Final presentation january iia cybersecurity securing your 2016 audit plan

of 52 /52
January IIA Meeting Topic: Cybersecurity - Securing Your 2016 Audit Plan January 5, 2016

Embed Size (px)

Transcript of Final presentation january iia cybersecurity securing your 2016 audit plan

  • January IIA MeetingTopic: Cybersecurity - Securing Your 2016 Audit Plan

    January 5, 2016

  • Agenda

    2015 Major Published Cybersecurity Incidents 2015 Global Threat Index 2016 Threat Predictions Facts & Figures Potential Risks of Cyber-Attacks 10 Cybersecurity Areas to Consider Auditing Questions


  • 3CrossCountry Confidential1/6/2016

    What is Cybersecurity?

    Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. -

    Confidentiality: Protecting information from unauthorized disclosure

    Integrity: Protecting information from being modified by an unauthorized party

    Availability: Ensuring information is available to authorized parties when needed

  • 4CrossCountry Confidential1/6/2016

    2015 Major Published Cybersecurity Incidents

    Q1 February Anthem healthcare insurance firm databases hacked, containing 80 million customers personal data

    March State Dept. is breached by Russian hackers and shuts down to remove malware

    Q2 June Office of Personnel Management hearings occur as result of 21.5 million names, addresses and social security numbers

    hacked, some entire background checks were stolen.

    Q3 July Fiat Chrysler remote hack vulnerability affecting transmission and steering (recalled 1.4 million vehicles)

    July --The UCLA Health System discovered that hackers had access to 4.5 million patients health records


    November Hilton acknowledges that customers credit card information was breached via malware on the point of sale system

    November Pearson VUE credential system was successfully targeted, law enforcement and forensics are still analyzing

  • 5CrossCountry Confidential1/6/2016

    World Economic Forum2015 Global Threat Index

    Technological (Purple):

    Critical Information Infrastructure Breakdown

    Cyber Attacks Misuse of

    Technologies Data Fraud or Theft


    Failure of critical infrastructure

    Failure of Financial Institutions

    Terrorist Attack

  • 6CrossCountry Confidential1/6/2016

    Top Cybersecurity Risk Predictions for 2016

    Internet of Things (IoT) Gartner predicts 21 billion online by 2020 (FitBitsto Refrigerators, Cars to Thermostats)

    Operational Technology (OT) systems that operationalize utilities, power systems, water, etc. increasingly networked

    Artificial Intelligence (AI) IT cognitive functions advancing in 2016, difficult to know human from computer communications

    Insider Threat Roughly 75% of IT professionals are most concerned about malicious or negligent employees, and the FBI and DHS agree

    Cloud Provider Target Increasing hacker targets beyond businesses and web servers

    Mobile Malware Malvertising, injecting malicious adverts into legitimate online advertising networks

    eCommerce Banking Google Wallet, ApplePay present new targets for hackers

    Healthcare Provider Data Children in particular are lucrative targets, given the long-range benefit to hackers of a lifetime of identity theft

  • 7CrossCountry Confidential1/6/2016

    Facts & Figures

    73% - Americans who have fallen victim to cybercrime (

    $3 trillion the total global impact of cybercrime (ISACA) 556 million people who fall prey to cybercrime annually,

    resulting in more than 232 million identities exposed (FBI Cyber Crime) 15 million mobile devicesmostly Androidthat are infected

    with malware (Alcatel-Lucents Kindsight Security Labs) 37.9% US Web pages infected with malware (Inspired eLearning) 600,000 Facebook accounts that are compromised each day (FBI

    Cyber Crime)

    38% smartphone users who have been a victim of cybercrime (2013 Norton Report)

    1 in 5 mature organizations that do not have a cybersecurity framework (FINRA Cybersecurity Report, 2015)

  • 8CrossCountry Confidential1/6/2016

    Potential Risks of Cyber-Attacks

    Major Risks include: Loss of intellectual property Breach of customer data privacy Service and business interruptions Damage to Information Technology infrastructure Loss of brand value Recovery and response costs Loss of stock market value Regulatory inquiries and litigation Management distraction

  • 9CrossCountry Confidential1/6/2016

    Top 10 Cybersecurity Audit Considerations for 2016

    1. Cybersecurity Framework2. Vulnerability Assessments3. Insider Threats4. 3rd Party Management5. Business Continuity & Disaster Recovery6. Data Governance7. Network Monitoring8. Cloud Security9. Mobile Security10. Security Awareness & Training

  • 10CrossCountry Confidential1/6/2016

    The stories you are about to hear are mostly true

    Names have been changed to protect the innocent.

  • 11CrossCountry Confidential1/6/2016

    1. Cybersecurity Framework

    What is it: A supportive cybersecurity structure that leverages and integrates industry-leading cybersecurity practices that have been developed by organizations like National Institute of Standards and Technology (NIST) and the International Standardization Organization (ISO).

    Why you should care: Cybersecurity frameworks provide an assessment mechanism that enables organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cybersecurity programs.

  • 12CrossCountry Confidential1/6/2016

    Case Study: Cybersecurity Framework

    I thought having a cybersecurity framework would be a costly and time consuming process to adopt and implement. Things move so fast that we often dont have time to consider yet another set of processes. Instead, we sustained a major data breach in a business area that we didnt even realize was vulnerable, and the costs were exponentially higher than any framework would have been.

    Wellina Intentioned (CISO, Investment Group)

  • 13

    Cybersecurity Framework Audit Considerations

    Stakeholder Cybersecurity Framework Questions to Consider

    Board/Audit Committee What is the communication plan for cybersecurity issues and tone at the top?

    What cybersecurity or risk framework governs the organization?

    Information Technology (IT)

    What cybersecurity or risk framework governs IT activities related to IT assets and staff, policies and procedures?

    How often are IT assets and documentation reviewed to ensure holistic risk assessment occurs related to a framework?

    CISO What cybersecurity or risk framework governs CISO activities related to IT assets and staff, policies and procedures?

    How often are IT assets and documentation reviewed to ensure holistic risk assessment occurs related to a framework?

    Business Units When selecting new systems or tools, do you engage with a change control board?

    What sort of approval is required to stand up new systems, tools or data types?

  • 14CrossCountry Confidential1/6/2016

    Cybersecurity Framework Benefits & Considerations

    Benefits: Reduces risk by identifying areas for improvement Increases efficiencies and reduce the possibility of

    miscommunication within your information security program and with other organizations such as partners, suppliers, regulators, and auditors

    Aids in holistic view of organizational cybersecurity risk

    Considerations: Its a framework, not a prescription It provides a common language and systematic methodology for

    managing cyber risk It does not tell a company how much cyber risk is tolerable Having a common lexicon to enable action across diverse set of


  • 15CrossCountry Confidential1/6/2016

    2. Vulnerability Assessments

    What are they: A process that defines, identifies, and classifies the security vulnerabilities in a computer, network, or communications infrastructure. In addition, vulnerability assessments can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use. (

    Why you should care: Hackers can exploit vulnerabilities in your network and gain access to data. Common vulnerabilities are often widely know and easily exploited. Data breaches and other incidents are often crimes of opportunity, meaning hackers look for targets with specific vulnerabilities.

  • 16CrossCountry Confidential1/6/2016

    Case Study: Vulnerability Assessments

    We didnt think we needed to perform monthly vulnerability assessments on all of our end user equipment, we have anti-virus and that should have caught all issues. We didnt realize that there were vulnerabilities that our anti-virus software couldnt detect, or that specialized tools existed to perform more in-depth security inspections.

    Ineda Clue (VP of IT, Non-Profit)

  • 17

    Vulnerability Assessments Audit Considerations

    Stakeholders Vulnerability Assessments Questions to Consider


    Does your organization perform periodic vulnerability assessments? Are you aware of any instances where vulnerabilities were exploited and

    adversely affected your organization?

    Information Technology (IT)

    How often do you perform periodic vulnerability assessments? Are assessments performed internally or by external vendors? Are there separation of duties between system owners and assessment

    teams? What mechanism are you using to keep track of open vulnerabilities? Do the assessments consist only of vulnerability scanning or do they include

    detailed penetration testing?

    CISO Do you regularly review the results of vulnerability assessments? Do the results of vulnerability assessments drive changes in security

    measures? Are there separation of duties between the system owners and assessment

    teams? How are tools selected, relative to IT environment and CISO objectives?

    Business Units Are you aware of any open vulnerabilities in any of the systems that you utilize?

    Are you aware of any instances where vulnerabilities were exploited and adversely affected your group?

  • 18CrossCountry Confidential1/6/2016

    Vulnerability Assessments Tools & Techniques

    Network Security (Routers, Firewalls, OS and Patch) Tools: Tenable Nessus, Retina Security Scanner Nmap, Wireshark NIST & DoD Guides and Controls

    Operating System (Windows, Unix, Linux, Mac OS) Tools: NIST & DoD Guides and Controls Various automated scripts Password Crackers (John the Ripper, Brutus, Medusa)

    Web Server (IIS, Apache, WebLogic, Web apps) Tools: WebInspect, AppScan NIST & DoD Guides and Controls

    Database (Oracle, MySQL, SQL) Tools: AppSentry, AppDetective NIST & DoD Guides and Controls

  • 19CrossCountry Confidential1/6/2016

    3. Insider Threats

    What is it: The risk that an internal user, maliciously or accidently, performs an action that compromises the confidentiality, availability, and/or integrity of an organizations data.

    Why you should care: Since insiders inherently have easier access to data, losses resulting from insider threats are often more damaging than those posed by external parties.

  • 20CrossCountry Confidential1/6/2016

    Case Study: Insider Threat

    A vengeful employee recently reset a large number of our servers to factory settings after he found out he was losing his job. We could not conduct normal business operations for about 30 days, resulting in lost revenue totaling more than $500,000.

    Losta Lottawork (CISO, Oil and Gas Industry)

  • 21

    Insider Threats Audit Considerations

    Stakeholders Insider Threats Questions to Consider


    Have you been informed of the risks posed by Insider Threats? Does your organization perform periodic security risk assessments with

    consideration of Insider Threats?

    Information Technology (IT)

    Do you utilize data loss prevention tools? Is logging and monitoring performed on accounts with elevated access? Do you have a process for controlling access to removable media? Do you limit administrative access based on job responsibilities? Is data appropriately encrypted?

    CISO Have you established a mechanism for reporting security issues? Have there been any security issues related to Insider Threats? Are you aware of common threat actors for your industry?

    Business Units Is separation of duties enforced for key activities? Do you perform background checks on new hires? Are you aware of warning signs for disgruntled employees? Do you have a mechanism to report concerns of insider threat warning


  • 22CrossCountry Confidential1/6/2016

    Insider Threat Data Loss Prevention Tools

    Data Loss Prevention Tools use automated means to detect and prevent data loss (offerings from Symantec, Intel, Websense, etc.)

    They can assist in identifying where sensitive data is stored and/or prevent senstive data from being transmitted via unauthorized means (e.g., email, thumb drive)

    These tools are often used to comply with standards such as HIPAA, PCI-DSS, and HITECH

    Tools can be perimeter-based or client-based

    Installing these tools requires a balance of cost, system performance, and effectiveness

  • 23CrossCountry Confidential1/6/2016

    4. 3rd Party Risk

    What is it: The potential risk that arises from institutions relying upon outside parties to perform services or activities on their behalf

    Why you should care: May reduce managements direct control and can present risks if not properly managed

    3rd Party Relationships







  • 24CrossCountry Confidential1/6/2016

    Case Study: 3rd Party Risk

    One of our outside service providers employees had some of our client data on an iPad that was stolen, and now it looks like were going to have to report this event to regulators in 40 countries. I hate to think what the impact of this is going to be.

    Ima Needajob (CISO, Media Company)

  • 25

    3rd Party Risk Audit Considerations

    Stakeholders 3rd Party Risk Questions to Consider

    Board How are vendors selected? Who manages contracts, and how are cybersecurity considerations included

    in contract language in event of data breach or loss?

    Information Technology (IT)

    How often do you engage vendors? How proactive are vendor system updates made? How do vendors gain access to internal systems? Who within IT reviews vendor systems for vulnerabilities?

    CISO Who are your vendors? How well do you know and understand products and contracts? What top risks are inherent to each vendor technology? Who monitors these risks?

    Business Units Who are your vendors? How well do you know and understand products and contracts? Do you engage Board, IT and CISO when making vendor buying decisions? What criteria is used in selecting vendors? Are criteria set across business

    functions to ensure all requirements are met?

  • 26CrossCountry Confidential1/6/2016

    Managing 3rd Party Risk Best Practices

    Develop a inventory of 3rd parties and classify them by potential risk

    Define governance and ownership Build Service Level Agreements (SLAs) to hold vendors

    accountable Clearly define what data 3rd parties can and cannot access Include audit rights clauses in contracts Obtain and review independent service auditors reports if


  • 27CrossCountry Confidential1/6/2016

    5. Business Continuity & Disaster Recovery

    What is it: The processes and procedures an organization puts in place to ensure that essential functions can continue during and after a disaster. The term Disaster Recovery is often associated with the recovery of IT Infrastructure.

    Why you should care: Without Business Continuity and Disaster Recovery plans, there is a risk that data could be unavailable and potentially irretrievable in the event of a disaster, disrupting or permanently damaging business operations.

  • 28CrossCountry Confidential1/6/2016

    Case Study: Business Continuity Plan

    Our employees are competent, and I thought they would know what to do in an emergency. We did not have a Business Continuity Plan and the data center was flooded during Hurricane Sandy. It took us weeks to resume normal operations and a large amount of company data was unrecoverable.

    T Confident (CIO, Software Vendor)

  • 29

    Business Continuity Audit Considerations

    Stakeholder Business Continuity Questions to Consider


    Is there an organization-wide Business Continuity program that involves the key business areas?

    Have Business Continuity Plans been reviewed by management?

    Information Technology (IT)

    Do you regularly test and update Business Continuity or Disaster Recovery plans? Do you back up data to an offsite location, and have you tested the ability to restore from

    those backups? Do you have an off-site location that could be used to host your organizations IT


    CISO How are security considerations integrated into the Business Continuity strategy? Would the integrity and/or availability of your data be compromised in the event of a

    disaster? What is the physical distance between primary and failover/backup location?

    Business Units Are you involved in the Business Continuity planning process? Have you performed a business impact analysis (prioritization of business functions)? Do you have a plan for resuming business in the event of a disaster? Could your business functions resume without access to IT Infrastructure? Do you have a chain of command or call list for use in a disaster?

  • 30CrossCountry Confidential1/6/2016

    Creating a Business Continuity Plan

    Define the Scope

    Identify Critical Business Functions, Key Processes, and Dependencies

    Determine Acceptable Downtime for Business Functions

    Develop a Recovery Plan (or Plans)

    Periodically Test and Update the Plan(s)

  • 31CrossCountry Confidential1/6/2016

    6. Data Governance

    What is it: Data governance is a framework of roles and responsibilities, decision-making models, and standards/processes governing the management and use of data. Data governance addresses: Who can take what actions With what types of data At what times Under what circumstances (e.g., processes, requirements) For what intended purposes

    Why you should care: Data is everywhere and it is important to consistently prioritize, assess, and manage risk associated with data across an enterprise. Consistent definitions of data and how data can be used will help to ensure good data quality and a balance between securing data and using data as a valuable asset.

  • 32CrossCountry Confidential1/6/2016

    Case Study: Lack of Data Governance

    We had inconsistent systems of record (SORs) and too many sources of data. We did not know where all of our data was located, and who had access to what, why or when. Additionally, historical data was determined to have been lost or disorganized during post merger or acquisition activities.

    Sam Dataman (CISO, Exploration & Production Company)

  • 33

    Data Governance Audit Considerations

    Stakeholder Data Governance Questions to Consider


    Is there a clearly defined and communicated vision and objective for the Data Governance program?

    How are the organizations strategic mission and business objectives aligned with Data Governance objectives?

    Are there metrics to measure the success of Data Governance? Has Data Ownership been clearly defined?

    Information Technology (IT)

    Do automated tools facilitate Data Governance? How do you ensure that Data Governance requirements and initiatives are

    supported by technology? How do you assist business units with ensuring that third parties meet Data

    Governance requirements?

    CISO How do you collaborate with the Chief Privacy Officer? Is security integrated into the Data Governance program? Is Data Governance a driver for security? Have Data Governance Roles and Responsibilities been clearly defined?

    Business Units Is it clear to your group what data you own? Do you have retention policies for data in your group? How do you communicate Data Governance requirements to third parties?

  • 34CrossCountry Confidential1/6/2016

    Data Governance Best Practices

    Understand your data Who utilizes it (need to know, confidentiality, separation of

    duties) What the data is (definition, integrity) When it is required (availability) Where it is located (System of Record (SOR)) Why it is needed (need to know, role based access, value of

    data and loss) Understand your risk Value of Data (Trade Secret, Loss, Corruption) Sensitivity (Top Secret, Confidential, Public)

  • 35CrossCountry Confidential1/6/2016

    7. Network Monitoring

    What is it: The use of a system that continuously monitors a computer network for slow or failing components and that notifies the network administrator (usually via alert, email or other notification mechanism) in case of outages. Commonly measured metrics are response time, availability and uptime. Network monitoring tools can also be used to identify and/or prevent network security issues.

    Why you should care: Network Monitoring can save money in network performance, employee productivity, and infrastructure cost overruns. 24x7 monitoring and knowledge of network health and status information is critical to many businesses. Additionally, information gleaned from this capability area provides valuable insights into attack vectors, threats and trends for further investigation.

  • 36CrossCountry Confidential1/6/2016

    Case Study: Network Monitoring

    We didnt think our network was big enough to justify using Network Monitoring tools and staff. Our system administrators were not able to respond rapidly enough to proactively respond to system failures in real time. We lost two weeks of work. We are still working on establishing lost revenue and work productivity.

    Nat Werk (CISO, Financial Services)

  • 37

    Network Monitoring Audit Considerations

    Stakeholder Network Monitoring Questions to Consider


    Are you aware of any network monitoring of IT assets? Do you know how many times systems have failed or breaches have

    succeeded? Are these activities outsourced to a 3rd party?

    Information Technology (IT)

    What network monitoring tools do you use? Do you utilize Intrusion Detection Systems and/or Intrusion Prevention

    Systems? Have you established who will receive network alerts and defined an

    escalation protocol? Is network monitoring holistic to the entire IT enterprise, or are aspects of

    systems segmented?

    CISO Are you made aware of issues identified through network monitoring? How often do security and IT teams meet to discuss threats, trends and

    failures related to infrastructure and network monitoring?

    Business Units To what extent do you rely on the network to function? Are you aware of any of your critical IT assets requiring 24x7 access? What impact would result in system failure? Are you aware of network monitoring occurring on any of your critical


  • 38CrossCountry Confidential1/6/2016

    Network Monitoring Best Practices

    Baseline Network Behavior Understand normal network to tune alerts to anomalies

    Escalation Matrix Policies and Procedures to escalate up management chain

    Report at Every Layer Monitoring should occur at all layers of OSI Model

    Implement High Availability with Failover Options Remove single point of failure, replicate to failover site

    Configuration Management Proactive planning and prevention of common network

    issues Capacity Planning for Growth Ensure network monitoring scales with IT as it expands

  • 39CrossCountry Confidential1/6/2016

    8. Cloud Security

    What is it: A broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.

    Why you should care: Cloud computing typically means that data will be hosted on external servers and databases, possibly in many physical locations and by multiple vendors. If any one of those servers or databases is not adequately protected, your data could be in jeopardy.

  • 40CrossCountry Confidential1/6/2016

    Case Study: Cloud Security

    We consider ourselves a technically progressive company utilizing the latest Software as a Service (SaaS) applications. Unfortunately, an HR employee was able to transfer confidential employee files from our trusted, sanctioned cloud environment (Amazon Web Services) to her own unsanctioned cloud storage tool to work at home. We had to self-report to Legal Council that employee information had left the companys control, as we had no idea where else that confidential information could have been seen.

    Ava Pennysava (CISO, Software Vendor)

  • 41

    Cloud Security Audit Considerations

    Stakeholder Cloud Security Questions to Consider


    Does your company have a policy governing usage of the cloud? Does the company utilize private, public or a hybrid cloud environment?

    Information Technology (IT)

    How prevalent is usage of cloud computing in your organization? Are there plans to move assets or systems to the cloud? Are any 3rd Party vendors cloud-based, or have backend systems supporting

    your organization that utilize the cloud?

    CISO How do you verify the security of data that is hosted in the cloud? Do you obtain and review external audit reports, such as Service

    Organization Controls (SOC) Reports, for your cloud vendors? Do you utilize a framework for managing risk related to cloud providers?

    Business Units Does your business use any software that is externally hosted? Are you looking at any new systems or technologies that are cloud-based? If you did decide to procure or contract cloud-based solutions, how would

    you request permission to implement the services?

  • 42CrossCountry Confidential1/6/2016

    Cloud Security Best Practices

    Learn what cloud applications are being used in the organization, including sanctioned (approved by business) and unsanctioned (personal or not approved)

    Understand work and data flows and information being passed

    Monitor cloud applications using commercial or custom tools

    Understand security mechanisms available, including Identity Management, Role Based Access and Single Sign On

    Ensure that policies and procedures are understood by organization, and extend through cloud environment

  • 43CrossCountry Confidential1/6/2016

    9. Mobile Security

    What is it: A comprehensive set of policies, procedures, and infrastructure that manages the usage of mobile devices in a business setting. These devices include cell phones, tablets, and PDAs.

    Why you should care: Mobile devices are becoming increasingly prevalent, and bring your own device (BYOD) is becoming increasingly common as well. Mobile devices provide additional means of data loss, including additional attack points. Mobile security is a means to harness the increased productivity that comes with mobile devices, while minimizing the risk of their usage.

  • 44CrossCountry Confidential1/6/2016

    Case Study: Mobile Security

    We implemented BYOD at the corporate offices at our firm. We then realized that while iPhones and other Apple devices are widely used throughout the organization, that an iOS 9 password hack had been released. We no longer have confidence that our information or devices are secure. I worry at night that we have external threat actors alive and well, in our internal infrastructure.

    Ivanna Fon (CISO, Health Care Provider)

  • 45

    Mobile Security Audit Considerations

    Stakeholder Cloud Security Questions to Consider


    Does your organization have a policy for mobile device usage? Do you use your mobile device to download work files?

    Information Technology (IT)

    Are mobile devices controlled by enterprise-wide settings? Have you implemented remote management software, including the ability

    to remotely wipe data and locate devices? Is data on mobile devices encrypted?

    CISO Have you performed a mobile security review? Do mobile devices require strong authentication mechanisms? Do you allow employees to bring their own devices and if so, how are you

    managing the associated risk?

    Business Units Do your employees use mobile devices? Is mobile device use in line with company policies?

  • 46CrossCountry Confidential1/6/2016

    Mobile Security Managing BYOD

    Develop a BYOD policy with input across the business Be sure to clearly define what the organization has control over

    and what it doesnt Define what devices can be used by employees Require employees to sign an acceptable use policy Consider using tools that help to manage the risk of BYOD

    these can enable remote-wipe and device tracking Put extra focus on upper-management and executives devices,

    as they have more access to sensitive data

  • 47CrossCountry Confidential1/6/2016

    10. Security Awareness & Training

    What is it: Security Awareness & Training is a formal process for educating employees about various important security risks.

    Why you should care: Employee and contractor behavior is amajor source of costly data breaches. An effective security awareness training program decreases the likelihood of a number of common vulnerabilities.

  • 48CrossCountry Confidential1/6/2016

    Case Study: Security Awareness & Training

    Russian hackers gained access to the White House by way of a phishing email. White House staff declined an optional 90-minute training session on online security offered in advance of the attack.

    Skip DTraining (CISO, Federal Government)

  • 49

    Security Awareness & Training Audit Considerations

    Internal Audit Interest Area

    Security Awareness & Training Questions to Consider


    Have you received Security Training? Is there an organization-wide approach to Security Awareness & Training?

    Information Technology (IT)

    Are employees required to periodically participate in Security Training? Are you involved in developing the content of Security Training?

    CISO Have you established a Security Awareness & Training program? Are roles and responsibilities defined for Security Awareness & Training? Do you raise security awareness through periodic reminders to employees? Is there is a mechanism for reporting security issues? Is Security Training content periodically reviewed and refreshed to confirm

    that it is relevant?

    Business Units Are employees required to periodically participate in Security Training? Do your employees know what to do in the event of a security incident?

  • 50CrossCountry Confidential1/6/2016

    Security Awareness & Training Phishing

    Security Awareness & Training is a preventative measure for Phishing, Spear Phishing, and Whaling.

    Phishing is a type of fraud where the attacker masquerades as a reputable entity vie email or other communication method in order to gain sensitive information such as login credentials

    Spear-Phishing targets a specific individual Whaling targets a high profile target such as a CEO or high-

    ranking politician Vishing, also called Voice Phishing, refers to Phishing

    performed over a phone

  • 51CrossCountry Confidential1/6/2016


  • 52CrossCountry Confidential1/6/2016

    Contact Information

    Cameron Over, CISSPDirector, CrossCountry [email protected]: 703-899-6486

    Zach Walker, CISSP, CISA, CPAManaging Consultant, CrossCountry [email protected]: 410-610-8194

    mailto:[email protected]:[email protected]