TRANSCRIPT
Corporate Customer Training: Cybersecurity & CATO
Circa 2009
Today…
2020 Breaches
January 2020
• Customer support database unprotected
• 280 million customer records
• Emails, IP addresses, support case details
• No other personal information compromised
February 2020
• Former employee responsible for breach
• "Undisclosed number of customers"
• Name, SSN, driver's license info, address, DOB, account numbers, etc.
February 2020
• Third-party vendor
• Employee laptop theft
• 654k members' personal and medical info exposed
February 2020
• 10.6 million customer records published to hacking forum
• Personal info and contact details for tourists, travelers, celebrities, CEOs, government officials, etc.
• Security incident uncovered in summer 2019
March 2020
• Employee and customer information accessed
• Compromised employee email
• Names, addresses, SSN
• Passport and driver's license numbers
• Credit card and account information
March 2020
• Employee email account compromised
• Third-party email vendor
• Unknown amount of personal information
• Name, addresses, SSN
• Driver's license numbers, billing information
March 2020
• Third-party application breach
• 5.2 million guest records impacted
• Names, emails, phone numbers
• Linked loyalty programs
• 2nd known breach in 2 years
Time to Act
Criminal Objectives
• Access or manipulate data
• Destruction of data
• Extortion or ransom
• Disruption
Phishing Objectives
• Install malware
• Steal credentials
• Obtain information
• Perform a task
2019 Verizon Data Breach Investigations Report
• 3% of users will click on any phishing campaign
• Average 16 minutes until the first click on a phishing campaign
• First report from a savvy user will arrive after an average of 28 minutes
Examples
• Posing as vendor to change bank account information
• Use similar domain name
• aliiedconsulting.com
One click… that’s all it takes!
Malware Evolution
Fileless Malware
• More prevalent in 2019 than ransomware
• Exploits vulnerabilities in browsers and associated programs, or arrives via a phishing attack
• Code runs in memory and calls on programs already installed on the system, rather than installing its own
Corporate Account Takeover (CATO)
• Criminals gain access to bank account
• Obtain user credentials
  • Phishing email
  • Keylogger malware
• Obtain access
  • Physical
  • Remote
Corporate Account Takeover (CATO)
• System access dangers
  • Logged into Internet banking
  • Password manager auto-populates passwords
  • One-time code sent by text or email to the same compromised system
  • Guess answers to knowledge-based questions via social networking research
CATO Damages
• Add new user accounts
• Initiate transfers
  • ACH
  • Wires
  • Other external transfer options
• Access to confidential data for additional attacks
CATO Protection & Prevention
• Banking controls
  • Multi-factor authentication
  • New user alerts
  • Device authentication/restriction
  • Enhanced high-risk transaction controls
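The controls above are easier to reason about as concrete rules. The following is an added example (not part of the training deck or of any bank's system) that runs a new-user alert, a device restriction check and a high-risk transfer hold over a constructed online-banking audit log that follows the CATO pattern from the "CATO Damages" slide: an unenrolled device logs in, adds a user, and that user sends a large wire. The device registry, the known-payee list, the 10,000 threshold and the 24-hour window are assumptions chosen for the example.

```python
# Added example, not part of the original training deck. A small rule set
# of the kind the "CATO Protection & Prevention" controls describe: new-user
# alerts, device restriction and high-risk transaction holds, run over a
# constructed online-banking audit log. Device registry, payee list and the
# dollar threshold are assumptions for the example.
from datetime import datetime, timedelta

# Assumed per-company registry of enrolled devices and previously paid payees.
KNOWN_DEVICES = {"acme-corp": {"dev-laptop-01", "dev-laptop-02"}}
KNOWN_PAYEES = {"acme-corp": {"Office Supply Co"}}
# Assumed review threshold for a single transfer, and the window after a
# user account is created during which its transfers are treated as suspect.
TRANSFER_REVIEW_THRESHOLD = 10_000.00
NEW_USER_WINDOW = timedelta(hours=24)
TRANSFER_ACTIONS = {"ach", "wire", "external_transfer"}

# Constructed audit log: a normal morning, then an evening session from an
# unenrolled device that adds a user and sends a large wire.
EVENTS = [
    {"ts": "2020-03-02T09:01:00", "company": "acme-corp", "user": "jsmith",
     "action": "login", "device": "dev-laptop-01"},
    {"ts": "2020-03-02T09:05:00", "company": "acme-corp", "user": "jsmith",
     "action": "ach", "device": "dev-laptop-01",
     "amount": 1250.00, "payee": "Office Supply Co"},
    {"ts": "2020-03-02T22:40:00", "company": "acme-corp", "user": "jsmith",
     "action": "login", "device": "unk-9f3a"},
    {"ts": "2020-03-02T22:42:00", "company": "acme-corp", "user": "jsmith",
     "action": "create_user", "device": "unk-9f3a", "new_user": "tmpadmin"},
    {"ts": "2020-03-02T22:50:00", "company": "acme-corp", "user": "tmpadmin",
     "action": "wire", "device": "unk-9f3a",
     "amount": 48_000.00, "payee": "Global Trading Ltd"},
]


def review_events(events):
    """Return one alert per event that trips a control. Transfers with any
    finding are held for out-of-band (callback) verification; other events
    only notify the account administrator."""
    alerts = []
    created_at = {}  # (company, username) -> time the account was created
    for event in events:
        ts = datetime.fromisoformat(event["ts"])
        company = event["company"]
        reasons = []

        # Device authentication/restriction: anything not enrolled is flagged.
        if event["device"] not in KNOWN_DEVICES.get(company, set()):
            reasons.append("unregistered device")

        # New user alert: remember when the account appeared.
        if event["action"] == "create_user":
            created_at[(company, event["new_user"])] = ts
            reasons.append("new user account created")

        # Enhanced high-risk transaction controls.
        if event["action"] in TRANSFER_ACTIONS:
            if event["amount"] >= TRANSFER_REVIEW_THRESHOLD:
                reasons.append(f"amount at or above {TRANSFER_REVIEW_THRESHOLD:,.2f}")
            if event["payee"] not in KNOWN_PAYEES.get(company, set()):
                reasons.append("first payment to this payee")
            birth = created_at.get((company, event["user"]))
            if birth is not None and ts - birth <= NEW_USER_WINDOW:
                reasons.append("initiated by account created within 24h")

        if reasons:
            alerts.append({
                "ts": event["ts"],
                "user": event["user"],
                "action": event["action"],
                "reasons": reasons,
                "disposition": "hold" if event["action"] in TRANSFER_ACTIONS else "notify",
            })
    return alerts


if __name__ == "__main__":
    for alert in review_events(EVENTS):
        print(alert["ts"], alert["user"], alert["action"], alert["disposition"],
              "; ".join(alert["reasons"]))
```

Run on the constructed log, the morning login and the small ACH to a known payee produce nothing, the evening login and the account creation each produce a notification, and the wire is held with four reasons at once. The point for a customer is that none of these rules needs the bank to know the attacker's method; the new device, the new user and the new payee are visible in the bank's own records before the money leaves.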
Phishing Attempts
• Inspect for typos
• Check email address and domain name
• Click correctly
  • Hover over link
  • Right click and copy
  • Visit website manually
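Two of these checks ("Check email address and domain name" and "Hover over link") can be automated the same way a reader does them by hand. The following is an added example (not code from the training deck) that takes a constructed message built around the look-alike domain from the Examples slide, classifies the sender's domain against a list of domains the organisation trusts, and flags any link whose visible text names one domain while its real target is another. The TRUSTED_DOMAINS list, the sample message and the small look-alike character table are assumptions for the example; only the Python standard library is used.

```python
# Added example, not part of the original training deck. It applies two of
# the checks the "Phishing Attempts" slides describe ("Check email address and
# domain name", "Hover over link") to a constructed message that uses the
# look-alike domain from the Examples slide. TRUSTED_DOMAINS is an assumption.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains this organisation legitimately corresponds with.
TRUSTED_DOMAINS = {"alliedconsulting.com", "example-bank.com"}

# Constructed message for the example (headers and HTML body).
SAMPLE_EMAIL = """\
From: "Allied Consulting AP" <billing@aliiedconsulting.com>
To: payables@example-bank.com
Subject: Updated remittance details
Content-Type: text/html

<html><body>
<p>Please use the form below to update our bank account on file.</p>
<p><a href="http://aliiedconsulting.com/update">https://alliedconsulting.com/vendor/update</a></p>
<p>Questions? <a href="https://example-bank.com/contact">contact us</a></p>
</body></html>
"""


def normalize(domain):
    """Fold characters that look alike (1/l, 0/o, rn/m, ...) so that
    'aliied' and 'allied' compare equal. Used only for the look-alike check."""
    domain = domain.lower().replace("rn", "m").replace("vv", "w")
    return domain.translate(str.maketrans("01i35", "olles"))


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """Return ('trusted', d), ('lookalike', d) or ('unknown', None)."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 2:
            return "lookalike", trusted
    return "unknown", None


def domain_of(text):
    """Host part of a URL or bare domain; '' if the text is not URL-like."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw):
    """Classify the sender domain and every link in an RFC 822 message."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    verdict, match = classify_domain(sender_domain)
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    links = []
    for href, text in collector.links:
        href_domain, text_domain = domain_of(href), domain_of(text)
        link_verdict, link_match = classify_domain(href_domain)
        links.append({
            "href_domain": href_domain, "verdict": link_verdict, "matches": link_match,
            # Visible text names one domain while the real target is another.
            "text_mismatch": bool(text_domain) and text_domain != href_domain,
        })
    return {"sender": {"domain": sender_domain, "verdict": verdict, "matches": match},
            "links": links}
```

On the constructed message the sender domain and the first link are both reported as look-alikes of alliedconsulting.com, and the first link is additionally flagged because its visible text and its real target disagree; the second link resolves to a trusted domain and its text is plain words, so it passes. The two-edit tolerance in classify_domain is deliberately loose for the example; on very short trusted domains it will also match unrelated names, so in practice the list of trusted domains and the tolerance are tuned together.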
Phishing Attempts
• It doesn't feel right
  • Tone is off
  • Urgent/threatening
  • Unfamiliar or unexpected
Malware & Patch Management
• Servers
• Workstations
• Laptops
• Mobile devices
• Peripheral devices
• IoT
Malware & Patch Management
• Centralized system
  • All devices present
  • Receive latest updates or definition files
  • Remediate issues
• Limit users' rights
  • Downloaded apps from Internet
  • Browser add-ons
Wi-Fi Networks
• Ubiquitous access
• Risks
  • Malware can spread
  • Traffic sniffing
  • Vulnerability scanning
Wi-Fi Networks
• Be wary of public Wi-Fi
• Use HTTPS
• Turn off file sharing
• Use VPN
Password Security
• Numbers, characters, symbols
• Avoid common words
• >12 characters
• Unique and private passwords
  • Business vs personal
• Layered security
Web Surfing
• Avoid questionable websites
• Cautious downloads
• Current browser
• Inspect URL
• Malvertising
Data Storage
• Save files to appropriate location
• Beware
  • External drives
  • Mobile devices
  • Rogue cloud storage and sharing
Vendor Management
• New vendor relationships
  • Procedures for evaluating vendors
  • Risk assessment
  • Contract review
  • Approval procedures
• Existing vendor relationships
  • Periodic oversight procedures
Social Networking
• Impersonation
  • Phishing & vishing
  • ID theft
  • Pretexting
  • Security questions & answers
• Data is not always private
Mobile Devices
• Automatic lockout
  • Biometric/PIN
  • Inactivity
• Encryption
• Remote wipe
• Data storage
• Patches & updates
Email
• Easily spoofed
• Not all services are encrypted
• Accounts easily hacked
• Be careful what you send in email
Training
• Training methods vary
  • Seminar, emails, newsletters
  • Anyone can teach!
• Training should be completed
  • Upon hire
  • Annually
  • Continuously
Important Takeaways
• Be vigilant of phishing attempts
• Practice top tips
• Train employees
• Work proactively with partners
• Trust your instincts
© 2020 Capin Technology LLC
Thanks!
Thomas L. Tyler, Jr., Cybersecurity Advisor
505.50.CAPIN x2009