Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Scammed: Defend Against Social Engineering

55 views

Published on

Do you know how to identify and respond to cyberattacks? As the size, severity and frequency of hacks continues to grow, A-LIGN President Gene Geiger looks to assist organizations in managing and minimizing the risk of cyberattacks. This presentation will evaluate different security trends and risks, review a client environment and account compromise through social engineering, and provide practical advice on how to avert your organization from becoming compromised. As hackers become increasingly savvy at accessing accounts and sensitive information, this session will help your organization build a security foundation to avoid becoming another target.
This presentation reviews the current data breach landscape, reviewing examples of real-world breaches; security trends and risks, including the consequences of a data breach; a case study of a social engineering attack; Actionable prevention tips and IT audits to secure your organization

Published in: Data & Analytics
  • Be the first to comment

  • Be the first to like this

Scammed: Defend Against Social Engineering

  1. 1. Scammed: Defend Against Social Engineering
  2. 2. Presenter • Co-founder and President at A-LIGN, leading the firm’s service delivery function of all audits • Professional designations: – CPA – CCSK – CISSP – PCIP – QSA – ISO 27001, ISO 9001, and ISO 22301 Lead Auditor – HITRUST CCSFP Gene Geiger President at A-LIGN WWW.A-LIGN.COM | ©2018
  3. 3. Agenda • The Cybersecurity Landscape • Security Trends and Risks • Real World Breaches • Case Study of a Social Engineering Attack • Breach Prevention Solutions • Q&A Session WWW.A-LIGN.COM | ©2018
  4. 4. THE CYBERSECURITY LANDSCAPE
  5. 5. Data Breach vs. Data Incident WWW.A-LIGN.COM | ©2018 A data incident is a security event that compromises the integrity, confidentiality, or availability of an information asset A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual not authorized to do so Data breaches may involve: • PCI – Payment card information • PHI - Personal health information • PII - Personally identifiable information • Trade secrets • Intellectual property
  6. 6. Recent Data Breaches • Yahoo • >1 billion affected users • Equifax • >140 million affected users • LinkedIn • 117 million affected users • Facebook • 87 million affected users • Target • 70 million affected users • Uber • 57 million affected users • Internal Revenue Service (IRS) • 700,000 affected users WWW.A-LIGN.COM | ©2018
  7. 7. The Cybersecurity Landscape Source: Verizon’s 2017 Data Breach Investigations Report “No locale, industry or organization is bulletproof when it comes to the compromise of data.” -Verizon’s 2017 Data Breach Investigations Report WWW.A-LIGN.COM | ©2018
  8. 8. Data Breach Statistics WWW.A-LIGN.COM | ©2018 Source: Verizon’s 2017 Data Breach Investigations Report
  9. 9. SECURITY TRENDS AND RISKS
  10. 10. Security Trends WWW.A-LIGN.COM | ©2018
  11. 11. Security Trends WWW.A-LIGN.COM | ©2018
  12. 12. Cost of a Breach • Fines –HIPAA –PCI • Settlement and lawsuit costs • Reputation • Ability to capture new Business WWW.A-LIGN.COM | ©2018
  13. 13. Average Cost of a Breach • $3.62 million: Consolidated total cost of a breach • $141/per record: Cost incurred per record of sensitive/confidential information • $1.56 million in U.S.: Post data breach response activities WWW.A-LIGN.COM | ©2018
  14. 14. PCI DSS Fines Breach fines and resulting lawsuits are even higher in potential cost! Visa Noncompliance Fines Month Level 1 Level 2 1 to 3 $10,000/month $5,000/month 4 to 6 $50,000/month $25,000/month 7+ $100,000/month $50,000/month WWW.A-LIGN.COM | ©2018
  15. 15. HIPAA Fines • Category 1 – A violation that the CE was unaware of and could not have realistically avoided – Had a reasonable amount of care had been taken to abide by HIPAA Rules – Minimum fine of $100 per violation up to $50,000 • Category 2 – A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care – Falls short of willful neglect of HIPAA Rules – Minimum fine of $1,000 per violation up to $50,000 WWW.A-LIGN.COM | ©2018
  16. 16. HIPAA Fines • Category 3 – A violation suffered as a direct result of willful neglect of HIPAA Rules – Only in cases where an attempt has been made to correct the violation – Minimum fine of $10,000 per violation up to $50,000 • Category 4 – A violation of HIPAA Rules constituting willful neglect – No attempt has been made to correct the violation – Minimum fine of $50,000 per violation WWW.A-LIGN.COM | ©2018
  17. 17. Breach Fallout: • 78.8 million affected users • Largest healthcare data breach ever reported • Accessed information may have included: – Names – Dates of birth – Social Security numbers – Health care ID numbers – Home addresses – Email addresses – Work information like income data • Previously fined $1.7 million for data security failures by OCR in 2009 • Pending fines, settlements, other costs WWW.A-LIGN.COM | ©2018
  18. 18. Breach Fallout: • Fines – PCI Council could fine Target between $400 million and $1.1 billion • Settlement Cost – $10 million from users – Additional settlements pending • Class-Action Lawsuit – $5 million in damages pending • Loss in credibility/business – After Target’s data breach, sales fell by 46% loss of more than $200 million in profits WWW.A-LIGN.COM | ©2018
  19. 19. REAL WORLD BREACHES
  20. 20. Breached by A-LIGN • Scenario 1 – A-LIGN’s penetration testing team posed as an internal IT group – A survey was sent to a group of employees – Follow up with phone call WWW.A-LIGN.COM | ©2018
  21. 21. Breached by A-LIGN Survey sent to employees in scenario 1 WWW.A-LIGN.COM | ©2018
  22. 22. Breached by A-LIGN • Scenario 2 – Penetration testing team posed as the HR department and an email was sent to the IT staff – They were asked to login and update HR information – Goal was to get them to click the link within the email only WWW.A-LIGN.COM | ©2018
  23. 23. Breached by A-LIGN • Scenario 1 – 100 total targets – 42 survey visits – 9 credentials gathered – 6 opt outs • Scenario 2 – 8 total targets – 6 visits – No credentials Scenario #1 Email Engagement Credentials Captured Opt-out Link Followed No Action Scenario #2 Email Engagement Link Followed No Action WWW.A-LIGN.COM | ©2018
  24. 24. Why is This Happening? • No written and/or implemented information security policy • Not complied with applicable standards • No recent assessments/penetration tests • Not improving information security WWW.A-LIGN.COM | ©2018
  25. 25. BREACH PREVENTION SOLUTIONS
  26. 26. Solutions • Improving policies and procedures • Restrict access with proper authorization and access controls • Improve third-party vendor management • Design and follow an incident response program • Compliance audits and penetration testing • Employee education and security training WWW.A-LIGN.COM | ©2018
  27. 27. Breach Prevention • Data breaches can never be fully prevented, but preparation can help your organization – Recurring/scheduled security tests – Enforcement of strong security policies – Training of employees WWW.A-LIGN.COM | ©2018
  28. 28. Compliance Audits and Penetration Testing • Be in compliance with the necessary standards • Understand potential risk of your organizations • Cyber risk & privacy, compliance and security audits available – SOC 1, SOC 2, SOC for Cybersecurity – HIPAA, HITRUST – PCI DSS – FISMA, FedRAMP – Penetration Testing – ISO 27001 – CFPB – GDPR WWW.A-LIGN.COM | ©2018
  29. 29. Summary/Questions 888.702.5446 | www.A-LIGN.com | info@a-lign.com WWW.A-LIGN.COM | ©2018
  30. 30. A-LIGN Can Help • A-LIGN is a leading information security audit firm focused on security, privacy and compliance frameworks including: – SOC 1 Examinations, SOC 2 / AT-C 105 and 205 Examinations, SOC for Cybersecurity Examinations, Penetration Testing, ISAE 3402, HITRUST, FFIEC Cybersecurity Assessment Services, FedRAMP Assessment, FISMA Assessment, ISO 27001 Certification and more • A Public Company Accounting Oversight Board (PCAOB) registered auditor • Enrolled in the American Institute of CPAs’ (AICPA) Peer Review Program WWW.A-LIGN.COM | ©2018
  31. 31. Sources • http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/ • http://www.esecurityplanet.com/network-security/all-time-high-of-1093-data-breaches-reported-in- u.s.-in-2016.html • https://www.nytimes.com/2014/02/27/business/target-reports-on-fourth-quarter-earnings.html?_r=0 • http://thehill.com/policy/cybersecurity/316034-united-states-leads-world-in-data-breaches • http://www-03.ibm.com/security/data-breach/ • http://www.experian.com/assets/data-breach/white-papers/2017-experian-data-breach-industry- forecast.pdf • https://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enforcementfinalrule.html • https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration • https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet • http://www.darkreading.com/risk/compliance/target-pci-auditor-trustwave-sued-by-banks/d/d- id/1127936 • https://fas.org/sgp/crs/misc/R43496.pdf WWW.A-LIGN.COM | ©2018

×