Date post: | 16-Dec-2015 |
Cybersecurity Threats – What You Need to Know as an Insurance Professional and as a Consumer
Aurobindo Sundaram, VP IS Assurance & Data Protection, Reed Elsevier Inc.
November 2014
Security Leaders Summit Southeast
Agenda
• A Primer on Attacks
• Global Target Trends
• Global Attack Trends and Attacker Profiles
  » Custom malware and targeted social engineering
  » Indirect attacks (e.g. through third parties)
• An Example Attack
• Why Should Insurance Companies Care?
• Risk Mitigation
Attacks ...
“Hacking”
• Basic MO is to get through your systems before you patch them (network, application, custom code).
• Defend by equal parts luck, technology, and diligent process.
• Expose as little as you can, detect/prevent obvious attacks, and deflect attacks.
Denial of Service
• Almost always of nuisance value from a security perspective, less so from a loss-of-revenue perspective.
• Consider denial of service protection services (if your firewalls/border routers/ISPs are not up to the task).
Solid infrastructure should make both of these straightforward (but not easy!) to deal with
Attacks ...
Phishing
• More sophisticated than ever
• Spear phishing - targeting specific individuals (e.g. senior executives)
• Quickly adapt to clone changes on legitimate websites
• Some variants even pass the user through to the legitimate website
Targeted Malware
• Integrated with hacking and phishing attacks to create enduring weaknesses in infrastructure
• Not just financial customers that are targeted – web of compromise continues to expand.
• Hard to detect; once infected, you’re toast.
User education is critical
Do newer tools (e.g. FireEye) help? Unclear.
Advanced Persistent Threats
… a group, such as a foreign government or organized crime, with the capability and intent to persistently and effectively target a specific entity
• Social activism (“hacktivism”)
• Threats targeting financial institutions (directly or indirectly)
• Threats targeting other firms housing personal information (Legal, Insurance, Retail, etc.)
• Threats targeting infrastructure
Tempting to say “If xxx can be hacked, what chance do I have?”
Detection and response capabilities are key
Global Target Trends
• Attempting to retrieve financial information on consumers (e.g. through hacks of credit card databases; cloning of cards; and evasion of fraud detection mechanisms).
• Attempting to retrieve personal information on consumers (HR, health, shopping, insurance/claims) to use in future perpetration of identity theft.
• Attempting to retrieve corporate secrets (attacking legal firms, investment banks, high technology firms) for national or individual gain.
• Attempting to compromise user systems and use them as DDoS bots against targets (usually multi-player gaming systems – Sony, XBox, LoL, etc.).
Attacker Profiles
• Generally resident in countries where Rule of Law is weak (Eastern Europe, West Africa, etc.)
• Use a complex set of intermediaries to avoid detection
  • Attacking systems (bots, etc.)
  • Accessories (J1 visas, etc.)
• Use advanced technology and stealth measures to avoid detection
  • Tor
  • Bitcoin
  • Custom malware
  • (Can spend weeks to months breaking into a corporation)
• But also use simple attack mechanisms
  • Guessing of passwords
  • Simple phishing attacks and other social engineering
An Example Attack
J1 Mule Operator
• Aka the mastermind. He orchestrates the entire crime and reaps most of its proceeds (along with co-conspirators).
J1 Mule
• Foreign citizens that come to the US on J1 (exchange visitor) visas and then carry back currency to their home country.
Runner
• A go-between to receive money from a J1 mule and pass it on to a sender.
Sender
• A participant who retrieves funds to send to a foreign Receiver.
Receiver
• A foreign agent who receives funds from the crime to deliver to the J1 Mule Operator.
An Example Attack
[Diagram: the J1 Mule Operator (1) performs online research on a user and launches a phishing email; (2) with the compromised ID, accesses the wealthy victim’s personal records; (3) reaches the victim’s banks and (4) impersonates the victim; the proceeds then flow through the Runner to the Senders, Receivers and J1 Mules.]
An Example Criminal Enterprise Infrastructure
Why Should Insurance Companies Care?
• You access, store, or process significant sensitive personal information (SSNs, DOBs, bank account information from quotes, claims, etc.). You’re as tempting a target as a retail store, a public records company, a hospital...
• Some of you are also financial institutions or have links with them.
• You have thousands of agents and associates that access sensitive personal information, and any of them could be social engineered for their user credentials.
Risk Mitigation
How much risk do you want to mitigate and how much do you want to accept?
Perimeter Protections
• Firewalls with strict ingress/egress rules.
• Web hygiene checking (i.e. dynamic URL blocking).
• Intrusion detection/prevention systems.
• Penetration testing.
Host Protections
• Current anti-virus with updates (brand is not important).
• Patch management program.
Application Protections
• Authentication enhancements (e.g. strong passwords, multi-factor authentication).
• Web application security scans.
Other
• User need for access to services.
• Instrumentation and monitoring of outbound traffic (particularly web) – fraud detection, data leakage protection, correlation analysis.
• Logging and monitoring of network, application, and host traffic.
• User education (social engineering prevention, etc.).
• Document your Information Security Program.
Optional / Buy with care
• Specialized monitoring (e.g. botnet detectors).
• Denial of service protection devices.
* Use standards such as ISO 27002:2013 to determine the technical controls you need.
Contact Information
Presenter Contact Information
Aurobindo Sundaram,
VP Information Assurance & Data Protection
+1-678-694-3663