Corporate Customer Training: Cybersecurity & CATO

Post on 06-Jul-2020




Circa 2009

Today…


2020 Breaches

January 2020

• Customer support database unprotected

• 280 million customer records

• Emails, IP addresses, support case details

• No other personal information compromised


February 2020

• Former employee responsible for breach

• "Undisclosed number of customers"

• Name, SSN, driver's license info, address, DOB, account numbers, etc.

February 2020

• Third-party vendor

• Employee laptop theft

• 654k members' personal and medical info exposed


February 2020

• 10.6 million customer records published to hacking forum

• Personal info and contact details for tourists, travelers, celebrities, CEOs, government officials, etc.

• Security incident uncovered in summer 2019

March 2020

• Employee and customer information accessed

• Compromised employee email

• Names, addresses, SSN

• Passport and driver's license numbers

• Credit card and account information


March 2020

• Employee email account compromised

• Third-party email vendor

• Unknown amount of personal information

• Name, addresses, SSN

• Driver's license numbers, billing information

March 2020

• Third-party application breach

• 5.2 million guest records impacted

• Names, emails, phone numbers

• Linked loyalty programs

• 2nd known breach in 2 years


Time to Act

Criminal Objectives

• Access or manipulate data

• Destruction of data

• Extortion or ransom

• Disruption


Phishing Objectives

• Install malware

• Steal credentials

• Obtain information

• Perform a task

2019 Verizon Data Breach Investigations Report

• 3% of users will click on any phishing campaign

• Average 16 minutes until the first click on a phishing campaign

• First report from a savvy user will arrive after an average of 28 minutes

Examples

• Posing as vendor to change bank account information

• Use similar domain name

  • [email protected]

  • [email protected]

  • aliiedconsulting.com
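The lookalike-domain trick above can be checked mechanically on inbound mail before an accounts-payable clerk ever sees it. The script below is an added example written for this page, not code from the training deck or from Capin Technology. It assumes a constructed allow-list of approved vendor domains (KNOWN_VENDOR_DOMAINS) and the sample sender addresses are made up; going beyond the single slide example, it also catches homoglyph swaps (rn for m, 1 or i for l, 0 for o) and an approved domain buried inside a longer, unrelated one.

```python
"""Flag e-mail sender domains that resemble an approved vendor's domain.

Added example, not part of the original training deck. The approved-vendor
list and the sample sender addresses are constructed for illustration; the
lookalike domain aliiedconsulting.com is the one shown on the slide.
"""
from __future__ import annotations

# Constructed allow-list: domains the business has verified out of band.
KNOWN_VENDOR_DOMAINS = {"alliedconsulting.com", "examplebank.com"}

# One-directional canonical substitutions for characters that look alike.
# Applied to both sides of a comparison, so "rn" and "m" compare equal, as do
# "i", "l" and "1", and "0" and "o".
HOMOGLYPH_FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def fold_homoglyphs(domain: str) -> str:
    """Normalise case and collapse look-alike characters for comparison."""
    d = domain.lower().strip().rstrip(".")
    for src, dst in HOMOGLYPH_FOLDS:
        d = d.replace(src, dst)
    return d


def classify_sender(address: str, known: set[str] = KNOWN_VENDOR_DOMAINS,
                    max_distance: int = 2) -> tuple[str, str | None]:
    """Return (verdict, matched_vendor) for the domain part of an address.

    Verdicts:
      known     - exact match with an approved vendor domain
      embedded  - an approved domain appears inside a longer, different domain
                  (e.g. vendor.com.some-other-site.example)
      lookalike - homoglyph-equal to, or within max_distance edits of, a vendor
      unknown   - no resemblance to any approved vendor
    """
    if "@" not in address:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = address.rsplit("@", 1)[1].strip().lower()
    if domain in known:
        return "known", domain
    for vendor in sorted(known):           # sorted for deterministic results
        if vendor in domain:
            return "embedded", vendor
        if (fold_homoglyphs(domain) == fold_homoglyphs(vendor)
                or levenshtein(domain, vendor) <= max_distance):
            return "lookalike", vendor
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders; only the first is the genuine vendor.
    for sender in ("ap@alliedconsulting.com",
                   "ap@aliiedconsulting.com",
                   "ap@alliedconsulting.com.invoice-portal.example",
                   "someone@unrelated.example"):
        print(f"{sender:50} -> {classify_sender(sender)}")
```

Tune max_distance to the length of the vendor names: at two edits, short domains collide with unrelated legitimate ones, and the substring check flags anything that merely contains a vendor name, so treat both as triage signals that route a bank-detail change to a phone call-back, not as a hard block rule.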


One click… that’s all it takes!


Malware Evolution


Fileless Malware

• More prevalent in 2019 than ransomware

• Exploit vulnerabilities in browsers and associated programs or via phishing attack

• Code runs and calls on programs already installed on the system, rather than installing its own


Corporate Account Takeover (CATO)

• Criminals gain access to bank account

• Obtain user credentials

  • Phishing email

  • Keylogger malware

• Obtain access

  • Physical

  • Remote


Corporate Account Takeover (CATO)

• System access dangers

  • Logged into Internet banking

  • Password manager auto-populates passwords

  • Sends code to text or email on system

  • Guess answers to knowledge-based questions via social networking research

CATO Damages

• Add new user accounts

• Initiate transfers

  • ACH

  • Wires

  • Other external transfer options

• Access to confidential data for additional attacks


CATO Protection & Prevention

• Banking Controls

  • Multi-factor authentication

  • New user alerts

  • Device authentication/restriction

  • Enhanced high-risk transaction controls


Phishing Attempts

• Inspect for typos

• Check email address and domain name

• Click correctly

  • Hover over link

  • Right click and copy

  • Visit website manually

• It doesn't feel right

  • Tone is off

  • Urgent/threatening

  • Unfamiliar or unexpected
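"Hover over the link" and "check the domain name" are exactly the checks a mail gateway or help-desk tool can run on every anchor in a message. The script below is an added example for this page, not code from the training deck or from Capin Technology; the sample HTML message and every domain and address in it are constructed. It compares the displayed link text with the real href host, flags a plain-http or non-web scheme, a raw IP host, and the user@host trick where the text before the "@" is ignored by the browser.

```python
"""Audit the links in an HTML e-mail the way the slide tells a user to by hand:
read the real target, compare it with what is displayed, and treat any
disagreement as a reason to type the address yourself instead.

Added example, not part of the original training deck. The sample message and
all domains in it are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Display text that itself looks like a URL or bare host name.
_URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Host name of a URL; bare 'host/path' text is treated as http://host/path."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def inspect_link(href: str, display: str) -> list[str]:
    """Return human-readable findings for one link (empty list = nothing odd)."""
    findings: list[str] = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        findings.append(f"non-web scheme: {parts.scheme or '(none)'}")
    elif parts.scheme == "http":
        findings.append("not HTTPS")
    if parts.username is not None:
        # Everything before '@' is user info; the browser connects to the host after it.
        findings.append(f"'@' in URL: real host is {host}")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address host")
    except ValueError:
        pass
    if _URL_LIKE.fullmatch(display):
        shown = host_of(display)
        if shown != host:
            findings.append(f"display shows {shown} but link goes to {host}")
    return findings


def audit_html(html: str) -> list[tuple[str, list[str]]]:
    """Run inspect_link over every anchor in an HTML body."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [(href, inspect_link(href, text)) for href, text in collector.links]


# Constructed sample message: a lookalike host behind honest-looking text,
# a '@' trick pointing at an IP address, and one genuine link.
SAMPLE_EMAIL = """
<p>Your invoice is ready:
<a href="https://login.examplebank.com.invoice-review.example/auth">https://login.examplebank.com</a></p>
<p>Problem with your account? <a href="http://examplebank.com@198.51.100.23/verify">Verify now</a></p>
<p>Statements: <a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></p>
"""

if __name__ == "__main__":
    for href, findings in audit_html(SAMPLE_EMAIL):
        print(href)
        for finding in findings or ["(no findings)"]:
            print("   -", finding)
```

The display-versus-target comparison only fires when the visible text looks like a URL; a link labelled "Verify now" is judged on its target alone, which is why the second link is reported for its scheme, its "@" and its IP host rather than for a mismatch.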

Malware & Patch Management

• Servers

• Workstations

• Laptops

• Mobile devices

• Peripheral devices

• IoT


• Centralized system

  • All devices present

  • Receive latest updates or definition files

  • Remediate issues

• Limit users' rights

  • Downloaded apps from Internet

  • Browser add-ons

Wi-Fi Networks

• Ubiquitous access

• Risks

  • Malware can spread

  • Traffic sniffing

  • Vulnerability scanning


Wi-Fi Networks

• Be wary of public Wi-Fi

• Use HTTPS

• Turn off file sharing

• Use VPN

Password Security


• Numbers, characters, symbols

• Avoid common words

• >12 characters

• Unique and private passwords

• Business vs personal

• Layered security

Web Surfing

• Avoid questionable websites

• Cautious downloads

• Current browser

• Inspect URL

• Malvertising


Data Storage

• Save files to appropriate location

• Beware

  • External drives

  • Mobile devices

  • Rogue cloud storage and sharing

Vendor Management

• New vendor relationships

  • Procedures for evaluating vendors

  • Risk assessment

  • Contract review

  • Approval procedures

• Existing vendor relationships

  • Periodic oversight procedures


Social Networking

• Impersonation

• Phishing & Vishing

• ID Theft

• Pretexting

• Security questions & answers

• Data is not always private

Mobile Devices

• Automatic lockout

  • Biometric/PIN

  • Inactivity

• Encryption

• Remote wipe

• Data storage

• Patches & updates


Email

• Easily spoofed

• Not all services are encrypted

• Accounts easily hacked

• Be careful what you send in email

Training

• Training methods vary

  • Seminar, emails, newsletters

  • Anyone can teach!

• Training should be completed

  • Upon hire

  • Annually

  • Continuously


Important Takeaways

• Be vigilant of phishing attempts

• Practice top tips

• Train employees

• Work proactively with partners

• Trust your instincts

© 2020 Capin Technology LLC

Thanks!

Thomas L. Tyler, Jr., Cybersecurity Advisor

[email protected]

505.50.CAPIN x2009