Hacking the Human: How Secure Is Your Organization?
April 23, 2015
CBIZ MHM, LLC – Kansas City
Agenda
• Social Engineering
– Targets, Costs, Frequency
– Real Life Examples
– Mitigating Risks
– Internal Programs
• Data Security & Privacy Liability
– Cyber Liability
– Cyber Insurance
– Financial Impact
– Key Coverage Components
– Checklist for Assessing your Level of Cyber Risk
Social Engineering
The Art of Hacking the Human
What Is Social Engineering?
1) The clever manipulation of the natural human tendency to trust.
2) Manipulating people into willingly doing something rather than by breaking in using technical or brute force means.
3) The act of manipulating a person to take an action that may or may not be in the target’s best interest. ~ Chris Hadnagy
4) The art of intentionally manipulating behavior using specially crafted communication techniques. ~ Gavin Watson
Motivations for Social Engineering Attacks
Financial gain: 51%
Access to proprietary information: 46%
Competitive advantage: 40%
Revenge or personal vendetta: 14%
Other: 4%
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research
Social Engineering Targets
• Sensitive Personally Identifiable Information
• System usernames and passwords
• High-value assets
• Trade secrets and proprietary information
Typical Cost Per Social Engineering Incident
Cost per incident        All companies   More than 5,000 employees
Less than $10,000        38%             32%
$10,000 - $25,000        14%             12%
$25,000 - $50,000        16%             13%
$50,000 - $100,000       13%             13%
More than $100,000       19%             30%
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research
Frequency of Social Engineering Attacks Over 2-year Period
Attacks in 2 years       All companies   More than 5,000 employees
Less than 5 times        32%             20%
5 - 24                   36%             32%
25 - 50                  20%             15%
More than 50 times       12%             33%
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research
An Attack In Action – Stories and Examples
• Dumpster diving
– Company directory and phone list with email addresses.
– Client sensitive personally identifiable information.
– Employee usernames and passwords to company systems.
– Company policies, procedures, systems, vendors.
– Vertical cut shred in trash bag in dumpster.
– Hand torn documents in trash in dumpster.
An Attack In Action – Stories and Examples
• Email phishing
– New paid time off policy and tracking system.
– Obtain false website address.
– Create a mirror image false website.
– Use employee directory from dumpster to email false link to website.
– Require Windows login to gain access.
– Ask employees to update paid time off balances and requests.
• Provide personal incentive to click the link.
Fake Web Address Example
https://www.principal.com/
https://www.princlpal.com/
An Attack In Action – Stories and Examples
• Pretexting, Baiting, and Piggy-backing
– Impersonate telecom, janitorial, security personnel, employees.
– Drop a CD or USB thumb drive with a creative label.
– Follow employees through secured doors.
– Develop rapport and level of comfort.
Social Engineering Threats To Organizations
Lack of Employee Awareness: 56%
Phishing: 21%
Criminals: 12%
Other: 6%
Vishing: 5%
Source: 2014 Poll: Employees Clueless About Social Engineering, InformationWeek-Dark Reading
Risk of Falling for Social Engineering Attack
New employees: 60%
Contractors: 44%
Executive assistants: 38%
Human resources: 33%
Business leaders: 32%
IT personnel: 23%
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research
Mitigating A Social Engineering Attack
Social engineering attacks cannot be prevented—only mitigated and deterred.
• Policies
– Employees are not allowed to divulge information.
– Prevents employees from being socially pressured or tricked.
– Policies MUST be enforced to be effective.
• Training
– User awareness—user knows giving out information is bad.
Mitigating A Social Engineering Attack
• Password management
• Physical security
• Network defenses may only temporarily repel attacks.
– Virus protection
– Email attachment scanning
– Firewalls, etc.
– Intrusion detection system and intrusion protection system
– Encrypted data at rest
• Security must be tested and updated periodically.
Mitigating A Social Engineering Attack
• Social engineering testing
– IMPORTANT! This is strictly intended to be a learning tool for the organization—not a punishment for individual employees.
– Who should consider testing?
– Have the tester attempt to acquire information from employees using social engineering techniques.
• Attack strategically targeted areas of the organization.
– May include technical testing of malware and other abnormalities.
– What a tester legally cannot do.
Develop Internal Programs
Information Security Program
The written plan created and implemented by the
organization to identify and control risks to information and
information systems and to properly dispose of information.
Security Awareness Program
Security awareness reflects an organization’s attitude
toward protecting the physical and intellectual assets of an
organization. This attitude guides the approach used to
protect those assets.
Summary
• When assessing the weakest link, the human factor is very critical when protecting sensitive information and valuable assets.
• Social engineering testing is an effective method commonly used to assess the condition of the overall security culture.
• Good habits drive security culture and there are no technologies that will ever make up for poor security culture.
• Awareness programs, when properly executed, provide knowledge that instills behavior.
It is better to fail a test in a controlled environment than to be attacked without knowing how much information will be lost.
Data Security and Privacy Liability: Why Cyber Insurance is No Longer Optional!
Threat Matrix – Where Do We Start?
Threats to Cybersecurity are Decentralized and Diverse
Threats to Cybersecurity (diagram):
• Spy and Malware
• Spammers
• Bot-net Operators
• Nation
• Phisher
• Business competitors
• Corporate Espionage
• Terrorist
• Hacker
• Insider
• Criminal Groups
• Human Error
Statistically Speaking
Why Worry?
The most vigilant network security and most comprehensive privacy policies remain vulnerable to hackers, rogue employees, social engineering and human error!
Causes of Loss (2013-14)
“Dave” is Responsible for 31% of all Losses
Why Cyber Insurance?
• The frequency of privacy breaches is on the rise
– 10% increase year over year
• Threats and vulnerabilities are getting dramatically worse.
• More than 47 states, including U.S. territories, have enacted privacy laws in response to the increased frequency of privacy breaches.
Why Cyber Insurance?
• Corporate governance requires organizations to address information technology risks.
• The plaintiffs’ bar is becoming more active in pursuing class action litigation.
• Contracts may require cyber liability insurance.
• Cyber liability insurance can mitigate the financial impact on a company.
A “Not So Positive Trend”
In the past, small businesses (SMBs) may have been able to neglect network security with little consequence, but this is not the case today.
In Symantec’s 2014 Internet Security Threat Report they found SMBs (defined as having fewer than 250 employees) accounted for more than half of all targeted attacks (61%) in 2013. This was an 11 percentage point increase from the previous year.
You Are At Risk!
Financial Impact of a Security/Privacy Breach?
• Cost to defend and/or settle:
– Regulatory investigations.
– Unauthorized access or unauthorized use.
– Allegations that malicious code (such as viruses) caused harm to the data or computer systems of third parties.
– Allegations that an insured’s computer system denied a third party the ability to conduct transactions.
– Litigation from customers or employees for identity theft.
Financial Impact of a Security/Privacy Breach?
• Cost to investigate and determine the cause of a security or privacy breach, including computer forensics.
• Cost to hire a public relations or crisis management firm to mitigate against reputational harm.
• Cost for legal counsel related to privacy and notification laws.
Example: 2,500 records times $201 equals $502,500 just in notification costs!!
Key Coverage Components
The following are the essential coverages when putting together a comprehensive cyber liability policy…
Network Security Liability
• Provides liability coverage for damages and claim expenses arising out of an actual or alleged act, error or omission resulting in:
– The failure to prevent unauthorized access to or use of a system that results in:
• The destruction, deletion or corruption of electronic data;
• Theft or loss of data; or
• Denial of service attacks against Internet sites or computers.
Network Security Liability
• The inability of a third party, who is authorized to do so, to gain access to your system.
• The failure to prevent transmission of Malicious Code from your system to third-party computers and systems.
Privacy Liability and Privacy Regulatory Proceeding
• Provides liability coverage if an insured fails to protect electronic or non-electronic private or confidential information in their care, custody and control.
• Provides coverage for defense expenses, and in some cases penalties/fines, incurred from a regulatory proceeding resulting from a violation of a privacy law caused by a covered security breach.
Breach Response Expenses
• Covers crisis management, including credit monitoring services and public relations expenses incurred resulting from a security or privacy breach. Also pays costs of notifying consumers as required by various state, federal or international laws or regulations.
Media Liability/Cyber Extortion/Business Interruption
• Covers the insured for Intellectual Property (copyright infringement, etc.) and Personal Injury (defamation, etc.) perils that result from an error or omission in content on their website. Multimedia coverage is also available.
• Provides coverage for expenses and/or losses incurred as the result of an extortion threat made against an insured.
• Provides coverage for business interruption loss and/or business restoration expense incurred by the insured as the direct result of a security breach that caused system failure.
Data Restoration and Professional Liability
• Pays the reasonable costs incurred by the insured, in excess of any normal operating costs, for the restoration of any data stored.
• Technology E&O and/or certain Miscellaneous Professional Liability exposures may be combined with the cyber coverage in one policy.
Gaining Traction
Data breach or cyber insurance policies are becoming a more important part of a company’s preparedness plans.
In 2013, only 10% of respondents said their company purchases a policy. In 2014 the percentage more than doubled to 26%.
Final Thoughts
• Anyone who collects, stores (either on their system, a third party vendor or the cloud) and/or shares customer information (PII or PHI) has an exposure regardless of industry class or size.
• Size doesn’t matter!
– “Targets of opportunity” are based on “ease of access” & likelihood of breach being detected.
• This coupled with the probability of human error or unintended disclosure can result in significant costs.
QUESTIONS?
Contact Information
Raja Paranjothi
CBIZ Business and Technology
Risk Services
913.234.1869
Kyle Konopasek
CBIZ Business and Technology
Risk Services
913.234.1020
Damian Caracciolo
CBIZ Risk & Consulting
443.472.8096