Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cybersecurity Threats – What You Need to Know as an Insurance Professional and as a Consumer Aurobindo Sundaram VP IS Assurance & Data Protection, Reed.

Published byClaud Preston Modified over 9 years ago

Similar presentations

Presentation on theme: "Cybersecurity Threats – What You Need to Know as an Insurance Professional and as a Consumer Aurobindo Sundaram VP IS Assurance & Data Protection, Reed."— Presentation transcript:

1 Cybersecurity Threats – What You Need to Know as an Insurance Professional and as a Consumer Aurobindo Sundaram VP IS Assurance & Data Protection, Reed Elsevier Inc. November 2014

2 1 Security Leaders Summit Southeast Agenda A Primer on Attacks Global Target Trends Global Attack Trends and Attacker Profiles » Custom malware and targeted social engineering » Indirect attacks (e.g. through third parties) An Example Attack Why Should Insurance Companies Care? Risk Mitigation

3 2 Security Leaders Summit Southeast Attacks... “Hacking” Basic MO is to get through your systems before you patch them (network, application, custom code). Defend by equal parts luck, technology, and diligent process. Expose as little as you can, detect/prevent obvious attacks, and deflect attacks. Denial of Service Almost always nuisance value from security perspective, less so from a loss of revenue perspective. Consider denial of service protection services (if your firewalls/border routers/ISPs are not up to the task) Solid infrastructure should make both of these straightforward (but not easy!) to deal with

4 3 Security Leaders Summit Southeast Attacks... Phishing More sophisticated than ever Spear phishing - Targeting specific individuals (e.g. senior executives) Quickly adapt to clone changes on legitimate websites Some variants even pass through to legitimate website Targeted Malware Integrated with hacking and phishing attacks to create enduring weaknesses in infrastructure Not just financial customers that are targeted – web of compromise continues to expand. Hard to detect; once infected, you’re toast. User education is critical Do newer tools (e.g. FireEye) help? Unclear.

5 4 Security Leaders Summit Southeast Advanced Persistent Threats … a group, such as a foreign government or organized crime, with the capability and intent to persistently and effectively target a specific entity Social activism (“hacktivism”) Threats targeting financial institutions (directly or indirectly) Threats targeting other firms housing personal information (Legal, Insurance, Retail, etc.) Threats targeting infrastructure Tempting to say “If xxx can be hacked, what chance do I have?” Detection and response capabilities are key

6 5 Security Leaders Summit Southeast Global Target Trends Attempting to retrieve financial information on consumers (e.g. through hacks of credit card databases; cloning of cards; and evasion of fraud detection mechanisms). Attempting to retrieve personal information on consumers (HR, health, shopping, insurance/claims) to use in future perpetration of identity theft. Attempting to retrieve corporate secrets (attacking legal firms, investment banks, high technology firms) for national or individual gain. Attempting to compromise user systems and use them as DDoS bots against targets (usually multi-player gaming systems – Sony, XBox, LoL, etc.).

7 6 Security Leaders Summit Southeast Attacker Profiles Generally resident in countries where Rule of Law is weak (Eastern Europe, West Africa, etc.) Use a complex set of intermediaries to avoid detection Attacking systems (bots, etc.) Accessories (J1 visas, etc.) Use advanced technology and stealth measures to avoid detection Tor Bitcoin Custom malware (Can spend weeks to months breaking into a corporation) But also use simple attack mechanisms Guessing of passwords Simple phishing attacks and other social engineering

8 7 Security Leaders Summit Southeast An Example Attack J1 Mule Operator Aka the mastermind. He orchestrates the entire crime and reaps most of its proceeds (along with co-conspirators). J1 Mule Foreign citizens that come to the US on J1 (exchange visitor) visas and then carry back currency to their home country. Runner A go-between to receive money from a J1 mule and pass it on to a sender. Sender A participant who retrieves funds to send to a foreign Receiver. Receiver A foreign agent who receives funds from the crime to deliver to the J1 Mule Operator.

9 8 Security Leaders Summit Southeast An Example Attack J1 Mule Operator (1) Online Research User Launch phishing email With compromised ID, access wealthy victim’s information (2) Personal Records Runner Senders Receivers Impersonate (4) victim Victim’s Bank (3) Victim’s Banks J1 Mule J1 Mules

10 9 Security Leaders Summit Southeast An Example Criminal Enterprise Infrastructure

11 10 Security Leaders Summit Southeast Why Should Insurance Companies Care? You access, store, or process significant sensitive personal information (SSNs, DOBs, bank account information from quotes, claims, etc.). You’re as tempting a target as – a retail store, a public records company, a hospital... Some of you are also financial institutions or have links with them. You have thousands of agents and associates that access sensitive personal information, and any of them could be social engineered for their user credentials.

12 11 Security Leaders Summit Southeast Risk Mitigation How much risk do you want to mitigate and how much do you want to accept? Perimeter Protections Firewalls with strict ingress/egress rules. Web hygiene checking (i.e. dynamic URL blocking). Intrusion detection/prevention systems. Penetration testing. Host Protections Current anti-virus with updates (brand is not important). Patch management program. Application Protections Authentication enhancements (e.g. strong passwords, multi-factor authentication). Web application security scans. Other User need for access to services. Instrumentation and monitoring of outbound traffic (particularly web) – fraud detection, data leakage protection, correlation analysis. Logging and monitoring of network, application, and host traffic. User education (social engineering prevention, etc.). Document your Information Security Program. Optional / Buy with care Specialized monitoring (e.g. botnet detectors). Denial of service protection devices. * Use standards such as ISO 27002:2013 to determine the technical controls you need.

13 12 Security Leaders Summit Southeast Contact Information Presenter Contact information Aurobindo Sundaram, VP Information Assurance & Data Protection aurobindo.sundaram@lexisnexis.com +1-678-694-3663

Download ppt "Cybersecurity Threats – What You Need to Know as an Insurance Professional and as a Consumer Aurobindo Sundaram VP IS Assurance & Data Protection, Reed."

Similar presentations

K-State IT Security Training Ken Stafford CIO and Vice Provost for IT Services Harvard Townsend Chief Information Security Officer

K-State IT Security Training Ken Stafford CIO and Vice Provost for IT Services Harvard Townsend Chief Information Security Officer
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
A Software Keylogger Attack By Daniel Shapiro. Social Engineering Users follow “spoofed” emails to counterfeit sites Users “give up” personal financial.

A Software Keylogger Attack By Daniel Shapiro. Social Engineering Users follow “spoofed” s to counterfeit sites Users “give up” personal financial.
The Third International Forum on Financial Consumer Protection & Education “Fostering Greater Consumer Protection & Education” Preventing Identity Theft.

The Third International Forum on Financial Consumer Protection & Education “Fostering Greater Consumer Protection & Education” Preventing Identity Theft.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
Deter, Detect, Defend: The FTC’s Program on Identity Theft.

Deter, Detect, Defend: The FTC’s Program on Identity Theft.
Fraud, Scams and ID Theft …oh my! Deb Ramsay ESD 101 Chief Information Officer Technology Division.

Fraud, Scams and ID Theft …oh my! Deb Ramsay ESD 101 Chief Information Officer Technology Division.
© 2014 wheresjenny.com Cyber crime CYBER CRIME. © 2014 wheresjenny.com Cyber crime Vocabulary Defacement : An attack on a website that changes the visual.

© 2014 wheresjenny.com Cyber crime CYBER CRIME. © 2014 wheresjenny.com Cyber crime Vocabulary Defacement : An attack on a website that changes the visual.
Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.

Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.
By Ashlee Parton, Kimmy McCoy, & Labdhi Shah

By Ashlee Parton, Kimmy McCoy, & Labdhi Shah
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.

The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Chapter 1 Introduction to Security

Chapter 1 Introduction to Security
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Security Awareness Challenges of Security No single simple solution to protecting computers and securing information Different types of attacks Difficulties.

Security Awareness Challenges of Security No single simple solution to protecting computers and securing information Different types of attacks Difficulties.
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer
Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.

Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.
Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.

Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.
COMPUTER CRIME AND TYPES OF CRIME Prepared by: NURUL FATIHAH BT ANAS.

COMPUTER CRIME AND TYPES OF CRIME Prepared by: NURUL FATIHAH BT ANAS.

Similar presentations

Ads by Google