© 2017 All Rights Reserved Brown Smith Wallace LLP · 2018-03-31
TRANSCRIPT
• Identify and discuss major issues related to cybercrime and
the increasing risks associated with cybercrime
• Identify ways in which owners/operators can help protect their
senior living residents from cybercrime
• Identify and discuss identity theft issues, other than those
related to cybercrime
– Protecting information maintained in paper form
– Assisting your seniors to be proactive in protecting their
own personal information
– Crime in which someone wrongfully obtains and uses another
person’s personal information in some way that involves fraud or
deception, usually for personal gain
– Tax ID Theft
– Medical ID Theft
– SSN Theft
– Higher all the time
– Especially high for those over 50 years of age
– Frequently more financially stable and don’t
check credit reporting agencies often
– Vulnerable population
– Hesitant to report
– May not be computer savvy
– Emails frequently look legitimate
– Look closely at the url
– Contain links that may:
• Access your email account and all your contacts
• Infect your system with a virus
• Access personal information you have utilized via email
– Foreign royalty/money scams
– IRS—Email is never the first point of contact from the IRS
– Sham charities
– Sham sweepstakes—you “won a prize”
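As an added illustration of "look closely at the url" (example code, not part of the presentation), the script below pulls the links out of a constructed phishing-style HTML email and flags the things a reader is told to check: a bare IP address, a punycode host, a host outside the sites the recipient actually deals with (the TRUSTED_DOMAINS set and the sample message are both constructed assumptions), and visible text that names one site while the link goes somewhere else.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed for this example: the sites the recipient actually deals with.
TRUSTED_DOMAINS = {"irs.gov", "examplebank.com"}

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Last two labels of a hostname, e.g. 'irs.gov' (adequate for this demo)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def inspect_links(html_body):
    """Return (href, reason) pairs for links the reader should distrust."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, "link points at a bare IP address"))
        elif "xn--" in host:
            findings.append((href, "punycode host may imitate a familiar name"))
        elif registered_domain(host) not in TRUSTED_DOMAINS:
            findings.append((href, f"host '{host}' is not a trusted domain"))
        # Visible text that names one site while the link really goes elsewhere.
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            findings.append((href, f"text shows {shown.group(1)}, link goes to {host}"))
    return findings

# Constructed sample: a lookalike "IRS refund" message with three links.
SAMPLE_EMAIL = """<p>Your refund is pending. Verify at
<a href="http://irs.gov.refund-check.example/login">www.irs.gov</a> or
<a href="http://192.0.2.10/irs">this secure page</a>. Questions:
<a href="https://www.irs.gov/help">https://www.irs.gov/help</a></p>"""
```

Running `inspect_links(SAMPLE_EMAIL)` flags the first two links (three findings in total) and leaves the genuine irs.gov link alone.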
• Technical systems
• Technical support
• Education for Resident Population
– Licensed Areas
• Charts
• Face Sheets
• Short Stay
• Transfer Documents
– Independent Living
• Documents in the residence
• Security of the residence
– The “Can You Hear Me” scam
– Bail money or ransom
– IRS
– Bank
• Monitor bank accounts and the credit reporting agencies
• Shred old documents
• Be mindful of what you are carrying with you
• Secure documents with identifying information
• Secure your mail
• Share your personal information with caution
– Don’t open unexpected email or email from unknown sources
– Don’t click on links contained in the email
– Federal Trade Commission (FTC): obtain an ID Theft Affidavit
– Local law enforcement: provide them with the ID Theft Affidavit; you should
receive an ID Theft Report
– You will need these two documents to report to other
agencies/organizations
– Banks/creditors where fraudulent accounts may have been opened
– Your insurance company, if medical identity theft is suspected
– IRS
– Your bank/creditors/retailers
– Credit Reporting Agencies
– State Consumer Protection Agency/State Attorney General
• ftc.gov/scams
• dor.mo.gov/personal/individual/identity_theft
• www.idtheftcenter.org
• USA.gov
• IdentityTheft.info
• According to the 2017 Trustwave Global Security Report, phishing
and social engineering increased 141% from 2015 to 2016,
making it the second most popular contributor to data
compromise.
• In the 2017 Verizon Data Breach Report, it was reported that 51%
of breaches involved malware. While this threat is beginning to
taper off compared to prior years, it still remains one of the most
frequent threat vectors for all organizations.
Malicious or criminal attacks include malware, criminal insiders (employees,
contractors or other third parties), phishing/social engineering and web site
attacks.
Human error means negligent insiders: individuals who cause a data breach
through their carelessness, as determined in a post-breach investigation.
System glitch includes loss of a system or component, and IT and business
process failures.
Almost
by a ransomware attack, according to a survey by
security firm Malwarebytes.
• Financial Institutions
– Financial motives
– Social Security Numbers
• Health Care
– Social Security Numbers
– Health data (WannaCry hit NHS)
• Public Sector
– Social Security Numbers
– Health data
– Activism
• Nation States
– Attack Public Sector and Infrastructure
– Motivation is to instill fear within populace
– North Korea believed to be behind WannaCry
• Hobbyists
– Financially motivated
– Accepting ransoms for financial gain
• Russia, Eastern Europe, and China?
– Highly educated population
– High unemployment in some countries
• US credit bureau Equifax has acknowledged a breach that may have
compromised as many as 143 million records.
• At the moment, nobody not under NDA knows the full details of the breach,
including what could have been done to stop it.
• This breach is in a class by itself and should invite immediate Congressional
hearings
• The exposed data include Social Security numbers (SSNs), birth dates, and
driver's licenses. The breach also compromised payment card numbers of
more than 200,000 consumers
• It has been estimated this breach impacts 57% of adult Americans.
• Equifax set up a web site to allow you to check whether you are impacted,
but it requires the last six digits of your SSN, and suggests returning
regularly to make sure your status hasn't changed.
• Taking action to establish credit monitoring and lock your credit profile would
be more prudent.
The most common type is email phishing
• “It’s like a fake ATM that prints out an error message when you try to use
it, but in the meantime has taken your credit card details and pin number.”
• “It’s like fishing, hence the name. The phisher casts the net (usually by
sending out spurious emails to a large group of people) and waits for an
unsuspecting user to be drawn in. Or in the case of ‘spear phishing’, the
phisher targets a specific user, usually by posing as someone they know
well. But it’s also not like fishing, which suggests a fairly harmless amateur
pastime.”
- sidewaysdictionary.com
Malicious Software
• Command and control – a hacker uses your computer resources to
their benefit
• Ransomware – a hacker encrypts your data and holds it hostage for a
sum of money
• Spyware – a hacker reads all of your computer inputs and steals your
passwords
• Backdoors – a hacker gains complete access to your computer
• Data exfiltration – a hacker downloads your personal or company
information
• Provide staff with security awareness training
• Actively engage users in adhering to security and privacy policies
• Keeping systems up to date is critical: patching and configuration
• Comprehensive and regular backups
• Keep antivirus with malware detection up to date
• Restrict internal user permissions
If your organization is unfortunate enough to be hit
with an infection:
• Do you have an Incident Response Plan?
• Isolate the workstations immediately from the network to stop
any further incursions.
• Do not re-image the PC until it is determined what the infection
was.
• Start cleaning-up the infection by contacting your endpoint
security vendor’s support staff, who will be able to assist with any
clean-up activities and ensure the infection is completely
removed.
• Determine the nature of that particular infection with your
vendor’s support staff.
• Check if user data was encrypted. The earlier this is done the
better.
• Alert other employees if this was a targeted attack, or about the
threat vector, if appropriate.
• Notify law enforcement.
NIST is a great resource!
Challenges for Small Businesses:
• People
• Budget
• Knowledge
Small businesses are becoming a target for hackers.
The goal for a small business is to deter the hacker enough that they move on to
the next small business.
What can small business do?
• Document and communicate policies and procedures
• Complete background checks on employees
• Limit access to IT resources and use strong passwords
• Patch systems
• Use firewalls, set up spam filters, and secure wireless networks
• Encrypt sensitive data and laptops
• Install and monitor anti-virus
• Develop incident response, disaster recovery, continuity plans
• Take backups and test data recovery
• Pay attention to the people you work with and around
• Be careful of email attachments and web links
• Use separate personal/business computers, mobile devices, accounts
• Do not connect personal or untrusted storage devices or hardware into
your computer, mobile device, or network
• Be careful downloading software
• Do not give out personal or business information
• Watch for harmful pop-ups
• Use strong passwords
• Conduct online business more securely
1. Annual Risk Assessment is a foundational requirement in all new
compliance models
a) How do you take inventory of risk in your environment?
b) How are you treating that risk?
c) Are there risks that haven’t been treated or mitigated?
2. Outsourcing of services is leading to Vendor Management
programs to monitor security obligations
a) How much trust are you putting into a Managed IT Service Provider?
b) Are you hosting your data with a third party?
Tony Munns | [email protected] | 314-983-1297
6 CityPlace Drive, Suite 900│ St. Louis, Missouri 63141 │ 314.983.1200
1520 S. Fifth St., Suite 309 │ St. Charles, Missouri 63303 │ 636.255.3000
2220 S. State Route 157, Ste. 300 │ Glen Carbon, Illinois 62034 │ 618.654.3100
1.888.279.2792 │ bswllc.com
Brown Smith Wallace is a Missouri Limited Liability Partnership
Suzanne Sheldon-Krieger | [email protected]