Cyber security: (damn) good advice

September 2017
cyber-outreach@cba.com.au

| Commonwealth Bank of Australia |

 The information and advice contained in this presentation is of general application and
is not tailored to your individual circumstances. The Bank cannot guarantee that by
implementing the advice in this guide you will never be a victim of fraud. All material
presented in this guide, unless specifically indicated otherwise, is under copyright to
the Commonwealth Bank of Australia. None of the material, nor its content, nor any
copy of it, may be altered in any way, transmitted to, copied or distributed to any other
party, without the prior written permission of the appropriate entity within the
Commonwealth Bank of Australia. Commonwealth Bank of Australia ABN 48 123 123
124 AFSL 234945

2 | Commonwealth Bank of Australia | Confidential

Protecting STAYING SAFE ONLINE
Digital technology provides boundless opportunities to deliver simpler
your and more convenient experiences to customers and stakeholders. It
organisation also presents new and evolving risks to manage.

Today I will be speaking with you on the steps you and your staff can
take to protect your organisation and stay safe online.

3 | Commonwealth Bank of Australia | Confidential

Why do we Some sobering statistics
care about
• Half a billion personal records have been stolen in known data
cyber breaches as of 2015.
security? • Email Payment Fraud has net attackers in excess of US$5 billion
over the last two years.
• Ransomware is now a US$1 billion a year industry.
Cyber crime is big
business.

4 | Commonwealth Bank of Australia | Confidential

Why should Why do we provide cyber security advice?
you care about • The vast majority of cyber crime events rely on deception of a
cyber human prior to hacking of a system.
– So most (not all) cyber crime events are preventable if we follow
security? some basic ‘cyber hygiene’.

Most cyber crime

events are
preventable.

5 | Commonwealth Bank of Australia | Confidential

 For the
cause

I’m a
target?

Sources: https://www.itnews.com.au/news/jpmorgan-found-breach-through-corporate-challenge-site-397445
https://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months/
6 | Commonwealth Bank of Australia | Confidential
 You can’t always trust the sender of an SMS…
Phishing and
SMiShing

7 | Commonwealth Bank of Australia | Confidential

Fake
(malicious)
apps
Example: Android
Malware (Marcher –
GMBot – Maza)

8 | Commonwealth Bank of Australia | Confidential

Fake
(malicious)
apps
You can’t always trust
an application…

9 | Commonwealth Bank of Australia | Confidential

Fake
(malicious)
apps
You can’t always trust
an application…

10 | Commonwealth Bank of Australia | Confidential

 Legitimate apps only, please.

Make yourself • Only download mobile apps from official online app stores (iOS App
Store, Windows Phone Store or Google Play Store)
a harder target – Trust your operating system to make this decision for you. On
Android 4.0 and above, go to Settings and ensure the “unknown
… against Android sources” feature is not selected. Your device will now be unable
malware to download apps from anywhere but the Google Play store.
• Don’t ‘root’ or ‘jailbreak’ your device.

11 | Commonwealth Bank of Australia | Confidential

 Basic (user) hygiene

• Always change default credentials.

• Passphrases beat passwords (for length and complexity).
Basic hygiene • Choose a password manager/wallet that stores your
credentials in encrypted format.
Against phishing and • Be wary of attachments on emails (especially on emails you
SMiShing attacks. weren’t expecting).
• Hover over links appearing in emails to check the web
address (‘tap and hold’ on mobile).

Remember:
Your bank will never send you an email or SMS that asks you to
confirm, update or disclose personal or banking information.

12 | Commonwealth Bank of Australia | Confidential

 Passwords &
Passphrases:
An evolution
of best
practice

Source: xkcd - https://xkcd.com/

13 | Commonwealth Bank of Australia | Confidential

 Old School
• More than eight characters -
the longer and more
complex your password the
harder it is for someone to
decipher it
• Made up of a variety of
letters, numbers and
Passwords & symbols
Passphrases • Complex and lengthy
passwords and passphrases
• Unique (not re-used for other
Create stronger accounts or apps)
passwords to keep
• Current (changed at least
information secure
every 90 days)
14 | Commonwealth Bank of Australia | Confidential
New School
• Password Managers and
Vaults (free and paid
services)
• Saving you from having to
remember many long and
complex passwords
• Secret unique key known
only to you
• 1 master password to
access your vault
• Password regenerator
function (creating complex
and lengthy passwords)
• Do your research and
choose the option that is
right for you
• Some password managers
have business account
options
 Create the Path of “most” resistance
While networks make it easy to share information within the office
and with others, an improperly configured network risks allowing
Securing your outsiders to disrupt your business activities or steal data.
network Here are some essential steps for protecting your business
network:
Office networks have • Review your default settings
improved productivity • Choose a secure form of encryption like Wireless Protected
and lowered costs – but Access II (WPA2)
don’t forget to secure • Got guests? Create a visitor mode
them • Turn off features you don’t use like universal plug and play
(UPnP)
• Keep an inventory of approved devices

15 | Commonwealth Bank of Australia | Confidential

 Benefits of Cloud Services:
• Improved productivity,
flexibility and reduced costs
• Data storage solutions
• Automatic software updates
Cloud security • Increased collaboration
Be safe and secure in • Work from anywhere
the cloud
Be Active, be informed:
• Read the terms and
conditions
• Be across your user access
controls – think about your
onboarding/offboarding
processes
• Make it hard for an attacker
– ask about security controls
• Keep tabs on your provider’s
practices

Remember:
If you're using cloud, the
security and privacy of your
data is largely in somebody
else’s direct control …
16 | Commonwealth Bank of Australia | Confidential
 Make yourself a hard target and take steps to limit harm
Writers of malicious software (malware) including ransomware and
keyloggers rely on users of a system to make simple errors in order
Securing your to infect a device or gain unauthorised access.

devices Aside from educating your company's computer users, your best
defence as a small business is to 'harden' your devices against
these risks.
Take these actions to
help secure your
devices • Turn on automatic updates
• Only install software from reputable publishers
• Limit administrative access to your computers – de-privilege
where possible
• Encrypt your hard drives
• Install security software and keep it up to date

17 | Commonwealth Bank of Australia | Confidential

 Email Payment Fraud (aka Business Email Compromise)

• Emails designed to look like valid requests to make payments to

Securing your third parties, which include payment instructions or invoices;
payments • Targeted at staff that have authority to perform the transaction;
• Designed to appear as legitimate, business as usual requests.
You can’t always trust
the sender of an The CEO Email Supplier Payment Fraud
email… A fraudster sends an email to Fraudsters pose as genuine
your accounts team pretending suppliers and submit
to be from the CEO, CFO or instructions to alter the
other person in authority, asking supplier’s bank account for
that a payment be made to a payment of future invoices.
nominated bank account as a
matter of urgency.

18 | Commonwealth Bank of Australia | Confidential

 Losses from Email Payment Fraud
(US$ million)
Email $6,000

Payment $5,000
$5,300

Fraud $4,000

(US$ million)
$3,000 $3,100

US$5 billion industry $2,300

in under two years. $2,000

$1,200
$1,000

$214
$-

Jan-15
Feb-15
Mar-15
Apr-15
May-15
Jun-15
Jul-15
Aug-15
Sep-15
Oct-15
Nov-15
Dec-15
Jan-16
Feb-16
Mar-16
Apr-16
May-16
Jun-16
Jul-16
Aug-16
Sep-16
Oct-16
Nov-16
Dec-16
Jan-17
Feb-17
Mar-17
Apr-17
May-17
Source: FBI/IC3

19 | Commonwealth Bank of Australia | Confidential

 Possible indicators of fraudulent
emails

• The request claims to be urgent and/or confidential;

• The recipient is asked to ignore standard payment
authorisation processes or processes for changing beneficiary
details;
• The request (often) includes grammatical and spelling errors;
• The type of request and the language and formatting are
unusual for the supposed sender;
• The ‘reply to’ email address is different to the sender’s
address.

| Commonwealth Bank of Australia |

 Detecting scams is easier if:
Email • There is a strict payments
process, with separation of
Payment duties, and enforced
Fraud compliance.
• Staff are trained (and it is
culturally acceptable) to
Review your payment question a process change
processes or anything that looks
suspicious (especially
payments);
• Large or unexpected
payments, or changes to
beneficiary details in your
supplier database, cannot be
made without additional
verification steps.
21 | Commonwealth Bank of Australia | Confidential
Most affected industries:
Attacks are recorded relatively
evenly across most sectors of
the economy. The industries
most susceptible to fraud:
• Property and Real Estate –
17% of recorded loss events
• Building and Construction –
11% of recorded loss events
• Education –
10% of recorded loss events
• Retail and distribution –
9% of recorded loss events
• Government –
7% of recorded loss events
 Report suspicious activity

If you realise you have made a payment as a result of

these scams (or malware):

1. immediately call the CommBiz helpdesk on

132 339
2. inform your account manager.

3. Report to law enforcement.

| Commonwealth Bank of Australia |

How can we help?
 Tailored advice:
Sharing • Focused on providing actionable
Knowledge advice on relevant topics eg.
network security, securing
devices, cloud security and
Supporting small email practices
and medium
business owners • Focusing on educating business
owners and their staff
• https://www.commbank.com.au/busi
ness/support/security.html
24 | Commonwealth Bank of Australia | Security Awareness at Scale
 A quarterly threat update:
Sharing • Trends and observations
Knowledge about the threat landscape
• Data-driven ‘deep dive’
analysis on critical security
Supporting small and
medium business issues
• Updates on new legislation
owners
with security and privacy
implications
• https://www.commbank.com.a
u/business/support/security/si
25 | Commonwealth Bank of Australia | Confidential
gnals.html
In past editions:
• How to protect your
organisation from Email
Payment Fraud
• Effectiveness of simulated
phishing programs.
• The causes and impact of
the world’s largest data
breaches.
 Cyber-outreach@cba.com.au
26 | Commonwealth Bank of Australia |
 Cyber-Safety Advice: Partnership:
ThinkUKnow • Talking to parents about cyber
hygiene practices Police Associations
Enabling parents
• Raising awareness of threats from across the
and guardians to
• Presented in schools and + country and
have better
conversations with community centres neighbourhood
their children watch Australia
• Safe place to ask questions and
start the conversation

27 | Commonwealth Bank of Australia | Security Awareness at Scale

 Thank you
Cyber-outreach@cba.com.au

28 | Commonwealth Bank of Australia | Confidential