Scammed: Defend Against Social Engineering


description

Do you know how to identify and respond to cyberattacks? As the size, severity and frequency of hacks continue to grow, A-LIGN President Gene Geiger looks to assist organizations in managing and minimizing the risk of cyberattacks. This presentation evaluates current security trends and risks, reviews a client environment and account compromise carried out through social engineering, and provides practical advice on how to prevent your organization from becoming compromised. As hackers become increasingly savvy at accessing accounts and sensitive information, this session will help your organization build a security foundation to avoid becoming another target. The presentation covers: the current data breach landscape, with examples of real-world breaches; security trends and risks, including the consequences of a data breach; a case study of a social engineering attack; and actionable prevention tips and IT audits to secure your organization.

Transcript of Scammed: Defend Against Social Engineering

  • Presenter

    Gene Geiger, President at A-LIGN

    • Co-founder and President at A-LIGN, leading the firm's service delivery function for all audits
    • Professional designations:
      - CPA
      - CCSK
      - CISSP
      - PCIP
      - QSA
      - ISO 27001, ISO 9001, and ISO 22301 Lead Auditor
      - HITRUST CCSFP

    WWW.A-LIGN.COM | ©2018

    http://www.a-lign.com/

  • Agenda

    • The Cybersecurity Landscape
    • Security Trends and Risks
    • Real World Breaches
    • Case Study of a Social Engineering Attack
    • Breach Prevention Solutions
    • Q&A Session

  • Data Breach vs. Data Incident

    A data incident is a security event that compromises the integrity, confidentiality, or availability of an information asset.

    A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual not authorized to do so.

    Data breaches may involve:

    • PCI - Payment card information
    • PHI - Personal health information
    • PII - Personally identifiable information
    • Trade secrets
    • Intellectual property

  • Recent Data Breaches

    • Yahoo: >1 billion affected users
    • Equifax: >140 million affected users
    • LinkedIn: 117 million affected users
    • Facebook: 87 million affected users
    • Target: 70 million affected users
    • Uber: 57 million affected users
    • Internal Revenue Service (IRS): 700,000 affected users

  • The Cybersecurity Landscape

    “No locale, industry or organization is bulletproof when it comes to the compromise of data.”

    - Verizon's 2017 Data Breach Investigations Report

    [Chart: breach threat-action categories over time, 2010-2017 (Hacking, Malware, Social, Error, Misuse, Physical, Environmental); y-axis 0% to 60%. Source: Verizon's 2017 Data Breach Investigations Report]


  • Cost of a Breach

    • Fines
      - HIPAA
      - PCI
    • Settlement and lawsuit costs
    • Reputation
    • Ability to capture new business

  • Average Cost of a Breach

    • $3.62 million: Consolidated total cost of a breach
    • $141 per record: Cost incurred per record of sensitive/confidential information
    • $1.56 million in the U.S.: Post data breach response activities

  • PCI DSS Fines

    Visa Non-Compliance Fines

    Month     Level 1          Level 2
    1 to 3    $10,000/month    $5,000/month
    4 to 6    $50,000/month    $25,000/month
    7+        $100,000/month   $50,000/month

    Breach fines and resulting lawsuits are even higher in potential cost!

  • HIPAA Fines

    • Category 1
      - A violation that the CE was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules
      - Minimum fine of $100 per violation up to $50,000
    • Category 2
      - A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care
      - Falls short of willful neglect of HIPAA Rules
      - Minimum fine of $1,000 per violation up to $50,000

  • HIPAA Fines

    • Category 3
      - A violation suffered as a direct result of willful neglect of HIPAA Rules
      - Only in cases where an attempt has been made to correct the violation
      - Minimum fine of $10,000 per violation up to $50,000
    • Category 4
      - A violation of HIPAA Rules constituting willful neglect
      - No attempt has been made to correct the violation
      - Minimum fine of $50,000 per violation

  • Breach Fallout: Anthem

    • 78.8 million affected users
    • Largest healthcare data breach ever reported
    • Accessed information may have included:
      - Names
      - Dates of birth
      - Social Security numbers
      - Health care ID numbers
      - Home addresses
      - Email addresses
      - Work information like income data
    • Previously fined $1.7 million for data security failures by OCR in 2009
    • Pending fines, settlements, other costs

  • Breach Fallout: Target

    • Fines
      - PCI Council could fine Target between $400 million and $1.1 billion
    • Settlement cost
      - $10 million from users
      - Additional settlements pending
    • Class-action lawsuit
      - $5 million in damages pending
    • Loss in credibility/business
      - After Target's data breach, sales fell by 46%, a loss of more than $200 million in profits

  • Breached by A-LIGN

    • Scenario 1
      - A-LIGN's penetration testing team posed as an internal IT group
      - A survey was sent to a group of employees
      - Followed up with a phone call

  • Breached by A-LIGN

    • Scenario 2
      - Penetration testing team posed as the HR department and an email was sent to the IT staff
      - They were asked to log in and update HR information
      - Goal was only to get them to click the link within the email

  • Breached by A-LIGN

    • Scenario 1
      - 100 total targets
      - 42 survey visits
      - 9 credentials gathered
      - 6 opt-outs
    • Scenario 2
      - 8 total targets
      - 6 visits
      - No credentials

    [Chart: Scenario #1 Email Engagement - Credentials Captured / Opt-out / Link Followed / No Action]

    [Chart: Scenario #2 Email Engagement - Link Followed / No Action]

  • Why is This Happening?

    • No written and/or implemented information security policy
    • Not compliant with applicable standards
    • No recent assessments/penetration tests
    • Not improving information security

  • Solutions

    • Improving policies and procedures
    • Restrict access with proper authorization and access controls
    • Improve third-party vendor management
    • Design and follow an incident response program
    • Compliance audits and penetration testing
    • Employee education and security training

  • Breach Prevention

    • Data breaches can never be fully prevented, but preparation can help your organization
      - Recurring/scheduled security tests
      - Enforcement of strong security policies
      - Training of employees

  • Compliance Audits and Penetration Testing

    • Be in compliance with the necessary standards
    • Understand the potential risks to your organization
    • Cyber risk & privacy, compliance and security audits available
      - SOC 1, SOC 2, SOC for Cybersecurity
      - HIPAA, HITRUST
      - PCI DSS
      - FISMA, FedRAMP
      - Penetration Testing
      - ISO 27001
      - CFPB
      - GDPR

  • Summary/Questions

    888.702.5446 | www.A-LIGN.com | [email protected]

  • A-LIGN Can Help

    [Logos: HITRUST Authorized CSF Assessor; PCI Security Standards Council Qualified Security Assessor; ANAB Accredited Management Systems Certification Body]

    ● A-LIGN is a leading information security audit firm focused on security, privacy and compliance frameworks including:
      - SOC 1 Examinations, SOC 2 / AT-C 105 and 205 Examinations, SOC for Cybersecurity Examinations, Penetration Testing, ISAE 3402, HITRUST, FFIEC Cybersecurity Assessment Services, FedRAMP Assessment, FISMA Assessment, ISO 27001 Certification and more
    ● A Public Company Accounting Oversight Board (PCAOB) registered auditor
    ● Enrolled in the American Institute of CPAs' (AICPA) Peer Review Program

  • Sources

    ● http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
    ● http://www.esecurityplanet.com/network-security/all-time-high-of-1093-data-breaches-reported-in-u.s.-in-2016.html
    ● https://www.nytimes.com/2014/02/27/business/target-reports-on-fourth-quarter-earnings.html?_r=0
    ● http://thehill.com/policy/cybersecurity/316034-united-states-leads-world-in-data-breaches
    ● http://www-03.ibm.com/security/data-breach/
    ● http://www.experian.com/assets/data-breach/white-papers/2017-experian-data-breach-industry-forecast.pdf
    ● https://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enforcementfinalrule.html
    ● https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
    ● https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
    ● http://www.darkreading.com/risk/compliance/target-pci-auditor-trustwave-sued-by-banks/d/d-id/1127936
    ● https://fas.org/sgp/crs/misc/R43496.pdf