Cybersecurity Threats – What You Need to Know as an Insurance Professional and as a Consumer
Aurobindo Sundaram, VP IS Assurance & Data Protection, Reed Elsevier Inc.
November 2014
1 Security Leaders Summit Southeast
Agenda
» A Primer on Attacks
» Global Target Trends
» Global Attack Trends and Attacker Profiles
  » Custom malware and targeted social engineering
  » Indirect attacks (e.g. through third parties)
» An Example Attack
» Why Should Insurance Companies Care?
» Risk Mitigation
2 Attacks...
» "Hacking"
  » Basic MO is to get through your systems before you patch them (network, application, custom code).
  » Defend by equal parts luck, technology, and diligent process: expose as little as you can, detect/prevent obvious attacks, and deflect attacks.
» Denial of Service
  » Almost always nuisance value from a security perspective, less so from a loss-of-revenue perspective.
  » Consider denial of service protection services (if your firewalls/border routers/ISPs are not up to the task).
» Solid infrastructure should make both of these straightforward (but not easy!) to deal with.
3 Attacks...
» Phishing
  » More sophisticated than ever.
  » Spear phishing: targeting specific individuals (e.g. senior executives).
  » Phishing sites quickly adapt to clone changes on legitimate websites; some variants even pass the victim through to the legitimate website.
» Targeted Malware
  » Integrated with hacking and phishing attacks to create enduring weaknesses in infrastructure.
  » It is not just financial customers that are targeted; the web of compromise continues to expand.
  » Hard to detect; once infected, you're toast.
  » User education is critical.
  » Do newer tools (e.g. FireEye) help? Unclear.
4 Advanced Persistent Threats
» ... a group, such as a foreign government or organized crime, with the capability and intent to persistently and effectively target a specific entity.
» Social activism ("hacktivism")
» Threats targeting financial institutions (directly or indirectly)
» Threats targeting other firms housing personal information (legal, insurance, retail, etc.)
» Threats targeting infrastructure
» Tempting to say "If xxx can be hacked, what chance do I have?"
» Detection and response capabilities are key.
5 Global Target Trends
» Attempting to retrieve financial information on consumers (e.g. through hacks of credit card databases, cloning of cards, and evasion of fraud detection mechanisms).
» Attempting to retrieve personal information on consumers (HR, health, shopping, insurance/claims) to use in future perpetration of identity theft.
» Attempting to retrieve corporate secrets (attacking legal firms, investment banks, high technology firms) for national or individual gain.
» Attempting to compromise user systems and use them as DDoS bots against targets (usually multi-player gaming systems: Sony, XBox, LoL, etc.).
6 Attacker Profiles
» Generally resident in countries where rule of law is weak (Eastern Europe, West Africa, etc.).
» Use a complex set of intermediaries to avoid detection:
  » Attacking systems (bots, etc.)
  » Accessories (J1 visas, etc.)
» Use advanced technology and stealth measures to avoid detection:
  » Tor
  » Bitcoin
  » Custom malware (can spend weeks to months breaking into a corporation)
» But also use simple attack mechanisms:
  » Guessing of passwords
  » Simple phishing attacks and other social engineering
7 An Example Attack
» J1 Mule Operator: aka the mastermind. He orchestrates the entire crime and reaps most of its proceeds (along with co-conspirators).
» J1 Mule: foreign citizens that come to the US on J1 (exchange visitor) visas and then carry back currency to their home country.
» Runner: a go-between to receive money from a J1 mule and pass it on to a sender.
» Sender: a participant who retrieves funds to send to a foreign Receiver.
» Receiver: a foreign agent who receives funds from the crime to deliver to the J1 Mule Operator.
8 An Example Attack (diagram)
[Diagram: the attack flow, with the roles from the previous slide as nodes]
» (1) Online research; the J1 Mule Operator launches a phishing email at a User.
» (2) With the compromised ID, access the wealthy victim's information (Personal Records).
» (3) Victim's Banks.
» (4) Impersonate the victim to the Victim's Bank.
» Funds then move through the Runner, Senders, Receivers and J1 Mules.
9 An Example Criminal Enterprise Infrastructure (diagram)
10 Why Should Insurance Companies Care?
» You access, store, or process significant sensitive personal information (SSNs, DOBs, bank account information from quotes, claims, etc.).
» You're as tempting a target as a retail store, a public records company, a hospital...
» Some of you are also financial institutions or have links with them.
» You have thousands of agents and associates that access sensitive personal information, and any of them could be social engineered for their user credentials.
11 Risk Mitigation
How much risk do you want to mitigate and how much do you want to accept?
» Perimeter Protections
  » Firewalls with strict ingress/egress rules.
  » Web hygiene checking (i.e. dynamic URL blocking).
  » Intrusion detection/prevention systems.
  » Penetration testing.
» Host Protections
  » Current anti-virus with updates (brand is not important).
  » Patch management program.
» Application Protections
  » Authentication enhancements (e.g. strong passwords, multi-factor authentication).
  » Web application security scans.
» Other
  » User need for access to services.
  » Instrumentation and monitoring of outbound traffic (particularly web): fraud detection, data leakage protection, correlation analysis.
  » Logging and monitoring of network, application, and host traffic.
  » User education (social engineering prevention, etc.).
  » Document your Information Security Program.
» Optional / Buy with care
  » Specialized monitoring (e.g. botnet detectors).
  » Denial of service protection devices.
* Use standards such as ISO 27002:2013 to determine the technical controls you need.
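One way to put the slide's "instrumentation and monitoring of outbound traffic" and "correlation analysis" into practice, as an added example that is not part of the presentation: a small detector run over constructed proxy-style log lines that flags fixed-interval connections from one user to one host (the shape of implanted malware phoning home) and unusually large single uploads (a crude data-leakage check). The log format, user names and host names are invented for the example; a real deployment would parse the organisation's own proxy log format and tune the thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample lines in a made-up format: "<ISO timestamp> <user> <dest host> <bytes out>".
# agent17 contacts one host every 5 minutes with a tiny payload (beacon-like);
# agent42 browses normally, then pushes 50 MiB to an outside host (leak-like).
SAMPLE_LOG = """\
2014-11-03T09:00:00 agent17 mail.example.com 812
2014-11-03T09:05:00 agent17 cdn-updates.example.net 302
2014-11-03T09:10:00 agent17 cdn-updates.example.net 298
2014-11-03T09:15:00 agent17 cdn-updates.example.net 305
2014-11-03T09:20:00 agent17 cdn-updates.example.net 301
2014-11-03T09:25:00 agent17 cdn-updates.example.net 299
2014-11-03T09:07:12 agent42 news.example.org 2048
2014-11-03T09:31:40 agent42 news.example.org 1900
2014-11-03T10:02:05 agent42 filedrop.example.com 52428800
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse(log):
    """Turn log text into (timestamp, user, host, bytes_out) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, host, nbytes = m.groups()
            events.append((datetime.fromisoformat(ts), user, host, int(nbytes)))
    return events

def find_beacons(events, min_hits=5, max_jitter_s=30):
    """Flag (user, host) pairs contacted at near-constant intervals; returns (user, host, mean gap in s)."""
    by_pair = defaultdict(list)
    for ts, user, host, _ in events:
        by_pair[(user, host)].append(ts)
    flagged = []
    for (user, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:  # low jitter = machine-driven, not a person browsing
            flagged.append((user, host, round(sum(gaps) / len(gaps))))
    return flagged

def find_bulk_uploads(events, threshold_bytes=10 * 1024 * 1024):
    """Flag single outbound transfers at or above the threshold, a crude data-leakage check."""
    return [(user, host, n) for _, user, host, n in events if n >= threshold_bytes]
```

Both checks are deliberately simple; in practice they are most useful as inputs to correlation with the host and application logs the slide also recommends collecting.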
12 Contact Information
Presenter contact information: Aurobindo Sundaram, VP Information Assurance & Data Protection
email@example.com
+1-678-694-3663