Cybersecurity Threats – What You Need to Know as an Insurance Professional and as a Consumer Aurobindo Sundaram VP IS Assurance & Data Protection, Reed.

Presentation transcript:

Cybersecurity Threats – What You Need to Know as an Insurance Professional and as a Consumer Aurobindo Sundaram VP IS Assurance & Data Protection, Reed Elsevier Inc. November 2014

1 Security Leaders Summit Southeast
Agenda
A Primer on Attacks
Global Target Trends
Global Attack Trends and Attacker Profiles
  » Custom malware and targeted social engineering
  » Indirect attacks (e.g. through third parties)
An Example Attack
Why Should Insurance Companies Care?
Risk Mitigation

2 Attacks...
“Hacking”
  » Basic MO is to get through your systems before you patch them (network, application, custom code).
  » Defend by equal parts luck, technology, and diligent process.
  » Expose as little as you can, detect/prevent obvious attacks, and deflect attacks.
Denial of Service
  » Almost always nuisance value from a security perspective, less so from a loss-of-revenue perspective.
  » Consider denial of service protection services (if your firewalls/border routers/ISPs are not up to the task).
Solid infrastructure should make both of these straightforward (but not easy!) to deal with.

3 Attacks...
Phishing
  » More sophisticated than ever
  » Spear phishing: targeting specific individuals (e.g. senior executives)
  » Quickly adapt to clone changes on legitimate websites
  » Some variants even pass through to the legitimate website
Targeted Malware
  » Integrated with hacking and phishing attacks to create enduring weaknesses in infrastructure
  » Not just financial customers are targeted; the web of compromise continues to expand.
  » Hard to detect; once infected, you’re toast.
  » User education is critical
  » Do newer tools (e.g. FireEye) help? Unclear.
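The cloned and lookalike sites the slide describes usually show up in the web proxy log before the user types anything into them, so a cheap control is to compare every outbound hostname against the organisation's own domains. The script below is an added example for this transcript, not code from the presentation or from Reed Elsevier: the protected domains, the confusable-character table, the edit-distance threshold and the proxy log lines are all constructed for illustration. It flags three patterns: character substitution (examp1ebank), transposition (exampel...), and the brand name buried in a subdomain of an unrelated registrable domain.

```python
"""Flag outbound web requests whose hostname imitates one of our own domains.
Added example; domains, confusables, thresholds and log lines are constructed."""
from urllib.parse import urlsplit

# Constructed: the legitimate domains the firm and its customers use.
PROTECTED_DOMAINS = ["examplebank.com", "exampleinsure.com"]

# Constructed: character sequences attackers swap because they look alike.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}

MAX_DISTANCE = 2  # registrable domains this close to ours are treated as lookalikes


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_confusables(host):
    """Replace look-alike sequences so 'examp1ebank' compares as 'examplebank'."""
    for bad, good in CONFUSABLES.items():
        host = host.replace(bad, good)
    return host


def registrable(host):
    """Crude eTLD+1: the last two labels. Adequate for .com-style domains;
    a production version would consult the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_host(host):
    """Return (verdict, matched_domain); verdict is 'legit', 'lookalike' or 'unrelated'."""
    raw = host.lower()
    if raw.startswith("www."):
        raw = raw[4:]
    # Exact match on the unmodified registrable domain is the only way to be 'legit';
    # folding happens afterwards so a substituted character cannot earn that verdict.
    base_raw = registrable(raw)
    if base_raw in PROTECTED_DOMAINS:
        return ("legit", base_raw)
    norm = fold_confusables(raw)
    base = registrable(norm)
    for d in PROTECTED_DOMAINS:
        brand = d.split(".")[0]
        # Brand used as a label outside the registrable domain, e.g. brand.com.evil.net
        brand_in_subdomain = brand in norm.split(".")[:-2]
        if brand_in_subdomain or levenshtein(base, d) <= MAX_DISTANCE:
            return ("lookalike", d)
    return ("unrelated", None)


# Constructed proxy log lines: "<timestamp> <user> <url>"
SAMPLE_PROXY_LOG = """\
2014-11-03T09:12:01 agent17 https://secure.examplebank.com/login
2014-11-03T09:15:44 agent17 https://www.examp1ebank.com/login
2014-11-03T09:16:02 agent22 http://examplebank.com.account-verify.net/reset
2014-11-03T09:20:13 agent05 https://news.example.org/story
2014-11-03T09:21:50 agent09 https://exampelinsure.com/claims
"""


def scan_proxy_log(text):
    """Return [(user, host, imitated_domain)] for every lookalike request."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, user, url = line.split(maxsplit=2)
        host = urlsplit(url).hostname or ""
        verdict, matched = classify_host(host)
        if verdict == "lookalike":
            hits.append((user, host, matched))
    return hits


if __name__ == "__main__":
    for user, host, target in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{user} visited {host} which imitates {target}")
```

In practice the hit list feeds the dynamic URL blocking the later slide mentions, and the users named in it are the ones to contact about a possible credential reset; a hit is a lead, not proof of compromise, because legitimate third parties sometimes register brand-bearing subdomains.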

4 Advanced Persistent Threats
… a group, such as a foreign government or organized crime, with the capability and intent to persistently and effectively target a specific entity
  » Social activism (“hacktivism”)
  » Threats targeting financial institutions (directly or indirectly)
  » Threats targeting other firms housing personal information (Legal, Insurance, Retail, etc.)
  » Threats targeting infrastructure
Tempting to say “If xxx can be hacked, what chance do I have?”
Detection and response capabilities are key

5 Global Target Trends
  » Attempting to retrieve financial information on consumers (e.g. through hacks of credit card databases, cloning of cards, and evasion of fraud detection mechanisms).
  » Attempting to retrieve personal information on consumers (HR, health, shopping, insurance/claims) to use in future perpetration of identity theft.
  » Attempting to retrieve corporate secrets (attacking legal firms, investment banks, high technology firms) for national or individual gain.
  » Attempting to compromise user systems and use them as DDoS bots against targets (usually multi-player gaming systems – Sony, XBox, LoL, etc.).

6 Attacker Profiles
Generally resident in countries where Rule of Law is weak (Eastern Europe, West Africa, etc.)
Use a complex set of intermediaries to avoid detection
  » Attacking systems (bots, etc.)
  » Accessories (J1 visas, etc.)
Use advanced technology and stealth measures to avoid detection
  » Tor
  » Bitcoin
  » Custom malware (can spend weeks to months breaking into a corporation)
But also use simple attack mechanisms
  » Guessing of passwords
  » Simple phishing attacks and other social engineering

7 An Example Attack
J1 Mule Operator: aka the mastermind. He orchestrates the entire crime and reaps most of its proceeds (along with co-conspirators).
J1 Mule: foreign citizens who come to the US on J1 (exchange visitor) visas and then carry currency back to their home country.
Runner: a go-between who receives money from a J1 mule and passes it on to a sender.
Sender: a participant who retrieves funds to send to a foreign receiver.
Receiver: a foreign agent who receives funds from the crime to deliver to the J1 Mule Operator.

8 An Example Attack (flow diagram; only the labels survive)
Participants shown: J1 Mule Operator, User, Runner, Senders, Receivers, J1 Mules, Victim’s Banks
(1) Online research on the user; launch phishing; with the compromised ID, access the wealthy victim’s information
(2) Personal records
(3) Victim’s bank
(4) Impersonate the victim

9 An Example Criminal Enterprise Infrastructure

10 Why Should Insurance Companies Care?
  » You access, store, or process significant sensitive personal information (SSNs, DOBs, bank account information from quotes, claims, etc.).
  » You’re as tempting a target as a retail store, a public records company, a hospital...
  » Some of you are also financial institutions or have links with them.
  » You have thousands of agents and associates that access sensitive personal information, and any of them could be social engineered for their user credentials.

11 Risk Mitigation
How much risk do you want to mitigate and how much do you want to accept?
Perimeter Protections
  » Firewalls with strict ingress/egress rules.
  » Web hygiene checking (i.e. dynamic URL blocking).
  » Intrusion detection/prevention systems.
  » Penetration testing.
Host Protections
  » Current anti-virus with updates (brand is not important).
  » Patch management program.
Application Protections
  » Authentication enhancements (e.g. strong passwords, multi-factor authentication).
  » Web application security scans.
Other
  » User need for access to services.
  » Instrumentation and monitoring of outbound traffic (particularly web) – fraud detection, data leakage protection, correlation analysis.
  » Logging and monitoring of network, application, and host traffic.
  » User education (social engineering prevention, etc.).
  » Document your Information Security Program.
Optional / Buy with care
  » Specialized monitoring (e.g. botnet detectors).
  » Denial of service protection devices.
* Use standards such as ISO 27002:2013 to determine the technical controls you need.
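The "logging and monitoring", "instrumentation of outbound traffic" and "correlation analysis" items above, together with the password guessing noted under Attacker Profiles, can be exercised with a small script over two routine log sources. The code below is an added example for this transcript, not the presenter's or Reed Elsevier's tooling: the log formats, the constructed log lines, the allowlist of outbound hosts and the thresholds (5 failures in 5 minutes, 100 MB per user per day) are assumptions. It detects a password-guessing burst from one source, a user pushing an unusual volume to non-allowlisted hosts, and then joins the two so that a successful login from a guessing source followed by bulk outbound traffic rises to the top of the queue.

```python
"""Password-guessing bursts in auth logs, bulk outbound transfers in proxy logs,
and the correlation of the two. Added example; formats, lines and thresholds
are constructed, not taken from the presentation."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log: "<iso-time> <RESULT> user=<u> src=<ip>"
AUTH_LOG = """\
2014-11-03T08:00:01 FAIL user=agent17 src=198.51.100.7
2014-11-03T08:00:03 FAIL user=agent22 src=198.51.100.7
2014-11-03T08:00:05 FAIL user=agent05 src=198.51.100.7
2014-11-03T08:00:06 FAIL user=agent09 src=198.51.100.7
2014-11-03T08:00:08 FAIL user=agent31 src=198.51.100.7
2014-11-03T08:00:09 OK user=agent31 src=198.51.100.7
2014-11-03T08:30:00 FAIL user=agent12 src=203.0.113.4
2014-11-03T08:45:00 OK user=agent12 src=203.0.113.4
"""

# Constructed proxy log: "<iso-time> user=<u> host=<h> bytes_out=<n>"
PROXY_LOG = """\
2014-11-03T09:00:00 user=agent31 host=mail.exampleinsure.com bytes_out=120000
2014-11-03T09:05:00 user=agent31 host=files.example-share.net bytes_out=80000000
2014-11-03T09:06:00 user=agent31 host=files.example-share.net bytes_out=95000000
2014-11-03T09:10:00 user=agent12 host=news.example.org bytes_out=2048
"""

# Constructed policy values (assumptions, tune to the environment).
ALLOWED_OUTBOUND = {"mail.exampleinsure.com", "claims.exampleinsure.com"}
FAIL_THRESHOLD = 5                   # this many failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)   # ... inside this sliding window
EXFIL_BYTES = 100_000_000            # 100 MB/day to non-allowlisted hosts per user


def parse_kv(line):
    """Split '<time> [RESULT] k=v k=v ...' into (datetime, result_or_None, fields)."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    fields, result = {}, None
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            fields[k] = v
        else:
            result = p
    return ts, result, fields


def password_guessing(text):
    """Return {src_ip: (failures_in_window, distinct_users)} for sources that
    exceed FAIL_THRESHOLD failed logins within any FAIL_WINDOW."""
    failures = defaultdict(list)  # src -> [(timestamp, user)]
    for line in text.splitlines():
        if line.strip():
            ts, result, f = parse_kv(line)
            if result == "FAIL":
                failures[f["src"]].append((ts, f["user"]))
    flagged = {}
    for src, evs in failures.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside FAIL_WINDOW
            while evs[end][0] - evs[start][0] > FAIL_WINDOW:
                start += 1
            count = end - start + 1
            if count >= FAIL_THRESHOLD and count > flagged.get(src, (0, 0))[0]:
                users = {u for _, u in evs[start:end + 1]}
                flagged[src] = (count, len(users))
    return flagged


def outbound_volume(text):
    """Return {(user, date): bytes} where a user sent more than EXFIL_BYTES to
    hosts outside ALLOWED_OUTBOUND within one calendar day."""
    totals = defaultdict(int)
    for line in text.splitlines():
        if line.strip():
            ts, _res, f = parse_kv(line)
            if f["host"] not in ALLOWED_OUTBOUND:
                totals[(f["user"], ts.date().isoformat())] += int(f["bytes_out"])
    return {k: v for k, v in totals.items() if v > EXFIL_BYTES}


def correlate(auth_text, proxy_text):
    """Users who logged in successfully from a guessing source AND then sent
    bulk data out: the credential-compromise-plus-leakage pattern."""
    guessing = password_guessing(auth_text)
    exfil = outbound_volume(proxy_text)
    suspect_users = set()
    for line in auth_text.splitlines():
        if line.strip():
            _ts, result, f = parse_kv(line)
            if result == "OK" and f["src"] in guessing:
                suspect_users.add(f["user"])
    return sorted({u for (u, _d) in exfil if u in suspect_users})


if __name__ == "__main__":
    print("guessing sources:", password_guessing(AUTH_LOG))
    print("bulk outbound:", outbound_volume(PROXY_LOG))
    print("correlated:", correlate(AUTH_LOG, PROXY_LOG))
```

Either detector on its own produces noise (a forgotten password, a legitimate backup upload); the correlation is what turns two low-confidence signals into a finding worth an analyst's time, which is the point of the "correlation analysis" bullet. Volume thresholds should be set per role from a baseline rather than the flat value used here.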

12 Contact Information
Presenter: Aurobindo Sundaram, VP Information Assurance & Data Protection