Best Practices for Avoiding Getting Speared Like a Phish


Thoughts from in-house
Erik M. Feig, General Counsel, MRIS
ACC NCR Small Law Department Initiative, May 2016
Erik.feig@mris.net
2016 MRIS

PANELISTS
Erik Feig, General Counsel, MRIS
Michael Dombrowski, Cybersecurity Leader, BDO
Randy V. Sabett, J.D., CISSP, Vice Chair, Privacy & Data Protection Practice Group, Cooley LLP

PHISHING OVERVIEW

THREATS
Build & maintain cybersecurity against the threats below:
- State sponsored
- Organized crime
- Insiders
- Targeted hacking
- Malware
- Phishing
- Vulnerability

TYPES OF PHISHING
1. Phishing
2. Spear phishing
3. Clone phishing
4. Whale phishing

SPEAR PHISHING is a targeted email sent to an individual that looks as if it comes from a person or business the recipient knows. Common target types:
- Victim segmentation
- Email personalization
- Sender impersonation
- Zero-day vulnerabilities

SPEAR PHISHING GOALS
- Acquire PII
- Acquire account information
- Steal money
- Install malware

SPEAR PHISHING DESIGN (where the attacker gathers material for the lure)
- Mining social networks (Facebook, LinkedIn, etc.)
- Blogs
- Company website
- Malware

ANATOMY OF AN ATTACK

GONE PHISHIN'
- In 2015, spear-phishing campaigns increased 55%.
- 91% of cyber-attacks start with a spear-phishing e-mail.
- 94% of targeted e-mails try to scam the potential victim through malicious attachments, while only 6% use links.
- 2 out of every 1,000 targets fall for spear phishing attacks.
- 70% of spear phishing emails get opened, compared to 3% for normal phishing attacks.

HOW TO PROTECT AND DETECT

HOW TO PROTECT & DETECT
- Training & awareness
- Phishing filters for browsers
- Check links before clicking
- Validate email with the known sender via a separate email
- Monitoring solutions

HOW TO DETECT: validate before clicking / hover over the link

HOW TO DETECT: VALIDATE PRIOR TO WIRING
Sample spear phishing email:

"Tessa,
I need you to facilitate a wire transfer for a payment, let me know if you're available and i will forward the details for the payment. I'll wait for your email.
Thanks
Mason"
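The two detection habits the slides recommend, hovering over a link to compare the address shown with the address it really points to and checking that a familiar sender name actually comes from the expected domain, can be automated on the mail gateway. The script below is an added example written for this page, not code from the MRIS/ACC deck or its panelists; the company domain, the known-contacts table and the sample message are constructed, and the wire-transfer lure is modelled on the one above.

```python
# Added example (not from the slide deck): automate "hover over the link" and
# sender-impersonation checks on a raw email. All names/domains are assumptions.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-corp.test"                # hypothetical company domain
KNOWN_CONTACTS = {"mason": "example-corp.test"}     # first name -> expected sending domain (assumed)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs: the two things a user sees when hovering."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, tolerating bare 'www.example' text without a scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def deceptive_links(html):
    """Anchors whose visible text looks like a URL but whose href points at another host."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        if re.match(r"^(https?://|www\.)", text, re.I) and _host(text) != _host(href):
            findings.append({"shown": text, "actual": href})
    return findings


def impersonated_sender(from_header):
    """Flag a From: whose display name matches a known contact but whose domain does not."""
    name, addr = parseaddr(from_header)
    first = name.strip().split(" ")[0].lower() if name else ""
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    expected = KNOWN_CONTACTS.get(first)
    if expected and domain != expected:
        return {"name": name, "address": addr, "expected_domain": expected}
    return None


def triage(raw_message):
    """Run both checks over one RFC 822 message and return the findings."""
    msg = message_from_string(raw_message)
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, errors="replace")
    return {"sender": impersonated_sender(msg.get("From", "")), "links": deceptive_links(html)}


# Constructed sample: a lookalike sender and a link whose text hides its real host.
SAMPLE = """From: Mason <mason@mail-example.test>
To: tessa@example-corp.test
Subject: Wire transfer
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Tessa, I need you to facilitate a wire transfer for a payment. Details:
<a href="http://example-corp.test.payments.invalid/wire">https://example-corp.test/finance</a></p>
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, `triage` reports the sender (name "Mason" but domain mail-example.test instead of example-corp.test) and the one link whose displayed text says example-corp.test while the real target is under payments.invalid. A message from the genuine contact with links whose text and target agree produces no findings, so the checks can gate a "verify by separate channel before wiring" workflow rather than block mail outright.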

SAMPLE SOCIAL ENGINEERING REVIEW (PROTECT AND DETECT)
1. Work with the Company to select and design a social engineering email campaign.
2. Configure the email solution and build the email content (e.g., spoofing the Company IT support site).
3. Perform the email campaign and track results.
4. Validate the information obtained via the social engineering email campaign.

Social Engineering -> Phishing -> Credentials -> Access

LEGAL HAS A ROLE AT EACH STAGE
- Preparing
- Responding
- Assessing
- Learning
- Improving

ENTERPRISE ATTENTION
- Costs and insurance
- Understand the threats and tools
- Assess the risks
- Privilege communication
- Active stakeholder involvement is key
- Assess the potential benefits
- Engage staff, management, and BOD
- Education and training
- Policies and procedures
- Assemble the team
- Think broadly!

Time to Compromise and Exfiltration (chart: 98.6%) Verizon, 2016 Data Breach Investigations Report

Time to Compromise vs. Time to Discovery (chart) Verizon, 2016 Data Breach Investigations Report

[Chart: complete set of timespans, 2012; values shown 82%, 85%, 98.6%]

RECOMMENDATIONS
What should the management team, board of directors, and security function be focused on when deploying a security program?
1. Create a governance structure
2. Research threats
3. Prioritize information assets
4. Perform a risk analysis
5. Create a security protection plan tied to a technology acquisition strategy
6. Engage third parties appropriately (legal, technical, procedural)
7. Request regular updates and adjust accordingly
8. Test the response plan
9. Maintain appropriate insurance coverage
10. Provide regular cybersecurity training for employees, vendors, and other third parties
11. Stay informed: learn, learn, learn (including the RAND report from 1964)

Paul Baran, "On Distributed Communications," RAND Corporation, 1964:

"[T]he present Memorandum is a consideration of the security aspects of a system of the type proposed, in which secrecy is of paramount importance [and where] we should fully anticipate the existence of 'spies' within our ostensibly secure communications secrecy protection structure; hence our primary interest should be in raising the 'price' of espied information to a level which becomes excessive."

WRAP UP: Thoughts and Questions?

THANK YOU
Erik Feig, Erik.Feig@mris.net
Randy V. Sabett, J.D., CISSP, rsabett@cooley.com
Michael Dombrowski, mdombrowski@bdo.com