Cyber Coverage Basics

greenpepperwhinnySecurity

Nov 3, 2013

NetDiligence Conference

June 2013

Panelists


Joe DePaul

Cyber Practice Leader

Arthur J. Gallagher


David Molitano

Underwriting Manager

One Beacon Professional

Matt Prevost

Assistant Vice President

Philadelphia Insurance

Max Perkins

Underwriter

Beazley

Moderator:

Meredith Schnur

Senior Vice President

Professional Risk Group

Wells Fargo Insurance


Phishing

Fishing Anyone????

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.

Phishing emails may contain links to websites that are infected with malware.

Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of the social engineering techniques used to deceive users, and it exploits the poor usability of current web security technologies.
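The definition above lists the tell-tale features of a phishing message: a trusted brand named in the sender's display name, a sending domain that only resembles the brand, replies routed somewhere else, and a link whose visible text differs from where it really points. The following Python script is an added example (it is not part of the slide deck) that checks a constructed e-mail for exactly those indicators. The brand list, the homoglyph table, the two-label "registrable domain" heuristic, and both sample messages are assumptions made for the demonstration.

```python
"""Phishing indicator check over a constructed e-mail (added example, not from the slides)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands whose lookalike domains we want to catch (constructed list for the example).
PROTECTED_DOMAINS = ("paypal.com", "example-bank.com")

# Characters attackers substitute for visually similar letters (small illustrative table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed phishing message: brand in the display name, a sender domain that
# merely resembles the brand, a Reply-To elsewhere, and link text that hides the real target.
PHISH_EMAIL = """\
From: "PayPal Support" <security@paypa1-alerts.com>
Reply-To: recover@mail-inbox-reset.net
Subject: Your account has been limited
Content-Type: text/html

<p>Dear customer,</p>
<p>Please <a href="http://paypa1-alerts.com/login">https://www.paypal.com/signin</a>
to restore access within 24 hours.</p>
"""

# Constructed legitimate message for comparison.
LEGIT_EMAIL = """\
From: "PayPal" <service@paypal.com>
Subject: Your receipt
Content-Type: text/html

<p>Thanks for your payment. <a href="https://www.paypal.com/activity">https://www.paypal.com/activity</a></p>
"""


def registrable_domain(host):
    """Crude eTLD+1: the last two labels.  Assumption: no public-suffix list,
    so 'example.co.uk' would come out wrong; good enough for the demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like(domain, protected):
    """True when domain is not the protected domain but, after undoing common
    homoglyph swaps, still contains the protected brand label."""
    if domain == protected:
        return False
    brand = protected.split(".")[0]
    return brand in domain.translate(HOMOGLYPHS)


def phishing_indicators(raw):
    """Return a list of human-readable indicators found in the raw RFC 822 message."""
    msg = message_from_string(raw)
    indicators = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""

    # 1. Display name invokes a brand that the sending domain does not belong to.
    for prot in PROTECTED_DOMAINS:
        if prot.split(".")[0] in display.lower() and from_domain != prot:
            indicators.append(f"display name '{display}' but sender domain {from_domain}")

    # 2. Replies are routed to a domain different from the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply:
        reply_domain = registrable_domain(reply.split("@")[-1])
        if reply_domain != from_domain:
            indicators.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3./4. Links: visible URL text vs. real href, and lookalikes of protected brands.
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.S | re.I):
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"https?://([^/\s<]+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            indicators.append(f"link text shows {shown.group(1)} but points to {href_host}")
        for prot in PROTECTED_DOMAINS:
            if looks_like(registrable_domain(href_host), prot):
                indicators.append(f"link host {href_host} is a lookalike of {prot}")
    return indicators


if __name__ == "__main__":
    for name, mail in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, phishing_indicators(mail))
```

Run stand-alone, the script reports four indicators for the constructed phishing message and none for the legitimate one. None of these checks proves a message is phishing on its own; mail filters combine indicators like these with sender authentication (SPF, DKIM, DMARC) and reputation data, which this example deliberately leaves out.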

Really? You can’t be serious…

Virus Protection

The capability, usually delivered through software-based controls such as anti-malware tools, to defend proactively against malicious attempts to compromise an organization's networks, systems, and/or applications.


Self Assessment

Utilizing contemporary knowledge of a given topic (such as Information Security) based upon current industry standards, existing laws/regulations, and emerging trends, and then applying that knowledge against the capabilities within one's own organization in order to develop awareness of the organization's maturity level on the topic and to identify near- to medium-term recommendations for targeted improvement.


What is a DDoS?

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. In the distributed form the traffic comes from many compromised machines at once, which is what makes it hard to block by source.

One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload.
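The slide describes the effect (a flood of requests crowding out legitimate users) but not how an operator would see it in practice. The Python script below is an added example, not material from the deck: it builds a constructed web-server access log in common log format in which one source fires 300 requests in six seconds while two ordinary clients browse, then applies a sliding-window per-source rate check to find the flooding source and counts the 5xx errors that the ordinary clients received as collateral. The sample addresses, the ten-second window and the threshold of 50 requests are assumptions chosen for the demonstration.

```python
"""Detecting a request flood in web-server access logs (added example, not from the slides)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "common log format" line; only the fields we need are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (?:\d+|-)$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def fmt_line(when, ip, request, status, size=512):
    """Render one common-log-format line (used only to build the constructed sample)."""
    return f'{ip} - - [{when.strftime(TIME_FMT)}] "{request}" {status} {size}'


def build_sample_log():
    """Constructed sample: one source fires 300 requests in 6 s while two normal
    clients browse; the server starts answering 503 once it is saturated."""
    base = datetime(2013, 6, 4, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(300):                      # flood source, one request every 20 ms
        t = base + timedelta(milliseconds=20 * i)
        events.append((t, "203.0.113.9", "GET / HTTP/1.1", 503 if i > 100 else 200))
    for i in range(5):                        # normal client, one request per second
        events.append((base + timedelta(seconds=i), "198.51.100.20", f"GET /page{i} HTTP/1.1", 200))
    for i in range(4):                        # normal client hit by the overload
        t = base + timedelta(seconds=2 + i)
        events.append((t, "198.51.100.77", "GET /cart HTTP/1.1", 503 if i >= 2 else 200))
    events.sort(key=lambda e: e[0])           # real logs are written in time order
    return [fmt_line(*e) for e in events]


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), request, int(status)


def flood_sources(lines, window_seconds=10, threshold=50):
    """Sliding-window rate check: for each source IP keep the timestamps seen in
    the last window_seconds; report any IP whose count ever exceeds threshold,
    with the peak count observed.  Lines must be in time order."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, _, _ = parsed
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def collateral_errors(lines, flood_ips):
    """5xx responses served to clients that are NOT flooding: the legitimate
    traffic rendered unavailable that the slide describes."""
    errors = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] not in flood_ips and 500 <= parsed[3] < 600:
            errors[parsed[0]] += 1
    return dict(errors)


if __name__ == "__main__":
    log = build_sample_log()
    floods = flood_sources(log)
    print("flood sources:", floods)
    print("collateral 5xx per legitimate client:", collateral_errors(log, floods))
```

A per-source threshold like this catches a single-source DoS. Against a distributed attack each bot may stay under the threshold individually, so the same sliding window would have to be applied to the aggregate request rate (or per target URL) rather than per IP, which is one reason DDoS mitigation is usually pushed upstream to a provider rather than handled on the victim server.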


Penetration Testing (aka Pen Testing?)

Pen Testing, formally known as a penetration test, is a method of evaluating the security of a computer system or network by simulating an attack from both external and internal threats. The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.

This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities.

Security issues uncovered through the penetration test are presented to the system's owner.

Effective penetration tests couple this information with an accurate assessment of the potential impacts to the organization and outline a range of technical and procedural countermeasures to reduce the risks.



What is a Privacy Breach / Security Breach?

A privacy breach is the theft, loss or unauthorized disclosure of personally identifiable non-public information (PII) or third party corporate confidential information that is in the care, custody or control of the organization, or of an agent or independent contractor that is handling, processing, sorting or transferring such information on behalf of the organization.

A computer security breach is:

the inability of a third party, who is authorized to do so, to gain access to an organization's systems or services;

the failure to prevent unauthorized access to an organization's computer systems that results in deletion, corruption or theft of data;

a denial of service attack against an organization's internet sites or computer systems; or

the failure to prevent transmission of malicious code from an organization's systems to a third party's computers and/or systems.