Personal Privacy Identity protection in this wired world Identity Theft? Described by the federal Fair Credit Reporting Act as "the use or attempted use of an account or identifying information without the owner's permission“. Simple Facts Federal and state authorities alike have labeled it the country's fastest-growing white-collar crime since the late 1990s. The number of people victimized annually was last estimated at about 10 million by the Federal Trade Commission. It is a problem that has affected millions of Americans, including Oprah Winfrey, Bill Gates, and Tiger Woods. Chances are it has hurt someone in this room. Cost of ID Theft? US victims spend an average of $1,500 and 175 hours to recover www.fightidentitytheft.com Current annual cost - $56.6 billion www.bbbonline.org. Average loss per victim $6,383. Businesses spend an average of $18,000 per incident. U.S. business spend over $400 billion per year just on the insider threat. Cyber Streetwise We shred financial documents and unsolicited, pre-approved credit card offers; check credit reports regularly; keep Social Security numbers as private as possible; delete e-mail from unknown senders as soon as it arrives; and frequently update antivirus, firewall and spamblocking software. But ….. We're All Vulnerable We live in an age where everything from tax records to Social Security numbers to credit card data resides in databases that can be hacked, phished or pharmed by anyone with sinister motives and enough knowhow. ID Theft: A Growing Concern At least 130 reported breaches exposed more than 55 million Americans to potential identity theft in 2005. Identity theft in is the fastest growing crime in the United States. Recent Reported Data Exposures Department of Energy 1,500 Internal Revenue Service 291 ChoicePoint 145,000 Bank of America 1.2 million CardSystems 40 million Citi Financial 3.9 million Time Warner 600,000 Department of Veterans Affairs 26.5 million United States Air Force 33,000 ID Theft Complaints by Consumer Age 29% 24% 20% 13% 9% 5% Under 18 18-29 30-39 40-49 2005 Percentages by age 50-59 60+ Be Vigilant Deter identity thieves by safeguarding your information. Detect suspicious activity by routinely monitoring your financial accounts and billing statements. Defend against ID theft as soon as you suspect a problem. Common Ways ID Theft Happens Common Theft Dumpster Diving Skimming Phishing Schemes Change of Address Scheme Pretexting Work-at-Home Swindle Pharming Unwanted Guests Common Theft This is by far the most common cause of identity theft cases. Lost or stolen identification Lost or stolen schedulers Lost or stolen PDA or computers Lost or stolen storage devices Company insiders and … The Red Flag! You have mail! Checks Bills Account information Pre-approved Dumpster Diving Criminals engage in "dumpster diving" going through your garbage cans or a communal dumpster or trash bin -- to obtain copies of your checks, credit card or bank statements, or other records that typically bear your name, address, and even your telephone number. These types of records make it easier for criminals to get control over accounts in your name and assume your identity. Skimming Thieves target account information embedded in ATM, debit and credit cards by breaking into or otherwise compromising the equipment and systems used for processing payments. The California Bankers Association reported in 2005 that scammers had taken to attaching wireless video cameras to the front of ATMs in hopes of capturing your card number and PIN from a remote location. Phishing Schemes Phishing is the act of tricking someone into giving out confidential information or tricking them into doing something that they normally wouldn’t do or shouldn’t do. Gartner, a market-research firm, reports that in the 12 months ending in May 2005, phishers duped 2.4 million Americans into revealing personal info, costing victims, banks and credit card companies $929 million. The volume of phishing e-mail has reached astounding levels at over 1.5 billion messages a day. Change of Address Scheme Rerouting your mail is easier than you might think. If you have bank or credit card accounts, you should be receiving monthly statements that list transactions for the most recent month or reporting period. Check the Post Office for change of address cards on file. If you're told that your statements are being mailed to another address that you haven't authorized, tell the Postmaster, financial institution, or credit card representatives immediately that you did not authorize the change of address and that someone may be improperly using your information. Pretexting ID thieves just ask for your personal information. In one common approach, they claim to be conducting a survey on behalf of your bank and ask questions designed to get your account number, date of birth, social security number, etc. Work-at-Home Swindle The rise of Internet use brings more deceptive and misleading promotions, bogus travel offers, contests, lotteries, and other illegal practices on the Web. Always use common sense. If you have a gut feeling that something is not legitimate, you’re probably right. Make sure the company has a phone number and a physical address – not just a post office box or e-mail address. Pharming? Maybe you've heard of "pharming," in which legitimate websites are hit with malicious computer code that steers those visiting them to look-alike sites. Data can then be harvested without a key being struck. In a twist, there's crimeware that instead attacks browsers (Internet Explorer, for one) and does its pharming from there. Unwanted Guests Another ripe target for identity thieves: the wireless networks that more and more companies and individuals are setting up. Failure to block access to these networks can allow prying eyes into your hard drive, where you may store financial information in programs like Quicken. An unsecured wireless access point can open the door to more than just data theft. Access into your company through mobile devices or gadgets. But Wait! There Is More Fake Jury Duty Con Medicare Fraud "IRS" Phishing Scam Internet Telephony Trickery Grant Flimflams Child Identity Theft The Next Targets? Child Identity Theft An estimated 400,000 children had their identities stolen in 2005. Two-thirds of child ID thefts are perpetrated by family members. Instruct your children NEVER to give out any personal information over the Internet, such as whole names, addresses, phone numbers, school names or photographs. Instruct your children to tell you about -- and not respond to -- any messages they read that make them feel uncomfortable. Order credit reports on your child from the three nationwide credit bureaus. The credit search should come up empty. Eavesdroppers and Snoopers Eavesdroppers listen to your conversations without your knowledge. Snoopers observe your computer screen or items on your desk without your knowledge. Bluetooth technology may provide a speakerphone behind closed doors. The Next Targets Homeland Security has warned that cell phones and other handhelds (like BlackBerrys) are becoming increasingly vulnerable to hackers and viruses. Instant messaging (IM) is becoming a popular target. More attacks on browsers with the intent of embedding crimeware on PCs. Popular blogs and social networking sites like MySpace.com. Safeguard Your Information Shred paperwork with personal information and financial documents before you discard them. Don’t carry your Social Security card in your wallet or write your Social Security number on a check. Give it out only if absolutely necessary; you can always ask to use another identifier. Don’t give out personal information on the phone, through the mail, or over the Internet unless you are sure who you are dealing with. Never click on links sent in unsolicited emails; instead, type in a web address you know. Don’t use obvious passwords. Your mother’s maiden name, or the last four digits of your Social Security number – all are obvious passwords. Keep your personal information in a secure place at home, especially if you have roommates, employ outside help, or are having work done in your house. Question If someone has stolen information about your financial accounts, it’s best to wait for several weeks to see what they do with it before taking action? The answer is? Your best first step is to contact your credit card companies and close your accounts. Also, talk with your bank about whether to close other accounts or take other steps. Question One of the best ways to protect your identity is by using online passwords only you would know – like your mother’s maiden name or the last four digits of your Social Security Number? The answer is? This is an incorrect statement. Crooks can often find this type of information about you … and then, it’s “so long, identity!” It’s better to use random numbers and letters, and commit them to memory. Question If the stolen information includes your Social Security Number, you can place an “initial fraud alert” by calling one of the three nationwide consumer reporting companies? The answer is? Correct! Placing such an alert can help stop someone from opening new credit accounts in your name. Question If someone has stolen your identity, and then you notice you’re no longer receiving bills from creditors, this is a sign that your identity has been restored? The answer is? No! If bills stop coming, it may be a sign that someone is still “hijacking” your identity, and changing the address your bills are being sent to. Question The names of the three nationwide consumer reporting companies are Equinox, ExperiCorps, and TransAmerica? The answer is? Good eye! The actual names are Equifax, Experian, and TransUnion. If you would like a free annual credit report, visit annualcreditreport.com. Question Identity theft refers only to the theft of drivers’ licenses or name badges? The answer is? While those are types of identity theft, the term refers to a broad variety of criminal misuses of your name, Social Security Number, and financial information. Question My employer protects personally identifying information from hackers and other external threats. My identity is perfectly safe right? The answer is? While reasonable controls may be in place protecting the corporate perimeter, the REAL threat comes from the “Trusted” employee with access and control of this information. Individual Quick Facts It’s important to protect your personal information, and to take certain steps quickly to minimize the potential damage from identity theft if your information is accidentally disclosed or deliberately stolen: Close compromised credit card accounts immediately. If someone steals your social security number (SSN), contact one of the three nationwide consumer reporting agencies — Equifax, Experian, or TransUnion — and place an initial fraud alert on your credit reports. Monitor your credit report. Keep in mind that fraudulent activity may not show up right away. Consult with your financial institution about handling the effects on bank or brokerage accounts. Contact relevant government agencies to cancel and replace any stolen drivers licenses or other identification documents, and to “flag” your file. Watch for signs of identity theft: late or missing bills, receiving credit cards that you didn’t apply for, being denied credit or offered less favorable terms for no apparent reason, or getting contacted by debt collectors or others about purchases you didn’t make. Tell Tale Signs You are receiving credit cards that you didn't apply for. You are being denied credit, or being offered less favorable credit terms, like a high interest rate, for no apparent reason. You are getting calls or letters from debt collectors or businesses about merchandise or services you didn't buy. Here's What To Do File a report with your local police or the police in the community where the identity theft took place. Get a copy of the report or at the very least, the number of the report, to submit to your creditors and others that may require proof of the crime. Contact the fraud departments of any one of the three consumer reporting companies to place a fraud alert on your credit report. Close the accounts that you know or believe have been tampered with or opened fraudulently. File your complaint with the FTC. The FTC maintains a database of identity theft cases used by law enforcement agencies for investigations. Corporate concerns Loss of productivity Loss of intellectual property Damage to reputation Loss revenue Executive responsibility Legal implications Damage to business Trusted agents Attacks are perpetrated by people with trusted insider status. Employees Ex-employees Contractors Business partners Insiders pose a far greater threat to organizations in terms of potential cost per occurrence and total potential cost than attacks mounted from outside. Insider threat motivators Trust and physical access Challenge Curiosity Revenge Financial gain Inside Attackers Profile Male 17-60 years old Holds a technical position (86% chance) May or may not be married (50/50 chance) Racially and ethnically diverse Additional statistics In 92 percent of the incidents investigated, revenge was the primary motivator. Sixty-two percent of the attacks were planned in advance. Eighty percent exhibited suspicious or disruptive behavior to their colleagues or supervisors before the attack. Only 43 percent had authorized access (by policy, not necessarily via system control). Sixty-four percent used remote access to carry out the attack. Most incidents required little technical sophistication. Data handled Employee social security numbers Employee salary data Employee banking data Employee health data Customer credit card data Customer banking data Customer credit history data Financial transactions Corporate financial information Compliance implications SOX - Sarbanes-Oxley PCI – Payment Card Industry HIPAA - Health Insurance Portability and Accountability Act GLBA - Gramm-Leach Bliley Act DOI – Department of Insurance State specific regulations Current numbers Internal attacks cost U.S. business $400 billion per year, according to a national fraud survey conducted by The Association of Certified Fraud Examiners. $348 billion can be tied directly to privileged users. Organizational Quick Facts It’s important to protect your customer’s and employee’s information, and to take certain steps quickly to minimize the potential damage from critical information if it is accidentally disclosed or deliberately stolen: Although white collar criminal charges are usually brought against individuals, corporations may also be subject to sanctions for these types of offenses. Encourage open communication regarding issues of misconduct, and provide a confidential and anonymous mechanism for stakeholders to report fraud without fear of retaliation. Be prepared to promptly review, assess, investigate and resolve reported issues. Set policies and train stakeholders on important policies related to organizational risk. Decide who will be notified about tips or incidents. 2005 Law Enforcement Contact Victims Did Not Notify Police 61% Police Notified But Report Was Not Made Police 9% Notified And Report Was Made 30% Beating the Thieves Install security software and stay current with the latest patches. Always be suspicious of unsolicited e-mail. Monitor the volume and origin of pop-up ads. A change may signal something sinister. Visit the FBI's new Web site, lookstoogoodtobetrue.gov, for tips. Use debit cards like credit cards, i.e., with a signature, not a PIN code. If you live in one of the 20 states where it's possible, place a freeze on credit reports. This stops any credit activity in your name unless you specifically initiate it. Keep an eye out for "skimmers" lurking in places where you use cards or keep customer credit information. Enable encryption on wireless routers immediately upon setting up a home or corporate network. Shop only on secure Web sites (look for the padlock or "https" in the address bar); use credit, not debit, cards; don't store your financial info in an "account" on the Web site. Be mindful of the insider threat! Identity Triad – Recommended personal credit review cycle. T-1 T-2 T-3 http://www.experian.com http://www.equifax.com http://www.transunion.com T-1 = January, February, March, April T-2 = May, June, July, August T-3 = September, October, November, December Monitor Your Credit Report Review and monitor your credit report! Visit www.annualcreditreport.com to obtain your free credit report Citi Credit Monitoring Service: http://www.creditmonitoring.citi.com Credit Expert: http://www.creditexpert.com Credit Manager: www.experian.com www.transunion.com www.equifax.com If you suspect you are a victim place a fraud alert on your credit report. Michael D. Peters MBA, CISSP Director of Security Services Lazarus Alliance Inc. About Michael Michael is a founding member of Lazarus Alliance Incorporated. He has more than 20 years of networking and system development experience. He is an MBA, CISSP and is certified in several products which include Sun Microsystems UNIX. More than 14 years of his experience has been devoted to information and network security for organizations from United States Defense, Healthcare, Software Development, Manufacturing, Transportation, Insurance, Communications, and Financial markets. Michael received his MBA in Information Technology Management from Western Governors University. He is the creator of "SafetyNET" which is a UNIX based intrusion prevention appliance suite available only from Lazarus Alliance. The innovator behind the Holistic Operational Readiness Security Evaluation (HORSE) project and Wiki. A contributing author to the Sun Microsystems BigAdmin community, Wikipedia, Snort.org, SANS.org, and The White Hat Encyclical. Michael D. Peters is currently the President of the Kentuckiana chapter of the Information Systems Security Association (ISSA) and WGU Alumni InfoSec Forum Moderator. Guest speaker on matters of security especially concerning compliance, auditing, investigation, and best practices for secure computing to various organizations, Public Radio, technical institutions, and in University classrooms. Lazarus Alliance Inc. Lazarus Alliance Incorporated offers professional services and products dealing exclusively in the areas of Security Architecture and Engineering, Compliance Auditing, Risk Assessments, Penetration Testing, Incident Response, Forensic Analysis, and Disaster Recovery. Delivering security with integrated products and expert services to ASSESS, PROTECT, EMPOWER and MANAGE business processes and information assets. The Lazarus Alliance professional security assessment auditor.s provide expert assistance to your organization in all areas of information protection and assurance. We are focused on helping companies in all industries improve their current security posture. Providing the compliance resources our clients require for ISO 17799, HIPAA, Sarbanes Oxley, Gramm-Leach-Bliley, and other legislation is the heart of the Lazarus Alliance security audit practice. The Lazarus Alliance research and development engineers have created world-class security solutions. Lazarus Alliance protects your digital assets and business processes. We offer the SafetyNET suite of Intrusion Prevention and Intrusion Detection appliances that are available only from Lazarus Alliance. Our customers benefit from personal attention, zero-day solutions, and ingenious security solutions. The Lazarus Alliance consulting service team empowers our clients with the expert knowledge our consultant's provide. The Lazarus Alliance consulting team provides more than security products and services, they provide value added expert level advice and information during the life cycle with our client's engagements and customer relationships. The Lazarus Alliance security service organization teams provides managed security services to our customers leveraging the expertise and knowledge of the Lazarus Alliance research and development engineers, the Lazarus Alliance security consultants, and security service team. www.lazarusalliance.com References www.consumer.gov www.bbbonline.org www.ic3.gov www.banktechnews.com http://www.fivecentnickel.com www.experian.com www.transunion.com www.equifax.com www.lazarusalliance.com http://www.lazarusalliance.com/horsewiki/ http://www.ftc.gov/privacy/ http://www.issa-kentuckiana.org http://issa-kentuckiana.org/infosec/2006/