Social Engineering - stxhfma.org
AUDIT & ACCOUNTING + CONSULTING + TAX SERVICES + TECHNOLOGY | www.PNCPA.com | www.PNTECH.net
Social Engineering: Protecting PHI through the Weakest Link
Paul Douglas, CISA, CCSFP
Common Social Engineering Techniques
Organization Preparation
Data Breach History
Regulatory Impact
Social Engineering
Techniques
Common Social Engineering Attack Techniques
Phishing
Ease of Access - Weak Links
Emails intended to acquire sensitive information
Examples from my inbox…
Common Social Engineering Attack Techniques
Spear Phishing
Ease of Access - Weak Links
Targeted emails customized for you and potentially the organization
Example: Target Breach
Examples from my inbox…
A lot of Phish in the Sea…
* Verizon 2015 Data Breach Investigations Report
Common Social Engineering Attack Techniques
Physical Spoofing
Ease of Access - Weak Links
Physical impersonation of an employee or vendor
Common Social Engineering Attack Techniques
Remote Spoofing
Ease of Access - Weak Links
Impersonation of a device, employee, or vendor
Example: Windows Support Calls
Common Social Engineering Attack Techniques
Baiting
Ease of Access - Weak Links
Physical objects used (CDs, USBs) to “bait” employees
Example: Iranian nuclear plant USB drop
“A Network of Human Sensors”
“One of the most effective ways you can minimize the phishing threat is through effective awareness and training. Not only can you reduce the number of people that fall victim to (potentially) less than 5%, you create a network of human sensors that are more effective at detecting phishing attacks than almost any technology.”
Lance Spitzner
Training Director for the SANS Securing The Human Program
Employee Information Security Training
1. Diagnose the readiness of your employees for a social engineering attack
2. Design custom IT security training to address gaps / improvement opportunities with your workforce
3. Monitor progress through periodic testing and follow-up activities
DIAGNOSE
Social Engineering Review
PRESCRIBE
Custom IT Security Training
MONITOR
Periodic Testing and Follow-up Activities
Employee Information Security Training
[Chart: Social Engineering Success Rate, 2015-2019; y-axis 0% to 40%]
Breach Statistics
[Pie chart, breaches by occurrence: Hacking/IT Incident 10%, Improper Disposal 4%, Loss 10%, Theft 54%, Unauthorized Access/Disclosure 22%. Data Source: www.hhs.gov]
Data Breach Summary:
• Data from September 2009-April 2015
• Breaches affecting 500 or more individuals: 1,190
• Involving a Business Associate: 272 (23%)
• Number of individuals affected: 129,466,215
Breach Statistics
| Data Breach Type | % of Breach Type by Occurrence | % of Individuals Affected | Sum of Individuals Affected |
|---|---|---|---|
| Hacking/IT Incident | 10% | 74% | 95,575,317 |
| Improper Disposal | 4% | 1% | 764,514 |
| Loss | 10% | 6% | 7,514,208 |
| Theft | 54% | 15% | 20,362,698 |
| Unauthorized Access/Disclosure | 22% | 4% | 5,249,478 |
| Grand Total | 100% | 100% | 129,466,215 |
Impact of the Anthem, Inc. Data Breach
| | Patient Records Breached |
|---|---|
| Pre-Anthem | 49,466,215 |
| Post-Anthem | 129,466,215 |
Regulatory Impact – HIPAA Security Rule
Health Insurance Portability and Accountability Act (HIPAA) Security Rule
§164.308(a)(1) Security Management Process
§164.308(a)(5) Security Awareness and Training
§164.308(a)(8) Technical / Non-Technical Evaluation
§164.316(a) Policies and Procedures
Regulatory Impact – PCI DSS
Payment Card Industry Data Security Standard Version 3.0
Requirement began June 30, 2015
Requirement 11.3.1 – 11.3.3 – Perform a Penetration Test and Exploit Vulnerabilities
NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
Paul Douglas, Consulting Manager
225.408.4421
Connect with me on LinkedIn
Founded in 1949
#1 largest Louisiana accounting firm
Top 100 professional services firm in US