[106] proactively detect identity theft and privacy breaches by insiders scce compliance &...

SCCE 2014 Annual Conference

Live, Step-by-Step Tutorial of

Proactive Detection Techniques

You Can Use Now!

Alan Norquist, CEO, Veriphyr

Proactively Detect

Identity Theft and Privacy Breaches

by Insiders

Problem - Insider Identity Theft / Privacy Breach

Top Concerns (1)

# 1 - Meeting Compliance Requirements

# 2 - Requirements/Expectations of Customers

Insiders, Not Outsiders, Accounted For (2)

71% of Customer Records Compromised or Stolen

63% of Employee Records Compromised or Stolen

www.veriphyr.com 29/15/2014

"Organizations who have good insider threat and data protection programs

will be around in 10 years, and those that don't -- won't”

- Patrick Reidy - FBI Chief Information Security Officer (3)

You Can Keep Out the Hackers…


But Not Your Employees, Contractors, etc.

www.veriphyr.com 49/15/2014Cartoon by P. Daily

Difference Identity Theft vs Privacy Breach

Identity Theft

Stealing Personally Identifiable Data

Purpose - Enable Stealing of $$ Via Identity Fraud

Privacy Breach

Learning Embarrassing Personal Information

Purpose is Rarely $$

Purpose - Enable Ridicule or Blackmail


How Bad Can Insider Theft Be?


FBI/Police or Victim, In Most Cases, Discovered the Crime

… and Discovered the Organization that was the Source of Identity Theft

Bank Insider Stole Identity of

300 Customers. Confederates Withdrew

$10 Million from Accounts (4)

Retail Insider Stole Identity of

500 Customers and Sold to

Criminals for Identity Fraud (5)

TeleCom Customer Service Rep Stole

Customer Identities to Wire Transfers $

from Bank Accounts (6)

Restaurant Chain Employee Abused

Legitimate Access to Steal Employee

Names, SS# & Birth Dates (7)

Government Board Receptionist Stole

Identities used for $2 Million in Bank

Withdrawals & Fraudulent Purchases (8)

Insurance Employee Breached

the Privacy of Customers for

3 Years Before Being Caught (9)

Billing Clerk Stole the Identity of

12,000 Customer Over

18 Month Period (10)

Hospital Medical Assistant Breached the

Privacy of 3,600 Patients for

More Than 3 Years (11)

So What? - Stole Our ID Data Not Our $

Organization Pays to

Overcome Bad Public Relations and Broken Trust

Notify Breach Victims & Provide Credit Monitoring

Sometimes it is Both Your Data and Your $

Bank Lost $10 Million When Insider Leaked 300 Customers’ Info (4)

Class Action by Customers

$3 Million Settlement in FL Even Though No Proof of Harm (12)

WV Supreme Court OK’s Suit with No Proof of Injury (13)

$4 Billion Suit of CA Healthcare Firm Would Have Gone to Trial

if “proof unauthorized person accessed stolen material.” (14)


So What? - Stole Our ID Data Not Our $ (p2)

FTC

Suing Hotel Chain and Settled with Healthcare Firm

"not using readily available measures to prevent and detect unauthorized

access to personal information.“ (15) (16)

Attorney Generals

$750,000 Settlement by MA AG for Identity Data Loss in MA (17)

$150,000 Settlement by MA AG for MA Residents Loss in RI (18)

Insurance Firm Settlement with Connecticut AG (19)

Consulting Firm Sued by Minnesota AG (20)

U.S. Dept of Health and Human Services

$4.8 Million and $1 Million Fines for Hospitals (21)


Why is Identity Theft Growing?

Organizations Store More Identity Data

More Employees Need/Given Access to Identity Data

Identity Data More Valuable Than Credit Card (22)

Medical Record = $50.00

Credit Card # = $ 1.50

Fraud Using Stolen Identity Data is Lucrative

Stolen Identity Refund Fraud (SIRF) = $21 Billion 2012-2017 (23)

$2.1 Million for a Single Refund (24)

34% of All Reported Identity Fraud (25)

Credit Card (17%), Bank (8%), and Loan (4%) (25)


Dealing Identity Replaces Dealing Drugs

Quoting from FBI Press Release (26)


“A confidential source (CS) initially approached

[criminal] and inquired about purchasing narcotics.

[Criminal] told the CS that he did not have any

narcotics but that he did have personal identity

information (PII) that he was willing to sell to

the CS….

[Criminal] provided the CS with specific instructions

on what information to enter into the web pages of

the Internet-based tax services to obtain a tax

refund.

An examination of the PII revealed that it was from

a medical services provider.”

Lessons from Review of Past Identity Thefts

Any Industry can be a Victim

Insiders are Not “Techies” “Authorized users doing authorized things for malicious purposes” - FBI (27)

Insider Threat by Employee Type (1)

#1 - Non-technical employees w/ legitimate access to sensitive data

#2 - Third party contractors with legitimate access

Theft Occurs Over Time, Not a One-Off

Insiders Often “Good” Employees with Hidden Problems Insiders Steal Identity & Outsiders Commit Fraud

Recruited by Outsider and Insider has No Record

FBI/Police Discover Your Employee’s ID Theft, Not You

After Damage Done to Customers & Employees

Too Late to Save “Good” Employee Gone Astray


Apply Fraud Triangle to Identity Theft


Opportunity

RationalizationPressure

Donald R. Cressey (28)

I Will NOT Get Caught

Misusing My Access to

Sensitive Identity Data

“Unshareable”

Financial

Pressure

I’m Only Sharing

People’s Names

and Stuff.

I am Not the One

Committing

Identity Fraud.

Apply Fraud Triangle to Privacy Breach


Opportunity

RationalizationCuriosity

Wow! No One Noticed

or Complained

Just

Curious

I Guess It Can’t

Be a Real Problem

If No One Noticed

Or Complained.

I Can Do It

Again.

Not Being Caught for Privacy Breach Emboldens Employee Identity Theft

Donald R. Cressey (28)

Original Strategy No Longer Works

Initially Built Wall to Catch Leakage of Identity Data

Data Leak Protection (DLP)

Insufficient to Catch Insiders

Why?

Identity Data on Screen + Phone Camera = Identity Theft

FBI/Police Reports of Evidence Shows

“computer screen-shot printouts displaying patients’ personal

information from a local hospital” (29)


Proactively Deter and Detect ID Theft

Identity & Access Intelligence - IAI (Identified by Gartner)

http://www.gartner.com/it-glossary/identity-and-access-intelligence/

Employees Doing Similar Jobs Behave Similarly

Compare Employee Activity to Peers to Find Anomalies

Uses Existing Application Logs of Employee Access to Identity Data

Investigate Anomalies with Managers and Employee

Employees Know They are Being Effectively Monitored

Deters Identity Theft (Reducing “Opportunity" in Triangle)

Detect Identity Theft in Early Stages

Intervene Before Employee Breaks the Law


Live, Step-by-Step Tutorial of

IAI Techniques You Can Use NOW!

Using Software Tools You Already Know and Have

Using Raw Activity Logs and Identity Data

Your Systems Already Produce

No New Hardware/Software Required

Detailed Instructions and Examples

Discover Identity Theft and Privacy Breach Activity


Questions


Footnotes – Click on Link to Access Source Doc

Slide 21) http://bit.ly/SCCE_201409_Veriphyr_01

2) http://bit.ly/SCCE_201409_Veriphyr_02











http://bit.ly/SCCE_201409_Veriphyr_12a




Slide 8 (continued)













Slide 12/1328) http://bit.ly/SCCE_201409_Veriphyr_28



http://bit.ly/SCCE_201409_Veriphyr_01












http://bit.ly/SCCE_201409_Veriphyr_12a


















SCCE Annual

For more information contact meAlan Norquist

[email protected]

Blog.Veriphyr.com

www.Veriphyr.com

Proactively Detect

Identity Theft and Privacy Breaches

by Insiders

mailto:[email protected]

[106] proactively detect identity theft and privacy breaches by insiders scce compliance &...

Education