This presentation covers:
Social Engineering
Targets, Costs, Frequency
Real Life Examples
Mitigating Risks
Internal Programs
Data Security & Privacy Liability
Cyber Liability
Cyber Insurance
Financial Impact
Key Coverage Components
Checklist for Assessing your Level of Cyber Risk
4. 1) The clever manipulation of the natural human tendency to trust.
2) Manipulating people into willingly doing something rather than by
breaking in using technical or brute force means.
3) The act of manipulating a person to take an action that may or may
not be in the target’s best interest. ~ Chris Hadnagy
4) The art of intentionally manipulating behavior using specially
crafted communication techniques. ~ Gavin Watson
What Is Social Engineering?
5. Bar chart (percent of survey respondents citing each motivation):
Financial gain: 51%
Access to proprietary information: 46%
Competitive advantage: 40%
Revenge or personal vendetta: 14%
Other: 4%
Motivations for Social Engineering Attacks
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research
6. • Sensitive Personally Identifiable Information
• System usernames and passwords
• High-value assets
• Trade secrets and proprietary information
Social Engineering Targets
7. Bar chart (percent of respondents, all companies vs. companies with more than 5,000 employees):
Less than $10,000: all companies 38%, more than 5,000 employees 32%
$10,000 - $25,000: all companies 14%, more than 5,000 employees 12%
$25,000 - $50,000: all companies 16%, more than 5,000 employees 13%
$50,000 - $100,000: all companies 13%, more than 5,000 employees 13%
More than $100,000: all companies 19%, more than 5,000 employees 30%
Typical Cost Per Social Engineering Incident
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research
8. Bar chart (percent of respondents, all companies vs. companies with more than 5,000 employees):
Less than 5 times: all companies 32%, more than 5,000 employees 20%
5 - 24 times: all companies 36%, more than 5,000 employees 32%
25 - 50 times: all companies 20%, more than 5,000 employees 15%
More than 50 times: all companies 12%, more than 5,000 employees 33%
Frequency of Social Engineering Attacks
Over 2-year Period
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research
9. • Dumpster diving
– Company directory and phone list with email addresses.
– Client sensitive personally identifiable information.
– Employee usernames and passwords to company systems.
– Company policies, procedures, systems, vendors.
– Vertical cut shred in trash bag in dumpster.
– Hand torn documents in trash in dumpster.
An Attack In Action – Stories and Examples
10. • Email phishing
– New paid time off policy and tracking system.
– Obtain false website address
– Create a mirror image false website.
– Use employee directory from dumpster to email false link to website.
– Require Windows login to gain access.
– Ask employees to update paid time off balances and requests.
• Provide personal incentive to click the link.
An Attack In Action – Stories and Examples
12. • Pretexting, Baiting, and Piggy-backing
– Impersonate telecom, janitorial, security personnel, employees.
– Drop a CD or USB thumb drive with a creative label.
– Follow employees through secured doors.
– Develop rapport and level of comfort.
An Attack In Action – Stories and Examples
14. Bar chart (percent of respondents rating each group as high risk):
New employees: 60%
Contractors: 44%
Executive assistants: 38%
Human resources: 33%
Business leaders: 32%
IT personnel: 23%
Risk of Falling for Social Engineering Attack
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research
15. Social engineering attacks cannot be prevented—only
mitigated and deterred.
• Policies
– Employees are not allowed to divulge information.
– Prevents employees from being socially pressured or tricked.
– Policies MUST be enforced to be effective.
• Training
– User awareness—user knows giving out information is bad.
Mitigating A Social Engineering Attack
16. • Password management
• Physical security
• Network defenses may only temporarily repel attacks.
– Virus protection
– Email attachment scanning
– Firewalls, etc.
– Intrusion detection system and intrusion protection system
– Encrypted data at rest
• Security must be tested and updated periodically.
Mitigating A Social Engineering Attack
17. • Social engineering testing
– IMPORTANT! This is strictly intended to be a learning tool for the
organization—not a punishment for individual employees.
– Who should consider testing?
– Have the tester attempt to acquire information from employees
using social engineering techniques.
• Attack strategically targeted areas of the organization.
– May include technical testing of malware and other abnormalities.
– What a tester legally cannot do.
Mitigating A Social Engineering Attack
18. Develop Internal Programs
Information Security Program
The written plan created and implemented by the
organization to identify and control risks to information and
information systems and to properly dispose of information.
Security Awareness Program
Security awareness reflects an organization’s attitude
toward protecting the physical and intellectual assets of an
organization. This attitude guides the approach used to
protect those assets.
19. • When assessing the weakest link, the human factor is critical to
protecting sensitive information and valuable assets.
• Social engineering testing is an effective method commonly used to
assess the condition of the overall security culture.
• Good habits drive security culture and there are no technologies that
will ever make up for poor security culture.
• Awareness programs, when properly executed, provide knowledge
that instills behavior.
It is better to fail a test in a controlled environment than to be
attacked without knowing how much information will be lost.
Summary
21. Threat Matrix – Where Do We Start?
Threats to Cybersecurity are Decentralized and Diverse
Diagram of threat sources surrounding "Threats to Cybersecurity": Spy and Malware, Spammers, Bot-net Operators, Nation, Phisher, Business competitors, Corporate Espionage, Terrorist, Hacker, Insider, Criminal Groups, Human Error.
23. Why Worry?
The most vigilant network security and most
comprehensive privacy policies remain
vulnerable to hackers, rogue employees, social
engineering and human error!
26. • The frequency of privacy breaches is on the rise
– 10% increase year over year
• Threats and vulnerabilities are getting dramatically worse.
• More than 47 states, including U.S. territories, have
enacted privacy laws in response to the increased
frequency of privacy breaches.
Why Cyber Insurance?
27. • Corporate governance requires that organizations address
information technology risks.
• The plaintiffs’ bar is becoming more active in pursuing class
action litigation.
• Contracts may require cyber liability insurance.
• Cyber liability insurance can mitigate the financial impact
on a company.
Why Cyber Insurance?
28. In the past, small businesses (SMBs) may have been able to
neglect network security with little consequence, but this is
not the case today.
In Symantec’s 2014 Internet Security Threat Report they
found SMBs (defined as having fewer than 250 employees)
accounted for more than half of all targeted attacks (61%) in
2013. This was an 11 percentage point increase from the
previous year.
A “Not So Positive Trend”
30. • Cost to defend and/or settle:
– Regulatory investigations.
– Unauthorized access or unauthorized use.
– Allegations that malicious code (such as viruses) caused harm to
the data or computer systems of third parties.
– Allegations that an insured’s computer system denied a third party
the ability to conduct transactions.
– Litigation from customers or employees for identity theft.
Financial Impact of a Security/Privacy Breach?
31. • Cost to investigate and determine the cause of a security
or privacy breach, including computer forensics.
• Cost to hire a public relations or crisis management firm
to mitigate against reputational harm.
• Cost for legal counsel related to privacy and notification
laws.
Financial Impact of a Security/Privacy Breach?
Example: 2,500 records times $201 equals $502,500
just in notification costs!!
32. Key Coverage Components
The following are the essential coverages
when putting together a comprehensive
cyber liability policy…
33. • Provides liability coverage for damages and claim
expenses arising out of an actual or alleged act, error or
omission resulting in:
– The failure to prevent unauthorized access to or use of a system that
results in:
• The destruction, deletion or corruption of electronic data;
• Theft or loss of data; or
• Denial of service attacks against Internet sites or computers.
Network Security Liability
34. • The inability of a third party, who is authorized to do so, to
gain access to your system.
• The failure to prevent transmission of Malicious Code
from your system to third-party computers and systems.
Network Security Liability
35. • Provides liability coverage if an insured fails to protect
electronic or non-electronic private or confidential
information in their care, custody and control.
• Provides coverage for defense expenses, and in some
cases penalties/fines, incurred from a regulatory
proceeding resulting from a violation of a privacy law
caused by a covered security breach.
Privacy Liability and Privacy Regulatory Proceeding
36. • Covers crisis management, including credit monitoring
services and public relations expenses incurred resulting
from a security or privacy breach. Also pays costs of
notifying consumers as required by various state, federal
or international laws or regulations.
Breach Response Expenses
37. • Covers the insured for Intellectual Property (copyright
infringement, etc.) and Personal Injury (defamation, etc.)
perils that result from an error or omission in content on
their website. Multimedia coverage is also available.
• Provides coverage for expenses and/or losses incurred
as the result of an extortion threat made against an
insured.
• Provides coverage for business interruption loss and/or
business restoration expense incurred by the insured as
the direct result of a security breach that caused system
failure.
Media Liability/Cyber Extortion/Business Interruption
38. • Pays the reasonable costs incurred by the insured, in
excess of any normal operating costs, for the restoration
of any data stored.
• Technology E&O and/or certain Miscellaneous
Professional Liability exposures may be combined with
the cyber coverage in one policy.
Data Restoration and Professional Liability
39. Data Breach or cyber insurance policies are becoming a more
important part of a company’s preparedness plans.
In 2013, only 10% of respondents said their company purchases a
policy. In 2014 the percentage more than doubled to 26%.
Gaining Traction
40. Final Thoughts
• Anyone who collects, stores (either on their system, a third
party vendor or the cloud) and/or shares customer information
(PII or PHI) has an exposure regardless of industry class or
size.
• Size doesn’t matter!
– “Targets of opportunity” are based on “ease of access” &
likelihood of breach being detected.
• This coupled with the probability of human error or
unintended disclosure can result in significant costs.
42. Contact Information
Raja Paranjothi
CBIZ Business and Technology
Risk Services
913.234.1869
rparanjothi@cbiz.com
Kyle Konopasek
CBIZ Business and Technology
Risk Services
913.234.1020
kkonopasek@cbiz.com
Damian Caracciolo
CBIZ Risk & Consulting
443.472.8096
dcaracciolo@cbiz.com
Editor's Notes
There are many words to define what social engineering is, and they are all satisfactory, but my favorite is simply stated: The clever manipulation of the natural human tendency to trust. It is important to point out that social engineering does not use force of any kind to gain access to the target and rarely uses any sort of technical advantage to reach a target. Social engineering is often the first method of attack chosen by hackers en route to a cybersecurity attack. That is the element that you almost never read about when you hear about the Target, Home Depot, and Blue Cross Anthem information security breaches—what role social engineering played to develop the attack. Why is that? Most likely because the social engineering phase of the attack went undetected.
Why would anyone ever use social engineering to attack a company? What are the top motivators for doing so? It is probably no surprise that financial gain is the top motivator for an attack, but this Dimensional Research survey shows us that access to proprietary information and gaining a competitive advantage also rank very high. These top three motivators show why every organization that has anything to lose and/or protect need to be cognizant of social engineering attacks.
The cost of a social engineering attack can be significant.
According to a 2011 survey by Dimensional Research of 853 companies across the globe, a single social engineering incident left a burden between $10,000 and $25,000 for 62% of all companies surveyed. 48% of those same companies said that an incident cost them between $25,000 and $50,000.
Typically, the larger the organization, the more that is at stake and that can increase the number of records that are available for compromise.
And when you have more than a single social engineering incident, those costs to the organization begin to rise quickly. From the same survey of 853 companies, 68% had more than 5 incidents across a two-year period.
Do the math and that is a range of $50,000 to more than $500,000 in total.
That doesn’t even quantify the reputation damage that may have been done and account for possible future losses or reductions in revenue as a result.
So as you can see, the numbers support how damaging social engineering attacks can be. While the frequency may not be high for all companies, one incident could be very damaging for a small organization.
MICHAEL
Much like a successful company, that success usually depends on a strategic plan. Social engineering is really no different. While some attackers may only elect one type of social engineering attack, the more elaborate schemes begin with information gathering. Most of the time, information gathering begins with internet research and may then progress to dumpster diving to develop a more complete understanding of the target.
When we talk about finding valuable information through the dumpster diving process it typically begins with Social Security Numbers, bank account numbers, usernames and passwords, and other sensitive personally identifiable information. However, companies often understate the importance of printed emails, company phone and email lists, schedules, vendor documentation, and new hire information. All of this information is golden to a social engineer.
Even if the material has been shredded, it may be possible for the attacker to tape the document and still have perfectly valuable information in hand. Multiple times, we have found a bag full of vertically shredded documents in the dumpster. What people don’t think about is that when a vertical cut shredder empties into the bin all the shredded strips generally stay together in the same area of the bin. It then becomes a matter of having a little patience and time to reassemble those pieces back together at a remote location. The only type of shredder that anyone should ever own is a “level 4” high security shredder—at a minimum a “level 3” micro cut shredder.
The same goes for hand torn documents. Just because you folded the document two or three times before you ripped it to pieces doesn’t make it any more secure. Actually, the fold lines make reassembly easier as they aid in lining up the torn sides.
EXAMPLES
Over the years we have found many documents in trash dumpsters. When we first began, we were in utter shock with the kinds of documentation we would find. After a while though, you begin to get numb when you find customer social security numbers, customer bank account numbers, system usernames and password listings, and other types of sensitive information.
The items found through dumpster diving often lead directly to an email phishing campaign by a real attacker. Armed with a fairly recent employee phone/email listing found in the trash, the attacker has more than he needs to accomplish this task. While certain technical defenses implemented by the company may impede such an attack, just one email that slips through may be all the attacker needs to get one step closer to the target or possibly attain the targeted information.
While email phishing is a commonly heard phrase today, spear phishing and vishing are two other methods used by attackers. A spear phishing attack will have the receiver’s name in the email to make it appear more personal—hoping it increases the odds of you clicking the link. Vishing is just phishing via the telephone. It requires a bit more practice and the ability to think quickly, but it enables the attacker to elicit certain responses and information that may be valuable to execute future attacks.
EXAMPLES
A successful email phishing attack we have used to test employee compliance with policy is the implementation of a new paid time off policy and tracking system. A false website address is obtained by us for a few dollars and the actual URL will look very similar to the company’s real URL. The false URL will direct the person who clicks the link to a false website we also set up, which takes key elements from the company’s real website to make it appear authentic. However, the real hook for the attack is the body of the email where the link to the website is placed. By asking the targeted employee(s) to click the link and read the updated paid time off policy and make sure their vacation accrual and current requests are correct, we have just used the employee(s) to help us install malware on their computer just by clicking the link. And, to access the tracking system, we required the employee(s) to enter their Windows username and password, so now we have valid login credentials to the company network.
Here is an example of how minor changes in website addresses can confuse people and go completely unnoticed. One of these addresses is the actual website address for Principal Financial Group (the middle URL is real) and two are false. While to most of us it may seem silly and incomprehensible to not know which one is real and to easily spot the fakes, the attacker is hoping that when the font size is smaller you won’t be able to see it as easily and that not everyone knows how to spell correctly.
Sometimes, the false URL is hidden behind the real URL, but you wouldn’t know that unless you carefully hovered the mouse pointer over the link to see where the link is going to send you when clicked.
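The two tricks just described (a near-miss spelling of the real domain, and a displayed URL that differs from the link's actual target) are both mechanically checkable. The following is an added example written for this page, not code from the presenters or from CBIZ: it scans a constructed HTML e-mail body and flags links whose target host is within a couple of edits of a trusted domain, embeds the trusted name in a longer host, or does not match the URL shown in the link text. The trusted domain example-corp.com and the sample e-mail are assumptions constructed for the demonstration.

```python
"""Flag lookalike and mismatched links in an HTML e-mail body (defensive check)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed assumption: the organization's legitimate domain(s).
TRUSTED_DOMAINS = {"example-corp.com"}

# Link text that itself looks like a URL or host name (e.g. "example-corp.com/pto").
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

def levenshtein(a, b):
    """Edit distance: one substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Crude registrable-domain approximation: the last two labels of the host."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links

def assess_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link looks suspicious; an empty list means no finding."""
    findings = []
    host = urlparse(href).hostname or ""
    reg = registrable(host)
    if reg in trusted:
        return findings                      # genuinely on a trusted domain
    # 1) Displayed text is a URL whose host differs from where the link really goes.
    if URL_LIKE.match(text):
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        if registrable(shown_host) != reg:
            findings.append(f"display text {text!r} does not match target host {host!r}")
    # 2) Target host is a near-miss of, or embeds, a trusted domain name.
    for t in trusted:
        if levenshtein(reg, t) <= 2:
            findings.append(f"target host {host!r} resembles trusted domain {t!r}")
        elif t.split(".")[0] in host:
            findings.append(f"target host {host!r} embeds trusted name {t!r}")
    return findings

def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Map each suspicious href in the e-mail body to its list of findings."""
    return {href: f for href, text in extract_links(html) if (f := assess_link(href, text, trusted))}

# Constructed sample modelled on the paid-time-off pretext described above.
SAMPLE_EMAIL = """
<p>Please review the new paid time off policy and confirm your balance:</p>
<a href="http://examp1e-corp.com/pto">http://example-corp.com/pto</a><br>
<a href="https://example-corp.com.pto-portal.net/login">Log in to the PTO tracker</a><br>
<a href="https://example-corp.com/benefits">Benefits page</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

The same checks can be run at the mail gateway or used to build the "people who fall victim to email phishing" metric from an internal test campaign.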
KYLE
With the information gathered through dumpster diving and phishing the next logical step for an attacker is pretexting. Pretexting is where an invented scenario is used and an in-person attack is exercised. This is the stuff movies are made of—and it is real—and it works. Pretexting can be as simple as piggy-backing or following company employees through a secured door, but it always relies on the attacker’s ability to develop rapport, trick the minds of others, and successfully sell the role—be the person impersonated. This type of attack takes nerve and a calm demeanor—the ability to quickly think on your feet and adjust as needed to remain in the role.
Piggy-backing: Cold day, arms full, or left access key at home routine are often successful and play on people’s emotions of sympathy.
Baiting: Place a USB thumb drive in envelope with creative label and leave in a conspicuous location. Installs malware when found and inserted.
EXAMPLES
A highly successful pretext we have used at financial institutions is the roving telecom adapter scenario. We select a telecom vendor, typically the one used by the company, and capture that vendor’s logo from the internet. With the logo, we have created hats, polo shirts, business cards, ID badges, and automobile magnets.
With all of those tools in tow, we would rent a white van from City Rent-A-Truck and put the magnet on each side displaying the vendor’s logo. When we arrive at a branch we walk in, not knowing the building layout at all, and find the first person who would seem like a logical choice to approach. Many times it is a teller, but sometimes there is another person sitting at a desk in the lobby. Regardless, our approach is the same: quickly present our fake business card and work order to the target and begin speaking the pretext by introducing who we are and what we need. The idea is to overwhelm the target with enough information so as to confuse them and get them to forget about what they should be doing. And by going into these businesses in pairs, it doubles that impact and makes us appear more legitimate.
The pretext went like this, “Good morning, my name is Kyle Konopasek and I am with the XYZ Telecom Commercial Solutions Division. Our company owns the lines coming into the building up to the DEMARC and from there to the roving telecom adapter. We received a work order this morning from our supervisor for your company to check the roving telecom adapters. They were part of a recall last month and we just need to check the last four digits of the serial number to see if yours is part of the recall and put it on the list to be replaced in a couple weeks. We are not changing anything today, just need a couple minutes to look at the serial number and then we will be gone.”
The key is to remain calm, speak slowly and clearly, and start developing a rapport with the target. In one instance, the person had a St. Louis Cardinals mini helmet on her desk and a photo of a young child. With that, I was able to start a calming conversation about the Cardinals and her grandson while we waited to see if we would be granted access. By developing this level of rapport, it increases our odds of being granted access. When we are granted access to the telecommunication closet/room, we are almost always granted access to the servers and other in-house technology as they typically share the same space.
There was another instance where the bank employees just gave us access to anything we wanted and allowed us to roam all secured areas of the branch with no escort. In this instance, I walked up to an unattended teller drawer that I noticed was open. In that drawer were four large stacks of $20 bills which I could have easily grabbed. They would have eventually noticed, but I would have also been long gone by that time. Aside from the cash, we could have tampered with any of the computers, servers, and surveillance equipment leading to a much larger attack and damaging results for that bank.
A 2014 poll by InformationWeek’s Dark Reading found that lack of employee awareness is the single biggest social engineering threat to companies. Many organizations will spend millions of dollars on technical defenses against intrusions, but very few put significant dollars and effort behind strong employee awareness.
MICHAEL
The Dimensional Research survey cited earlier also provides insight into who in an organization is most vulnerable to a social engineering attack. New employees are the easiest as they are just learning the internal policies, don’t know who all their co-workers are, and will be reluctant to push back against any request that sounds legitimate.
Second most susceptible are vendors and contractors. Unless the company has performed thorough due diligence and has a robust vendor management program, vendors may be an easy way to access valuable information and/or assets from your company.
Third highest are executive assistants, primarily because they have access to so much valuable information about the executives they support. It is not that they aren’t capable of protecting information. It is that they are targeted so frequently that for those who do give up information it can be extremely damaging to the company and helpful to the attacker.
Social engineering attacks cannot be prevented—only mitigated and deterred. There are many effective methods to mitigate and reduce the likelihood of the risk of attack, but the best is awareness. Employee awareness is the key to defending and minimizing the damage from social engineering attacks. Strong policies approved by the board of directors or executive management support the employee awareness approach and reduce pressure on employees because they know they are supported by such documents. But for the policies to have their greatest impact, management must not be afraid to enforce even the smallest policy violations.
Some technical means may be used to help deter email phishing attacks, but as the Dark Reading poll shows, employee awareness is the biggest threat and is the last line of defense when these technical barriers fail. Organizations never truly know how well these defenses work unless they are tested on a regular basis. It is better to test them in a controlled environment than to risk having them fail in a real attack.
KYLE
Many times organizations will not have the means or ability to test with internal staff, so they will look outside the organization for assistance. That is when a third party can help out, but it is critical that management view all testing as a learning tool and not a punishment for individual employees that fail or contribute to a failed test. Tests that are failed show where the organization is weak and needs to be improved through employee awareness and possibly enhanced technical means.
Testing the organization’s information security policies and procedures with social engineering techniques is a positive exercise that will bring attention to the subject and contribute to the employee awareness plan.
Cannot be law enforcement, fire, paramedics, public safety personnel, military, or government officials.
Even the best technical security efforts will fail if the organization has a weak security culture.
What are the keys to having a successful security awareness program?
Understand what security awareness really is.
C-suite support.
Partner with key departments.
Be creative—only so many dollars may be allocated.
Collect metrics. # people fall victim to email phishing. # people who secure desk at EOD. # people using strong passwords.
Explanation and transparency. Explain how employee can do things rather than telling what not to do.
90-day plans.
Multimodal awareness materials. Blogs, newsletters, posters, internet articles—consider demographic of audience.
Incentivized program. Security cube with 10 violations—reward employees and “gamify” the program.
No matter how robust an organization’s firewalls, intrusion detection systems, anti-virus/malware software, or other technological and physical safeguards—the human is always the weakest link.