Pub. 11 2020 Issue 3

West Virginia Banker, Fall 2020

Chris Joseph is a partner of Arnett Carbis Toothman LLP, located in the Charleston, West Virginia office. A certified public accountant, certified information system auditor, certified in risk and information systems control and certified information technology professional, Mr. Joseph has over 35 years of experience in information technology audit and security services in the financial institutions industry. Mr. Joseph can be contacted at 800-642-3601 or through email: chris.joseph@actcpas.com.

• Zero-day attacks
• Ransomware
• Software vulnerabilities
• Social engineering

The threats have increased in the COVID-19 environment, with employees working remotely, where the security at an employee’s home is not as robust as what is present at the financial institution.

Ransomware. As indicated previously, ransomware is on the rise at a very high rate (i.e., 900%). Ransomware has been discussed in detail over the past few years, but there have been some changes in the behavior of the fraudsters/bad actors. A summary of ransomware follows:

• Ransomware prevents users from accessing their systems and data/files. The first variant of ransomware occurred in the 1980s.
• The bad actor demands payment to regain access to the victim’s systems and data/files.
• There have been three types of ransomware over the years:
  ◦ The first type of ransomware was scareware that was more of a nuisance, where the victim received popups claiming malware and demanding payment to remove the popups. There were no real threats to the files.
  ◦ The second type of ransomware was screen lockers that locked the victim’s screen and claimed that the victim conducted illegal activity. The bad actor typically claimed to be the FBI and wanted a payment to unlock the screen. The FBI does not operate in this manner, and as more of the victims realized that, the threat was reduced. The victims did not pay the ransom as they became more informed of the way the FBI operated.
  ◦ The third type of ransomware is encrypting ransomware. This type of ransomware can be devastating to the victim. With encrypting ransomware, the victim’s files/data are encrypted by the fraudster/bad actor, preventing the victim’s financial institution from having access to their files. Of course, without access to their files, the financial institution encounters significant issues with providing timely customer service. The fraudster/bad actor demands payment, or ransom, for the decryption key to gain access to the files/data.

When ransomware was in the headlines a few years back, the amount of the ransom typically ranged from a few hundred dollars to a few thousand dollars. Things have changed significantly in the ransom demands. Ransom demands can reach six figures now, and in one case, $14 million was demanded from an IT company in Wisconsin that services 110 companies that, in turn, have 2,400 nursing homes. The fraudsters/bad actors can identify their victims and then assess what the victim’s data is worth to them.

Another change in the behavior of the fraudsters/bad actors is their willingness to implement destructive behavior. In the past, if your financial institution had good controls to combat the attack, the attackers would typically move on to another target and possibly attempt to compromise the financial institution another day. Today, they are willing to engage in destructive behavior by destroying data files, downloading and publishing sensitive and confidential information, etc.

Should you pay the ransom? The FBI recommends not paying ransoms, as there is no guarantee that the decryption key will be provided. Also, the ransom money could be used to fund terrorist activity, fund nation-state activities (e.g., North Korea), fund cybercriminals, etc.

Controls. The best way to combat cyber events is through the implementation of sound controls. Most of these are back-to-basic controls such as a regular and ongoing patch management program, next-generation anti-virus solution, next-generation firewall solutions, engaging security testers to conduct penetration testing and vulnerability assessments, ongoing employee training/education, etc. In the area of ransomware, a good backup solution that includes an offline backup component is a strong way to reduce the impact.

In the case of the IT vendor supporting multiple nursing homes, the company had a good backup solution, so they did not pay the ransom (the CEO/Owner also indicated they could not afford to pay the ransom). The IT vendor did encounter significant issues as their clients could not access their data for treatment plans, billings, etc. until the systems were brought back online. In addition, there was evidence that the cybercriminal was on their system for 14 months prior to executing the attack, leaving doubt as to how much information the cybercriminal was able to obtain.

Conclusion. COVID-19 has permanently changed the way financial institutions work and operate and how they serve their customers. With the changes come increased and new risks/threats. Staying proactive with information security and cybersecurity programs is increasingly important and should be part of the financial institution’s daily operations.
