4 information governance · 2014-09-03 · e-mail spoofing fraud attempt that targets a specific...


Post on 29-Mar-2020


1/23/2014


INFORMATION GOVERNANCE

04/29/13


john


john gary iannarelli


4/10/1963


135-60-7481


623-910-0410


623-466-1004


5568-2200-0306-9693


822421362


D04396393


[email protected]


[email protected]


do you know me?


anthony iannarelli


jean iannarelli


Ms. iannarelli


now do you know me?


i am what i tell you


8 key personal identifiers

name

dob

birth certificate

dl

ssn

passport

address

phone number

Birth

Misc


search engines


directories


social networking


Information Governance

Policies, procedures, and controls

Implemented to manage information on all media

Supports organization’s mission

Mitigates business and legal risks

Information Governance

Policies must be in place for law enforcement to investigate

Without them, it is nearly impossible to prove criminal intent

Threat Concerns

Malicious code

Website compromise

Insider sells company trade secrets

Hacker

Social engineering


Street Price of Stolen Internet Items

Item                      Percentage   Price
Bank Account Number       23%          $10 - $1,000
Credit Card Number        13%          $0.40 - $2.00
Full Identity             9%           $1 - $15
Online Auction Account    7%           $1 - $8
Email Addresses           5%           $0.83/MB - $10/MB
Email Passwords           5%           $4 - $30


Identity Theft

Identity Theft: Annual Losses in Excess of $50 billion

By Cyber Security Market

According to the Federal Trade Commission (FTC) estimates in 1 year, as many as 10 million people discover that they are victims of some form of identity theft, translating into reported losses exceeding $50 billion.

A recent report of Market Research Media U.S. Federal Cybersecurity Market Forecast 2010-2015 predicts that the Federal government will spend $55 billion over the next five years to fight cyber crime.

The loss of personally identifiable information, such as an individual’s Social Security number, name, and date of birth can result in serious harm, including identity theft. Identity theft is a serious crime that impacts millions of individuals each year. Identity theft occurs when such information is used without authorization to commit fraud or other crimes. While progress has been made protecting personally identifiable information in the public and private sectors, challenges remain.


Nigerian Letters

Dear Nancy,

I know we don't get to talk or see each other much. But being apart for now doesn't change the way I feel about you in my heart. Sure I'm lonely, and sometimes I'm overwhelmed with this emptiness in my chest. But, just remember that I love you and everything about you.

That's what gets me through every minute of every day that I'm without you. Sweetheart, you don't know what I would give to kiss your lips, feel your touch, or even just to see you. I long to hold you and feel your sweet caress. I have never loved anyone as much as I love you.

Phishing Attacks


Re-shipping – where is the merchandise?

Spear Phishing

e-mail spoofing fraud attempt that targets a specific organization.

seeks unauthorized access to confidential data.

attempts are not by random hackers

perpetrators after financial gain, trade secrets or military info.

Ransomware

1. Malware installed on computer

2. Victim contacted by hacker

3. Hacker provides decryption key upon payment


Spoofing

Creates false copy of a reputable web site

Victim connects to attacker’s web site

Attacker acquires passwords, credit cards

Skimming


The Hackers

[Chart labels: Curiosity, Personal Fame, Personal Gain ($), National Interest; Script-Kiddy, Hobbyist Hacker, Expert, Specialist; VANDAL, SPY STATE, TRESPASSER, AUTHOR]

Reality of Breaches

30% Cyber

70% Insider Threat

1 in 8 employees poses a high level of risk

Answer: RISK PREPAREDNESS AND EMPLOYEE AWARENESS EDUCATION!!!

Real Life Case Example


Victim Company

Debt Consolidation Company

Collects Sensitive Information

12,000 New Client Leads per Month

$450,000 Monthly Marketing Expense

$1 Million Monthly Debt Consolidation

100 Employees

Criminal Activity

Identified a suspicious IP that accessed the network several times over two days

Intruding IP belonged to a competing company

Owner and employees were former employees of Victim

SUBJECT #1

Hired by Victim as Vice President of Operations

Submits Letter of Resignation

Victim learns Subject #1 created a competing company and is using VC clients

Investigation by FBI

Prior to resignation, Subject #1:

Application filed to reserve corporate name

Articles of Incorporation filed

Website up and running

SUBJECT #2

Hired by Victim

Submits 2 weeks' notice

Logs onto Victim’s server from Subject’s IP address

Investigation by FBI

FBI discovered Victim server intrusion from Subject IP address via Subject #2's User ID and Password

Confirmed with a ruse phone call that Subject #2 is employed by Subject

Also confirmed that, before resignation, Subject #2 accessed Victim server from home computer

SUBJECT #3

Hired by Victim

Submits 2 weeks' notice

Informed resignation effective immediately and asked to leave

Lawsuits

2001 Eli Lilly

Disclosed e-mail addresses in Prozac reminder

2007 TJ Maxx

Hack of customer bank info

2009 Sears/Kmart “Loyalty Club”

spyware on customer computers


Lessons Learned

Must have an Information Governance policy

Buy in by all employees

Annual review

Education

IT professionals have a key role in developing

John G. Iannarelli

Assistant Special Agent in Charge

Federal Bureau of Investigation

[email protected]

623-466-1004

Questions