Computer Fraud and Identity Theft
November 24, 2009
A Presentation by: John R. Robles, CISA, CISM
www.johnrrobles.com
Association of Certified Fraud Examiners, Puerto Rico Chapter
Agenda
• Identity Theft: A New Frontier For Hackers and Cybercrime
• Identity Theft Federal Regulations: FFIEC Financial Institution Letters
• Identity Theft and Corporations' Due Diligence
• What Every IT Auditor Should Know About Identity Theft
• The Business Model for Information Security
Identity Theft: A New Frontier For Hackers and Cybercrime
Internet Identity Theft
• You are identified by ones and zeroes in a computer (digital data), not by a person or a photo
• Anyone can claim to be you unless strong authentication techniques are in place
Definition
• Identity theft can be defined as the use of information about a person, obtained from the Internet, for the purpose of identifying oneself as that person in order to take illegal actions
Identity Theft: A New Frontier For Hackers and Cybercrime
Why It Happens
• Commit frauds directly
• Sell the data to others so they can commit frauds
• Obtain economic information and spy on bank accounts
• Open new credit positions
• Generate new forms of illegality
There is no limit to the criminal mind!
Identity Theft: A New Frontier For Hackers and Cybercrime
How It Happens: Threats and Techniques Used to Collect Personal Information
• Get the data of many people at once through a corporate database
• Or, individually, by making people hand over the information via phishing (fraudulent emails and bogus web sites)
• Stealing ID documents, credit cards, personal information, passwords and PINs
• Disgruntled employees who know the insides of the system
• Unsecured wireless media (Wi-Fi, Bluetooth, etc.)
• Facebook, MySpace, and other social media
• Social engineering (calling people and trying to get personal information)
Identity Theft: A New Frontier For Hackers and Cybercrime
How It Happens (continued)
• Theft of correspondence
• Intercepting emails
• Intercepting data in transit
• Penetrating the computer with special programs (malware, spyware, etc.)
• Obtaining information from the workplace
• Purchasing personal data from illegal data banks
• Personal identifying data and banking information, which are often stored on the computer
• Phishing
Identity Theft: A New Frontier For Hackers and Cybercrime
How Identity Thieves Use Victims' Personal Information
• Open bank accounts with the victim's identifying data
• Withdraw money from the victim's bank accounts
• Charge purchases to the victim's credit cards
• Victims face a hard battle to recover their good name and reconstruct their economic standing
Identity Theft: A New Frontier For Hackers and Cybercrime
Reducing the Risk of Becoming a Victim
• Limit the personal information carried in purses, wallets, pockets, etc.
• Do not supply information in response to an unsolicited request
• Know the people to whom you are giving personal information on the Internet
• Make online purchases only from known companies
• Regularly verify credit card and bank statements
• Before getting rid of a computer, destroy all personal data on it
• Encrypt the data on the computer
Identity Theft Federal Regulations
FFIEC Financial Institution Letters
• Institutions must have an Identity Theft Prevention Program
• Reasonable policies, procedures, and practices
• Management must approve, oversee, and update the program
Enforcement
• Cease and desist order
• Order directing compliance with information security standards
• Enforcement actions related to employees
FFIEC Financial Institution Letters

Name | Date | Number
Security Standards for Customer Information (based on the Gramm-Leach-Bliley Act of 1999) | March 14, 2001 | FIL-22-2001
Final Guidance on Response Programs: Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (Notification to Customers of Information Breach) | April 1, 2005 | FIL-27-2005
Identity Theft: FDIC's Supervisory Policy on Identity Theft | April 11, 2007 | FIL-32-2007
Identity Theft Red Flags: Interagency Final Regulation and Guidelines | November 15, 2007 | FIL-100-2007
Identity Theft Red Flags, Address Discrepancies, and Changes of Address Regulations: Examination Procedures | October 16, 2008 | FIL-105-2008
Identity Theft Red Flags, Address Discrepancies, and Change of Address Regulations: Frequently Asked Questions | June 11, 2009 | FIL-30-2009
Identity Theft Federal Regulations
Identity Theft Prevention Program
• "Covered Account": a relationship between a person and a financial institution or creditor, primarily for personal, family, or household purposes
• Identify ID theft red flags (patterns, practices, and activities that indicate possible ID theft):
  • Alerts, notifications, and warnings from a credit reporting company
  • Suspicious documents
  • Suspicious personal identifying information
  • Suspicious account activity
  • Notice from other sources
Identity Theft Federal Regulations
Detect ID theft red flags
• During the opening of new accounts or changes to existing accounts
• During verification and authentication
• By telephone, mail, Internet, or wireless system
Respond to ID theft red flags (prevent and mitigate)
• Monitor accounts
• Contact the customer
• Change passwords and security codes
• Close an account
• Do not open a new account
• Notify law enforcement
• Determine that no response is necessary
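The slides list the red-flag categories an institution must identify, the points at which they should be detected (account opening, changes to existing accounts) and the responses the program should map them to. The following is an added illustration, not part of the presentation and not any institution's production logic: a small rule engine that walks a constructed stream of account events in time order and raises one flag per red flag it recognises, paired with a response from the slide's list. The event format, the four rules, the 30-day window and the response mapping are all assumptions made for the example; real programs derive their rules from the institution's own risk assessment.

```python
from datetime import datetime, timedelta

# Constructed sample event stream (hypothetical data, not from any real institution).
# Each event carries an ISO-8601 timestamp, an event type and the account it concerns.
EVENTS = [
    {"ts": "2009-10-01T09:00:00", "type": "open_account", "account": "A1",
     "name": "Ana Rivera", "ssn": "123-45-6789", "address": "10 Main St"},
    # Same SSN presented under a different name at a second account opening.
    {"ts": "2009-10-02T10:00:00", "type": "open_account", "account": "A2",
     "name": "Luis Ortiz", "ssn": "123-45-6789", "address": "PO Box 77"},
    # Alert received from a credit reporting company (e.g. a fraud alert on the file).
    {"ts": "2009-10-05T11:00:00", "type": "credit_bureau_alert", "account": "A1",
     "alert": "fraud_alert"},
    # Address change followed two days later by a request for a replacement card.
    {"ts": "2009-10-10T12:00:00", "type": "change_address", "account": "A1",
     "address": "99 Other Ave"},
    {"ts": "2009-10-12T13:00:00", "type": "request_new_card", "account": "A1"},
    # Address change followed by a card request 80 days later: outside the window, no flag.
    {"ts": "2009-09-01T08:00:00", "type": "change_address", "account": "A3",
     "address": "5 Elm St"},
    {"ts": "2009-11-20T14:00:00", "type": "request_new_card", "account": "A3"},
    # Notice from another source (the customer reports identity theft).
    {"ts": "2009-10-20T15:00:00", "type": "notice", "account": "A4",
     "source": "customer report of identity theft"},
    # Card request with no prior address change: no flag.
    {"ts": "2009-11-25T16:00:00", "type": "request_new_card", "account": "A5"},
]

# Assumed threshold: a new-card request this soon after an address change is suspicious.
CARD_AFTER_ADDRESS_CHANGE = timedelta(days=30)

# Assumed mapping from red-flag category to a response drawn from the slide's list.
RESPONSES = {
    "Credit Reporting Company Alert": "contact the customer; monitor the account",
    "Suspicious Personal Identifying Information": "do not open the account until identity is verified",
    "Suspicious Account Activity": "contact the customer at the prior address; hold the card shipment",
    "Notice From Other Sources": "close the account; notify law enforcement",
}


def detect_red_flags(events):
    """Walk events in timestamp order and return (account, category, detail, response) tuples.

    State kept across events: the name first presented with each SSN, and the time of the
    most recent address change per account.
    """
    flags = []
    ssn_to_name = {}
    last_address_change = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct, kind = ev["account"], ev["type"]
        if kind == "open_account":
            # Detection at account opening: an SSN already on file under another name.
            seen = ssn_to_name.setdefault(ev["ssn"], ev["name"])
            if seen != ev["name"]:
                flags.append((acct, "Suspicious Personal Identifying Information",
                              f"SSN on file for '{seen}' presented by '{ev['name']}'"))
        elif kind == "credit_bureau_alert":
            flags.append((acct, "Credit Reporting Company Alert", ev["alert"]))
        elif kind == "change_address":
            # Detection at changes to existing accounts: remember when the address changed.
            last_address_change[acct] = ts
        elif kind == "request_new_card":
            changed = last_address_change.get(acct)
            if changed is not None and ts - changed <= CARD_AFTER_ADDRESS_CHANGE:
                days = (ts - changed).days
                flags.append((acct, "Suspicious Account Activity",
                              f"new card requested {days} days after address change"))
        elif kind == "notice":
            flags.append((acct, "Notice From Other Sources", ev["source"]))
    return [(a, c, d, RESPONSES[c]) for a, c, d in flags]


if __name__ == "__main__":
    for account, category, detail, response in detect_red_flags(EVENTS):
        print(f"{account}: {category} ({detail}) -> {response}")
```

The rules are deliberately stateful: the SSN rule only fires on the second presentation, and the card-request rule needs the earlier address change, which is why events are sorted by timestamp before evaluation rather than evaluated as they arrive out of order. A real program would also record the "determine that no response is necessary" outcome for events that were reviewed and cleared, so that the review itself is auditable.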
Identity Theft Federal Regulations
Update the program
• Technology changes
• Thieves change tactics
• Keep the program current with identity theft risks
Identity Theft and Corporations' Due Diligence
Business Implications
• Consider the outcome of negative and embarrassing information
• Legal and regulatory concerns
• Loss of confidence in the company
• Loss of credibility and business to a competitor
• Loss in share price
Identity Theft and Corporations' Due Diligence
Steps Toward Prevention
• Shred, shred, shred
• Storage media no longer needed must be properly disposed of
• Implement preventive and detective controls
• Limit access to information
• Classify data (identify personal information)
• Risk assessment
• Take appropriate measures to reduce the risk of fraud through ID theft
What Every IT Auditor Should Know About Identity Theft
Be Aware of Regulations and Public Policy
• Federal laws and regulations: HIPAA, Gramm-Leach-Bliley Act, Red Flags, etc.
• State laws and regulations concerning privacy of information
Concerns and Controls
• Perform a risk assessment
• Research and implement appropriate prevention techniques, tools, and policies
• Ensure there is a recovery plan in case data is destroyed
• Establish an incident response plan
Systems Thinking
• How systems interact within the company
• How information security relates to the company
• Creativity and planning, not reactivity
• Plan for security; do not merely react to threats
The Intentional Information Security Culture
• Awareness campaigns: security awareness activities and educational sessions; training that shows security's importance to the company
• Cross-functional teams: an Information Security Steering Committee
• Management commitment: senior management and the board of directors
The Intentional Information Security Culture
Alignment of Information Security and business objectives
A risk-based approach
Balance among organization, people, process and technology
Allowance for the convergence of security strategies
Elements
Organization Design and Strategy
People
Process
Technology
Dynamic Interconnections
Dynamic Interactions
Governing
Culture
Enabling and Support
Emergence
Human factors
Architecture
Current and Future Issues
Regulatory Requirements
Globalization
Growth and Scalability
Organizational Synergies
Evolving Technology
Current and Future Issues
Economic Markets
Human Resources
Competition
Ever-changing Threats
Innovation
What's Next
Shifting From Functional to Intentional Security Culture
Move Technology
From:
• Unsure about the level of security the technology provides.
• Seeing security-related technology as disruptive and cumbersome to use.
To:
• Technology used is based on an assessment of the risk.
• Seeing new security technology as a means to enhance the sales process.
What's Next
Shifting From Functional to Intentional Security Culture
Move Process
From:
• Security brought in only when there is a suspected breach.
• Security keeps its expert knowledge to itself.
To:
• Security involved in the earliest planning phases of campaigns.
• Security shares its knowledge and expertise, developing broader security awareness across the enterprise.
What's Next
Shifting From Functional to Intentional Security Culture
Move People
From:
• Security as an entity that enforces compliance.
• Security as a functional expert.
To:
• Security as a partner that creates awareness and commitment.
• Security as a partner that transfers security knowledge and expertise to its sales customers.
What's Next
Shifting From Functional to Intentional Security Culture
Move Enterprise
From:
• Limited visibility or awareness of security issues.
• Security structure focused on technical expertise.
To:
• Receiving regular updates about potential risk.
• Security structure supports the processes of its customers.