Cyber Fraud Mr. Keelan T. Stewart August 20th, 2019 www.linkedin.com/in/keelanstewart
About the Speaker • Education and Certification • BS, MS in Information Assurance, University of Nebraska Omaha • Certified Information Systems Security Professional, CISSP • HealthCare Information Security and Privacy Practitioner, HCISPP • GIAC Law of Data Security & Investigations, with Gold Paper, GLEG Gold • GIAC Strategic Planning, Policy, and Procedure, GSTRT • Experience • Information Security Analyst and Authorizing Official, Boys Town • Nuclear and Space Mission Systems Cybersecurity Analyst, U.S. Strategic Command • National and Nuclear Command and Control Enterprise and Solutions Architect
Introduction • FBI reports $2.7B in cyber fraud in 2018 • Businesses reluctant to report losses related to cyber fraud • Long-term, intangible losses hard to determine/track • Cyber crime capabilities continue to expand • Nation states operating with impunity • Organized crime tolerated by host countries • Weaponized malware openly available for purchase
Cyber Fraud: Phishing, Spear Phishing, & Whaling • 91% of data breaches start with spear phishing • Between 45% and 90% of email is spam • Roughly 60% is routinely observed in a working environment • Inclusive of attacks and general sales spam • Attackers have huge advantages • Attacks cost little (on the order of $15/month) • Defense costs a lot • Cross-border jurisdictions prevent recourse
Cyber Fraud: Phishing, Spear Phishing, & Whaling • Security Controls • User Training • Phishing Exercises • Firewall Region (Geo-IP) Blocking • Anti-Spoofing (SPF, DKIM, DMARC) • Email Security Tools • OPSEC • Social Media Policies • Executive Procedures (e.g., how the CEO will and will not request payments)
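The anti-spoofing item above (SPF, DKIM, DMARC), which the BEC controls slide lists again, is where most real deployments are weak: a record exists, so the box is ticked, but it is `?all` or `p=none` and enforces nothing. The following added example (not from the speaker's deck) is a small auditor that parses SPF and DMARC TXT records and reports the settings that let a spoofed message through; the record strings are constructed samples for a hypothetical `example.com`, not real DNS data, and DNS resolution is left out so the block runs offline.

```python
"""Audit SPF and DMARC TXT records for settings that leave a domain spoofable."""
import re

# Constructed sample records for a hypothetical example.com (not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 ?all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"
HARDENED_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                  "rua=mailto:dmarc@example.com")


def parse_spf(record):
    """Return (terms, qualifier of the 'all' mechanism) or (None, None) if not SPF."""
    if not record.lower().startswith("v=spf1"):
        return None, None
    terms = record.split()[1:]
    all_q = None
    for t in terms:
        m = re.fullmatch(r"([+\-~?]?)all", t, re.IGNORECASE)
        if m:
            all_q = m.group(1) or "+"      # no qualifier means Pass ('+')
    return terms, all_q


def parse_dmarc(record):
    """Return the 'tag=value' pairs of a DMARC record as a dict, or None if not DMARC."""
    if not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def audit_spf(record):
    findings = []
    terms, all_q = parse_spf(record) if record else (None, None)
    if terms is None:
        return ["SPF: no valid record; receivers cannot reject forged envelope senders"]
    if all_q is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a Neutral result")
    elif all_q == "+":
        findings.append("SPF: '+all' authorises every host on the Internet")
    elif all_q == "?":
        findings.append("SPF: '?all' is Neutral, which is equivalent to having no policy")
    elif all_q == "~":
        findings.append("SPF: '~all' only soft-fails; use '-all' or enforce via DMARC p=reject")
    # RFC 7208 limits DNS-querying terms to 10; more yields PermError and no protection.
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", t, re.I))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (PermError)")
    return findings


def audit_dmarc(record):
    findings = []
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return ["DMARC: no record; SPF and DKIM results are never enforced on the From: domain"]
    p = tags.get("p", "").lower()
    if p not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={p or 'missing'} only monitors; spoofed mail is still delivered")
    sp = tags.get("sp", p).lower()          # subdomain policy defaults to p
    if sp not in ("quarantine", "reject"):
        findings.append(f"DMARC: subdomain policy sp={sp or 'missing'} leaves subdomains spoofable")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you will never see who is spoofing you")
    return findings


def audit_domain(spf, dmarc):
    """Combined findings for one domain's SPF and DMARC records (empty list = hardened)."""
    return audit_spf(spf) + audit_dmarc(dmarc)


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(f"[{label}]")
        for f in audit_domain(spf, dmarc) or ["no findings"]:
            print("  -", f)
```

To use it against a real domain, fetch the TXT records at `example.com` and `_dmarc.example.com` with a resolver of your choice and pass the strings in; DKIM is not checked here because its selector names are not discoverable from DNS alone, so verify that outbound mail actually carries a `DKIM-Signature` header that validates.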
Cyber Fraud: Business Email Compromise • Highest reported-loss cyber crime: over $1.2B in 2018 (FBI IC3)
Cyber Fraud: Business Email Compromise • Security Controls: • Procedural Security • Call to confirm (amount, account) using a previously known number, never one taken from the email • Known-good list of payees and their bank details • Email Security / Social Engineering Training • Phishing exercises • Domain Security • Register similar (lookalike) domains before an attacker does • Anti-spoofing (SPF, DKIM, DMARC)
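"Register similar domains" is only actionable once you have the list of variants a BEC actor would buy: dropped or doubled letters, swapped neighbours, fat-finger typos, `rn` for `m`, an inserted hyphen, or the same name under `.co`/`.cm`. The following added example (my code, not the speaker's) generates those candidates for a domain so the cheap ones can be registered and the rest fed to a new-registration watch list; `example.com` is a constructed input, the QWERTY and homoglyph tables are assumptions limited to ASCII, and internationalised (IDN) homoglyphs are out of scope.

```python
"""Generate lookalike (typosquat) domain candidates to register or monitor."""

# ASCII substitutions that look alike or are typed alike (assumption: ASCII only).
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"], "a": ["4"],
              "s": ["5"], "m": ["rn"], "rn": ["m"], "w": ["vv"], "vv": ["w"],
              "d": ["cl"], "cl": ["d"]}

# Neighbouring keys on a US QWERTY layout, for fat-finger substitutions.
QWERTY = {"q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
          "u": "yij", "i": "uok", "o": "ipl", "p": "o", "a": "qsz", "s": "adwx",
          "d": "sfec", "f": "dgrv", "g": "fhtb", "h": "gjyn", "j": "hkum",
          "k": "jlio", "l": "kop", "z": "ax", "x": "zsc", "c": "xdv", "v": "cfb",
          "b": "vgn", "n": "bhm", "m": "nj"}

ALT_TLDS = ["com", "net", "org", "co", "cm", "biz", "info"]


def split_domain(domain):
    """'example.com' -> ('example', 'com'); lower-cased."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def omissions(name):          # exmple
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def transpositions(name):     # examlpe
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:] for i in range(len(name) - 1)}


def repetitions(name):        # exxample
    return {name[:i] + name[i] + name[i:] for i in range(len(name))}


def adjacent_keys(name):      # wxample
    out = set()
    for i, ch in enumerate(name):
        for k in QWERTY.get(ch, ""):
            out.add(name[:i] + k + name[i + 1:])
    return out


def homoglyphs(name):         # exarnple, examp1e
    out = set()
    for src, subs in HOMOGLYPHS.items():
        start = name.find(src)
        while start != -1:
            for sub in subs:
                out.add(name[:start] + sub + name[start + len(src):])
            start = name.find(src, start + 1)
    return out


def hyphenations(name):       # ex-ample
    return {name[:i] + "-" + name[i:] for i in range(1, len(name))}


def lookalikes(domain):
    """Sorted list of candidate lookalike domains for `domain` (never includes itself)."""
    name, tld = split_domain(domain)
    names = set()
    for gen in (omissions, transpositions, repetitions, adjacent_keys, homoglyphs, hyphenations):
        names |= gen(name)
    names.discard(name)
    names = {n for n in names
             if n and "--" not in n and not n.startswith("-") and not n.endswith("-")}
    candidates = {f"{n}.{tld}" for n in names}
    candidates |= {f"{name}.{t}" for t in ALT_TLDS if t != tld}   # same name, other TLD
    return sorted(candidates)


if __name__ == "__main__":
    cands = lookalikes("example.com")   # constructed input
    print(len(cands), "candidates, e.g.:", ", ".join(cands[:8]))
```

Registering every variant is rarely affordable, so the usual split is: register the handful that are one keystroke away or visually identical at a glance, and check the rest periodically (WHOIS or certificate-transparency logs) so a newly registered lookalike becomes a block-list entry and a warning to accounts payable before the first invoice arrives.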
Cyber Fraud: Ransomware • Petya / NotPetya • Overwrites the MBR and encrypts the MFT, so Windows cannot boot • 2017: the NotPetya variant used in the cyberwar against Ukraine • SamSam • Entry by brute-forcing Internet-exposed RDP, so no user interaction (no phishing lure) is needed • 2018: City of Atlanta, 6M affected, $2.7M in damages • EternalBlue • NSA-developed exploit (leaked by the Shadow Brokers) for a Microsoft SMBv1 flaw affecting Windows XP through Windows 10 and Server 2003 through Server 2016; patched by MS17-010 • Used in WannaCry and NotPetya (Bad Rabbit used the related EternalRomance SMB exploit) • Victims included the UK's NHS (WannaCry), Ukraine (NotPetya), and Baltimore (2019; EternalBlue involvement was reported but disputed)
Cyber Fraud: Ransomware • Security Controls • Backups (offline or immutable, and tested by restoring) • Remove Local Admin • Patching • Awareness Training • Web Ad Blocking (malvertising) • Email Security • Next-Generation Anti-Virus • Next-Generation Firewall • User Behavior Analytics • Segmentation
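SamSam's entry vector, a password brute force against exposed RDP, shows up in the Windows Security log long before any file is encrypted: a burst of Event ID 4625 failures with LogonType 10 from one source address, often across many usernames, followed by a 4624 success from the same address. The following added example (not code from the speaker or any vendor) implements that detection as a sliding window over event records; the events are constructed samples shaped like Security log fields (`EventID`, `LogonType`, `TargetUserName`, `IpAddress`, `TimeCreated`), and the threshold, window, and minimum failures before a success are tuning assumptions.

```python
"""Flag RDP brute force and success-after-failures in Windows Security events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_event(ts, event_id, user, ip, logon_type=10):
    """Constructed event using Windows Security log field names (not a real log)."""
    return {"TimeCreated": ts, "EventID": event_id, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type}


# EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [make_event(f"2018-03-22T02:14:{i:02d}", 4625, user, "198.51.100.23")
                 for i, user in enumerate(["administrator", "admin", "backup", "scan",
                                           "sql", "helpdesk", "test", "guest", "user",
                                           "it", "finance", "Administrator"])]
SAMPLE_EVENTS += [
    make_event("2018-03-22T02:15:30", 4624, "Administrator", "198.51.100.23"),  # guessed it
    make_event("2018-03-22T02:20:00", 4625, "jsmith", "10.0.0.5"),     # user mistypes twice
    make_event("2018-03-22T02:20:40", 4625, "jsmith", "10.0.0.5"),
    make_event("2018-03-22T02:21:05", 4624, "jsmith", "10.0.0.5"),
    make_event("2018-03-22T02:22:00", 4625, "svc_print", "10.0.0.9", logon_type=3),  # not RDP
]

THRESHOLD = 10                   # failures from one source IP ...
WINDOW = timedelta(minutes=5)    # ... within this sliding window
SUCCESS_MIN_FAILURES = 3         # a success after this many recent failures is suspicious


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW,
                          success_min_failures=SUCCESS_MIN_FAILURES):
    """Return alerts: one 'rdp_bruteforce' per source IP that reaches `threshold` RDP
    failures inside `window`, and one 'rdp_success_after_failures' for every RDP success
    from a source that still has at least `success_min_failures` failures in the window."""
    events = sorted(events, key=lambda e: e["TimeCreated"])   # ISO timestamps sort lexically
    recent = defaultdict(deque)     # ip -> timestamps of RDP failures inside the window
    users = defaultdict(set)        # ip -> usernames tried (spraying indicator)
    alerts, alerted = [], set()
    for e in events:
        if e["LogonType"] != 10:
            continue                # console, network, and service logons are out of scope
        t, ip = datetime.fromisoformat(e["TimeCreated"]), e["IpAddress"]
        q = recent[ip]
        while q and t - q[0] > window:
            q.popleft()             # expire failures older than the window
        if e["EventID"] == 4625:
            q.append(t)
            users[ip].add(e["TargetUserName"].lower())
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)     # alert once per source, not once per extra failure
                alerts.append({"rule": "rdp_bruteforce", "ip": ip, "failures": len(q),
                               "distinct_users": len(users[ip]),
                               "first": q[0].isoformat(), "last": t.isoformat()})
        elif e["EventID"] == 4624 and len(q) >= success_min_failures:
            alerts.append({"rule": "rdp_success_after_failures", "ip": ip,
                           "user": e["TargetUserName"], "failures_in_window": len(q),
                           "time": t.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(a)
```

The second rule is the one that matters for response: a brute force that never succeeds is noise to block at the firewall, but a success from a source with recent failures means the credential is burned and the host should be isolated before the actor moves from RDP to deploying the payload. On a real host, export the events with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}` and map the XML fields onto the dict keys used here.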
Cyber Fraud: Data Breach • Approximate underground-market prices per stolen record: • Social Security Number: $1 • Login Credentials: $1 • Credit/Debit Card • With CVV: $5 • With Bank Info: $15 • With All Info: $30 • Netflix, etc.: $10 • Driver's License: $20 • Loyalty Accounts: $20 • PayPal, etc.: $200 • Diplomas: $400 • Medical Records: $1,000 • Passports: $1,000-$2,000
Cyber Fraud: Data Breach • Security Controls • Procedural Security • Process transactions quickly, so sensitive data is held for as short a time as possible • Call to confirm, known-good lists • Record Retention (keep only what you must, only as long as you must) • Secure Repositories • Policy to not store records anywhere outside them • Segmentation
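The two slides above price the records (SSNs, card numbers) and then rely on a policy that such records are not stored outside the secure repository. A policy needs a check, and the check is a scanner that finds the data where it should not be: exports on a file share, spreadsheets in mailboxes, ticket attachments. The following added example (mine, not the speaker's) scans text for SSNs that pass the SSA issuance rules and for card numbers that pass the Luhn check, masking what it finds so the report itself does not become a new copy; the input is a constructed sample, and the patterns are assumptions (US SSN format, 13 to 19 digit PANs) that a real deployment would extend.

```python
"""Locate SSNs and payment card numbers stored outside approved repositories."""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional space/dash separators


def valid_ssn(area, group, serial):
    """SSA issuance rules: area not 000, 666 or 900-999; group not 00; serial not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers; filters out order/ticket numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits so findings can be reported without copying the data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text):
    """Return (kind, masked_value, offset) for each SSN or PAN found in `text`."""
    findings = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings.append(("ssn", mask(m.group(0).replace("-", "")), m.start()))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("pan", mask(digits), m.start()))
    return findings


# Constructed sample (not real data): a donor export someone saved to a shared drive.
SAMPLE_TEXT = """donor,ssn,card
A. Example,219-09-9999,4111 1111 1111 1111
B. Example,000-12-3456,4111 1111 1111 1112
Ticket 12345678901234 is an order number, not a card
"""

if __name__ == "__main__":
    for kind, value, offset in scan_text(SAMPLE_TEXT):
        print(f"{kind} at byte {offset}: {value}")
```

In the sample, only the first row is reported: `000-12-3456` fails the area rule and `4111 1111 1111 1112` fails Luhn, and the 14-digit ticket number is ignored for the same reason. Run the scanner over the locations your retention policy says should be empty (departmental shares, exported CSVs, mail archives) and treat each hit as a record to delete, not just a finding to log.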
Audit Considerations: Invest for Success: Diversifying Your Audit Portfolio
Audit Considerations: Invest for Success: Diversifying Your Audit Portfolio • Information Security is to IT as Internal Audit is to Finance • Separation of duties due to conflict of interest • Shadow IT • Devices and services purchased by business units without IT • Typically not managed or secured well • Users are not stupid; they are doctors, lawyers, etc., but not IT professionals • In developed countries, only 5% of the population has high computer skills • Only 33% can complete medium-complexity tasks
Audit Considerations: Invest for Success: Diversifying Your Audit Portfolio • Information Security is becoming highly regulated and fined • GDPR, HIPAA, PCI DSS, CCPA • Regulatory audits can help InfoSec advocate for resources • Almost any audit can have cyber aspects • Big 4 audits consider cyber security in financial analysis • Know when to look at cyber to enhance audits • Take cyber liability insurance seriously • No longer a matter of "if" but "when"
Audit Considerations: Invest for Success: Diversifying Your Audit Portfolio • Computer literacy is just as important as accounting in IA (Internal Audit) • You know accounting to keep accountants honest • Know computers to keep IT and InfoSec honest • Information Security Groups • ISACA • (ISC)² • FBI InfraGard • DHS ISACs • NEbraskaCERT