TSX Webinar - Social Engineering (Chubb)


TSX Webinar: How to Protect your Brokerage from Social Engineering Tactics June 22, 2017


Presenter & Panelist

Grant Patten Digital Media & User Experience Specialist, CSIO

Rob Hanson Assistant Vice President, Financial Lines Chubb Insurance Company of Canada


Today’s Agenda
• Definition and stats
• Social engineering tactics
• Chubb: SEF Overview
• Case studies
• Prevention tips
• Resources & Questions


Definition: What Is Social Engineering?

Social engineering, also known as “human hacking”, takes advantage of common human behaviour to trick employees into downloading malicious code onto company computers or divulging sensitive information. Remember, it is much easier to trick someone into giving up a password than to invest the effort to crack into a computer system.


Social Engineering By The Numbers
● Humans, or users, account for 90% of security incidents. (Verizon)
● 156 million phishing emails are sent globally every day. (PCI Security Standards Council)
● Of over 200 security leaders surveyed, 60% say their organizations were, or may have been, victim of at least one targeted social engineering attack in 2016. (Agari)
● 49% rated the effectiveness of the current controls they deploy to defend against social engineering attacks as average or below.


Phishing
● The most common form of social engineering
● Phishing is on the rise – in fact, 23% of recipients open phishing emails and 11% click on attachments (Verizon)


Spear Phishing
● More sophisticated, targeted form of phishing because the emails ostensibly come from a known or trusted sender
● The data breach at Yahoo! which compromised over 500 million user accounts was done using spear phishing


Ransomware


Ransomware – email phishing example


Ransomware – email phishing example
“Enable macro if data encoding is incorrect” is a social engineering technique:


How to counteract phishing
● Only 7% of American organizations do phishing education (Chris Hadnagy, CEO of security consulting firm Social-Engineer)
● Be more discerning when reading and clicking through emails
● Red flags: does the email look impersonal, come from an unfamiliar organization, contain typos, or include a .ZIP file attachment?
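As an added example (not code from the webinar or from Chubb or CSIO), the Python checker below scores a raw email against the red flags listed above, plus the “Enable macro” lure from the ransomware slide; the allow-list of known sender domains, the typo shortlist and both sample messages are constructed assumptions, and flagging macro-enabled Office attachments alongside .ZIP is a generalization of the slide’s red flag.

```python
from email import message_from_bytes, policy, utils

# Constructed sample showing the slide's red flags (impersonal greeting, unfamiliar
# sender domain, typos, .ZIP attachment) plus the ransomware "enable macro" lure.
SAMPLE_PHISH = b"""From: Accounts Payable <billing@invoice-notify-center.example>
To: controller@brokerage.example
Subject: Invoice attched - action required
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Dear Customer,
Please see the attched invoice. Enable macro if data encoding is incorrect.
--B
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

PK
--B--
"""
# Constructed clean sample from a known vendor, for comparison (expected: no flags).
SAMPLE_CLEAN = b"From: Jane Lee <jane@parts-vendor.example>\nTo: controller@brokerage.example\nSubject: Shipment 42\n\nHi Grant, shipment 42 left the port today. Thanks, Jane\n"

KNOWN_DOMAINS = {"brokerage.example", "parts-vendor.example"}  # assumption: your org + vetted partners
GENERIC_GREETINGS = ("dear customer", "dear user", "dear sir", "dear account holder")
COMMON_TYPOS = ("attched", "recieve", "verfy", "acount")  # constructed shortlist; grow it from real samples
RISKY_EXTENSIONS = (".zip", ".docm", ".xlsm", ".js")  # .zip from the slide; macro-enabled types added here

def phishing_red_flags(raw: bytes) -> list[str]:
    """Return the red flags found in one raw RFC 5322 message (empty list = none found)."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []
    _, addr = utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain and domain not in KNOWN_DOMAINS:
        flags.append(f"unfamiliar sender domain: {domain}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if text.lstrip().startswith(GENERIC_GREETINGS):
        flags.append("impersonal greeting")
    if any(t in msg.get("Subject", "").lower() or t in text for t in COMMON_TYPOS):
        flags.append("spelling errors in subject/body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment: {name}")
    if "enable macro" in text or "enable content" in text:
        flags.append("macro-enabling lure in body")
    return flags
```

A message with several flags is a candidate for quarantine or a call-back to the purported sender; a single flag is only a prompt to look closer.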




How to counteract spear phishing


Vishing (voice solicitation)
● Social engineering over the phone to gain access to private personal and financial information from the public for the purpose of financial reward

https://youtu.be/lc7scxvKQOo




How to counteract vishing
● Be wary of a “false sense of urgency” – this sense of urgency will almost always be fabricated by social engineers
● Insist that you must verify their identity before giving them any information. If they can’t verify, simply hang up the phone or ignore the message
● Be suspicious. Never bypass established security procedures/policies


Smishing (SMS phishing)
● SMS phishing uses cell phone text messages to deliver the bait to induce people to divulge their personal information
● March 2017, UK: three Santander (British bank) customers lost a total of £36,000. Attackers used number spoofing, which makes the text message appear on an existing thread of genuine messages from the bank to make them look more convincing


How to counteract smishing
● Never share personal or security details such as your PIN or full password
● Don’t immediately assume an email/text is genuine – even if it looks really official
● Don’t feel pressured into responding back – if it’s a genuine organization, they will let you take your time
● Only call/text a number that you know is genuine (the bank’s number can be found on the back of your card)


Baiting
● Baiting is another form of social engineering that plays on our natural human curiosity. An attacker will leave a malware-laden device, such as a USB key, in an open area where someone will likely find it


How to counteract baiting
● Develop strict policies regarding devices brought in from outside the company; block unknown USBs by default


Tailgating
● Tailgating occurs when an attacker attempts to gain unauthorized access to company premises by following closely behind an employee entering a facility


How to counteract tailgating
● Have strict policies/employee training on displaying security badges and other credentials and making sure all guests are escorted
● It would be advisable to use a waste management service that has dumpsters with locks on them


Poll Question

What do you think is the most dangerous social engineering threat to organizations?


SEF Overview


Social Engineering Fraud Overview
• First to market
• There is a demand!
  o Chubb 7-year Internal Study
• Dozens of contentious claims denials
  o Insured was ‘duped’ into transferring money to the wrong party.
  o Lack of brokerage Commercial Crime knowledge


The Fraudster’s Process


Vendor Email Imitated

The controller for a distributor of component parts was responsible for making regular payments to overseas vendors from which the distributor purchased products for resale in Canada. After many months of working with one particular vendor and receiving regular shipments, the controller received an email that appeared to come from his vendor contact, indicating that the vendor’s bank was having issues with accepting payments, and asking if the next payment could be made to a new bank. Due to the vendor’s overseas location, verification was a challenge. After the supposed vendor applied some pressure, the controller paid the invoice via wire transfer.

RESOLUTION

The following month, the real vendor realized that the distributor’s payment was overdue. An investigation was launched and it was determined that the fraudster had tricked the distributor into believing that the requested bank account change was authentic. The fraudster absconded with the almost $250,000 payment.


The Fraudster’s Process


Base Crime Wording Why not covered?


Why not covered?
• Computer Fraud:
  o direct siphoning by Third Party only

*Voluntary Parting of Funds Exclusion
Coverage does not apply to loss due to an Insured knowingly having given or surrendered Money...in exchange or purchase to a Third Party not in collusion with an Employee.
- Was the Insured aware of the transaction itself? Intend to make the payment?
- Not a guarantee for Insured’s internal controls or business risks


Why not covered?
• Funds Transfer Fraud:
  o Fraudulent instructions must be provided directly by Third Party to FI
  o Insured has no knowledge of the transfer occurring until loss is discovered


SEF Coverage Extension


Social Engineering Fraud Coverage - Chubb
• Insures a range of social engineering fraud losses, including:
  o Vendor or supplier impersonation
  o Executive impersonation
  o Client impersonation
• Contains a full carve back to the voluntary purchase and exchange exclusion
• Employs broad all-risk language
• No Conditions Precedent!


Social Engineering Fraud Coverage – Version 1 Insuring Clause:

*Social Engineering Fraud Coverage Insuring Clause

The Company shall pay the Insured for loss resulting from an Insured having transferred, paid or delivered any Money or Securities as the direct result of Social Engineering Fraud committed by a person purporting to be a Vendor, Client, or an Employee who was authorized by the Insured to instruct other Employees to transfer Money or Securities.

*Chubb Insurance Company of Canada: EP Crime form CE 14-02-4028


Social Engineering Fraud Coverage
Two new terms are added:

*Social Engineering Fraud means the intentional misleading of an Employee, through misrepresentation of a material fact which is relied upon by an Employee, believing it to be genuine.

*Vendor means any entity or natural person that has provided goods or services to an Insured under a legitimate pre-existing arrangement or written agreement.

*Chubb Insurance Company of Canada: EP Crime form CE 14-02-4028


What can Companies do?


What can Companies do?
Risks that employ the following procedures may be less susceptible to social engineering fraud:
• Reduce the reliance on email for all financial transactions.
• Establish call-back procedures: dual / additional customer verification systems.
• Establish procedures to verify any changes to customer or vendor details, independent of the requester of the change.
• Avoid allowing new customers or clients to “pre-pay” for your services, unless a thorough background check is performed on them.
• Periodic penetration testing of systems/procedures.


What can Companies do? …continued
Risks that employ the following procedures may be less susceptible to social engineering fraud:
• Conduct a data classification assessment.
• Avoid using or exploring “rogue devices”.
• Be suspicious of unsolicited emails.
• Always shred and/or destroy documents prior to disposal.
• TRAINING.


Chubb Risk Mitigation Resources


Chubb – Claims Examples


Case Studies - RSA Security LLC




Case Studies - @N Twitter hack

https://medium.com/@N




Case Studies - Stuxnet




Social Engineering Prevention Tips – 2FA
● Use two-factor authentication (2FA) wherever possible BUT know that it isn’t foolproof. 2FA adds an extra step to the basic login procedure, e.g., Twitter’s 2FA verifies logins by sending an SMS text with a code to the user’s phone


Social Engineering Prevention Tips – 2FA
● Two-factor authentication (2FA) smishing scam:


Social Engineering Prevention Tips – 2FA
● Google Authenticator app


Social Engineering Prevention Tips
● Implement an internal information security awareness and training program, which includes a module on social engineering
● Never release sensitive information to someone you don’t know or who doesn’t have a valid reason for having it – even if the person identifies themselves as a co-worker
● Consider simulating a social engineering attack. This type of test depends on the information that can be obtained from the public domain about the organization


Social Engineering Attack Simulation
● Arm your employees to beat modern social engineering attacks by going through a simulation
● Phishing simulations can be conducted by your IT team
● Advantage of using a cybersecurity contractor to do the simulation would be a more detached, neutral stance
● Debrief conversation should be about remediation and education, rather than blame and sanctions


Social Engineering Incident Response Plan
● What was or is being attacked, and how
● Which resources are threatened or compromised
● How to shut down an ongoing attack with the least amount of disruption to the business
● How to recover from the attack
● How to implement protections against similar attacks


Learn More at CSIO.com

Members Section gives access to:
• CSIO Forms
• TSX Webinars (accredited)

Educational Resources:
• Infosheets, Articles, White papers
• Videos
• Twitter: @CSIO
• Email: info@csio.com


CSIO Infosheets & Video Series


Thank you for attending our Talk, Share, eXchange!

Recording of the webinar (and slides) can be found here: https://www.csio.com/news-events/tsx-webinars

