[106] Proactively Detect Identity Theft and Privacy Breaches by Insiders SCCE Compliance & Ethics...
SCCE 2014 Annual Conference
Live, Step-by-Step Tutorial of
Proactive Detection Techniques
You Can Use Now!
Alan Norquist, CEO, Veriphyr
Proactively Detect
Identity Theft and Privacy Breaches
by Insiders
Problem - Insider Identity Theft / Privacy Breach
Top Concerns (1)
# 1 - Meeting Compliance Requirements
# 2 - Requirements/Expectations of Customers
Insiders, Not Outsiders, Accounted For (2)
71% of Customer Records Compromised or Stolen
63% of Employee Records Compromised or Stolen
www.veriphyr.com, slide 2, 9/15/2014
"Organizations who have good insider threat and data protection programs
will be around in 10 years, and those that don't -- won't"
- Patrick Reidy - FBI Chief Information Security Officer (3)
Difference: Identity Theft vs. Privacy Breach
Identity Theft
Stealing Personally Identifiable Data
Purpose - Enable Stealing of $$ Via Identity Fraud
Privacy Breach
Learning Embarrassing Personal Information
Purpose is Rarely $$
Purpose - Enable Ridicule or Blackmail
How Bad Can Insider Theft Be?
FBI/Police or Victim, In Most Cases, Discovered the Crime
… and Discovered the Organization that was the Source of Identity Theft
Bank Insider Stole Identity of
300 Customers. Confederates Withdrew
$10 Million from Accounts (4)
Retail Insider Stole Identity of
500 Customers and Sold to
Criminals for Identity Fraud (5)
TeleCom Customer Service Rep Stole
Customer Identities to Wire Transfer $
from Bank Accounts (6)
Restaurant Chain Employee Abused
Legitimate Access to Steal Employee
Names, SS# & Birth Dates (7)
Government Board Receptionist Stole
Identities used for $2 Million in Bank
Withdrawals & Fraudulent Purchases (8)
Insurance Employee Breached
the Privacy of Customers for
3 Years Before Being Caught (9)
Billing Clerk Stole the Identity of
12,000 Customers Over
18 Month Period (10)
Hospital Medical Assistant Breached the
Privacy of 3,600 Patients for
More Than 3 Years (11)
So What? - Stole Our ID Data Not Our $
Organization Pays to
Overcome Bad Public Relations and Broken Trust
Notify Breach Victims & Provide Credit Monitoring
Sometimes it is Both Your Data and Your $
Bank Lost $10 Million When Insider Leaked 300 Customers’ Info (4)
Class Action by Customers
$3 Million Settlement in FL Even Though No Proof of Harm (12)
WV Supreme Court OK’s Suit with No Proof of Injury (13)
$4 Billion Suit of CA Healthcare Firm Would Have Gone to Trial
if “proof unauthorized person accessed stolen material.” (14)
So What? - Stole Our ID Data Not Our $ (p2)
FTC
Suing Hotel Chain and Settled with Healthcare Firm
"not using readily available measures to prevent and detect unauthorized
access to personal information." (15) (16)
Attorneys General
$750,000 Settlement by MA AG for Identity Data Loss in MA (17)
$150,000 Settlement by MA AG for MA Residents Loss in RI (18)
Insurance Firm Settlement with Connecticut AG (19)
Consulting Firm Sued by Minnesota AG (20)
U.S. Dept of Health and Human Services
$4.8 Million and $1 Million Fines for Hospitals (21)
Why is Identity Theft Growing?
Organizations Store More Identity Data
More Employees Need/Given Access to Identity Data
Identity Data More Valuable Than Credit Card (22)
Medical Record = $50.00
Credit Card # = $ 1.50
Fraud Using Stolen Identity Data is Lucrative
Stolen Identity Refund Fraud (SIRF) = $21 Billion 2012-2017 (23)
$2.1 Million for a Single Refund (24)
34% of All Reported Identity Fraud (25)
Credit Card (17%), Bank (8%), and Loan (4%) (25)
Dealing Identity Replaces Dealing Drugs
Quoting from FBI Press Release (26)
“A confidential source (CS) initially approached
[criminal] and inquired about purchasing narcotics.
[Criminal] told the CS that he did not have any
narcotics but that he did have personal identity
information (PII) that he was willing to sell to
the CS….
[Criminal] provided the CS with specific instructions
on what information to enter into the web pages of
the Internet-based tax services to obtain a tax
refund.
An examination of the PII revealed that it was from
a medical services provider.”
Lessons from Review of Past Identity Thefts
Any Industry can be a Victim
Insiders are Not “Techies”
“Authorized users doing authorized things for malicious purposes” - FBI (27)
Insider Threat by Employee Type (1)
#1 - Non-technical employees w/ legitimate access to sensitive data
#2 - Third party contractors with legitimate access
Theft Occurs Over Time, Not a One-Off
Insiders Often “Good” Employees with Hidden Problems
Insiders Steal Identity & Outsiders Commit Fraud
Recruited by Outsider and Insider has No Record
FBI/Police Discover Your Employee’s ID Theft, Not You
After Damage Done to Customers & Employees
Too Late to Save “Good” Employee Gone Astray
Apply Fraud Triangle to Identity Theft
Fraud Triangle - Donald R. Cressey (28)
Opportunity - I Will NOT Get Caught Misusing My Access to Sensitive Identity Data
Pressure - “Unshareable” Financial Pressure
Rationalization - I’m Only Sharing People’s Names and Stuff. I am Not the One Committing Identity Fraud.
Apply Fraud Triangle to Privacy Breach
Opportunity - Wow! No One Noticed or Complained
Curiosity - Just Curious
Rationalization - I Guess It Can’t Be a Real Problem If No One Noticed Or Complained. I Can Do It Again.
Not Being Caught for Privacy Breach Emboldens Employee Identity Theft
Donald R. Cressey (28)
Original Strategy No Longer Works
Initially Built Wall to Catch Leakage of Identity Data
Data Leak Protection (DLP)
Insufficient to Catch Insiders
Why?
Identity Data on Screen + Phone Camera = Identity Theft
FBI/Police Reports of Evidence Show
“computer screen-shot printouts displaying patients’ personal
information from a local hospital” (29)
Proactively Deter and Detect ID Theft
Identity & Access Intelligence - IAI (Identified by Gartner)
http://www.gartner.com/it-glossary/identity-and-access-intelligence/
Employees Doing Similar Jobs Behave Similarly
Compare Employee Activity to Peers to Find Anomalies
Uses Existing Application Logs of Employee Access to Identity Data
Investigate Anomalies with Managers and Employee
Employees Know They are Being Effectively Monitored
Deters Identity Theft (Reducing “Opportunity" in Triangle)
Detect Identity Theft in Early Stages
Intervene Before Employee Breaks the Law
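The peer comparison described on this slide, as an added example that is not from the presentation or from Veriphyr: it counts the distinct identity records each employee viewed and flags anyone far above the median of colleagues in the same job role. The CSV log columns, employee names, the modified z-score method and the 3.5 threshold are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from statistics import median

def build_sample_log():
    """Constructed sample log: one CSV row per record view (not real data)."""
    spec = [("alice", "billing", 3), ("bob", "billing", 4), ("carol", "billing", 3),
            ("dave", "billing", 12), ("erin", "nurse", 20), ("frank", "nurse", 22),
            ("gina", "nurse", 19)]
    rows = ["timestamp,employee,role,record_id"]
    for emp, role, n in spec:
        for i in range(n):
            rows.append(f"2014-09-15T09:{i:02d}:00,{emp},{role},{emp}-rec-{i}")
    rows.append("2014-09-15T10:00:00,alice,billing,alice-rec-0")  # repeat view
    return "\n".join(rows)

def distinct_records_by_employee(log_text):
    """Return {role: {employee: number of distinct records viewed}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(log_text)):
        seen[row["role"]][row["employee"]].add(row["record_id"])
    return {role: {e: len(r) for e, r in emps.items()} for role, emps in seen.items()}

def flag_peer_outliers(log_text, threshold=3.5, min_peers=3):
    """Flag employees who viewed far more records than peers in the same role.

    Uses the modified z-score (median and MAD), which a single heavy user
    cannot skew the way a mean and standard deviation can.
    """
    flagged = []
    for role, counts in distinct_records_by_employee(log_text).items():
        if len(counts) < min_peers:
            continue  # too few peers for a meaningful comparison
        med = median(counts.values())
        mad = median(abs(c - med) for c in counts.values())
        mad = max(mad, 1.0)  # floor: avoid divide-by-zero when peers are identical
        for emp, c in sorted(counts.items()):
            score = 0.6745 * (c - med) / mad
            if score > threshold:
                flagged.append((emp, role, c, round(score, 2)))
    return flagged

if __name__ == "__main__":
    for emp, role, count, score in flag_peer_outliers(build_sample_log()):
        print(f"review: {emp} ({role}) viewed {count} records, score {score}")
```

In the constructed data, 12 records is anomalous for a billing clerk but would be unremarkable for a nurse, which is why the comparison is made per role rather than against one global limit.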
Live, Step-by-Step Tutorial of
IAI Techniques You Can Use NOW!
Using Software Tools You Already Know and Have
Using Raw Activity Logs and Identity Data
Your Systems Already Produce
No New Hardware/Software Required
Detailed Instructions and Examples
Discover Identity Theft and Privacy Breach Activity
Footnotes – Click on Link to Access Source Doc
Slide 2
1) http://bit.ly/SCCE_201409_Veriphyr_01
2) http://bit.ly/SCCE_201409_Veriphyr_02
3) http://bit.ly/SCCE_201409_Veriphyr_03
Slide 6
4) http://bit.ly/SCCE_201409_Veriphyr_04
5) http://bit.ly/SCCE_201409_Veriphyr_05
6) http://bit.ly/SCCE_201409_Veriphyr_06
7) http://bit.ly/SCCE_201409_Veriphyr_07
8) http://bit.ly/SCCE_201409_Veriphyr_08
9) http://bit.ly/SCCE_201409_Veriphyr_09
10) http://bit.ly/SCCE_201409_Veriphyr_10
11) http://bit.ly/SCCE_201409_Veriphyr_11
Slide 7
12) http://bit.ly/SCCE_201409_Veriphyr_12
http://bit.ly/SCCE_201409_Veriphyr_12a
13) http://bit.ly/SCCE_201409_Veriphyr_13
14) http://bit.ly/SCCE_201409_Veriphyr_14
Slide 8
15) http://bit.ly/SCCE_201409_Veriphyr_15
16) http://bit.ly/SCCE_201409_Veriphyr_16
17) http://bit.ly/SCCE_201409_Veriphyr_17
18) http://bit.ly/SCCE_201409_Veriphyr_18
19) http://bit.ly/SCCE_201409_Veriphyr_19
20) http://bit.ly/SCCE_201409_Veriphyr_20
21) http://bit.ly/SCCE_201409_Veriphyr_21
Slide 9
22) http://bit.ly/SCCE_201409_Veriphyr_22
23) http://bit.ly/SCCE_201409_Veriphyr_23
24) http://bit.ly/SCCE_201409_Veriphyr_24
25) http://bit.ly/SCCE_201409_Veriphyr_25
Slide 10
26) http://bit.ly/SCCE_201409_Veriphyr_26
Slide 11
27) http://bit.ly/SCCE_201409_Veriphyr_27
Slide 12/13
28) http://bit.ly/SCCE_201409_Veriphyr_28
Slide 14
29) http://bit.ly/SCCE_201409_Veriphyr_29
SCCE Annual
For more information contact me
Alan Norquist
Blog.Veriphyr.com
www.Veriphyr.com