Presentation on theme: "Computer Fraud and Identity Theft November 24, 2009 A Presentation by: John R. Robles, CISA, CISM 787-647-3961 Puerto."— Presentation transcript:
Computer Fraud and Identity Theft November 24, 2009 A Presentation by: John R. Robles, CISA, CISM Puerto Rico Chapter Association of Certified Fraud Examiners Puerto Rico Chapter
2 Agenda zIdentity Theft: A New Frontier For Hackers and Cybercrime zIdentity Theft Federal Regulations zFFIEC - Financial Institution Letters zIdentity Theft and Corporations’ Due Diligence zWhat Every IT Auditor Should Know About Identity Theft zThe Business Model for Information Security
Puerto Rico Chapter 3 zInternet Identity Theft yYou are identified by ones and zeroes in a computer (digital data, not by a person or photo) yAnyone can say they are you without strong authentication techniques zDefinition yIdentity theft can be defined as the use of information about a person obtained from the Internet, with the purpose of identifying oneself as that person to take illegal actions Identity Theft: A New Frontier For Hackers and Cybercrime
Puerto Rico Chapter 4 zWhy It Happens yCommit frauds directly ySell the data to others so they can commit frauds yObtain economic information and spy on bank accounts yOpen new credit positions yGenerate new forms of illegality xThere is no limit to the criminal mind! Identity Theft: A New Frontier For Hackers and Cybercrime
Puerto Rico Chapter 5 zHow It Happens - Threats and Techniques Used to Collect Personal Information yGet the data of many people through a corporate database yOr, individually, by making people hand over the information, via phishing (fraudulent s and bogus web sites) yStealing ID documents, credit cards, personal informaiton, passwords and PINs yDisgruntled employees who know the insides of the system yUnsecured wireless media (Wi-Fi, Bluetooth, etc) yFacebook, MySpace, and other social media ySocial engineering (calling people and trying to get personal info) Identity Theft: A New Frontier For Hackers and Cybercrime
Puerto Rico Chapter 6 yTheft of correspondence yIntercepting s yIntercepting data in transit yPenetrating computer with special programs (malware, spyware, etc.) yObtaining information from the workplace yPurchasing personal data from illegal data banks yPersonal identifying data and banking information, which are often stored in the computer yPhishing Identity Theft: A New Frontier For Hackers and Cybercrime
Puerto Rico Chapter 7 zHow Identity Thieves Use Victims’ Personal Information yOpen bank accounts with victim’s identifying data yWithdrawing money from victim’s bank accounts yCharging purchases on the victim’s credit cards yHard battle to recovery good name to to reonstruct their economic good standing Identity Theft: A New Frontier For Hackers and Cybercrime
Puerto Rico Chapter 8 Identity Theft: A New Frontier For Hackers and Cybercrime zReducing the Risk of Becoming a Victim yLimit personal information in purses, wallets, pockets, etc. yDo not supply information to an unsolicited request yKnow the people to whom you are giving personal information on the Internet yMake online purchase from know companies yRegularly verify credit card and bank statements yBefore getting rid of a computer,destroy all personal data on it yEncrypt data on computer
Puerto Rico Chapter 9 Identity Theft Federal Regulations zFFIEC – Financial Institution Letters zInstitutions must have an Identity Theft Prevention Program zReasonable Policies, Procedures, and Practices zManagement Must Approve, Oversee, and Update the Program zEnforcement yCease and desist order yOrder directing compliance with information security standards yEnforcement actions related to employees
Puerto Rico Chapter 10 FFIEC - Financial Institution Letters NameDateNumber Security Standards for Customers Information (based on Gramm-Leach-Bliley Act of 1999) March14, 2001FLI Final Guidance on Response Programs - Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (Notification to Customers of Information Breach) April 1, 2005FIL Identity Theft - FDIC’s Supervisor Policy on Identity Theft April 11, 2007FIL Identity Theft Red Flags Interagency - Final Regulation and Guidelines November 15, 2007 FIL Identity Theft Red Flags, Address Discrepancies, and Changes of Address Regulations – Examination Procedures October 16, 2008FIL Identity Theft Red Flags, Address Discrepancies, and Change : Frequently Asked Questions June 11, 2009FIL
Puerto Rico Chapter 11 Identity Theft Federal Regulations zIdentity Theft Prevention Program y“Covered Account” – Relationship between person and Financial institution or creditor primarily for persona, family, or household purposes zIdentify ID theft red flags (patterns, practices, and activities that indicate possible ID theft) yAlerts, Notifications, and Warnings from a Credit Reporting Company ySuspicious Documents ySuspicious Personal Identifying Information ySuspicious Account Activity yNotice from other sources
Puerto Rico Chapter 12 Identity Theft Federal Regulations zDetect ID theft red flags yDuring opening of New Accounts or changes to Existing Accounts yDuring verification and authentication yBy telephone, mail, Internet, or wirless system zRespond to ID Theft red flags (Prevent and Mitigate) yMonitor accounts yContact customer yChange passwords and security codes yClose an account yNot open a new account yNotifying law enforcement yDetermine that no response is necessary
Puerto Rico Chapter 13 Identity Theft Federal Regulations zUpdate the program yTechnology changes yThieves change tactics yKeep Program current with identity theft risks
Puerto Rico Chapter 14 Identity Theft and Corporations’ Due Diligence zBusiness Implications yConsider the outcome of negative and embarrassing information yLegal and regulatory concerns yLost of confidence in the company yLose credibility and business to a competitor yLose in share price
Puerto Rico Chapter 15 zSteps Toward Prevention yShred, shred, shred yStorage media no loner needed must be properly disposed yImplementation of preventive and detective controls yLimit access to information yClassifying data (identify personal information) yRisk Assessment yTake appropriate measures to reduce the risk of fraud through ID theft Identity Theft and Corporations’ Due Diligence
Puerto Rico Chapter 16 What Every IT Auditor Should Know About Identity Theft zBe Aware of Regulations and Public Policy yFederal laws and regulations xHIPAA, Grammm-Leach-Bliley Act, Red Flags, etc. yState laws and regulations concerning privacy of information zConcerns and Controls yPerform a Risk Assessment yResearch and implement appropriate prevention techniques, tools, and policies yEnsure there is a Recovery Plan is data is destroyed yEstablish an Incident Response Plan
Puerto Rico Chapter 17 The Business Model for Information Security
Puerto Rico Chapter 18 Systems Thinking zOr how systems interact in the company zHow does Information Security relate to the company zCreativity and planning not reactivity zPlan on security do not react to threats
Puerto Rico Chapter 19 The Intentional Information Security Culture zAwareness campaigns ySecurity Awareness activities and educational sessions yTraining to show security’s importance to the company zCross-functional teams yInformation Security Steering Committee zManagement commitment ySenior management and board of directors,
Puerto Rico Chapter 20 The Intentional Information Security Culture zAlignment of Information Security and business objectives zA risk-based approach zBalance among organization, people, process and technology zAllowance for the convergence of security strategies
Puerto Rico Chapter 21 The Business Model for Information Security
Puerto Rico Chapter 22 Elements zOrganization Design and Strategy zPeople zProcess zTechnology zDynamic Interconnections
Puerto Rico Chapter 23 Dynamic Interactions zGoverning zCulture zEnabling and Support zEmergence zHuman factors zArchitecture
Puerto Rico Chapter 24 Current and Future Issues zRegulatory Requirements zGlobalization zGrowth and Scalability zOrganizational Synergies zEvolving Technology
Puerto Rico Chapter 25 Current and Future Issues zEconomic Markets zHuman Resources zCompetition zEver-changing Threats zInnovation
Puerto Rico Chapter 26 What’s Next Shifting From Functional to Intentional Security Culture Move Technology FromTo Unsure about the level of security the technology provides. Seeing security-related technology as disruptive and cumbersome to use. Technology used is based on an assessment of the risk. Seeing new security technology as a mean to enhance the sales process.
Puerto Rico Chapter 27 What’s Next Shifting From Functional to Intentional Security Culture Move Process FromTo Security brought in when there is a suspected breach. Security maintains expert knowledge. Security involvement in the earliest planning phases of campaigns. Security shares its knowledge and expertise, developing broader security awareness across the enterprise.
Puerto Rico Chapter 28 What’s Next Shifting From Functional to Intentional Security Culture Move People FromTo Security as an entity that enforces compliance. Security as a functional expert. Security as a partner that creates awareness and commitment. Security as a partner that transfer security knowledge and expertise to its sales customers.
Puerto Rico Chapter 29 What’s Next Shifting From Functional to Intentional Security Culture Move Enterprise FromTo Limited visibility or awareness of security issues. Security structure focused on technical expertise. Receiving regular updates about potential risk. Security structure supports processes of its customers.