Overview
The current cybersecurity landscape is complex.
Attackers develop new and ingenious methods of compromising systems on a daily basis.
Security researchers continue to find vulnerabilities in applications, products, and operating systems.
In the current cybersecurity landscape, attackers are finding it simpler to monetize their activities, either by deploying ransomware that encrypts a target’s data and systems and demanding payment for their release, or by deploying coin-mining software that generates cryptocurrency using the resources of the target organization’s infrastructure.
Cybersecurity terms and industry buzzwords
Phishing
A technique used by hackers to obtain sensitive information. For example, using
hand-crafted email messages designed to trick people into divulging personal or
confidential data such as passwords and bank account information.
Smishing
Vishing
Vishing is a form of phishing that uses the phone system or VoIP. Some vishing attempts are fully automated. Others start automated, but an attacker takes over at some point during the call.
Social Engineering
Social engineering is the practice of using social tactics to gain information.
It’s often low-tech and encourages individuals to do something they wouldn’t normally do, or causes them to reveal some piece of information, such as user credentials.
Social engineering uses social tactics to trick users into giving up information or performing actions they wouldn’t normally take.
Social engineering attacks can occur in person, over the phone, while surfing the Internet, and via email.
Impersonation
Email Impersonation
Shoulder Surfing
Hoax Messages
Dumpster Diving
Software
A set of programs that tell a computer to perform a task. These instructions are compiled
into a package that users can install and use.
For example, Microsoft Office is application software.
Cloud
A technology that allows us to access our files and/or services through the internet
from anywhere in the world.
Technically speaking, it’s a collection of computers with large storage capabilities
that remotely serve requests.
Breach
The moment a hacker successfully exploits a vulnerability in a
computer or device, and gains access to its files and network.
• An umbrella term that describes all forms of malicious software designed to wreak havoc on a computer.
• Common forms include: viruses, trojans, worms and ransomware.
Malware
• A type of malware aimed to corrupt, erase or modify information on a computer before spreading to others.
Virus
• A form of malware that deliberately prevents you from accessing files on your computer, holding your data hostage. It will typically encrypt files and request that a ransom be paid in order to have them decrypted or recovered.
• For example, WannaCry.
Ransomware
• A piece of malware that often allows a hacker to gain remote access to a computer through a “back door”.
Trojan Horse
• A type of software application or script that performs tasks on command, allowing an attacker to take complete remote control of an affected computer.
• A collection of these infected computers is known as a “botnet” and is controlled by the hacker or “bot-herder”.
Bot / Botnet
• DDoS is an acronym that stands for distributed denial of service, a form of cyber attack. This attack aims to make a service such as a website unusable by “flooding” it with malicious traffic or data from multiple sources (often botnets).
DoS / DDoS
• BYOD (Bring Your Own Device)
• Refers to a company security policy that allows employees’ personal devices to be used in business. A BYOD policy sets limitations and restrictions on whether or not a personal phone or laptop can be connected to the corporate network.
BYOD
• APT (Advanced Persistent Threat): a security breach that enables an attacker to gain access to or control over a system for an extended period of time, usually without the owner of the system being aware of the violation.
• Often an APT takes advantage of numerous unknown vulnerabilities or zero-day attacks, which allow the attacker to maintain access to the target even as some attack vectors are blocked.
APT
Backdoor
Key Loggers
Adware
Cyber Security
Standards and Frameworks
• Frameworks and Standards Introduction
• NIST Cybersecurity Framework
• ISO 27001 (ISMS)
• PCI Standards
• Software Assurance Maturity Model
Agenda
Framework and Standards
Introduction
Cybersecurity Framework
Characteristics of a Cybersecurity Framework
Objectives of a Cybersecurity Framework
• Describe the current security posture
• Describe the target security posture
• Assess progress towards the target posture
• Communicate risk
• Continuous improvement
Frameworks
NIST Cybersecurity Framework
NIST CSF - Components Overview
ISO 27001 (ISMS)
Overview of ISO 27001
ISO 27001 is the international standard, recognised globally, for managing risks to the security of the information you hold.
Certification to ISO 27001 allows you to prove to your clients and other stakeholders that you are managing the security of your information.
ISO 27001:2013 (the current version of ISO 27001) provides a set of standardised requirements for an Information Security Management System (ISMS).
The standard adopts a process-based approach for establishing, implementing, operating, monitoring, maintaining, and improving your ISMS.
ISO 27001 - Components
ISO 27001 - Implementation Process
PCI Standards
• PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data.
• The standards apply to all organizations that store, process or transmit cardholder data, with guidance for software developers and manufacturers of applications and devices used in those transactions.
• The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
Overview of PCI
• PCI Data Security Standard (DSS)
• The PCI DSS applies to all entities that store, process, and/or transmit cardholder data.
• It covers technical and operational system components included in or connected to cardholder data.
• If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.
PCI Security Standards Include - 1
• PIN Transaction Security (PTS) Requirements
• PCI PTS (formerly PCI PED) is a set of security requirements focused on the characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities.
• The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it.
• Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC.
PCI Security Standards Include - 2
• Payment Application Data Security Standard (PA-DSS)
• The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties.
• Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC.
PCI Security Standards Include - 3
• PCI Point-to-Point Encryption Standard (P2PE)
• This Point-to-Point Encryption (P2PE) standard provides a comprehensive set of security requirements for P2PE solution providers to validate their P2PE solutions, and may help reduce the PCI DSS scope of merchants using such solutions.
• P2PE is a cross-functional program that results in validated solutions incorporating the PTS Standards, PA-DSS, PCI DSS, and the PCI PIN Security Standard.
PCI Security Standards Include - 4
PCI DSS Goals and Requirements
SAMM
Overview of SAMM
The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development.
The foundation of the model is built upon the core business functions of software development, with security practices tied to each.
SAMM - Components
Bangladesh Central Bank Fraud - 2016
About
• The Bangladesh Bank heist is just one of several recent high-profile data breaches that have affected hundreds of millions of consumers and that illustrate how attackers exploit weaknesses across the cybersecurity, fraud and anti-money-laundering (AML)
Bangladesh Bank Heist
• In January 2015, an innocuous-looking email had been sent to several Bangladesh Bank employees.
• It came from a job seeker calling himself Rasel Ahlam. His polite enquiry included an invitation to download his CV and cover letter from a website.
• “In reality, Rasel did not exist – he was simply a cover name being used by the Lazarus Group, according to FBI investigators,” the report says.
Trap Setup
• At least one person inside the bank fell for the trick, downloaded the documents, and got infected with the viruses hidden inside.
• “Once inside the bank’s systems, the Lazarus Group began stealthily hopping from computer to computer, working their way towards the digital vaults and the billions of dollars they contained.”
• The actual draining of the accounts happened only a year later, the report says, because the hackers were lining up the next stages, planning how to remove the money in such a way that it would not be possible to retrieve it.
• Hackers attempted to steal $951 million from the Bangladesh Central Bank (BCB) in Dhaka.
• $81 million was sent to Rizal Commercial Banking Corporation in the Philippines via four different transfer requests.
• An additional $20 million was sent to Pan Asia Banking (Sri Lanka) in a single request.
• Bangladesh Bank managed to halt $850 million in other transactions.
What happened between February 4-7, 2016
On 4th Feb 2016
• $81 million was deposited into four accounts at a Rizal branch in Manila on 4th Feb 2016.
• These accounts had all been opened a year earlier in May 2015, but had been inactive with just $500 sitting in them until the stolen funds arrived in February 2016.
About $81 Million
How did the hackers do it?
• The theft involved manipulating the SWIFT system and used the SWIFT credentials of Bangladesh Central Bank employees.
• Pretending to be the BCB, the thieves sent fake instructions over SWIFT to the New York Fed, asking for some funds to be transferred to bank accounts in Southeast Asia.
• The bank's SWIFT system is configured to automatically print out a record each time a money transfer request goes through.
Part 1
How did they do it?
• But in this case, the attackers disabled the BCB’s printers with a piece of malware.
• This meant the bank’s employees in Bangladesh were not aware that the heist was going on.
• By the time the BCB reactivated its printer and received the notifications of the transfers, and requests from the New York Fed for clarification, it was already too late and the money had been sent.
Part 2
How did they do it?
How Bangladesh Bank identified the attack
• The printer works 24 hours so that when workers arrive each morning, they check the tray for transfers that got confirmed overnight.
• But on the morning of Friday February 5, the director of the bank found the printer tray empty.
• When bank workers tried to print the reports manually, they couldn’t.
• The software on the terminal that connects to the SWIFT network indicated that a critical system file was missing or had been altered.
Part 1
How did BCB identify the attack?
• When they finally got the software working the next day (5th Feb 2016) and were able to restart the printer, dozens of suspicious transactions were spat out.
• The Fed bank in New York had apparently sent queries to Bangladesh Bank questioning dozens of the transfer orders, but no one in Bangladesh had responded.
• They contacted SWIFT and the New York Fed, but the attackers had timed their heist well; because it was the weekend in New York, no one there responded.
• It wasn't until Monday that bank workers in Bangladesh finally learned that four of the transactions had gone through, amounting to $101 million.
Part 2
How did BCB identify the attack?
How the US Fed identified the attack
• The hackers might have stolen much more if not for a typo in one of the money transfer requests that caught the eye of the Federal Reserve Bank in New York.
• The hackers apparently had indicated that at least one of the transfers should go to the Shalika Foundation, but they misspelled “foundation” as “fandation.”
How the US Fed identified the attack
How much money is recovered
• Bangladesh Bank managed to get Pan Asia Banking to cancel the $20 million that it had already received and reroute that money back to Bangladesh Bank's New York Fed account.
• But the $81 million that went to Rizal Bank in the Philippines was gone.
• It had already been credited to multiple accounts, reportedly belonging to casinos in the Philippines.
How much did they recover?
• At least $21 million of the stolen funds reportedly ended up in the Philippine bank account of Eastern Hawaii, a company run by Chinese businessman Kim Wong, who says he received it as payment for helping a Chinese client settle a casino debt.
• Casinos in that country are not covered by anti-money laundering laws, which means there are gaps in record-keeping around where money goes once a casino obtains it.
What happened to those $81 million
• The RCBC Bank branch in Manila to which the hackers tried to transfer $951m was in Jupiter Street.
• There are hundreds of banks in Manila that the hackers could have used, but they chose this one, and the decision cost them hundreds of millions of dollars.
• “The transactions…were held up at the Fed because the address used in one of the orders included the word ‘Jupiter’, which is also the name of a sanctioned Iranian shipping vessel.”
• This led to an automatic review of the payment transfers, which were stopped because of the imposed sanctions.
How did they save $850 million?
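The holds described on this and the preceding slides are the kind of automated checks a receiving bank's payment screening runs before releasing a transfer: a sanctions-list term in a beneficiary address, and a beneficiary name that almost but not quite matches a vetted entity. The Python script below is an added example written for this page; it is not code from Bangladesh Bank, SWIFT or the New York Fed. The watch list, the vetted-beneficiary registry, the dormancy and amount thresholds and the two sample transfer orders are all constructed, and the third check (a large credit landing on a long-dormant account) generalizes the detail on the “About $81 Million” slide that the receiving accounts had sat idle with $500 in them for a year.

```python
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher

# Constructed watch list for this example. A real screening engine loads the
# official sanctions lists; 'jupiter' is here because the slide says that word
# (the name of a sanctioned vessel) is what held the orders at the Fed.
SANCTIONS_TERMS = {"jupiter"}

# Constructed registry of beneficiaries vetted earlier (hypothetical names).
KNOWN_BENEFICIARIES = {"Shalika Foundation", "Pan Asia Banking"}

DORMANT_DAYS = 180            # assumed policy threshold, not from the slides
LARGE_AMOUNT_USD = 1_000_000  # assumed policy threshold, not from the slides


@dataclass
class TransferOrder:
    order_id: str
    amount_usd: int
    beneficiary_name: str
    beneficiary_address: str
    last_account_activity: date  # last credit/debit on the receiving account
    value_date: date             # date the transfer would settle


def _tokens(text: str) -> set[str]:
    """Lower-cased words with surrounding punctuation removed."""
    return {t.strip(".,;:()").lower() for t in text.split()}


def sanctions_hits(order: TransferOrder) -> list[str]:
    """Watch-list terms found anywhere in the beneficiary name or address."""
    words = _tokens(order.beneficiary_name) | _tokens(order.beneficiary_address)
    return sorted(words & SANCTIONS_TERMS)


def near_miss_beneficiary(order: TransferOrder, threshold: float = 0.85):
    """If the beneficiary name is close to, but not exactly, a vetted name,
    return (vetted_name, similarity). Exact matches and clearly different
    names return None. A near miss ('Fandation' for 'Foundation') is either
    a typo or a spoof and deserves a manual query before release."""
    name = order.beneficiary_name
    if name in KNOWN_BENEFICIARIES:
        return None

    def score(candidate: str) -> float:
        return SequenceMatcher(None, name.lower(), candidate.lower()).ratio()

    best = max(KNOWN_BENEFICIARIES, key=score)
    ratio = score(best)
    return (best, ratio) if ratio >= threshold else None


def dormant_large_credit(order: TransferOrder) -> bool:
    """Large credit to an account with no activity for DORMANT_DAYS or more."""
    idle_days = (order.value_date - order.last_account_activity).days
    return idle_days >= DORMANT_DAYS and order.amount_usd >= LARGE_AMOUNT_USD


def screen(order: TransferOrder) -> list[str]:
    """Return the reasons an order should be held for review; empty = release."""
    reasons = []
    hits = sanctions_hits(order)
    if hits:
        reasons.append(f"sanctions term(s) {hits} in beneficiary fields")
    miss = near_miss_beneficiary(order)
    if miss:
        reasons.append(f"beneficiary name near-matches vetted '{miss[0]}' "
                       f"(similarity {miss[1]:.2f}); possible typo or spoof")
    if dormant_large_credit(order):
        reasons.append(f"credit of ${order.amount_usd:,} to an account dormant "
                       f"for {DORMANT_DAYS}+ days")
    return reasons


def screen_all(orders) -> dict[str, list[str]]:
    """Map each order id to its hold reasons."""
    return {o.order_id: screen(o) for o in orders}


# Constructed sample orders; amounts, names and dates are illustrative only.
SAMPLE_ORDERS = [
    TransferOrder("ORD-1", 30_000_000, "Shalika Fandation",
                  "Jupiter Street, Makati, Manila",
                  last_account_activity=date(2015, 5, 15),
                  value_date=date(2016, 2, 4)),
    TransferOrder("ORD-2", 500_000, "Pan Asia Banking", "Colombo",
                  last_account_activity=date(2016, 1, 28),
                  value_date=date(2016, 2, 4)),
]

if __name__ == "__main__":
    for order_id, reasons in screen_all(SAMPLE_ORDERS).items():
        print(order_id, "HOLD" if reasons else "RELEASE", reasons)
```

Each check is independent and returns a human-readable reason, so an analyst sees why an order was held rather than a bare flag. The near-miss check uses a similarity score instead of exact matching precisely because, as the Fed's experience shows, a misspelled beneficiary is a signal in its own right and should not be silently normalised away.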
Summary of Heist
• The attackers first exploited cyber weaknesses by designing custom malware to bypass controls and network logging systems.
• They then abused gaps in fraud controls by using the Bangladesh Central Bank’s credentials to gain unauthorized access to networks and by setting up fraudulent bank accounts to receive and transfer the stolen funds.
• Finally, the attackers laundered the stolen money through casinos in the Philippines.
Summary
• Not directly. According to SWIFT, they obtained valid credentials the banks use to conduct money transfers over SWIFT and then used those credentials to initiate money transactions as if they were legitimate bank employees.
• Bangladesh Bank was to blame: the bank reportedly didn't have firewalls installed on its networks, raising the possibility that hackers may have breached the network and found the credentials stored on the system.
Did the Attackers Compromise SWIFT?
• They installed malware on the bank's network to prevent workers from discovering the fraudulent transactions quickly.
• In the case of Bangladesh Bank, the malware subverted the software used to automatically print SWIFT transactions.
• The hackers installed it on the bank's system some time in January, not long before they initiated the bogus money transfers on 4th Feb.
How Did the Hackers Cover Their Tracks?
Bank in Vietnam
• The custom malware targeted a PDF reader the bank used to record SWIFT money transfers.
• The malware apparently manipulated the PDF reports to remove any trace of the fraudulent transactions from them, according to SWIFT.
Malware
• Bangladesh Bank blames the Federal Reserve Bank of New York for allowing the money transfers to go through instead of waiting for confirmation from Bangladesh.
• The New York Fed counters that it contacted the bank to question and verify dozens of suspicious transfers and never got a response.
• Authorities at the Reserve Bank said that workers followed the correct procedures in approving the five money transfers that went through and blocking 30 others.
Who's to Blame?
Sony Hack
• Malware found on Bangladesh Bank's system shares similarities to some of the malware found in the Sony hack, which the US government attributed to North Korea.
• In Manila, Philippines, workers at the Rizal Commercial Banking Corporation allowed the attackers to open accounts using fake driving licenses; these accounts were then used to receive and traffic stolen funds.
• There is evidence that the workers who installed the SWIFT system in BCB did not follow official guidelines, and that could have opened up security vulnerabilities.
• There is also evidence of slack procedure in New York: there were numerous inconsistencies in the fraudulent SWIFT orders which should have been spotted.
Learnings
Beware Of Human Error
Cloud Models
What is Data Protection?
Data Protection = Data Security + Data Privacy
Data Security: System Security, Network Security, Access Control, Activity Monitoring, Incident Management, Cloud Security
Data Privacy: Data Classification, Customer Consent, Data Exchange Policies, Data Erasure, Data Retention, 3rd Party Data Sharing
Two guiding questions: What data is important and why? How do these policies get enforced?
Data Security vs Data Privacy
Data Security: Confidentiality, Integrity, Availability
Data Privacy: Traceability, Linkability, Identifiability
A typical data privacy law applies to:
• Every individual normally living
• Every business located
• Individuals and businesses residing in foreign countries who collect the personal data of individuals for a specific country
Principles of Data Processing
Data Processors & Data Controllers (Corporates & Businesses)
Lawfulness, Fairness and Transparency
Shall always process personal data in a fair, lawful and transparent manner, in line with the requirements of the Data Privacy Law.
Principles of Data Processing
Data Processors & Data Controllers (Corporates & Businesses)
Purpose Limitation
• Shall only process personal data for a specified and lawful purpose.
• Shall not use the data for another purpose unless conditions are met (consent from the Data Subject is taken).
Principles of Data Processing
Data Processors & Data Controllers (Corporates & Businesses)
Data Minimization
Should ensure only the personal data which is truly needed to conduct business is processed, and nothing more.
Principles of Data Processing
Data Processors & Data Controllers (Corporates & Businesses)
Accuracy
Should ensure personal data is kept up to date, and that necessary measures are in place for correcting and updating inaccurate data.
Principles of Data Processing
Data Processors & Data Controllers (Corporates & Businesses)
Storage Limitation
• Will not keep personal data for longer than you need it.
• It should be securely destroyed after the defined retention period.
Principles of Data Processing
Data Processors & Data Controllers (Corporates & Businesses)
Accountability
Will ensure all appropriate measures and records are in place to be able to demonstrate Data Processor and Data Controller compliance with the Data Protection Law.
Rights of Individuals in Various Privacy Laws
01 Objection: Individuals can object to the processing of their personal data by an organization.
02 Automated decision making and profiling: Individuals can object to decisions made about them based solely on automated and mechanical processing.
03 Cause moral damage: Individuals can object to the processing of their personal data if they feel it can cause moral damage.
04 Transfer personal data: Individuals have the ability to receive their data in an organized, commonly used, machine-readable form.
05 Correct personal data: Individuals can have their personal data rectified if inaccurate, or completed if it is incomplete.
06 Right to erasure *: Individuals can have their personal data deleted without undue delay.
07 Submit complaints: Individuals can submit a complaint to the PDPA if they believe there has been a breach of the provisions of the Data Protection Law.
Lesson Summary
• Understand the characteristics of frameworks
• Understand the components and implementation guidelines of:
  • NIST Cybersecurity Framework
  • ISO 27001 (ISMS)
  • PCI-DSS
  • Software Assurance Maturity Model
Summary