traditional EFS:
– ATM
– Wire Transfer
– ACH
– Automated Telephone Response Systems

Typical Internet-Based EFS:
– A/C History Review
– Account Transfers
– Applications
– Withdrawal Requests

Newer On-Line EFS:
– Bill Payment / Presentment
– Account Aggregation
– Statement & Disclosure Delivery
– Check Imaging
– Credit Card Statement Access
– Downloads to Financial Software
Account Aggregation (diagram of aggregated sources): Brokerage, CUs/Banks, 401K, Taxes, Credit Cards, Airline Miles, Bills, Travel, E-Mail, Shopping
Types of Web Sites
– Informational Sites: Marketing Info
– Interactive Sites: Secure Messaging, Loan Applications, Account Inquiry
– Fully Transactional Sites: Financial Transactions (transfer funds, pay bills, etc.)
Credit Union Industry Statistics
[Bar chart: number of credit union websites by Website Type (Interactive, Non-Interactive, Total); vertical axis 0 to 6,000]
[Line chart: Website Growth, percent change from -20% to 60%, for Interactive, Non-Interactive and Total, semi-annually from Jun-99 to Dec-04]
[Pie chart: Percentage of FICUs By Website Type, December 31, 2004; categories None, Informational, Interactive, Transactional; slices shown as 41.2%, 14.3%, 3.7% and 40.7%]
[Pie chart: FICU Assets By Website Type, December 31, 2004; categories None, Informational, Interactive, Transactional; slices shown as 3.5%, 4.3%, 90.0% and 2.2%]
2004 CSI/FBI Survey

Security Trends: 2004 Computer Security Institute & FBI Survey
– 494 security practitioner responses
– 19% of responders from the financial services industry
Key Findings
– Unauthorized use and financial losses declined
– Virus and denial of service top cost
– Law enforcement reporting declined
– Security audits used
– Security outsourcing low
– Sarbanes-Oxley impact
– Security training needed
Respondents By Revenue
– Over $1B: 37%
– $100M-$1B: 20%
– $10M-$99M: 23%
– Under $10M: 20%
Percentage of IT Budget Spent on Security (2004: 481 respondents, 97%)
[Bar chart: share of respondents by percentage of IT budget spent on security; categories More than 10%, 8%-10%, 6%-7%, 3%-5%, 1%-2%, Less than 1%, Unknown; horizontal axis 0% to 30%; values shown 8%, 8%, 7%, 22%, 24%, 16%, 14%]
Unauthorized Use
[Chart: Unauthorized Use of Computer Systems Within the Last 12 Months; responses Yes / No / Don't Know, 1996 through 2004; vertical axis 0% to 80%]
Breach Frequency
[Chart: How Many Security Breach Incidents? Responses 1-5 / 6-10 / >10 / Don't Know, 1999 through 2004; vertical axis 0% to 50%]
Website Incidents
[Chart: number of website incidents; responses 1 to 5 / 6 to 10 / More Than 10, 1999 through 2004; vertical axis 0% to 100%]
Types of Losses

Dollar Amount of Losses By Type ($000); categories not surveyed in 2003 shown as "--"

Loss type                      2004       2003
Sabotage                        871      5,149
System Penetration              902      2,754
Website Defacement              958         --
Misuse of Web Application     2,747         --
Telecom Fraud                 3,998        702
Unauthorized Access           4,278        406
Laptop Theft                  6,735      6,831
Financial Fraud               7,671     10,186
Abuse of Wireless Network    10,159         --
Insider Net Abuse            10,601     11,767
Theft of Proprietary Info.   11,460     70,196
Denial of Service            26,064     65,643
Virus                        55,054     27,382
Other                             0        781
Total                       141,498    201,797
Computer Intrusions: Actions Taken
[Chart: Computer Intrusion(s) Within Last 12 Months: Actions Taken; responses Patched Holes / Did Not Report / Reported to Law Enforcement / Reported to Legal Counsel, 1996 through 2004; vertical axis 0% to 100%]
Computer Intrusions Not Reported
[Chart: The Reasons Organizations Did Not Report Intrusions to Law Enforcement; responses Negative Publicity / Competitors Would Use to Advantage / Unaware That Could Report / Civil Remedy Seemed Best, 1996 through 2004; vertical axis 0% to 100%]
NCUA Strategic Plan 2003-2008
Goal #2:
Facilitate the ability of credit unions to safely integrate financial services and emerging technology in order to meet the changing expectations of their members.
Frequent Question
Does NCUA expect all credit unions to develop and implement e-Commerce services?
NO! NCUA encourages credit unions to consider offering e-Commerce services.
Risk Assessment Process
1. Identify Risks
2. Understand Risks
3. Prioritize Risks
4. Develop & Implement Action Plans
5. Monitor
Electronic Financial Services
Areas of Risk:
– Transaction/Operational
– Compliance
– Reputation
– Strategic
IS&T Exam Procedures
Before implementing a product/service:
– Seek education as to the benefits & risks.
– Determine if risks are acceptable.
– Determine regulatory compliance requirements.
– Ensure a legal review of contracts.
– Assess the adequacy of staff expertise (technical, managerial, member service).
– Determine best in-house/outsourcing solution.
– Evaluate necessary security measures.
– Research available bond coverage.
– Seek expert assistance when necessary.
– Complete due diligence of vendors.
– Involve all interested operational & audit functions in planning & implementation.
– Develop audit & performance mechanisms.
– Create or revise related policies and procedures.
Security Programs

Gramm-Leach-Bliley Act – 501(b)
– Outlines specific objectives
– Requires NCUA establish standards for safeguarding member records

Credit unions must have a process in place to (specifically stated in §748.0(b)(2)):
– Ensure security & confidentiality of member records
– Protect against anticipated threats or hazards
– Protect against unauthorized access

Appendix A – Guidelines for Safeguarding Member Information
– Involvement of Board of Directors
– Assess risk
– Manage & control risk
– Oversee service providers
– Adjust the program
– Report to the Board

Response Program Guidance
– Increasing number of security events
– Congressional inquiries
– GLBA interpretation
– FFIEC working group
– Revise Part 748: add new Appendix B

Credit unions must have a process in place to:
– Ensure security & confidentiality of member records
– Protect against anticipated threats or hazards
– Protect against unauthorized access
– Respond to incidents of unauthorized access to member information

Appendix B – Guidance on Response Programs
– Components of a Response Program: assessing incident, notifying NCUA/SSA, notifying law enforcement agencies, containing/controlling incident, notifying affected members
– Content of Member Notice: account/statement review, fraud alerts, credit reports, FTC guidance
Part 748 Appendix B
Conflict with state law – e.g., California Notice of Security Breach statute
– Requires notice to California residents when unencrypted member information is or may have been acquired by an unauthorized person
– Gramm-Leach-Bliley preemption standards: no intent to preempt where state law provides greater consumer protections
NCUA Expectations
Potential questionnaire:
– Incorporated into overall security program
– Escalation process / incident response
– Review of notices – attorney review?
– Enterprise-wide approach
– Reporting to senior management
– Member outreach / awareness programs
– Employee training programs
Quotes

“…The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company…”
Arthur Levitt, Former Chairman of the SEC

“Bogus e-mails that try to trick customers into giving out personal information are the hottest, and most troubling, new scam on the Internet.”
Jana Monroe, Assistant Director, Cyber Division of FBI
Phishing 101
Phishing uses e-mail to lure recipients to bogus websites designed to fool them into divulging personal data.
Typical elements of the e-mail:
– Spoofed address
– Convincing
– Sense of urgency
– Embedded link (but not always)
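A defender-side illustration of those e-mail elements, added here as an example and not part of the presentation: a small Python checker that flags a mismatched reply domain (spoofed address), urgency wording, and an embedded link whose visible text names the credit union while its target does not. The credit union domain examplecu.org and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

CU_DOMAIN = "examplecu.org"  # assumed credit union domain (hypothetical)
# Constructed sample messages: one phishing-style, one ordinary newsletter.
SUSPECT = """From: Member Services <alerts@examplecu.org>
Reply-To: verify@examplecu-secure.biz
Subject: Urgent: your account will be suspended
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you verify immediately.</p>
<a href="http://203.0.113.5/login">https://www.examplecu.org/login</a>
"""
LEGIT = """From: Member Services <news@examplecu.org>
Subject: Spring newsletter
Content-Type: text/html

<p>Our quarterly newsletter is now posted.</p>
<a href="https://www.examplecu.org/newsletter">Read the newsletter</a>
"""

URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspend(?:ed)?|verify)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(header_value):
    # Lower-cased domain of an address header, or '' when the header is absent.
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def phishing_indicators(raw_message):
    msg = message_from_string(raw_message)
    found = []
    # 1. Spoofed address: From claims the CU, but replies are routed elsewhere.
    from_dom = domain_of(msg.get("From", ""))
    for hdr in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(hdr, ""))
        if other and other != from_dom:
            found.append(f"{hdr} domain {other} differs from From domain {from_dom}")
    # 2. Sense of urgency in the subject or body.
    body = msg.get_payload()
    text = msg.get("Subject", "") + " " + body
    words = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if words:
        found.append("urgency wording: " + ", ".join(words))
    # 3. Embedded link whose visible text names the CU but whose host does not.
    for href, label in LINK.findall(body):
        host = re.sub(r"^\w+://", "", href).split("/")[0].lower()
        if CU_DOMAIN in label.lower() and not host.endswith(CU_DOMAIN):
            found.append(f"link text shows {CU_DOMAIN} but points to {host}")
    return found
```

The checker is a triage aid for the complaint-handling step in the employee action plan, not a substitute for mail authentication controls.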
Phishing Trends
Anti-Phishing Working Group: industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing.
APWG members:
– Over 400 members
– Over 250 companies
– 8 of the top 10 US banks
– 4 of the top 5 US ISPs
– Over 100 technology vendors
– Law enforcement from Australia, CA, UK, USA
Unique Phishing Attacks (source: Anti-Phishing Working Group Phishing Attack Trends Reports, March 2004 & May 2004)
Dec '03       116
Jan '04       176
Feb '04       282
March '04     402
April '04   1,125
May '04     1,197

Phishing Trends [chart; source: Anti-Phishing Working Group Phishing Attack Trends Report, May 2004]
Examples (June 2004, March 2004 and May 2004): screenshots of phishing e-mails and sites. Source: Anti-Phishing Working Group Phishing Archive.
Phishing Action Plans – Employee Education
Training / policy development:
– Awareness
– Handling complaints & reports of suspicious e-mails/sites
– Protect on-line identity of credit union
– Response plan
Phishing Action Plans – Member Education
Communication methods:
– Internet banking agreements
– Newsletters
– Statement stuffers
– Recordings when on “hold”
– Website (FAQs / advisories / links)
Phishing Action Plan Ideas – Member Education
Content:
– We will never ask for xxx via e-mail
– We will never alert you of xxx via e-mail
– Always feel free to call us at # on statement
– Always type in our site URL (see statement / newsletter / previous bookmark)
– Sites can be convincingly copied
– Report suspicious e-mails & sites
– Where to get more advice on phishing
– Importance of patching
– How to validate site (via cert or seal)
– Where to go for ID theft help
Phishing Action Plan Ideas – Protection of CU’s Online Identity
Considerations:
– Keep certificates up-to-date
– Practice good domain name controls
– Don’t let URLs lapse
– Purchase similar URLs / search for similar URLs
Phishing Resources
NCUA:
– (8/03) LTR 03-CU-12 Fraudulent Newspaper Advertisements, and Websites by Entities Claiming to be Credit Unions
– (04/04) LTR 04-CU-05 Fraudulent E-Mail Schemes
– (05/04) LTR 04-CU-06 E-Mail & Internet Related Fraudulent Schemes Guidance
FFIEC Agency Brochure
NCUA related guidance:
– (12/02) LTR 02-CU-16 Protection of CU Internet Addresses
– (7/02) LTR 02-FCU-11 Tips to Safely Conduct Financial Transactions Over the Internet
– (09/01) LTR 01-CU-09 Identity Theft & Pretext Calling
Working with external sources
Article in NCUA News
Inside the Examiner’s Playbook
– Think Globally
– Vendor Management
– Security Program (Part 748)
– Employee Remote Access
– Risk Assessment
– Patch Management
– IDS/Incident Response
– Virus Definition Updates
– BCP
– Formal Policies
FFIEC IT Examination Handbook
– Development & Acquisition
– Management
– Operations
– Outsourcing
– Retail Payment Systems
– Wholesale Payment Systems
Issued:
– BCP
– Information Security
– Supervision of TSPs
– Audit
– E-Banking
– Fedline
Contact Information:
Matthew Biliouris
703-518-6394
Questions??