Jessica Dore, CISA ... 2 Jessica Dore, CISA @rehmann.com 989.797.8391 Beth Behrend, CCBCA,

Posted 16-Apr-2020

Transcript of Jessica Dore, CISA ... 2 Jessica Dore, CISA @rehmann.com 989.797.8391 Beth Behrend, CCBCA,

  • 1

  • 2

    Jessica Dore, CISA

    jessica.dore@rehmann.com

    989.797.8391

    Beth Behrend, CCBCA, CBAP

    beth.behrend@rehmann.com

    616.975.4100


  • 3

    Security is not convenient.

    – J. Hey, c. 2003

  • 4

    “There are only two types of companies: those that have been hacked, and those that will be.”

    — Robert Mueller, FBI Director, 2001-2013

  • 5

    Data breaches by category and year (number of breaches, share of that year's total, and records exposed)

    Source: ID Theft Resource Center

    Category               2017                      2016                      2015
                           Breaches      Records     Breaches      Records     Breaches      Records
    Banking / Financial     99 (7.4%)    2,910,117    52 (4.8%)       72,262    71 (9.1%)    5,063,044
    Business               680 (50.8%) 159,365,480   495 (45.3%)   5,669,711   312 (39.9%)  16,191,017
    Educational            116 (8.7%)    1,146,861    98 (9%)      1,048,342    58 (7.4%)      759,600
    Government / Military   70 (5.2%)    5,838,098    72 (6.6%)   13,869,571    63 (8.1%)   34,222,763
    Medical / Healthcare   374 (27.9%)   5,141,972   376 (34.4%)  15,942,053   277 (35.5%) 112,832,082

  • 6

    Perpetrated by Outsiders

    75%

    Source: Verizon 2017 Data Breach Investigations Report

  • 7

    25%

    Involved Internal Actors

    Source: Verizon 2017 Data Breach Investigations Report

  • 8

    18%

    Conducted by State-Affiliated Actors

    Source: Verizon 2017 Data Breach Investigations Report

  • 9

    Featured Multiple Parties

    3%

    Source: Verizon 2017 Data Breach Investigations Report

  • 10

    Involved Organized Criminal Groups

    51%

    Source: Verizon 2017 Data Breach Investigations Report

  • 11

    1. Hacking accounted for 62% of breaches.

    2. More than 5 of 10 breaches included malware.

    3. 81% of hacking-related breaches leveraged either stolen and/or weak passwords.

    4. Social attacks comprised 43% of attacks.

    5. Physical breaches account for 8% of attacks.

    Source: Verizon 2017 Data Breach Investigations Report

  • 12

    • 7 out of 10 organizations say their security risk increased significantly in 2017.

    • 77% of attacks that successfully compromised organizations in 2017 utilized fileless techniques.

    • A third of all attacks are projected to utilize fileless techniques in 2018.

    • Ransomware on decline while cryptomining malware booms.

    • Cryptominers have impacted 55% of organizations globally.

    Source: barkly.com

    https://blog.barkly.com/2018-cybersecurity-statistics

  • 13

    • Awareness of ransomware reached a tipping point.

    • Few victims are actually paying ransoms.

    • Cryptocurrency volatility is tough on the extortion racket.

    • Cryptocurrency-mining malware provides a stealthier, more effective alternative to ransomware.

  • 14

    Top 10 passwords

    1. 123456

    2. password

    3. 12345678

    4. Qwerty

    5. 12345

    6. 123456789

    7. letmein

    8. 1234567

    9. football

    10. iloveyou

  • 15

    Phishing: False emails, chats, or websites designed to impersonate real systems with the goal of capturing sensitive data.

    Spearphishing: Same as phishing e-mails, but appearing to be from someone you know – VERY legitimate in appearance!

    Smishing: SMS (text msg) phishing – a link sent through text message which delivers a payload.

    Whaling: Targets employees fraudulently using actual executives’ names to attempt wire fraud.

    Baiting: Using the promise of an incentive for gathering your information (e.g. gift cards; free movies; money).

    “Malvertizing”: Legitimate-looking ads on legitimate sites (ex. YouTube) that once clicked on deliver a payload.

    Partner Network Compromise: Target (and one in West Michigan in early Oct ‘17!)

    Social Engineering: Impersonation (phone/in-person).

    DDoS: Distributed Denial of Service.

    And… don’t forget about physical security…

  • 16

    4B: 4 billion humans online by 2020 – twice that of today

    $6T: $6 trillion in cyber-crime damage costs by 2021

    15x: 15x the Ransomware impact of 2015.

  • 17

    Weak and Stolen Credentials, a.k.a. Passwords

    Back Doors, Application Vulnerabilities

    Malware

    Poor Patch Management

    Social Engineering

    Too Many Permissions

    Insider Threats

    Physical Attacks

    Improper Configuration

    Weak Enforcement of Remote Login Policies

  • 18

    On May 25, 2018, all businesses collecting and retaining data of any individuals residing, visiting or conducting business in the European Union (EU) will be subject to new standards for data security and breach response when the EU General Data Protection Regulation (GDPR) goes into effect.

    (Calendar graphic: May 2018)

  • 19

    • In the event of a data breach, businesses must notify all parties that could be affected within 72 hours after becoming aware of the breach.

    • EU residents will have full rights to access and request erasure of data as they see fit – free of charge – unless there is significant reason for the business to retain that information.

    • Increased jurisdiction will include any business that processes personal data of EU residents (including temporary residents and visitors) – not just businesses located within the EU.

    • The policies surrounding consent have become much stricter and businesses can no longer assume a party’s consent – it must be expressly stated.

  • 20

    Has your institution gone through the process of determining whether you need to be in compliance with GDPR?

    A. Yes

    B. No

    C. Uncertain

  • 21

    Data

    Perimeter

    Access

    Governance

    Vendor

    Mobile

    Human

    Source: www.lifehack.org

  • 22

    Keep patched and up to date

    Monitor network traffic for anomalies

    Monitor for encrypted traffic traveling over nonstandard ports

    Use two-factor authentication wherever possible

    Ensure malware protection software is in place

    Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as PowerShell, Cobalt Strike and TeamViewer
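    The two monitoring items above (encrypted traffic on nonstandard ports, and remote-admin tooling appearing where it should not) can be expressed as simple detection rules. The following is an added example, not code from the presentation or from Rehmann. It runs over two constructed log samples (a Zeek-style connection log and an endpoint process-creation log); the port allowlist, the watched-tool list and the single approved admin host are assumptions chosen for the example, and would come from the asset inventory in a real deployment.

```python
"""Toy detection logic for two slide-22 recommendations: encrypted traffic
on nonstandard ports, and remote-admin / post-exploitation tooling on hosts
where it is not expected. Added example; all log lines and lists below are
constructed for illustration."""
from dataclasses import dataclass
from typing import List

# Assumption: ports on which TLS/SSH is expected in this environment.
EXPECTED_ENCRYPTED_PORTS = {22, 443, 465, 636, 853, 993, 995, 8443}
ENCRYPTED_SERVICES = {"ssl", "tls", "ssh"}

# Tools named on the slide. Cobalt Strike has no fixed image name, so it is
# not matched by filename here. Assumption: only it-admin-01 may run these.
WATCHED_TOOLS = {"powershell.exe", "teamviewer.exe", "teamviewer_service.exe"}
APPROVED_ADMIN_HOSTS = {"it-admin-01"}

# Constructed sample: "ts src dst dport proto service" (Zeek conn.log style).
FLOW_LOG = """\
1519900001 10.1.4.22 93.184.216.34 443 tcp ssl
1519900002 10.1.4.22 198.51.100.7 8081 tcp ssl
1519900003 10.1.4.31 10.1.4.5 22 tcp ssh
1519900004 10.1.4.31 203.0.113.9 4444 tcp ssh
1519900005 10.1.4.40 10.1.4.8 80 tcp http
"""

# Constructed sample: "ts host user parent_image image" (process creation).
PROCESS_LOG = """\
1519900101 it-admin-01 alice explorer.exe powershell.exe
1519900102 teller-07 bob winword.exe powershell.exe
1519900103 teller-07 bob explorer.exe TeamViewer.exe
1519900104 teller-09 carol explorer.exe notepad.exe
"""


@dataclass(frozen=True)
class Finding:
    rule: str      # which check fired
    subject: str   # host or source address
    detail: str    # human-readable context for the analyst


def flag_encrypted_on_nonstandard_ports(flow_lines: List[str]) -> List[Finding]:
    """Flag TLS/SSH sessions whose destination port is not on the allowlist."""
    findings = []
    for line in flow_lines:
        if not line.strip():
            continue
        ts, src, dst, dport, proto, service = line.split()
        if service in ENCRYPTED_SERVICES and int(dport) not in EXPECTED_ENCRYPTED_PORTS:
            findings.append(Finding(
                "encrypted-nonstandard-port", src,
                f"{service} over {proto} from {src} to {dst}:{dport} at {ts}"))
    return findings


def flag_remote_admin_tools(process_lines: List[str]) -> List[Finding]:
    """Flag watched admin/remote-access tools on hosts not approved to run them."""
    findings = []
    for line in process_lines:
        if not line.strip():
            continue
        ts, host, user, parent, image = line.split()
        if image.lower() in WATCHED_TOOLS and host not in APPROVED_ADMIN_HOSTS:
            findings.append(Finding(
                "remote-admin-tool", host,
                f"{image} started by {user} (parent {parent}) at {ts}"))
    return findings


def run_checks(flow_log: str, process_log: str) -> List[Finding]:
    """Run both checks over raw log text and return the combined findings."""
    return (flag_encrypted_on_nonstandard_ports(flow_log.splitlines())
            + flag_remote_admin_tools(process_log.splitlines()))


if __name__ == "__main__":
    for f in run_checks(FLOW_LOG, PROCESS_LOG):
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

    On the constructed samples this yields four findings: TLS to port 8081 and SSH to port 4444 from the flow log, and PowerShell plus TeamViewer on teller-07 from the process log. The parent image is carried into the finding text so the analyst can see that the teller's PowerShell was launched by Word, which is the kind of context that decides whether a ticket becomes an incident.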

  • 23

    Is your institution regularly monitoring ATMs to ensure they are patched appropriately?

    A. Yes

    B. No

    C. Uncertain

  • 24

    Monitoring and Patching of ATMs

    Vendor Management

    Patch Management

    Business Continuity & Recovery Testing

    Board Oversight

  • 25

  • 26

    Beneficial Ownership Rule: Fifth Pillar of Anti-Money Laundering

  • 27

    Effective May 11, 2018, new requirements were imposed on covered Financial Institutions under FinCEN’s Customer Due Diligence rules.

    • Commonly referred to as the Beneficial Owners Rule

    • Categorizes Beneficial Owners into two categories:

    o Control Prong

    o Ownership Prong

    • Establishes requirements for verification of identity

  • 28

    By now, all covered financial institutions should have in place procedures for compliance with the Rule, which should be incorporated into the customer risk monitoring process.

    Any reasonable suspicion that a customer is evading or attempting to evade beneficial ownership requirements should trigger an assessment of the advisability of opening an account or closing an existing account, as well as the possibility of filing a suspicious activity report.

  • 29

    A quick recap of the guidance provided by FinCEN:

    Beneficial ownership threshold: more stringent written internal policies may be appropriate:

    • Goal is transparency in beneficial ownership

    • Should be risk-based

  • 30

    Consider this ownership structure:

    For purposes of the Rule, Fred is a beneficial owner of Bedrock Granite because he owns 30% of its equity through his 60% ownership