Posted Jan 22, 2018

Transcript
Page 1: 2017-10-05 Mitigating Cybersecurity and Cyber Fraud risk in Your Organization

Thrive. Grow. Achieve.

Mitigating Cybersecurity and Cyber Fraud Risk in your Organization

Nate Solloway and Martin Nash

October 5, 2017

Page 2

BUT FIRST

• EAGLEBANK - DISCLAIMER!

• ABOUT US

• ABOUT YOU

• INTERACTION ENCOURAGED

• QUESTIONS ANYTIME

Page 3

WHAT WE WILL COVER

• RISK BASICS – KNOW, MANAGE, UNDERSTAND

• WHAT ARE THREATS DOING?

• WHAT CAN YOU DO?

• HELPFUL RESOURCES

Page 4

RISK BASICS: KNOW, MANAGE, UNDERSTAND

• KNOW YOUR THREATS

• MANAGE YOUR VULNERABILITIES

• UNDERSTAND THE POSSIBLE IMPACTS TO YOU/YOUR ORGANIZATION

CONFIDENTIALITY, INTEGRITY AND AVAILABILITY OF INFORMATION

THREAT X VULNERABILITY X IMPACT = RISK

(Read qualitatively: risk exists only where a threat can reach a vulnerability whose exploitation has an impact. Remove any one factor, for example by patching the weakness or taking the asset off the attack path, and the risk goes to zero; reducing a factor reduces the risk.)

Page 5

KNOW YOUR THREATS

A threat is a potential cause of an incident that may result in harm to a system or organization. Information security threats to the confidentiality, integrity and/or availability of information can be environmental (such as hurricanes, tornadoes, floods, earthquakes) or a person (threat actor) or group of people (threat group) who actually performs an attack or, in the case of accidents, causes the accident.

KEY INFORMATION SECURITY THREATS TO BE AWARE OF (IN NO PARTICULAR ORDER AND NOT EXHAUSTIVE):

• Organized Crime/Cyber Criminals

• Hacktivists

• Nation States

• Insiders (including 3rd parties with access to Sensitive Information)

• Accidental, non-intentional and/or non-malicious versus Deliberate: Biggest Help versus Biggest Hindrance

• Environmental

• (Terrorists)

Page 6

MANAGE YOUR VULNERABILITIES

Information security vulnerabilities are defined as any weaknesses of an information asset or group of assets that can be exploited by one or more threats, leading to the deliberate or accidental unauthorized disclosure, misuse, alteration and/or destruction of information or information systems.

EVERY COMPUTER IS MILLIONS OF LINES OF CODE WRITTEN BY FALLIBLE OR DELIBERATELY MALICIOUS HUMAN BEINGS.

Vulnerabilities are therefore never eliminated, only managed: know what you run, patch it, configure it securely and limit what can reach it.

Page 7

UNDERSTAND THE POSSIBLE IMPACTS TO YOUR ORGANIZATION (EXAMPLES)

• FINANCIAL LOSS OR STOCK CRASH

• REPUTATIONAL DAMAGE

• LEGAL/REGULATORY PENALTIES

• LOSS OF PRIVACY FOR STAFF AND/OR CUSTOMERS

• IDENTITY THEFT (FRAUD) FOR STAFF AND/OR CUSTOMERS

• FRAUD (GENERALLY)

• PERSONAL FINANCE IMPLICATIONS FOR STAFF AND/OR CUSTOMERS

Page 8

WHAT ARE THREATS DOING?

IT MISTAKES MAKE BIG HEADLINES

Page 9

VERIZON: 2017 DATA BREACH INVESTIGATIONS REPORT (DBIR)

Page 10

(Chart: 2017 Verizon DBIR)

Page 11

(Chart: 2017 Verizon DBIR)

Page 12

• SECTOR BREACH STATISTICS COURTESY OF THE 2017 VERIZON DATA BREACH REPORT (DBIR)

• SECTORS CHOSEN BASED ON ATTENDEES (THERE ARE A FEW MORE IN THE DBIR)

• GOING TO EXAMINE PREDOMINANT THREAT AVENUES FOR EACH SECTOR AND PROVIDE FURTHER CONTEXT THROUGH DEMONSTRATIONS

Page 13

(Chart: 2017 Verizon DBIR)

Page 14

THREAT ATTACK LIFECYCLE (diagram)

Page 15

PHISHING AND EMAILS

- WHAT HAPPENS WHEN YOU CLICK ON A MALICIOUS LINK OR OPEN AN ATTACHMENT?

- STOP AND THINK BEFORE CLICKING A LINK (OR OPENING ATTACHMENTS)

- MALWARE AND VIRUSES

Page 16

PHISHING

Page 17

SQL INJECTION ATTACKS
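The slide only names the attack. As an added example (not from the deck), the following shows what an SQL injection looks like in code, side by side with the parameterized query that defeats it. It uses Python's built-in sqlite3 with a constructed in-memory database; the table names, rows and payloads are assumptions for illustration.

```python
"""Added example (not from the EagleBank deck): an SQL injection next to the
parameterized query that defeats it.  Uses an in-memory SQLite database with
constructed sample data; table names, rows and payloads are illustrative."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: a customer lookup table and a separate staff
    table that the customer-facing query was never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, ssn_last4 TEXT);
        INSERT INTO customers (username, ssn_last4) VALUES ('alice', '1234'), ('bob', '5678');
        CREATE TABLE staff (login TEXT, pwd_hash TEXT);
        INSERT INTO staff VALUES ('admin', 'hash-of-admin-password'),
                                ('teller01', 'hash-of-teller-password');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the user-supplied value is spliced into the SQL text, so a
    quote character in it ends the literal and the rest runs as SQL."""
    sql = f"SELECT username, ssn_last4 FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """HARDENED: the value travels as a bound parameter.  The query structure is
    fixed before the driver sees the value, so quotes are just characters."""
    sql = "SELECT username, ssn_last4 FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads (constructed): a tautology that returns every row, and a
# UNION that pulls rows from a table the original query never referenced.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT login, pwd_hash FROM staff WHERE '1'='1"

if __name__ == "__main__":
    db = setup_db()
    print("legit, vulnerable:    ", lookup_vulnerable(db, "alice"))     # one row
    print("tautology, vulnerable:", lookup_vulnerable(db, TAUTOLOGY))   # every customer
    print("union, vulnerable:    ", lookup_vulnerable(db, UNION_DUMP))  # staff password hashes
    print("tautology, safe:      ", lookup_safe(db, TAUTOLOGY))         # no customer has that literal name
```

Parameterization is the fix; filtering quote characters is not, because the attacker controls the encoding and the database has more syntax than you can blacklist. A database account for the web application that can only read the tables it needs also limits what a successful injection can reach.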

Page 18

SOCIAL ENGINEERING

- In person

- Via emails/electronically (remember phishing?)

- On the phone

ACCIDENTAL

- Excessive Privileges

- No ‘Need to Know’

- Not properly trained

- Ineffective Policies, Processes, Procedures

Page 19

DISCUSS! (Chart: 2017 Verizon DBIR)

Page 20

(Chart: 2017 Verizon DBIR)

Page 21

DELIBERATE! (VERSUS ACCIDENTAL)

- Excessive Privileges

- No ‘Need to Know’

- Lack of Monitoring

Page 22

• The Denial of Service attack of October 2016 was a game changer!

• The Mirai botnet took down Netflix, Twitter, Spotify, Reddit, CNN, PayPal and Pinterest by flooding their DNS provider (Dyn); the sites themselves were not breached, just unreachable

• The botnet was built from DVRs, cameras and other IoT devices, recruited by logging in with their factory-default credentials

Page 23

DENIAL OF SERVICE

Page 24

(Chart: 2017 Verizon DBIR)

Page 25

RANSOMWARE

• Usually delivered via a phishing email (malicious attachment or link)

• Files are encrypted and renamed with a new extension (file extension name changes)

• Pop-ups / ransom notes demanding payment
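The two observable signs on the slide, files changing extension in bulk and a ransom note appearing everywhere, are also what a detection rule can key on. As an added example (not from the deck), here is that logic run over constructed file-event log lines. The log format, the thresholds, the ".locky" extension and the note file name are assumptions for illustration, not real telemetry from any product.

```python
"""Added example (not from the EagleBank deck): detection logic for the two
ransomware signs the slide lists, a burst of file-extension changes and the
ransom note dropped into every folder, run over constructed file-event log
lines.  Log format, thresholds, the '.locky' extension and the note file name
are assumptions for illustration, not vendor telemetry."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(seconds=60)   # sliding window for the rename burst (assumed)
RENAME_THRESHOLD = 5             # extension changes by one process inside WINDOW (assumed)
NOTE_DIR_THRESHOLD = 3           # same file name created in this many folders (assumed)

# Constructed sample log: "<ISO time> <user> <process> RENAME <old> -> <new>" or
# "<ISO time> <user> <process> CREATE <path>".  The first two lines are normal activity.
SAMPLE_LOG = r"""
2017-10-05T09:00:01 jdoe WINWORD.EXE RENAME C:\Users\jdoe\Documents\~WRD0001.tmp -> C:\Users\jdoe\Documents\Budget.docx
2017-10-05T09:12:03 jdoe explorer.exe RENAME C:\Users\jdoe\Pictures\IMG_001.jpg -> C:\Users\jdoe\Pictures\Holiday.jpg
2017-10-05T10:30:00 jdoe invoice_0917.exe RENAME C:\Users\jdoe\Documents\Budget.docx -> C:\Users\jdoe\Documents\Budget.docx.locky
2017-10-05T10:30:01 jdoe invoice_0917.exe CREATE C:\Users\jdoe\Documents\_HELP_instructions.html
2017-10-05T10:30:02 jdoe invoice_0917.exe RENAME C:\Users\jdoe\Documents\Q3.xlsx -> C:\Users\jdoe\Documents\Q3.xlsx.locky
2017-10-05T10:30:03 jdoe invoice_0917.exe RENAME C:\Users\jdoe\Pictures\Holiday.jpg -> C:\Users\jdoe\Pictures\Holiday.jpg.locky
2017-10-05T10:30:04 jdoe invoice_0917.exe CREATE C:\Users\jdoe\Pictures\_HELP_instructions.html
2017-10-05T10:30:05 jdoe invoice_0917.exe RENAME C:\Users\jdoe\Desktop\notes.txt -> C:\Users\jdoe\Desktop\notes.txt.locky
2017-10-05T10:30:06 jdoe invoice_0917.exe RENAME C:\Users\jdoe\Desktop\plan.pdf -> C:\Users\jdoe\Desktop\plan.pdf.locky
2017-10-05T10:30:07 jdoe invoice_0917.exe CREATE C:\Users\jdoe\Desktop\_HELP_instructions.html
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (RENAME|CREATE) (.+)$")


def parse(line: str):
    """One log line -> (time, user, process, action, [paths]), or None if malformed."""
    m = LINE.match(line)
    if not m:
        return None
    ts, user, proc, action, rest = m.groups()
    paths = rest.split(" -> ") if action == "RENAME" else [rest]
    return datetime.fromisoformat(ts), user, proc, action, paths


def detect(log_text: str) -> list:
    """Return alerts as (kind, process, user, time, detail) tuples, at most one
    per kind per process, raised the moment a threshold is crossed."""
    alerts, fired = [], set()
    bursts = defaultdict(deque)    # process -> times of recent extension changes
    note_dirs = defaultdict(set)   # (process, file name) -> folders it was created in
    for line in log_text.strip().splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, user, proc, action, paths = rec
        if action == "RENAME":
            if len(paths) != 2:
                continue
            old, new = PureWindowsPath(paths[0]), PureWindowsPath(paths[1])
            if old.suffix.lower() == new.suffix.lower():
                continue               # ordinary rename: extension unchanged
            q = bursts[proc]
            q.append(ts)
            while ts - q[0] > WINDOW:  # drop changes that fell out of the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and ("mass-extension-change", proc) not in fired:
                fired.add(("mass-extension-change", proc))
                alerts.append(("mass-extension-change", proc, user, ts.isoformat(), new.suffix))
        else:
            p = PureWindowsPath(paths[0])
            dirs = note_dirs[(proc, p.name.lower())]
            dirs.add(str(p.parent).lower())
            if len(dirs) >= NOTE_DIR_THRESHOLD and ("ransom-note-spray", proc) not in fired:
                fired.add(("ransom-note-spray", proc))
                alerts.append(("ransom-note-spray", proc, user, ts.isoformat(), p.name))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Tune the thresholds per environment and allow-list processes that legitimately rename or create files in bulk (backup agents, archivers, build tools), otherwise the rule is noisy. The value of the rule is speed: the first alert here fires six seconds into the encryption run, when isolating the host from the network still saves most of the file shares.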

Page 26

Business Email Compromise or Email Account Compromise (BEC or EAC)

– Business IT Systems: the attacker spoofs, impersonates or takes over a business mailbox

– Aim is to enable Wire (or any financial transaction) Fraud

– Financial Loss!

Page 27

BEC or EAC: Compromised Email Header
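The header slide is where the phishing material (pages 15 and 16) and the BEC material come together: the tells are in the headers and in the links, not in the polished body text. As an added example (not from the deck), the following triage script checks a constructed raw email for the red flags described on those slides: a Reply-To that points somewhere other than the From domain, a lookalike domain, pressure language in the subject, and a link whose visible text names one site while its href goes to another. The legitimate domain is taken from the deck's own URLs; the lookalike domain, the addresses and the message are made up for illustration.

```python
"""Added example (not from the EagleBank deck): a triage script for the BEC and
phishing red flags the slides describe, run over a constructed raw email.  The
addresses, the lookalike domain and the message text are assumptions; the bank
domain is the one used in the deck's own URLs."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = re.compile(r"\b(urgent|immediately|confidential|wire|today)\b", re.I)


def registrable(host: str) -> str:
    """Crude 'organisation domain': the last two labels.  Fine for .com; a real
    deployment would use the Public Suffix List so co.uk and friends work."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def domain_of(header_value) -> str:
    """Domain part of an address header such as '"Name" <user@example.com>'."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def looks_alike(legit: str, other: str) -> bool:
    """Different registrable domains whose organisation label overlaps,
    e.g. eaglebankcorp.com vs eaglebankcorp-secure.com."""
    if not legit or not other or legit == other:
        return False
    return legit.split(".")[0] in other.split(".")[0]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def red_flags(raw: str) -> list:
    """Return the red flags found, in check order.  Headers can be forged, so
    these are triage signals for a person or a mail filter, not proof."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = registrable(domain_of(msg["From"]))
    reply_dom = registrable(domain_of(msg["Reply-To"])) if msg["Reply-To"] else from_dom
    if reply_dom != from_dom:                      # replies go somewhere the sender is not
        flags.append("reply-to-mismatch")
        if looks_alike(from_dom, reply_dom):
            flags.append("lookalike-domain")
    if URGENCY.search(str(msg["Subject"] or "")):  # pressure language typical of BEC
        flags.append("urgency-language")
    if msg.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(msg.get_content())
        for href, text in collector.links:
            if text.startswith(("http://", "https://", "www.")):
                shown = registrable(urlparse(text if "://" in text else "http://" + text).hostname or "")
                actual = registrable(urlparse(href).hostname or "")
                if shown != actual:                # text names one site, href goes to another
                    flags.append("link-text-mismatch")
                    break
    return flags


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: "Martin Nash" <martin.nash@eaglebankcorp.com>
Reply-To: martin.nash@eaglebankcorp-secure.com
To: payments@example.com
Subject: Urgent wire - confidential
Content-Type: text/html

<html><body><p>Please process the attached wire today. Confirm in the portal:</p>
<a href="http://eaglebankcorp-secure.com/login">https://www.eaglebankcorp.com/online</a>
</body></html>
"""

CLEAN = """\
From: "Martin Nash" <martin.nash@eaglebankcorp.com>
To: payments@example.com
Subject: Agenda for Thursday
Content-Type: text/plain

See you there.
"""
```

None of these checks proves fraud, and a genuinely compromised account (the EAC case) shows none of the header mismatches at all. That is why the process control on page 32, verifying any payment instruction or change of bank details out of band on a number already on file, has to back up whatever the mail filter catches.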

Page 29

"SMART DEVICE" HACKING

• Increasingly, we're being offered Internet-connected devices for all aspects of our lives

– Home automation: remote control of lights, blinds, garage doors, security systems

– "Smart" refrigerators

– Internet-enabled baby monitors

• If it's on the internet, anyone can reach it, so it is exposed to attackers

– Many of these new devices are designed without consideration for security, since they're not items that traditionally required security!

– http://47.18.104.167:5000/Top

Page 30

WHAT CAN YOU DO?

About 80% of Insider Threat is accidental, non-malicious, unintentional risk

Training and Awareness

• New Employee Training

• Phishing simulations (KnowBe4, PhishMe and others)

• Social Engineering

• Results

• Should you tell your staff you are doing this?

• Online Courses

• Staff Meetings

• Cyber Champions?

Page 31

99% of attacks are successful because people fail to do the basics right!

• Up to date Anti-Virus

• Different and Changing Passwords

• Patches and Updates

• Switch on anti-spam and anti-phishing options in email

• Train staff and encourage them to be cyber savvy at work and at home.

• Make your cyber house more secure than your neighbor's cyber house.

• Treat information like a high value cash asset – because that is exactly what it is!

Page 32

Check that you have Distributed Denial of Service (DDoS) mitigation services in place, that they are regularly tested and that they work.

Watch out for potentially malicious attachments (such as macro-enabled MS Office docs) and talk about patching and updating hygiene to anyone who will listen.

Implement limiting, logging and monitoring of use. Watch out for large file transfers via USB, for example.

Have and enforce a formal procedure for disposing of anything that might contain sensitive data, and always have anything you are publishing checked and double checked.

Encrypt wherever possible and establish a corporate culture that frowns upon printing out sensitive data.

If you have web applications for customer use, encourage customers to vary their passwords and use two-factor authentication. Limit the amount of sensitive information stored in web-facing applications.

Hammer home to your teams — particularly in finance — that no one will request a payment via unauthorized processes, and that any new payee or change of bank details is verified by phone on a number already on file, never on one taken from the email. Also ask IT to mark external emails with an unmistakable stamp.

Page 33

HELPFUL RESOURCES AND INFO

Verizon 2017 Data Breach Investigations Report (DBIR)

http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

FutureLearn – Introduction to Cybersecurity

https://www.futurelearn.com/courses/introduction-to-cyber-security

EagleBank website – Cybersecurity and Fraud page

https://www.eaglebankcorp.com/cybersecurity-and-fraud/

TED Talks – Everyday Cybercrime and what you can do about it

http://www.ted.com/talks/james_lyne_everyday_cybercrime_and_what_you_can_do_about_it

BEC Brochure (hard copy and EagleBank Website)

https://www.eaglebankcorp.com/cybersecurity-and-fraud/

Social Engineering Red Flags (hard copy)

Subscriptions:

US-Cert https://www.us-cert.gov/

Brian Krebs (Cybersecurity Investigative Blogger) http://www.krebsonsecurity.com/

Page 34

HELPFUL RESOURCES AND INFO (CONTINUED)

Resources for SMBs

https://www.us-cert.gov/ccubedvp/smb

10 Steps to Cybersecurity

https://www.ncsc.gov.uk/guidance/10-steps-cyber-security

http://www.baesystems.com/en/cybersecurity/cyber-attacks-are-you-at-risk

NIST Cybersecurity Framework

https://www.nist.gov/cyberframework

ISO27001/2 Information Security Management

http://www.iso.org/iso/home/standards/management-standards/iso27001.htm

Center for Internet Security – Top 20 Critical Security Controls

https://www.cisecurity.org/critical-controls.cfm

Page 35

QUESTIONS AND ANSWERS

EagleBank Disclaimer - Reminder

Page 36