ID-Theft-MDP-2006090101 - Holistic Operational Readiness

advertisement
Personal Privacy
Identity protection in this wired world
Identity Theft?
Described by the federal Fair
Credit Reporting Act as "the use
or attempted use of an account or
identifying information without the
owner's permission“.
Simple Facts
 Federal and state authorities alike have
labeled it the country's fastest-growing
white-collar crime since the late 1990s.
 The number of people victimized annually
was last estimated at about 10 million by
the Federal Trade Commission.
 It is a problem that has affected millions of
Americans, including Oprah Winfrey, Bill
Gates, and Tiger Woods. Chances are it has
hurt someone in this room.
Cost of ID Theft?
 US victims spend an average of
$1,500 and 175 hours to recover
www.fightidentitytheft.com
 Current annual cost - $56.6
billion www.bbbonline.org.
 Average loss per victim $6,383.
 Businesses spend an average of
$18,000 per incident.
 U.S. business spend over $400
billion per year just on the
insider threat.
Cyber Streetwise
We shred financial documents and unsolicited,
pre-approved credit card offers; check credit
reports regularly; keep Social Security numbers
as private as possible; delete e-mail from
unknown senders as soon as it arrives; and
frequently update antivirus, firewall and spamblocking software.
But …..
We're All Vulnerable
 We live in an age where everything
from tax records to Social Security
numbers to credit card data resides in
databases that can be hacked,
phished or pharmed by anyone with
sinister motives and enough knowhow.
ID Theft: A Growing Concern
 At least 130 reported breaches exposed
more than 55 million Americans to potential
identity theft in 2005.
 Identity theft in is the fastest growing crime
in the United States.
Recent Reported Data Exposures









Department of Energy 1,500
Internal Revenue Service 291
ChoicePoint 145,000
Bank of America 1.2 million
CardSystems 40 million
Citi Financial 3.9 million
Time Warner 600,000
Department of Veterans Affairs 26.5 million
United States Air Force 33,000
ID Theft Complaints by Consumer Age
29%
24%
20%
13%
9%
5%
Under 18
18-29
30-39
40-49
2005 Percentages by age
50-59
60+
Be Vigilant
 Deter identity thieves by
safeguarding your information.
 Detect suspicious activity by
routinely monitoring your financial
accounts and billing statements.
 Defend against ID theft as soon as
you suspect a problem.
Common Ways ID Theft Happens









Common Theft
Dumpster Diving
Skimming
Phishing Schemes
Change of Address Scheme
Pretexting
Work-at-Home Swindle
Pharming
Unwanted Guests
Common Theft
 This is by far the most common cause
of identity theft cases.
 Lost or stolen identification
 Lost or stolen schedulers
 Lost or stolen PDA or computers
 Lost or stolen storage devices
 Company insiders
and …
The Red Flag!





You have mail!
Checks
Bills
Account information
Pre-approved
Dumpster Diving
 Criminals engage in "dumpster diving"
going through your garbage cans or a
communal dumpster or trash bin -- to
obtain copies of your checks, credit card or
bank statements, or other records that
typically bear your name, address, and
even your telephone number.
 These types of records make it easier for
criminals to get control over accounts in
your name and assume your identity.
Skimming
 Thieves target account information
embedded in ATM, debit and credit cards by
breaking into or otherwise compromising
the equipment and systems used for
processing payments.
 The California Bankers Association reported
in 2005 that scammers had taken to
attaching wireless video cameras to the
front of ATMs in hopes of capturing your
card number and PIN from a remote
location.
Phishing Schemes
 Phishing is the act of tricking someone into
giving out confidential information or tricking
them into doing something that they normally
wouldn’t do or shouldn’t do.
 Gartner, a market-research firm, reports that in
the 12 months ending in May 2005, phishers
duped 2.4 million Americans into revealing
personal info, costing victims, banks and credit
card companies $929 million.
 The volume of phishing e-mail has reached
astounding levels at over 1.5 billion messages
a day.
Change of Address Scheme
 Rerouting your mail is easier than you might think.
 If you have bank or credit card accounts, you should
be receiving monthly statements that list transactions
for the most recent month or reporting period.
 Check the Post Office for change of address cards on
file.
 If you're told that your statements are being mailed to
another address that you haven't authorized, tell the
Postmaster, financial institution, or credit card
representatives immediately that you did not
authorize the change of address and that someone
may be improperly using your information.
Pretexting
 ID thieves just ask for your personal
information.
 In one common approach, they claim
to be conducting a survey on behalf
of your bank and ask questions
designed to get your account number,
date of birth, social security number,
etc.
Work-at-Home Swindle
 The rise of Internet use brings more
deceptive and misleading promotions,
bogus travel offers, contests, lotteries, and
other illegal practices on the Web.
 Always use common sense. If you have a
gut feeling that something is not legitimate,
you’re probably right.
 Make sure the company has a phone
number and a physical address – not just a
post office box or e-mail address.
Pharming?
 Maybe you've heard of "pharming," in
which legitimate websites are hit with
malicious computer code that steers
those visiting them to look-alike sites.
Data can then be harvested without a
key being struck. In a twist, there's
crimeware that instead attacks
browsers (Internet Explorer, for one)
and does its pharming from there.
Unwanted Guests
 Another ripe target for identity thieves: the
wireless networks that more and more
companies and individuals are setting up.
 Failure to block access to these networks
can allow prying eyes into your hard drive,
where you may store financial information
in programs like Quicken.
 An unsecured wireless access point can
open the door to more than just data theft.
 Access into your company through mobile
devices or gadgets.
But Wait! There Is More







Fake Jury Duty Con
Medicare Fraud
"IRS" Phishing Scam
Internet Telephony Trickery
Grant Flimflams
Child Identity Theft
The Next Targets?
Child Identity Theft
 An estimated 400,000 children had their identities
stolen in 2005.
 Two-thirds of child ID thefts are perpetrated by family
members.
 Instruct your children NEVER to give out any personal
information over the Internet, such as whole names,
addresses, phone numbers, school names or
photographs.
 Instruct your children to tell you about -- and not
respond to -- any messages they read that make
them feel uncomfortable.
 Order credit reports on your child from the three
nationwide credit bureaus. The credit search should
come up empty.
Eavesdroppers and Snoopers
 Eavesdroppers listen to your
conversations without your
knowledge.
 Snoopers observe your computer
screen or items on your desk without
your knowledge.
 Bluetooth technology may provide a
speakerphone behind closed doors.
The Next Targets
 Homeland Security has warned that cell
phones and other handhelds (like
BlackBerrys) are becoming increasingly
vulnerable to hackers and viruses.
 Instant messaging (IM) is becoming a
popular target.
 More attacks on browsers with the intent of
embedding crimeware on PCs.
 Popular blogs and social networking sites
like MySpace.com.
Safeguard Your Information






Shred paperwork with personal information and financial documents
before you discard them.
Don’t carry your Social Security card in your wallet or write your Social
Security number on a check. Give it out only if absolutely necessary;
you can always ask to use another identifier.
Don’t give out personal information on the phone, through the mail, or
over the Internet unless you are sure who you are dealing with.
Never click on links sent in unsolicited emails; instead, type in a web
address you know.
Don’t use obvious passwords. Your mother’s maiden name, or the last
four digits of your Social Security number – all are obvious passwords.
Keep your personal information in a secure place at home, especially if
you have roommates, employ outside help, or are having work done in
your house.
Question
 If someone has stolen information
about your financial accounts, it’s best
to wait for several weeks to see what
they do with it before taking action?
The answer is?
Your best first step is to contact your
credit card companies and close your
accounts. Also, talk with your bank
about whether to close other accounts
or take other steps.
Question
 One of the best ways to protect your identity is
by using online passwords only you would know
– like your mother’s maiden name or the last
four digits of your Social Security Number?
The answer is?
This is an incorrect statement. Crooks can often
find this type of information about you … and
then, it’s “so long, identity!” It’s better to use
random numbers and letters, and commit them
to memory.
Question
 If the stolen information includes your
Social Security Number, you can place
an “initial fraud alert” by calling one of
the three nationwide consumer
reporting companies?
The answer is?
Correct! Placing such an alert can help
stop someone from opening new credit
accounts in your name.
Question
 If someone has stolen your identity,
and then you notice you’re no longer
receiving bills from creditors, this is a
sign that your identity has been
restored?
The answer is?
No! If bills stop coming, it may be a
sign that someone is still “hijacking”
your identity, and changing the
address your bills are being sent to.
Question
 The names of the three nationwide
consumer reporting companies are
Equinox, ExperiCorps, and
TransAmerica?
The answer is?
Good eye! The actual names are
Equifax, Experian, and TransUnion. If
you would like a free annual credit
report, visit annualcreditreport.com.
Question
 Identity theft refers only to the theft of
drivers’ licenses or name badges?
The answer is?
While those are types of identity theft,
the term refers to a broad variety of
criminal misuses of your name, Social
Security Number, and financial
information.
Question
 My employer protects personally
identifying information from hackers
and other external threats. My identity
is perfectly safe right?
The answer is?
While reasonable controls may be in
place protecting the corporate
perimeter, the REAL threat comes from
the “Trusted” employee with access
and control of this information.
Individual Quick Facts
It’s important to protect your personal information, and to take certain steps
quickly to minimize the potential damage from identity theft if your
information is accidentally disclosed or deliberately stolen:

Close compromised credit card accounts immediately.

If someone steals your social security number (SSN), contact one of the three nationwide
consumer reporting agencies — Equifax, Experian, or TransUnion — and place an initial
fraud alert on your credit reports.

Monitor your credit report. Keep in mind that fraudulent activity may not show up right away.

Consult with your financial institution about handling the effects on bank or brokerage
accounts.

Contact relevant government agencies to cancel and replace any stolen drivers licenses or
other identification documents, and to “flag” your file.

Watch for signs of identity theft: late or missing bills, receiving credit cards that you didn’t
apply for, being denied credit or offered less favorable terms for no apparent reason, or
getting contacted by debt collectors or others about purchases you didn’t make.
Tell Tale Signs
 You are receiving credit cards that you
didn't apply for.
 You are being denied credit, or being
offered less favorable credit terms, like a
high interest rate, for no apparent reason.
 You are getting calls or letters from debt
collectors or businesses about
merchandise or services you didn't buy.
Here's What To Do

File a report with your local police or the police in the
community where the identity theft took place. Get a copy
of the report or at the very least, the number of the report,
to submit to your creditors and others that may require
proof of the crime.

Contact the fraud departments of any one of the three
consumer reporting companies to place a fraud alert on
your credit report.

Close the accounts that you know or believe have been
tampered with or opened fraudulently.

File your complaint with the FTC. The FTC maintains a
database of identity theft cases used by law enforcement
agencies for investigations.
Corporate concerns







Loss of productivity
Loss of intellectual property
Damage to reputation
Loss revenue
Executive responsibility
Legal implications
Damage to business
Trusted agents
 Attacks are perpetrated by people with
trusted insider status.




Employees
Ex-employees
Contractors
Business partners
 Insiders pose a far greater threat to
organizations in terms of potential cost per
occurrence and total potential cost than
attacks mounted from outside.
Insider threat motivators





Trust and physical access
Challenge
Curiosity
Revenge
Financial gain
Inside Attackers Profile
 Male
 17-60 years old
 Holds a technical position (86%
chance)
 May or may not be married (50/50
chance)
 Racially and ethnically diverse
Additional statistics
 In 92 percent of the incidents investigated, revenge was
the primary motivator.
 Sixty-two percent of the attacks were planned in
advance.
 Eighty percent exhibited suspicious or disruptive
behavior to their colleagues or supervisors before the
attack.
 Only 43 percent had authorized access (by policy, not
necessarily via system control).
 Sixty-four percent used remote access to carry out the
attack.
 Most incidents required little technical sophistication.
Data handled









Employee social security numbers
Employee salary data
Employee banking data
Employee health data
Customer credit card data
Customer banking data
Customer credit history data
Financial transactions
Corporate financial information
Compliance implications
 SOX - Sarbanes-Oxley
 PCI – Payment Card Industry
 HIPAA - Health Insurance Portability
and Accountability Act
 GLBA - Gramm-Leach Bliley Act
 DOI – Department of Insurance
 State specific regulations
Current numbers
 Internal attacks cost U.S. business
$400 billion per year, according to a
national fraud survey conducted by
The Association of Certified Fraud
Examiners.
 $348 billion can be tied directly to
privileged users.
Organizational Quick Facts
It’s important to protect your customer’s and employee’s information, and to
take certain steps quickly to minimize the potential damage from critical
information if it is accidentally disclosed or deliberately stolen:





Although white collar criminal charges are usually
brought against individuals, corporations may also be
subject to sanctions for these types of offenses.
Encourage open communication regarding issues of
misconduct, and provide a confidential and anonymous
mechanism for stakeholders to report fraud without
fear of retaliation.
Be prepared to promptly review, assess, investigate
and resolve reported issues.
Set policies and train stakeholders on important
policies related to organizational risk.
Decide who will be notified about tips or
incidents.
2005 Law Enforcement Contact
Victims Did
Not Notify
Police
61%
Police
Notified But
Report Was
Not Made
Police
9%
Notified And
Report Was
Made
30%
Beating the Thieves










Install security software and stay current with the latest patches.
Always be suspicious of unsolicited e-mail.
Monitor the volume and origin of pop-up ads. A change may signal something
sinister.
Visit the FBI's new Web site, lookstoogoodtobetrue.gov, for tips.
Use debit cards like credit cards, i.e., with a signature, not a PIN code.
If you live in one of the 20 states where it's possible, place a freeze on credit
reports. This stops any credit activity in your name unless you specifically initiate
it.
Keep an eye out for "skimmers" lurking in places where you use cards or keep
customer credit information.
Enable encryption on wireless routers immediately upon setting up a home or
corporate network.
Shop only on secure Web sites (look for the padlock or "https" in the address
bar); use credit, not debit, cards; don't store your financial info in an "account" on
the Web site.
Be mindful of the insider threat!
Identity Triad – Recommended personal credit review cycle.
T-1
T-2
T-3
http://www.experian.com
http://www.equifax.com
http://www.transunion.com
T-1 = January, February, March, April
T-2 = May, June, July, August
T-3 = September, October, November, December
Monitor Your Credit Report
 Review and monitor your credit report!
 Visit www.annualcreditreport.com to obtain your free
credit report
 Citi Credit Monitoring Service:
http://www.creditmonitoring.citi.com
 Credit Expert: http://www.creditexpert.com
 Credit Manager: www.experian.com
 www.transunion.com
 www.equifax.com
 If you suspect you are a victim place a fraud alert on
your credit report.
Michael D. Peters
MBA, CISSP
Director of Security Services
Lazarus Alliance Inc.
About Michael

Michael is a founding member of Lazarus Alliance Incorporated. He has more than 20 years of networking and
system development experience. He is an MBA, CISSP and is certified in several products which include Sun
Microsystems UNIX.

More than 14 years of his experience has been devoted to information and network security for organizations
from United States Defense, Healthcare, Software Development, Manufacturing, Transportation, Insurance,
Communications, and Financial markets.

Michael received his MBA in Information Technology Management from Western Governors University.

He is the creator of "SafetyNET" which is a UNIX based intrusion prevention appliance suite available only from
Lazarus Alliance.

The innovator behind the Holistic Operational Readiness Security Evaluation (HORSE) project and Wiki.

A contributing author to the Sun Microsystems BigAdmin community, Wikipedia, Snort.org, SANS.org, and The
White Hat Encyclical.

Michael D. Peters is currently the President of the Kentuckiana chapter of the Information Systems Security
Association (ISSA) and WGU Alumni InfoSec Forum Moderator.

Guest speaker on matters of security especially concerning compliance, auditing, investigation, and best
practices for secure computing to various organizations, Public Radio, technical institutions, and in University
classrooms.
Lazarus Alliance Inc.






Lazarus Alliance Incorporated offers professional services and products dealing exclusively in the areas of
Security Architecture and Engineering, Compliance Auditing, Risk Assessments, Penetration Testing, Incident
Response, Forensic Analysis, and Disaster Recovery. Delivering security with integrated products and expert
services to ASSESS, PROTECT, EMPOWER and MANAGE business processes and information assets.
The Lazarus Alliance professional security assessment auditor.s provide expert assistance to your
organization in all areas of information protection and assurance. We are focused on helping companies in all
industries improve their current security posture. Providing the compliance resources our clients require for
ISO 17799, HIPAA, Sarbanes Oxley, Gramm-Leach-Bliley, and other legislation is the heart of the Lazarus
Alliance security audit practice.
The Lazarus Alliance research and development engineers have created world-class security solutions.
Lazarus Alliance protects your digital assets and business processes. We offer the SafetyNET suite of
Intrusion Prevention and Intrusion Detection appliances that are available only from Lazarus Alliance. Our
customers benefit from personal attention, zero-day solutions, and ingenious security solutions.
The Lazarus Alliance consulting service team empowers our clients with the expert knowledge our
consultant's provide. The Lazarus Alliance consulting team provides more than security products and
services, they provide value added expert level advice and information during the life cycle with our client's
engagements and customer relationships.
The Lazarus Alliance security service organization teams provides managed security services to our
customers leveraging the expertise and knowledge of the Lazarus Alliance research and development
engineers, the Lazarus Alliance security consultants, and security service team.
www.lazarusalliance.com
References













www.consumer.gov
www.bbbonline.org
www.ic3.gov
www.banktechnews.com
http://www.fivecentnickel.com
www.experian.com
www.transunion.com
www.equifax.com
www.lazarusalliance.com
http://www.lazarusalliance.com/horsewiki/
http://www.ftc.gov/privacy/
http://www.issa-kentuckiana.org
http://issa-kentuckiana.org/infosec/2006/
Download