This document discusses information technology security and fraud prevention. It begins by outlining the top IT security concerns, including data security, network security, and managing risk. It then examines specific threats like data breaches, hacking, and internal fraud. The document provides examples of major data incidents and their impacts. It emphasizes the importance of physical security, access controls, encryption, and policies/procedures to mitigate risks. Throughout, it stresses planning, governance, training, and incident response to help organizations strengthen their security posture.
IT Security Presentation - IIMC 2014 Conference
1. Information Technology Security:
Where are Your Problems?
Precision Plus, Inc.
Jeffrey T. Lemmermann, CPA, CITP, CISA, CEH
LemmermannJ@preplus.com
International Institute of Municipal Clerks
2014 Conference
May 17 - 22, 2014 – Milwaukee, WI
2. Information Security
Topping The Charts Everywhere!
AICPA 2013 Top 10 Technology Initiatives
1. Managing & retaining data (2)
2. Securing the IT environment (1)
3. Managing IT risk & compliance
4. Ensuring privacy
5. Managing system implementation (6)
6. Preventing & responding to fraud (9)
7. Enabling decision support & managing performance
8. Governing & managing IT investment/spending
9. Leveraging emerging technologies (6)
10. Managing vendors and service providers
Importance of Data Security
Regulations
HIPAA
GLBA / SOX 404
FACTA
Red Flag Rules
PCI Standards
Publicity
“No such thing as bad publicity
…except your own obituary.”
- Brendan Behan, Irish Dramatist
Damage to reputation.
Loss of consumer confidence.
Redirection of resources
SONY
77 Million User Accounts – 12 Million Unencrypted CC #s
Playstation Network Taken Down – Costs over $178 M
Fidelity Info Services
$13M Loss – Unauthorized Credit Card Activities
SEGA
1.3M subscribers: names, birth dates, e-mail addresses, and passwords
UW - Milwaukee
Names and SS #s of 75,000 Students and Staff
Regulation Changes
1. Electronic documents are treated the same as physical documents!
2. Requires organizations to know what data they have and in which format it exists.
3. Forensic Professionals on many sides of a case:
1. Recovering lost or unintentionally deleted items
2. Producing evidence that opponent said was not available
4. Handling of computer evidence
1. Preserve evidence
2. Maintain chain of custody
Changes to the Federal Rules of Civil Procedure
Enacted December 1, 2006
3. Where Is Your Data?
The Obvious
Network File/Data Servers
Laptop Computers
Backup Storage Media
The Obscure
Smartphones / Tablets
Portable Storage (USB Drives)
E-Mail Attachments
The Forgotten
Disposed Equipment – LEASED Equipment!
Proper Disposal Rules
“Disposal practices that are reasonable and
appropriate to prevent unauthorized access to –or
use of- information in a consumer report.”
Burn, pulverize, or shred papers so they cannot be reconstructed.
Destroy or erase electronic files or media so information cannot be read or reconstructed.
Conduct due diligence and hire a document destruction contractor.
Due diligence could include:
Reviewing contractor’s independent audit
Obtain information from several references
Require certification by recognized trade association
Review contractor’s information security policies or procedures
Hard Drive Data
Study of 2nd Hand Drives
O & O Company:
2004: 88% of Disks from EBay contained recoverable data.
2005: 71%
Edith Cowan University – Annual study of 2nd hand hard drives
2006: 48%
2007: 40%
2008: 38%
2009: 39%
2010:
2011:
2012: 47%
Type of recoverable data:
Internal company memos
Legal correspondence of governmental agency
Credit ratings (Bank owned hard drive)
File erasing Utilities
Eraser (Freeware - up to 35 overwrite passes)
Steganos Security Suite (up to 100 passes)
4. Hard Drive Data Worries
What About Smartphones?
Deleting Apps Might Not Delete Data
SD Card Storage
Data Stored By Service Providers
Tablet Computers – Same Issues as Smartphones
Solid State Drives (SSDs)
Traditional Disk Wiping Utilities Do Not Work
“Nearly impossible to completely delete data from SSDs”
Physical Destruction Highly Recommended
Newer SSDs – Deletion Utilities with Drives
Data Security
How can we keep our data safe?
Case Study: Open Records
How “open” do you mean?
5. Security Points
Five Key Points of Data Security:
Physical Security
Network Security
Application Security
External Security
Planning & Governance
Physical Security
Access to Equipment
Locked server room, mobile equipment logs
Theft Prevention Procedures
Cameras, user policies on mobile equipment
Separation of Duties
Ordering / Inventory separate from Installers
Hardware Inventory
Serial numbers, internal configurations, assignments
Network Security
Password Policies
Minimum characters, forced changes, complexity
No sticky notes!
Unattended Terminal Protection
Password protected screensavers, firm policies
Network File Structure Security
User site of files, annual review process!
Auditing Logs
Activate logging, review logs
Control of Backup Tapes
Physical security, password protection
6. Password Complexity Demo
Importance of non-dictionary passwords
Dictionaries now including numbers added to words
Alternate spelling meth0ds 1nclud3d
Importance of length
Ease of brute-force attacks
Flaw in some encryption methods
Importance of other characters
Adds to password possibilities
Helps to beat dictionary cracks
Password Recommendations
Secure Password Techniques:
Use modified pass phrases
4score&7yearsago
Let’sg0r3d
Connect words with modifier in middle
Milwaukeejtl07Bucks
Aries01thejtlram
Stick with constant formulas
Use secure password database managers
PC / PocketPC – KeePass (http://keepass.sourceforge.net)
Android – KeePass, LastPass, SplashId
iPhone / iPad – DataVault Password Manager (iTunes store)
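To make the demo's points concrete, here is an added checker (example code written for this page, not the presenter's) that undoes the tricks a cracking dictionary already knows about, appended digits and l33t spellings, and then estimates brute-force work from length and character classes. The wordlist and the 1e10 guesses-per-second rate are constructed assumptions.

```python
import math
import string

# Constructed stand-in for a cracking wordlist (real ones hold millions of
# entries). Attackers' lists already include "word + digits" and l33t
# spellings, so the checker undoes those before the lookup.
DICTIONARY = {"password", "welcome", "summer", "milwaukee", "bucks", "aries"}

# Substitutions a dictionary attack tries automatically (meth0ds, 1nclud3d ...)
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Assumed offline guessing rate used for the time estimate (constructed figure)
GUESSES_PER_SECOND = 1e10


def normalize(candidate: str) -> str:
    """Undo what a cracker undoes: trailing digits, l33t letters, case, punctuation."""
    word = candidate.rstrip(string.digits)              # "Summer2014" -> "Summer"
    word = word.translate(LEET_MAP).lower()             # "Passw0rd"   -> "password"
    return "".join(ch for ch in word if ch.isalnum())   # drop ', & and similar


def is_dictionary_word(candidate: str) -> bool:
    return normalize(candidate) in DICTIONARY


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attack must cover for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 32                                      # printable symbols, assumed
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the keyspace: every extra character multiplies the work."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw: str, min_length: int = 12) -> list:
    """Return the policy problems found; an empty list means the password passes."""
    problems = []
    if is_dictionary_word(pw):
        problems.append("dictionary word once digits/l33t spelling are undone")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if charset_size(pw) < 62:
        problems.append("fewer than three character classes")
    seconds = 2 ** brute_force_bits(pw) / GUESSES_PER_SECOND
    if seconds < 365 * 24 * 3600:
        problems.append(f"exhaustive search takes about {seconds / 3600:.1f} hours")
    return problems


if __name__ == "__main__":
    for candidate in ["Summer2014", "passw0rd", "4score&7yearsago", "Milwaukeejtl07Bucks"]:
        print(candidate, "->", assess(candidate) or "OK")
```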
Application Security
Key Application Security
Accounting, HR, or other sensitive data applications
Follow password standards of network
Segregation of duties / Reporting Controls
Anti-Virus Protection (Symantec, McAfee, etc.)
Server based, automatic updates of workstations
E-mail protection
Patch Maintenance
Windows Update Services
Employee Training
Dangerous Files, E-Mail Concerns, Web Surfing
Spyware Protection
7. Spyware – Detecting & Eliminating
Signs you have been infected:
Random “Security” Pop-up windows appear when browsing.
Normal home page has been replaced.
Drop in computer performance.
New search bars have appeared in web browser.
Removal help:
Cleaning Programs: ComboFix, SpyBot Search & Destroy
Monitoring & Prevention: SuperAntiSpyware, MS Defender
Other Tools:
Startup Inspector
Pop-up Blocker - Google
www.processlibrary.com
External Access Security
Cannot have without other elements!
Weakness in other areas can defeat the best external security.
Access method security (vpn, citrix, etc.)
Data Encryption
User Education
Activities to avoid
Popular methods of capturing data:
Shoulder surfing
Key logging / capturing programs
Packet sniffing
Wireless worries
Wireless Security
Control Access
Change Defaults!
Administrator Password
Network SSID
MAC Filtering
List of authorized wireless Ethernet cards
Minimize Access Points
Scan self for “rogue” access points
Heatmapper
WiFi Analyzer (Android Tool)
Control own equipment’s access
8. Wireless Security
Control Data - Encryption
WEP – Wired Equivalency Protocol
Set to highest level supported
WEP has deficiencies:
Both 40-bit and 128-bit keys have been hacked
Using it will still prevent or delay hacking attempts
WPA – Wi-Fi Protected Access (WPA2)
Subset of developing 802.11i Standard
Some devices updateable to support standard
Case Study: Wireless Risks
The “Cantenna” T.J. Maxx Breach
Planning & Governance
Align IT Goals with Business Goals
Does the IT Department work for you or run you?
Is IT Planning part of the overall strategic planning process?
Steering committee: department head involvement!
Must-Have Plans:
Disaster Recovery Business Continuity
Testing!
Involvement of all departments – what are their needs?
Incident Response Plan
Data disclosure events
Contact Requirements
9. Case Study: Incident Response Plans
Starting point: April, 2011
Type: Network Intrusion - External
Records affected: 101.6 million
Estimated costs: $171 million outlay
($1025 Million all considered*)
Affected entities: Sony Pictures, Sony
Corporation of America, Sony Online
Entertainment, Sony Play Station Network.
* - lost business, various compensation costs and new
investments—assuming that no additional security
problems emerge.
Sony – Breach Timeline
2009 – “geohot” announces intention to jailbreak PS3
March, 2010 – Sony removes functionality on PS3 to install another O/S (to block jailbreak effort)
January 2, 2011 – geohot (George Hotz) jailbreaks PS3 and publishes code online
January 11, 2011 – Sony sues geohot – seeks to stop
April 2, 2011 – Sony announces settlement
April 13, 2011 – Anonymous announces attack on Sony
“In the eyes of the law, the case is closed, for Anonymous it is just beginning… prepare for the biggest attack you have ever witnessed, Anonymous style.”
Sony – Breach Timeline
April 16 – Sony Online Entertainment (SOE)
25 million user details / 23 K credit/debit cards
April 17 – PlayStation Network
77 million user details
April 20 – Sony shuts down PlayStation Network
April 26 – Sony publicly discloses PlayStation breach
May 1 – Investigators discover SOE breach
May 2 – Sony publicly discloses SOE breach
“We are trying to fight criminal activities by corporations
and governments, not steal credit cards.”
10. Sony – Lesson 1
In the public eye - assume you are going to be a target
Was Sony right to go after geohot?
Doesn’t matter if you are in IT
If the effort is coordinated they will get in
Limit the attack surface
Only ask for and store necessary data from users
What really needs to be exposed to the Internet?
Sony – Lesson 2
PR Campaigns Matter
Minimize enemy creation
Response to hacking incident is critical to retention
People hate being lied to!
Contingency Plan Development
DDoS attacks are a form of disaster event
Practice recovering from them
Policies & Procedures
Policies in general:
Signature requirements acknowledgement
Redistribution of policy general availability
Centralize & minimize total number
Training opportunity on changes!
Important groupings:
Computer Use Policy
Internet Use
E-Mail Use
IT Security Policy
Confidentiality statements
Data handling and storage
Data retention & destruction
11. Policies & Procedures – Updating
The importance of reviewing and updating policies:
What happens when two worlds collide?
Can social media be used for public debate?
What rules are in place for posting information by the elected?
How can the use of social media be policed?
Sunshine Laws
Data Security
Updating our policies and procedures is a
critical part of the circle.
Knowing Our Enemies
Is that all there is to it?
FRAUD:
deceit, trickery, sharp practice, or breach of confidence,
perpetrated for profit or to gain some unfair or dishonest
advantage.
No functional network is impervious.
12. Internal Fraud
Fraud usually comes from within:
On average, 6% of an organization's revenue is lost to internal fraud.
Small company loss - $127,500 per incident
Large company loss - $97,000 per incident
Schemes involving non-cash assets are more costly
Men out-steal women $200,000 to $60,000 per incident
Education levels:
Those with a high school education steal $70,000 per incident
Those with a post-graduate degree steal $162,000
Those with a bachelor's degree steal $243,000
45% of companies report unauthorized access of data by insiders!
Case Study: The City of San Francisco
Whose network is it anyway?
Terry Childs – Cisco Certified Internetworking Engineer
Built & Managed the city-wide network (core of networks)
Elevated rights to sole administrator – always on call
Attack Origins
Points of Origins of Network Attacks
Internal
Harder to protect against – productivity vs. security
Motivations:
Personal Gain
Revenge (Missed promotion, about to be fired)
Job Security
External
Hard to identify source
Motivations:
Random Attack
Revenge (Former employee, angry client, competitor)
Industrial Espionage
13. A Typical IT Hack
Flow diagram recovered from the slide:
Organization Data Store – SS’s information of Employee, Customer, Vendor
Unethical Hacker (UH) steals information: cracks database, wireless sniff, social engineering
UH posts information
HH buys information, transfers money, opens charge account
Computer Fraud – First Steps
1. Stop using compromised system!
Every action changes computer environment
Preservation of hard drive and memory contents
Isolate system
Physically disconnect system from Internet if exposed
If intranet threat is possible, isolate from local network
2. Record visual information from PC
Running applications
Items in system tray
3. Utilize drive duplication tools to create copy of drive
Refer to item #1
Allows for other tests to be tried without losing original evidence
Goals of Computer Forensics
• Preservation of Evidence
Adherence to carefully developed set of procedures that address security, authenticity, and chain-of-custody.
• Analysis of User Activity
Reporting of all user activity on computer and company network including, but not limited to, e-mail, Internet and Intranet files accessed, files created and deleted, and user access times.
• Password Recovery
Accessing and recovering data from password protected files.
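The first-steps procedure and the preservation goal above, as an added example (not from the presentation): a hash-verified duplication with a chain-of-custody record, run against a constructed throw-away file instead of a real drive. Case id, examiner name and the sn.example-style paths are placeholders; the point is that the copy is proven bit-identical by an independent re-read and the hash is logged so the image can be re-verified later.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream 1 MiB at a time so large images never have to fit in memory


def sha256_of(path: str) -> str:
    """Hash a file by streaming it; used to re-verify an image at any later time."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def image_evidence(source: str, image_path: str, custody_log: str,
                   examiner: str, case_id: str) -> dict:
    """Copy `source` to `image_path`, prove the copy is bit-identical, and log it.

    The source is opened read-only and never written. The image is hashed by
    an independent re-read rather than trusting the hash computed while
    copying, so a silent write error on the destination is caught.
    """
    source_digest = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            source_digest.update(block)
            dst.write(block)
    image_hash = sha256_of(image_path)
    if image_hash != source_digest.hexdigest():
        raise RuntimeError("image does not match source; discard it and re-image")
    os.chmod(image_path, 0o444)  # working copies are made from this; it stays untouched
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image_path,
        "size_bytes": os.path.getsize(image_path),
        "sha256": image_hash,
    }
    with open(custody_log, "a", encoding="utf-8") as log:  # one JSON record per line
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image_path: str, custody_log: str) -> bool:
    """True if the image still hashes to the value recorded at acquisition."""
    with open(custody_log, encoding="utf-8") as log:
        records = [json.loads(line) for line in log if line.strip()]
    expected = [r["sha256"] for r in records if r["image"] == image_path]
    return bool(expected) and sha256_of(image_path) == expected[-1]


def demo() -> tuple:
    """Constructed run on a throw-away 'drive' file; returns (record, still_valid)."""
    workdir = tempfile.mkdtemp(prefix="custody-demo-")
    source = os.path.join(workdir, "suspect-drive.bin")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # constructed evidence content
    image = os.path.join(workdir, "suspect-drive.img")
    log = os.path.join(workdir, "custody.jsonl")
    record = image_evidence(source, image, log,
                            examiner="examiner-placeholder", case_id="CASE-PLACEHOLDER")
    return record, verify_image(image, log)


if __name__ == "__main__":
    rec, ok = demo()
    print(json.dumps(rec, indent=2), "\nre-verified:", ok)
```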
14. Fraud: Preemptive Tools
Computer audit logs
Enable auditing (default is normally not enabled)
Ensure size is sufficient (avoid overwriting)
Copied to remote storage/permanent media on regular intervals
Utilize other logging tools:
Keystroke Loggers
Screenshot Recording
Shadowing Capabilities
E-Mail and Instant Messaging Archives
Ethical Considerations
Computer Use Policy – notification of right to trace actions
Control access to implemented tools
Ensure proper and ethical use
Other Threats:
Phishing
Banking Spoofs, E-Bay Accounts, etc.
New Evolution: Pharming
“Poisoning” of DNS Record to redirect request
Site could be exact duplicate of intended site
Malware
Key-loggers & Screen Capture Programs
Browser hijacks
Phishing – How can you tell?
How can you tell a legitimate email from a phony?
15. Other Threats:
URL Shorteners
Tinyurl, bit.ly, sn.im
Creates a short link from a long internet address
Problem if malware site is being hidden
Study of URL shorteners:
Stage 1 Compliant if it appears to use a security service or blacklist to
identify malicious domains and does not allow a user to create a shortened
link to any infected domain.
Stage 2 Compliant if it uses a security service or blacklist to identify
malicious domains and does not allow a user to create a shortened link to
any infected domain or malicious full URL hosted on that domain.
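An added example, not from the study or the presentation, of what Stage 1 and Stage 2 compliance mean in practice: the same shortening service refusing a link at one stage but not the other, driven by a constructed blocklist. The sn.example host and the listed domains are made up.

```python
import hashlib
from urllib.parse import urlparse, urlunparse

# Constructed threat feed standing in for the "security service or blacklist".
MALICIOUS_DOMAINS = {"bad-downloads.example"}                  # entire host is malicious
MALICIOUS_URLS = {"http://blog.example/wp-content/drop.exe"}    # one bad page on a clean host


def canonical(url: str) -> str:
    """Lower-case scheme/host and drop the fragment so trivial variants still match the feed."""
    p = urlparse(url)
    return urlunparse((p.scheme.lower(), (p.hostname or "").lower(), p.path or "/",
                       "", p.query, ""))


def domain_is_malicious(url: str) -> bool:
    """Stage 1 check: is the destination host (or one of its parent domains) listed?"""
    host = (urlparse(url).hostname or "").lower()
    return any(host == bad or host.endswith("." + bad) for bad in MALICIOUS_DOMAINS)


def url_is_malicious(url: str) -> bool:
    """Stage 2 check: the domain check plus the exact full URL."""
    return domain_is_malicious(url) or canonical(url) in MALICIOUS_URLS


def is_allowed(long_url: str, stage: int) -> bool:
    """Would a service at the given compliance stage create this short link?"""
    if stage == 2:
        return not url_is_malicious(long_url)
    return not domain_is_malicious(long_url)


class Shortener:
    """Minimal shortening service (hypothetical host sn.example) enforcing one stage."""

    def __init__(self, stage: int):
        self.stage = stage
        self.table = {}

    def shorten(self, long_url: str) -> str:
        if not is_allowed(long_url, self.stage):
            raise ValueError("refused: destination flagged as malicious")
        code = hashlib.sha256(canonical(long_url).encode()).hexdigest()[:7]
        self.table[code] = long_url
        return f"https://sn.example/{code}"

    def expand(self, short_url: str) -> str:
        """What a recipient's preview step should do before following the link."""
        return self.table[short_url.rsplit("/", 1)[1]]


if __name__ == "__main__":
    bad_page = "http://blog.example/wp-content/drop.exe"
    for stage in (1, 2):
        print(f"stage {stage}: allows {bad_page}? {is_allowed(bad_page, stage)}")
```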
Scanning Yourself
Footprinting
Gaining parameters of network
Areas of search
Google Searches
Usenet/Newsgroup Searches
ARIN Records – DNS Stuff
Vulnerability Assessments
Finding rabbit holes - weak points in your network
Online Tools
Nessus (www.nessus.org)
Registered vs. Direct Feed
Windows & Linux Versions
External Use
Internal Use
Penetration Testing
How far down does the rabbit hole go?
Care in performing exploits – not for amateurs!
Metasploit
Understand Your Enemies
You have to understand their tactics to better stop them.
Hacking for Dummies by Kevin Beaver, Stuart McClure
Certified Ethical Hacking – Training & Certification
Vulnerability Assessments
Penetration Testing
On-line Resources
Print Resources
16. The Elements of IT Security
Example one: PHISHING
Right click the message and select “VIEW SOURCE”
17. The Elements of IT Security
Actual source of the e-mail in html format:
18. The Elements of IT Security
Example 2: Citibank Phishing
FRAUD ALERT
CitiBank phishing email - "Read Now! Important Message From Citibank"
Date Issued: April 13 2004
Customers of CitiBank are the targets of the latest phishing email scams.
The email claims to be from "Citi Identity Theft Solutions", and directs customers they must update their ATM/Debit Card
PIN. Users are instructed to click on a link within the email and enter their debit card number and ATM PIN in a form on a
fake website. The fake website is displayed in a small window, while the real CitiBank website is displayed in the
background. This gives the users a false sense of security in entering their personal information.
A copy of the email is displayed below:
19. The WebSite is shown below:
What to do?
If you receive an e-mail similar to this, do nothing. Do not reply to the e-mail and do not give any personal details to the
sender.
If you do receive similar emails, or any email that you think may be fraudulent, please forward to FraudWatch International
at:
scams@fraudwatchinternational.com
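To turn “view source” into a repeatable check, here is an added example (not from the presentation or FraudWatch) that scans an e-mail's HTML for the tells described above: link text naming one host while the href points to another, links to bare IP addresses, and a script that opens the small pop-up window the Citibank scam used over the real site. The sample message is constructed; 203.0.113.45 is a documentation address standing in for the attacker's host.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message modelled on the scam described above (not the real e-mail).
SAMPLE_EMAIL_HTML = """<html><body>
<p>Read Now! Important Message From Citibank</p>
<p>You must update your ATM/Debit Card PIN within 24 hours at
<a href="http://203.0.113.45/citi/update.php">https://www.citibank.com/secure</a></p>
<p>Questions? See <a href="https://www.citibank.com/help">our help page</a>.</p>
<script>window.open('http://203.0.113.45/citi/pin.php', 'pin', 'width=320,height=240');</script>
</body></html>"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every anchor plus the body of each <script>."""

    def __init__(self):
        super().__init__()
        self.links, self.scripts = [], []
        self._href, self._text, self._in_script = None, [], False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        elif self._in_script:
            self.scripts.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
        elif tag == "script":
            self._in_script = False


def find_phishing_indicators(html_source: str) -> list:
    """Return human-readable findings; an empty list means none of these tells were seen."""
    parser = LinkCollector()
    parser.feed(html_source)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = URL_RE.search(text)
        if shown and host_of(shown.group()) != target:
            findings.append(f"link text shows {host_of(shown.group())} but href goes to {target}")
        if IP_RE.fullmatch(target):
            findings.append(f"link points at a bare IP address: {target}")
    for body in parser.scripts:
        if "window.open" in body:
            findings.append("script opens a pop-up window (fake form over the real site)")
    return findings


if __name__ == "__main__":
    for finding in find_phishing_indicators(SAMPLE_EMAIL_HTML):
        print("-", finding)
```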
20. Reprinted from: http://www.sans.org/resources/policies/Acceptable_Use_Policy.pdf
Sample Acceptable Use Policy
1.0 Overview
InfoSec's intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary
to <Company Name>'s established culture of openness, trust and integrity. InfoSec is committed to
protecting <Company Name>'s employees, partners and the company from illegal or damaging actions by
individuals, either knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software,
operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP,
are the property of <Company Name>. These systems are to be used for business purposes in serving the
interests of the company, and of our clients and customers in the course of normal operations. Please
review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every <Company Name>
employee and affiliate who deals with information and/or information systems. It is the responsibility of
every computer user to know these guidelines, and to conduct their activities accordingly.
2.0 Purpose
The purpose of this policy is to outline the acceptable use of computer equipment at <Company Name>.
These rules are in place to protect the employee and <Company Name>. Inappropriate use exposes
<Company Name> to risks including virus attacks, compromise of network systems and services, and legal
issues.
3.0 Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at <Company
Name>, including all personnel affiliated with third parties. This policy applies to all equipment that is
owned or leased by <Company Name>.
4.0 Policy
4.1 General Use and Ownership
1. While <Company Name>'s network administration desires to provide a reasonable level of
privacy, users should be aware that the data they create on the corporate systems remains the
property of <Company Name>. Because of the need to protect <Company Name>'s network,
management cannot guarantee the confidentiality of information stored on any network device
belonging to <Company Name>.
2. Employees are responsible for exercising good judgment regarding the reasonableness of personal
use. Individual departments are responsible for creating guidelines concerning personal use of
Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by
departmental policies on personal use, and if there is any uncertainty, employees should consult
their supervisor or manager.
3. InfoSec recommends that any information that users consider sensitive or vulnerable be encrypted.
For guidelines on information classification, see InfoSec's Information Sensitivity Policy. For
guidelines on encrypting email and documents, go to InfoSec's Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within <Company Name>
may monitor equipment, systems and network traffic at any time, per InfoSec's Audit Policy.
5. <Company Name> reserves the right to audit networks and systems on a periodic basis to ensure
compliance with this policy.
4.2 Security and Proprietary Information
1. The user interface for information contained on Internet/Intranet/Extranet-related systems should
be classified as either confidential or not confidential, as defined by corporate confidentiality
guidelines, details of which can be found in Human Resources policies. Examples of confidential
information include but are not limited to: company private, corporate strategies, competitor
sensitive, trade secrets, specifications, customer lists, and research data. Employees should take all
necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. Authorized users are responsible for the
security of their passwords and accounts. System level passwords should be changed quarterly,
user level passwords should be changed every six months.
3. All PCs, laptops and workstations should be secured with a password-protected screensaver with
the automatic activation feature set at 10 minutes or less, or by logging-off (control-alt-delete for
Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with InfoSec's Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, special care should
be exercised. Protect laptops in accordance with the “Laptop Security Tips”.
6. Postings by employees from a <Company Name> email address to newsgroups should contain a
disclaimer stating that the opinions expressed are strictly their own and not necessarily those of
<Company Name>, unless posting is in the course of business duties.
7. All hosts used by the employee that are connected to the <Company Name>
Internet/Intranet/Extranet, whether owned by the employee or <Company Name>, shall be
continually executing approved virus-scanning software with a current virus database, unless
overridden by departmental or group policy.
8. Employees must use extreme caution when opening e-mail attachments received from unknown
senders, which may contain viruses, e-mail bombs, or Trojan horse code.
4.3. Unacceptable Use
The following activities are, in general, prohibited. Employees may be exempted from these restrictions
during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need
to disable the network access of a host if that host is disrupting production services).
Under no circumstances is an employee of <Company Name> authorized to engage in any activity that is
illegal under local, state, federal or international law while utilizing <Company Name>-owned resources.
The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall
into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or
other intellectual property, or similar laws or regulations, including, but not limited to, the
installation or distribution of "pirated" or other software products that are not appropriately
licensed for use by <Company Name>.
2. Unauthorized copying of copyrighted material including, but not limited to, digitization and
distribution of photographs from magazines, books or other copyrighted sources, copyrighted
music, and the installation of any copyrighted software for which <Company Name> or the end
user does not have an active license is strictly prohibited.
3. Exporting software, technical information, encryption software or technology, in violation of
international or regional export control laws, is illegal. The appropriate management should be
consulted prior to export of any material that is in question.
4. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan
horses, e-mail bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This
includes family and other household members when work is being done at home.
6. Using a <Company Name> computing asset to actively engage in procuring or transmitting
material that is in violation of sexual harassment or hostile workplace laws in the user's local
jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any <Company Name>
account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include,
but are not limited to, accessing data of which the employee is not an intended recipient or
logging into a server or account that the employee is not expressly authorized to access, unless
these duties are within the scope of regular duties. For purposes of this section, "disruption"
includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service,
and forged routing information for malicious purposes.
10. Port scanning or security scanning is expressly prohibited unless prior notification to InfoSec is
made.
11. Executing any form of network monitoring which will intercept data not intended for the
employee's host, unless this activity is a part of the employee's normal job/duty.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than the employee's host (for example, denial
of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere
with, or disable, a user's terminal session, via any means, locally or via the
Internet/Intranet/Extranet.
15. Providing information about, or lists of, <Company Name> employees to parties outside
<Company Name>.
Email and Communications Activities
1. Sending unsolicited email messages, including the sending of "junk mail" or other advertising
material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency, or
size of messages.
3. Unauthorized use, or forging, of email header information.
4. Solicitation of email for any other email address, other than that of the poster's account, with the
intent to harass or to collect replies.
5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
6. Use of unsolicited email originating from within <Company Name>'s networks of other
Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by
<Company Name> or connected via <Company Name>'s network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups
(newsgroup spam).
5.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including
termination of employment.
6.0 Definitions
Spam: Unauthorized and/or unsolicited electronic mass mailings.
7.0 Revision History
23. Questions & Answers
"The search for static security - in the law and elsewhere -
is misguided. The fact is security can only be achieved
through constant change, adapting old ideas that have
outlived their usefulness to current facts."
- Canadian physician, William Osler
Jeffrey T. Lemmermann, CPA, CITP, CISA, CEH
Chief Financial Officer / Information Officer
Precision Plus, Inc.
840 Koopman Ln.
Elkhorn, WI 53121
LemmermannJ@preplus.com