Hacking the Human - How Secure Is Your Organization?
April 23, 2015
CBIZ MHM, LLC – Kansas City
Agenda
• Social Engineering
– Targets, Costs, Frequency
– Real Life Examples
– Mitigating Risks
– Internal Programs
• Data Security & Privacy Liability
– Cyber Liability
– Cyber Insurance
– Financial Impact
– Key Coverage Components
– Checklist for Assessing your Level of Cyber Risk
Social Engineering
The Art of Hacking the Human
What Is Social Engineering?
1) The clever manipulation of the natural human tendency to trust.
2) Manipulating people into willingly doing something, rather than breaking in using technical or brute-force means.
3) The act of manipulating a person to take an action that may or may not be in the target's best interest. ~ Chris Hadnagy
4) The art of intentionally manipulating behavior using specially crafted communication techniques. ~ Gavin Watson
Motivations for Social Engineering Attacks (percentage of respondents)
– Financial gain: 51%
– Access to proprietary information: 46%
– Competitive advantage: 40%
– Revenge or personal vendetta: 14%
– Other: 4%
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research
Social Engineering Targets
• Sensitive Personally Identifiable Information
• System usernames and passwords
• High-value assets
• Trade secrets and proprietary information
Typical Cost Per Social Engineering Incident (percentage of respondents)
Cost per incident        All companies    More than 5,000 employees
Less than $10,000        38%              32%
$10,000 - $25,000        14%              12%
$25,000 - $50,000        16%              13%
$50,000 - $100,000       13%              13%
More than $100,000       19%              30%
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research
Frequency of Social Engineering Attacks Over 2-year Period (percentage of respondents)
Number of attacks        All companies    More than 5,000 employees
Less than 5 times        32%              20%
5 - 24                   36%              32%
25 - 50                  20%              15%
More than 50 times       12%              33%
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research
An Attack In Action – Stories and Examples
• Dumpster diving
– Company directory and phone list with email addresses.
– Client sensitive personally identifiable information.
– Employee usernames and passwords to company systems.
– Company policies, procedures, systems, vendors.
– Strip-cut (vertically shredded) documents in a trash bag in the dumpster; the strips can be reassembled.
– Hand-torn documents in the trash in the dumpster.
An Attack In Action – Stories and Examples
• Email phishing
– Pretext: a new paid time off policy and tracking system.
– Obtain a look-alike web address for the company site.
– Create a mirror-image false website at that address.
– Use the employee directory recovered from the dumpster to email the link to the false website.
– Require the employee's Windows login to "gain access", which captures the credentials.
– Ask employees to update paid time off balances and requests.
• Provide a personal incentive to click the link.
Fake Web Address Example
Legitimate: https://www.principal.com/
Look-alike: https://www.princlpal.com/ (the second "i" in "principal" is replaced with a lowercase "l")
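The look-alike address above can be caught mechanically before a user ever sees it. The following Python check is an added example and is not part of the original presentation: it folds confusable characters to a common "skeleton" (so princlpal.com and principal.com compare equal), catches one-character typosquats by edit distance, and flags a trusted name buried in the subdomain of an attacker-controlled host. The TRUSTED_DOMAINS allow-list and the sample URLs are constructed, and cutting the "registrable domain" at the last two labels is a simplification of what the Public Suffix List would give.

```python
"""Flag look-alike hostnames such as princlpal.com (added example)."""
from __future__ import annotations

import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of domains this organization legitimately uses.
TRUSTED_DOMAINS = {"principal.com", "example-corp.com"}

# Confusable groups: every member folds to the first entry, so two labels
# that differ only by a swapped look-alike character get the same skeleton.
# Multi-character look-alikes are listed first so they fold before singles.
CONFUSABLE_GROUPS = [
    ("m", "rn"), ("w", "vv"),
    ("i", "l", "1", "|"), ("o", "0"), ("s", "5"), ("e", "3"),
    ("b", "8"), ("g", "9"), ("z", "2"), ("a", "4"),
]


def skeleton(label: str) -> str:
    """Canonical form of a hostname label for look-alike comparison."""
    folded = unicodedata.normalize("NFKD", label.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for group in CONFUSABLE_GROUPS:
        for variant in group[1:]:
            folded = folded.replace(variant, group[0])
    return folded


def registrable(host: str) -> str:
    """Last two labels of the host. A production check should consult the
    Public Suffix List so names like example.co.uk are cut correctly; the
    two-label cut here is a deliberate simplification (assumption)."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit from a trusted name is a classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted: set[str] = TRUSTED_DOMAINS) -> tuple[str, str | None]:
    """Return (verdict, trusted domain the host resembles or None)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid", None
    # The allow-list is plain ASCII, so any internationalized name is suspect.
    if any(ord(ch) > 127 for ch in host) or host.startswith("xn--") or ".xn--" in host:
        return "idn", None
    domain = registrable(host)
    if domain in trusted:
        return "trusted", domain
    for t in trusted:
        # Brand name buried in a subdomain of an attacker-controlled domain,
        # e.g. principal.com.account-verify.example
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "brand-in-subdomain", t
        if skeleton(domain) == skeleton(t):
            return "homoglyph", t
        if edit_distance(domain, t) <= 1:
            return "typosquat", t
    return "unknown", None


if __name__ == "__main__":
    for u in ("https://www.principal.com/",
              "https://www.princlpal.com/",
              "https://principa.com/reset",
              "https://principal.com.account-verify.example/login"):
        print(u, "->", classify_url(u))
```

Run the module directly to see the four verdicts. Anything other than "trusted" or "unknown" is worth holding in a mail filter or surfacing in a URL-rewriting proxy; "unknown" simply means the host resembles nothing on the allow-list and needs the usual reputation checks.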
An Attack In Action – Stories and Examples
• Pretexting, Baiting, and Piggy-backing
– Impersonate telecom, janitorial, security personnel, employees.
– Drop a CD or USB thumb drive with a creative label.
– Follow employees through secured doors.
– Develop rapport and a level of comfort.
Social Engineering Threats To Organizations (share of respondents)
– Lack of employee awareness: 56%
– Phishing: 21%
– Criminals: 12%
– Other: 6%
– Vishing: 5%
Source: 2014 Poll: Employees Clueless About Social Engineering, InformationWeek-Dark Reading
Risk of Falling for Social Engineering Attack (percentage of respondents)
– New employees: 60%
– Contractors: 44%
– Executive assistants: 38%
– Human resources: 33%
– Business leaders: 32%
– IT personnel: 23%
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research
Mitigating A Social Engineering Attack
Social engineering attacks cannot be prevented—only mitigated and deterred.
• Policies
– Employees are not allowed to divulge information.
– A clear policy gives employees a reason to refuse, so they cannot be socially pressured or tricked.
– Policies MUST be enforced to be effective.
• Training
– User awareness—the user knows that giving out information is harmful.
Mitigating A Social Engineering Attack
• Password management
• Physical security
• Network defenses may only temporarily repel attacks.
– Virus protection
– Email attachment scanning
– Firewalls, etc.
– Intrusion detection system (IDS) and intrusion prevention system (IPS)
– Encrypted data at rest
• Security must be tested and updated periodically.
Mitigating A Social Engineering Attack
• Social engineering testing
– IMPORTANT! This is strictly intended to be a learning tool for the organization—not a punishment for individual employees.
– Who should consider testing?
– Have the tester attempt to acquire information from employees using social engineering techniques.
• Attack strategically targeted areas of the organization.
– May include technical testing, for example whether malware and other abnormalities are detected.
– What a tester legally cannot do: the scope and rules of engagement must be agreed in writing before testing starts.
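One way to keep a social engineering test a learning tool rather than a punishment is to report results only by group, with small groups pooled so that no individual's click can be read off the report. The Python below is an added example, not part of the original presentation or of any CBIZ tool: the CSV column layout mirrors what a hypothetical phishing-simulation export might look like, the department names and the MIN_GROUP_SIZE threshold are assumptions, and every row is constructed.

```python
"""Aggregate phishing-simulation results by department, never by person.

Added example. The CSV layout is assumed, and every row is constructed data.
"""
import csv
import io
from collections import defaultdict

# Constructed export: one row per recipient of the simulated phish.
SAMPLE_CSV = """\
user_id,department,email_opened,link_clicked,credentials_entered,reported
u001,Finance,1,1,1,0
u002,Finance,1,1,0,0
u003,Finance,1,0,0,1
u004,Finance,0,0,0,0
u005,Finance,1,0,0,1
u006,HR,1,1,1,0
u007,HR,1,1,0,1
u008,HR,1,0,0,1
u009,HR,1,1,1,0
u010,HR,0,0,0,0
u011,IT,1,0,0,1
u012,IT,1,0,0,1
u013,IT,0,0,0,0
u014,IT,1,0,0,1
u015,IT,1,1,0,0
u016,Executive Office,1,1,1,0
u017,Executive Office,1,0,0,0
"""

# Departments with fewer members than this are pooled, so a single person's
# result can never be read off the report (assumed threshold).
MIN_GROUP_SIZE = 5
POOL_NAME = "Other (small groups)"


def _rates(members):
    """Click, credential-entry and report rates for one group of rows."""
    n = len(members)
    clicked = sum(int(m["link_clicked"]) for m in members)
    creds = sum(int(m["credentials_entered"]) for m in members)
    reported = sum(int(m["reported"]) for m in members)
    return {
        "headcount": n,
        "click_rate": round(clicked / n, 2),
        "credential_rate": round(creds / n, 2),
        "report_rate": round(reported / n, 2),
    }


def summarize(csv_text, min_group=MIN_GROUP_SIZE):
    """Per-department rates, with departments under min_group pooled."""
    by_dept = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_dept[row["department"]].append(row)

    pooled = defaultdict(list)
    for dept, members in by_dept.items():
        pooled[dept if len(members) >= min_group else POOL_NAME].extend(members)

    return {group: _rates(members) for group, members in pooled.items()}


def organization_rates(csv_text):
    """Whole-organization rates, the figure to track from one test to the next."""
    return _rates(list(csv.DictReader(io.StringIO(csv_text))))


def focus_order(report):
    """Groups ranked by where training effort pays off most: highest click
    rate first, ties broken by the lowest report rate."""
    return sorted(report, key=lambda g: (-report[g]["click_rate"], report[g]["report_rate"]))


if __name__ == "__main__":
    report = summarize(SAMPLE_CSV)
    for group, stats in report.items():
        print(f"{group:<22} n={stats['headcount']:<3} clicked={stats['click_rate']:.0%} "
              f"entered credentials={stats['credential_rate']:.0%} "
              f"reported={stats['report_rate']:.0%}")
    print("organization:", organization_rates(SAMPLE_CSV))
    print("focus training on:", focus_order(report))
```

The report rate matters as much as the click rate: a department that clicks but also reports quickly gives the security team a detection signal, whereas a department that neither clicks nor reports may simply not have opened the message. The two-person "Executive Office" disappears into the pooled bucket, which is the behavior you want when the results go to management.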
Develop Internal Programs
Information Security Program
The written plan created and implemented by the
organization to identify and control risks to information and
information systems and to properly dispose of information.
Security Awareness Program
Security awareness reflects an organization’s attitude
toward protecting the physical and intellectual assets of an
organization. This attitude guides the approach used to
protect those assets.
Summary
• When assessing the weakest link, the human factor is critical to protecting sensitive information and valuable assets.
• Social engineering testing is an effective and commonly used method of assessing the condition of the overall security culture.
• Good habits drive security culture, and no technology will ever make up for a poor security culture.
• Awareness programs, when properly executed, provide knowledge that instills behavior.
It is better to fail a test in a controlled environment than to be attacked without knowing how much information will be lost.
Data Security and Privacy Liability: Why Cyber Insurance is No Longer Optional!
Threat Matrix – Where Do We Start?
Threats to Cybersecurity are Decentralized and Diverse
Threats to cybersecurity:
– Spyware and malware
– Spammers
– Bot-net operators
– Nation states
– Phishers
– Business competitors
– Corporate espionage
– Terrorists
– Hackers
– Insiders
– Criminal groups
– Human error
Statistically Speaking
Why Worry?
The most vigilant network security and most comprehensive privacy policies remain vulnerable to hackers, rogue employees, social engineering and human error!
“Dave” is Responsible for 31% of all Losses
Causes of Loss (2013-14)
Why Cyber Insurance?
• The frequency of privacy breaches is on the rise
– 10% increase year over year
• Threats and vulnerabilities are getting dramatically worse.
• More than 47 states, including U.S. territories, have enacted privacy laws in response to the increased frequency of privacy breaches.
Why Cyber Insurance?
• Corporate governance requires that organizations address information technology risks.
• The plaintiffs' bar is becoming more active in pursuing class action litigation.
• Contracts may require cyber liability insurance.
• Cyber liability insurance can mitigate the financial impact on a company.
A "Not So Positive Trend"
In the past, small and midsize businesses (SMBs) may have been able to neglect network security with little consequence, but this is not the case today.
In Symantec's 2014 Internet Security Threat Report, SMBs (defined as having fewer than 250 employees) accounted for more than half of all targeted attacks (61%) in 2013, an 11 percentage point increase from the previous year.
You Are At Risk!
Financial Impact of a Security/Privacy Breach?
• Cost to defend and/or settle:
– Regulatory investigations.
– Unauthorized access or unauthorized use.
– Allegations that malicious code (such as viruses) caused harm to the data or computer systems of third parties.
– Allegations that an insured's computer system denied a third party the ability to conduct transactions.
– Litigation from customers or employees for identity theft.
Financial Impact of a Security/Privacy Breach?
• Cost to investigate and determine the cause of a security or privacy breach, including computer forensics.
• Cost to hire a public relations or crisis management firm to mitigate reputational harm.
• Cost for legal counsel related to privacy and notification laws.
Example: 2,500 records times $201 per record equals $502,500 just in notification costs!!
Key Coverage Components
The following are the essential coverages when putting together a comprehensive cyber liability policy…
Network Security Liability
• Provides liability coverage for damages and claim expenses arising out of an actual or alleged act, error or omission resulting in:
– The failure to prevent unauthorized access to or use of a system that results in:
• The destruction, deletion or corruption of electronic data;
• Theft or loss of data; or
• Denial of service attacks against Internet sites or computers.
Network Security Liability
• The inability of a third party, who is authorized to do so, to gain access to your system.
• The failure to prevent transmission of Malicious Code from your system to third-party computers and systems.
Privacy Liability and Privacy Regulatory Proceeding
• Provides liability coverage if an insured fails to protect electronic or non-electronic private or confidential information in their care, custody and control.
• Provides coverage for defense expenses, and in some cases penalties/fines, incurred from a regulatory proceeding resulting from a violation of a privacy law caused by a covered security breach.
Breach Response Expenses
• Covers crisis management, including credit monitoring services and public relations expenses incurred as a result of a security or privacy breach. Also pays the costs of notifying consumers as required by various state, federal or international laws or regulations.
Media Liability/Cyber Extortion/Business Interruption
• Covers the insured for Intellectual Property (copyright infringement, etc.) and Personal Injury (defamation, etc.) perils that result from an error or omission in content on their website. Multimedia coverage is also available.
• Provides coverage for expenses and/or losses incurred as the result of an extortion threat made against an insured.
• Provides coverage for business interruption loss and/or business restoration expense incurred by the insured as the direct result of a security breach that caused system failure.
Data Restoration and Professional Liability
• Pays the reasonable costs incurred by the insured, in excess of any normal operating costs, for the restoration of any data stored.
• Technology E&O and/or certain Miscellaneous Professional Liability exposures may be combined with the cyber coverage in one policy.
Gaining Traction
Data breach or cyber insurance policies are becoming a more important part of a company's preparedness plans.
In 2013, only 10% of respondents said their company purchases a policy. In 2014 the percentage more than doubled to 26%.
Final Thoughts
• Anyone who collects, stores (either on their own system, with a third-party vendor or in the cloud) and/or shares customer information (PII or PHI) has an exposure regardless of industry class or size.
• Size doesn't matter!
– "Targets of opportunity" are based on "ease of access" and the likelihood of a breach being detected.
• This, coupled with the probability of human error or unintended disclosure, can result in significant costs.
QUESTIONS?
Contact Information
Raja Paranjothi
CBIZ Business and Technology
Risk Services
913.234.1869
Kyle Konopasek
CBIZ Business and Technology
Risk Services
913.234.1020
Damian Caracciolo
CBIZ Risk & Consulting
443.472.8096