Fraud awareness for companies and their employees, covering legal aspects of securing confidential information, social engineering techniques, and what to look for in suspect emails.
A Global Reach with a Local Perspective
www.decosimo.com
Fraud Awareness-What You and Your Employees Really Need to Know
Pam Mantone, CPA, CFF, CFE, CITP, FCPA, CGMA
Senior Manager pammantone@decosimo.com 423-756-7100
The contents and opinions contained in this presentation are my opinions and do not reflect the representations and opinions of Decosimo.
OPSEC
• Military term meaning Operational Security
• Analytic process used to deny an adversary information
• Risk assessment tool
• Examines day-to-day activities
• Controls information
• Universal concepts, equally applicable to individuals and businesses in general
• Identifies security risks; applied in any environment
OPSEC is not:
• A strict set of rules and procedures
• An expensive and time-consuming process
• Used only by the government or military
• Loss of customer trust and business
• Possible lawsuits
• Legal issues:
  • Gramm-Leach-Bliley Act
  • Fair Credit Reporting Act
  • Federal Trade Commission Act
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Family Educational Rights and Privacy Act
  • Driver's Privacy Protection Act
  • Privacy laws
  • State laws
Fair Credit Reporting Act (FCRA)
• Covers "consumer report information": personal and credit characteristics, character, and general reputation
• Must be prepared by a consumer reporting agency
• Examples: consumer reports in background checks of employees; customer credit histories
• Requires businesses that have information covered by the FCRA to take reasonable measures when disposing of the information
• Businesses that collect consumer credit information, credit reports, or employee background histories should ensure compliance
Fair and Accurate Credit Transactions Act (FACTA), an amendment to the FCRA
• Free credit report once every 12 months
• Limitation on printing credit card numbers
• Red Flags Rule: identity theft program; must respond to notices of discrepancies; must assess the validity of a change of address on issuers of debit and credit cards
• Regulations apply to all businesses that have "covered accounts," defined as any account for which there is a foreseeable risk of identity theft
• Fraud alerts required
• Summary of rights of identity theft victims
• Blocking of information resulting from identity theft
• Coordination of identity theft complaint investigations
Gramm-Leach-Bliley Act (GLBA)
• Applies to "financial institutions," broadly defined as any business engaged in a wide range of financial activities: car dealers, tax preparers, courier services in some cases, and financial institutions not regulated by other agencies
• Requires businesses to have reasonable policies and procedures to ensure the security and confidentiality of customer information
Federal Trade Commission Act
• Prohibits deceptive or unfair trade practices
• Businesses must handle consumer information in a way that is consistent with their promises to their customers
• Must avoid data security practices that create an unreasonable risk of harm to consumer data
Health Insurance Portability and Accountability Act (HIPAA)
• Regulates the use and disclosure of protected health information
• Generally limits release of information to the minimum reasonably needed for the purpose of the disclosure
• Enables patients to find out how their information may be used and what disclosures have been made
Note: Medical record data is currently worth more on the black market than social security numbers, credit card information, etc.
THE GOING RATE
• Medical records: $50
• Social Security numbers: $3
• Credit card information: $1.50
• Date of birth: $3
• Mother's maiden name: $6
• Bank account numbers: $100 - $500, depending upon account balance
Source: veriphyr.com
Bottom line: companies must develop and maintain reasonable procedures to protect sensitive information
Know the threat
Know what to protect
Know how to protect
Adversary – the Bad Guy
Terrorist groups
Criminals
Organized crime
Hackers/Crackers
Insider threats – generally more costly and often overlooked
“Q: What is the percentage of insider vs external attacks? Can Dawn share empirical evidence that the number of security incidents related to insiders is increasing or is the evidence anecdotal?”
"Dawn: We ask those questions in our survey every year. We have been doing our survey for seven years and every year consistently it has shown insiders to outsiders at around 1/3 insiders and 2/3 outsiders, but don't forget, most (67%) say that insider attacks are more costly. This year the numbers actually changed for the first time. Insider attacks dropped down to approximately 27%."
from Combat Insider Threat: Proven Strategies from CERT; Dawn Cappelli, Technical Manager of CERT's Enterprise Threat and Vulnerability Management Team at Carnegie Mellon University's Software Engineering Institute
Possible economic gains
Possible political gains
Advantage in global markets
Self-Interest
Revenge
External pressure
This is quite simple – sensitive information
• Personnel information
• Customer information
• Intellectual property
• Company-generated internal reports
• Financial information
• Medical information
• ...and the list goes on
If you are not sure – then be conservative – “loose lips sink ships”
• Know what personal information you have in your files and on computers
• Keep only what you need for your business
• Protect the information that you want to keep
• Properly dispose of what you no longer need
• Create a plan to respond to security incidents
• Periodic employee awareness training
• If you don't have the time or expertise in-house, use a trusted advisor to assess the current posture of the business and develop a sound security plan
Understand common social engineering techniques
Social engineering is defined as the manipulation of the natural human tendency to trust: the art and science of getting people to do what you want them to do.
"A social engineer is a hacker who uses brains instead of computer brawn. Hackers call and pretend to be customers who have lost their passwords or show up at a site and simply wait for someone to hold a door open for them. Other forms of social engineering are not so obvious. Hackers have been known to create phony websites, sweepstakes or questionnaires that ask users to enter a password." – Karen J. Bannan, Internet World, January 1, 2001
Information gathering
Developing a relationship
Execution
Exploitation
Shoulder surfing
• Looking over one's shoulder
Dumpster diving
• Checking out the trash
Mail-outs
• Surveys
Baiting
• Exploits curiosity
• Deliberately leaving an item for discovery and use
Phishing
• Convincing victims to supply sensitive information
• Fairly basic and very widely used
• Phisher often purchases a domain that is designed to imitate an official resource
Vishing
• Direct call requesting "security verification"
• Email with instructions to call a telephone number to verify account information before access is granted
• Fake interactive techniques such as "press 1"
• Call that tries to convince the target to purchase or install software
Tailgating
• Gaining access to a restricted area by following someone
• Preys on common courtesy
"Quid pro quo"
• Something for something
• Often used against office workers
• Attacker pretends to be a "tech support employee returning a call" until he or she finds someone in genuine need of support, then extracts other information or requests software downloads
"Diversion theft"
• Common technique used to convince couriers that a delivery is to be received elsewhere
Impersonation
Name dropping
Aggression
Conformity
Friendliness
Impersonation
• Repairman
• Helpdesk tech
• Trusted third party
Name dropping
• Using names of people from your company to make you believe they know you and gain your trust
Aggression
• Intimidation by threatening to escalate to a manager or executive if you do not provide the requested information
Conformity
• "Everyone else has provided the information so it's fine for you to provide the same."
• Moves responsibility away from the target
• Avoids the feeling of guilt
Friendliness
• Contact over a period of time with the intent of building up a rapport, so that by the time the attacker asks for sensitive information, trust has already been developed
• Communication on a personal level removes the realization that pressure is being applied to supply information
Increased compliance if:
• Attacker avoids conflict by using a consultative approach
• Attacker develops and builds a relationship through previous dealings so victim will probably comply with a large request when having previously complied with a smaller one.
• Attacker is able to appeal to the victim’s senses thus building a better relationship by appearing to be “human” rather than a voice or an email message
• Attacker has a quick mind and is willing to compromise
RECOGNIZE THE SIGNS
Unsolicited requests for sensitive information
Content appears genuine
Disguised hyperlinks and sender address
Consists of a clickable image
Generic greetings
Use various tricks to entice recipients to click:
• Customer account details need to be updated due to a software or security upgrade
• Customer account may be terminated if account details are not provided within a specific time frame
• Suspect or fraudulent activity involving the user's account has been detected and the user must provide information
• Routine or random security procedures require the user to verify his or her account by providing the requested information
Spelling and bad grammar
Links in emails
Threats
Spoofing popular websites or companies
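Several of the signs above can be checked mechanically before a human ever reads the message. What follows is an added example, not part of the presentation and not Decosimo's code: a small Python script that applies the listed signs (a Reply-To domain that differs from the sender, a sender outside the expected brand domains, pressure language, a generic greeting, a clickable image used as a link, link text that shows one domain while the target is another) together with the lookalike-domain trick from the phishing slide, to a constructed sample message. Every address, domain and URL in it is made up; TRUSTED_DOMAINS, the HOMOGLYPHS substitution table and the 0.8 similarity threshold are assumptions chosen for the demo, and registrable() is a crude stand-in for a proper Public Suffix List lookup.

```python
# Added example (not from the presentation): heuristic checks for the phishing
# signs listed above, run on a constructed sample. All addresses, domains and URLs
# are made up; TRUSTED_DOMAINS, HOMOGLYPHS and the 0.8 threshold are demo assumptions.
import difflib
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: lookalike sender, mismatched Reply-To, disguised link, image link.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank-secure.com>
Reply-To: support@mail-verify-now.net
Subject: URGENT: Your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Suspicious activity was detected. Verify your account immediately or it will be terminated.</p>
<p><a href="http://login.examp1e-bank.com/verify">https://www.example-bank.com/secure</a></p>
<p><a href="http://192.0.2.10/update"><img src="cid:button" alt="Update now"></a></p>
</body></html>
"""

TRUSTED_DOMAINS = {"example-bank.com"}  # assumption: brands this mailbox expects mail from
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})  # digit-for-letter swaps
PRESSURE = ("urgent", "immediately", "suspended", "terminated", "within 24 hours")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "valued customer")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text, wraps_image) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text, self._img = [], None, [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text, self._img = dict(attrs).get("href"), [], False
        elif tag == "img" and self._href is not None:
            self._img = True  # link body is an image, not text
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip(), self._img))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels); production code should use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_of(host):
    """Trusted domain that host imitates via homoglyphs or near-identical spelling, else None."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    norm = reg.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or difflib.SequenceMatcher(None, reg, trusted).ratio() >= 0.8:
            return trusted
    return None


def addr_domain(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    m = re.search(r"@([\w.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else ""


def analyze(raw_message):
    """Return (code, detail) findings for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender, reply_to = addr_domain(msg["From"]), addr_domain(msg["Reply-To"])
    if reply_to and registrable(reply_to) != registrable(sender):
        findings.append(("reply_to_mismatch", f"from {sender}, replies go to {reply_to}"))
    if sender and registrable(sender) not in TRUSTED_DOMAINS:
        findings.append(("untrusted_sender", sender))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [w for w in PRESSURE if w in text]
    if hits:
        findings.append(("pressure", ", ".join(hits)))
    greeting = next((g for g in GENERIC_GREETINGS if g in text), None)
    if greeting:
        findings.append(("generic_greeting", greeting))
    parser = LinkExtractor()
    parser.feed(html)
    for href, shown, wraps_image in parser.links:
        host = urlparse(href).hostname or ""
        if wraps_image:
            findings.append(("image_link", href))
        shown_host = urlparse(shown).hostname if shown.startswith(("http://", "https://")) else ""
        if shown_host and registrable(shown_host) != registrable(host):
            findings.append(("disguised_link", f"text shows {shown_host}, target is {host}"))
        if host and lookalike_of(host):
            findings.append(("lookalike_link", f"{host} imitates {lookalike_of(host)}"))
        elif host and registrable(host) not in TRUSTED_DOMAINS:
            findings.append(("untrusted_link", host))
    return findings
```

analyze(SAMPLE_EMAIL) returns findings such as reply_to_mismatch, disguised_link (the link text shows www.example-bank.com while the target is login.examp1e-bank.com) and lookalike_link (the digit 1 standing in for the letter l); a plain-text note from a trusted domain with no links returns an empty list. These are triage heuristics, not a verdict: a carefully built phish can avoid all of them, which is why the human questions in this section still matter.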
Why am I being asked for this information?
Is it usual to be asked for this sort of information in this format?
Is the request coming from a known source?
What consequences might come from misusing the information that I have been asked to provide?
Is there pressure to take action now?
SOURCES
Federal Trade Commission, BCP Business Center, www.ftc.gov
OSPA, www.opsecprofessionals.org
Cornell University IT: Phish Bowl, www.it.cornell.edu/security/safety/phishbowl.cfm
"Protect your business by understanding common social engineering techniques," Google Small Business Blog, http://googlesmb.blogspot.com/2012/04/protect-your-business-by-understanding.html
Microsoft, www.microsoft.com/security/online-privacy/phishing-symptoms.aspx
[Annotated phishing email samples; the screenshots are not reproduced here. Red flags marked on the samples:]
• Grammar, spacing and capitalization errors, e.g. a period with no space and no capital letter starting the next sentence, "Windows" mis-capitalized, "link below"
• Embedded links
• Threats that immediate action is required
• Spelling errors
• A claimed violation of a company policy that is also a violation of law
• Windows Defender named in the lure (it is a legitimate program, which does not make the email legitimate)
• Reminder purportedly from LinkedIn; LinkedIn does not send reminders
• Convincing website impersonation
• Imposed threat requiring immediate action; no Section 765 in the bylaws; the AICPA does not regulate CPA status
• Generic greeting
• Zip file attachment with embedded malware
• Ticket number that does not exist