Cyber Security and Data Privacy
BBK
Overview
The current cybersecurity landscape is complex.
Attackers develop new and ingenious methods of compromising systems on a daily basis.
Security researchers continue to find vulnerabilities in applications, products, and operating systems.
In the current cybersecurity landscape, attackers are finding it simpler to monetize their activities, either by deploying ransomware that encrypts a target's data and systems and demanding payment for a solution, or by deploying coin-mining software that generates cryptocurrency using the resources of the target organization's infrastructure.
Cybersecurity terms and industry buzzwords
Phishing
A technique used by hackers to obtain sensitive information. For example, using
hand-crafted email messages designed to trick people into divulging personal or
confidential data such as passwords and bank account information.
Smishing
Vishing
Vishing is a form of phishing that uses the phone
system or VoIP. Some vishing attempts are fully
automated.
Others start automated but an attacker takes
over at some point during the call.
Social Engineering
Social engineering is the practice of using social tactics to gain information.
It's often low-tech and encourages individuals to do something they wouldn't normally do, or causes them to reveal some piece of information, such as user credentials.
Social engineering uses social tactics to trick users into giving up information or performing actions they wouldn't normally take.
Social engineering attacks can occur in person, over the phone, while surfing the Internet, and via email.
Impersonation
Email Impersonation
Shoulder Surfing
Hoax Messages
Dumpster Diving
Software
A set of programs that tell a computer to perform a task. These instructions are compiled into a package that users can install and use.
For example, Microsoft Office is application software.
Cloud
A technology that allows us to access our files and/or services through the internet from anywhere in the world.
Technically speaking, it's a collection of computers with large storage capabilities that remotely serve requests.
Breach
The moment a hacker successfully exploits a vulnerability in a
computer or device, and gains access to its files and network.
Malware
• An umbrella term that describes all forms of malicious software designed to wreak havoc on a computer.
• Common forms include viruses, trojans, worms and ransomware.
Virus
• A type of malware intended to corrupt, erase or modify information on a computer before spreading to others.
Ransomware
• A form of malware that deliberately prevents you from accessing files on your computer, holding your data hostage. It will typically encrypt files and request that a ransom be paid in order to have them decrypted or recovered.
• For example, WannaCry.
Trojan Horse
• A piece of malware that often allows a hacker to gain remote access to a computer through a back door.
Bot / Botnet
• A type of software application or script that performs tasks on command, allowing an attacker to take complete remote control of an affected computer.
• A collection of these infected computers is known as a botnet and is controlled by the hacker or bot-herder.
DoS / DDoS
• DDoS is an acronym that stands for distributed denial of service, a form of cyber attack. This attack aims to make a service such as a website unusable by flooding it with malicious traffic or data from multiple sources (often botnets).
BYOD (Bring Your Own Device)
• Refers to a company security policy that allows employees' personal devices to be used in business. A BYOD policy sets limitations and restrictions on whether or not a personal phone or laptop can be connected to the corporate network.
APT (Advanced Persistent Threat)
• A security breach that enables an attacker to gain access to or control over a system for an extended period of time, usually without the owner of the system being aware of the violation.
• Often an APT takes advantage of numerous unknown vulnerabilities or zero-day attacks, which allow the attacker to maintain access to the target even as some attack vectors are blocked.
Backdoor
Key Loggers
Adware
Cyber Security Standards and Frameworks
Agenda
• Frameworks and Standards Introduction
• NIST Cybersecurity Framework
• ISO 27001 (ISMS)
• PCI Standards
• Software Assurance Maturity Model
Frameworks and Standards Introduction
Cybersecurity Framework
Characteristics of a Cybersecurity Framework
Objectives of a Cybersecurity Framework
• Describe the current security posture
• Describe the target security posture
• Assess progress towards the target posture
• Communicate risk
• Continuous improvement
Frameworks
NIST Cybersecurity Framework
NIST CSF - Components Overview
ISO 27001 (ISMS)
Overview of ISO 27001
ISO 27001 is the international standard, recognised globally, for managing risks to the security of the information you hold.
Certification to ISO 27001 allows you to prove to your clients and other stakeholders that you are managing the security of your information.
ISO 27001:2013 (the current version of ISO 27001) provides a set of standardised requirements for an Information Security Management System (ISMS).
The standard adopts a process-based approach for establishing, implementing, operating, monitoring, maintaining, and improving your ISMS.
ISO 27001 - Components
ISO 27001 - Implementation Process
PCI Standards
Overview of PCI
• PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data.
• The standards apply to all organizations that store, process or transmit cardholder data, with guidance for software developers and manufacturers of applications and devices used in those transactions.
• The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
PCI Security Standards Include - 1
• PCI Data Security Standard (DSS)
• The PCI DSS applies to all entities that store, process, and/or transmit cardholder data.
• It covers technical and operational system components included in or connected to cardholder data.
• If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.
PCI Security Standards Include - 2
• PIN Transaction (PTS) Security Requirements
• PCI PTS (formerly PCI PED) is a set of security requirements focused on the characteristics and management of devices used in the protection of cardholder PINs and other payment-processing related activities.
• The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it.
• Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC.
PCI Security Standards Include - 3
• Payment Application Data Security Standard (PA-DSS)
• The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement, when these applications are sold, distributed or licensed to third parties.
• Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC.
PCI Security Standards Include - 4
• PCI Point-to-Point Encryption Standard (P2PE)
• This Point-to-Point Encryption (P2PE) standard provides a comprehensive set of security requirements for P2PE solution providers to validate their P2PE solutions, and may help reduce the PCI DSS scope of merchants using such solutions.
• P2PE is a cross-functional program that results in validated solutions incorporating the PTS Standards, PA-DSS, PCI DSS, and the PCI PIN Security Standard.
PCI DSS goals and Requirements
SAMM
Overview of SAMM
The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
SAMM was defined with flexibility in mind, such that it can be utilized by small, medium, and large organizations using any style of development.
The foundation of the model is built upon the core business functions of software development, with security practices tied to each.
SAMM - Components
Bangladesh Central Bank Fraud - 2016
About
Bangladesh Bank Heist
• The Bangladesh Bank heist is just one of several recent high-profile data breaches that have affected hundreds of millions of consumers and that illustrate how attackers exploit weaknesses across the cybersecurity, fraud and anti-money-laundering (AML)
Trap Setup
• In January 2015, an innocuous-looking email had been sent to several Bangladesh Bank employees.
• It came from a job seeker calling himself Rasel Ahlam. His polite enquiry included an invitation to download his CV and cover letter from a website.
• In reality, Rasel did not exist; he was simply a cover name being used by the Lazarus Group, according to FBI investigators, the report says.
• At least one person inside the bank fell for the trick, downloaded the documents, and got infected with the viruses hidden inside.
• Once inside the bank's systems, the Lazarus Group began stealthily hopping from computer to computer, working their way towards the digital vaults and the billions of dollars they contained.
• The actual draining of the accounts happened only a year later, the report says, because the hackers were lining up the next stages, planning how to remove the money in such a way that it would not be possible to retrieve it.
What happened between February 4-7, 2016
On 4th Feb 2016:
• Hackers attempted to steal $951 million from the Bangladesh Central Bank (BCB) in Dhaka.
• $81 million was sent to Rizal Commercial Banking Corporation in the Philippines via four different transfer requests.
• An additional $20 million was sent to Pan Asia Banking (Sri Lanka) in a single request.
• Bangladesh Bank managed to halt $850 million in other transactions.
About the $81 Million
• $81 million was deposited into four accounts at a Rizal branch in Manila on 4th Feb 2016.
• These accounts had all been opened a year earlier, in May 2015, but had been inactive with just $500 sitting in them until the stolen funds arrived in February 2016.
How did the hackers do it?
How did they do it? - Part 1
• The theft involved manipulating the SWIFT system and used the SWIFT credentials of Bangladesh Central Bank employees.
• Pretending to be the BCB, the thieves sent fake instructions over SWIFT to the New York Fed, asking for some funds to be transferred to bank accounts in Southeast Asia.
• The bank's SWIFT system is configured to automatically print out a record each time a money transfer request goes through.
How did they do it? - Part 2
• But in this case, the attackers disabled the BCB's printers with a piece of malware.
• This meant the bank's employees in Bangladesh were not aware that the heist was going on.
• By the time the BCB reactivated its printer and received the notifications of the transfers (and requests from the New York Fed for clarification), it was already too late and the money had been sent.
How Bangladesh Bank identified the attack
How did BCB identify the attack? - Part 1
• The printer works 24 hours so that when workers arrive each morning, they check the tray for transfers that got confirmed overnight.
• But on the morning of Friday February 5, the director of the bank found the printer tray empty.
• When bank workers tried to print the reports manually, they couldn't.
• The software on the terminal that connects to the SWIFT network indicated that a critical system file was missing or had been altered.
How did BCB identify the attack? - Part 2
• When they finally got the software working the next day (5th Feb 2016) and were able to restart the printer, dozens of suspicious transactions spat out.
• The Fed bank in New York had apparently sent queries to Bangladesh Bank questioning dozens of the transfer orders, but no one in Bangladesh had responded.
• They contacted SWIFT and the New York Fed, but the attackers had timed their heist well; because it was the weekend in New York, no one there responded.
• It wasn't until Monday that bank workers in Bangladesh finally learned that four of the transactions had gone through, amounting to $101 million.
How the US Fed identified the attack
• The hackers might have stolen much more if not for a typo in one of the money transfer requests that caught the eye of the Federal Reserve Bank in New York.
• The hackers apparently had indicated that at least one of the transfers should go to the Shalika Foundation, but they misspelled "foundation" as "fandation".
How much money was recovered?
• Bangladesh Bank managed to get Pan Asia Banking to cancel the $20 million that it had already received and reroute that money back to Bangladesh Bank's New York Fed account.
• But the $81 million that went to Rizal Bank in the Philippines was gone.
• It had already been credited to multiple accounts, reportedly belonging to casinos in the Philippines.
What happened to the $81 million?
• At least $21 million of the stolen funds reportedly ended up in the Philippine bank account of Eastern Hawaii, a company run by Chinese businessman Kim Wong, who says he received it as payment for helping a Chinese client settle a casino debt.
• Casinos in that country are not covered by anti-money laundering laws, which means there are gaps in record-keeping around where money goes once a casino obtains it.
How did they save $850 million?
• The RCBC Bank branch in Manila to which the hackers tried to transfer $951m was in Jupiter Street.
• There are hundreds of banks in Manila that the hackers could have used, but they chose this one, and the decision cost them hundreds of millions of dollars.
• The transactions were held up at the Fed because the address used in one of the orders included the word "Jupiter", which is also the name of a sanctioned Iranian shipping vessel.
• This led to an automatic review of the payment transfers, which were stopped because of the imposed sanctions.
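The control that held the orders above is ordinary sanctions screening: every free-text field of an outgoing payment is compared against a watchlist, and a match stops the payment for manual review rather than letting it flow straight through. The following Python is an added example written for this page, not code from the slides, from SWIFT or from any bank. It screens constructed payment orders against a constructed watchlist (the word "Jupiter" is on it because the slides name that vessel; the other entry, the order references, names and amounts are made up) and shows the whole-word matching that makes a street called Jupiter a hit while an unrelated word such as "Jupiterian" is not.

```python
"""Watchlist screening of outgoing payment orders (added example)."""
import re
from dataclasses import dataclass, field

# Constructed watchlist. A production screener would load an official
# sanctions list; "JUPITER" is here because the slides name that vessel.
WATCHLIST = {"JUPITER", "EXAMPLE SHIPPING CO"}

# Free-text fields of an order that the screener compares against the list.
SCREENED_FIELDS = ("beneficiary", "beneficiary_address", "remittance_info")


@dataclass
class PaymentOrder:
    ref: str                 # constructed order reference
    amount_usd: float
    beneficiary: str
    beneficiary_address: str
    remittance_info: str = ""


@dataclass
class ScreeningResult:
    ref: str
    hold: bool                                   # True: stop and review manually
    hits: list = field(default_factory=list)     # (field name, matched term)


def normalise(text: str) -> str:
    """Upper-case and strip punctuation so 'Jupiter St.' and 'JUPITER STREET'
    are compared on the same footing."""
    return " ".join(re.sub(r"[^A-Za-z0-9 ]+", " ", text).upper().split())


def screen_order(order: PaymentOrder, watchlist=WATCHLIST) -> ScreeningResult:
    """Hold the order if any watchlist term occurs as a whole word or phrase
    in any screened free-text field. Padding both sides with spaces gives
    whole-word matching: 'Jupiterian' does not match 'JUPITER', but a street
    named Jupiter does, which is the false positive described in the slides."""
    hits = []
    for name in SCREENED_FIELDS:
        padded = f" {normalise(getattr(order, name))} "
        for term in sorted(watchlist):
            if f" {normalise(term)} " in padded:
                hits.append((name, term))
    return ScreeningResult(order.ref, hold=bool(hits), hits=hits)


def screen_batch(orders, watchlist=WATCHLIST):
    """Screen a batch and split it into held and released orders."""
    results = [screen_order(o, watchlist) for o in orders]
    held = [r for r in results if r.hold]
    released = [r for r in results if not r.hold]
    return held, released


# Constructed sample batch (references, names and amounts are made up).
SAMPLE_ORDERS = [
    PaymentOrder("ORD-0001", 30_000_000.0, "Example Foundation",
                 "12 Jupiter Street, Manila"),
    PaymentOrder("ORD-0002", 250_000.0, "Acme Trading Ltd",
                 "1 Harbour Road, Singapore", "Invoice 4411"),
    PaymentOrder("ORD-0003", 1_200.0, "Jupiterian Goods Inc",
                 "5 Ring Avenue, Colombo"),
    PaymentOrder("ORD-0004", 20_000_000.0, "Sample Casino Corp",
                 "9 Beach Walk, Manila", "Settlement via Example Shipping Co."),
]

if __name__ == "__main__":
    held, released = screen_batch(SAMPLE_ORDERS)
    for r in held:
        print(f"HOLD    {r.ref}: {r.hits}")
    for r in released:
        print(f"RELEASE {r.ref}")
```

Running the block holds ORD-0001 (street name hit) and ORD-0004 (remittance text hit) and releases the other two. The design point is that the hold is automatic and the release of a held order is a human decision: a screener that only logged the match, or that matched on exact beneficiary names alone, would have let the Jupiter Street order through.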
Summary of Heist
• The attackers first exploited cyber weaknesses by designing custom malware to bypass controls and network logging systems.
• They then abused gaps in fraud controls by using the Bangladesh Central Bank's credentials to gain unauthorized access to networks and by setting up fraudulent bank accounts to receive and transfer the stolen funds.
• Finally, the attackers laundered the stolen money through casinos in the Philippines.
Did the Attackers Compromise SWIFT?
• Not directly. According to SWIFT, they obtained valid credentials the banks use to conduct money transfers over SWIFT and then used those credentials to initiate money transactions as if they were legitimate bank employees.
• Bangladesh Bank was to blame: the bank reportedly didn't have firewalls installed on its networks, raising the possibility that hackers may have breached the network and found the credentials stored on the system.
How Did the Hackers Cover Their Tracks?
• They installed malware on the bank's network to prevent workers from discovering the fraudulent transactions quickly.
• In the case of Bangladesh Bank, the malware subverted the software used to automatically print SWIFT transactions.
• The hackers installed it on the bank's system some time in January, not long before they initiated the bogus money transfers on 4th Feb.
Bank in Vietnam
Malware
• The custom malware targeted a PDF reader the bank used to record SWIFT money transfers.
• The malware apparently manipulated the PDF reports to remove any trace of the fraudulent transactions from them, according to SWIFT.
Who's to Blame?
• Bangladesh Bank blames the Federal Reserve Bank of New York for allowing the money transfers to go through instead of waiting for confirmation from Bangladesh.
• The New York Fed counters that it contacted the bank to question and verify dozens of suspicious transfers and never got a response.
• Authorities at the Reserve Bank said that workers followed the correct procedures in approving the five money transfers that went through and blocking 30 others.
Sony Hack
• Malware found on Bangladesh Bank's system shares similarities with some of the malware found in the Sony hack, which the US government attributed to North Korea.
Learnings
• In Manila, Philippines, workers at the Rizal Commercial Banking Corporation allowed the attackers to open accounts using fake driving licenses; these accounts were then used to receive and traffic stolen funds.
• There is evidence that the workers who installed the SWIFT system in BCB did not follow official guidelines, and that could have opened up security vulnerabilities.
• There is also evidence of slack procedure in New York: there were numerous inconsistencies in the fraudulent SWIFT orders which should have been spotted.
Beware of Human Error
Cloud Models
What is Data Protection?
Data Protection
Data Protection: Data Security and Data Privacy
Security
• System Security
• Network Security
• Access Control
• Activity Monitoring
• Incident Management
• Cloud Security
Privacy
• Data Classification
• Customer Consent
• Data Exchange Policies
• Data Erasure
• Data Retention
• 3rd Party Data Sharing
How do these policies get enforced? What data is important and why?
Data Security vs Data Privacy
• Data Security: Confidentiality, Integrity, Availability
• Data Privacy: Traceability, Linkability, Identifiability
A typical data privacy law applies to:
• Every individual normally living
• Every business located
• Individuals and businesses residing in foreign countries, who collect the personal data of individuals for a specific country
Principles of Data Processing
Data Processors & Data Controllers (Corporates & Businesses)
Lawfulness, Fairness and Transparency
• Shall always process personal data in a fair, lawful and transparent manner, in line with the requirements of the Data Privacy Law.
Purpose Limitation
• Shall only process personal data for a specified and lawful purpose.
• Shall not use the data for another purpose unless conditions are met (consent from the Data Subject is taken).
Data Minimization
• Should ensure that only the personal data which is truly needed to conduct business is processed, and nothing more.
Accuracy
• Should ensure personal data is kept up to date, and that necessary measures are in place for correcting and updating inaccurate data.
Storage Limitation
• Will not keep personal data for longer than it is needed.
• It should be securely destroyed after the defined retention period.
Accountability
• Will ensure all appropriate measures and records are in place to be able to demonstrate the Data Processor's and Data Controller's compliance with the Data Protection Law.
Rights of Individuals in Various Privacy Laws
01 Objection: Individuals can object to the processing of their personal data by an organization.
02 Automated decision making and profiling: Individuals can object to decisions made about them based solely on automated and mechanical processing.
03 Cause Moral Damage: Individuals can object to the processing of their personal data if they feel it can cause moral damage.
04 Transfer Personal Data: Individuals have the ability to receive their data in an organized, commonly used, machine-readable form.
05 Correct personal data: Individuals can have their personal data rectified if inaccurate, or completed if it is incomplete.
06 Right to erasure *: Individuals can have their personal data deleted without undue delay.
07 Submit Complaints: Individuals can submit a complaint to the PDPA if they believe there has been a breach of the provisions of the Data Protection Law.
Lesson Summary
• Understand the characteristics of frameworks
• Understand the components and implementation guidelines of:
  • NIST Cybersecurity Framework
  • ISO 27001 (ISMS)
  • PCI-DSS
  • Software Assurance Maturity Model
Thank you

More Related Content

Cyber Security and Data Privacy - presentation

  • 1. Cyber Security and Data Privacy BBK
  • 2. Overview The current cybersecurity landscape is complex. Attackers develop new and ingenious methods of compromising systems on a daily basis. Security researchers continue to find vulnerabilities in applications, products, and operating systems. In the current cybersecurity landscape, attackers are finding it simpler to monetize their activities, either by deploying ransomware that encrypts a targets data and system and demanding payment for a solution, or by deploying coin mining software that generates cryptocurrency using the resources of the target organizations infrastructure
  • 15. Cybersecurity terms and Industry buzzwords
  • 16. Phishing A technique used by hackers to obtain sensitive information. For example, using hand-crafted email messages designed to trick people into divulging personal or confidential data such as passwords and bank account information.
  • 29. Vishing Vishing is a form of phishing that uses the phone system or VoIP. Some vishing attempts are fully automated. Others start automated but an attacker takes over at some point during the call.
  • 33. Social Engineering Social engineering is the practice of using social tactics to gain information. Its often low- tech and encourages individuals to do something they wouldnt normally do, or cause them to reveal some piece of information, such as user credentials. Social engineering uses social tactics to trick users into giving up information or performing actions they wouldnt normally take. Social engineering attacks can occur in person, over the phone, while surfing the Internet, and via email.
  • 46. Software A set of programs that tell a computer to perform a task. These instructions are compiled into a package that users can install and use. For example, Microsoft Office is an application software.
  • 47. Cloud A technology that allows us to access our files and/or services through the internet from anywhere in the world. Technically speaking, its a collection of computers with large storage capabilities that remotely serve requests.
  • 48. Breach The moment a hacker successfully exploits a vulnerability in a computer or device, and gains access to its files and network.
  • 49. An umbrella term that describes all forms of malicious software designed to wreak havoc on a computer. Common forms include: viruses, trojans, worms and ransomware. Malware
  • 50. A type of malware aimed to corrupt, erase or modify information on a computer before spreading to others. Virus
  • 51. A form of malware that deliberately prevents you from accessing files on your computer holding your data hostage. It will typically encrypt files and request that a ransom be paid in order to have them decrypted or recovered. For example, WannaCry Ransomware Ransomware
  • 54. A piece of malware that often allows a hacker to gain remote access to a computer through a back door. Trojan Horse
  • 55. A type of software application or script that performs tasks on command, allowing an attacker to take complete control remotely of an affected computer. A collection of these infected computers is known as a botnet and is controlled by the hacker or bot-herder. Bot / Botnet
  • 57. An acronym that stands for distributed denial of service a form of cyber attack. This attack aims to make a service such as a website unusable by flooding it with malicious traffic or data from multiple sources (often botnets). Dos / DDOS
  • 59. BYOD (Bring Your Own Device) Refers to a company security policy that allows for employees personal devices to be used in business. A BYOD policy sets limitations and restrictions on whether or not a personal phone or laptop can be connected over the corporate network. BYOD
  • 60. APT (Advanced Persistent Threat) A security breach that enables an attacker to gain access or control over a system for an extended period of time usually without the owner of the system being aware of the violation. Often an APT takes advantage of numerous unknown vulnerabilities or zero day attacks, which allow the attacker to maintain access to the target even as some attack vectors are blocked. APT
  • 74. Frameworks and Standards Introduction NIST Cybersecurity Framework ISO 27001 ( ISMS ) PCI Standards Software Assurance Maturity Model Agenda
  • 77. Characteristics of a Cybersecurity Framework
  • 78. Objectives of Cybersecurity Framework Describe current Security Posture Describe Target Security Posture Assess Progress towards the target posture Communicate Risk Continuous Improvement Continuous Improvement
  • 81. NIST CSF Components Overview
  • 82. ISO 27001 ( ISMS )
  • 83. Overview of ISO 27001 ISO 27001 is the international standard which is recognised globally for managing risks to the security of information you hold. Certification to ISO 27001 allows you to prove to your clients and other stakeholders that you are managing the security of your information. ISO 27001:2013 (the current version of ISO 27001) provides a set of standardised requirements for an Information Security Management System (ISMS). The standard adopts a process based approach for establishing, implementing, operating, monitoring, maintaining, and improving your ISMS.
  • 84. ISO 27001 - Components
  • 85. ISO 27001 Implementation Process
  • 87. PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that store,process or transmit cardholder data with guidance for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Overview of PCI
  • 89. PCI Data Security Standard (DSS) The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS. PCI Security Standards Include - 1
  • 90. PIN Transaction (PTS) Security Requirements PCI PTS (formerly PCI PED) is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities. The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it. Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC PCI Security Standards Include - 2
  • 91. Payment Application Data Security Standard (PA-DSS) The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. PCI Security Standards Include - 3
  • 92. PCI Point-to-Point Encryption Standard (P2PE) This Point-to-Point Encryption (P2PE) standard provides a comprehensive set of security requirements for P2PE solution providers to validate their P2PE solutions, and may help reduce the PCI DSS scope of merchants using such solutions. P2PE is a cross-functional program that results in validated solutions incorporating the PTS Standards, PA-DSS, PCI DSS, and the PCI PIN Security Standard PCI Security Standards Include - 2
  • 93. PCI DSS goals and Requirements
  • 94. SAMM
  • 95. Overview of SAMM The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development. The foundation of the model is built upon the core business functions of software development with security practices tied to each other
  • 97. About the Bangladesh Central Bank Fraud - 2016
  • 98. Bangladesh Bank Heist: The Bangladesh Bank heist is just one of several recent high-profile data breaches that have affected hundreds of millions of consumers and that illustrate how attackers exploit weaknesses across the cybersecurity, fraud and anti-money-laundering (AML)
  • 99. Trap Setup: In January 2015, an innocuous-looking email had been sent to several Bangladesh Bank employees. It came from a job seeker calling himself Rasel Ahlam. His polite enquiry included an invitation to download his CV and cover letter from a website. In reality, Rasel did not exist; he was simply a cover name being used by the Lazarus Group, according to FBI investigators, the report says.
  • 100. At least one person inside the bank fell for the trick, downloaded the documents, and got infected with the viruses hidden inside. Once inside the bank's systems, the Lazarus Group began stealthily hopping from computer to computer, working their way towards the digital vaults and the billions of dollars they contained. The actual draining of the accounts happened only a year later, the report says, because the hackers were lining up the next stages, planning how to remove the money in such a way that it would not be possible to retrieve it.
  • 101. What happened between February 4-7, 2016 (on 4th Feb 2016): Hackers attempted to steal $951 million from the Bangladesh Central Bank (BCB) in Dhaka. $81 million was sent to Rizal Commercial Banking Corporation in the Philippines via four different transfer requests, and an additional $20 million was sent to Pan Asia Banking (Sri Lanka) in a single request. Bangladesh Bank managed to halt $850 million in other transactions.
  • 102. About the $81 million: $81 million was deposited into four accounts at a Rizal branch in Manila on 4th Feb 2016. These accounts had all been opened a year earlier, in May 2015, but had been inactive, with just $500 sitting in them, until the stolen funds arrived in February 2016.
  • 103. How did the hackers do it?
  • 104. How did they do it? Part 1: The theft involved manipulating the SWIFT system using the SWIFT credentials of Bangladesh Central Bank employees. Pretending to be the BCB, the thieves sent fake instructions over SWIFT to the New York Fed, asking for funds to be transferred to bank accounts in Southeast Asia. The bank's SWIFT system is configured to automatically print out a record each time a money transfer request goes through.
  • 105. How did they do it? Part 2: But in this case, the attackers disabled the BCB's printers with a piece of malware. This meant the bank's employees in Bangladesh were not aware that the heist was going on. By the time the BCB reactivated its printer and received the notifications of the transfers and the requests from the New York Fed for clarification, it was already too late and the money had been sent.
  • 106. How Bangladesh Bank identified the attack
  • 107. How did BCB identify the attack? Part 1: The printer works 24 hours so that when workers arrive each morning, they check the tray for transfers that got confirmed overnight. But on the morning of Friday February 5, the director of the bank found the printer tray empty. When bank workers tried to print the reports manually, they couldn't. The software on the terminal that connects to the SWIFT network indicated that a critical system file was missing or had been altered.
  • 108. How did BCB identify the attack? Part 2: When they finally got the software working the next day (5th Feb 2016) and were able to restart the printer, dozens of suspicious transactions spat out. The Fed bank in New York had apparently sent queries to Bangladesh Bank questioning dozens of the transfer orders, but no one in Bangladesh had responded. They contacted SWIFT and the New York Fed, but the attackers had timed their heist well; because it was the weekend in New York, no one there responded. It wasn't until Monday that bank workers in Bangladesh finally learned that four of the transactions had gone through, amounting to $101 million.
  • 109. How the US Fed identified the attack
  • 110. How the US Fed identified the attack: The hackers might have stolen much more if not for a typo in one of the money transfer requests that caught the eye of the Federal Reserve Bank in New York. The hackers apparently had indicated that at least one of the transfers should go to the Shalika Foundation, but they misspelled "foundation" as "fandation".
  • 111. How much money was recovered?
  • 112. How much was recovered? Bangladesh Bank managed to get Pan Asia Banking to cancel the $20 million that it had already received and reroute that money back to Bangladesh Bank's New York Fed account. But the $81 million that went to Rizal Bank in the Philippines was gone. It had already been credited to multiple accounts, reportedly belonging to casinos in the Philippines.
  • 113. What happened to the $81 million: At least $21 million of the stolen funds reportedly ended up in the Philippine bank account of Eastern Hawaii, a company run by Chinese businessman Kim Wong, who says he received it as payment for helping a Chinese client settle a casino debt. Casinos in that country are not covered by anti-money laundering laws, which means there are gaps in record-keeping around where money goes once a casino obtains it.
  • 114. How did they save $850 million: The RCBC Bank branch in Manila to which the hackers tried to transfer $951m was in Jupiter Street. There are hundreds of banks in Manila that the hackers could have used, but they chose this one, and the decision cost them hundreds of millions of dollars. The transactions were held up at the Fed because the address used in one of the orders included the word "Jupiter", which is also the name of a sanctioned Iranian shipping vessel. This triggered an automatic review of the payment transfers, which were stopped because of the imposed sanctions.
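The two signals that stopped most of the transfers, a sanctions-list term in an address and a near-miss spelling in a beneficiary name, are exactly what an automated screening step on outbound payment orders looks for. The following is an added example, not code from the presentation: the sample orders are constructed, the watchlist term "Jupiter" and the expected word "foundation" come from the case study above, and the short list of expected words and the two-edit threshold are hypothetical stand-ins for a real screening configuration.

```python
# Added example (not from the presentation): automated screening of outbound
# payment orders, modelled on the two signals the case study says the New York
# Fed caught: a watchlist term ("Jupiter") and a near-miss spelling ("fandation").
# Orders, the expected-word list and the thresholds are constructed/hypothetical.
from dataclasses import dataclass

WATCHLIST = {"jupiter"}  # sanctioned-name term quoted in the case study
EXPECTED_WORDS = ["foundation", "bank", "corporation", "trading"]  # hypothetical list


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to an expected word flags a likely typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Order:
    ref: str
    beneficiary: str
    address: str
    amount_usd: int


def screen_order(order: Order) -> list[str]:
    """Return the reasons an order should be held for manual review (empty list = release)."""
    reasons = []
    tokens = [t.strip(".,") for t in f"{order.beneficiary} {order.address}".lower().split()]
    for tok in tokens:
        if tok in WATCHLIST:
            reasons.append(f"watchlist term '{tok}'")
        elif tok not in EXPECTED_WORDS and len(tok) >= 5:
            # a token within two edits of an expected word is probably a misspelling
            for word in EXPECTED_WORDS:
                if edit_distance(tok, word) <= 2:
                    reasons.append(f"'{tok}' looks like a misspelling of '{word}'")
                    break
    return reasons


def screen_batch(orders: list[Order]) -> dict[str, list[str]]:
    """Map every held order's reference to its reasons; released orders are omitted."""
    return {o.ref: r for o in orders if (r := screen_order(o))}


if __name__ == "__main__":
    sample = [  # constructed orders, not the real heist instructions
        Order("TXN-1", "Shalika Fandation", "Jupiter Street, Manila", 20_000_000),
        Order("TXN-2", "Pan Asia Banking", "Colombo", 20_000_000),
    ]
    for ref, why in screen_batch(sample).items():
        print(ref, "held:", "; ".join(why))
```

The first constructed order is held for both reasons while the second is released, which is the behaviour a reviewer would expect before the held orders are escalated to a human analyst.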
  • 116. Summary: The attackers first exploited cyber weaknesses by designing custom malware to bypass controls and network logging systems. They then abused gaps in fraud controls by using the Bangladesh Central Bank's credentials to gain unauthorized access to networks and by setting up fraudulent bank accounts to receive and transfer the stolen funds. Finally, the attackers laundered the stolen money through casinos in the Philippines.
  • 117. Did the attackers compromise SWIFT? Not directly. According to SWIFT, they obtained valid credentials the banks use to conduct money transfers over SWIFT and then used those credentials to initiate money transactions as if they were legitimate bank employees. Bangladesh Bank was to blame: the bank reportedly didn't have firewalls installed on its networks, raising the possibility that hackers may have breached the network and found the credentials stored on the system.
  • 118. How did the hackers cover their tracks? They installed malware on the bank's network to prevent workers from discovering the fraudulent transactions quickly. In the case of Bangladesh Bank, the malware subverted the software used to automatically print SWIFT transactions. The hackers installed it on the bank's system some time in January, not long before they initiated the bogus money transfers on 4th Feb.
  • 120. Malware: The custom malware targeted a PDF reader the bank used to record SWIFT money transfers. The malware apparently manipulated the PDF reports to remove any trace of the fraudulent transactions from them, according to SWIFT.
  • 121. Who's to blame? Bangladesh Bank blames the Federal Reserve Bank of New York for allowing the money transfers to go through instead of waiting for confirmation from Bangladesh. The New York Fed counters that it contacted the bank to question and verify dozens of suspicious transfers and never got a response. Authorities at the Reserve Bank said that workers followed the correct procedures in approving the five money transfers that went through and blocking 30 others.
  • 123. Sony Hack: Malware found on Bangladesh Bank's system shares similarities with some of the malware found in the Sony hack, which the US government attributed to North Korea.
  • 124. Learnings: Beware of human error. In Manila, Philippines, workers at the Rizal Commercial Banking Corporation allowed the attackers to open accounts using fake driving licenses; these accounts were then used to receive and traffic stolen funds. There is evidence that the workers who installed the SWIFT system in BCB did not follow official guidelines, and that could have opened up security vulnerabilities. There is also evidence of slack procedure in New York: there were numerous inconsistencies in the fraudulent SWIFT orders which should have been spotted.
  • 126. What is Data Protection?
  • 128. Data Protection spans Security (System Security, Network Security, Access Control, Activity Monitoring, Incident Management, Cloud Security) and Privacy (Data Classification, Customer Consent, Data Exchange Policies, Data Erasure, Data Retention, 3rd Party Data Sharing). Two questions frame the slide: how do these policies get enforced, and what data is important and why?
  • 129. Data Security vs Data Privacy: Data Security is concerned with Confidentiality, Integrity and Availability; Data Privacy is concerned with Traceability, Linkability and Identifiability.
  • 130. A typical Data Privacy law applies to every individual normally living in the country, every business located in the country, and individuals and businesses residing in foreign countries who collect the personal data of individuals of that specific country.
  • 131. Principles of Data Processing
  • 132. Principles of Data Processing, Data Processor & Data Controllers (Corporates & Businesses): Lawfulness, Fairness and Transparency. Shall always process personal data in a fair, lawful and transparent manner, in line with the requirements of the Data Privacy Law.
  • 133. Principles of Data Processing, Data Processor & Data Controllers (Corporates & Businesses): Purpose Limitation. Shall only process personal data for a specified and lawful purpose. Shall not use the data for another purpose unless conditions are met (consent from the Data Subject is taken).
  • 134. Principles of Data Processing, Data Processor & Data Controllers (Corporates & Businesses): Data Minimization. Should ensure that only the personal data truly needed to conduct business is processed, and nothing more.
  • 135. Principles of Data Processing, Data Processor & Data Controllers (Corporates & Businesses): Accuracy. Should ensure personal data is kept up to date, and that necessary measures are in place for correcting and updating inaccurate data.
  • 136. Principles of Data Processing, Data Processor & Data Controllers (Corporates & Businesses): Storage Limitation. Will not keep personal data for longer than it is needed. It should be securely destroyed after the defined retention period.
  • 137. Principles of Data Processing, Data Processor & Data Controllers (Corporates & Businesses): Accountability. Will ensure all appropriate measures and records are in place to be able to demonstrate the Data Processor's and Data Controller's compliance with the Data Protection Law.
  • 138. Rights of Individuals in Various Privacy Laws: (01) Objection: individuals can object to the processing of their personal data by an organization. (02) Automated decision making and profiling: individuals can object to decisions made about them based solely on automated and mechanical processing. (03) Cause moral damage: individuals can object to the processing of their personal data if they feel it can cause moral damage. (04) Transfer personal data: individuals have the ability to receive data in an organized, commonly used, machine-readable form. (05) Correct personal data: individuals can have their personal data rectified if inaccurate or completed if it is incomplete. (06) Right to erasure: individuals can have their personal data deleted without undue delay. (07) Submit complaints: individuals can submit a complaint to the PDPA if they believe there has been a breach of the provisions of the Data Protection Law.
  • 140. Summary: Understand the characteristics of frameworks; understand the components and implementation guidelines of the NIST Cybersecurity Framework, ISO 27001 (ISMS), PCI-DSS and the Software Assurance Maturity Model.