2017-10-05 Mitigating Cybersecurity and Cyber Fraud Risk in Your Organization
TRANSCRIPT
![Page 1: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/1.jpg)
Thrive. Grow. Achieve.
Mitigating Cybersecurity and Cyber Fraud Risk in your Organization
Nate Solloway and Martin Nash
October 5, 2017
![Page 2: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/2.jpg)
BUT FIRST
• EAGLEBANK - DISCLAIMER!
• ABOUT US
• ABOUT YOU
• INTERACTION ENCOURAGED
• QUESTIONS ANYTIME
2
![Page 3: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/3.jpg)
WHAT WE WILL COVER
• RISK BASICS – KNOW, MANAGE, UNDERSTAND
• WHAT ARE THREATS DOING?
• WHAT CAN YOU DO?
• HELPFUL RESOURCES
3
![Page 4: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/4.jpg)
RISK BASICS: KNOW, MANAGE, UNDERSTAND
• KNOW YOUR THREATS
• MANAGE YOUR VULNERABILITIES
• UNDERSTAND THE POSSIBLE IMPACTS TO YOU/YOUR ORGANIZATION
4
CONFIDENTIALITY, INTEGRITY AND AVAILABILITY OF INFORMATION
THREAT X VULNERABILITY X IMPACT = RISK
![Page 5: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/5.jpg)
KNOW YOUR THREATS
A threat is defined as a potential cause of an incident that may result in harm to a system or organization. Information security threats to the confidentiality, integrity and/or availability of information can be environmental (such as hurricanes, tornadoes, floods or earthquakes) or human: a person (threat actor) or group of people (threat group) who deliberately performs an attack or, in the case of accidents, causes the accident.
KEY INFORMATION SECURITY THREATS (IN NO PARTICULAR ORDER AND NOT EXHAUSTIVE):
• Organized Crime/Cyber Criminals
• Hacktivists
• Nation States
• Insiders (including 3rd parties with access to Sensitive Information)
• Accidental, non-intentional and/or non-malicious versus Deliberate: Biggest Help versus Biggest Hindrance
• Environmental
• (Terrorists)
5
![Page 6: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/6.jpg)
MANAGE YOUR VULNERABILITIES
Information security vulnerabilities are defined as any weaknesses of an information asset or group of assets that can be exploited by one or more threats, leading to the deliberate or accidental unauthorized disclosure, misuse, alteration and/or destruction of information or information systems.
EVERY COMPUTER IS MILLIONS OF LINES OF CODE WRITTEN BY FALLIBLE OR DELIBERATELY MALICIOUS HUMAN BEINGS.
6
![Page 7: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/7.jpg)
UNDERSTAND THE POSSIBLE IMPACTS TO YOUR ORGANIZATION (EXAMPLES)
• FINANCIAL LOSS OR STOCK CRASH
• REPUTATIONAL DAMAGE
• LEGAL/REGULATORY PENALTIES
• LOSS OF PRIVACY FOR STAFF AND/OR CUSTOMERS
• IDENTITY THEFT (FRAUD) FOR STAFF AND/OR CUSTOMERS
• FRAUD (GENERALLY)
• PERSONAL FINANCE IMPLICATIONS FOR STAFF AND/OR CUSTOMERS
7
![Page 8: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/8.jpg)
WHAT ARE THREATS DOING?
IT MISTAKES MAKE BIG HEADLINES
8
![Page 9: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/9.jpg)
VERIZON: 2017 DATA BREACH INVESTIGATIONS REPORT (DBIR)
9
![Page 10: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/10.jpg)
10
![Page 11: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/11.jpg)
11
![Page 12: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/12.jpg)
WHAT ARE THREATS DOING?
• SECTOR BREACH STATISTICS COURTESY OF THE 2017 VERIZON DATA BREACH REPORT (DBIR)
• SECTORS CHOSEN BASED ON ATTENDEES (THERE ARE A FEW MORE IN THE DBIR)
• GOING TO EXAMINE PREDOMINANT THREAT AVENUES FOR EACH SECTOR AND PROVIDE FURTHER CONTEXT THROUGH DEMONSTRATIONS
12
![Page 13: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/13.jpg)
13
![Page 14: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/14.jpg)
THREAT ATTACK LIFECYCLE
14
![Page 15: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/15.jpg)
PHISHING AND EMAILS
- WHAT HAPPENS WHEN YOU CLICK ON A MALICIOUS LINK OR OPEN AN ATTACHMENT?
- STOP AND THINK BEFORE CLICKING A LINK (OR OPENING ATTACHMENTS)
- MALWARE AND VIRUSES
15
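The "stop and think before clicking" advice can be turned into a mechanical check. The script below is an added example written for this page, not material from the original deck: it pulls every link out of an HTML e-mail body and reports the tells that phishing lures rely on, visible text naming one site while the href goes to another, a raw IP address as the host, and punycode (xn--) hosts used for lookalike names. The message body, the example-bank.com and evil.test domains, and the two-label registrable-domain helper are constructed for the demonstration.

```python
"""Added example: inspect the links in an HTML e-mail body before anyone clicks."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (not a real phishing e-mail). Domains are placeholders.
SAMPLE_BODY = """
<p>Your account will be suspended. Sign in at
<a href="http://secure-login.example-bank.com.evil.test/">https://www.example-bank.com/login</a>
or <a href="http://203.0.113.7/verify">verify here</a>.
Contact <a href="https://www.example-bank.com/help">support</a>.</p>
<a href="http://xn--exmple-bank-4ob.com/">https://www.example-bank.com</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in document order."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name: a naive stand-in for the public suffix list,
    good enough for the demo. Production code should use a real PSL library."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(href, text):
    """Return the list of reasons a link looks suspicious (empty list = no flags)."""
    reasons = []
    href_host = urlparse(href).hostname or ""
    if is_ip_literal(href_host):
        reasons.append("href host is a raw IP address")
    if any(label.startswith("xn--") for label in href_host.split(".")):
        reasons.append("href host uses punycode (possible lookalike)")
    # The classic trick: the visible text is a URL for one site, the href goes elsewhere.
    if text.lower().startswith(("http://", "https://")):
        text_host = urlparse(text).hostname or ""
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            reasons.append(f"text shows {text_host} but href goes to {href_host}")
    return reasons


def scan_body(body):
    """Return [(href, reasons), ...] for every link in the body, in document order."""
    collector = LinkCollector()
    collector.feed(body)
    return [(href, assess_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, reasons in scan_body(SAMPLE_BODY):
        print("SUSPICIOUS" if reasons else "ok        ", href, "; ".join(reasons))
```

Three of the four constructed links trip a check; the plain support link does not. The same logic sits well in a mail gateway or in a "report phishing" button handler, where the reasons list becomes the explanation shown to the user.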
![Page 16: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/16.jpg)
PHISHING
16
![Page 17: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/17.jpg)
SQL INJECTION ATTACKS
17
![Page 18: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/18.jpg)
SOCIAL ENGINEERING
- In person
- Via emails/electronically
- (remember phishing?)
- On the phone
18
ACCIDENTAL
- Excessive Privileges
- No ‘Need to Know’
- Not properly trained
- Ineffective Policies, Processes, Procedures
![Page 19: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/19.jpg)
19
DISCUSS!
![Page 20: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/20.jpg)
20
![Page 21: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/21.jpg)
21
DELIBERATE! (VERSUS ACCIDENTAL)!
- Excessive Privileges
- No ‘Need to Know’
- Lack of Monitoring
![Page 22: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/22.jpg)
22
• Denial of Service Attack of October 2016 was a game changer!
• Mirai botnet takes down Netflix, Twitter, Spotify, Reddit, CNN, PayPal, Pinterest
• DVRs, cameras, IoT devices
![Page 23: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/23.jpg)
Security Awareness Training 23
DENIAL OF SERVICE
![Page 24: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/24.jpg)
24
![Page 25: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/25.jpg)
25
RANSOMWARE
• Usually infected via phishing email
• File extension name changes
• Pop Ups
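The second bullet, files acquiring a new extension, is the observable a file server can alert on before the pop-up appears. The script below is an added example, not part of the original deck: it reads a list of rename events (constructed inline, with an invented /srv share layout and user names) and raises one alert when a single account renames a threshold number of files to an extension the organisation does not use, inside a sliding one-minute window.

```python
"""Added example: detect a ransomware-style burst of renames to an unknown extension."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import os

# Extensions this (constructed) organisation expects to see on its shares.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".md", ".csv"}


def build_sample_events():
    """Constructed audit events, not real logs: (timestamp, user, old_path, new_path).
    'mallory' renames 30 documents to .locked in 30 seconds; 'alice' does ordinary work."""
    base = datetime(2017, 10, 5, 9, 0, 0)
    events = [
        (base + timedelta(seconds=i), "mallory",
         f"/srv/finance/report_{i}.docx", f"/srv/finance/report_{i}.docx.locked")
        for i in range(30)
    ]
    events.append((base + timedelta(minutes=5), "alice",
                   "/srv/hr/draft.docx", "/srv/hr/final.docx"))
    events.append((base + timedelta(minutes=6), "alice",
                   "/srv/hr/notes.txt", "/srv/hr/notes.md"))
    return events


def extension(path):
    return os.path.splitext(path)[1].lower()


def detect_mass_rename(events, window=timedelta(seconds=60), threshold=20):
    """Return one alert per user whose renames to an unexpected extension reach
    `threshold` inside any `window`: (user, first_ts, last_ts, dominant_new_ext)."""
    suspicious = defaultdict(list)
    for ts, user, old_path, new_path in sorted(events):
        old_ext, new_ext = extension(old_path), extension(new_path)
        # A rename that keeps its extension, or moves to a known one, is normal work.
        if new_ext != old_ext and new_ext not in KNOWN_EXTENSIONS:
            suspicious[user].append((ts, new_ext))

    alerts = []
    for user, hits in suspicious.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until the span fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                exts = Counter(ext for _, ext in hits[start:end + 1])
                alerts.append((user, hits[start][0], hits[end][0],
                               exts.most_common(1)[0][0]))
                break  # one alert per user is enough to page someone
    return alerts


if __name__ == "__main__":
    for user, first, last, ext in detect_mass_rename(build_sample_events()):
        print(f"ALERT {user}: burst of renames to {ext} "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

The threshold and window are tuning knobs: set them from a week of normal rename volume on your own shares, and pair the alert with an automatic action (disable the account's SMB session) rather than an e-mail, since by the time a human reads it the encryption run has finished.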
![Page 26: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/26.jpg)
26
Business Email Compromise or Email Account Compromise (BEC or EAC)
– Business IT Systems
– Aim is to enable Wire (or any financial transaction) Fraud
– Financial Loss!
![Page 27: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/27.jpg)
27
BEC or EAC
Compromised Email Header
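The compromised header shown on this slide is an image that does not survive in the transcript, so the example below, added for this page and not part of the original deck, constructs a stand-in message and runs the checks a gateway or analyst would apply to it: a sender domain one character off the real one, a Reply-To that routes replies somewhere else, an executive's display name on an address that is not theirs, and a failed SPF result recorded by the receiving server. It also produces the external-sender subject stamp the deck recommends later. INTERNAL_DOMAINS, EXECUTIVES and both messages are constructed for the demonstration.

```python
"""Added example: header checks for business e-mail compromise (BEC/EAC)."""
import email
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-corp.com"}                  # constructed organisation
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # constructed directory

# Constructed message, not a real header capture. Note the digit 1 in examp1e.
SAMPLE_MESSAGE = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail.example.net
To: controller@example-corp.com
Subject: Urgent wire today
Return-Path: <bounce@mail.example.net>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=mail.example.net; dkim=none
Date: Thu, 5 Oct 2017 09:12:00 -0400

Please process the attached wire before noon. I'm in meetings, so reply here.
"""

CLEAN_MESSAGE = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: controller@example-corp.com
Subject: Q3 numbers
Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass

Attached as discussed.
"""


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain, trusted):
    """True when the two domains differ in exactly one character position."""
    return (len(domain) == len(trusted) and domain != trusted
            and sum(a != b for a, b in zip(domain, trusted)) == 1)


def analyze(raw):
    """Return a list of findings for the message; an empty list means nothing tripped."""
    msg = email.message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    findings = []

    if from_dom not in INTERNAL_DOMAINS:
        findings.append("external sender")
    for trusted in INTERNAL_DOMAINS:
        if is_lookalike(from_dom, trusted):
            findings.append(f"sender domain {from_dom} is a lookalike of {trusted}")
    # Replies silently go to the attacker's mailbox while From looks right.
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append("Reply-To domain differs from sender domain")
    # Display-name spoofing: the name is an executive's, the address is not.
    key = display_name.lower().split("(")[0].strip()
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        findings.append("display name matches an executive but the address does not")
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("SPF/DKIM failure reported by the receiving gateway")
    return findings


def stamped_subject(raw):
    """Subject as it should reach the user: prefixed when the sender is external."""
    msg = email.message_from_string(raw)
    subject = msg.get("Subject", "")
    if "external sender" in analyze(raw):
        return "[EXTERNAL] " + subject
    return subject


if __name__ == "__main__":
    for finding in analyze(SAMPLE_MESSAGE):
        print("-", finding)
    print(stamped_subject(SAMPLE_MESSAGE))
```

None of these checks is conclusive on its own (an executive really does travel and mail from a personal address), which is why the finance-team rule matters: a payment request that arrives with any of these findings goes through the out-of-band confirmation procedure, not a reply to the message.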
![Page 28: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/28.jpg)
FRAUDULENT HOTSPOTS
28
![Page 29: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/29.jpg)
“SMART DEVICE” HACKING
• Increasingly, we’re being offered Internet-connected devices for all aspects of our lives
– Home automation – remote control of lights, blinds, garage doors, security systems
– “Smart” refrigerators
– Internet-enabled baby monitors
• If it’s on the internet, it is vulnerable to hackers
– Many of these new devices are designed without consideration for security, since they're not items that traditionally require security!
– http://47.18.104.167:5000/Top
29
![Page 30: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/30.jpg)
30
WHAT CAN YOU DO?
About 80% of Insider Threat is accidental, non-malicious, unintentional risk
Training and Awareness
New Employee Training
Phishing (KnowBe4, PhishMe and others)
Social Engineering
Results
Should you tell your staff you are doing this?
Online Courses
Staff Meetings
Cyber Champions?
![Page 31: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/31.jpg)
31
99% of attacks are successful because people fail to do the basics right!
Up to date Anti-Virus
Different and Changing Passwords
Patches and Updates
Switch on anti-spam and anti-phishing options in email
Train staff and encourage them to be cyber savvy at work and at home.
Make your cyber house more secure than your neighbor's cyber house.
Treat information like a high value cash asset, because that is exactly what it is!
![Page 32: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/32.jpg)
32
Check that you have Distributed Denial of Service (DDoS) mitigation services in place, that they are regularly tested and that they work.
Watch out for potentially malicious attachments (such as macro-enabled MS Office docs) and talk about patching and updating hygiene to anyone who will listen.
Implement limiting, logging and monitoring of use. Watch out for large file transfers via USB, for example.
Have and enforce a formal procedure for disposing of anything that might contain sensitive data, and always have anything you are publishing checked and double checked.
Encrypt wherever possible and establish a corporate culture that frowns upon printing out sensitive data.
If you have web applications for customer use, encourage customers to vary their passwords and use two-factor authentication. Limit the amount of sensitive information stored in web-facing applications.
Hammer home to your teams, particularly in finance, that no one will request a payment via unauthorized processes. Also ask IT to mark external emails with an unmistakable stamp.
![Page 33: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/33.jpg)
33
HELPFUL RESOURCES AND INFO
Verizon 2017 Data Breach Investigations Report (DBIR)
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
FutureLearn – Introduction to Cybersecurity
https://www.futurelearn.com/courses/introduction-to-cyber-security
EagleBank website – Cybersecurity and Fraud page
https://www.eaglebankcorp.com/cybersecurity-and-fraud/
TED Talks – Everyday Cybercrime and what you can do about it
http://www.ted.com/talks/james_lyne_everyday_cybercrime_and_what_you_can_do_about_it
BEC Brochure (hard copy and EagleBank Website)
https://www.eaglebankcorp.com/cybersecurity-and-fraud/
Social Engineering Red Flags (hard copy)
Subscriptions:
US-Cert https://www.us-cert.gov/
Brian Krebs (Cybersecurity Investigative Blogger) http://www.krebsonsecurity.com/
![Page 34: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/34.jpg)
34
HELPFUL RESOURCES AND INFO
Resources for SMBs
https://www.us-cert.gov/ccubedvp/smb
10 Steps to Cybersecurity
https://www.ncsc.gov.uk/guidance/10-steps-cyber-security,
http://www.baesystems.com/en/cybersecurity/cyber-attacks-are-you-at-risk
NIST Cybersecurity Framework
https://www.nist.gov/cyberframework
ISO27001/2 Information Security Management
http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
Center for Internet Security – Top 20 Critical Security Controls
https://www.cisecurity.org/critical-controls.cfm
![Page 35: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/35.jpg)
QUESTIONS AND ANSWERS
35
EagleBank Disclaimer - Reminder
![Page 36: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization](https://reader033.vdocuments.net/reader033/viewer/2022052706/5a64d3167f8b9ac21c8b67eb/html5/thumbnails/36.jpg)
36