
Cyber security: (damn) good advice

September 2017
cyber-outreach@cba.com.au

| Commonwealth Bank of Australia |


The information and advice contained in this presentation is of general application and
is not tailored to your individual circumstances. The Bank cannot guarantee that by
implementing the advice in this guide you will never be a victim of fraud. All material
presented in this guide, unless specifically indicated otherwise, is under copyright to
the Commonwealth Bank of Australia. None of the material, nor its content, nor any
copy of it, may be altered in any way, transmitted to, copied or distributed to any other
party, without the prior written permission of the appropriate entity within the
Commonwealth Bank of Australia. Commonwealth Bank of Australia ABN 48 123 123
124 AFSL 234945



Protecting your organisation
STAYING SAFE ONLINE
Digital technology provides boundless opportunities to deliver simpler and more convenient experiences to customers and stakeholders. It also presents new and evolving risks to manage.

Today I will be speaking with you on the steps you and your staff can take to protect your organisation and stay safe online.



Why do we care about cyber security?
Some sobering statistics
• Half a billion personal records have been stolen in known data breaches as of 2015.
• Email Payment Fraud has netted attackers in excess of US$5 billion over the last two years.
• Ransomware is now a US$1 billion a year industry.
Cyber crime is big business.



Why should you care about cyber security?
Why do we provide cyber security advice?
• The vast majority of cyber crime events rely on deception of a human prior to hacking of a system.
– So most (not all) cyber crime events are preventable if we follow some basic ‘cyber hygiene’.
Most cyber crime events are preventable.



For the cause
I’m a target?

Sources: https://www.itnews.com.au/news/jpmorgan-found-breach-through-corporate-challenge-site-397445
https://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months/

Phishing and SMiShing
You can’t always trust the sender of an SMS…


Fake (malicious) apps
Example: Android Malware (Marcher – GMBot – Maza)


Fake (malicious) apps
You can’t always trust an application…


Make yourself a harder target … against Android malware
Legitimate apps only, please.
• Only download mobile apps from official online app stores (iOS App Store, Windows Phone Store or Google Play Store)
– Trust your operating system to make this decision for you. On Android 4.0 and above, go to Settings and ensure the “unknown sources” feature is not selected. Your device will now be unable to download apps from anywhere but the Google Play store.
• Don’t ‘root’ or ‘jailbreak’ your device.


Basic hygiene
Against phishing and SMiShing attacks.
Basic (user) hygiene
• Always change default credentials.
• Passphrases beat passwords (for length and complexity).
• Choose a password manager/wallet that stores your credentials in encrypted format.
• Be wary of attachments on emails (especially on emails you weren’t expecting).
• Hover over links appearing in emails to check the web address (‘tap and hold’ on mobile).

Remember:
Your bank will never send you an email or SMS that asks you to confirm, update or disclose personal or banking information.


Passwords & Passphrases: An evolution of best practice

Source: xkcd - https://xkcd.com/


Passwords & Passphrases
Create stronger passwords to keep information secure

Old School
• More than eight characters - the longer and more complex your password the harder it is for someone to decipher it
• Made up of a variety of letters, numbers and symbols
• Complex and lengthy passwords and passphrases
• Unique (not re-used for other accounts or apps)
• Current (changed at least every 90 days)

New School
• Password Managers and Vaults (free and paid services)
• Saving you from having to remember many long and complex passwords
• Secret unique key known only to you
• 1 master password to access your vault
• Password generator function (creating complex and lengthy passwords)
• Do your research and choose the option that is right for you
• Some password managers have business account options
Securing your network
Office networks have improved productivity and lowered costs – but don’t forget to secure them
Create the Path of “most” resistance
While networks make it easy to share information within the office and with others, an improperly configured network risks allowing outsiders to disrupt your business activities or steal data.
Here are some essential steps for protecting your business network:
• Review your default settings
• Choose a secure form of encryption like Wireless Protected Access II (WPA2)
• Got guests? Create a visitor mode
• Turn off features you don’t use like universal plug and play (UPnP)
• Keep an inventory of approved devices


Cloud security
Be safe and secure in the cloud

Benefits of Cloud Services:
• Improved productivity, flexibility and reduced costs
• Data storage solutions
• Automatic software updates
• Increased collaboration
• Work from anywhere

Be Active, be informed:
• Read the terms and conditions
• Be across your user access controls – think about your onboarding/offboarding processes
• Make it hard for an attacker – ask about security controls
• Keep tabs on your provider’s practices

Remember:
If you're using cloud, the security and privacy of your data is largely in somebody else’s direct control …
Securing your devices
Take these actions to help secure your devices
Make yourself a hard target and take steps to limit harm
Writers of malicious software (malware) including ransomware and keyloggers rely on users of a system to make simple errors in order to infect a device or gain unauthorised access.

Aside from educating your company's computer users, your best defence as a small business is to 'harden' your devices against these risks.
• Turn on automatic updates
• Only install software from reputable publishers
• Limit administrative access to your computers – de-privilege where possible
• Encrypt your hard drives
• Install security software and keep it up to date


Securing your payments
You can’t always trust the sender of an email…
Email Payment Fraud (aka Business Email Compromise)
• Emails designed to look like valid requests to make payments to third parties, which include payment instructions or invoices;
• Targeted at staff that have authority to perform the transaction;
• Designed to appear as legitimate, business as usual requests.

The CEO Email
A fraudster sends an email to your accounts team pretending to be from the CEO, CFO or other person in authority, asking that a payment be made to a nominated bank account as a matter of urgency.

Supplier Payment Fraud
Fraudsters pose as genuine suppliers and submit instructions to alter the supplier’s bank account for payment of future invoices.


Email Payment Fraud (US$ million)
US$5 billion industry in under two years.
[Chart: Losses from Email Payment Fraud (US$ million), monthly from Jan-15 to May-17; labelled points $214, $1,200, $2,300, $3,100 and $5,300. Source: FBI/IC3]


Possible indicators of fraudulent emails
• The request claims to be urgent and/or confidential;
• The recipient is asked to ignore standard payment authorisation processes or processes for changing beneficiary details;
• The request (often) includes grammatical and spelling errors;
• The type of request and the language and formatting are unusual for the supposed sender;
• The ‘reply to’ email address is different to the sender’s address.
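The indicators that can be checked mechanically (reply-to mismatch, urgency wording, a request to skip authorisation, and a change of bank details) can be screened for before a message reaches the accounts team. The following is an added example, not code from the CBA deck; it assumes single-part plain-text messages, and its keyword patterns and the two sample emails are constructed for illustration rather than a published rule set.

```python
# Added example (not from the CBA deck): screens one plain-text email for the
# mechanically checkable Email Payment Fraud indicators. Keyword patterns are
# assumptions chosen for illustration; tune them to your own business language.
from email import message_from_string
from email.utils import parseaddr
import re

URGENT = re.compile(r"\b(urgent(ly)?|immediately|asap|confidential)\b", re.I)
BYPASS = re.compile(r"\b(skip|bypass|no need for|without)\s+(the\s+)?"
                    r"(usual\s+|normal\s+|standard\s+)?"
                    r"(approval|authori[sz]ation|sign-?off|verification)\b", re.I)
NEW_ACCOUNT = re.compile(r"\b(new|updated?|changed?)\b.{0,40}"
                         r"\b(bank|account|bsb|iban|beneficiary)\b", re.I)

def domain(header_value):
    """Domain part of an address header, lower-cased ('' if unparseable)."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()

def bec_indicators(raw_message):
    """Return the indicators present in one single-part RFC 822 message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    found = []
    reply_to = msg.get("Reply-To")
    if reply_to and domain(reply_to) != domain(msg.get("From", "")):
        found.append("reply-to domain differs from sender domain")
    if URGENT.search(text):
        found.append("urgent or confidential request")
    if BYPASS.search(text):
        found.append("asks to skip payment authorisation")
    if NEW_ACCOUNT.search(text):
        found.append("changes beneficiary bank details")
    return found

# Constructed samples: a CEO-style fraud attempt and a routine supplier invoice.
SAMPLE_FRAUD = """From: "Jane Doe, CEO" <jane.doe@example-corp.test>
Reply-To: jane.doe@example-corp-mail.test
Subject: Urgent and confidential payment

I'm in a meeting all day. Please pay the attached invoice today, no need for
the usual approval. Use the new bank account shown on the invoice.
"""
SAMPLE_ROUTINE = """From: payables@example-supplier.test
Subject: Invoice 1042 for June

Please find attached invoice 1042, payable per our normal 30-day terms.
"""
```

A hit on any indicator is a prompt for the verification step described in the deck (a phone call to a known number), not proof of fraud, and the grammatical and "unusual for the sender" indicators still need a human reader.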


Email Payment Fraud
Review your payment processes

Detecting scams is easier if:
• There is a strict payments process, with separation of duties, and enforced compliance.
• Staff are trained (and it is culturally acceptable) to question a process change or anything that looks suspicious (especially payments);
• Large or unexpected payments, or changes to beneficiary details in your supplier database, cannot be made without additional verification steps.

Most affected industries:
Attacks are recorded relatively evenly across most sectors of the economy. The industries most susceptible to fraud:
• Property and Real Estate – 17% of recorded loss events
• Building and Construction – 11% of recorded loss events
• Education – 10% of recorded loss events
• Retail and distribution – 9% of recorded loss events
• Government – 7% of recorded loss events


Report suspicious activity
If you realise you have made a payment as a result of these scams (or malware):
1. Immediately call the CommBiz helpdesk on 132 339.
2. Inform your account manager.
3. Report to law enforcement.


Sharing Knowledge
Supporting small and medium business owners
How can we help?
Tailored advice:
• Focused on providing actionable advice on relevant topics eg. network security, securing devices, cloud security and email practices
• Focusing on educating business owners and their staff
• https://www.commbank.com.au/business/support/security.html
Sharing Knowledge
Supporting small and medium business owners
A quarterly threat update:
• Trends and observations about the threat landscape
• Data-driven ‘deep dive’ analysis on critical security issues
• Updates on new legislation with security and privacy implications
• https://www.commbank.com.au/business/support/security/signals.html

In past editions:
• How to protect your organisation from Email Payment Fraud
• Effectiveness of simulated phishing programs.
• The causes and impact of the world’s largest data breaches.

Cyber-outreach@cba.com.au
ThinkUKnow
Enabling parents and guardians to have better conversations with their children

Cyber-Safety Advice:
• Talking to parents about cyber hygiene practices
• Raising awareness of threats
• Presented in schools and community centres
• Safe place to ask questions and start the conversation

Partnership:
Police Associations from across the country and Neighbourhood Watch Australia


Thank you
Cyber-outreach@cba.com.au
