Cyber Attacks on the Financial Sector (Ataques Cibernéticos ao Setor Financeiro)
15 May 2013
Marco Souza
The Cyber Threat Landscape: An Overview
• Connected devices outnumber computers by at least 5 to 1, and the ratio is growing geometrically.
• The number of mobile subscriptions will soon overtake the world’s population.
Cyber Threat Landscape: Actors
Organized Crime
• Motivation: Make money
• Methods: A very mature underground economy supporting every facet of cyber criminal activity
Hacktivists
• Motivation: Seek publicity for their geopolitical agenda
• Methods: Disruption and defacement
Cyber Terrorism
• Motivation: Instill fear so that targets comply with demands or ideology
• Methods: Currently using cyber to “enable” their programs (recruit, incite, train, plan and finance). But there is growing concern that they can easily acquire “disruptive” and possibly “destructive” capabilities.
State-Affiliated
• Motivation: Political and technological advantage to further their own interests
• Methods: Advanced operations that target specific individuals to gain a foothold in the target’s infrastructure. Once a foothold is established, the adversary is very patient, performing reconnaissance and methodically planning the attack, and often leaves back doors to re-establish access to the target in case the primary means is identified and mitigated.
Cyber Threat Landscape: Profiling threat actors (chart: Hacktivists/Terrorism)
Source: Verizon, The 2013 Data Breach Investigations Report - http://www.verizonenterprise.com/DBIR/2013/
Cyber Threat Landscape: Actor and Variety Categories (charts: threat actor categories; variety of external actor)
Source: Verizon, The 2013 Data Breach Investigations Report - http://www.verizonenterprise.com/DBIR/2013/
Organized Crime: Sophisticated Attacks
• Recent attacks show increased knowledge and understanding of the technology, infrastructure and systems of their victims
• The amount of knowledge an attacker can obtain about a victim is increasing at lightning speed, making these threats more severe each day
• Bad actors are going after customers, suppliers and third parties in addition to direct attacks
Current Threat Levels
• FS-ISAC maintained its advisory level at HIGH
• Symantec maintained its threat level at ELEVATED
• iDefense maintained its threat meter at ELEVATED
State-Affiliated
China
• Motivation: Intellectual theft
• Cases: Google, Nortel Communications, New York Times, Washington Post
Iran
• Motivation: Defacement, disruption, destruction
• Cases: Shamoon, Saudi Aramco
United States
• Motivation: Disruption, destruction
• Cases: Stuxnet, Flame, Cyberwar
State-Affiliated: Growth of Offensive Cyber Program Trends
• The newly created Cyber Command establishes 3 teams that could carry out offensive cyberattacks on foreign nations if the United States were hit with a major attack on its own networks, given expressed terrorist interest in cyber
• First time the Obama administration has publicly admitted to developing such weapons for use in wartime
• James R. Clapper Jr. warned Congress that a major cyberattack on the United States could cripple the country’s infrastructure and economy
• Clapper suggested that such attacks now pose the most dangerous immediate threat to the United States, even more pressing than an attack by global terrorist networks.
Source: New York Times
State-Affiliated: Growth of Offensive Cyber Program Trends
Sources:
• http://www.nytimes.com/us-accuses-chinas-military-in-cyberattacks
• Mandiant: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
Cyber Terrorism: Hacktivists/Terrorism
• Exhibiting ‘enabling’ capabilities
• In 2012, moving from ‘disruptive’ to ‘destructive’ capabilities
Cyber Terrorism: Hacktivists/Terrorism
Anonymous
• Global anonymous participants
• Target: Government and multinational corporations
Al Qassam Cyber Fighters
• Iran
• Target: US banks
LulzSec
• Several core members identified
• Target: CIA, Sony, Nintendo
Hacktivists/Terrorism: Operation Ababil Update
• The Al-Qassam Cyber Fighters have sustained their attacks on financial institutions, including retail banks and credit card, investment and insurance providers
• Additional targeting of technology service providers associated with the financial industry
• Attack code also focused on Verisign
• Multiple previously unobserved scripts and targeting have occurred
• Continuing observations of the botnet emphasized alternation and updating of DDoS tools
• Postings continue related to the “Innocence of Muslims” trailer
Source: iSIGHT Partners
Hacktivists/Terrorism: Operation Ababil Update
• Since early September 2012, the financial services sector has been the target of an escalating series of DDoS attacks.
• Attacks “ended” on January 22, 2013; however, after a brief hiatus, they began again on March 5, 2013
• From Dec 11, 2012 to Jan 10, 2013:
• 140 ‘distributed denial-of-service’ attacks against banks
• 34 banks victimized – up to 23 in one day
Organized Crime - Hacktivists/Terrorism: DDoS Attack on Spamhaus with Broad Financial Impact
• The latest DDoS attacks are much more powerful because the bots are data center servers, which have more processing power and access to data-center-scale bandwidth.
– Normal DDoS attacks observed in 2012 averaged around 10-50 Gbps, and today’s attacks are starting to average closer to the range of 300 Gbps.
• Ordinary internet users are starting to see more of an impact, as they may go through the same data centers and infrastructure that are being attacked in more sophisticated campaigns, which ultimately has direct effects on ISPs and Internet Exchanges.
– The Spamhaus campaign caused direct congestion at the London, Amsterdam, Frankfurt and Hong Kong Internet Exchanges.
Organized Crime: Data Breach – ATM Skimmers
• Biggest payouts are data breaches
• Heartland Payment Systems – processes 100 million card transactions per month for 175,000 merchants
Cyber Attacks on the Financial Sector: Law and Regulation
Cyber Threat: Data Breach Regulations
• New Zealand: Office of the Privacy Commissioner’s Privacy Breach Guidance Material
• Mexico: Federal Law for Protection of Personal Data in Possession of Individuals and its Implementing Regulations
• Ireland: The Data Protection Act 1988 (the “1988 Act”), as modified by the Data Protection (Amendment) Act 2003 (the “2003 Act”); Personal Data Security Breach Code of Practice (Guidance)
• Bahamas: The Central Bank of The Bahamas Notice Re: Reporting of Material Events and Incidents of Fraud
• Australia: Banking Act 1959 - Sect 62A (1B)
• Ukraine: Law of Ukraine “On Personal Data Protection”
• Uruguay: Decree No. 414/009
• Austria: Federal Act concerning the Protection of Personal Data (DSG 2000)
• Belgium: Circular CBFA 2009_17 (April 7, 2009)
• Indonesia: Bank Indonesia Regulation Number 9/15/PBI/2007 Regarding the Risk Management Implementation for the use of Information Technology by Commercial Banks
• Israel: Proper Conduct of Banking Business - Information Technology Management
• Norway: Regulation on the processing of personal data (Personal Data Regulations)
• Canada: Personal Information Protection and Electronic Documents Act (PIPEDA); Alberta Personal Information Protection Act; British Columbia Personal Information Protection Act; Quebec Act Respecting the Protection of Personal Information in the Private Sector; Citi Canada Policy - Breach Notification
• United States: Gramm-Leach-Bliley Act (GLBA) - Section 501(b) and the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (12 CFR Parts 568 and 570)
• United Kingdom: Notification of Data Security Breaches to the Information Commissioner’s Office
• Vietnam: No. 01/2011/TT-NHNN, Regulation on the prudence and confidentiality of the Informatics Technology System in Banking Activity
• Hong Kong: Office of the Privacy Commissioner for Personal Data, Hong Kong, Guidance on Data Breach Handling and the Giving of Breach Notifications (June 2010)
• Malaysia: Bank Negara Malaysia, Guidelines on Management of IT Environment (GPIS 1)
• Japan: Guidelines for Personal Information Protection in the Financial Business (the “Financial Guidelines”)
• Guatemala: Oficio No. 119-2008, Oficio Enviado a Bancos, Sociedades Financieras, Almacenes Generales de Depósito, Entidades Off Shore, Empresas Especializadas en Servicios Financieros y Casas de Bolsa (Office Memorandum No. 119-2008, submitted to banks, finance companies, general deposit warehouses, offshore entities, companies specializing in financial services and brokerage firms)
• Slovakia: Act No. 428/2002 Coll. on Protection of Personal Data, as amended by Act No. 602/2003 Coll., Act No. 576/2004 Coll. and Act No. 90/2005
• Taiwan: Personal Information Protection Act (the "Act"), amended May 10, 2010, Article 12
• China: PBOC Notice on Further Strengthening the Reporting of Critical Events for Financial Institutions (Shanghaiyinfa (2011) No. 40), issued on Feb 23, 2011
• Jordan: Instructions on Internal Control Systems No. (35/2007), issued by the Central Bank of Jordan pursuant to the stipulations of Article (45/a) of the Central Bank’s Law and Article (99/b) of the Banking Law
• Luxembourg: Circular CSSF 11/504
• Sweden: Finansinspektionen’s (the Swedish Financial Supervisory Authority) General Guidelines regarding Reporting of Events of Material Significance
• Korea: Personal Information Protection Act
• Germany: Federal Data Protection Act (BDSG)
Marco Civil: Rights and Duties on the Internet
The Marco Civil da Internet is a bill that aims to establish principles, guarantees, rights and duties for the use of the Internet in Brazil, safeguarding the fundamental rights set out in the Constitution with measures to preserve freedom of expression and privacy. It is currently under consideration in the Chamber of Deputies as PL 5403/2001 (formerly PL 2126/2011).
• Controversial points:
• Treatment of packets and content in transmission.
• Optional retention of logs
• Providers’ liability for third-party content.
Electronic Crimes and the New Law: Physical vs. Electronic Intrusion
Electronic Crimes and the New Law: Law 12.737/12 – the “Carolina Dieckmann Law”
Art. 154-A. Intruding into another person’s computing device, whether or not it is connected to a computer network, by improperly circumventing a security mechanism, with the aim of obtaining, tampering with or destroying data or information without the express or tacit authorization of the device’s owner, or installing vulnerabilities to obtain an unlawful advantage: Penalty - detention of 3 (three) months to 1 (one) year, and a fine.
• Crime of intrusion
• Creation and dissemination of malicious code
• Intrusion + damage (increases the penalty by 1/3)
• Improper obtaining of data and remote control
• Disclosure of data or information
• Interruption or disturbance of services
• Credit or debit card forgery
Cyber Attacks: Some Numbers
• Brazil loses almost R$ 16 billion per year to cyber attacks, an average loss of R$ 562 per user.
• Worldwide, losses reach US$ 110 billion per year, with an average of US$ 200 per user.
• Worldwide, 556 million people have suffered some type of cybercrime. In Brazil, there are 28.3 million victims.
• Attacks are increasingly directed at the mobile world and at social networks
• 32% of Brazilians have already been victims of an infection via mobile or through social networks.
• 44% of Brazilian users have already received a text message on their mobile phone from a stranger asking them to click a link or dial a number
• 23% of social network users in the country have already had their profiles broken into, and another 12% have already been infected with malware via phishing sent through social networks.
• 42% of adult online users in the country (40% worldwide) simply do not know that a virus can operate very discreetly on a computer
Source: Norton/Symantec
Cyber Attacks: Organization and Collaboration
The mission of the FS-ISAC, in collaboration with the U.S. Department of Treasury and the Financial Services Sector Coordinating Council, is to enhance the ability of the financial services sector to prepare for and respond to cyber and physical threats, vulnerabilities and incidents, and to serve as the primary communications channel for the sector.
APWG is the global industry, law enforcement, and government coalition focused on unifying the global response to cyber crime through development of data resources, data standards and model response systems and protocols for private and public sectors.
The Anti-Phishing Working Group (APWG) and National Cyber Security Alliance (NCSA) led the development of the STOP. THINK. CONNECT. campaign. The U.S. Department of Homeland Security provides the Federal Government’s leadership for the STOP. THINK. CONNECT. campaign.
Cyber Attacks on the Financial Sector
THANK YOU
masouza.jr@uol.com.br