Hacking the Human - How Secure Is Your Organization?

Date post: 14-Jul-2015
Upload: cbiz-inc

Transcript
Page 1: Hacking the Human - How Secure Is Your Organization?

Hacking the HumanHow Secure Is Your Organization?

April 23, 2015

CBIZ MHM, LLC – Kansas City

Page 2: Hacking the Human - How Secure Is Your Organization?

• Social Engineering

– Targets, Costs, Frequency

– Real Life Examples

– Mitigating Risks

– Internal Programs

• Data Security & Privacy Liability

– Cyber Liability

– Cyber Insurance

– Financial Impact

– Key Coverage Components

– Checklist for Assessing your Level of Cyber Risk

Agenda

Page 3: Hacking the Human - How Secure Is Your Organization?

Social Engineering

The Art of Hacking the Human

Page 4: Hacking the Human - How Secure Is Your Organization?

1) The clever manipulation of the natural human tendency to trust.

2) Manipulating people into willingly doing something rather than by breaking in using technical or brute force means.

3) The act of manipulating a person to take an action that may or may not be in the target’s best interest. ~ Chris Hadnagy

4) The art of intentionally manipulating behavior using specially crafted communication techniques. ~ Gavin Watson

What Is Social Engineering?

Page 5: Hacking the Human - How Secure Is Your Organization?

Motivations for Social Engineering Attacks (percent of respondents)

Financial gain: 51%

Access to proprietary information: 46%

Competitive advantage: 40%

Revenge or personal vendetta: 14%

Other: 4%

Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research

Page 6: Hacking the Human - How Secure Is Your Organization?

• Sensitive Personally Identifiable Information

• System usernames and passwords

• High-value assets

• Trade secrets and proprietary information

Social Engineering Targets

Page 7: Hacking the Human - How Secure Is Your Organization?

Typical Cost Per Social Engineering Incident (percent of respondents)

Cost per incident        All companies    More than 5,000 employees
Less than $10,000        32%              38%
$10,000 - $25,000        12%              14%
$25,000 - $50,000        13%              16%
$50,000 - $100,000       13%              13%
More than $100,000       30%              19%

Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research

Page 8: Hacking the Human - How Secure Is Your Organization?

Frequency of Social Engineering Attacks Over 2-year Period (percent of respondents)

Number of attacks        All companies    More than 5,000 employees
Less than 5 times        20%              32%
5 - 24                   32%              36%
25 - 50                  15%              20%
More than 50 times       33%              12%

Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research

Page 9: Hacking the Human - How Secure Is Your Organization?

• Dumpster diving

– Company directory and phone list with email addresses.

– Client sensitive personally identifiable information.

– Employee usernames and passwords to company systems.

– Company policies, procedures, systems, vendors.

– Vertical cut shred in trash bag in dumpster.

– Hand torn documents in trash in dumpster.

An Attack In Action – Stories and Examples

Page 10: Hacking the Human - How Secure Is Your Organization?

• Email phishing

– New paid time off policy and tracking system.

– Obtain a false website address.

– Create a mirror image false website.

– Use employee directory from dumpster to email false link to website.

– Require Windows login to gain access.

– Ask employees to update paid time off balances and requests.

• Provide personal incentive to click the link.

An Attack In Action – Stories and Examples

Page 11: Hacking the Human - How Secure Is Your Organization?

https://www.principal.com/ (legitimate address)

https://www.princlpal.com/ (lookalike: the letter "i" replaced with a visually similar "l")

Fake Web Address Example
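The slide shows the legitimate principal.com beside princlpal.com, where one letter has been swapped for a look-alike. The following Python is an added example, not code from the CBIZ presentation: it folds visually confusable characters to one canonical form and measures edit distance, so a mail gateway or awareness tool can flag a lookalike domain against an allowlist of known-good domains before a user clicks. The confusable-character mapping and the allowlist are constructed for the example.

```python
"""Flag lookalike domains in URLs against an allowlist of known-good domains.

Added example (not from the CBIZ slides). Two signals are combined:
  1. a "skeleton" that folds confusable characters (l/1 -> i, 0 -> o, rn -> m ...)
     so princlpal.com and principal.com collide, and
  2. Levenshtein edit distance, to catch one-character typosquats the mapping misses.
"""
from typing import Optional, Tuple
from urllib.parse import urlparse

# Visually confusable substitutions, folded to one canonical form (assumed mapping;
# a production tool would use a fuller table such as Unicode's confusables list).
CONFUSABLES = {
    "l": "i", "1": "i", "|": "i",   # l, 1 and | all resemble i / I
    "0": "o",
    "5": "s",
    "rn": "m",
    "vv": "w",
}

# Constructed allowlist of domains the organization actually uses.
KNOWN_GOOD = {"principal.com", "example.com"}


def registrable_domain(url: str) -> str:
    """Host portion of a URL, lower-cased, with a leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def skeleton(domain: str) -> str:
    """Fold confusable characters so lookalikes map to the same string."""
    out = domain
    for seq, canon in CONFUSABLES.items():
        out = out.replace(seq, canon)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, known_good=KNOWN_GOOD, max_distance: int = 1) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched_domain).

    verdict is 'known-good' (exact allowlist hit), 'lookalike' (confusable-equivalent
    or within max_distance edits of an allowlisted domain) or 'unknown'.
    """
    domain = registrable_domain(url)
    if domain in known_good:
        return "known-good", domain
    skel = skeleton(domain)
    for good in known_good:
        if skel == skeleton(good) or edit_distance(domain, good) <= max_distance:
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    for link in ("https://www.principal.com/", "https://www.princlpal.com/", "https://example.org/"):
        print(link, "->", classify_url(link))
```

A verdict of "lookalike" is the one to act on: quarantine the message or rewrite the link to a warning page, and feed the original URL to the awareness program as a concrete example of what employees were sent.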

Page 12: Hacking the Human - How Secure Is Your Organization?

• Pretexting, Baiting, and Piggy-backing

– Impersonate telecom, janitorial, security personnel, employees.

– Drop a CD or USB thumb drive with a creative label.

– Follow employees through secured doors.

– Develop rapport and level of comfort.

An Attack In Action – Stories and Examples

Page 13: Hacking the Human - How Secure Is Your Organization?

Social Engineering Threats To Organizations

[Pie chart: categories Lack of Employee Awareness, Phishing, Criminals, Vishing and Other; slice values 56%, 21%, 12%, 6% and 5% (labels and values are not paired in the extracted text).]

Source: 2014 Poll: Employees Clueless About Social Engineering, InformationWeek-Dark Reading

Page 14: Hacking the Human - How Secure Is Your Organization?

Risk of Falling for Social Engineering Attack (percent of respondents)

New employees: 60%

Contractors: 44%

Executive assistants: 38%

Human resources: 33%

Business leaders: 32%

IT personnel: 23%

Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research

Page 15: Hacking the Human - How Secure Is Your Organization?

Social engineering attacks cannot be prevented—only mitigated and deterred.

• Policies

– Employees are not allowed to divulge information.

– Prevents employees from being socially pressured or tricked.

– Policies MUST be enforced to be effective.

• Training

– User awareness—user knows giving out information is bad.

Mitigating A Social Engineering Attack

Page 16: Hacking the Human - How Secure Is Your Organization?

• Password management

• Physical security

• Network defenses may only temporarily repel attacks.

– Virus protection

– Email attachment scanning

– Firewalls, etc.

– Intrusion detection system and intrusion protection system

– Encrypted data at rest

• Security must be tested and updated periodically.

Mitigating A Social Engineering Attack

Page 17: Hacking the Human - How Secure Is Your Organization?

• Social engineering testing

– IMPORTANT! This is strictly intended to be a learning tool for the organization—not a punishment for individual employees.

– Who should consider testing?

– Have the tester attempt to acquire information from employees using social engineering techniques.

• Attack strategically targeted areas of the organization.

– May include technical testing of malware and other abnormalities.

– What a tester legally cannot do.

Mitigating A Social Engineering Attack

Page 18: Hacking the Human - How Secure Is Your Organization?

Develop Internal Programs

Information Security Program

The written plan created and implemented by the organization to identify and control risks to information and information systems and to properly dispose of information.

Security Awareness Program

Security awareness reflects an organization’s attitude toward protecting the physical and intellectual assets of an organization. This attitude guides the approach used to protect those assets.

Page 19: Hacking the Human - How Secure Is Your Organization?

• When assessing the weakest link, the human factor is very critical when protecting sensitive information and valuable assets.

• Social engineering testing is an effective method commonly used to assess the condition of the overall security culture.

• Good habits drive security culture and there are no technologies that will ever make up for poor security culture.

• Awareness programs, when properly executed, provide knowledge that instills behavior.

It is better to fail a test in a controlled environment than to be attacked without knowing how much information will be lost.

Summary

Page 20: Hacking the Human - How Secure Is Your Organization?

Data Security and Privacy Liability: Why Cyber Insurance is No Longer Optional!

Page 21: Hacking the Human - How Secure Is Your Organization?

Threat Matrix – Where Do We Start?

Threats to Cybersecurity are Decentralized and Diverse

Threats to Cybersecurity:

• Spy and Malware

• Spammers

• Bot-net Operators

• Nation

• Phisher

• Business competitors

• Corporate Espionage

• Terrorist

• Hacker

• Insider

• Criminal Groups

• Human Error

Page 22: Hacking the Human - How Secure Is Your Organization?

Statistically Speaking

Page 23: Hacking the Human - How Secure Is Your Organization?

Why Worry?

The most vigilant network security and most comprehensive privacy policies remain vulnerable to hackers, rogue employees, social engineering and human error!

Page 24: Hacking the Human - How Secure Is Your Organization?

“Dave” is Responsible for 31% of all Losses

Page 25: Hacking the Human - How Secure Is Your Organization?

Causes of Loss (2013-14)

Page 26: Hacking the Human - How Secure Is Your Organization?

• The frequency of privacy breaches is on the rise

– 10% increase year over year

• Threats and vulnerabilities are getting dramatically worse.

• More than 47 states, including U.S. territories, have enacted privacy laws in response to the increased frequency of privacy breaches.

Why Cyber Insurance?

Page 27: Hacking the Human - How Secure Is Your Organization?

• Corporate governance requires organizations to address information technology risks.

• The plaintiffs’ bar is becoming more active in pursuing class action litigation.

• Contracts may require cyber liability insurance.

• Cyber liability insurance can mitigate the financial impact on a company.

Why Cyber Insurance?

Page 28: Hacking the Human - How Secure Is Your Organization?

In the past, small businesses (SMBs) may have been able to neglect network security with little consequence, but this is not the case today.

In Symantec’s 2014 Internet Security Threat Report they found SMBs (defined as having fewer than 250 employees) accounted for more than half of all targeted attacks (61%) in 2013. This was an 11 percentage point increase from the previous year.

A “Not So Positive Trend”

Page 29: Hacking the Human - How Secure Is Your Organization?

You Are At Risk!

Page 30: Hacking the Human - How Secure Is Your Organization?

• Cost to defend and/or settle:

– Regulatory investigations.

– Unauthorized access or unauthorized use.

– Allegations that malicious code (such as viruses) caused harm to the data or computer systems of third parties.

– Allegations that an insured’s computer system denied a third party the ability to conduct transactions.

– Litigation from customers or employees for identity theft.

Financial Impact of a Security/Privacy Breach?

Page 31: Hacking the Human - How Secure Is Your Organization?

• Cost to investigate and determine the cause of a security or privacy breach, including computer forensics.

• Cost to hire a public relations or crisis management firm to mitigate against reputational harm.

• Cost for legal counsel related to privacy and notification laws.

Financial Impact of a Security/Privacy Breach?

Example: 2,500 records times $201 equals $502,500 just in notification costs!!

Page 32: Hacking the Human - How Secure Is Your Organization?

Key Coverage Components

The following are the essential coverages when putting together a comprehensive cyber liability policy…

Page 33: Hacking the Human - How Secure Is Your Organization?

• Provides liability coverage for damages and claim expenses arising out of an actual or alleged act, error or omission resulting in:

– The failure to prevent unauthorized access to or use of a system that results in:

• The destruction, deletion or corruption of electronic data;

• Theft or loss of data; or

• Denial of service attacks against Internet sites or computers.

Network Security Liability

Page 34: Hacking the Human - How Secure Is Your Organization?

• The inability of a third party, who is authorized to do so, to gain access to your system.

• The failure to prevent transmission of Malicious Code from your system to third-party computers and systems.

Network Security Liability

Page 35: Hacking the Human - How Secure Is Your Organization?

• Provides liability coverage if an insured fails to protect electronic or non-electronic private or confidential information in their care, custody and control.

• Provides coverage for defense expenses, and in some cases penalties/fines, incurred from a regulatory proceeding resulting from a violation of a privacy law caused by a covered security breach.

Privacy Liability and Privacy Regulatory Proceeding

Page 36: Hacking the Human - How Secure Is Your Organization?

• Covers crisis management, including credit monitoring services and public relations expenses incurred resulting from a security or privacy breach. Also pays costs of notifying consumers as required by various state, federal or international laws or regulations.

Breach Response Expenses

Page 37: Hacking the Human - How Secure Is Your Organization?

• Covers the insured for Intellectual Property (copyright infringement, etc.) and Personal Injury (defamation, etc.) perils that result from an error or omission in content on their website. Multimedia coverage is also available.

• Provides coverage for expenses and/or losses incurred as the result of an extortion threat made against an insured.

• Provides coverage for business interruption loss and/or business restoration expense incurred by the insured as the direct result of a security breach that caused system failure.

Media Liability/Cyber Extortion/Business Interruption

Page 38: Hacking the Human - How Secure Is Your Organization?

• Pays the reasonable costs incurred by the insured, in excess of any normal operating costs, for the restoration of any data stored.

• Technology E&O and/or certain Miscellaneous Professional Liability exposures may be combined with the cyber coverage in one policy.

Data Restoration and Professional Liability

Page 39: Hacking the Human - How Secure Is Your Organization?

Data Breach or cyber insurance policies are becoming a more important part of a company’s preparedness plans.

In 2013, only 10% of respondents said their company purchases a policy. In 2014 the percentage more than doubled to 26%.

Gaining Traction

Page 40: Hacking the Human - How Secure Is Your Organization?

Final Thoughts

• Anyone who collects, stores (either on their system, a third party vendor or the cloud) and/or shares customer information (PII or PHI) has an exposure regardless of industry class or size.

• Size doesn’t matter!

– “Targets of opportunity” are based on “ease of access” & likelihood of breach being detected.

• This coupled with the probability of human error or unintended disclosure can result in significant costs.

Page 41: Hacking the Human - How Secure Is Your Organization?

QUESTIONS?

Page 42: Hacking the Human - How Secure Is Your Organization?

Contact Information

Raja Paranjothi

CBIZ Business and Technology

Risk Services

913.234.1869

[email protected]

Kyle Konopasek

CBIZ Business and Technology

Risk Services

913.234.1020

[email protected]

Damian Caracciolo

CBIZ Risk & Consulting

443.472.8096

[email protected]

