Post on 27-Jun-2018

How Cyber-Criminals Steal and Profit from your Data

Presented by:

Nick Podhradsky, SVP Operations

SBS CyberSecurity

© SBS CyberSecurity, LLC

www.sbscyber.com Consulting Network Security IT Audit Education 1

Agenda

• Why is cybersecurity now your responsibility?

• What are the bad guys after?

• How do they get what they want?

• How can I stop them or slow them down?

You Have Been Enlisted

Strength or Weakness

• People are easier to defeat than technology!

What does a hacker look like?

What does a “hacker” look like?

Costs of Cybersecurity?

• Estimated annual global cost could reach $6 trillion by 2021 (estimated at $3 trillion in 2015) – Cybersecurity Ventures

• Data breaches average a cost of around $154 per record – www.cyberark.com

• Significant reputational damage associated with a data breach.

How do hackers make money?

• Compromise Internet Banking Activity

• Credit Cards

• Health Information

• Ransomware

• User or Admin Credentials

• Personal Data

• Contact information including email addresses

Data Values – December 2015 (foxnews.com)

• Average estimated price for stolen debit and credit cards in US: $5 - $30

• Bank login credentials for a $2,200 balance bank account: $190

• Bank login credentials plus stealth funds transfers to US Banks for a $20,000 account balance: $1,200

• Online payment service credentials (PayPal, etc.) for $1,000 balance: $50

• The more information provided, the higher the value.

How do “bad guys” get that data?

• Social Engineering

Wikipedia definition: in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

Social Engineering Types

• Email Phishing

• Phone Calls - Vishing

• Social Media

• USB Devices

• Dumpster Diving

Phish Finder – Who, What, Where

WHO?

What?

What?

Phishing Example

Where?

WHO? WHAT? WHERE?

Phishing Scenario Walkthrough

I clicked on the link

See what the hacker gets?

What about attachments?

Enabling content will run malware

What can you do?

• Understand the Importance of Cybersecurity

• Spoofed Wireless

• Strong Passwords

• Multi-Factor Authentication

• Be suspicious of Downloads

• Use Anti-Virus, but be aware that it’s not entirely effective!

Understand the Importance of Cybersecurity

• You have a responsibility as an employee to help protect the network and data. Get educated.

• If you’ve done something you shouldn’t have, DON’T cover it up – let someone know.

• Remember that security controls may not be fun to have, but they are there to protect you and your data.

Spoofed Wireless Networks

• If you aren’t certain of the network, don’t connect.

• Never access confidential information while connected to unsecured Wi-Fi.

• If you can use a VPN over this connection, your traffic becomes encrypted and is safe.

• Using your “Mobile Data” and shutting off Wi-Fi is also considered safe.

Strong Passwords

• Don’t use passwords in multiple locations – especially banking or confidential website passwords

• Use phrases: Iwah4C;Oahwd! (from “I want a hippopotamus for Christmas; Only a hippopotamus will do!”)

• Use a password keeper such as KeePass or LastPass; ensure that the password protecting it is strong.

• Change your password often

Multi-Factor Authentication

• Multi-Factor Authentication is the use of 2 or more identifiers to verify the user: (1) something you have, (2) something you know, (3) something you are.

• Most email providers OFFER multi-factor authentication. The first factor is generally the password; the 2nd factor is often an email or text with a code, or a security question.

• Security questions can be a 2nd factor; make sure that the answers are not simple (birthdate – may be on social media; high school – may be found online; pet’s name – social media).

Be suspicious of Downloads

• Ensure it’s from a trusted source. Go directly to the company site.

• Know what brand of antivirus you have.

• Don’t panic when something happens that looks like the picture to the right.

Use Anti-Virus – but be aware it’s not entirely effective!

• Most sophisticated and new scams will get around anti-virus unnoticed.

• Anti-virus will catch older and very prevalent viruses.

• There are many good anti-viruses available with paid and free versions – paid versions are generally better – there is no reason not to have one.

• Be careful when downloading a new anti-virus (go directly to the company, not to a 3rd party site).

HCPD Partnership

• HCPD cares about the CyberSecurity of your organization and wants to help!

• HCPD and SBS have partnered on a 5-phase approach to helping HCPD customers improve their cybersecurity.

• HCPD will pay for 50% of the cost annually, up to $5,000!

HCPD Phase 1 Cybersecurity Services

• IT Asset Discovery: Identifies hardware and software used by the organization.

• Internal Vulnerability Assessment: Identifies soft spots on the inside of your network that cybercriminals could exploit.

• Information Security Risk Assessment: A document that identifies the most and least risky use of technology in the organization.

• Cyber Risk Management Prioritization: Based on the 3 items above, SBS will put together a plan for the organization on how to immediately improve their cybersecurity posture.

Investment

• Pricing based on the number of meters the customer has

• You can start with Phase 2-5 if you would prefer (contact SBS for more information).

• Time investment for Phase 1 ranges from ½ day to 3 days depending on size.

• SBS would do a presentation for your management/board if you would like to discuss further.

Nick Podhradsky

605-770-3926

Madison, SD

www.sbscyber.com

Nick@sbscyber.com

Let’s Connect!
