Best Practices for Avoiding Getting Speared Like a Phish
Thoughts from in-house, 2016
Erik M. Feig, General Counsel, MRIS
ACC NCR Small Law Department Initiative, May 2016
Erik.feig@mris.net

PANELISTS
Erik Feig, General Counsel, MRIS
Michael Dombrowski, Cybersecurity Leader, BDO
Randy V. Sabett, J.D., CISSP, Vice Chair, Privacy & Data Protection Practice Group, Cooley LLP
PHISHING OVERVIEW

THREATS
Threat actors: state sponsored, organized crime, insiders
Attack methods: malware, phishing, targeted hacking, vulnerability exploitation

TYPES OF PHISHING
1. Phishing
2. Spear phishing
3. Clone phishing
4. Whale phishing
SPEAR PHISHING is a targeted email sent to an individual that appears to come from a person or business the recipient knows. Common elements of an attack: victim segmentation, email personalization, sender impersonation, zero-day vulnerabilities.

SPEAR PHISHING GOALS
- Acquire PII
- Acquire account information
- Steal money
- Install malware

SPEAR PHISHING DESIGN (where the attacker gathers the details that make the email convincing)
- Mining social networks (Facebook, LinkedIn, etc.)
- Blogs
- Company website
- Malware

ANATOMY OF AN ATTACK
GONE PHISHIN'
- In 2015, spear-phishing campaigns increased 55%
- 91% of cyber-attacks start with a spear phishing e-mail
- 94% of targeted e-mails try to compromise the victim through malicious attachments; only 6% use links
- 2 out of every 1,000 targets fall for spear phishing attacks
- 70% of spear phishing emails get opened, compared to 3% for normal phishing emails
HOW TO PROTECT AND DETECT
- Training and awareness
- Phishing filters for browsers
- Check links before clicking
- Validate the email with the known sender via a separate channel (a new email, not a reply, or a phone call)
- Monitoring solutions
HOW TO DETECT: VALIDATE BEFORE CLICKING
Hover over the link so the mail client shows the real destination. If the text you see and the URL you are actually sent to do not match, do not click.

VALIDATE PRIOR TO WIRING
Sample spear phishing message:

Tessa,
I need you to facilitate a wire transfer for a payment, let me know if you're available and I will forward the details for the payment. I'll wait for your email.
Thanks
Mason
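The hover check and the wire-transfer lure above are both things a mail gateway or a help-desk triage script can test mechanically. The following is an added example, not code from the deck or from any of the panelists' firms: it parses a raw message and reports four red flags drawn from the slides (an executive's display name on an external address, a Reply-To that diverts replies elsewhere, link text whose host differs from the real href, and payment language from outside the company). The internal domain `corp.example`, the executive directory, and the sample lure itself are all constructed for the example.

```python
"""Added example (not part of the MRIS deck): automate the 'hover over the link'
and 'validate prior to wiring' checks against a raw RFC 822 message.
All names, domains and the sample message are constructed."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed organisation facts (hypothetical): our own mail domain and the
# executives whose names are most likely to be borrowed by a wire-fraud lure.
INTERNAL_DOMAINS = {"corp.example"}
KNOWN_EXECUTIVES = {"mason hart": "mason.hart@corp.example"}
PAYMENT_TERMS = ("wire transfer", "wire", "payment", "invoice")

# Constructed lure modelled on the deck's "Tessa / Mason" example.
SAMPLE_LURE = """\
From: "Mason Hart" <mason.hart@corp-mail-service.example>
Reply-To: mason.hart.ceo@freemail.example
To: tessa@corp.example
Subject: Quick favor
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Tessa,</p>
<p>I need you to facilitate a wire transfer for a payment. Confirm you are
available here: <a href="http://203.0.113.7/login">https://portal.corp.example/login</a></p>
<p>Thanks<br>Mason</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what a hover reveals vs what the eye sees."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Return a list of (finding, detail) tuples; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)

    # 1. Display name of a known executive, but the address is not that executive's.
    expected = KNOWN_EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(("display_name_impersonation", f"{name!r} sent from {addr}"))

    # 2. A Reply-To on another domain silently diverts the victim's reply.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_dom:
        findings.append(("reply_to_mismatch", f"Reply-To {reply} vs From {addr}"))

    # 3. Link text shows one host while the href goes to another (the hover check).
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host != real_host:
            findings.append(("link_mismatch", f"shows {shown_host}, goes to {real_host}"))

    # 4. Payment language from outside the company: verify out of band before acting.
    lowered = text.lower()
    if from_dom not in INTERNAL_DOMAINS and any(t in lowered for t in PAYMENT_TERMS):
        findings.append(("payment_request_external", "confirm by phone with the known sender"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_LURE):
        print(f"{kind}: {detail}")
```

Run stand-alone it prints all four findings for the constructed lure. The fourth rule is deliberately a "stop and verify" signal rather than a block: the deck's advice is to confirm with the real sender through a separate channel, which no filter can do for you.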
SAMPLE SOCIAL ENGINEERING REVIEW
1. Work with the Company to select and design a social engineering email campaign
2. Configure the email solution and build the email content (e.g., spoofing the Company IT support site)
3. Perform the email campaign and track results
4. Validate the information obtained via the social engineering email campaign

Social Engineering -> Phishing -> Credentials -> Access

LEGAL HAS A ROLE AT EACH STAGE
- Preparing
- Responding
- Assessing
- Learning
- Improving
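Step 3, tracking results, is where sanctioned campaigns most often go wrong: if the per-recipient identifier in the lure can be guessed or tampered with, the open and click numbers reported to management are not trustworthy. The following is an added example of the tracking side only, not the deck's or BDO's tooling: each recipient gets an HMAC-derived token bound to a per-campaign key, the landing page's access log is tallied into open, click and credential-submission rates, and lines with unknown tokens (scanner noise, forgeries) are counted separately. The campaign key, the lookalike host, the recipients and the log lines are all constructed.

```python
"""Added example (not the deck's or BDO's tooling): token issuance and result
tallying for a sanctioned phishing simulation. Every key, host, address and
log line below is constructed for the example."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

CAMPAIGN_KEY = b"per-campaign-secret-rotate-me"   # assumption: fresh random key per campaign
LANDING_HOST = "https://it-helpdesk-support.example"  # hypothetical lookalike of the IT support site


def token_for(recipient):
    """HMAC of the address: a token in the log proves which recipient it was issued to,
    and a guessed or edited token will not map back to anyone."""
    mac = hmac.new(CAMPAIGN_KEY, recipient.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def lure_url(recipient, path="/reset"):
    """The link that goes into the recipient's email."""
    return f"{LANDING_HOST}{path}?{urlencode({'t': token_for(recipient)})}"


LOG_RE = re.compile(r'"(?P<method>GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def classify(method, target):
    """Map a request to a campaign stage, or None if it is not campaign traffic."""
    path = urlparse(target).path
    if method == "GET" and path == "/open.gif":
        return "opened"       # tracking image fetched by the mail client
    if method == "GET" and path == "/reset":
        return "clicked"      # recipient followed the lure link
    if method == "POST" and path == "/reset":
        return "submitted"    # recipient typed credentials into the fake page
    return None


def tally(recipients, log_lines):
    """Return per-stage rates over the target population plus the number of ignored lines."""
    by_token = {token_for(r): r for r in recipients}
    hits = {"opened": set(), "clicked": set(), "submitted": set()}
    ignored = 0
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            ignored += 1
            continue
        stage = classify(m["method"], m["target"])
        token = parse_qs(urlparse(m["target"]).query).get("t", [None])[0]
        who = by_token.get(token)
        if stage is None or who is None:
            ignored += 1      # scanner noise, a forged token, or a non-campaign URL
            continue
        hits[stage].add(who)
    # A submission implies a click, and a click implies the mail was read, even if
    # the tracking image was blocked by the mail client.
    hits["clicked"] |= hits["submitted"]
    hits["opened"] |= hits["clicked"]
    n = len(recipients)
    rates = {stage: round(len(s) / n, 3) for stage, s in hits.items()}
    rates["ignored_lines"] = ignored
    return rates


# Constructed recipients and a constructed access log for the landing page.
RECIPIENTS = ["tessa@corp.example", "mason@corp.example", "dana@corp.example", "lee@corp.example"]
ACCESS_LOG = [
    f'198.51.100.4 - - [10/May/2016:09:12:01 +0000] "GET /open.gif?t={token_for("tessa@corp.example")} HTTP/1.1" 200 43',
    f'198.51.100.4 - - [10/May/2016:09:12:30 +0000] "GET /reset?t={token_for("tessa@corp.example")} HTTP/1.1" 200 1822',
    f'198.51.100.4 - - [10/May/2016:09:13:02 +0000] "POST /reset?t={token_for("tessa@corp.example")} HTTP/1.1" 302 0',
    f'198.51.100.9 - - [10/May/2016:09:40:11 +0000] "GET /reset?t={token_for("dana@corp.example")} HTTP/1.1" 200 1822',
    '203.0.113.77 - - [10/May/2016:10:01:45 +0000] "GET /reset?t=0000000000000000 HTTP/1.1" 200 1822',
    '203.0.113.77 - - [10/May/2016:10:01:46 +0000] "GET /wp-login.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(lure_url("tessa@corp.example"))
    print(tally(RECIPIENTS, ACCESS_LOG))
```

Reported this way, the numbers answer the questions the slides care about (how many opened, how many clicked, how many would have handed over credentials) without storing anything about the recipient on the landing page beyond the token, and step 4's validation becomes a matter of mapping tokens back to the recipient list the Company approved.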
ENTERPRISE ATTENTION
- Costs and insurance
- Understand the threats and tools
- Assess the risks
- Privileged communication
- Active stakeholder involvement is key
- Assess the potential benefits
- Engage staff, management, and the BOD
- Education and training
- Policies and procedures
- Assemble the team
- Think broadly!
[Figure: Time to Compromise and Exfiltration; highlighted value 98.6%. Source: Verizon, 2016 Data Breach Investigations Report]
[Figure: Time to Compromise vs. Time to Discovery. Source: Verizon, 2016 Data Breach Investigations Report]
[Figure: Complete set of timespans, 2012 onward; values shown on the slide: 82%, 85%, 98.6%]
RECOMMENDATIONS
What should the management team, board of directors, and security function be focused on when deploying a security program?
1. Create a governance structure
2. Research threats
3. Prioritize information assets
4. Perform a risk analysis
5. Create a security protection plan tied to a technology acquisition strategy
6. Engage third parties appropriately (legal, technical, procedural)
7. Request regular updates and adjust accordingly
8. Test the response plan
9. Maintain appropriate insurance coverage
10. Provide regular cybersecurity training for employees, vendors, and other third parties
11. Stay informed: learn, learn, learn (including the RAND report from 1964)

Paul Baran, On Distributed Communications, RAND Corporation, 1964:
"[t]he present Memorandum is a consideration of the security aspects of a system of the type proposed, in which secrecy is of paramount importance [and where] we should fully anticipate the existence of 'spies' within our ostensibly secure communications secrecy protection structure; hence our primary interest should be in raising the 'price' of espied information to a level which becomes excessive."

WRAP UP
Thoughts and questions?
THANK YOU
Erik Feig, Erik.Feig@mris.net
Randy V. Sabett, J.D., CISSP, rsabett@cooley.com
Michael Dombrowski, mdombrowski@bdo.com