ID Theft and Data Breach Mitigation
Jeremy Gilbert, GCFE, GASF, EnCE, CPA
IT Advisory

Agenda
- Consumer ID theft issues
- Data breach trends
- Laws and regulations
- Assessing and mitigating your risk

Consumer Identity Theft Issues

Consumer ID Theft Statistics
- ID theft up 16% in 2016 [1]
- In 2014, the IRS paid $5.8 billion in fraudulent refunds [2]
- Virginia: 56,000 PHI records stolen since 2016 [3]
Sources: [1] Federal Trade Commission; [2] Government Accountability Office; [3] US Department of Health and Human Services Office for Civil Rights

How to Respond to ID Theft
- File a police report
- File a complaint with the FTC
- File Form 14039 with the IRS
- Place a fraud alert on your credit report
- Consider a credit freeze
- Dispute fraudulent accounts
- Contact your creditors

How Your ID Is Stolen
- Personal carelessness
- External hackers
- Data breaches
  - Your information is for sale
- Social engineering
  - Targeting either you or someone you do business with

Social Engineering Example
- Fusion: Real Future, episode 8

The Price of Your Identity
Common prices for ID information:
- US Fullz: $30
- Health insurance credentials: $20
- Bank account with $75,000: less than $300
- Date of birth: $11
- Credit card account: $4 to $13
Source: Dell SecureWorks

Protecting Yourself
- Never re-use passwords
- Guard personal information
- Never re-use passwords
- Use multi-factor authentication
- Set account access PINs at phone and utility providers
- Never re-use passwords, seriously

Data Breach Trends

2015 Data Breaches
- Xoom: victim of a $31 million Business Email Compromise (BEC)

Recent Data Breaches
- Anthem and Premera breaches: 80 million and 11 million PHI records
- US Office of Personnel Management: 21 million victims
- Ashley Madison
- Equifax: 143 million customers

Breach Methods
- Phishing and spear phishing attacks: 13% of users will click on links in phishing emails [1]
- Stolen, weak, or default credentials: used in 63% of breaches [1]
Source: [1] Verizon 2016 Data Breach Investigations Report

Breach Methods
- Web app attacks
  - Attacks against existing pages
  - Hacking servers to host malicious pages
- Point of sale intrusions and card skimmers
  - Used to scrape credit card data
  - Target, Home Depot, Hilton Worldwide
- Insider attacks

Breach Methods
- Mistakes
  - Accidental misdelivery
- Physical theft
- Malware
  - Malvertising
- Deliberate cyber attack
  - Industrial espionage

Cost of a Breach
Average breach cost: [1]
- Small businesses: $86,500
- Large businesses: $861,000
Notable exceptions:
- Anthem Healthcare: $5.55 million fine
- Cost of the Target breach: $252 million
- Equifax 2017 breach: estimated $300 million to $4 billion
Source: [1] Kaspersky Labs survey

Laws and Regulations

Careful With the Word "Breach"
- "Breach" has a legal meaning
- It suggests you may have legal liability
- Security teams should use "security incident" until it is determined that a breach has occurred

Federal Laws and National Regulations
- HIPAA-HITECH: healthcare data (PHI)
- FTC Red Flags Rule: applies to financial institutions
- PCI-DSS: payment cards
- FISMA: applies to federal contractors

State Laws
- 48 different state laws
- All vary in timing, method, and extent of notice required
- Virginia: if a breach of PII is identified, you must notify the Virginia Attorney General and all affected Virginia residents

Assessing and Mitigating Your Risk

Assessing Your Risk
- 77% of businesses have suffered some form of data loss [1]
- A matter of when, not if
- Higher risk if you handle:
  - Financial information
  - Healthcare data
Source: [1] Kaspersky Labs survey

Information Security Lifestyle

Security Process: Identify
- Assess your IT environment and understand the nature of your data
- Understand industry and regulatory compliance requirements
- Perform an information security risk assessment

Protect the Environment
- Implement controls based upon the security risk assessment:
  - Physical
  - Technical
  - Administrative
- Assign roles and responsibilities for maintaining controls

Detect Incidents
- Monitoring and event logging functions
- Automated solutions where possible, but... tailor alerting to limit false positives!
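An added example, not part of the presentation, of what "automated detection, but tailored alerting" looks like in practice. It is a small detector for failed-login bursts, which is the logging-side counterpart of the "stolen, weak, or default credentials" breach method cited earlier. The log lines, host names and IP addresses are constructed samples in an sshd-like format; the threshold, time window and allowlist are the tuning knobs that keep a noisy rule from paging on a user who mistypes a password twice or on the organization's own vulnerability scanner.

```python
"""Failed-login burst detector over constructed syslog-style lines.

Illustrates the 'Detect Incidents' point: automate the alert, then tune it
(threshold, window, allowlist) so it does not fire on routine noise.
All log lines, hosts and addresses below are constructed samples.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical host and documentation-range IPs).
SAMPLE_LOG = """\
2017-10-02T08:00:01 host1 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
2017-10-02T08:00:02 host1 sshd[101]: Failed password for invalid user root from 203.0.113.5 port 51123 ssh2
2017-10-02T08:00:03 host1 sshd[101]: Failed password for invalid user test from 203.0.113.5 port 51124 ssh2
2017-10-02T08:00:04 host1 sshd[101]: Failed password for invalid user guest from 203.0.113.5 port 51125 ssh2
2017-10-02T08:00:05 host1 sshd[101]: Failed password for jsmith from 203.0.113.5 port 51126 ssh2
2017-10-02T08:00:06 host1 sshd[101]: Accepted password for jsmith from 203.0.113.5 port 51127 ssh2
2017-10-02T08:10:00 host1 sshd[102]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2017-10-02T08:10:30 host1 sshd[102]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2017-10-02T08:10:40 host1 sshd[102]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
2017-10-02T08:20:00 host1 sshd[103]: Failed password for invalid user scan from 192.0.2.9 port 30000 ssh2
2017-10-02T08:20:01 host1 sshd[103]: Failed password for invalid user scan from 192.0.2.9 port 30001 ssh2
2017-10-02T08:20:02 host1 sshd[103]: Failed password for invalid user scan from 192.0.2.9 port 30002 ssh2
2017-10-02T08:20:03 host1 sshd[103]: Failed password for invalid user scan from 192.0.2.9 port 30003 ssh2
2017-10-02T08:20:04 host1 sshd[103]: Failed password for invalid user scan from 192.0.2.9 port 30004 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Accepted password for X from IP" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Yield (timestamp, result, user, ip) for every line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect(log_text, threshold=5, window=timedelta(minutes=5), allowlist=frozenset()):
    """Return {ip: alert} for sources whose failed logins within `window`
    reach `threshold`. Sources on `allowlist` (e.g. an internal scanner)
    are skipped to suppress a known false positive. A successful login
    from an already-alerted source is escalated to high severity, since
    a burst followed by success is the signature of a guessed credential.
    """
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    alerts = {}
    for ts, result, user, ip in parse(log_text):
        if ip in allowlist:
            continue
        if result == "Failed":
            # Keep only failures inside the sliding window, then add this one.
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(
                    ip, {"severity": "medium", "failures": 0, "success_user": None}
                )
                alert["failures"] = len(recent)
        elif ip in alerts and alerts[ip]["success_user"] is None:
            alerts[ip]["severity"] = "high"
            alerts[ip]["success_user"] = user
    return alerts


if __name__ == "__main__":
    for ip, alert in detect(SAMPLE_LOG).items():
        print(ip, alert)
```

With the defaults, the sample log yields two alerts: 203.0.113.5 (five failures, then a successful login as jsmith, escalated to high) and 192.0.2.9 (five failures, medium). The two mistyped passwords from 198.51.100.7 stay below the threshold, which is the false positive a threshold of 2 would create; adding 192.0.2.9 to the allowlist removes the scanner noise while keeping the credential-guessing alert.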

Respond to Incidents
- Execution of the incident response plan
- Strong response capabilities can limit impact
- Understand specific reporting requirements and key contacts

Recover
- Recovery plans and activities to restore business services
- Recovery planning is key to organizational resilience
- Work with contracting officers and authorities

Additional Resources
- FTC Guide for Assisting Identity Theft Victims: https://www.consumer.ftc.gov/articles/pdf-0119-guide-assisting-id-theft-victims.pdf
- FTC Consumer ID Theft Guide: https://www.consumer.ftc.gov/articles/pdf-0009-taking-charge.pdf
- IdentityTheft.gov
- Experian Credit Freeze Procedures: https://www.experian.com/freeze/center.html
- Equifax Credit Freeze Procedures: https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
- TransUnion Credit Freeze Procedures: https://www.transunion.com/credit-freeze/place-credit-freeze
- TwoFactorAuth.org website: https://twofactorauth.org/

ID Theft and Data Breach Mitigation
Jeremy Gilbert, GCFE, GASF, EnCE, CPA
Manager, DHG IT Advisory
843-727-3251
