scammed: defend against social engineering
DESCRIPTION
Do you know how to identify and respond to cyberattacks? As the size, severity and frequency of hacks continue to grow, A-LIGN President Gene Geiger looks to assist organizations in managing and minimizing the risk of cyberattacks. This presentation evaluates current security trends and risks, reviews a client environment and account compromise through social engineering, and provides practical advice on how to keep your organization from becoming compromised. As hackers become increasingly savvy at accessing accounts and sensitive information, this session will help your organization build a security foundation to avoid becoming another target. The presentation covers: the current data breach landscape, with examples of real-world breaches; security trends and risks, including the consequences of a data breach; a case study of a social engineering attack; and actionable prevention tips and IT audits to secure your organization.
TRANSCRIPT
-
Presenter
Gene Geiger, President at A-LIGN
• Co-founder and President at A-LIGN, leading the firm's service delivery function of all audits
• Professional designations:
  - CPA
  - CCSK
  - CISSP
  - PCIP
  - QSA
  - ISO 27001, ISO 9001, and ISO 22301 Lead Auditor
  - HITRUST CCSFP
WWW.A-LIGN.COM | ©2018
http://www.a-lign.com/
-
Agenda
• The Cybersecurity Landscape
• Security Trends and Risks
• Real World Breaches
• Case Study of a Social Engineering Attack
• Breach Prevention Solutions
• Q&A Session
-
Data Breach vs. Data Incident
A data incident is a security event that compromises the integrity, confidentiality, or availability of an information asset.
A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual not authorized to do so.
Data breaches may involve:
• PCI - Payment card (cardholder) information
• PHI - Protected health information
• PII - Personally identifiable information
• Trade secrets
• Intellectual property
-
Recent Data Breaches
• Yahoo: >1 billion affected users
• Equifax: >140 million affected users
• LinkedIn: 117 million affected users
• Facebook: 87 million affected users
• Target: 70 million affected users
• Uber: 57 million affected users
• Internal Revenue Service (IRS): 700,000 affected users
-
The Cybersecurity Landscape
“No locale, industry or organization is bulletproof when it comes to the compromise of data.”
- Verizon's 2017 Data Breach Investigations Report
[Chart: percentage of breaches per threat action category (Hacking, Malware, Social, Error, Misuse, Physical, Environmental), 2010 through 2017, on a 0% to 60% scale. Source: Verizon's 2017 Data Breach Investigations Report]
-
Cost of a Breach
• Fines
  - HIPAA
  - PCI
• Settlement and lawsuit costs
• Reputation
• Ability to capture new business
-
Average Cost of a Breach
• $3.62 million: consolidated average total cost of a breach
• $141 per record: cost incurred per record of sensitive/confidential information
• $1.56 million (U.S.): post-data-breach response activities
-
PCI DSS Fines
Visa Non-Compliance Fines

Month    Level 1           Level 2
1 to 3   $10,000/month     $5,000/month
4 to 6   $50,000/month     $25,000/month
7+       $100,000/month    $50,000/month

Breach fines and resulting lawsuits are even higher in potential cost!
-
HIPAA Fines
• Category 1
  - A violation that the covered entity (CE) was unaware of and could not realistically have avoided, even had a reasonable amount of care been taken to abide by the HIPAA Rules
  - Minimum fine of $100 per violation, up to $50,000
• Category 2
  - A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care
  - Falls short of willful neglect of the HIPAA Rules
  - Minimum fine of $1,000 per violation, up to $50,000
-
HIPAA Fines (continued)
• Category 3
  - A violation suffered as a direct result of willful neglect of the HIPAA Rules
  - Only in cases where an attempt has been made to correct the violation
  - Minimum fine of $10,000 per violation, up to $50,000
• Category 4
  - A violation of the HIPAA Rules constituting willful neglect
  - No attempt has been made to correct the violation
  - Minimum fine of $50,000 per violation
-
Breach Fallout: Anthem
• 78.8 million affected users
• Largest healthcare data breach reported to date
• Accessed information may have included:
  - Names
  - Dates of birth
  - Social Security numbers
  - Health care ID numbers
  - Home addresses
  - Email addresses
  - Work information, such as income data
• Previously fined $1.7 million for data security failures by OCR in 2009
• Pending fines, settlements, other costs
-
Breach Fallout: Target
• Fines
  - PCI fines (assessed by the card brands, not the PCI Council itself) could reach between $400 million and $1.1 billion
• Settlement cost
  - $10 million to affected users
  - Additional settlements pending
• Class-action lawsuit
  - $5 million in damages pending
• Loss in credibility/business
  - After the breach, Target's fourth-quarter profit fell 46%, a loss of more than $200 million in profits
-
Breached by A-LIGN
• Scenario 1
  - A-LIGN's penetration testing team posed as an internal IT group
  - A survey was sent to a group of employees
  - Followed up with a phone call
-
Breached by A-LIGN
• Scenario 2
  - Penetration testing team posed as the HR department and an email was sent to the IT staff
  - They were asked to log in and update HR information
  - The goal was only to get them to click the link within the email
-
Breached by A-LIGN
• Scenario 1
  - 100 total targets
  - 42 survey visits
  - 9 credentials gathered
  - 6 opt-outs
• Scenario 2
  - 8 total targets
  - 6 visits
  - No credentials gathered
[Chart: Scenario #1 email engagement (credentials captured, opt-out, link followed, no action); Scenario #2 email engagement (link followed, no action)]
-
Why is This Happening?
• No written and/or implemented information security policy
• Not compliant with applicable standards
• No recent assessments/penetration tests
• Not improving information security
-
Solutions
• Improve policies and procedures
• Restrict access with proper authorization and access controls
• Improve third-party vendor management
• Design and follow an incident response program
• Compliance audits and penetration testing
• Employee education and security training
-
Breach Prevention
• Data breaches can never be fully prevented, but preparation can help your organization
  - Recurring/scheduled security tests
  - Enforcement of strong security policies
  - Training of employees
-
Compliance Audits and Penetration Testing
• Be in compliance with the necessary standards
• Understand the potential risk to your organization
• Cyber risk & privacy, compliance and security audits available:
  - SOC 1, SOC 2, SOC for Cybersecurity
  - HIPAA, HITRUST
  - PCI DSS
  - FISMA, FedRAMP
  - Penetration Testing
  - ISO 27001
  - CFPB
  - GDPR
-
Summary/Questions
888.702.5446 | www.A-LIGN.com | [email protected]
-
A-LIGN Can Help
[Logos: HITRUST Authorized CSF Assessor; PCI Security Standards Council Qualified Security Assessor; ANAB Accredited Management Systems Certification Body]
● A-LIGN is a leading information security audit firm focused on security, privacy and compliance frameworks including:
  - SOC 1 Examinations, SOC 2 / AT-C 105 and 205 Examinations, SOC for Cybersecurity Examinations, Penetration Testing, ISAE 3402, HITRUST, FFIEC Cybersecurity Assessment Services, FedRAMP Assessment, FISMA Assessment, ISO 27001 Certification and more
● A Public Company Accounting Oversight Board (PCAOB) registered auditor
● Enrolled in the American Institute of CPAs' (AICPA) Peer Review Program
-
Sources
● http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
● http://www.esecurityplanet.com/network-security/all-time-high-of-1093-data-breaches-reported-in-u.s.-in-2016.html
● https://www.nytimes.com/2014/02/27/business/target-reports-on-fourth-quarter-earnings.html?_r=0
● http://thehill.com/policy/cybersecurity/316034-united-states-leads-world-in-data-breaches
● http://www-03.ibm.com/security/data-breach/
● http://www.experian.com/assets/data-breach/white-papers/2017-experian-data-breach-industry-forecast.pdf
● https://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enforcementfinalrule.html
● https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
● https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
● http://www.darkreading.com/risk/compliance/target-pci-auditor-trustwave-sued-by-banks/d/d-id/1127936
● https://fas.org/sgp/crs/misc/R43496.pdf