By Keith Turpin, CISO, Universal Weather and Aviation
How Are Organizations Doing?
66% Lack a complete inventory of third parties
69% No centralized control over third-party relationships
18% Know if vendors are sharing their information
* 2018 Ponemon Institute Report: Data Risk in the Third-Party Ecosystem
When Supply Chains Fail
• Theft of intellectual property
• Data breaches
• Inability to conduct operations
• Direct financial loss
• Lawsuits
• Government fines
• Product recalls
A Story about the Target Store Breach
In 2013 Target was hacked. They lost private data belonging to 70 million customers. Target paid settlements totaling $153.9 million.
[Diagram "Target Breach": the hacker reached Target's customer information over the Internet by way of a contract service provider and its computerized air conditioners (industrial control systems); the customers were the ones harmed.]
A Story about Ransomware targeting small municipal agencies
22 agencies from towns in Texas were hit in August 2019 by a single attacker. Most lost the ability to conduct important business operations. The attacker demanded $2.5 million for the decryption key.
[Diagram "Texas Government Office Ransomware": the hacker delivered the ransomware through the agencies' shared IT service provider; decryption key available for $2.5 million.]
A Story about Corruption in the Supply Chain
Sinovel Wind Group stole the source code for turbine control software. The theft cost American Superconductor more than $800 million.
[Diagram "American Superconductor Corp. - Intellectual Property Theft": Sinovel builds wind turbines; American Superconductor makes the wind turbine controller software and licensed it to Sinovel; a disgruntled programmer passed the source code to Sinovel; the FBI investigated.]
Sinovel was found guilty of:
• Theft of trade secrets
• Wire fraud
Sinovel settled for $60 million.
Business Email Fraud
The Basic Scam
[Diagram: a payment meant for the bank where the money should go is redirected to a fraudulent bank account.]
Reconnaissance
• Understand the business
• Identify suppliers, partners and customers
• Discover the identities of key people
• Collect document and email samples
• Understand financial processes
• Identify vulnerable email accounts and systems
Common Attack Characteristics
• Use branded email messages (logos, signature blocks, etc.)
• May emphasize urgency, contain threats or state that key people are unavailable
• May include phone calls to appear more legitimate
• Attacker may acquire an internet domain similar to that of the business
  • [email protected] vs [email protected]
Impersonated Registry
Domain Name: SINQAPOREAIR.COM
Registration Service Provider: Vistaprint
Admin Organization: REDACTED FOR PRIVACY
Admin Email: REDACTED FOR PRIVACY
Real Registry
Domain Name: singaporeair.com
Registrar: CSC CORPORATE DOMAINS, INC.
Admin Organization: Singapore Airlines Limited
Admin Email: [email protected]
VistaPrint is frequently used by those committing fraud.
Hacking Your Inbox
[Diagram: the attacker sits in the email exchange between the vendor and the purchaser.]
Two Ways to be Impacted
Who is at Fault?
• An insider leaked information
• A mailbox account was compromised
• The email system was compromised
• An endpoint was compromised
Defending Against Email Fraud
• Establish formal policies for handling banking account changes
• Verify change requests using a known good contact
• Use two-factor authentication on all email portals
• Train staff to identify suspicious email
• Use email security gateways to stop clearly malicious email
• Add an EXTERNAL label to email from outside the company
• Be prepared if your customer gets scammed by someone pretending to be you
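As an added example (not code from the presentation), the following Python script puts two of the defenses above into working form: it prefixes an EXTERNAL label on mail whose sender domain is outside the company, and it flags sender domains that are near-copies of domains the company already trusts, using the SINQAPOREAIR.COM vs singaporeair.com case from the registry slide. The company and partner domain lists, the confusable-character table and the sample message are constructed assumptions; a real gateway would apply the same logic in its mail flow rules rather than in a script.

```python
"""Inbound mail triage: EXTERNAL tagging plus lookalike-domain flagging.

Added example; the domain lists, confusable table and sample message below
are constructed assumptions, not data from the presentation.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Assumed configuration: the company's own domains and the domains of
# suppliers/partners it regularly pays or receives invoices from.
COMPANY_DOMAINS = {"example-aviation.test"}
KNOWN_PARTNER_DOMAINS = {"singaporeair.com", "example-bank.test"}

# Substitutions that read alike in many fonts. 'q' for 'g' is the trick in the
# slide's SINQAPOREAIR.COM vs singaporeair.com example.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "q": "g"}
MAX_EDIT_DISTANCE = 1  # one extra, missing or changed character still counts as a lookalike


def skeleton(label: str) -> str:
    """Collapse confusable characters so visually similar labels compare equal."""
    text = label.lower()
    for lookalike, canonical in CONFUSABLES.items():
        text = text.replace(lookalike, canonical)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def brand_label(domain: str) -> str:
    """Label before the public suffix. Simplification: assumes a one-part TLD
    such as .com; multi-part suffixes like .co.uk would need a suffix list."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def find_lookalike(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is not a near match."""
    domain = domain.lower()
    known = COMPANY_DOMAINS | KNOWN_PARTNER_DOMAINS
    if domain in known:
        return None  # an exact match to a trusted domain is not a lookalike
    candidate = skeleton(brand_label(domain))
    matches = [(edit_distance(candidate, skeleton(brand_label(k))), k) for k in known]
    distance, closest = min(matches)
    return closest if distance <= MAX_EDIT_DISTANCE else None


def classify_sender(address: str) -> dict:
    """Decide whether the sender is outside the company and whether its domain
    looks like one the company already trusts."""
    _, addr = parseaddr(address)
    domain = addr.rpartition("@")[2].lower()
    external = domain not in COMPANY_DOMAINS
    return {
        "domain": domain,
        "external": external,
        "lookalike_of": find_lookalike(domain) if external else None,
    }


def tag_subject(raw_message: str) -> str:
    """Prefix the subject the way a gateway rule would, so the recipient sees at a
    glance that the mail came from outside and, if so, whether the sender domain
    imitates a known partner."""
    msg = message_from_string(raw_message)
    verdict = classify_sender(msg.get("From", ""))
    subject = msg.get("Subject", "")
    if verdict["lookalike_of"]:
        return f"[EXTERNAL] [LOOKALIKE of {verdict['lookalike_of']}] {subject}"
    if verdict["external"]:
        return f"[EXTERNAL] {subject}"
    return subject


# Constructed sample message modelled on the bank-change request scam.
SAMPLE_MESSAGE = (
    "From: Accounts Payable <ap@sinqaporeair.com>\n"
    "To: finance@example-aviation.test\n"
    "Subject: Updated bank details for future payments\n"
    "\n"
    "Please remit all future payments to our new account.\n"
)

if __name__ == "__main__":
    print(tag_subject(SAMPLE_MESSAGE))
    for sender in ("ap@sinqaporeair.com", "ap@singaporeair.com", "ceo@example-aviation.test"):
        print(sender, classify_sender(sender))
```

The lookalike check deliberately runs only against domains the company already does business with: a generic "similar to anything" test produces noise, while a near match to a real supplier is exactly the signal that should route a bank-detail change to the out-of-band verification step above.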
Supply Chain Relationships
Organizations outside the core business have supply chains too:
• Technology services
• Software development
• Product engineering
• Transportation
• Enterprise resource planning
• Employee pay and benefits
• Sales and marketing
• Building operations and maintenance
• Cafeteria and food services
• Logistics and distribution
• Staffing
Contract Considerations
• Define security requirements as part of the RFP
• Create and use a baseline security addendum
• Include secure coding requirements for software
• Examine and document all assumptions; undocumented assumptions can lead to disputes and ambiguous liability
• Address sub-contracting limitations, visibility and approvals
• Specify how compliance will be measured
• Fully address vendor termination
Supply Chain Risks
• Supplier with access to your IT systems or sites
• Supplier-managed code or IT systems running in your IT environment
• Supplier storing or processing sensitive data
• Regulatory requirements that apply to your supply chain (examples: PCI, GDPR, DFARS)
• Value of data or intellectual property exposed in the relationship
• Impact of supply chain disruption (single sourcing)
• Contractual obligations
• Size of the supplier
Assessing Supplier Security
• Security standards like ISO 27001 or NIST 800 should be guidelines
• Tailor assessments to align with products and services
• Review the scope of assertion certifications like SSAE 16 / SOC 2
Conducting Your Own Evaluations
• Assessing security and privacy policies can reduce incidents by 20%
• Use a tiered assessment model based on levels of risk
Cybersecurity Rating Services
• FICO Enterprise Security Score: rating scale from 300 to 850
• BitSight Third-Party Risk Management: rating scale from 250 to 900
• SecurityScorecard: letter-based rating scale from A to F
• UpGuard: rating called CSTAR, which scores companies from 0 to 950
• RiskRecon: rates cyber resilience from 0 to 10 in three categories
Questions