This is a briefing on Cyber Security threats in non-technical terms. The briefing includes statistics on the threat landscape and business readiness to address them. Contact the presenter, David A. Kondrup, CPP SPHR at dk@CyberDiligence for a copy or for further information.
1. ASIS International – NYC Chapter
David A. Kondrup, CPP SPHR
Cyber Diligence, Inc.
Electronic Dossiers, Spearing and Whaling
Cyber Security Briefing
2. Disclaimer
This presentation is for informational purposes only; it does not constitute professional advice or convey a client – vendor relationship.
Citations are noted and the presenter is not responsible for the contents of cited work.
And ... what I knew about IT / computer security in the past, what I knew last week, and what I know today will all change tomorrow. The threats and the defenses described here will rapidly change – you and I have to change.
3. Risks and Your Incident Response Strategies
Protecting the Enterprise From Digital Risks
Insider Threats / Outsider Threats
ROI to Protect: Intellectual Property, Sensitive Data, Personal Identifiable Information, Financial
Compliance Issues (HR, EEO, Sex Harassment, HIPAA, Personal Identifiable Info, SAS 70, etc. etc.)
4. Emerging Threats
[Bar chart: Cyber-Risk Control Practices of Top Management (%). Rows: Receive Reports on Security Breaches / Data Loss (bars as extracted: 31, 30, 30); Review Annual Security Program Assessments (35, 20, 36); Receive Reports on Privacy and Security Risks (39, 33, 26). Legend: Rarely / Never, Occasionally, Regularly. Axis: 0 to 40 percent.]
Sources: Security Management, July 2012, page 30, citing “How Boards & Senior Executives Are Managing Cyber Risks”, Carnegie Mellon University, CyLab, May 2012
5. Types of Data Breaches (2011)
[Bar chart comparing Large Organizations and Small Organizations (0% to 100%) across breach data types: Payment Card Numbers, Authentication Credentials, Proprietary Info, Medical Records, Bank Account Data, Personal Info, System Info, Sensitive Info, Trade Secrets.]
Sources: Security Management, June 2012, page 48, citing “Data Breach Investigations Report”, Verizon, March 2012
7. Executive Spear-Phishing or Whaling
Hackers posing as federal agents (or other people) send emails to executives, department heads, technical staffers, and financial staff, conning them into providing passwords to gain access to networks.
Innocuous attachments are also sent. The moment an attachment is opened (or a link is clicked) a malware program is released.
There is nothing complicated or innovative about phishing. It’s simple, but it’s just dreadfully effective!
Email is not like snail mail: you can’t just throw the envelope away or peek inside – once you click on an unknown link or an attachment, they’ve got you.
8. Fake Subpoenas
Hackers target corporate executives with fake subpoenas.
In 2008 US federal court officials were warning that hackers were emailing fake subpoenas that contained malware to corporate executives.
The company information is correct, so is the address, so is the executive’s name and title.
The fake subpoenas were official looking and contained a link that states “Please download the entire document on this matter (follow this link) and print it for your records ...”
10. Effective
Thousands of executives and corporate officials have been engineered and fallen for this.
Not just subpoenas: it’s been Better Business Bureau complaints, emails to attorneys from overseas looking for representation, and invitations to events that are of interest to the recipient.
Subpoenas don’t come by email – don’t click on them!
12. On-Line Research
Hackers/phishers perform research before launching their attack.
They compile dossiers on the corporation, the company executives, and their families (xref).
Specifically, they locate the executive’s email address, phone numbers, addresses (home & work), and others associated with them.
This information is located online:
Pipl.com
Who.Is.com
Facebook
LinkedIn
Ancestry.com
“Google”
Corporate web sites
14. Malware - Botnets - Proxies
Backdoor.Proxybox
The malware is a Trojan program with rootkit functionality that transforms a computer into a proxy server.
Botnets
One of the main tools used by cybercriminals. They send spam emails, are used for distributed denial of service attacks, perform online financial (bank) fraud, click fraud, and others.
People and companies do not know they have it, and their IP address is used for illegal activities.
$25 a month gets 150 proxy servers; $40 gets unlimited in the country you want. Symantec believes there are 40,000 on any given day.
16. Cyber Defense
Education & Awareness
Educate the executives especially, and the “at risk” members of the company (those with credentials).
Technology (BYOD) Policies
Proactive Programs
Do checks on your top executives (with permission).
Regular & infrequent sweeps of systems, servers, computers.
Line up a specialist – have a response plan ready. (Specialists also for reputational & shielding info.)
Combined efforts and programs involving Physical Security – IT Security – Risk Management
17. www.CyberDiligence.com
David A. Kondrup, CPP SPHR
dk@CyberDiligence.com
575 Underhill Blvd – suite # 209
Syosset, NY 11791
(516) 342-9378 office
(516) 507-4322 direct