ID Theft and Data Breach Mitigation

Transcription

1 ID Theft and Data Breach Mitigation Jeremy Gilbert, GCFE, GASF, EnCE, CPA 1

2 Agenda Consumer ID theft issues Data breach trends Laws and regulations Assessing and mitigating your risk 2

3 Consumer Identity Theft Issues 3

4 Consumer ID Theft Statistics ID theft up 16% in In 2014, IRS paid $5.8 billion in fraudulent refunds 2 South Carolina: 750,000 PHI records stolen since million taxpayer records stolen in Federal Trade Commission 2 Government Accountability Office 3 US Department of Health and Human Services Office for Civil Rights 4

5 How to Respond to ID Theft File a police report File a complaint with the FTC File form with the IRS Place fraud alert on your credit report Consider a credit freeze Dispute fraudulent accounts Contact your creditors 5

6 How Your ID is Stolen Personal carelessness External hackers Data breaches Your information is for sale Social engineering Targeting either you or someone you do business with Social engineering example 6

7 Fusion: Real Future, episode 8

8 The Price of Your Identity Common prices for ID information: US Fullz - $30 Health Insurance Credentials - $20 Bank account with $75,000 - less than $300 Date of birth - $11 Credit card account - $4 to $13 Source: Dell SecureWorks 8

9 Protecting Yourself Never re-use passwords Guard personal information Never re-use passwords Use multi-factor authentication Set account access PINs at phone and utility providers Never re-use passwords, seriously 9

10 Data Breach Trends 10

11 2015 Data Breaches Xoom: Victim of $31 million Business Compromise (BEC) 11

12 2015 Data Breaches Anthem and Premara breaches 80 million and 11 million PHI records US Office of Personnel Management 21 million victims Ashley Madison T-Mobile breach 15 million users Rise of Malvertizing 12

13 Breach Methods Phishing and Spear Phishing attacks 13% of users will click on links in Phishing e- mails SC Department of Revenue started as a Spear Phishing attack Stolen, weak, or default credentials Used in 63% of breaches 1 Verizon 2016 Data Breach Investigations Report 13

14 Breach Methods Web app attacks Attacks against existing pages Hacking servers to host malicious pages Point of sale intrusions/card skimmers Used to scrape credit card data Target, Home Depot, Hilton Worldwide Insider attacks 14

15 Breach Methods Mistakes Accidental misdelivery Physical theft Malware Deliberate cyber attack Industrial espionage 15

16 Example Breaches From the US Department of Health and Human Services Office for Civil Rights: March 2016, Medical Management, LLC April 2012, Bruce G. Peller, DMD, PA , Central Dermatology Center February 2013, Alamance Caswell Hospice 16

17 Cost of a Breach Average breach cost: 1 Small businesses: $86,500 Large businesses: $861,000 Notable exceptions: Anthem Healthcare: $5.55 million fine Cost of Target breach: $252 million 1 Kaspersky Labs survey 17

18 Laws and Regulations 18

19 Careful With the Word Breach Breach has legal meaning Suggests you may have legal liability Security teams should use Security Incident until it s determined a breach has occurred 19

20 Federal Laws and National Regulations HIPPA-HITECH Healthcare data (PHI) FTC Red Flags Rule Applies to financial institutions PCI-DSS Payment cards FISMA Applies to federal contractors 20

21 State Laws 47 different state laws All vary in timing, method, and extent of notice required North Carolina notice must be clear and conspicuous and given without unreasonable delay Must include advice for affected people Can be in writing, electronic, or by phone 21

22 Assessing and Mitigating Your Risk 22

23 Assessing Your Risk 77% of business have suffered some form of data loss 1 Matter of when, not if Higher risk if you handle Financial information Healthcare data 1 Kaspersky Labs survey 23

24 Information Security Lifestyle 24

25 Security Process Identify Assess Your IT Environment and understand nature of your data Understand industry and regulatory compliance requirements Perform Information Security Risk Assessment 25

26 Protect the Environment Implement Controls Based Upon Security Risk Assessment Physical Technical Administrative Assign Roles & Responsibilities for Maintaining Controls 26

27 Detect Incidents Monitoring & Event Logging Functions Automated Solutions Where Possible, But.. Tailor Alerting to Limit False Positives! 27

28 Respond to Incidents Execution of Incident Response Plan Strong Response Capabilities Can Limit Impact Understand Specific Reporting Requirements and Key Contacts 28

29 Recover Recover Plans and Activities to Restore Business Services Recovery Planning Key to Organizational Resilience Work with Contracting Officers and Authorities 29

30 Additional Resources FTC Guide for Assisting Identity Theft Victims FTC Consumer ID Theft Guide IdentityTheft.gov Experian Credit Freeze Procedures Equifax Credit Freeze Procedures TransUnion Credit Freeze Procedures TwoFactorAuth.org website 30

31 Data Breach Prevention and Mitigation Jeremy Gilbert, GCFE, GASF, EnCE, CPA Manager, DHG