Scammed: Defend Against Social Engineering - PowerPoint PPT Presentation

About This Presentation
Title:

Scammed: Defend Against Social Engineering

Description:

Do you know how to identify and respond to cyberattacks? As the size, severity and frequency of hacks continue to grow, A-LIGN President Gene Geiger looks to assist organizations in managing and minimizing the risk of cyberattacks. This presentation evaluates current security trends and risks, reviews a client environment and account compromise through social engineering, and provides practical advice on how to keep your organization from becoming compromised. As hackers become increasingly savvy at accessing accounts and sensitive information, this session will help your organization build a security foundation to avoid becoming another target. The presentation covers the current data breach landscape, with examples of real-world breaches; security trends and risks, including the consequences of a data breach; a case study of a social engineering attack; and actionable prevention tips and IT audits to secure your organization.

Slides: 32
Provided by: miteshpatelcs

Transcript and Presenter's Notes

Title: Scammed: Defend Against Social Engineering


2
Presenter
Gene Geiger, President at A-LIGN
Co-founder and President at A-LIGN, leading the firm's service delivery function of all audits
Professional designations: CPA, CCSK, CISSP, PCIP, QSA, ISO 27001, ISO 9001 and ISO 22301 Lead Auditor, HITRUST CCSFP
WWW.A-LIGN.COM 2018
3
Agenda
- The Cybersecurity Landscape
- Security Trends and Risks
- Real World Breaches
- Case Study of a Social Engineering Attack
- Breach Prevention Solutions
- Q&A Session
5
Data Breach vs. Data Incident
A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual not authorized to do so.
A data incident is a security event that compromises the integrity, confidentiality, or availability of an information asset.
Data breaches may involve:
- PCI: payment card information
- PHI: personal health information
- PII: personally identifiable information
- Trade secrets
- Intellectual property
6
Recent Data Breaches
- Yahoo: >1 billion affected users
- Equifax: >140 million affected users
- LinkedIn: 117 million affected users
- Facebook: 87 million affected users
- Target: 70 million affected users
- Uber: 57 million affected users
- Internal Revenue Service (IRS): 700,000 affected users
7
The Cybersecurity Landscape
"No locale, industry or organization is bulletproof when it comes to the compromise of data." - Verizon's 2017 Data Breach Investigations Report
[Chart: share of breaches per threat action category (Hacking, Malware, Misuse, Error, Social, Physical, Environmental), 2010 to 2017, vertical axis 0 to 60]
Source: Verizon's 2017 Data Breach Investigations Report
12
Cost of a Breach
- Fines: HIPAA, PCI
- Settlement and lawsuit costs
- Reputation
- Ability to capture new business
13
Average Cost of a Breach
- $3.62 million: consolidated total cost of a breach
- $141 per record: cost incurred per record of sensitive/confidential information
- $1.56 million in the U.S.: post data breach response activities
14
PCI DSS Fines
Visa Non-Compliance Fines
Month      Level 1           Level 2
1 to 3     $10,000/month     $5,000/month
4 to 6     $50,000/month     $25,000/month
7          $100,000/month    $50,000/month
Breach fines and resulting lawsuits are even higher in potential cost!
15
HIPAA Fines
Category 1
- A violation that the covered entity (CE) was unaware of and could not have realistically avoided, even had a reasonable amount of care been taken to abide by HIPAA Rules
- Minimum fine of $100 per violation, up to $50,000
Category 2
- A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care
- Falls short of willful neglect of HIPAA Rules
- Minimum fine of $1,000 per violation, up to $50,000
16
HIPAA Fines
Category 3
- A violation suffered as a direct result of willful neglect of HIPAA Rules
- Only in cases where an attempt has been made to correct the violation
- Minimum fine of $10,000 per violation, up to $50,000
Category 4
- A violation of HIPAA Rules constituting willful neglect
- No attempt has been made to correct the violation
- Minimum fine of $50,000 per violation
17
Breach Fallout: Anthem
- 78.8 million affected users
- Largest healthcare data breach ever reported
- Accessed information may have included: names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, and work information such as income data
- Previously fined $1.7 million for data security failures by OCR in 2009
- Pending fines, settlements, other costs
18
Breach Fallout: Target
- Fines: the PCI Council could fine Target between $400 million and $1.1 billion
- Settlement cost: $10 million from users; additional settlements pending
- Class-action lawsuit: $5 million in damages pending
- Loss in credibility/business: after Target's data breach, sales fell by 46%, a loss of more than $200 million in profits
20
Breached by A-LIGN
Scenario 1
- A-LIGN's penetration testing team posed as an internal IT group
- A survey was sent to a group of employees
- Followed up with a phone call
22
Breached by A-LIGN
Scenario 2
- The penetration testing team posed as the HR department and an email was sent to the IT staff
- They were asked to log in and update HR information
- The goal was only to get them to click the link within the email
23
Breached by A-LIGN
Results
- Scenario 1: 100 total targets, 42 survey visits, 9 credentials gathered, 6 opt-outs
- Scenario 2: 8 total targets, 6 visits, no credentials
[Chart: Scenario 1 Email Engagement, segments Credentials Captured / Opt-out / Link Followed / No Action; Scenario 2 Email Engagement, segments Link Followed / No Action]
24
Why is This Happening?
- No written and/or implemented information security policy
- Not complying with applicable standards
- No recent assessments/penetration tests
- Not improving information security
26
Solutions
- Improve policies and procedures
- Restrict access with proper authorization and access controls
- Improve third-party vendor management
- Design and follow an incident response program
- Compliance audits and penetration testing
- Employee education and security training
27
Breach Prevention
Data breaches can never be fully prevented, but preparation can help your organization:
- Recurring/scheduled security tests
- Enforcement of strong security policies
- Training of employees
28
Compliance Audits and Penetration Testing
- Be in compliance with the necessary standards
- Understand the potential risk to your organization
- Cyber risk, privacy, compliance and security audits available: SOC 1, SOC 2, SOC for Cybersecurity; HIPAA, HITRUST; PCI DSS; FISMA, FedRAMP; Penetration Testing; ISO 27001; CFPB; GDPR
29
Summary/Questions
888.702.5446 | www.A-LIGN.com | info@a-lign.com
30
A-LIGN Can Help
  • A-LIGN is a leading information security audit firm focused on security, privacy and compliance frameworks including:
  • SOC 1 Examinations, SOC 2 / AT-C 105 and 205 Examinations, SOC for Cybersecurity Examinations, Penetration Testing, ISAE 3402, HITRUST, FFIEC Cybersecurity Assessment Services, FedRAMP Assessment, FISMA Assessment, ISO 27001 Certification and more
  • A Public Company Accounting Oversight Board (PCAOB) registered auditor
  • Enrolled in the American Institute of CPAs' (AICPA) Peer Review Program

[Logos: Security Standards Council Qualified Security Assessor; HITRUST Authorized CSF Assessor; ANAB Accredited Management Systems Certification Body]
31
Sources
  • http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
  • http://www.esecurityplanet.com/network-security/all-time-high-of-1093-data-breaches-reported-in-u.s.-in-2016.html
  • https://www.nytimes.com/2014/02/27/business/target-reports-on-fourth-quarter-earnings.html?_r=0
  • http://thehill.com/policy/cybersecurity/316034-united-states-leads-world-in-data-breaches
  • http://www-03.ibm.com/security/data-breach/
  • http://www.experian.com/assets/data-breach/white-papers/2017-experian-data-breach-industry-forecast.pdf
  • httpse.html
  • https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
  • https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
  • http://www.darkreading.com/risk/compliance/target-pci-auditor-trustwave-sued-by-banks/d/d-id/1127936
  • https://fas.org/sgp/crs/misc/R43496.pdf