Preventing IT Fraud: You (and Your Employees) are the Weakest Link!
Presented by
Nick DeLena, CISA, CRISC, MBA Senior Manager, IT Audit
O’Connor & Drew P.C. [email protected]
Agenda
• IT fraud threat vectors ▫ Internal & external
• Why is everyone getting hacked?
• What can we do about it?
IT fraud threat vectors
• Internal threats ▫ IT staff buying extra hardware and software and then reselling it on auction sites, returning it for cash or credit, or keeping it for personal use
IT fraud threat vectors
• Internal threats ▫ Using corporate resources for personal use, e.g. running seedy websites or peer-to-peer file sharing
IT fraud threat vectors
• Internal threats with external partners ▫ Paying more for items, or buying unneeded upgrades, from a 3rd party because IT staff get a kickback
IT fraud threat vectors
• External threat ▫ Hackers (white/gray/black hat) ▫ Script kiddies ▫ Hacktivists ▫ State-sponsored ▫ Corporate espionage ▫ Terrorism
IT fraud threat vectors
• CIA Dir. John Brennan hack ▫ “Hey it’s CWA.” ▫ “What do you want?” ▫ “2 trillion dollars hahaha, just joking” ▫ “How much do you really want?” ▫ “We just want Palestine to be free and for you to stop killing innocent people.”
Why do we keep getting hacked?
• Three reasons: ▫ PII including credit cards ▫ Target of opportunity ▫ “Hacktivism”
Why do we keep getting hacked?
• Three reasons: ▫ Companies or nation states want the info we have ▫ Intellectual property / research ▫ Recently, physical harm
Why do we keep getting hacked?
• Three reasons: ▫ Target of opportunity: casting a wide net; let’s see who we pick up; the thief who tries every door just to find the open car
Why do we keep getting hacked?
• Three reasons: ▫ Hacktivism: payback for a perceived wrong; Anonymous; the fight against ISIS; environmental (dieselgate?)
We are really, REALLY, bad at security
• Most popular passwords in 2014: ▫ 123456 ▫ password ▫ 12345 ▫ 12345678 ▫ qwerty
We are really, REALLY, bad at security
• Our teams find: ▫ 50% of assessments have the “Crown Jewels” by 9:30am ▫ 100% of assessments have the “Crown Jewels” by lunch time ▫ ON MONDAY
How are they doing it?
• Recon ▫ LinkedIn ▫ Twitter ▫ Facebook ▫ theHarvester
How are they doing it?
• Spam • Phishing • Spear Phishing • Whaling • Watering hole attack
How are they doing it?
• Some examples of phishing ▫ Emails from people you know claiming to be stranded in a foreign country, asking you to wire money so that they can travel home.
▫ Emails claiming to be from reputable news organizations capitalizing on trending news. These emails generally ask recipients to click a link to read the full story, which in turn leads the user to a malicious website.
▫ Emails claiming to be from organizations like the FTC and FDIC, referencing complaints filed or asking recipients to check their bank deposit insurance coverage.
▫ Emails claiming to be from your bank, asking you to change your username and password.
Phishing
• Home Attacks
Phishing
• Home Attacks ▫ Links on your phone are especially dangerous. ▫ You often cannot “hover over” the link to see where it really goes.
How many errors can you spot?
http://bit.ly/1WB0vwF
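The “you cannot hover over the link on your phone” problem can be checked mechanically before anything is tapped. What follows is an added example, not code from this presentation: a short Python script that pulls every anchor out of a constructed HTML email body (a fake “change your username and password” bank notice of the kind listed under the phishing examples) and flags the tells hovering would reveal: a raw IP address as the host, a URL shortener (the bit.ly link on the slide is reused only as an opaque string), visible link text whose domain differs from the real destination, and a plain-http link to a domain the recipient trusts. The sample email, the examplebank.com domain and the shortener and trusted-domain lists are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "change your username and password" bank notice of the
# kind listed above. examplebank.com is a placeholder domain; the bit.ly link is the
# one shown on the slide, used here only as an opaque shortened URL.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your online access has been suspended.</p>
<p>Please <a href="http://192.0.2.10/login">visit https://www.examplebank.com/secure</a>
to change your username and password within 24 hours.</p>
<p>Full story: <a href="http://bit.ly/1WB0vwF">read more</a></p>
<p>Help: <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a></p>
"""

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
TRUSTED = {"examplebank.com"}  # assumption: domains the recipient really does business with


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the body: what the mail *does*
    versus what it *shows*, which is exactly what hovering would reveal."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname ('www.examplebank.com' -> 'examplebank.com').
    Good enough for a demo; production code should consult the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_link(href: str, text: str) -> list:
    """Return the warnings a careful reader would raise about one anchor."""
    warnings = []
    target = urlparse(href)
    host = target.hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("host is a raw IP address, not a domain name")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the real destination")
    shown = re.search(r"https?://\S+", text)  # link text that itself looks like a URL
    if shown:
        shown_host = urlparse(shown.group(0)).hostname or ""
        if registrable(shown_host) != registrable(host):
            warnings.append(f"text shows {shown_host!r} but link goes to {host!r}")
    if target.scheme == "http" and registrable(host) in TRUSTED:
        warnings.append("trusted site over plain http; real login pages use https")
    return warnings


def analyze_email(html: str) -> dict:
    """Map each suspicious href to its warnings; clean links are left out."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        warnings = analyze_link(href, text)
        if warnings:
            findings[href] = warnings
    return findings


if __name__ == "__main__":
    for href, warnings in analyze_email(SAMPLE_EMAIL_HTML).items():
        print(href)
        for w in warnings:
            print("  -", w)
```

Run against the sample, the fake login link is flagged twice (IP host, and displayed URL not matching the real one), the shortened link once, and the genuine https help link not at all. The text-versus-href comparison is the one that matters most on a phone, where the displayed text is all the user ever sees.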
Phishing
• Work Attacks
Spear-Phishing
• Targeted attacks
Spear-Phishing & Watering hole
• Targeted attacks
Then what?
• Backdoor • Exfiltration
What can we do about it?
• Internal threats ▫ Learn the IT basics ▫ Trust, but verify ▫ Asset management ▫ 3rd party reviews
What can we do about it?
• External threats ▫ END USER EDUCATION ▫ Perimeter security ▫ Desktop security ▫ FTC?
What can we do about it?
• End user education ▫ Awareness is key ▫ This session; tell your friends ▫ Social engineering tests: call the helpdesk, can you obtain someone else’s password reset? Fake email campaign (with immediate re-education)
What can we do about it?
• End user education ▫ IT Department notices: IT will never request passwords or other personal information via e-mail. ▫ Those notices should not include a link to the “IT site” for more info; that reinforces the bad behavior of clicking links in email.
What can we do about it?
• End user education ▫ Social engineering tests: first, educate employees (people are emotional, computers are not); second, test, with immediate feedback on what they did wrong and how to prevent the behavior in the future
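One way to run the “fake email campaign with immediate re-education” test described on the two slides above, as an added example that is not part of the presentation: each recipient gets a unique link whose token is an HMAC over the campaign name and the user id; the link redirector maps a clicked token back to the user, records the first click, and sends the user straight to the training page, while a forged or guessed token maps to nobody. The campaign name, the secret and the links.example.com / training.example.com hosts are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Assumptions (constructed for the example): the secret would come from a secret
# store and be rotated per campaign; the two hostnames are placeholders.
CAMPAIGN_SECRET = b"constructed-campaign-secret-do-not-reuse"
CAMPAIGN_ID = "benefits-enrollment-test"
REDIRECTOR = "https://links.example.com/r"
TRAINING_PAGE = "https://training.example.com/you-clicked"


def make_token(user_id: str) -> str:
    """Per-recipient token = HMAC-SHA256(secret, campaign|user), truncated to 128 bits.
    A recipient who sees their own token cannot derive anyone else's, so click
    results cannot be forged or enumerated by guessing sequential ids."""
    msg = f"{CAMPAIGN_ID}|{user_id}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def phishing_link(user_id: str) -> str:
    """The link that goes in the test email for this recipient."""
    return f"{REDIRECTOR}?{urlencode({'t': make_token(user_id)})}"


class Campaign:
    """Tracks who clicked, and answers the redirector's question: where to send them."""

    def __init__(self, recipients):
        self.by_token = {make_token(u): u for u in recipients}
        self.first_click = {}  # user_id -> timestamp of the first click

    def handle_click(self, token: str, now: float):
        """Return the re-education page for a valid token (recording the first click),
        or None for an unknown or forged token so the redirector can answer 404."""
        user = self.by_token.get(token)
        if user is None:
            return None
        # Only the first click counts; the user is re-educated immediately either way.
        self.first_click.setdefault(user, now)
        return TRAINING_PAGE

    def report(self):
        """Campaign-level numbers plus the list of people to re-train."""
        total = len(self.by_token)
        clicked = sorted(self.first_click)
        return {
            "recipients": total,
            "clicked": len(clicked),
            "click_rate": len(clicked) / total if total else 0.0,
            "follow_up": clicked,
        }


if __name__ == "__main__":
    camp = Campaign(["alice", "bob", "carol"])
    print(phishing_link("alice"))
    print(camp.handle_click(make_token("alice"), now=1.0))  # training page
    print(camp.handle_click("0" * 32, now=2.0))             # None: forged token
    print(camp.report())
```

The redirector sends the clicker to the training page on the very first click, which is the “immediate re-education” the slide calls for; the report is for the awareness program, not for punishing individuals.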
What can we do about it?
• End user education ▫ Be wary of emails with links or language errors ▫ Don’t give in to pressure to provide info
What can we do about it?
• End user education ▫ Don’t open LinkedIn invites via email ▫ Be especially wary of lures timed to benefits annual enrollment periods, shipping notices during the holidays, and “IRS tax refund” emails before April 15th
What can we do about it?
• Perimeter security ▫ Advanced firewall protection ▫ Unified Threat Management (UTM)
What can we do about it?
• Desktop security ▫ Keep operating systems and browsers patched ▫ Anti-virus / anti-malware up to date and running ▫ Data Loss Prevention (DLP) tools
Conclusion
• We make it easy for fraud to happen ▫ Educate yourself ▫ Trust, but verify ▫ PLEASE, don’t click on links in email ▫ Know who to call when you suspect an issue
Our Staff
Michael Hammond – IT Audit & Security Director
Michael is the Director of IT Audit & Security at O’Connor & Drew. With over 20 years in various strategic and administrative IT positions, including 15 years designing and implementing security architecture and security controls, Michael is widely considered a foremost expert in IT security. Michael has traveled extensively as a frequent speaker on trending security topics. In addition to speaking on audit and security, Michael has performed audits and assessments on five continents spanning more than 12 regulatory authorities.
Certifications and designations:
• Certified Information Systems Auditor (CISA)
• Certified in Risk and Information Systems Control (CRISC)
• Certified Information Systems Security Professional (CISSP)
• Certified Ethical Hacker (C|EH)
• Michael is a member of the InfraGard association, a joint partnership between the FBI and the private sector.
Nick DeLena – Senior Manager, IT Audit
Nick is the lead Senior IT Audit Manager at O’Connor & Drew. He works in concert with internal senior management to scope and budget engagements. He provides oversight and training to existing staff. Nick’s prior engagements include SOX compliance, SAS 70, and FFIEC compliance. In addition to Nick’s 5 years of audit and advisory experience, he also has 12 years in various IT operations and analyst positions.
Certifications and designations:
• Master of Business Administration (MBA), Brown University
• Certified Information Systems Auditor (CISA)
• Certified in Risk and Information Systems Control (CRISC)
• CompTIA Security+
• ITIL v3 Foundations Certification (ITILv3F)
• Nick is a member of the InfraGard association, a joint partnership between the FBI and the private sector.
George Calapai – IT Auditor
George is a staff auditor with O’Connor & Drew. Prior to joining the firm, George was a senior IT management consultant and technical services lead for a number of medical startups. Currently, George performs IT audit control testing for O’Connor & Drew clients. Recent work includes:
• IT risk and control assessments
• Database account administration audits
• Routing, firewall, wireless and IDS/IPS
• VMware
Michael Huffman – IT Auditor Michael is a recent MBA graduate of UMass Dartmouth, with a degree in Supply Chain Management and Information Technology. Michael has assisted on several IT general controls reviews and vulnerability assessments for auto dealers.
O’Connor & Drew P.C.
Email: [email protected] LinkedIn: www.linkedin.com/in/nickdelena Twitter: @ocdcpa