Scammed: Defend Against Social Engineering
Transcript of Scammed: Defend Against Social Engineering
-
Presenter
Gene Geiger, President at A-LIGN
• Co-founder and President at A-LIGN, leading the firm's service delivery function of all audits
• Professional designations:
  - CPA
  - CCSK
  - CISSP
  - PCIP
  - QSA
  - ISO 27001, ISO 9001, and ISO 22301 Lead Auditor
  - HITRUST CCSFP
WWW.A-LIGN.COM | ©2018
http://www.a-lign.com/
-
Agenda
• The Cybersecurity Landscape
• Security Trends and Risks
• Real World Breaches
• Case Study of a Social Engineering Attack
• Breach Prevention Solutions
• Q&A Session
-
Data Breach vs. Data Incident
A data incident is a security event that compromises the integrity, confidentiality, or availability of an information asset.
A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual not authorized to do so.
Data breaches may involve:
• PCI - Payment card information
• PHI - Personal health information
• PII - Personally identifiable information
• Trade secrets
• Intellectual property
-
Recent Data Breaches
• Yahoo: >1 billion affected users
• Equifax: >140 million affected users
• LinkedIn: 117 million affected users
• Facebook: 87 million affected users
• Target: 70 million affected users
• Uber: 57 million affected users
• Internal Revenue Service (IRS): 700,000 affected users
-
The Cybersecurity Landscape
“No locale, industry or organization is bulletproof when it comes to the compromise of data.”
- Verizon's 2017 Data Breach Investigations Report
[Chart: breach action categories by year, 2010 to 2017 (y-axis 0% to 60%): Misuse, Environmental, Social, Physical, Error, Hacking, Malware. Source: Verizon's 2017 Data Breach Investigations Report]
-
Cost of a Breach
• Fines
  - HIPAA
  - PCI
• Settlement and lawsuit costs
• Reputation
• Ability to capture new business
-
Average Cost of a Breach
• $3.62 million: Consolidated total cost of a breach
• $141 per record: Cost incurred per record of sensitive/confidential information
• $1.56 million in U.S.: Post data breach response activities
-
PCI DSS Fines
Visa Non-Compliance Fines
Month   | Level 1        | Level 2
1 to 3  | $10,000/month  | $5,000/month
4 to 6  | $50,000/month  | $25,000/month
7+      | $100,000/month | $50,000/month
Breach fines and resulting lawsuits are even higher in potential cost!
-
HIPAA Fines
• Category 1
  - A violation that the CE was unaware of and could not have realistically avoided, even had a reasonable amount of care been taken to abide by HIPAA Rules
  - Minimum fine of $100 per violation up to $50,000
• Category 2
  - A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care
  - Falls short of willful neglect of HIPAA Rules
  - Minimum fine of $1,000 per violation up to $50,000
-
HIPAA Fines
• Category 3
  - A violation suffered as a direct result of willful neglect of HIPAA Rules
  - Only in cases where an attempt has been made to correct the violation
  - Minimum fine of $10,000 per violation up to $50,000
• Category 4
  - A violation of HIPAA Rules constituting willful neglect
  - No attempt has been made to correct the violation
  - Minimum fine of $50,000 per violation
-
Breach Fallout: Anthem
• 78.8 million affected users
• Largest healthcare data breach ever reported
• Accessed information may have included:
  - Names
  - Dates of birth
  - Social Security numbers
  - Health care ID numbers
  - Home addresses
  - Email addresses
  - Work information like income data
• Previously fined $1.7 million for data security failures by OCR in 2009
• Pending fines, settlements, other costs
-
Breach Fallout: Target
• Fines
  - PCI Council could fine Target between $400 million and $1.1 billion
• Settlement Cost
  - $10 million from users
  - Additional settlements pending
• Class-Action Lawsuit
  - $5 million in damages pending
• Loss in credibility/business
  - After Target's data breach, sales fell by 46%, a loss of more than $200 million in profits
-
Breached by A-LIGN
• Scenario 1
  - A-LIGN's penetration testing team posed as an internal IT group
  - A survey was sent to a group of employees
  - Follow up with phone call
-
Breached by A-LIGN
• Scenario 2
  - Penetration testing team posed as the HR department and an email was sent to the IT staff
  - They were asked to login and update HR information
  - Goal was to get them to click the link within the email only
-
Breached by A-LIGN
• Scenario 1
  - 100 total targets
  - 42 survey visits
  - 9 credentials gathered
  - 6 opt outs
• Scenario 2
  - 8 total targets
  - 6 visits
  - No credentials
[Chart: Scenario #1 Email Engagement: Credentials Captured, Opt-out, Link Followed, No Action]
[Chart: Scenario #2 Email Engagement: Link Followed, No Action]
-
Why is This Happening?
• No written and/or implemented information security policy
• Not complied with applicable standards
• No recent assessments/penetration tests
• Not improving information security
-
Solutions
• Improving policies and procedures
• Restrict access with proper authorization and access controls
• Improve third-party vendor management
• Design and follow an incident response program
• Compliance audits and penetration testing
• Employee education and security training
-
Breach Prevention
• Data breaches can never be fully prevented, but preparation can help your organization
  - Recurring/scheduled security tests
  - Enforcement of strong security policies
  - Training of employees
-
Compliance Audits and Penetration Testing
• Be in compliance with the necessary standards
• Understand the potential risk to your organization
• Cyber risk & privacy, compliance and security audits available
  - SOC 1, SOC 2, SOC for Cybersecurity
  - HIPAA, HITRUST
  - PCI DSS
  - FISMA, FedRAMP
  - Penetration Testing
  - ISO 27001
  - CFPB
  - GDPR
-
Summary/Questions
888.702.5446 | www.A-LIGN.com | [email protected]
-
A-LIGN Can Help
● A-LIGN is a leading information security audit firm focused on security, privacy and compliance frameworks including:
  - SOC 1 Examinations, SOC 2 / AT-C 105 and 205 Examinations, SOC for Cybersecurity Examinations, Penetration Testing, ISAE 3402, HITRUST, FFIEC Cybersecurity Assessment Services, FedRAMP Assessment, FISMA Assessment, ISO 27001 Certification and more
● A Public Company Accounting Oversight Board (PCAOB) registered auditor
● Enrolled in the American Institute of CPAs' (AICPA) Peer Review Program
-
Sources
● http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
● http://www.esecurityplanet.com/network-security/all-time-high-of-1093-data-breaches-reported-in-u.s.-in-2016.html
● https://www.nytimes.com/2014/02/27/business/target-reports-on-fourth-quarter-earnings.html?_r=0
● http://thehill.com/policy/cybersecurity/316034-united-states-leads-world-in-data-breaches
● http://www-03.ibm.com/security/data-breach/
● http://www.experian.com/assets/data-breach/white-papers/2017-experian-data-breach-industry-forecast.pdf
● https://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enforcementfinalrule.html
● https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
● https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
● http://www.darkreading.com/risk/compliance/target-pci-auditor-trustwave-sued-by-banks/d/d-id/1127936
● https://fas.org/sgp/crs/misc/R43496.pdf