This document discusses information technology security and fraud prevention. It begins by outlining the top IT security concerns, including data security, network security, and managing risk. It then examines specific threats like data breaches, hacking, and internal fraud. The document provides examples of major data incidents and their impacts. It emphasizes the importance of physical security, access controls, encryption, and policies/procedures to mitigate risks. Throughout, it stresses planning, governance, training, and incident response to help organizations strengthen their security posture.

1. Information Technology Security:
Where are Your Problems?
Precision Plus, Inc.
Jeffrey T. Lemmermann, CPA, CITP, CISA, CEH
LemmermannJ@preplus.com
International Institute of Municipal Clerks
2014 Conference
May 17 - 22, 2014 – Milwaukee, WI

2. 1
Information Security
1. Managing & retaining data (2)
2. Securing the IT environment (1)
3. Managing IT risk & compliance
4. Ensuring privacy
5. Managing system implementation
(6)
Topping The Charts Everywhere!
AICPA 2013 Top 10 Technology Initiatives
6. Preventing & responding to fraud (9)
7. Enabling decision support & managing
performance
8. Governing & managing IT
investment/spending
9. Leveraging emerging technologies (6)
10.Managing vendors and service
providers
Importance of Data Security
 Regulations
 HIPAA
 GLBA / SOX 404
 FACTA
 Red Flag Rules
 PCI Standards
 Publicity
“No such thing is bad publicity
…except your own obituary.”
- Brendan Behan, Irish Dramatist
 Damage to reputation.
 Loss of consumer confidence.
 Redirection of resources
SONY
77 Million User Accounts – 12 Million Unencrypted CC #s
Playstation Network Taken Down – Cost’s over $178 M
Fidelity Info Services
$13M Loss – Unauthorized
Credit Card Activities
SEGA
1.3M subscribers: names, birth dates, e-mail addresses, and passwords
UW - Milwaukee
Names and SS #s of 75,000 Students and Staff
Regulation Changes
1. Electronic documents are treated the same as physical documents!
2. Requires Organizations to know what data you have and in which format it
exists.
3. Forensic Professionals on many sides of a case:
1. Recovering lost or unintentionally deleted items
2. Producing evidence that opponent said was not available
4. Handling of computer evidence
1. Preserve evidence
2. Maintain chain of custody
Changes to the Federal Rules of Civil Procedure
Enacted December 1, 2006

3. 2
Where Is Your Data?
 The Obvious
 Network File/Data Servers
 Laptop Computers
 Backup Storage Media
 The Obscure
 Smartphones / Tablets
 Portable Storage (USB Drives)
 E-Mail Attachments
 The Forgotten
 Disposed Equipment – LEASED Equipment!
Proper Disposal Rules
“Disposal practices that are reasonable and
appropriate to prevent unauthorized access to –or
use of- information in a consumer report.”
 Burn, pulverize, or shred papers so they cannot be reconstructed.
 Destroy or erase electronic files or media so information cannot be
read or reconstructed.
 Conduct due diligence and hire a document destruction contractor.
 Due diligence could include:
 Reviewing contractor’s independent audit
 Obtain information from several references
 Require certification by recognized trade association
 Review contractor’s information security policies or procedures
Hard Drive Data
 Study of 2nd Hand Drives
 O & O Company:
 2004: 88% of Disks from EBay contained recoverable data.
 2005: 71%
 Edith Cowan University – Annual study of 2nd hand hard drives
 2006: 48% 2009: 39% 2012: 47%
 2007: 40% 2010:
 2008: 38% 2011:
 Type of recoverable data:
 Internal company memos
 Legal correspondence of governmental agency
 Credit ratings (Bank owned hard drive)
 File erasing Utilities
 Eraser (Freeware - up to 35 overwrite passes)
 Steganos Security Suite (up to 100 passes)

4. 3
Hard Drive Data Worries
 What About Smartphones?
 Deleting Apps Might Not Delete Data
 SD Card Storage
 Data Stored By Service Providers
 Tablet Computers – Same Issues as Smartphones
 Solid State Drives (SSDs)
 Traditional Disk Wiping Utilities Do Not Work
 “Nearly impossible to completely delete data from SSD’s”
 Physical Destruction Highly Recommended
 Newer SSDs – Deletion Utilities with Drives
Data Security
How can we keep our data safe?
 Case Study: Open Records
 How “open” do you mean?

5. 4
Security Points
Five Key Points of Data Security:
Physical Security
Network Security
Application Security
External Security
Planning & Governance
Physical Security
 Access to Equipment
 Locked server room, mobile equipment logs
 Theft Prevention Procedures
 Cameras, user policies on mobile equipment
 Separation of Duties
 Ordering / Inventory separate from Installers
 Hardware Inventory
 Serial numbers, internal configurations, assignments
Network Security
 Password Policies
 Minimum characters, forced changes, complexity
 No sticky notes!
 Unattended Terminal Protection
 Password protected screensavers, firm policies
 Network File Structure Security
 User site of files, annual review process!
 Auditing Logs
 Activate logging, review logs
 Control of Backup Tapes
 Physical security, password protection

6. 5
Password Complexity Demo
 Importance of non-dictionary passwords
 Dictionaries now including numbers added to words
 Alternate spelling meth0ds 1nclud3d
 Importance of length
 Ease of brute-force attacks
 Flaw in some encryption methods
 Importance of other characters
 Adds to password possibilities
 Helps to beat dictionary cracks
Password Recommendations
 Secure Password Techniques:
 Use modified pass phrases
 4score&7yearsago
 Let’sg0r3d
 Connect words with modifier in middle
 Milwaukeejtl07Bucks
 Aries01thejtlram
 Stick with constant formulas
 Use secure password database managers
 PC / PocketPC – KeePass (http://keepass.sourceforge.net)
 Android – KeePass, LastPass, SplashId
 iPhone / iPad – DataVault Password Manager (iTunes store)
Application Security
 Key Application Security
 Accounting, HR, or other sensitive data applications
 Follow password standards of network
 Segregation of duties / Reporting Controls
 Anti-Virus Protection (Symantec, McAfee, etc.)
 Server based, automatic updates of workstations
 E-mail protection
 Patch Maintenance
 Windows Update Services
 Employee Training
 Dangerous Files, E-Mail Concerns, Web Surfing
 Spyware Protection

7. 6
Spyware – Detecting & Eliminating
 Signs you have been infected:
 Random “Security” Pop-up windows appear when browsing.
 Normal home page has been replaced.
 Drop in computer performance.
 New search bars have appeared in web browser.
 Removal help:
 Cleaning Programs: ComboFix, SpyBot Search & Destroy
 Monitoring & Prevention: SuperAntiSpyware, MS Defender
 Other Tools:
 Startup Inspector
 Pop-up Blocker - Google
 www.processlibrary.com
External Access Security
 Cannot have without other elements!
 Weakness in other areas can defeat the best external security.
 Access method security (vpn, citrix, etc.)
 Data Encryption
 User Education
 Activities to avoid
 Popular methods of capturing data:
 Shoulder surfing
 Key logging / capturing programs
 Packet sniffing
 Wireless worries
Wireless Security
 Control Access
 Change Defaults!
 Administrator Password
 Network SSID
 MAC Filtering
 List of authorized wireless Ethernet cards
 Minimize Access Points
 Scan self for “rogue” access points
 Heatmapper
 WiFi Analyzer (Android Tool)
 Control own equipment’s access

8. 7
Wireless Security
 Control Data - Encryption
 WEP – Wired Equivalency Protocol
 Set to highest level supported
 WEP has deficiencies:
 Both 40-bit and 128-bit keys have been hacked
 Use still will prevent or delay hack attempts
 WPA – Wi-Fi Protected Access (WPA2)
 Subset of developing 802.11i Standard
 Some devices updateable to support standard
 Case Study: Wireless Risks
 The “Cantenna” T.J. Maxx Breach
Planning & Governance
 Align IT Goals with Business Goals
 Does the IT Department work for you or run you?
 Is IT Planning part of the overall strategic planning process?
 Steering committee: department head involvement!
 Must-Have Plans:
 Disaster Recovery Business Continuity
 Testing!
 Involvement of all departments – what are their needs?
 Incident Response Plan
 Data disclosure events
 Contact Requirements

9. 8
Case Study: Incident Response Plans
Starting point: April, 2011
Type: Network Intrusion - External
Records affected: 101.6 million
Estimated costs: $171 million outlay
($1025 Million all considered*)
Affected entities: Sony Pictures, Sony
Corporation of America, Sony Online
Entertainment, Sony Play Station Network.
* - lost business, various compensation costs and new
investments—assuming that no additional security
problems emerge.
Sony – Breach Timeline
 2009 – “geohot” announces intention to jailbreak PS3
 March, 2010 – Sony removes functionality on PS3 to
install another O/S (to block jailbreak effort.)
 January 2, 2011 - Geohot (George Holtz) jailbreaks
PS3 and publishes code online
 January 11, 2011 – Sony sues geohot – seeks to stop
 April 2, 2011 – Sony announces settlement
 April 13, 2011 – Anonymous announces attack on Sony
“In the eyes of the law, the case is closed, for Anonymous
it is just beginning… prepare for the biggest attack you
have ever witnessed, Anonymous style.”
Sony – Breach Timeline
 April 16 – Sony Online Entertainment (SOE)
 25 million user details / 23 K credit/debit cards
 April 17 – PlayStation Network
 77 million user details
 April 20 – Sony shuts down PlayStation Network
 April 26 – Sony publically discloses PlayStation breach
 May 1 – Investigators discover SOE breach
 May 2 – Sony publically discloses SOE breach
“We are trying to fight criminal activities by corporations
and governments, not steal credit cards.”

10. 9
Sony – Lesson 1
 In the public eye - assume you are going to be a
target
 Was Sony right to go after geohot?
 Doesn’t matter if you are in IT
 If the effort is coordinated they will get in
 Limit the attack surface
 Only ask for and store necessary data from users
 What really needs to be exposed to the Internet?
Sony – Lesson 2
 PR Campaigns Matter
 Minimize enemy creation
 Response to hacking incident is critical to retention
 People hate being lied to!
 Contingency Plan Development
 DDOS attacks are form of disaster event
 Practice recovering from them
Policies & Procedures
 Policies in general:
 Signature requirements acknowledgement
 Redistribution of policy general availability
 Centralize & minimize total number
 Training opportunity on changes!
 Important groupings:
 Computer Use Policy
 Internet Use
 E-Mail Use
 IT Security Policy
 Confidentiality statements
 Data handling and storage
 Data retention & destruction

11. 10
Policies & Procedures – Updating
 The importance of reviewing and updating policies:
 What happens when two worlds collide?
 Can social media be used for public debate?
 What rules are in place for posting information by the elected?
 How can the use of social media be policed?
Sunshine Laws
Data Security
Updating our policies and procedures is a
critical part of the circle.
Knowing Our Enemies
Is that all there is to it?
FRAUD:
deceit, trickery, sharp practice, or breach of confidence,
perpetrated for profit or to gain some unfair or dishonest
advantage.
No functional network is impervious.

12. 11
Internal Fraud
 Fraud usually comes from within:
 On average, 6% of an organizations revenue is lost to internal
fraud.
 Small company loss - $127,500 per incident
 Large company loss - $97,000 per incident
 Schemes involving non-cash assets are more costly
 Men out-steal women $200,000 to $60,000 per incident
 Education levels:
 Those with a high school education steal $70,000 per incident
 Those with a post-graduate degrees steal $162,000
 Those with a bachelor degrees steal $243,000
 45% of companies report unauthorized access of data by insiders!
 Case Study: The City of San Francisco
 Who’s network is it anyway?
 Terry Childs – Cisco Certified Internetworking Engineer
 Built & Managed the city-wide network (core of networks)
 Elevated rights to sole administrator – always on call
Attack Origins
Points of Origins of Network Attacks
 Internal
 Harder to protect against – productivity vs. security
 Motivations:
 Personal Gain
 Revenge (Missed promotion, about to be fired)
 Job Security
 External
 Hard to identify source
 Motivations:
 Random Attack
 Revenge (Former employee, angry client, competitor)
 Industrial Espionage

13. 12
A Typical IT Hack
Organization Data Store
Unethical Hacker
SS’s Information
SS’s Information
Employee
Customer
Vendor
HH Buys Information
Transfers Money
Opens Charge Account
UH Steals Information
Cracks Database
Wireless Sniff
Social Engineering
UH Posts Information
Computer Fraud – First Steps
1. Stop using compromised system!
 Every action changes computer environment
 Preservation of hard drive and memory contents
 Isolate System
 Physically disconnect system from Internet if exposed
 If intranet threat is possible, isolate from local network
1. Record visual information from PC
 Running applications
 Items in system tray
2. Utilize drive duplication tools to create copy of drive
 Refer to item #1
 Allows for other tests to be tried without losing original evidence
Goals of Computer Forensics
Preservation of Evidence
Adherence to carefully developed set of procedures that
address security, authenticity, and chain-of-custody.
• Analysis of User Activity
Reporting of all user activity on computer and company
network including, but not limited to,e-mail, Internet and
Intranet files accessed, files created and deleted, and user
access times.
• Password Recovery
Accessing and recovering data from password protected files.

14. 13
Fraud: Preemptive Tools
 Computer audit logs
 Enable auditing (default is normally not enabled)
 Ensure size is sufficient (avoid overwriting)
 Copied to remote storage/permanent media on regular intervals
 Utilize other logging tools:
 Keystroke Loggers
 Screenshot Recording
 Shadowing Capabilities
 E-Mail and Instant Messaging Archives
 Ethical Considerations
 Computer Use Policy – notification of right to trace actions
 Control access to implemented tools
 Ensure proper and ethical use
Other Threats:
 Phishing
 Banking Spoofs, E-Bay Accounts, etc.
 New Evolution: Pharming
 “Poisoning” of DNS Record to redirect request
 Site could be exact duplicate of intended site
 Malware
 Key-loggers & Screen Capture Programs
 Browser Hi-jacks
Phishing – How can you tell?
 How can you tell a legitimate email from a phony?

15. 14
Other Threats:
 URL Shorteners
 Tinyurl, bit.ly, sn.im
 Creates a short link from a long internet address
 Problem if malware site is being hidden
 Study of URL shorteners:
 Stage 1 Compliant if it appears to use a security service or blacklist to
identify malicious domains and does not allow a user to create a shortened
link to any infected domain.
 Stage 2 Compliant if it uses a security service or blacklist to identify
malicious domains and does not allow a user to create a shortened link to
any infected domain or malicious full URL hosted on that domain.
Scanning Yourself
 Footprinting
 Gaining parameters of network
 Areas of search
 Google Searches
 Usegroup/Newsgroup Searches
 ARIN Records – DNS Stuff
 Vulnerability Assessments
 Finding rabbit holes - weak points in your network
 Online Tools
 Nessus (www.nessus.org)
 Registered vs. Direct Feed
 Windows & Linux Versions
 External Use
 Internal Use
 Penetration Testing
 How far down does the rabbit hole go?
 Care in performing exploits – not for amateurs!
 Metasploit
Understand Your Enemies
 You have to understand their tactics to better stop them.
 Hacking for Dummies by Kevin Beaver, Stuart McClure
 Certified Ethical Hacking – Training & Certification
 Vulnerability Assessments
 Penetration Testing
 On-line Resources
 Print Resources

16. The Elements of IT Security
Example one: PHISHING
Right click the message and select “VIEW SOURCE”

17. The Elements of IT Security
Actual source of the e-mail in html format:

18. The Elements of IT Security
Example 2: Citibank Phishing
FRAUD ALERT
CitiBank phishing email - "Read Now! Important Message From Citibank"
Date Issued: April 13 2004
Customers of CitiBank are the targets of the latest phishing email scams.
The email claims to be from "Citi Identity Theft Solutions", and directs customers they must update their ATM/Debit Card
PIN. Users are instructed to click on a link within the email and enter their debit card number and ATM PIN in a form on a
fake website. The fake website is displayed in a small window, while the real CitiBank website is displayed in the
background. This gives the users a false sense of security in entering their personal information.
A copy of the email is displayed below:

19. The WebSite is shown below:
What to do?
If you receive an e-mail similar to this, do nothing. Do not reply to the e-mail and do not give any personal details to the
sender.
If you do receive similar emails, or any email that you think may be fraudulent, please forward to FraudWatch International
at:
scams@fraudwatchinternational.com

20. Reprinted from: http://www.sans.org/resources/policies/Acceptable_Use_Policy.pdf
Sample Acceptable Use Policy
1.0 Overview
InfoSec's intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary
to <Company Name>. established culture of openness, trust and integrity. InfoSec is committed to
protecting <Company Name>'s employees, partners and the company from illegal or damaging actions by
individuals, either knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software,
operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP,
are the property of <Company Name>. These systems are to be used for business purposes in serving the
interests of the company, and of our clients and customers in the course of normal operations. Please
review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every <Company Name>
employee and affiliate who deals with information and/or information systems. It is the responsibility of
every computer user to know these guidelines, and to conduct their activities accordingly.
2.0 Purpose
The purpose of this policy is to outline the acceptable use of computer equipment at <Company Name>.
These rules are in place to protect the employee and <Company Name>. Inappropriate use exposes
<Company Name> to risks including virus attacks, compromise of network systems and services, and legal
issues.
3.0 Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at <Company
Name>, including all personnel affiliated with third parties. This policy applies to all equipment that is
owned or leased by <Company Name>.
4.0 Policy
4.1 General Use and Ownership
1. While <Company Name>'s network administration desires to provide a reasonable level of
privacy, users should be aware that the data they create on the corporate systems remains the
property of <Company Name>. Because of the need to protect <Company Name>'s network,
management cannot guarantee the confidentiality of information stored on any network device
belonging to <Company Name>.
2. Employees are responsible for exercising good judgment regarding the reasonableness of personal
use. Individual departments are responsible for creating guidelines concerning personal use of
Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by
departmental policies on personal use, and if there is any uncertainty, employees should consult
their supervisor or manager.
3. InfoSec recommends that any information that users consider sensitive or vulnerable be encrypted.
For guidelines on information classification, see InfoSec's Information Sensitivity Policy. For
guidelines on encrypting email and documents, go to InfoSec's Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within <Company Name>
may monitor equipment, systems and network traffic at any time, per InfoSec's Audit Policy.
5. <Company Name> reserves the right to audit networks and systems on a periodic basis to ensure
compliance with this policy.
4.2 Security and Proprietary Information
1. The user interface for information contained on Internet/Intranet/Extranet-related systems should
be classified as either confidential or not confidential, as defined by corporate confidentiality
guidelines, details of which can be found in Human Resources policies. Examples of confidential
information include but are not limited to: company private, corporate strategies, competitor

21. sensitive, trade secrets, specifications, customer lists, and research data. Employees should take all
necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. Authorized users are responsible for the
security of their passwords and accounts. System level passwords should be changed quarterly,
user level passwords should be changed every six months.
3. All PCs, laptops and workstations should be secured with a password-protected screensaver with
the automatic activation feature set at 10 minutes or less, or by logging-off (control-alt-delete for
Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with InfoSec's Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, special care should
be exercised. Protect laptops in accordance with the “Laptop Security Tips”.
6. Postings by employees from a <Company Name> email address to newsgroups should contain a
disclaimer stating that the opinions expressed are strictly their own and not necessarily those of
<Company Name>, unless posting is in the course of business duties.
7. All hosts used by the employee that are connected to the <Company Name>
Internet/Intranet/Extranet, whether owned by the employee or <Company Name>, shall be
continually executing approved virus-scanning software with a current virus database. Unless
overridden by departmental or group policy.
8. Employees must use extreme caution when opening e-mail attachments received from unknown
senders, which may contain viruses, e-mail bombs, or Trojan horse code.
4.3. Unacceptable Use
The following activities are, in general, prohibited. Employees may be exempted from these restrictions
during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need
to disable the network access of a host if that host is disrupting production services).
Under no circumstances is an employee of <Company Name> authorized to engage in any activity that is
illegal under local, state, federal or international law while utilizing <Company Name>-owned resources.
The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall
into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or
other intellectual property, or similar laws or regulations, including, but not limited to, the
installation or distribution of "pirated" or other software products that are not appropriately
licensed for use by <Company Name>.
2. Unauthorized copying of copyrighted material including, but not limited to, digitization and
distribution of photographs from magazines, books or other copyrighted sources, copyrighted
music, and the installation of any copyrighted software for which <Company Name> or the end
user does not have an active license is strictly prohibited.
3. Exporting software, technical information, encryption software or technology, in violation of
international or regional export control laws, is illegal. The appropriate management should be
consulted prior to export of any material that is in question.
4. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan
horses, e-mail bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This
includes family and other household members when work is being done at home.
6. Using a <Company Name> computing asset to actively engage in procuring or transmitting
material that is in violation of sexual harassment or hostile workplace laws in the user's local
jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any <Company Name>
account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.

22. 9. Effecting security breaches or disruptions of network communication. Security breaches include,
but are not limited to, accessing data of which the employee is not an intended recipient or
logging into a server or account that the employee is not expressly authorized to access, unless
these duties are within the scope of regular duties. For purposes of this section, "disruption"
includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service,
and forged routing information for malicious purposes.
10. Port scanning or security scanning is expressly prohibited unless prior notification to InfoSec is
made.
11. Executing any form of network monitoring which will intercept data not intended for the
employee's host, unless this activity is a part of the employee's normal job/duty.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than the employee's host (for example, denial
of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere
with, or disable, a user's terminal session, via any means, locally or via the
Internet/Intranet/Extranet.
15. Providing information about, or lists of, <Company Name> employees to parties outside
<Company Name>.
Email and Communications Activities
1. Sending unsolicited email messages, including the sending of "junk mail" or other advertising
material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency, or
size of messages.
3. Unauthorized use, or forging, of email header information.
4. Solicitation of email for any other email address, other than that of the poster's account, with the
intent to harass or to collect replies.
5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
6. Use of unsolicited email originating from within <Company Name>'s networks of other
Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by
<Company Name> or connected via <Company Name>'s network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups
(newsgroup spam).
5.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including
termination of employment.
6.0 Definitions
Term Definition
Spam Unauthorized and/or unsolicited electronic mass mailings.
7.0 Revision History

23. Questions & Answers
"The search for static security - in the law and elsewhere -
is misguided. The fact is security can only be achieved
through constant change, adapting old ideas that have
outlived their usefulness to current facts."
- Canadian physician, William Osler
Jeffrey T. Lemmermann, CPA, CITP, CISA, CEH
Chief Financial Officer / Information Officer
Precision Plus, Inc.
840 Koopman Ln.
Elkhorn, WI 53121
LemmermannJ@preplus.com