
Cyber Fraud

Cyber Fraud. Mr. Keelan T. Stewart, August 20th, 2019. www.linkedin.com/in/keelanstewart


Presentation Transcript


  1. Cyber Fraud Mr. Keelan T. Stewart August 20th, 2019 www.linkedin.com/in/keelanstewart

  2. About the Speaker • Education and Certification • BS, MS in Information Assurance, University of Nebraska Omaha • Certified Information Systems Security Professional, CISSP • HealthCare Information Security and Privacy Practitioner, HCISPP • GIAC Law of Data Security & Investigations, with Gold Paper, GLEG Gold • GIAC Strategic Planning, Policy, and Procedure, GSTRT • Experience • Information Security Analyst and Authorizing Official, Boys Town • Nuclear and Space Mission Systems Cybersecurity Analyst, U.S. Strategic Command • National and Nuclear Command and Control Enterprise and Solutions Architect

  3. Introduction

  4. Introduction
     • FBI reports $2.7B in cyber fraud in 2018
         • Businesses reluctant to report losses related to cyber fraud
         • Long-term, intangible losses hard to determine/track
     • Cyber crime capabilities continue to expand
         • Nation states operating with impunity
         • Organized crime tolerated by host countries
         • Weaponized malware openly available for purchase

  5. Cyber Fraud: Does crime pay?

  6. Cyber Fraud: Phishing

  7. Cyber Fraud: Spear Phishing

  8. Cyber Fraud: Whaling

  9. Cyber Fraud: Phishing, Spear Phishing, & Whaling
     • 91% of data breaches start with spear phishing
     • Between 45%-90% of email is spam
         • 60% routinely observed at work
         • Inclusive of attacks and general sales spam
     • Attackers have huge advantages
         • Attacks cost little ($15/month)
         • Defense costs a lot
         • Jurisdictions prevent recourse

  10. Cyber Fraud: Phishing, Spear Phishing, & Whaling
     • Security Controls
         • User Training
             • Phishing Exercises
         • Firewall Region Blocking
         • Anti-Spoofing (SPF, DMARC, DKIM)
         • Email Security Tools
         • OPSEC
             • Social Media Policies
             • Executive Procedures

  11. Cyber Fraud: Business Email Compromise

  12. Cyber Fraud: Business Email Compromise
     • Highest reported loss cyber crime: $1.2B in 2018

  13. Cyber Fraud: Business Email Compromise
     • Security Controls:
         • Procedural Security
             • Call to confirm (amount, account)
             • Known good list
         • Email Security / Social Engineering Training
             • Phishing exercises
         • Domain Security
             • Register similar domains
             • Anti-spoofing (SPF, DMARC, DKIM)
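The anti-spoofing controls listed on slides 10 and 13 (SPF and DMARC) are only as good as the published records. The following added example, which is not part of the talk, grades a domain's SPF and DMARC TXT records for the weaknesses an auditor would look for; the two sample domains and their records are constructed, and the `SAMPLE_RECORDS`, `spf_findings`, `dmarc_findings` and `assess` names are this example's own.

```python
# Added example (not from the talk): grade SPF and DMARC TXT records, the
# anti-spoofing controls on the slides (RFC 7208 / RFC 7489 syntax).
SAMPLE_RECORDS = {  # constructed samples, not real DNS lookups
    "weak.example": ("v=spf1 include:_spf.example.net +all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "strong.example": ("v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
                       "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example"),
}
LOOKUP_MECHS = ("a", "mx", "include", "exists", "redirect", "ptr")

def spf_findings(record):
    """Return weaknesses in an SPF record (empty list = acceptable)."""
    if not record.startswith("v=spf1"):
        return ["no SPF record: any host may send as this domain"]
    findings, terms = [], record.split()[1:]
    # The last 'all' mechanism decides what happens to senders not listed.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    qualifier = all_terms[-1][0] if all_terms and all_terms[-1][0] in "+-~?" else "+"
    if not all_terms:
        findings.append("no 'all' term: unlisted senders evaluate as neutral")
    elif qualifier == "+":
        findings.append("'+all': every sender passes SPF")
    elif qualifier in "~?":
        findings.append(f"'{qualifier}all': spoofed mail is only softfailed or neutral")
    # RFC 7208 caps DNS-querying mechanisms at 10; more yields permerror.
    mechs = [t.lstrip("+-~?").split(":")[0].split("=")[0].lower() for t in terms]
    if sum(m in LOOKUP_MECHS for m in mechs) > 10:
        findings.append("over 10 DNS lookups: receivers return permerror")
    return findings

def dmarc_findings(record):
    """Return weaknesses in a DMARC record (empty list = acceptable)."""
    if not record.startswith("v=DMARC1"):
        return ["no DMARC record: receivers will not enforce alignment"]
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    findings, policy = [], tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam, not rejected")
    if policy != "none" and int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of mail")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not being collected")
    return findings

def assess(domain, records=SAMPLE_RECORDS):
    # Findings per control for one domain, e.g. one row of an audit checklist.
    spf, dmarc = records.get(domain, ("", ""))
    return {"spf": spf_findings(spf), "dmarc": dmarc_findings(dmarc)}
```

Against real domains, feed the strings returned by a DNS TXT query for `example.com` and `_dmarc.example.com` into the same two functions.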

  14. Cyber Fraud: Ransomware

  15. Cyber Fraud: Ransomware
     • Petya
         • MBR attack, prevents Windows booting
         • 2017: Ukraine cyberwar
     • SamSam
         • RDP brute force, so no user interaction
         • 2018: City of Atlanta, 6M affected, $2.7M damages
     • EternalBlue
         • Developed by NSA, exploited MS SMB in XP-8 and Server 2003-2016
         • Used in WannaCry, NotPetya, BadRabbit
         • UK’s NHS, Ukraine, Baltimore

  16. Cyber Fraud: Ransomware
     • Security Controls
         • Backups
         • Remove Local Admin
         • Patching
         • Awareness Training
         • Web Ad Blocking
         • Email Security
         • NextGen Anti-Virus
         • NextGen Firewall
         • User Behavior Analytics
         • Segmentation

  17. Cyber Fraud: Data Breach
     • Social Security Number: $1
     • Login Credentials: $1
     • Credit/Debit Card
         • With CVV: $5
         • With Bank Info: $15
         • With All Info: $30
     • Netflix, etc.: $10
     • Driver’s License: $20
     • Loyalty Accounts: $20
     • PayPal, etc.: $200
     • Diplomas: $400
     • Medical Records: $1000
     • Passports: $1000-$2000

  18. Cyber Fraud: Data Breach

  19. Cyber Fraud: Data Breach
     • Security Controls
         • Procedural Security
             • Process transactions quickly
             • Call to confirm, known-good lists
         • Record Retention
             • Secure Repositories
             • Policy to not store outside
         • Segmentation

  20. Audit Considerations: Invest for Success: Diversifying Your Audit Portfolio

  21. Audit Considerations: Invest for Success: Diversifying Your Audit Portfolio
     • Information Security is to IT as Internal Audit is to Finance
         • Separation of duties due to conflict of interest
     • Shadow IT
         • Devices purchased by business units without IT
         • Typically not managed/secured well
     • Users are not stupid; they are doctors, lawyers, but not IT
         • In modern countries, 5% of population has high computer skills
         • Only 33% can complete medium-complexity tasks

  22. Audit Considerations: Invest for Success: Diversifying Your Audit Portfolio
     • Information Security is becoming highly regulated and fined
         • GDPR, HIPAA, PCI, CCPA
         • Regulatory audits can help InfoSec advocate
     • Almost any audit can have cyber aspects
         • Big 4 audits consider cyber security in financial analysis
         • Know when to look at cyber to enhance audits
     • Take cyber liability insurance seriously
         • No longer a matter of “if” but “when”

  23. Audit Considerations: Invest for Success: Diversifying Your Audit Portfolio
     • Computer literacy is just as important as accounting in IA
         • You know accounting to keep accountants honest
         • Know computers to keep IT and InfoSec honest
     • Information Security Groups
         • ISACA
         • ISC(2)
         • FBI InfraGard
         • DHS ISACs
         • NEbraskaCERT

  24. Questions?
