Advertisement
Check these out next
Scammed: Defend Against Social Engineering
May. 31, 2018•0 likes•143 views
1 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Data & Analytics
Do you know how to identify and respond to cyberattacks? As the size, severity and frequency of hacks continues to grow, A-LIGN President Gene Geiger looks to assist organizations in managing and minimizing the risk of cyberattacks. This presentation will evaluate different security trends and risks, review a client environment and account compromise through social engineering, and provide practical advice on how to avert your organization from becoming compromised. As hackers become increasingly savvy at accessing accounts and sensitive information, this session will help your organization build a security foundation to avoid becoming another target. This presentation reviews the current data breach landscape, reviewing examples of real-world breaches; security trends and risks, including the consequences of a data breach; a case study of a social engineering attack; Actionable prevention tips and IT audits to secure your organization
Resolver Inc.Follow
Resolver Inc.Advertisement
Advertisement
Advertisement
Recommended
An Intro to Resolver's InfoSec Application (RiskVision)Resolver Inc.
Keeping Your Data CleanResolver Inc.
Data Driven Risk AssessmentResolver Inc.
Crown jewels risk assessment - Cost-effective risk identificationPriyanka Aash
The Measure of Success: Security Metrics to Tell Your StoryPriyanka Aash
5 Steps to Securing Your Company's Crown JewelsIBM Security
Scammed: Defend Against Social Engineering
- Scammed: Defend Against Social Engineering
- Presenter • Co-founder and President at A-LIGN, leading the firm’s service delivery function of all audits • Professional designations: – CPA – CCSK – CISSP – PCIP – QSA – ISO 27001, ISO 9001, and ISO 22301 Lead Auditor – HITRUST CCSFP Gene Geiger President at A-LIGN WWW.A-LIGN.COM | ©2018
- Agenda • The Cybersecurity Landscape • Security Trends and Risks • Real World Breaches • Case Study of a Social Engineering Attack • Breach Prevention Solutions • Q&A Session WWW.A-LIGN.COM | ©2018
- THE CYBERSECURITY LANDSCAPE
- Data Breach vs. Data Incident WWW.A-LIGN.COM | ©2018 A data incident is a security event that compromises the integrity, confidentiality, or availability of an information asset A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual not authorized to do so Data breaches may involve: • PCI – Payment card information • PHI - Personal health information • PII - Personally identifiable information • Trade secrets • Intellectual property
- Recent Data Breaches • Yahoo • >1 billion affected users • Equifax • >140 million affected users • LinkedIn • 117 million affected users • Facebook • 87 million affected users • Target • 70 million affected users • Uber • 57 million affected users • Internal Revenue Service (IRS) • 700,000 affected users WWW.A-LIGN.COM | ©2018
- The Cybersecurity Landscape Source: Verizon’s 2017 Data Breach Investigations Report “No locale, industry or organization is bulletproof when it comes to the compromise of data.” -Verizon’s 2017 Data Breach Investigations Report WWW.A-LIGN.COM | ©2018
- Data Breach Statistics WWW.A-LIGN.COM | ©2018 Source: Verizon’s 2017 Data Breach Investigations Report
- SECURITY TRENDS AND RISKS
- Security Trends WWW.A-LIGN.COM | ©2018
- Security Trends WWW.A-LIGN.COM | ©2018
- Cost of a Breach • Fines –HIPAA –PCI • Settlement and lawsuit costs • Reputation • Ability to capture new Business WWW.A-LIGN.COM | ©2018
- Average Cost of a Breach • $3.62 million: Consolidated total cost of a breach • $141/per record: Cost incurred per record of sensitive/confidential information • $1.56 million in U.S.: Post data breach response activities WWW.A-LIGN.COM | ©2018
- PCI DSS Fines Breach fines and resulting lawsuits are even higher in potential cost! Visa Noncompliance Fines Month Level 1 Level 2 1 to 3 $10,000/month $5,000/month 4 to 6 $50,000/month $25,000/month 7+ $100,000/month $50,000/month WWW.A-LIGN.COM | ©2018
- HIPAA Fines • Category 1 – A violation that the CE was unaware of and could not have realistically avoided – Had a reasonable amount of care had been taken to abide by HIPAA Rules – Minimum fine of $100 per violation up to $50,000 • Category 2 – A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care – Falls short of willful neglect of HIPAA Rules – Minimum fine of $1,000 per violation up to $50,000 WWW.A-LIGN.COM | ©2018
- HIPAA Fines • Category 3 – A violation suffered as a direct result of willful neglect of HIPAA Rules – Only in cases where an attempt has been made to correct the violation – Minimum fine of $10,000 per violation up to $50,000 • Category 4 – A violation of HIPAA Rules constituting willful neglect – No attempt has been made to correct the violation – Minimum fine of $50,000 per violation WWW.A-LIGN.COM | ©2018
- Breach Fallout: • 78.8 million affected users • Largest healthcare data breach ever reported • Accessed information may have included: – Names – Dates of birth – Social Security numbers – Health care ID numbers – Home addresses – Email addresses – Work information like income data • Previously fined $1.7 million for data security failures by OCR in 2009 • Pending fines, settlements, other costs WWW.A-LIGN.COM | ©2018
- Breach Fallout: • Fines – PCI Council could fine Target between $400 million and $1.1 billion • Settlement Cost – $10 million from users – Additional settlements pending • Class-Action Lawsuit – $5 million in damages pending • Loss in credibility/business – After Target’s data breach, sales fell by 46% loss of more than $200 million in profits WWW.A-LIGN.COM | ©2018
- REAL WORLD BREACHES
- Breached by A-LIGN • Scenario 1 – A-LIGN’s penetration testing team posed as an internal IT group – A survey was sent to a group of employees – Follow up with phone call WWW.A-LIGN.COM | ©2018
- Breached by A-LIGN Survey sent to employees in scenario 1 WWW.A-LIGN.COM | ©2018
- Breached by A-LIGN • Scenario 2 – Penetration testing team posed as the HR department and an email was sent to the IT staff – They were asked to login and update HR information – Goal was to get them to click the link within the email only WWW.A-LIGN.COM | ©2018
- Breached by A-LIGN • Scenario 1 – 100 total targets – 42 survey visits – 9 credentials gathered – 6 opt outs • Scenario 2 – 8 total targets – 6 visits – No credentials Scenario #1 Email Engagement Credentials Captured Opt-out Link Followed No Action Scenario #2 Email Engagement Link Followed No Action WWW.A-LIGN.COM | ©2018
- Why is This Happening? • No written and/or implemented information security policy • Not complied with applicable standards • No recent assessments/penetration tests • Not improving information security WWW.A-LIGN.COM | ©2018
- BREACH PREVENTION SOLUTIONS
- Solutions • Improving policies and procedures • Restrict access with proper authorization and access controls • Improve third-party vendor management • Design and follow an incident response program • Compliance audits and penetration testing • Employee education and security training WWW.A-LIGN.COM | ©2018
- Breach Prevention • Data breaches can never be fully prevented, but preparation can help your organization – Recurring/scheduled security tests – Enforcement of strong security policies – Training of employees WWW.A-LIGN.COM | ©2018
- Compliance Audits and Penetration Testing • Be in compliance with the necessary standards • Understand potential risk of your organizations • Cyber risk & privacy, compliance and security audits available – SOC 1, SOC 2, SOC for Cybersecurity – HIPAA, HITRUST – PCI DSS – FISMA, FedRAMP – Penetration Testing – ISO 27001 – CFPB – GDPR WWW.A-LIGN.COM | ©2018
- Summary/Questions 888.702.5446 | www.A-LIGN.com | info@a-lign.com WWW.A-LIGN.COM | ©2018
- A-LIGN Can Help • A-LIGN is a leading information security audit firm focused on security, privacy and compliance frameworks including: – SOC 1 Examinations, SOC 2 / AT-C 105 and 205 Examinations, SOC for Cybersecurity Examinations, Penetration Testing, ISAE 3402, HITRUST, FFIEC Cybersecurity Assessment Services, FedRAMP Assessment, FISMA Assessment, ISO 27001 Certification and more • A Public Company Accounting Oversight Board (PCAOB) registered auditor • Enrolled in the American Institute of CPAs’ (AICPA) Peer Review Program WWW.A-LIGN.COM | ©2018
- Sources • http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/ • http://www.esecurityplanet.com/network-security/all-time-high-of-1093-data-breaches-reported-in- u.s.-in-2016.html • https://www.nytimes.com/2014/02/27/business/target-reports-on-fourth-quarter-earnings.html?_r=0 • http://thehill.com/policy/cybersecurity/316034-united-states-leads-world-in-data-breaches • http://www-03.ibm.com/security/data-breach/ • http://www.experian.com/assets/data-breach/white-papers/2017-experian-data-breach-industry- forecast.pdf • https://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enforcementfinalrule.html • https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration • https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet • http://www.darkreading.com/risk/compliance/target-pci-auditor-trustwave-sued-by-banks/d/d- id/1127936 • https://fas.org/sgp/crs/misc/R43496.pdf WWW.A-LIGN.COM | ©2018
Advertisement