Thrive. Grow. Achieve.
Mitigating Cybersecurity and Cyber Fraud Risk in your Organization
Nate Solloway and Martin Nash
October 5, 2017
BUT FIRST
• EAGLEBANK - DISCLAIMER!
• ABOUT US
• ABOUT YOU
• INTERACTION ENCOURAGED
• QUESTIONS ANYTIME
WHAT WE WILL COVER
• RISK BASICS – KNOW, MANAGE, UNDERSTAND
• WHAT ARE THREATS DOING?
• WHAT CAN YOU DO?
• HELPFUL RESOURCES
RISK BASICS: KNOW, MANAGE, UNDERSTAND
• KNOW YOUR THREATS
• MANAGE YOUR VULNERABILITIES
• UNDERSTAND THE POSSIBLE IMPACTS TO YOU/YOUR ORGANIZATION
CONFIDENTIALITY, INTEGRITY AND AVAILABILITY OF INFORMATION
THREAT X VULNERABILITY X IMPACT = RISK
KNOW YOUR THREATS
A threat is defined as a potential cause of an incident that may result in harm to a system or organization. Information security threats to the confidentiality, integrity and/or availability of information can be environmental (such as hurricanes, tornadoes, floods, earthquakes) or human: a person (threat actor) or group of people (threat group) who actually performs an attack or, in the case of accidents, causes the accident.
KEY INFORMATION SECURITY THREATS (IN NO PARTICULAR ORDER AND NOT EXHAUSTIVE):
• Organized Crime/Cyber Criminals
• Hacktivists
• Nation States
• Insiders (including 3rd parties with access to Sensitive Information)
• Accidental, non-intentional and/or non-malicious versus Deliberate: Biggest Help versus Biggest Hindrance
• Environmental
• (Terrorists)
MANAGE YOUR VULNERABILITIES
Information security vulnerabilities are defined as any weakness of an information asset or group of assets that can be exploited by one or more threats, leading to the deliberate or accidental unauthorized disclosure, misuse, alteration and/or destruction of information or information systems.
EVERY COMPUTER IS MILLIONS OF LINES OF CODE WRITTEN BY FALLIBLE OR DELIBERATELY MALICIOUS HUMAN BEINGS.
UNDERSTAND THE POSSIBLE IMPACTS TO YOUR ORGANIZATION (EXAMPLES)
• FINANCIAL LOSS OR STOCK CRASH
• REPUTATIONAL DAMAGE
• LEGAL/REGULATORY PENALTIES
• LOSS OF PRIVACY FOR STAFF AND/OR CUSTOMERS
• IDENTITY THEFT (FRAUD) FOR STAFF AND/OR CUSTOMERS
• FRAUD (GENERALLY)
• PERSONAL FINANCE IMPLICATIONS FOR STAFF AND/OR CUSTOMERS
WHAT ARE THREATS DOING?
IT MISTAKES MAKE BIG HEADLINES
VERIZON: 2017 DATA BREACH INVESTIGATIONS REPORT (DBIR)
WHAT ARE THREATS DOING? (2017 Verizon DBIR charts; figures not reproduced)
WHAT ARE THREATS DOING?
• SECTOR BREACH STATISTICS COURTESY OF THE 2017 VERIZON DATA BREACH REPORT (DBIR)
• SECTORS CHOSEN BASED ON ATTENDEES (THERE ARE A FEW MORE IN THE DBIR)
• GOING TO EXAMINE PREDOMINANT THREAT AVENUES FOR EACH SECTOR AND PROVIDE FURTHER CONTEXT THROUGH DEMONSTRATIONS
WHAT ARE THREATS DOING? – THREAT ATTACK LIFECYCLE (2017 Verizon DBIR)
WHAT ARE THREATS DOING?
PHISHING AND EMAILS
- WHAT HAPPENS WHEN YOU CLICK ON A MALICIOUS LINK OR OPEN AN ATTACHMENT?
- STOP AND THINK BEFORE CLICKING A LINK (OR OPENING ATTACHMENTS)
- MALWARE AND VIRUSES
WHAT ARE THREATS DOING? – PHISHING (2017 Verizon DBIR)
WHAT ARE THREATS DOING?
SQL INJECTION ATTACKS
WHAT ARE THREATS DOING? – SOCIAL ENGINEERING (2017 Verizon DBIR)
- In person
- Via emails/electronically
- (remember phishing?)
- On the phone
WHAT ARE THREATS DOING? – ACCIDENTAL (2017 Verizon DBIR)
- Excessive Privileges
- No ‘Need to Know’
- Not properly trained
- Ineffective Policies, Processes, Procedures
WHAT ARE THREATS DOING? – DISCUSS! (2017 Verizon DBIR)
WHAT ARE THREATS DOING? – DELIBERATE! (VERSUS ACCIDENTAL)! (2017 Verizon DBIR)
- Excessive Privileges
- No ‘Need to Know’
- Lack of Monitoring
WHAT ARE THREATS DOING? (2017 Verizon DBIR)
• Denial of Service Attack of October 2016 was a game changer!
• Mirai botnet takes down Netflix, Twitter, Spotify, Reddit, CNN, PayPal, Pinterest
• DVRs, cameras, IoT devices
Security Awareness Training 23
WHAT ARE THREATS DOING? – DENIAL OF SERVICE
WHAT ARE THREATS DOING?
RANSOMWARE
• Infection is usually via a phishing email
• File extension names change
• Pop-ups
WHAT ARE THREATS DOING? – Business Email Compromise or Email Account Compromise (BEC or EAC) (2017 Verizon DBIR)
– Business IT systems
– Aim is to enable wire (or any financial transaction) fraud
– Financial loss!
WHAT ARE THREATS DOING? – BEC or EAC
Compromised Email Header
FRAUDULENT HOTSPOTS
WHAT ARE THREATS DOING?
“SMART DEVICE” HACKING
• Increasingly, we’re being offered Internet-connected devices for all aspects of our lives
– Home automation – remote control of lights, blinds, garage doors, security systems
– “Smart” refrigerators
– Internet-enabled baby monitors
• If it’s on the internet, it is vulnerable to hackers
– Many of these new devices are designed without consideration for security, since they’re not items that traditionally require security!
– http://47.18.104.167:5000/Top
WHAT CAN YOU DO?
About 80% of Insider Threat is accidental, non-malicious, unintentional risk
Training and Awareness
• New Employee Training
• Phishing (KnowBe4, PhishMe and others)
• Social Engineering
• Results
• Should you tell your staff you are doing this?
• Online Courses
• Staff Meetings
• Cyber Champions?
WHAT CAN YOU DO?
99% of attacks are successful because people fail to do the basics right!
• Up to date Anti-Virus
• Different and Changing Passwords
• Patches and Updates
• Switch on anti-spam and anti-phishing options in email
• Train staff and encourage them to be cyber savvy at work and at home.
• Make your cyber house more secure than your neighbor’s cyber house.
• Treat information like a high value cash asset – because that is exactly what it is!
WHAT CAN YOU DO?
• Check that you have Distributed Denial of Service (DDoS) mitigation services in place, that they are regularly tested and that they work.
• Watch out for potentially malicious attachments (such as macro-enabled MS Office docs) and talk about patching and updating hygiene to anyone who will listen.
• Implement limiting, logging and monitoring of use. Watch out for large file transfers via USB, for example.
• Have and enforce a formal procedure for disposing of anything that might contain sensitive data, and always have anything you are publishing checked and double checked.
• Encrypt wherever possible and establish a corporate culture that frowns upon printing out sensitive data.
• If you have web applications for customer use, encourage customers to vary their passwords and use two-factor authentication. Limit the amount of sensitive information stored in web-facing applications.
• Hammer home to your teams — particularly in finance — that no one will request a payment via unauthorized processes. Also ask IT to mark external emails with an unmistakable stamp.
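The last recommendation above (have IT stamp external email) and the compromised-email-header slide in the BEC section can be shown together as a small mail-gateway check that tags external mail and surfaces the header red flags a BEC lure typically carries. This is an added example, not code from the presentation or from EagleBank; the internal domain, the two sample messages and the [EXTERNAL] tag are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed internal domain for the example; a real filter loads this from config.
INTERNAL_DOMAINS = {"example-bank.test"}

# Constructed BEC-style lure: executive display name, lookalike sender domain,
# and a Reply-To that routes any answer to a third mailbox.
SAMPLE_BEC = """\
From: "Jane Doe (CEO)" <jane.doe@example-bank-mail.test>
Reply-To: ceo.office@freemail.test
To: accounts.payable@example-bank.test
Subject: Urgent wire transfer needed today

Please process the attached wire before noon and keep this confidential.
"""

# Constructed internal message that should pass through untouched.
SAMPLE_INTERNAL = """\
From: Bob Smith <bob.smith@example-bank.test>
Subject: Q3 invoice batch

Attached as discussed.
"""

def _domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def analyse(raw):
    """Return (subject_to_deliver, red_flags) for one raw RFC 5322 message.
    External mail gets an [EXTERNAL] stamp; flags inform, they do not block."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    external = from_dom not in INTERNAL_DOMAINS
    flags = []
    if external:
        flags.append("external-sender")
    if reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    # Lookalike: an external domain that embeds our own domain's first label.
    if external and any(d.split(".")[0] in from_dom for d in INTERNAL_DOMAINS):
        flags.append("lookalike-domain")
    subject = str(msg["Subject"] or "")
    if external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject
    return subject, flags
```

The stamp tells the finance reader at a glance that the "CEO" mail came from outside, and the flags give the security team something to alert on.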
HELPFUL RESOURCES AND INFO
Verizon 2017 Data Breach Investigations Report (DBIR)
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
FutureLearn – Introduction to Cybersecurity
https://www.futurelearn.com/courses/introduction-to-cyber-security
EagleBank website – Cybersecurity and Fraud page
https://www.eaglebankcorp.com/cybersecurity-and-fraud/
TED Talks – Everyday Cybercrime and what you can do about it
http://www.ted.com/talks/james_lyne_everyday_cybercrime_and_what_you_can_do_about_it
BEC Brochure (hard copy and EagleBank Website)
https://www.eaglebankcorp.com/cybersecurity-and-fraud/
Social Engineering Red Flags (hard copy)
Subscriptions:
US-CERT https://www.us-cert.gov/
Brian Krebs (Cybersecurity Investigative Blogger) http://www.krebsonsecurity.com/
HELPFUL RESOURCES AND INFO
Resources for SMBs
https://www.us-cert.gov/ccubedvp/smb
10 Steps to Cybersecurity
https://www.ncsc.gov.uk/guidance/10-steps-cyber-security
http://www.baesystems.com/en/cybersecurity/cyber-attacks-are-you-at-risk
NIST Cybersecurity Framework
https://www.nist.gov/cyberframework
ISO27001/2 Information Security Management
http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
Center for Internet Security – Top 20 Critical Security Controls
https://www.cisecurity.org/critical-controls.cfm
QUESTIONS AND ANSWERS
EagleBank Disclaimer - Reminder