
Iron Bastion: Preventing business email compromise fraud at your firm


What is BEC fraud?
How does it affect my business?
A practical guide for minimising cyber threats


  1. A practical guide for minimising cyber threats. ISACA, 24 October 2018
  2. Who am I? Nicholas Kavadias, @nkav. Information Security Expert at Iron Bastion; 15+ years of experience in IT; practising solicitor (Disclaimer: this presentation does not constitute legal advice!)
  3. What we are covering today: 1. What is BEC fraud? 2. How does it affect my business? 3. How do I know if I am a victim of BEC fraud? 4. How can I protect my organisation from BEC fraud? 5. Where to go next?
  4. Let's go!
  5. What is BEC fraud? Social engineering / spear phishing: "I am the CFO, pay this invoice urgently". Display name spoofing: the real name, but not the real email address. Email address spoofing: the real name and email address, but a different Reply-To address. Email account compromise: a real email account is broken into (credentials from a data breach, or spear phishing). Impersonation: "Our payment details have changed, use this bank account instead". Either one of your staff's mailboxes is compromised, or one of your vendor's mailboxes is compromised. (Diagram labels: Display name; Email address)
  6. Example 1: Authority; sense of urgency; personal greeting; sent from a phone to excuse the lack of an email signature. From: Andy Penn <apen555@gmail.com> (real name gleaned from a public source).
  7. Example 2: Pixel-perfect copy, cloned from a legitimate email; urgency: "Due today!"; all the links go to the actual AGL site except "Download bill" and "Make a payment".
  8. What is BEC fraud? (cont'd): A global problem; at-risk industries; not "kids in basements"; a criminal's cost-benefit analysis.
  9. BEC fraud is a global problem. https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718
  10. How does BEC affect Australia? The Australian Federal Government says businesses here lost more than $20 million in 2017*; damages are often more than $100,000 per incident; an increase of 2,370% since 2015**. * https://exchange.telstra.com.au/business-email-compromise-scams/ ** https://www.mailguard.com.au/blog/ceo-fraud-up-2370pc
  11. At-risk industries, according to the OAIC report for Apr-Jun 2018*: 1. Health service providers 2. Finance 3. Legal, accounting & management services 4. Education 5. Business and professional associations. * https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/notifiable-data-breaches-quarterly-statistics-report-1-april-30-june-2018
  12. Preconceptions about BEC fraud and cybercrime…
  13. Cost-benefit analysis: classic crime v cyber crime. Armed robbery: aggravating circumstances (i.e. a weapon, assault) mean gaol++; profit: $10,000-$50,000?; max 20 years in prison (s95 Crimes Act 1900 (NSW)); security cameras everywhere, and everyone has a camera phone; hard to make a fast getaway in Sydney traffic! Cyber crime: fraud, a white-collar crime; profit: $100,000+; max 10 years in prison (s192E Crimes Act 1900 (NSW)); minimum security prison?; a cross-jurisdictional law enforcement issue; small fraud ($1-10k) is so common it is not investigated!
  14. BEC is a lucrative business
  15. This is a serious business… Global cybercrime: $1.5 trillion in 2017; annual GDP equivalent to Russia. https://www.information-age.com/global-cybercrime-economy-generates-over-1-5tn-according-to-new-study-123471631
  16. …and the sad reality is: organised crime. * 100,000 euro hackers: https://www.youtube.com/watch?v=4JqfChAKSfE
  18. …and the sad reality is: organised crime. Large financial motivation; they play the long game; multiple actors with specialised skills.
  19. How are email accounts compromised? Lousy passwords (Letmein1); stolen passwords (phishing); leaked passwords & password reuse.
  20. Password leaks everywhere! Websites get hacked; people reuse the same email and password across multiple online accounts. D'oh!
  21. Secret: "hackers" log into your webmail
  22. The BEC lifecycle
  23. How does it affect my business?
  24. How does BEC affect my business? Financial loss: direct & indirect loss (could it be enough to put you out of business?): litigation, insurance premiums, system remediation, investigation. Notifiable Data Breach: if an email account is compromised, the incident is reportable to the OAIC; fines? Reputational damage: negative media coverage & Twitter rage.
  25. A little
  26. Reputation damage
  27. How do I know if I am a victim of BEC fraud? You won't know until it's too late: supplier: "Why haven't you paid my bill?" you: "But I have paid it, haven't I?…" Email forwarding rules you have never set (O365 has 5 different locations to set rules). Colleagues receive emails/documents you never sent. You talk to your customer/supplier and have no idea what he/she is talking about.
  28. How do I know if I am a victim of BEC fraud? Signs of a hacked email account: password reset emails for accounts where you have not requested a reset; 2FA SMS codes when you have not tried to log in; a password you use no longer works, and you know you didn't change it; strange emails/phone calls from clients asking you about a request you never made; unknown logged-in devices.
  29. How can I protect my organisation from BEC fraud?
  30. "You don't have to run faster than the bear to get away. You just have to run faster than the guy next to you."
  31. How can I protect my organisation from BEC fraud? Quick win: 2FA. If you only do one thing to improve your cybersecurity posture, it should be to turn on 2FA for your email. Advice evolves with threats and as criminals become more sophisticated, e.g. 2FA via SMS can be attacked with SIM swapping.
  32. Why do we have just a few passwords? Problems: too many passwords to remember; has my password leaked in a data breach? Password managers solve both.
  33. Password wallets: remember a single password only. LastPass, 1Password, Dashlane, RoboForm
  34. How can I protect my organisation from BEC fraud? (cont'd) Stop using email: email is the default ad-hoc workflow! Formalise business processes. Move collaboration to secure business platforms (e.g. web portals) or third-party platforms: Slack, Microsoft Teams, Skype, WhatsApp (Brazil), WeChat (China).
  35. BEC fraud is a people, process, and technology problem
  36. BEC fraud: People. Phishing simulation: phishing is a precursor of BEC fraud; identify vulnerable segments of your staff by phishing them; target the vulnerable people with training; train and test your employees to follow payment procedures.
  37. BEC fraud: Process. Business: change your contracts; set up processes for payments and for payment detail changes/verification; minimise the use of email for payments/invoices. Security: have the cyber security team scan for indicators of BEC fraud (e.g. suspicious email redirection rules).
  38. BEC fraud: Low-tech/no-tech solutions. Put payment instructions in your supplier/customer agreements; specify that payment instructions will never change by email; phone in payment confirmations; a disclaimer on all your emails?
  39. BEC fraud: Technology. Advanced email security (aka ATP, anti-phishing); two-factor authentication (2FA); password wallets; DNS firewalls; endpoint security (phishing protection); web proxies and browser extensions protect from phishing and fake login pages; general advice: ASD Essential 8.
  40. Summary. BEC is a lucrative business: organised crime; relies on social engineering and phishing; a technology and human problem. Defence: formalise business processes; change people, process and technology; 2FA (i.e. outrun the others!).
  41. Where to go next? If you are hit by BEC fraud: activate your incident response plan; assemble a breach response working group to coordinate the response; report the incident to ACORN, IDCARE and the OAIC as required; get professional help if needed.
  42. Questions? Nicholas Kavadias, @nkav, nick@ironbastion.com.au, 1300 883 420. Slides: https://ironbastion.com.au/ISACA
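Slides 5 to 7 describe the three spoofing variants (display name, Reply-To, compromised account) and the lure traits of Example 1. As an added example that is not from the deck or from Iron Bastion, the following Python checks one message's From, Reply-To, subject and body for those indicators against a staff directory; the directory entry, the example.com domain, the indicator names and the sample message are constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed staff directory for this example: the display names a fraudster is
# likely to impersonate, mapped to the only address each person legitimately uses.
DIRECTORY = {"andy penn": "andy.penn@example.com"}  # constructed, not a real mailbox

# Lure language from the deck's examples: authority, urgency, changed bank details.
LURE = re.compile(r"urgent|due today|pay this invoice|payment details have changed|"
                  r"use this bank account", re.I)
# "Sent from a phone" excuses the missing signature the real sender would have.
PHONE_EXCUSE = re.compile(r"sent from my (iphone|phone|mobile|android)", re.I)

def normalise_name(name):
    """Lower-case, drop quotes and collapse whitespace so 'Andy  Penn' == 'andy penn'."""
    return re.sub(r"\s+", " ", name.replace('"', "")).strip().lower()

def bec_indicators(raw_message):
    """Return the BEC indicators found in one plain-text RFC 5322 message, in a fixed order."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    # Display name spoofing: a known name on an address that is not that person's.
    expected = DIRECTORY.get(normalise_name(name))
    if expected and addr != expected:
        findings.append("display-name-spoofing")
    # Address spoofing with a diverted conversation: Reply-To points somewhere else.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr:
        findings.append("reply-to-mismatch")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    if LURE.search(text):
        findings.append("payment-urgency-lure")
    if PHONE_EXCUSE.search(text):
        findings.append("phone-signature-excuse")
    return findings

# Constructed sample modelled on the deck's Example 1 (real name, free webmail address).
SAMPLE_SPOOFED = """\
From: Andy Penn <apen555@gmail.com>
To: accounts@example.com
Subject: Urgent invoice

Please pay this invoice urgently, I am in meetings all day.
Sent from my iPhone
"""
```

Run `bec_indicators(SAMPLE_SPOOFED)` to see all three Example 1 traits flagged; a genuine message from the directory address with no Reply-To and no lure wording returns an empty list.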

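Slides 27 and 37 name email redirection rules the owner never set as both a symptom of a compromised mailbox and something the security team should scan for. As an added example (not the deck's or Iron Bastion's code), this Python audits an inbox-rule export for forwarding or redirection outside the organisation; the field names, the example.com domain and the sample rules are constructed, and a real tenant export would need to be mapped onto those fields.

```python
ORG_DOMAIN = "example.com"  # constructed organisation domain

# Constructed inbox-rule export for this example. The field names are assumed;
# a real export from the mail platform would be mapped onto them first.
RULES = [
    {"mailbox": "cfo@example.com", "name": "Invoices to finance", "enabled": True,
     "forward_to": ["finance@example.com"], "redirect_to": [], "delete_message": False},
    {"mailbox": "accounts@example.com", "name": ".", "enabled": True,
     "forward_to": ["acc0unts.backup@gmail.com"], "redirect_to": [], "delete_message": True},
    {"mailbox": "ceo@example.com", "name": "Old newsletters", "enabled": False,
     "forward_to": [], "redirect_to": ["ceo@example.com"], "delete_message": True},
]

def is_external(address):
    """True when the address is not in the organisation's own domain."""
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN

def audit_rule(rule):
    """Return the reasons a single rule looks like a BEC redirection rule ([] if clean)."""
    reasons = []
    external = [t for t in rule["forward_to"] + rule["redirect_to"] if is_external(t)]
    if external:
        reasons.append("forwards or redirects outside the organisation: " + ", ".join(external))
        if rule["delete_message"]:
            # Forward-and-delete hides the conversation from the real mailbox owner.
            reasons.append("deletes the message after forwarding")
    if rule["name"].strip(". ") == "":
        # A blank or dot-only name keeps the rule inconspicuous in the rule list.
        reasons.append("unnamed or dot-only rule name")
    if reasons and not rule["enabled"]:
        reasons.append("currently disabled (may be re-enabled later)")
    return reasons

def audit_rules(rules):
    """Map mailbox -> suspicious-rule findings, listing only mailboxes with findings."""
    report = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            report.setdefault(rule["mailbox"], []).append({"rule": rule["name"], "reasons": reasons})
    return report
```

The internal-only rules produce no findings, so the report names only the mailbox whose rule forwards to an external address and deletes the original.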