Cyber Fraud in 2016 Spring Accounting Expo Dan Ramey, CPA May 17, 2016

Transcription

1 Cyber Fraud in 2016 Spring Accounting Expo Dan Ramey, CPA May 17,

2 Dan Ramey, CPA/CFF/CITP/ABV, CFE, CVA, CIA/CRMA, CISA/CISM and CMA Dan is the president and founder of Houston Financial. Dan s professional certifications include: CPA/CFF/CITP/ABV, CFE, CVA, CIA/CRMA, CISA/CISM and CMA. He is the past president of the Houston Chapter of the Institute of Internal Auditors and formerly a member of the board of governors. Dan formerly served as chairman of the Houston CPA Society s Forensic and Valuation Committee for two terms and currently serves as Treasurer of the Houston InfraGard Chapter. He is also active in the Houston FENG Chapter where he was held several leadership roles. Dan is also a member of the University of Houston Bauer School of Business Accounting Advisory Board. He is an adjunct professor in the Graduate Accounting program at the University of Houston Bauer College of Business where he teaches graduate level fraud classes. Dan is also a frequent speaker to business and professional groups on fraud, internal audit, Committee of Sponsoring Organizations (COSO) 2013, valuation methodology, due diligence, third party risk management, and fraudulent financial reporting. Dan is a graduate of Baylor University with a degree in accounting and an executive MBA from Houston Baptist University. He is also a member of Second Baptist Church where he serves as a deacon. Houston Financial Houston Financial is a provider of professional services to corporations, nonprofits, and professional service firms in the areas of internal audit, fraud investigation, enterprise and IT risk assessment, fraud risk assessment, internal controls, forensic accounting, business valuation, litigation support, Sarbanes Oxley 404, internal audit department quality assessment reviews, third party risk management, and due diligence for mergers and acquisitions. Houston Financial Forensics is not a CPA firm. 2

3 Agenda What is Cyber Fraud Cyber Fraud in the News Impact of Cyber Fraud Best Practices and Protecting Your Data Cyber Security References Cyber Fraud 3

4 Cyber Fraud / Cyber Crime Any type of deliberate deception for unfair or unlawful gain that occurs online Cyber Fraud Statistics 7% of US organizations lost $1 million or more due to cybercrime incidents in 2013 Worldwide the average cost to a company for a data breach was $3.5 million in US $ Symantec discovered more than 430 million new and unique pieces of malware in 2015, up 36 percent from the year before 4

5 Categories of Cyber Crimes Computer Break Ins Phishing Attacks Malware / Ransonware Distributed Denial of Service Child Pornography Cyber Fraud Examples Hacking into personal accounts Hacking into corporate databases / information Breaking into competitor databases Various forms of internet theft and fraud Schemes / scams based on fake web sites Credit related thefts 5

6 Cyber Fraud Examples Piracy Advanced Fee Fraud Ransonware Identity Theft Hackers Hackers understand the intense complexity of the World Wide Web, which changes every day. They know the weaknesses of the common browsers, programming languages and operating systems that we all use. Modern cyber criminals might pretend to be a government agency, bank or trusted friend in order to gain access to your personal information. The Law Dictionary 6

7 Who Are the Hackers Nation States Hacktivists Organized Crime Syndicates Insiders 7 Most Expensive Words In Business 7

8 Personally Identifiable Information (PII) Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de anonymizing anonymous data can be considered PII. Sensitive PII Non Sensitive PII Non Sensitive PII Name Work and Personal Address Home and Work Addresses Business Phone Number Work and Personal Cell Phone Numbers 8

9 Sensitive PII Ethnicity / Race ID Number (Social Security / Passport) Employment History Date of Birth / Place of Birth Medical History / Medical Conditions Financial Accounts Drivers License Number Mother s Maiden Name Ransomware 9

10 Ransomware Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back. Some ransomware encrypts files (called Cryptolocker). Other ransomware use TOR to hide C&C communications (called CTB Locker). TrendMicro Ransomware Ransom $ in Bitcoin Businesses are prime target 35% increase during 2015 Target devices: PCs, smartphones, Mac, and Linux systems 10

11 Target Data Breach Target Data Breach Target booked $162 million of expenses Effected 70 million customers name, address, , and phone number 40 million credit and debit cards stolen Breach occurred between Nov 27 th and Dec 15 th, 2013 CEO terminated 11

12 Target Data Breach $200 million cost for credit unions and community banks to reissue 21.8 million cards $100 million expense Target will spend to upgrade payment system to Chip and PIN enabled cards $ median price range per card resold on the black market 1 3 million cards sold and used on the black market Target Data Breach 12

13 Paymetric Since the Target breach, there has been a major data breach discovered almost every month. Those breaches include Michaels Stores, Sally Beauty Supply, Neiman Marcus, AOL, ebay and P.F. Chang s Chinese Bistro A recent Ponemon Institute survey estimates 47 percent of all American adults have been affected by data breaches in the last year, with an estimated 432 online accounts being affected There were more than 600 reported data breaches in 2013., a 30 % increase over 2012 The retail industry was the number one target, with nearly 22 percent of network intrusions occurring at retailers, according to the Verizon 2013 Data Breach Investigation Report Cybercrime has cost the global economy $575 billion and the U.S. economy $100 billion annually, making the U.S. the hardest hit of any country, according to a report from Intel Security and the Center for Strategic and International Studies Data Breaches Category YTD Breaches Records 67.9 Million Million 2.5 Million Source: Privacy Rights Clearinghouse 13

14 Cyber Security Best Practices Mobile Devices Limit access to work materials on approved devices Used secured networks when accessing work materials on personal devices Protect access with passwords Cyber Security Best Practices Employee Theft Limit access to sensitive information on a need to know basis that s frequently re evaluated Monitor employee usage of sensitive information 14

15 Cyber Security Best Practices Malware and Phishing s Train employees not to click on phishing s or visit suspicious websites Filter access to harmful sites and s Cyber Security Best Practices Third party Vendors Ensure that subcontractors have vigorous data protection systems in place Provide for contractual wording that: Requires specific infrastructure protection Ability to audit prior to contract commencement date Ability to perform audits during the course of the contact Ability to immediately perform an audit when a breach is suspected 15

16 Cyber Security Best Practices Software and Hardware Establish controls to prevent unauthorized access to a organization s systems and data Encrypt data to protect it from unauthorized access Perform penetration testing (internal and external) periodically depending on sensitivity of data Keep data and systems backed up Keep security software current on all devices Cyber Security Best Practices National Cyber Security Awareness Month NCSAM 2016 Weekly Themes Week 1: October 3 7, 2016 General Cybersecurity with the Stop.Think.Connect. Campaign Week 2: October 10 14, 2016 Cyber in the Workplace Week 3: October 17 21, 2016 Cybercrime Week 4: October 24 28, 2016 Cyber and Cutting Edge Technology Week 5: October 31, 2016 Cyber and Critical Infrastructure 16

17 Passwords Passwords A recent study of 11 million passwords found that: 10.3% of users employ the 20 most popular passwords With fewer than 20 tries anyone can log in to roughly 1 out of 10 accounts Top password is and is so common that it makes up 4.1% of all passwords 17

18 Application Requirements for Password Password Recommendations Minimum Length Mobile devices 8 Networked computers 8 Admins and Privileged Accounts Password Difficulty Must contain 1 alphabetic, 1 numeric, and 1 symbol character Passphrases Never forgot that your wife s birthday is on October 23! Nftyw bioo23! 18

19 Passwordmeter.com Cyber Security and IT Risk Assessment Tools IIA GAIT (Guide to the Assessment of IT Risk t/ NIST Cyber Security Framework based on existing standards, guidelines, and practices 19

20 NIST Cyber Security Framework Tools Framework for Improving Critical Infrastructure Cybersecurity ecurity framework pdf Framework for Improving Critical Infrastructure Cybersecurity Roadmap ap pdf NIST Cyber Security Framework Tools Cybersecurity Framework Core XLS work for improving critical infrastructurecybersecurity core.xlsx Industry Tools industry resources.cfm 20

21 Questions 21

22 References 7 Encryption and Privacy Tips: matters/7 encryption and privacy tips 7eee81f3a309?sample_rate=0.1&snippet_name=561 4#.ng3w2v7qh List of Data Breaches: References DataBreach Today: Verizon Data Breach Report: lab/dbir/ Krebs on Security: 22

23 Referencs National Cyber Security Awareness Month: cyber securityawareness month Preparing For and Responding to a Computer Security Incident Mayer Brown Law: guidepreparing for a computer security incident/ Protiviti KnowledgeLeader Protiviti KnowlegeLeader is a repository of audit programs, checklists, tools, resources and best practices: US/Pages/KnowledgeLeader.aspx 23

24 References ISACA Knowledge Center: Center/Pages/default.aspx Ponemon Institute: InfraGard: References Protiviti Resource Guides: US/Pages/Resource Guides.aspx FBI Incidents of Ransomware on the Risk: 4/22/ransomware understanding the risk/ 24

25 References International Fraud Awareness Week: Third Week in November each year: Microsoft Ransonware Understanding the Risk: ansomware understanding the risk/ Microsoft Threat Intelligence Reports Ransomware: ansomware understanding the risk/ References How Secure is My Password: Password Meter: IC3 Internet Crime Complaint Center: 25

26 References ISACA Glossary IT Terminology: Privacy Rights Clearinghouse: Center for Internet Security: Dan Ramey Contact Information Contact Information Dan Ramey CPA/CFF/ABV/CITP, CVA, CIA/CRMA, CISA/CISM, CMA, CFE Houston Financial Cell: