Upload: gerard-gilbert

Post on 16-Dec-2015

Page 1: IT TRENDS AND FUTURE CONSIDERATIONS Paul Rainbow - CPA, CISA, CIA, CISSP, CTGA

Page 3:

The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including, without limitation, legal, accounting, or investment advice. This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although this information may have been prepared by professionals, it should not be used as a substitute for professional services. If legal, accounting, investment, or other professional advice is required, the services of a professional should be sought.

Page 4:

AGENDA

• BYOD
• Cloud Computing
• PCI
• Fraud
• Internet Banking
• Questions

Page 5:

The Mobile Explosion

• Mobile traffic data in 2011 was nearly 12 times the size of the entire global Internet traffic in 2000

• Global mobile traffic will increase 13-fold between 2012 and 2017

• By the end of 2013, the number of mobile-connected devices will exceed the number of people on earth

• By 2017, there will be 8.6 billion handheld or personal mobile-ready devices

• Gartner predicts that by 2014, 90% of companies will support corporate applications on personal mobile devices

Source: Cisco Global Mobile Data Traffic Forecast Update, 2012 - 2017

Page 6:

Mobile Computer Sales: Tablets Lead

Tablets are poised to outsell laptops by 2016

Page 7:

Mobile Technology Trends

• According to CTIA, as of June 2012, there were 327,577,529 active mobile devices connected to US carriers

• BYOD gaining acceptance in the workplace

• Mobile Device Sales (3Q 2012):

– Android: 104.8 million units (68.1% market share)
– iOS: 26 million units (16.9% market share)
– BlackBerry: 7.4 million units (4.8% market share)
– Symbian: 6.8 million units (4.4% market share)
– Windows: 5.4 million units (3.5% market share)

• The popularity of smartphones has made them the next major target for cyber criminals

Page 8:

BYOD: The New Frontier

• Employees are using their own devices in the workplace and asking to connect them to the company network. This trend is known as Bring Your Own Device (BYOD).

• According to Forrester Research, 48% of employees will buy their own device, whether their organization approves or not.

Page 9:

BYOD: The New Frontier

Benefits

• Employees get a choice
– Boosts morale and productivity.

• The firm avoids owning hardware and ongoing contracts
– Employees set up services under their own names.

• The equipment can go with the employee if they leave
– Departures are cleaner, as data is simply wiped from the employee's device.

Page 10:

BYOD: The New Frontier

Challenges

• Security is easier to manage on company-owned devices
– Security is difficult to control when the environment and devices are not under the IT department's control.

• The balance between life and work is challenged
– The line between life and work is blurred; employees have a hard time turning off work.

• Policies are not keeping up with the trend
– Enterprises are lagging behind in creating policies that address the BYOD trend.

Page 11:

BYOD: The New Frontier

Legal Challenges

• Can legal discovery rights over corporate information be extended to personal devices if they also hold personal data?

• Do breaches of personal data on company-owned devices leave the company liable (e.g., HIPAA information on my company-owned device)?

• Could it support wage and hour claims for non-exempt employees working off the clock?

• A 2010 US Supreme Court 9-0 ruling upheld an employer's review of messages sent on an employer-issued device, so what level of privacy is there for BYODs?

Page 12:

Current Mobile Threats

• Malware is the single largest threat to mobile security

• In 2012, Kaspersky Lab discovered an average of 6,300 new Android malware samples every month, more than eight times the 2011 rate

• Mobile malware can be divided into three categories: Trojans, backdoors, and spyware
– Trojans are widely used in SMS attacks
– Backdoors allow unauthorized access to devices
– Spyware targets the unauthorized collection of private data

Page 13:

Current Mobile Threats: Android

• Android is more susceptible to malware than iOS

• Why?
– Lax application markets; apps can be installed from outside the official market
– Easy to repackage legitimate applications with malware
– Flawed Android security model

• Large security issues with jailbroken (iOS) and rooted (Android) phones
– "Hacking" the phone in this way allows the platform's security controls to be circumvented

Page 14:

Current Mobile Threats: Find and Call

• Apple’s first App Store malware: Find and Call

• App steals phonebook from devices and pushes data back to a command-and-control (C&C) server

• Data is then used for SMS spam campaigns

Page 15:

Current Mobile Threats: Ransomware

• Ransomware: malware which effectively holds a user's device hostage until a fee is paid

Page 16:

Current Mobile Threats: SMS Botnets

• SMS spam botnet: directs users to download malware directly onto their device

1. An SMS is received containing a URL
2. When the user clicks the URL, a Trojan is installed on the device alongside a legitimate application
3. The Trojan contacts a C&C server to obtain the spam message
4. The spam message is sent to the contacts stored in the phone

Page 17:

Current Mobile Threats: Zitmo

Banking Trojans: Zeus-in-the-Mobile (Zitmo)

• Masquerades as a banking activation application and eavesdrops on SMS messages, looking for the mobile transaction authentication numbers (mTANs) that banks send to customers as a second authentication factor

• First appeared in 2010

Page 18:

Cloud Computing

• Private Cloud − Hosted for or by a single entity on a private network; can be hosted internally or outsourced but is most often operated internally; only those within the entity share the resources

• Community Cloud − Hosted for a limited number of entities with a common purpose; access is generally restricted; most often used in a regulated environment where entities have common requirements

• Hybrid Cloud − Data or applications are portable and permit private and public clouds to connect

• Public Cloud − Available to the general public; owned and operated by a third-party service provider

Page 19:

Cloud Computing

• The institution has the ability to increase or decrease resources on demand without involving the service provider (on-demand self-service).

• Massive scalability in terms of bandwidth or storage is available to the institution.

• The institution can rapidly deploy or release resources.

• The financial institution pays only for those resources which are actually used (pay-as-you-go pricing)

Page 20:

Cloud Computing

• One of the major concerns with cloud computing is the loss of control over physical access to systems.

• Depending on the type of cloud service you use, you may be sharing hardware with others. This can lead to legal (and operational) issues if the systems and/or backups are requested by a court or government agency.

Page 21:

Notable Payment Card Security Breaches

• Heartland Payment Systems – 2008 – Hackers attacked the system used to process card transactions. Up to 100 million transactions compromised.

• TJX Corp. – 2007 – Hackers compromised a wireless network to steal information on approx. 94 million card transactions.

• HEI Hospitality (Marriott, Sheraton, Westin) – March/April 2010 – POS system compromised. Up to 3,400 credit card accounts compromised.

• PlayStation Network – 2011 – Hack attack. Personal information on 77 million accounts acquired; credit card exposure to be determined (TBD).

• Seattle small- and medium-sized businesses – April 2011 – War-driving attacks on wireless networks to steal credit card data. About $750,000 worth of goods stolen.

Page 22:

Payment Card Industry (PCI) – Data Security Standard Overview

• Not a government regulation, but an industry regulation.
• All entities that process, store, or transmit payment card information need to comply. (Presence of the PAN, the primary account number, is the deciding factor.)
• The players: card brands, merchants, service providers, acquirers, and issuers
• Effective compliance dates vary depending on merchant level or service provider level and card brand (June 2005, Dec. 2008).
• Card brands have their own compliance programs and are responsible for compliance tracking, enforcement, penalties, and fees.
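The slide above makes the PAN the deciding factor for scope, which in practice means finding out where PANs actually turn up. As an added illustration, not code from the deck or from the PCI Security Standards Council, the Python below scans text such as log lines for PANs (a run of 13 to 19 digits that also passes the Luhn check) and masks any it finds to the first six and last four digits, the PCI DSS limit for displaying a PAN. The regular expression, the Luhn routine and the sample log lines are this example's own; the card numbers in the sample are published test numbers, not real accounts.

```python
"""PAN discovery and masking as a PCI DSS scoping aid.

Added example, not part of the original deck. Finds candidate PANs in free
text, keeps only those that pass the Luhn mod-10 check, and masks them to
first six / last four digits. SAMPLE is constructed for the demo.
"""
from __future__ import annotations

import re

# 13-19 digits, optionally separated by single spaces or hyphens, not
# adjacent to other digits (so a timestamp glued to a PAN is not swallowed).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits(span: str) -> str:
    return re.sub(r"[ -]", "", span)


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check over a digit string without separators."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Every Luhn-valid candidate span in the text, as written in the text."""
    return [m.group(0) for m in _CANDIDATE.finditer(text)
            if luhn_ok(_digits(m.group(0)))]


def mask_pan(span: str) -> str:
    """Keep the first six and last four digits, replace the rest with '*',
    preserving separators so the masked value lines up with the original."""
    n = len(_digits(span))
    out, seen = [], 0
    for ch in span:
        if ch.isdigit():
            out.append(ch if seen < 6 or seen >= n - 4 else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def redact(text: str) -> str:
    """Mask every Luhn-valid PAN in the text; other digit runs are untouched."""
    def repl(m):
        span = m.group(0)
        return mask_pan(span) if luhn_ok(_digits(span)) else span
    return _CANDIDATE.sub(repl, text)


# Constructed sample log: two lines leak a PAN (published test numbers); the
# third carries a 16-digit order reference that fails Luhn and must be kept.
SAMPLE = [
    "2012-06-14 10:02:11 pos-7 AUTH card=4111 1111 1111 1111 amt=42.10 ok",
    "2012-06-14 10:05:40 web  REFUND card=5500000000000004 amt=9.99 ok",
    "2012-06-14 10:06:02 web  LOOKUP ref=4111111111111112 amt=0.00 ok",
]


def scope_report(lines):
    """(index, PANs) for each line that puts its producer in PCI DSS scope."""
    report = []
    for i, line in enumerate(lines):
        found = find_pans(line)
        if found:
            report.append((i, found))
    return report


if __name__ == "__main__":
    for line in SAMPLE:
        print(redact(line))
    print(scope_report(SAMPLE))
```

Two caveats a practitioner should keep in mind: a Luhn-valid 16-digit run is not proof of cardholder data (roughly one random 16-digit number in ten passes Luhn), so hits need human confirmation before a system is declared in scope; and a scanner like this only sees plain ASCII digits, so PANs stored base64-encoded, in binary dumps or in other encodings are missed. It is an aid to data-flow mapping, not a replacement for it.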

Page 23:

Why is compliance with PCI DSS important?

A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:

1. Regulatory notification requirements
2. Loss of reputation
3. Loss of customers
4. Potential financial liabilities (regulatory and other fees and fines)
5. Litigation

Page 24:

Penalties for Non-Compliance

Members proven to be non-compliant, or whose merchants or agents are non-compliant, may be assessed:

– Non-compliance fines of up to $500K
– Forensic investigation costs
– Issuer/acquirer losses:
  • Unlimited liability for fraudulent transactions
  • Potential additional issuer compensation (e.g., card replacement)
– Dispute resolution costs

Page 25:

Fraud Trends

• Malware
• Mobile Devices
• Social Engineering
• Social Media

Page 26:

Malware

• "Man in the Browser" is malware that infects a web browser and can modify the pages displayed, alter the content of a transaction in flight, or insert additional transactions. The tampering is hidden from both the user and the application: the bank sees a well-formed request from an authenticated session.

• Keystroke loggers and other similar strains of malware continue to be used to collect data and user credentials to be used for fraud.
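Page 17 (Zitmo) and the "Man in the Browser" bullet above describe two ways malware attacks a single transfer: one steals the second-factor code from the phone, the other rewrites the transaction in the browser. The Python below, added here and not taken from the deck or from any bank's system, shows the server side of a transaction-bound mTAN: the six-digit code is an HMAC over the beneficiary and amount the bank received, so a confirmation request that a man-in-the-browser has rewritten after the code was issued no longer verifies, and a code cannot be replayed. The key, user names and account numbers are constructed for the demo, and the HOTP-style truncation to six digits is a design choice of this example.

```python
"""Transaction-bound mTAN issuance and verification (server side).

Added example; not code from the deck. The TAN is an HMAC over what the
customer is approving, delivered in an SMS that repeats the beneficiary and
amount, and it is valid once for five minutes. Key and identifiers below
are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import time

TAN_TTL_SECONDS = 300


class TanServer:
    def __init__(self, key: bytes, clock=time.time):
        self._key = key
        self._clock = clock
        self._pending = {}      # tan_id -> expiry time; removed on first use

    def _code(self, tan_id, user, beneficiary, amount_cents) -> str:
        # The code covers the transaction details; change any field and the
        # six digits change, which is what defeats a rewrite of the request.
        msg = f"{tan_id}|{user}|{beneficiary}|{amount_cents}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        off = mac[-1] & 0x0F                           # HOTP-style truncation
        n = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
        return f"{n % 1_000_000:06d}"

    def issue(self, user, beneficiary, amount_cents):
        """Bind a TAN to the order as the bank received it; return (tan_id, sms).
        The SMS repeats beneficiary and amount so the customer can tell whether
        the order that reached the bank is the one they typed."""
        tan_id = secrets.token_hex(8)
        self._pending[tan_id] = self._clock() + TAN_TTL_SECONDS
        code = self._code(tan_id, user, beneficiary, amount_cents)
        sms = (f"TAN {code} for transfer of {amount_cents / 100:.2f} to {beneficiary}. "
               f"If you did not order this, call the bank.")
        return tan_id, sms

    def confirm(self, tan_id, user, beneficiary, amount_cents, code) -> bool:
        """Release the transfer only if the code matches these exact details."""
        expiry = self._pending.pop(tan_id, None)      # single use, consumed on first try
        if expiry is None or self._clock() > expiry:
            return False
        expected = self._code(tan_id, user, beneficiary, amount_cents)
        return hmac.compare_digest(expected, code)


def code_from_sms(sms: str) -> str:
    """What the customer reads off the SMS (and what Zitmo forwards to the attacker)."""
    return sms.split()[1]


def demo():
    srv = TanServer(b"constructed-demo-key-not-for-production")
    user, payee, amount = "alice", "DE02120300000000202051", 5000   # 50.00, example IBAN

    # 1. Honest flow: bank issues a TAN for the order, customer confirms it.
    tan_id, sms = srv.issue(user, payee, amount)
    honest = srv.confirm(tan_id, user, payee, amount, code_from_sms(sms))

    # 2. Replay: submitting the same TAN again is rejected.
    replay = srv.confirm(tan_id, user, payee, amount, code_from_sms(sms))

    # 3. Man-in-the-browser: the customer approved 50.00 to payee, but the
    #    malware rewrites the confirmation to a mule account and 4,800.00.
    #    The TAN was bound to the original order, so verification fails.
    tan_id, sms = srv.issue(user, payee, amount)
    mitb = srv.confirm(tan_id, user, "GB33BUKB20201555555555", 480000, code_from_sms(sms))

    return honest, replay, mitb


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The limit of this control is worth stating. If the malware rewrites the order before the bank ever sees it, the server's check passes, because the TAN was bound to the mule account all along; the only tell is the SMS repeating an account and amount the customer never entered. That is precisely why Zitmo sits on the phone to read and forward those messages: a second factor delivered to a compromised endpoint is no longer an independent channel, which is the case for the layered approach on page 31 rather than reliance on any single control.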

Page 27:

Social Engineering

• As financial institutions enhance their online security, the criminals are changing their avenue of attack

• Social engineering is used in various forms (phishing, spear phishing, or smishing, i.e. phishing by SMS)

Page 28:

US Bank Types Attacked - Phishing

Page 29:

Phishing Attacks per Month

Page 30:

Social Media

• Easy way for criminals to gather intimate details about members to use in fraud

• Easy way to send malware or Trojans to a large group of people from a “trusted” friend

• New frontier for phishing and social engineering attacks

Page 31:

Internet Banking Authentication

Regulators came out with guidance related to Internet banking authentication in June 2011 (the FFIEC's Supplement to Authentication in an Internet Banking Environment). The guidance called out the responsibility of financial institutions to:

• Differentiate between retail and business transaction risk

"Agencies recommend that institutions offer multifactor authentication to their business customers."

• Continue to focus on risk assessment

• Increase emphasis on layered security programs
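One layer the June 2011 guidance asks for is anomaly detection when a transaction is initiated, with more scrutiny for business accounts than retail ones. The Python below, an added example that is neither from the deck nor any regulator's reference implementation, scores a funds transfer against the customer's own history and returns allow, step-up (challenge with a second factor or callback) or hold (out-of-band verification before release). The signals, weights and thresholds are illustrative choices, and the customer history is constructed.

```python
"""Risk-scoring a funds transfer for layered security.

Added example, not from the deck. Builds a per-customer baseline from past
transfers and scores a new one on device, geography, payee, amount and
velocity; business accounts get extra weight on new payees. HISTORY and the
demo transfers are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Transfer:
    ts: int                 # seconds
    device_id: str
    country: str
    beneficiary: str
    amount_cents: int


@dataclass
class Profile:
    segment: str                                   # "retail" or "business"
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    beneficiaries: set = field(default_factory=set)
    max_amount_cents: int = 0
    recent_ts: list = field(default_factory=list)


def build_profile(segment: str, history: list[Transfer]) -> Profile:
    """What 'normal' looks like for this customer, from past transfers."""
    p = Profile(segment)
    for t in history:
        p.devices.add(t.device_id)
        p.countries.add(t.country)
        p.beneficiaries.add(t.beneficiary)
        p.max_amount_cents = max(p.max_amount_cents, t.amount_cents)
        p.recent_ts.append(t.ts)
    return p


def assess(p: Profile, t: Transfer):
    """Return (decision, reasons). Scores are additive; thresholds are illustrative."""
    score, reasons = 0, []
    if t.device_id not in p.devices:
        score += 3
        reasons.append("unrecognised device")
    if t.country not in p.countries:
        score += 2
        reasons.append("new country")
    if t.beneficiary not in p.beneficiaries:
        score += 3
        reasons.append("new payee")
        if p.segment == "business":                # higher loss exposure, more weight
            score += 2
    if p.max_amount_cents and t.amount_cents > 3 * p.max_amount_cents:
        score += 3
        reasons.append("amount far above history")
    if sum(1 for ts in p.recent_ts if 0 <= t.ts - ts < 3600) >= 3:
        score += 2
        reasons.append("high velocity")
    if score < 3:
        return "allow", reasons
    if score < 7:
        return "step_up", reasons      # second factor or callback before release
    return "hold", reasons             # out-of-band verification, human review


# Constructed history: one device, one country, two known payees, modest amounts.
HISTORY = [
    Transfer(1_000, "dev-1", "US", "payee-A", 12_000),
    Transfer(90_000, "dev-1", "US", "payee-B", 25_000),
    Transfer(180_000, "dev-1", "US", "payee-A", 8_000),
]


def demo():
    retail = build_profile("retail", HISTORY)
    business = build_profile("business", HISTORY)
    usual = Transfer(300_000, "dev-1", "US", "payee-A", 15_000)
    new_payee = Transfer(300_000, "dev-1", "US", "payee-C", 20_000)
    new_dev_payee = Transfer(300_000, "dev-9", "US", "payee-C", 15_000)
    takeover = Transfer(300_000, "dev-9", "RO", "payee-C", 480_000)   # 4,800.00 abroad
    return {
        "retail usual": assess(retail, usual)[0],
        "retail new payee": assess(retail, new_payee)[0],
        "retail new device+payee": assess(retail, new_dev_payee)[0],
        "retail takeover": assess(retail, takeover)[0],
        "business new payee": assess(business, new_payee)[0],
        "business new device+payee": assess(business, new_dev_payee)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same new-device-plus-new-payee transfer steps up a retail customer but holds a business one, which is the retail/business differentiation the guidance calls for expressed as a weight rather than a separate rule set. In production the baseline would come from months of history and the weights from measured fraud rates, and the decision would be logged with its reasons so the control can be audited.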

Page 32:

Questions? Contact Us

[email protected]