12100 Sunrise Valley Dr. Suite 290-1 Reston, VA 20191
Cybercriminals have a staggering variety of ways to get to your company’s systems and sensitive data, and social engineering attacks number among their most successful. Social engineering is the technique of manipulating people into violating security procedures by either disclosing sensitive information or otherwise breaking with security protocol. Outside of the cybersecurity context, social engineering is innocent enough: many of us use it when we want something from friends or family, to influence people to our way of thinking, or for other harmless purposes. Cybercriminals use social engineering for nefarious reasons.
Significant improvements in security technology have made it difficult for cybercriminals to steal sensitive data by penetrating computer systems. Social engineering relies on momentary weaknesses in people, and it’s easier to deceive someone than it is to hack into systems. Protecting your company from social engineering attacks requires dedication to a training program that addresses your entire workforce and includes social engineering exercises as a test of the training program’s success.
This paper covers several important elements to include in your workforce cybersecurity
training program. At minimum, train your workforce to identify the following four
attack methods to reduce your vulnerability to social engineering attacks:
1. Phishing – The cybercriminal sends fake emails that appear legitimate to the workforce community. The emails typically include malicious attachments or links, or request that the user send back sensitive information. Some examples can be found here: http://www.it.cornell.edu/security/phishbowl.ctm
2. Pretexting – The cybercriminal calls an employee with a believable story (often impersonating a C-level officer, an IT person, or a similar trusted role in your company), and asks the employee to disclose sensitive information over the phone.
3. Media Dropping – The cybercriminal puts malicious files on a USB drive and leaves them in high-traffic areas (coffee area, cafeteria, break room, printer room, parking lot, and so forth). Once an employee inserts the USB drive into a company-connected computer, the system is infected with malware that enables the cybercriminal to take control of the employee’s computer.
4. Physical access to sensitive areas – The cybercriminal parks in your company’s parking lot and observes the area for weak physical controls. The cybercriminal uses the weak physical controls to gain access to sensitive areas, and then either steals computer systems, or connects to the network to access your systems and steal sensitive data.
Strengthening the Weakest Link
Reducing Risks from Social Engineering Attacks
COPYRIGHT © 2015 VIMRO, LLC. ALL RIGHTS RESERVED. ALL REFERENCED COMPANY NAMES AND LOGOS ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS
Covering the essential information in your cybersecurity training is one thing, but employee retention of the training content is key. Here are some tips for increasing the chances of information retention:
1. Make it personal – One example of personalizing your cybersecurity training is to incorporate how workforce members can protect themselves both at work and at home. For instance, one of VIMRO’s training sessions includes a checklist for protecting yourself from identity theft (appended to this document as Attachment A).
2. Incorporate humor – Humor makes the information you disseminate more entertaining and enjoyable
for the attendees. VIMRO often shows cartoons or funny videos that are relevant to the essential message,
and more likely to hold your employees’ attention.
3. Tell real-world stories – People are more likely to remember something if it actually happened, especially if it happened within your organization. VIMRO usually incorporates lessons learned first-hand and recounts stories of successful and unsuccessful attempts to social engineer access to your company’s network from your company’s last social engineering exercises. For instance, Attachment B lists some data elements that a cybercriminal can learn about a person and their company. Most people do not recognize how much information is available about them and where they work. Learning the publicly available information beforehand makes it easier for a criminal to deceive an individual or the individual’s co-workers, friends, and family. Examples of how a criminal can use this information include:
a. Fraudulent wire transfers
b. Impersonating the target victim to obtain their bank account information, passwords, social security numbers, and other Personally Identifiable Information (PII) from other victims who are associated with the primary target
c. Identity theft of either the primary victim or people associated with the primary victim
Conduct social engineering exercises at least annually to ensure that your training is effective. An
example of VIMRO’s training methodology includes:
1. Social Engineering Phishing Exercise:
a. Recreate a client’s website, so that workforce members log into it believing that it is an actual
client’s site. The fake website captures account and password information from anyone deceived
into logging into the system.
b. Send a fake email to workforce members. The email attempts to influence them to log into a fake
site using their network account and password.
c. Analyze the results and write a report on the exercise.
2. Social Engineering Pretexting Exercise:
a. Call users impersonating a trusted source.
b. During the call, attempt to obtain the user’s account and password.
c. Analyze the results of the exercise and write the report.
(800) 272 0019
Ashburn, VA | Baltimore, MD | Boston, MA | Glendale, CA | Las Vegas, NV | Reston, VA | San Diego, CA | Tampa, FL
3. Physical Security Penetration/Walkthrough Exercise:
a. Attempt to gain unauthorized access to conference rooms or other work areas.
b. Attempt to access the network from a work area that has network access.
c. Once on the network, try to find and access weak systems by conducting
vulnerability scans and other penetration testing methods.
d. Conduct a walk-through of work areas in search of sensitive information on desks (unattended logged-on workstations, papers with sensitive information left in plain sight, and so forth).
e. Leave USB drives with harmless files on them in public areas (parking lots, bathrooms, conference rooms, lunch/break rooms, and so forth). The USB drives report into VIMRO’s secured and monitored systems if anyone plugs them into a network-connected computer.
f. Leave an envelope addressed to a specific individual or department from a publicly known entity with whom they do business. The envelope contains a note and a CD/USB drive with harmless files on it. The CD/USB drive reports into VIMRO’s secured and monitored systems if someone plugs it into a network-connected computer.
g. Analyze the results of the exercise and write the report.
Conducting the above training decreases your workforce’s vulnerability to social
engineering attacks, and reduces your company’s risk of breaches to sensitive
systems and data.
You can use the outcomes of the above exercises to determine the:
• Effectiveness of your existing security program as it relates to human processes and
procedures
• Extent of your workforce members’ training as it relates to information handling and
disclosure
• Capability of your workforce members to report incidents to management
• Capability of management to respond to incidents reported by workforce members
• Capability of your personnel to identify and mitigate social engineering attempts
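As an added example (not part of the paper and not VIMRO’s tooling), the script below turns constructed telemetry from the three exercise types into the outcome measures listed above: per department, how often people disclosed credentials or plugged in a dropped drive, how often they reported the attempt, and how quickly. The event names, usernames, departments and timestamps are assumed for the example.

```python
"""Score social-engineering exercise telemetry (added example, not VIMRO's tooling).

Consumes constructed event records from phishing, pretexting and media-drop
exercises and produces disclosure rate, reporting rate and time to report,
per department and in total, which is what the exercise report needs.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import median

# Constructed sample telemetry: (timestamp, exercise, user, department, action).
# Users, departments and times are invented for this example.
SAMPLE_EVENTS = [
    ("2015-12-10T09:00:00", "phishing", "alice", "finance", "email_sent"),
    ("2015-12-10T09:00:00", "phishing", "bob", "finance", "email_sent"),
    ("2015-12-10T09:00:00", "phishing", "carol", "it", "email_sent"),
    ("2015-12-10T09:00:00", "phishing", "dave", "it", "email_sent"),
    ("2015-12-10T09:04:00", "phishing", "alice", "finance", "link_clicked"),
    ("2015-12-10T09:05:00", "phishing", "alice", "finance", "credentials_submitted"),
    ("2015-12-10T09:07:00", "phishing", "bob", "finance", "link_clicked"),
    ("2015-12-10T09:12:00", "phishing", "carol", "it", "reported"),
    ("2015-12-10T09:30:00", "phishing", "bob", "finance", "reported"),
    ("2015-12-10T14:00:00", "pretexting", "bob", "finance", "called"),
    ("2015-12-10T14:06:00", "pretexting", "bob", "finance", "credentials_submitted"),
    ("2015-12-10T14:20:00", "pretexting", "dave", "it", "called"),
    ("2015-12-10T14:25:00", "pretexting", "dave", "it", "reported"),
    ("2015-12-11T08:15:00", "media_drop", "erin", "ops", "usb_plugged"),
    ("2015-12-11T08:40:00", "media_drop", "erin", "ops", "reported"),
]

# The action that counts as "fell for it" in each exercise type (assumed names).
DISCLOSURE = {
    "phishing": "credentials_submitted",    # logged in to the look-alike site
    "pretexting": "credentials_submitted",  # gave account/password over the phone
    "media_drop": "usb_plugged",            # inserted the dropped drive (beacon fired)
}


@dataclass
class Summary:
    exposed: int = 0     # users who got the lure (email, call) or touched a drive
    clicked: int = 0     # phishing only: opened the link (with or without logging in)
    disclosed: int = 0   # users who took the DISCLOSURE action
    reported: int = 0    # users who reported the attempt, even after falling for it
    report_minutes: list = field(default_factory=list)  # first event -> first report

    @property
    def disclosure_rate(self) -> float:
        return self.disclosed / self.exposed if self.exposed else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.exposed if self.exposed else 0.0

    @property
    def median_minutes_to_report(self):
        return median(self.report_minutes) if self.report_minutes else None


def summarize(events):
    """Return {(exercise, department): Summary}; department "ALL" is the total."""
    per_user = defaultdict(list)
    for ts, exercise, user, dept, action in events:
        per_user[(exercise, user, dept)].append((datetime.fromisoformat(ts), action))

    results = defaultdict(Summary)
    for (exercise, user, dept), actions in per_user.items():
        actions.sort()                       # chronological, so [0] is the exposure
        taken = {a for _, a in actions}
        reports = [t for t, a in actions if a == "reported"]
        for key in ((exercise, dept), (exercise, "ALL")):
            s = results[key]
            s.exposed += 1
            s.clicked += int("link_clicked" in taken)
            s.disclosed += int(DISCLOSURE[exercise] in taken)
            if reports:  # a user who disclosed and then reported still counts as reporting
                s.reported += 1
                s.report_minutes.append((min(reports) - actions[0][0]).total_seconds() / 60)
    return dict(results)


def gaps(results):
    """Departments that fell for the lure more often than they reported it."""
    return sorted((ex, dept) for (ex, dept), s in results.items()
                  if dept != "ALL" and s.disclosure_rate > s.report_rate)


if __name__ == "__main__":
    results = summarize(SAMPLE_EVENTS)
    for (ex, dept), s in sorted(results.items()):
        print(f"{ex:<11} {dept:<8} exposed={s.exposed} disclosed={s.disclosed} "
              f"reported={s.reported} report_rate={s.report_rate:.0%}")
    print("gaps:", gaps(results))
```

A department that shows up in `gaps` is where the reporting path (workforce to management) needs attention at least as much as the lure-recognition training does.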
Contact VIMRO for more information about how we have helped organizations
create, enhance, and maintain their workforce cybersecurity-training programs.
Authored by VIMRO’s Cybersecurity Leaders
Attachment A – Identity Theft Protection Checklist
• Get a free credit report using only one of these vendors every 4 months – TransUnion,
Equifax, Experian: https://www.annualcreditreport.com/index.action
• Create a Google Alert for your name so that you will be alerted when a new address is
associated with your name
• Conduct a search on your name once every four months:
o http://www.whitepages.com/
o https://pipl.com/
o http://www.peekyou.com/
o https://www.facebook.com
o http://www.intelius.com/
o http://www.zoominfo.com/
• Opt out of preapproved credit: https://www.optoutprescreen.com/?rf=t
• Apply a credit freeze: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
• More tips: https://www.consumer.ftc.gov/topics/identity-theft
• If you do not want to do it yourself, consider one of these Identity Theft Protection
Service Providers: http://identity-theft-protection-services-review.toptenreviews.com/
Clues That Someone Has Stolen Your Information
• You see withdrawals from your bank account that you can’t explain.
• You don’t get your bills or other mail.
• Merchants refuse your checks.
• Debt collectors call you about debts that aren’t yours.
• You find unfamiliar accounts or charges on your credit report.
• Medical providers bill you for services you didn’t use.
• Your health plan rejects your legitimate medical claim because the records show you’ve
reached your benefits limit.
• A health plan won’t cover you because your medical records show a condition you
don’t have.
• The IRS notifies you that more than one tax return was filed in your name, or that you
have income from an employer you don’t work for.
• You get notice that your information was compromised by a data breach at a company
where you do business or have an account.
Attachment B
An Example of Internet Intelligence on a Person
After the simple task of learning a company technology executive's name, we searched publicly available information. Within thirty minutes, we obtained his full date of birth, his last four home addresses, six phone numbers for him, and nine current and previous email addresses. We also learned his present home address, when his home was purchased, how much he paid for it, and the names of its additional occupants.

He is currently employed by a private, family-run, half-billion-dollar corporation. We identified its CEO, CFO, and several relatives of its original owner. We obtained the birthdate of each of the aforementioned, their present residences, their interests, and hobbies. After cross-referencing social media, we concluded that the family executives of the corporation take an annual vacation abroad at the same time every year.

Had we been fueled by malicious intent, we could have easily found deeper details, as well as additional information for socially engineering even more targets. And, if we had nefarious purposes (such as monetary gain or disruption of business for other reasons), we could have leveraged all this information to attack the organization and its employees.