
Cyber Security in the 21st Century


Safe Harbor Statement
This presentation outlines certain practices that businesses should
consider to reduce the likelihood of loss caused by online fraud and
identity theft. This presentation does not purport to identify all existing
online fraud and identity theft practices and all fraud mitigation measures
that your business should consider implementing. There is no way to
guarantee that any set of protective measures will eliminate loss caused
by online fraud and identity theft. U.S. Bank is not responsible for losses
caused by online fraud and identity theft.

Agenda
• Context
• The Expanding Internet
• Cyber Crime Scale
• Today’s Threats
• Malware
• Preventing Business Account Takeover
• Avoid Being a Victim

Context
• The internet is incredibly convenient – banking and shopping with a few clicks of the mouse.
• Personal Banking
• 63 million Americans bank online (1)
• $3,500 average balance in “transaction accounts” (2)
• ~ $221 Billion managed online
• Shopping
• $1.042 Billion spent online the day after Thanksgiving 2012 (3)
• $1.465 Billion spent online the Monday after Thanksgiving 2012 (3)

• The internet holds a wealth of information
• Encyclopedia Britannica has 32 volumes – English Wikipedia, if bound identically, would consist of 1,673 volumes
• Birthdates, residences, phone numbers, email addresses – all conveniently located in one place – your Facebook or LinkedIn profile page!

1. Pew Research Center, Jan 2012
2. Federal Reserve 2010 Survey of Consumer Finances
3. comScore e-Commerce Measurement

The Expanding Internet
THE SUPERHIGHWAY: Pre-2000 vs. 2012

Analogy              Pre-2000                    2012
(1) Cars             Billions (1,000,000,000)    Quintillions (1,000,000,000,000,000,000)
    Speed            60 mph                      60,000 mph
(2) Lanes            4                           4,000
(3) On/Off Ramps     Millions (1,000,000)        Hundreds of Millions (800,000,000)

Cyber Crime Scale
[Chart: cybercrime victims, 347M → 431M (1)]

• 14 adults become victims of cybercrime every second, totaling more than one million victims each day (1)
• Cybercriminals unleash 3.5 new threats targeting businesses every second (2)
• 69% of breaches incorporated malware as part of the attack (3)

1. Norton Cybercrime Report 2011
2. Trend Micro “Small business is big business in cybercrime”
3. Verizon Breach Report 2012

Changing Cyber Threats
Insiders
• Often undetected for up to 32 months
• Culprits are employees – typically managers – with 5+ years’ experience
• Usually low-tech, relying on access privileges

Hacktivists
• Responsible for 58% of all data stolen in 2011
• Targets include CIA, FBI, Visa, MasterCard, Sony (breached 21 times in 2011), Amazon

Organized crime
• Cybercrime is maturing as a business, with marketing, support, advertising,
R&D, and economies of scale

Nation-states
• Since 2010, nation-state linked malware IDs increased from 1 to 8; 5 in 2012
• Gauss Malware targets financial services in the Middle East; steals credentials
• Technically sophisticated malware for espionage, data breaches, even sabotage

Changing Threats: Insiders
• Almost 1 in 10 who reported fraud suffered losses of more than $5 million.
• 56% of respondents said the most serious fraud was an ‘inside job’.
PWC Global Economic Crime Survey November 2011

Perpetrators of fraud by industry (% of reported frauds)

Industry                                Internal fraud   External fraud   Don't know
Financial services                      38               60               2
Insurance                               40               59               1
Technology                              45               45               10
Communications                          52               45               3
Professional services                   56               39               5
Hospitality & leisure                   58               42               –
Retail & consumer                       59               35               6
Entertainment & media                   59               41               –
Automotive                              63               24               13
Government/state-owned enterprises      67               29               4
Energy, utilities, & mining             68               28               4
Transportation & logistics              69               27               4
Manufacturing                           75               22               3
Pharmaceuticals & life sciences         75               23               2
Engineering & construction              77               21               2


Changing Threats: Hacktivists
• Hacktivism was responsible for 58% of all data stolen last year
• Hacktivist motives vary; nationalism, digital/electronic rights, privacy issues, copyright issues, Occupy Wall Street, even animal rights
• Hacktivist tactics depend on the size of the organization and the relative skill levels of its members. Some typical attacks are:

Vulnerabilities
• Broad scans of identified targets in search of easily-exploitable vulnerabilities
• May be the first choice, with DDoS as a last resort if no exploitable vulnerabilities are found
• A DDoS attack can be used as cover for a smaller team to exploit previously identified vulnerabilities

Denial of service
• Hacktivists use software tools to overload target servers and applications with requests; little technical skill required and there is strength in sheer numbers
• Goal is to bring down web sites and applications for hours or even days
• DDoS attacks like this are planned publicly, so there is usually lead time to prepare

Advanced persistent threats
• Highly skilled, technologically advanced and stealthy attacks by smaller teams
• Goal is to steal IP and authentication information, and PII for individuals & organizations
• Often has a spearphishing component, or other social engineering stage
• APTs linked with “watering hole” attacks, where malware is seeded at sites where targets of interest gather to see who they can snare

Changing Threats: Organized Crime
• Traditional organized crime is making inroads and extending operations into digital markets
• Young hacker stereotype turns out not to be the case – 43% of organized digital crime associates are over 35 – more than those who are under 25 (29%)
– Research indicates this is because the technology bar to digital crime has been lowered due to easy availability of ready-made, low-skill toolkits to make malware or manage botnets

TRADITIONAL INDICATOR      ONLINE PARALLEL
Extortion techniques       • Threats to close down systems by malware attacks
                           • Use of compromising browser records for blackmail
Control of gambling        • Development of new ‘offshore’ income streams
Control of drug markets    • Sales of illegal drugs
                           • Development of fake Viagra and other pseudo drug markets / spamming
Money laundering           • Laundering of digital income
                           • Global money mule systems
Counterfeiting             • Organized DVD copying gangs
                           • Organized intellectual copyright theft
                           • Carding and skimming
Sex & prostitution         • Creation of online pornography empires
                           • Links between escort sites, trafficking and organized groups

Organized crime in the digital age: the real picture, BAE Systems Detica-sponsored study, London Metropolitan University

Changing Threats: Nation-state Threats
• Double-threat from highly advanced and specialized malware & Advanced Persistent Threats
• Targets specific nations through government & civil organizations, commerce & infrastructure:
– Gauss focused on financial institutions
– Flame targeted companies and institutions in the Middle East
• Highly sophisticated and complex:
– Stuxnet probably required 10 man-years of development; Flame 20 times more complex
• Enables plausible deniability
– Researchers who analyze the code can’t be sure that they’re seeing more than what the writers want them to see.

[Chart: Rise of Malware Linked to Nation-States, timeline 2010–2013. Families shown: Stuxnet, Duqu, Flame, miniFlame, Gauss, Wiper, Shamoon, Madhi, Ixeshe (?); grouped by purpose: intelligence gathering, sabotage]
• Red lines indicate probable family link
• Only circumstantial evidence for Wiper link to Stuxnet family (it left very little forensic data)
• The status of Shamoon as nation-state malware has been questioned – some attribute it to nationalist hackers or cybercriminals

Attacks from Last Traceable Point of Origin
[Map: share of attacks by last traceable point of origin – 10-30%, 3-4%, 1%, 0.6%, 0.3%; 32.5% unknown origin]

USA
• Hosted ~50% of all phishing sites in 1H 2011
• Hosted ~45% of all phishing-based keyloggers or Trojan downloaders

Russia
• Produces 77% of all spam
• Source of many successful botnets; Rustock, Grum, Cutwail, and more

China
• 55,000 malware/intrusion incidents on DoD systems in 2010; large but unspecified number blamed on China
• Highest level of malware infections

*Trustwave Breach Report 2012
What is Malware?
• “Malware” is an umbrella term used to describe many forms of malicious software
• Common forms of malware:
• Worms – malware that can spread by itself (most other forms spread by attaching to a file).

• Trojans – malware that looks legitimate and tricks the user into activating it. Known to create “backdoors” that give malicious users access to the infected system.

• Viruses – malware that replicates itself by inserting itself into and becoming a part of a piece of legitimate software.

• Bots – malware that automates the use of system resources on the infected computer to interact with external computers. Causes “Denial of Service” (DoS) attacks.

The Business of Malware…
• 350 to 400 million PCs compromised
• $388 billion per year in losses resulting from cybercrime
• 431 million adults fall victim per year (69% of those surveyed by Symantec had been victims)

A big problem… getting bigger?
*2011 PandaLabs

How Malware Works
[Diagram: stages 0–4 with the actors at each stage – Malware Coder → Cyber Theft (criminals) → Victim → Money Mules → Mule Organization]

0 – Malware Service (Malware-as-a-Service)
Malware programmers:
- sell/lend malware.
- purchase/rent malware modules from other programmers
- use testing services such as checking detection by Anti-Virus software
- provide customers with customization, updates, and issue maintenance

1 – Malware Infection
Criminals:
- trick victims into opening infected attachments or visiting nefarious websites
- command bots to download malware (criminals lend/rent botnets)

2 – Credential Harvest
The victims visit their online banking websites and log on per the standard processes. The malware collects and transmits data back to the criminals.

3 – Money Theft
Criminals leverage the victim’s credentials to initiate funds transfers from the victim’s account to mules.

4 – Money Collection
Mule organizations collect money from mules and launder the money.

Malware Infection
• Phishing – “phishing” is the use of spam email designed to trick the recipient into clicking a hyperlink or opening an attachment
• Phishing emails often look official and have a clear “call to action”

• Most commonly look like email from banks, delivery services or law enforcement agencies

• Spear Phishing
• A phishing attack that is designed for a specific person. The attacker may conduct extensive research on a specific individual to customize the attack.

• Social Networks
• Attackers using social networks take advantage of the fact that most everyone is on another user’s “trusted” list

Social Engineering / Social Media
• Social engineering attacks occur by phone, email, or even in person
• A social engineer tricks people into giving away sensitive information, even passwords
• Social engineers are ‘hacking the human element’ – it’s easy and untrained employees won’t suspect

Typical approaches:
• “Do me a favor and help me out or I’ll get in trouble…”
• “This is business-critical and time is running out…”
• “Hi, I’m from the IT helpdesk and we’re doing a routine but complicated-sounding test, can you give me your…”
• “The Sales Director has asked me for this information…”
• “Why can’t you hurry this up? I don’t have all day…”

Social Media Malware – Automated social engineering:
• Malware can take over your social media account to:
• Send phishing emails to all your contacts
• Set your “like” status to a product you’ve never heard of, or to some malware-infected app
• Effective because it exploits the assumed trust we have in our networks – email typically comes from someone we know.
• 52% of companies surveyed at end of 2011 said they had seen an increase in social media attacks due to malware.

Man-In-The-Browser
• One of the most concerning types of malware attacks is called “Man-In-The-Browser” (MITB).
• Typically the result of a Trojan infection, MITB permits a cybercriminal to modify the infected machine’s browser and harvest user credentials.

• An infected browser looks like an uninfected browser, many times prompting the user for token-generated passwords and / or transaction PINs.

[Screenshot: login screen altered by MITB malware]

Prevent Business Account Takeover
• Dual Authorization
• If offered, utilize dual authorization for ACH / wire transactions and account administration

• Do not execute both authorizations from the same computer

• Business Account Settings
• Reset default transaction limits – many institutions set default transaction limits very high

• Remove those employees no longer with your organization from payroll rosters immediately

• Regularly review your account settings
Prevent Business Account Takeover
• Dedicated Computer
• Use a dedicated computer for online financial transactions

• No internet browsing except for bank transactions

• No email or internet-accessing applications

• Configure user accounts with least necessary privilege

How to Avoid Being a Victim
• Keep anti-virus software up to date
• AV software is not a silver bullet – only catches 40% of all documented malware! Use AV software as one part of your entire strategy to stay safe online.

• Smart internet browsing
• Stay away from websites ending in “.ru”

• Be very wary about downloading files, even from “trusted” websites

• Avoid downloading “plug-ins” for your browser

• Use strong passwords
• The longer the better (12 – 14 characters is optimal)

• Do not use dictionary words in your password

• Do not re-use passwords on different websites
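The three password rules above can be enforced at the point where a password is chosen. The following is an added example written for this page, not U.S. Bank's own code or a real password manager; the wordlist is a tiny constructed stand-in for a full dictionary, and the "used elsewhere" registry is simply a set of digests of passwords the user already has on other sites, kept only to detect re-use.

```python
"""Checks a candidate password against the slide's rules: length, dictionary
words, and re-use on another site (illustrative, not a storage scheme)."""
import hashlib
from typing import List, Set

MIN_LENGTH = 12  # lower end of the slide's "12 - 14 characters" range

# Constructed stand-in for a real dictionary; a deployment would load a full wordlist.
DICTIONARY = {"password", "welcome", "summer", "bank", "secret", "dragon", "football"}


def digest(password: str) -> str:
    """Fingerprint used only to compare against passwords already in use elsewhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_problems(password: str, used_digests: Set[str]) -> List[str]:
    """Return the rules a candidate password violates; an empty list means accepted."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    hits = sorted(word for word in DICTIONARY if word in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    if digest(password) in used_digests:
        problems.append("re-uses a password already in use on another site")
    return problems


if __name__ == "__main__":
    already_used = {digest("blue-Kettle#cloud-947")}  # constructed: password on site A
    for candidate in ("Summer2013!!", "blue-Kettle#cloud-947", "orange-Lamp!river-311"):
        print(candidate, "->", password_problems(candidate, already_used) or "accepted")
```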

How to Avoid Being a Victim (Continued)
• Social Network Safety
• Minimize the amount of personal information (birth date, address, etc.) you share on social networks

• Be careful when clicking on web links at social media sites

Nielsen Global Trust in Advertising Report for 2012

“Social media is most influential new media because we consider familiar voices to be trustworthy”
