Teach a Man to Phish

"Give a man an 0day and he'll have access for a day, teach a man to phish and he'll have access for life."

- @thegrugq

Information Security Is Hard

What is InfoSec?

"Information Security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information."

The focus of InfoSec is balancing protection of the Confidentiality, Integrity and Availability of data. Data security should focus on effective policies that don't impede operational efficiency.

Threat Modeling

  • Assets
  • Threats
  • Vulnerabilities

more info: https://www.owasp.org/index.php/Application_Threat_Modeling

Data!

Notes About PHI

PHI: health status, provision of health care, or payment for health care created or collected by a Covered Entity

  • Difficult/impossible to change if compromised
  • Can be used to commit health care fraud or other identity theft
  • Can be held for ransom

What are the threats we might be facing?

The Government?

Hackers?

Organized Crime?

Where are we vulnerable?

Some Areas of Vulnerability

  • Servers
  • Email
  • People
  • Login systems
  • Connections to 3rd parties

Meltdown and Spectre

Meltdown

This exploit breaks application isolation and allows one program running on an OS to access memory used by other applications. We were vulnerable to this until Aptible rolled out a fix early this week!

Spectre

Spectre exploits a CPU's speculative execution of code and uses the CPU's cache as a side channel to read data the attacker should not be able to see. This can allow attackers to access things like passwords typed into different browser tabs.

https://meltdownattack.com/

Phishing

Common Phishing Attacks

  • Deceptive Phishing - pretending to be a legitimate site
  • Spear Phishing - highly personalized
  • CEO fraud - spear phishing directed at CEOs
  • Pharming - redirecting HTTP traffic
  • Dropbox Phishing - harvesting credentials with Dropbox links
  • Google Docs Phishing

Login and 3rd Parties

  • Unencrypted HTTP can leak credentials
  • Sending unnecessary info risks leaks
  • Giving access to 3rd parties exposes our system to 3rd-party risk
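The deceptive, Dropbox and Google Docs phishing lures above, and the note that unencrypted HTTP leaks credentials, all come down to a link whose destination is not what it appears to be. The following is an added example, not part of the original talk: a small Python check that flags such links. The brand list, the hostnames and the email links are constructed for the example.

```python
"""Flag deceptive links of the kind used in Dropbox/Google Docs phishing lures."""
import re
from urllib.parse import urlparse

# Brands this check protects, mapped to their legitimate registrable domain
# (constructed list for the example; extend it with the services your users trust).
PROTECTED_BRANDS = {"dropbox": "dropbox.com", "google": "google.com"}
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOSTLIKE_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' approximation; real code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(visible_text: str, href: str) -> list[str]:
    """Return the reasons a link looks deceptive; an empty list means nothing was flagged."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    rdom = registrable_domain(host)
    # Plain HTTP: anything typed into the landing page travels unencrypted.
    if parsed.scheme == "http":
        reasons.append("plain HTTP link: submitted credentials would be readable in transit")
    # A bare IP address leaves no domain name for the reader to judge.
    if IPV4_RE.fullmatch(host):
        reasons.append("link points at a raw IP address rather than a hostname")
    # Brand name used as a label of some other registrable domain,
    # e.g. dropbox.com.login-verify.example (constructed, not a real site).
    for brand, legit in PROTECTED_BRANDS.items():
        if brand in host and rdom != legit:
            reasons.append(f"'{brand}' appears in {host}, but the registrable domain is {rdom}, not {legit}")
    # Visible text that looks like a URL while the href goes somewhere else.
    shown = HOSTLIKE_RE.search(visible_text.lower())
    if shown and registrable_domain(shown.group(0)) != rdom:
        reasons.append(f"link text shows {shown.group(0)} but the href goes to {host}")
    return reasons


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a "shared a file with you" email.
    samples = [("Dropbox", "https://www.dropbox.com/s/abc123"),
               ("https://www.dropbox.com/s/abc123", "http://dropbox.com.login-verify.example/s/abc123"),
               ("Open document", "https://192.0.2.10/docs/view")]
    for text, url in samples:
        print(url, "->", check_link(text, url) or ["ok"])
```

A check like this belongs in a mail gateway or a user-reporting tool; it will not catch every lure, which is why the training and policy items later in the talk still matter.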

Sometimes you just fail.

What can we do?

  • mitigate – build layers of defense to address our assessed threats and vulnerabilities
  • transfer – outsource some risk where we don't have a core competency (like Aptible)
  • accept – weigh costs and benefits; no security is perfect, and near-perfect might be prohibitively expensive

Mitigation

  • Defense in Depth
  • Good Policies
  • Training
  • Cryptography

Cyber Security!

Further Reading

  • https://krebsonsecurity.com/
  • https://meltdownattack.com/
  • https://medium.com/@thegrugq/
  • https://www.owasp.org/index.php/Category:Vulnerability

Thanks for listening,

please use a password manager.
