1 April 2005

TOP IT Security Issues: An Examiner’s Perspective

Matthew Biliouris, Information Systems Officer – E&I

2 PACUA Technology Council Meeting – April 2005

EFS Products & Services

TRADITIONAL EFS
– ATM
– Wire Transfer
– ACH
– Automated Telephone Response Systems

3 PACUA Technology Council Meeting – April 2005

EFS Products & Services

TYPICAL INTERNET-BASED EFS
– A/C History Review
– Account Transfers
– Applications
– Withdrawal Requests

4 PACUA Technology Council Meeting – April 2005

EFS Products & Services

NEWER ON-LINE EFS
– Bill Payment / Presentment
– Account Aggregation
– Statement & Disclosure Delivery
– Check Imaging
– Credit Card Statement Access
– Downloads to Financial Software

5 PACUA Technology Council Meeting – April 2005

Account Aggregation

[Diagram of account aggregation across: Brokerage, CUs/Banks, 401K, Taxes, Credit Cards, Airline Miles, Bills, Travel, E-Mail, Shopping]

6 PACUA Technology Council Meeting – April 2005

Types of Web Sites

– Informational Sites: Marketing Info
– Interactive Sites: Secure Messaging, Loan Applications, Account Inquiry
– Fully Transactional Sites: Financial Transactions (transfer funds, pay bills, etc.)

7 PACUA Technology Council Meeting – April 2005

Credit Union Industry Statistics

[Chart: number of credit union websites by Website Type – Interactive, Non-Interactive, Total; y-axis 0 to 6,000]

8 PACUA Technology Council Meeting – April 2005

Credit Union Industry Statistics

[Chart: Website Growth (%) for Interactive, Non-Interactive and Total websites, semi-annually from Jun-99 to Dec-04; y-axis -20.0% to 60.0%]

9 PACUA Technology Council Meeting – April 2005

Credit Union Industry Statistics

Percentage of FICUs By Website Type, December 31, 2004

[Pie chart – None: 40.7%; Informational, Interactive and Transactional slices: 41.2%, 14.3%, 3.7% (slice-to-label pairing not recoverable from the extracted text)]

10 PACUA Technology Council Meeting – April 2005

Credit Union Industry Statistics

FICU Assets By Website Type, December 31, 2004

[Pie chart – None, Informational, Interactive, Transactional; slice values 3.5%, 4.3%, 90.0%, 2.2% (slice-to-label pairing not recoverable from the extracted text)]

11 PACUA Technology Council Meeting – April 2005

2004 CSI/FBI Survey

Security Trends

2004 Computer Security Institute & FBI Survey
– 494 security practitioner responses
– 19% of responders from the financial services industry

12 PACUA Technology Council Meeting – April 2005

Key Findings

– Unauthorized use and financial losses declined
– Virus and denial of service top cost
– Law enforcement reporting declined
– Security audits used
– Security outsourcing low
– Sarbanes-Oxley impact
– Security training needed

13 PACUA Technology Council Meeting – April 2005

Respondents

Respondents By Revenue
– Over $1B: 37%
– $100M-$1B: 20%
– $10M-$99M: 23%
– Under $10M: 20%

14 PACUA Technology Council Meeting – April 2005

Percentage of IT Budget Spent on Security

2004: 481 Respondents / 97%

[Bar chart: IT Budget Spent on Security, 2004; categories More than 10%, 8%-10%, 6%-7%, 3%-5%, 1%-2%, Less than 1%, Unknown; bar values as extracted: 8%, 8%, 7%, 22%, 24%, 16%, 14%; x-axis 0% to 30%]

15 PACUA Technology Council Meeting – April 2005

Unauthorized Use

Unauthorized Use of Computer Systems Within the Last 12 Months

[Chart: Yes / No / Don't Know by year, 1996 to 2004; y-axis 0% to 80%]

16 PACUA Technology Council Meeting – April 2005

Breach Frequency

How Many Security Breach Incidents?

[Chart: 1-5 / 6-10 / >10 / Don't Know by year, 1999 to 2004; y-axis 0% to 50%]

17 PACUA Technology Council Meeting – April 2005

Website Incidents

[Chart: 1 to 5 / 6 to 10 / More Than 10 by year, 1999 to 2004; y-axis 0% to 100%]

18 PACUA Technology Council Meeting – April 2005

Types of Losses

Dollar Amount of Losses By Type (000)

Type                          2004       2003
Sabotage                        871      5,149
System Penetration              902      2,754
Website Defacement              958          –
Misuse of Web Application     2,747          –
Telecom Fraud                 3,998        702
Unauthorized Access           4,278        406
Laptop Theft                  6,735      6,831
Financial Fraud               7,671     10,186
Abuse of Wireless Network    10,159          –
Insider Net Abuse            10,601     11,767
Theft of Proprietary Info.   11,460     70,196
Denial of Service            26,064     65,643
Virus                        55,054     27,382
Other                             0        781
Total                       141,498    201,797

(– = no 2003 value on the slide for that category)

19 PACUA Technology Council Meeting – April 2005

Computer Intrusions Actions Taken

Computer Intrusion(s) Within Last 12 Months: Actions Taken

[Chart: Patched Holes / Did Not Report / Reported to Law Enforcement / Reported to Legal Counsel by year, 1996 to 2004; y-axis 0% to 100%]

20 PACUA Technology Council Meeting – April 2005

Computer Intrusions Not Reported

The Reasons Organizations Did Not Report Intrusions to Law Enforcement

[Chart: Negative Publicity / Competitors Would Use to Advantage / Unaware That Could Report / Civil Remedy Seemed Best by year, 1996 to 2004; y-axis 0% to 100%]

21 PACUA Technology Council Meeting – April 2005

NCUA Strategic Plan 2003-2008

Goal #2:

Facilitate the ability of credit unions to safely integrate financial services and emerging technology in order to meet the changing expectations of their members.

22 PACUA Technology Council Meeting – April 2005

Frequent Question

Does NCUA expect all credit unions to develop and implement e-Commerce services?

NO!

NCUA encourages credit unions to consider offering e-Commerce services.


25 PACUA Technology Council Meeting – April 2005

Risk Assessment Process

1. Identify Risks
2. Understand Risks
3. Prioritize Risks
4. Develop & Implement Action Plans
5. Monitor

26 PACUA Technology Council Meeting – April 2005

Electronic Financial Services

Areas of Risk
– Transaction/Operational
– Compliance
– Reputation
– Strategic

27 PACUA Technology Council Meeting – April 2005

IS&T Exam Procedures

Before implementing product/service:
– Seek education as to the benefits & risks.
– Determine if risks are acceptable.
– Determine regulatory compliance requirements.
– Ensure a legal review of contracts.
– Assess the adequacy of staff expertise (technical, managerial, member service).

28 PACUA Technology Council Meeting – April 2005

IS&T Exam Procedures

Before implementing product/service (cont’d):
– Assess the adequacy of staff expertise (technical, managerial, member service).
– Determine best in-house/outsourcing solution.
– Evaluate necessary security measures.
– Research available bond coverage.
– Seek expert assistance when necessary.

29 PACUA Technology Council Meeting – April 2005

IS&T Exam Procedures

Before implementing product/service (cont’d):
– Complete due diligence of vendors.
– Involve all interested operational & audit functions in planning & implementation.
– Develop audit & performance mechanisms.
– Create or revise related policies and procedures.

30 PACUA Technology Council Meeting – April 2005

Security Programs

Gramm-Leach-Bliley Act – 501(b)
– Outlines specific objectives
– Requires NCUA to establish standards for safeguarding member records

31 PACUA Technology Council Meeting – April 2005

Security Programs

Credit Unions Must Have Process in Place to:
– Ensure Security & Confidentiality of Member Records
– Protect Against Anticipated Threats or Hazards
– Protect Against Unauthorized Access

Specifically Stated in §748.0(b)(2)

32 PACUA Technology Council Meeting – April 2005


Security Programs

Appendix A – Guidelines for Safeguarding Member Information
– Involvement of Board of Directors
– Assess Risk
– Manage & Control Risk
– Oversee Service Providers
– Adjust the Program
– Report to the Board

34 PACUA Technology Council Meeting – April 2005

Security Programs

Response Program Guidance
– Increasing Number of Security Events
– Congressional Inquiries
– GLBA Interpretation
– FFIEC Working Group
– Revise Part 748 – Add New Appendix B

35 PACUA Technology Council Meeting – April 2005

Security Programs

Credit Unions Must Have Process in Place to:
– Ensure Security & Confidentiality of Member Records
– Protect Against Anticipated Threats or Hazards
– Protect Against Unauthorized Access
– Respond to Incidents of Unauthorized Access to Member Information

36 PACUA Technology Council Meeting – April 2005


Security Programs

Appendix B – Guidance on Response Programs
– Components of a Response Program
  – Assessing Incident
  – Notifying NCUA/SSA
  – Notifying Law Enforcement Agencies
  – Containing/Controlling Incident
  – Notifying Affected Members

38 PACUA Technology Council Meeting – April 2005

Security Programs

Appendix B – Guidance on Response Programs
– Content of Member Notice
  – Account/Statement Review
  – Fraud Alerts
  – Credit Reports
  – FTC Guidance

39 PACUA Technology Council Meeting – April 2005

PART 748 APPENDIX B

Conflict with State Law – e.g., California Notice of Security Breach statute
– Requires notice to California residents when unencrypted member information is or may have been acquired by an unauthorized person
– Gramm-Leach-Bliley Preemption Standards: no intent to preempt where state law provides greater consumer protections

40 PACUA Technology Council Meeting – April 2005

NCUA Expectations

Potential Questionnaire:
– Incorporated into Overall Security Program
– Escalation Process / Incident Response
– Review of Notices – Attorney Review?
– Enterprise Wide Approach
– Reporting to Senior Management
– Member Outreach / Awareness Programs
– Employee Training Programs

41 PACUA Technology Council Meeting – April 2005

“Phishing”

42 PACUA Technology Council Meeting – April 2005

Quotes

“…The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company…”

Arthur Levitt

Former Chairman of the SEC

43 PACUA Technology Council Meeting – April 2005

Quotes

“Bogus e-mails that try to trick customers into giving out personal information are the hottest, and most troubling, new scam on the Internet.”

Jana Monroe

Assistant Director

Cyber Division of FBI

44 PACUA Technology Council Meeting – April 2005

Phishing 101

Phishing uses e-mail to lure recipients to bogus websites designed to fool them into divulging personal data.

45 PACUA Technology Council Meeting – April 2005

Phishing 101

E-mail
– Spoofed address
– Convincing
– Sense of urgency
– Embedded link (but not always)

46 PACUA Technology Council Meeting – April 2005

Phishing Trends

Anti-Phishing Working Group
Industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing.

APWG Members
– Over 400 members
– Over 250 companies
– 8 of the top 10 US banks
– 4 of the top 5 US ISPs
– Over 100 technology vendors
– Law enforcement from Australia, CA, UK, USA

47 PACUA Technology Council Meeting – April 2005

Phishing Trends

Source: Anti-Phishing Working Group Phishing Attack Trends Reports – March 2004 & May 2004

Unique Phishing Attacks

Dec '03       116
Jan '04       176
Feb '04       282
March '04     402
April '04   1,125
May '04     1,197

48 PACUA Technology Council Meeting – April 2005

Phishing Trends

[Image slide] Source: Anti-Phishing Working Group Phishing Attack Trends Report – May 2004

49–52 PACUA Technology Council Meeting – April 2005

Examples (June 2004)

[Four image slides] Source: Anti-Phishing Working Group Phishing Archive

53–54 PACUA Technology Council Meeting – April 2005

Examples (March 2004)

[Two image slides] Source: Anti-Phishing Working Group Phishing Archive

55 PACUA Technology Council Meeting – April 2005

Examples (May 2004)

[Image slide] Source: Anti-Phishing Working Group Phishing Archive

56 PACUA Technology Council Meeting – April 2005

Phishing Action Plans – Employee Education

Training / Policy Development
– Awareness
– Handling complaints & reports of suspicious e-mails/sites
– Protect on-line identity of credit union
– Response Plan

57 PACUA Technology Council Meeting – April 2005

Phishing Action Plans – Member Education

Communication Methods
– Internet Banking Agreements
– Newsletters
– Statement Stuffers
– Recordings when on “hold”
– Website (FAQs / Advisories / Links)

58 PACUA Technology Council Meeting – April 2005

Action Plan Ideas - Education


61 PACUA Technology Council Meeting – April 2005

Phishing Action Plan Ideas – Member Education

Content
– We will never ask for xxx via e-mail
– We will never alert you of xxx via e-mail
– Always feel free to call us at # on statement
– Always type in our site URL (see statement / newsletter / previous bookmark)

62 PACUA Technology Council Meeting – April 2005

Phishing Action Plan Ideas – Member Education

Content (cont’d)
– Sites can be convincingly copied
– Report suspicious e-mails & sites
– Where to get more advice on phishing
– Importance of patching
– How to validate site (via cert or seal)
– Where to go for ID theft help

63 PACUA Technology Council Meeting – April 2005

Phishing Action Plan Ideas – Protection of CU’s Online Identity

Considerations:
– Keep certificates up-to-date
– Practice good domain name controls
– Don’t let URLs lapse
– Purchase similar URLs / Search for similar URLs

64 PACUA Technology Council Meeting – April 2005

Phishing Resources

NCUA
– (8/03) LTR 03-CU-12 Fraudulent Newspaper Advertisements, and Websites by Entities Claiming to be Credit Unions
– (04/04) LTR 04-CU-05 Fraudulent E-Mail Schemes
– (05/04) LTR 04-CU-06 E-Mail & Internet Related Fraudulent Schemes Guidance

FFIEC Agency Brochure

65 PACUA Technology Council Meeting – April 2005

Action Plan Ideas - Education


67 PACUA Technology Council Meeting – April 2005

Phishing Resources

NCUA Related guidance:
– (12/02) LTR 02-CU-16 Protection of CU Internet Addresses
– (7/02) LTR 02-FCU-11 Tips to Safely Conduct Financial Transactions Over the Internet
– (09/01) LTR 01-CU-09 Identity Theft & Pretext Calling

Working with External Sources

Article in NCUA News

68 PACUA Technology Council Meeting – April 2005

Inside the Examiner’s Playbook

– Think Globally
– Vendor Management
– Security Program (Part 748)
– Employee Remote Access
– Risk Assessment
– Patch Management
– IDS/Incident Response
– Virus Definition Updates
– BCP
– Formal Policies


78 PACUA Technology Council Meeting – April 2005

FFIEC IT Handbook

79 PACUA Technology Council Meeting – April 2005

FFIEC IT Examination Handbook

– Development & Acquisition
– Management
– Operations
– Outsourcing
– Retail Payment Systems
– Wholesale Payment Systems

Issued:
– BCP
– Information Security
– Supervision of TSPs
– Audit
– E-Banking
– Fedline


87 PACUA Technology Council Meeting – April 2005

Contact Information:

Matthew Biliouris

703-518-6394

[email protected]

Questions??