Do you know how to identify and respond to cyberattacks? As the size, severity and frequency of hacks continue to grow, A-LIGN President Gene Geiger looks to assist organizations in managing and minimizing the risk of cyberattacks. This presentation evaluates current security trends and risks, reviews the compromise of a client environment and user accounts through social engineering, and provides practical advice on how to prevent your organization from becoming compromised. As hackers become increasingly adept at accessing accounts and sensitive information, this session will help your organization build a security foundation to avoid becoming another target.

This presentation reviews the current data breach landscape, with examples of real-world breaches; security trends and risks, including the consequences of a data breach; a case study of a social engineering attack; and actionable prevention tips and IT audits to secure your organization.
Presenter
Gene Geiger, President at A-LIGN
• Co-founder and President at A-LIGN, leading the firm's service delivery function for all audits
• Professional designations:
- CPA
- CCSK
- CISSP
- PCIP
- QSA
- ISO 27001, ISO 9001, and ISO 22301 Lead Auditor
- HITRUST CCSFP
WWW.A-LIGN.COM | ©2018
Agenda
• The Cybersecurity Landscape
• Security Trends and Risks
• Real World Breaches
• Case Study of a Social Engineering Attack
• Breach Prevention Solutions
• Q&A Session
Data Breach vs. Data Incident
A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual not authorized to do so.
A data incident is a security event that compromises the integrity, confidentiality, or availability of an information asset.
Data breaches may involve:
• PCI - Payment card information
• PHI - Personal health information
• PII - Personally identifiable information
• Trade secrets
• Intellectual property
Recent Data Breaches
• Yahoo: >1 billion affected users
• Equifax: >140 million affected users
• LinkedIn: 117 million affected users
• Facebook: 87 million affected users
• Target: 70 million affected users
• Uber: 57 million affected users
• Internal Revenue Service (IRS): 700,000 affected users
The Cybersecurity Landscape
“No locale, industry or organization is bulletproof when it comes to the compromise of data.” - Verizon's 2017 Data Breach Investigations Report
[Chart: percent of breaches per year, 2010-2017, by threat action: Hacking, Malware, Misuse, Error, Social, Physical, Environmental]
Source: Verizon's 2017 Data Breach Investigations Report
Cost of a Breach
• Fines
- HIPAA
- PCI
• Settlement and lawsuit costs
• Reputation
• Ability to capture new business
Average Cost of a Breach
• $3.62 million: Consolidated total cost of a breach
• $141 per record: Cost incurred per record of sensitive/confidential information
• $1.56 million in the U.S.: Post-data-breach response activities
PCI DSS Fines
Visa Non-Compliance Fines
Month     Level 1           Level 2
1 to 3    $10,000/month     $5,000/month
4 to 6    $50,000/month     $25,000/month
7+        $100,000/month    $50,000/month
Breach fines and resulting lawsuits are even higher in potential cost!
HIPAA Fines
• Category 1
- A violation that the CE (covered entity) was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules
- Minimum fine of $100 per violation, up to $50,000
• Category 2
- A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care
- Falls short of willful neglect of HIPAA Rules
- Minimum fine of $1,000 per violation, up to $50,000
HIPAA Fines
• Category 3
- A violation suffered as a direct result of willful neglect of HIPAA Rules
- Only in cases where an attempt has been made to correct the violation
- Minimum fine of $10,000 per violation, up to $50,000
• Category 4
- A violation of HIPAA Rules constituting willful neglect
- No attempt has been made to correct the violation
- Minimum fine of $50,000 per violation
Anthem
Breach Fallout:
• 78.8 million affected users
• Largest healthcare data breach ever reported
• Accessed information may have included:
- Names
- Dates of birth
- Social Security numbers
- Health care ID numbers
- Home addresses
- Email addresses
- Work information, such as income data
• Previously fined $1.7 million for data security failures by OCR in 2009
• Pending fines, settlements and other costs
Target
Breach Fallout:
• Fines
- PCI Council could fine Target between $400 million and $1.1 billion
• Settlement Cost
- $10 million from users
- Additional settlements pending
• Class-Action Lawsuit
- $5 million in damages pending
• Loss in credibility/business
- After Target's data breach, sales fell by 46%, a loss of more than $200 million in profits
Breached by A-LIGN
• Scenario 1
- A-LIGN's penetration testing team posed as an internal IT group
- A survey was sent to a group of employees
- Followed up with a phone call
Breached by A-LIGN
• Scenario 2
- Penetration testing team posed as the HR department and an email was sent to the IT staff
- They were asked to log in and update HR information
- Goal was only to get them to click the link within the email
Breached by A-LIGN
• Scenario 1
- 100 total targets
- 42 survey visits
- 9 credentials gathered
- 6 opt outs
• Scenario 2
- 8 total targets
- 6 visits
- No credentials
[Chart: Scenario #1 Email Engagement - Credentials Captured, Opt-out, Link Followed, No Action]
[Chart: Scenario #2 Email Engagement - Link Followed, No Action]
Why is This Happening?
• No written and/or implemented information security policy
• Not compliant with applicable standards
• No recent assessments/penetration tests
• Not improving information security
Solutions
• Improve policies and procedures
• Restrict access with proper authorization and access controls
• Improve third-party vendor management
• Design and follow an incident response program
• Perform compliance audits and penetration testing
• Provide employee education and security training
Breach Prevention
• Data breaches can never be fully prevented, but preparation can help your organization
- Recurring/scheduled security tests
- Enforcement of strong security policies
- Training of employees
Compliance Audits and Penetration Testing
• Be in compliance with the necessary standards
• Understand the potential risks to your organization
• Cyber risk & privacy, compliance and security audits available:
- SOC 1, SOC 2, SOC for Cybersecurity
- HIPAA, HITRUST
- PCI DSS
- FISMA, FedRAMP
- Penetration Testing
- ISO 27001
- CFPB
- GDPR
Summary/Questions
888.702.5446 | www.A-LIGN.com | info@a-lign.com
A-LIGN Can Help
● A-LIGN is a leading information security audit firm focused on security, privacy and compliance frameworks including:
- SOC 1 Examinations, SOC 2 / AT-C 105 and 205 Examinations, SOC for Cybersecurity Examinations, Penetration Testing, ISAE 3402, HITRUST, FFIEC Cybersecurity Assessment Services, FedRAMP Assessment, FISMA Assessment, ISO 27001 Certification and more
● A Public Company Accounting Oversight Board (PCAOB) registered auditor
● Enrolled in the American Institute of CPAs' (AICPA) Peer Review Program
[Logos: PCI Security Standards Council Qualified Security Assessor; HITRUST Authorized CSF Assessor; ANAB Accredited Management Systems Certification Body]
Sources
● http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
● http://www.esecurityplanet.com/network-security/all-time-high-of-1093-data-breaches-reported-in-u.s.-in-2016.html
● https://www.nytimes.com/2014/02/27/business/target-reports-on-fourth-quarter-earnings.html?_r=0
● http://thehill.com/policy/cybersecurity/316034-united-states-leads-world-in-data-breaches
● http://www-03.ibm.com/security/data-breach/
● http://www.experian.com/assets/data-breach/white-papers/2017-experian-data-breach-industry-forecast.pdf
● https:e.html
● https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
● https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
● http://www.darkreading.com/risk/compliance/target-pci-auditor-trustwave-sued-by-banks/d/d-id/1127936
● https://fas.org/sgp/crs/misc/R43496.pdf