Cybersecurity Threats – What You Need to Know as an Insurance Professional and as a Consumer
Aurobindo Sundaram
VP IS Assurance & Data Protection, Reed Elsevier Inc.
November 2014
Security Leaders Summit Southeast
Agenda
• A Primer on Attacks
• Global Target Trends
• Global Attack Trends and Attacker Profiles
  » Custom malware and targeted social engineering
  » Indirect attacks (e.g. through third parties)
• An Example Attack
• Why Should Insurance Companies Care?
• Risk Mitigation
Attacks ...
“Hacking”
• Basic MO is to get through your systems before you patch them (network, application, custom code).
• Defend by equal parts luck, technology, and diligent process.
• Expose as little as you can, detect/prevent obvious attacks, and deflect attacks.
Denial of Service
• Almost always nuisance value from security perspective, less so from a loss of revenue perspective.
• Consider denial of service protection services (if your firewalls/border routers/ISPs are not up to the task)
Solid infrastructure should make both of these straightforward (but not easy!) to deal with
Attacks ...
Phishing
• More sophisticated than ever
• Spear phishing - Targeting specific individuals (e.g. senior executives)
• Quickly adapt to clone changes on legitimate websites
• Some variants even pass through to legitimate website
Targeted Malware
• Integrated with hacking and phishing attacks to create enduring weaknesses in infrastructure
• Not just financial customers that are targeted – web of compromise continues to expand.
• Hard to detect; once infected, you’re toast.
User education is critical
Do newer tools (e.g. FireEye) help? Unclear.
Advanced Persistent Threats
… a group, such as a foreign government or organized crime, with the capability and intent to persistently and effectively target a specific entity
• Social activism (“hacktivism”)
• Threats targeting financial institutions (directly or indirectly)
• Threats targeting other firms housing personal information (Legal, Insurance, Retail, etc.)
• Threats targeting infrastructure
Tempting to say “If xxx can be hacked, what chance do I have?”
Detection and response capabilities are key
Global Target Trends
• Attempting to retrieve financial information on consumers (e.g. through hacks of credit card databases; cloning of cards; and evasion of fraud detection mechanisms).
• Attempting to retrieve personal information on consumers (HR, health, shopping, insurance/claims) to use in future perpetration of identity theft.
• Attempting to retrieve corporate secrets (attacking legal firms, investment banks, high technology firms) for national or individual gain.
• Attempting to compromise user systems and use them as DDoS bots against targets (usually multi-player gaming systems – Sony, XBox, LoL, etc.).
Attacker Profiles
• Generally resident in countries where Rule of Law is weak (Eastern Europe, West Africa, etc.)
• Use a complex set of intermediaries to avoid detection
  • Attacking systems (bots, etc.)
  • Accessories (J1 visas, etc.)
• Use advanced technology and stealth measures to avoid detection
  • Tor
  • Bitcoin
  • Custom malware
  • (Can spend weeks to months breaking into a corporation)
• But also use simple attack mechanisms
  • Guessing of passwords
  • Simple phishing attacks and other social engineering
An Example Attack
J1 Mule Operator
• Aka the mastermind. He orchestrates the entire crime and reaps most of its proceeds (along with co-conspirators).
J1 Mule
• Foreign citizens that come to the US on J1 (exchange visitor) visas and then carry back currency to their home country.
Runner
• A go-between to receive money from a J1 mule and pass it on to a sender.
Sender
• A participant who retrieves funds to send to a foreign Receiver.
Receiver
• A foreign agent who receives funds from the crime to deliver to the J1 Mule Operator.
An Example Attack
[Diagram. Labels: J1 Mule Operator; Launch phishing email; (1) Online Research User; With compromised ID, access wealthy victim’s information; (2) Personal Records; (3) Victim’s Banks; (4) Impersonate victim; J1 Mules; Runner; Senders; Receivers]
An Example Criminal Enterprise Infrastructure
Why Should Insurance Companies Care?
• You access, store, or process significant sensitive personal information (SSNs, DOBs, bank account information from quotes, claims, etc.). You’re as tempting a target as a retail store, a public records company, a hospital...
• Some of you are also financial institutions or have links with them.
• You have thousands of agents and associates that access sensitive personal information, and any of them could be social engineered for their user credentials.
Risk Mitigation
How much risk do you want to mitigate and how much do you want to accept?
Perimeter Protections
• Firewalls with strict ingress/egress rules.
• Web hygiene checking (i.e. dynamic URL blocking).
• Intrusion detection/prevention systems.
• Penetration testing.
Host Protections
• Current anti-virus with updates (brand is not important).
• Patch management program.
Application Protections
• Authentication enhancements (e.g. strong passwords, multi-factor authentication).
• Web application security scans.
Other
• User need for access to services.
• Instrumentation and monitoring of outbound traffic (particularly web) – fraud detection, data leakage protection, correlation analysis.
• Logging and monitoring of network, application, and host traffic.
• User education (social engineering prevention, etc.).
• Document your Information Security Program.
Optional / Buy with care
• Specialized monitoring (e.g. botnet detectors).
• Denial of service protection devices.
* Use standards such as ISO 27002:2013 to determine the technical controls you need.
Contact Information
Presenter Contact Information
Aurobindo Sundaram,
VP Information Assurance & Data Protection
+1-678-694-3663