What is cybercrime?
Cybercrime is a crime that involves a computer and a network. The computer may have been used in the
commission of a crime, or it may be the target. Cybercrime may harm someone's security and financial
health.
Identity theft happens when someone steals your personal information to commit fraud. It is
committed in many ways, such as gathering another person's personal information (for example,
their transaction details) and using it to make transactions in their name.
Under RA 10175, Computer-related Identity Theft is the intentional acquisition, use, misuse, transfer,
possession, alteration or deletion of identifying information belonging to another, whether natural or
juridical, without right.
Identity theft occurs when someone steals your personal information—such as your Social Security
Number, bank account number, and credit card information. Identity theft can be committed in many
different ways. Some identity thieves sift through trash bins looking for bank account and credit card
statements.
Once identity thieves have your personal information, they may go on spending sprees using your
credit and debit account numbers to buy “big ticket” items like computers or televisions that they can
easily re-sell.
The three most common types of identity theft are financial, medical and online. Learn how you can
prevent them and what to do if they happen to you.
COMMON QUESTIONS ABOUT IDENTITY THEFT
What is ID theft?
Texas Penal Code 32.51 is the section that provides for identity theft as a crime in Texas: “A person
commits an offense if the person, with the intent to harm or defraud another, obtains, possesses,
transfers, or uses an item of identifying information of another person without the other person's
consent …”
Remain calm. This will be a lengthy and stressful process, but as long as you know you are following a
plan, you can increase your chances of solving most, if not all, of the problems you face and of
recovering as much of the money you have lost as possible.
Your first step will probably not involve notifying authorities, although that is one of the steps you will
likely take. Your very first step will be to pull your credit report from all 3 major credit reporting
agencies.
This is free if you have not received a copy of your report in the previous 12 months. In most cases, you
can do this online.
Preparation and organization will help you immensely as you navigate through this process. Keep track
of your time and expenses with as much documentation and journaling as possible. Start a file, if not
several files, so that you can keep your information organized.
Check the Office of the Attorney General's Consumer Protection Division's guide to identity theft.
Credit Card Skimming. This involves the use of technology that can sometimes be spotted at gas stations
or ATMs. The “skimmer” is placed on top of the actual scanner, so it’s sometimes hard to spot.
Hacking. Electronically breaking into personal computers, databases at financial institutions, and online
retailers to steal personal information.
Stealing personal effects (purse, wallet). Using someone’s driver’s license, personal checks, or credit or
debit cards directly.
Phishing. Using spam email or the phone to pose as a legitimate organization to lure victims into
revealing bank or brokerage account information, passwords, PINs, Social Security numbers, and other
types of confidential information.
Retirement income
Employment
The chance of recovering all of the money you have lost is slim. However, the Identity Theft Guide and
other resources can help ensure that you receive as much money as possible.
1. Secure your social security number (SSN). Don’t carry your social security card in your wallet or
write your number on your checks. Only give out your SSN when absolutely necessary.
2. Don’t respond to unsolicited requests for personal information (your name, birthdate, social
security number, or bank account number) by phone, mail, or online.
3. Watch out for “shoulder surfers.” Shield the keypad when typing your passwords on computers
and at ATMs.
4. Collect mail promptly. Ask the post office to put your mail on hold when you are away from
home for several days.
5. Pay attention to your billing cycles. If bills or financial statements are late, contact the sender.
6. Review your receipts. Promptly compare receipts with account statements. Watch for
unauthorized transactions.
7. Shred receipts, credit offers, account statements, and expired cards, to prevent “dumpster
divers” from getting your personal information.
10. Create complex passwords that identity thieves cannot guess easily. Change your passwords if a
company that you do business with has a breach of its databases.
11. Order your credit report once a year and review it to be certain that it doesn't include accounts
that you have not opened. Check it more frequently if you suspect someone has gained access
to your account information.
Those who have cognitive issues or age-related mental incapacity (e.g., dementia or Alzheimer’s
patients)
Those who are grieving the loss of a loved one or in another way emotionally vulnerable
Near-retirees
www.idtheft.gov
www.bbb.org
www.victimsofcrime.org
www.victimbar.org
www.annualcreditreport.com
www.consumerfinance.gov
https://www.fbi.gov/investigate/white-collar-crime/identity-theft
http://www.utica.edu/academic/institutes/cimip/idcrimes/resources.cfm
www.idtheftcenter.org
https://postalinspectors.uspis.gov/investigations/mailfraud/fraudschemes/mailtheft/IdentityTheft.aspx
https://www.usa.gov/identity-theft
http://www.idtheftcenter.org/States/texas.html
http://texasattorneygeneral.gov/identitytheft
www.dps.texas.gov/driverlicense/idtheft/idtheft2.htm
I have reported my ID theft to several agencies. Why haven’t they called me back?
Reporting is important. It allows you to assert certain rights; it allows research agencies to account
more accurately for how much identity theft is occurring, and where, when, and to whom it is
occurring; and it allows information to be shared with other reporting agencies that protect
consumers by working on prevention and detecting fraud.
That said, sometimes those are the only purposes for reporting. In other words, in many cases, the act
of reporting does not cause a case to be opened or an investigation to begin. Therefore, the agency will
not have a need to return your call or to follow up on your report. Managing expectations regarding
your claims will help you as you work to clear up all the problems resulting from this criminal act.
This is often the case. However, this does not necessarily prevent the victim from being able to recover
their money. In some cases, organizations, institutions, and even the credit reporting agencies may be
liable for some of the damages you have incurred.
You may want to contact the National Crime Victim Bar Association for a referral to an attorney who
can litigate on your behalf. You might find private attorneys that will offer their initial consultations at no
cost or obligation.
The threats are real – and it’s not some shady character with a gray hooded sweatshirt
looking at scrolling lines of green code. From a volume standpoint, it’s largely automated and
in general broadcast to large swaths of the Internet (although the most significant threats are
targeted). Cisco Talos has hard statistics on the fact that roughly 85% of all email traversing
the Internet is spam – either marketing or malware. The spam filters do a good job at
catching and stopping that 85% but some are bound to go unnoticed and pass through to
your users.
Any system or service exposed to the public Internet is threatened – every 39 seconds an
attack hits an Internet-connected system or web server on average according to the
University of Maryland. Again, many of these are unsuccessful, but it only takes one hitting
unpatched or particularly vulnerable computer systems to cause trouble.
Wire transfer fraud targets manual bank transfers of funds between two entities. Attackers
compromise an organization’s email system and use their unauthorized access to look for
finance and payment-related employees. Our Incident Response team sees attackers lurk in the
email for months waiting for a payment to compromise. When the two entities exchange emails
with payment information, the attackers insert a second email claiming there was a transcription
error and asking that the new account number be used (or they take the exchanged credentials
and attack the bank account directly). They then move the transferred money out of the fake
destination before anyone notices. There are other flavors of this type of attack, but this
example demonstrates the need for authenticated verification of wire transfers that uses multiple
mechanisms to prevent this type of theft.
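The control the paragraph calls for, as an added example that is not the article's code: a small Python check that holds a change of payee bank details until it is confirmed over a channel independent of the one the request arrived on, using the contact already on file rather than one quoted in the email, and approved by a second person. The payee record, phone numbers, employee names and the `evaluate_change` function are all constructed for this example.

```python
"""Dual-channel control for changes to wire-payment instructions (constructed example).

A new account number that arrives over email is released only when (1) it is
confirmed over a different channel, (2) that confirmation uses the payee contact
already on file rather than details supplied in the request, and (3) someone
other than the requester approves. Payee data and names below are constructed.
"""
from dataclasses import dataclass, field
from typing import NamedTuple


class Verification(NamedTuple):
    channel: str      # e.g. "phone", "email", "portal"
    contact: str      # the number or address actually used for the confirmation
    verified_by: str  # employee who performed it

@dataclass(frozen=True)
class Payee:
    name: str
    account: str         # account number currently on file
    callback_phone: str  # captured at onboarding, never taken from an email

@dataclass
class ChangeRequest:
    payee: str
    new_account: str
    source_channel: str  # channel the new instruction arrived on
    requested_by: str    # employee who keyed the change
    verifications: list = field(default_factory=list)
    approvals: set = field(default_factory=set)

def evaluate_change(req, payees):
    """Return (release_allowed, reasons_for_hold) for one change request."""
    payee = payees.get(req.payee)
    if payee is None:
        return False, ["unknown payee: nothing on file to verify against"]
    if req.new_account == payee.account:
        return True, []  # nothing changed; ordinary payment controls apply
    reasons = []
    # Rule 1: a reply in the same (possibly compromised) mailbox thread proves nothing.
    independent = [v for v in req.verifications if v.channel != req.source_channel]
    if not independent:
        reasons.append(f"no confirmation over a channel independent of {req.source_channel}")
    # Rule 2: the callback must reach the number on file, not one quoted in the request.
    if not any(v.channel == "phone" and v.contact == payee.callback_phone for v in independent):
        reasons.append("no callback to the phone number on file")
    # Rule 3: dual control; the person who keyed the change cannot be the only approver.
    if not (req.approvals - {req.requested_by}):
        reasons.append("no approval from a second person")
    return not reasons, reasons

PAYEES = {"Acme Supply": Payee("Acme Supply", "1111-2222", "+1-555-0100")}  # constructed
# The "transcription error" email: the callback went to a number the email itself supplied.
FRAUDULENT = ChangeRequest("Acme Supply", "9999-8888", "email", "ap_clerk",
                           [Verification("phone", "+1-555-0199", "ap_clerk")], {"ap_clerk"})
# Same change, confirmed through the number on file and approved by a second person.
LEGITIMATE = ChangeRequest("Acme Supply", "9999-8888", "email", "ap_clerk",
                           [Verification("phone", "+1-555-0100", "ap_clerk")], {"ap_clerk", "controller"})
```

Running `evaluate_change(FRAUDULENT, PAYEES)` returns a hold with two reasons (wrong callback number, no second approver), while the legitimate request is released with none.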
Ransomware is a flavor of malicious software (malware) that encrypts data and critical
system files, rendering computers and data unusable without decryption. Decryption is only
possible with a key that is only provided if a ransom is paid to the attacker. These ransoms
are paid using cryptocurrencies like Bitcoin and range from hundreds to millions of dollars in
value. The attacks have gotten quite sophisticated in their methods for gaining unauthorized
access and infecting organizations (while attacks against home users are down, targeted
attacks against companies and municipalities are sharply increasing). They have evolved to
include sophisticated and difficult-to-discern emails (phishing) and the use of other malware to
spread their ransomware payloads (the Emotet virus is currently the most common).
These ransomers have developed into sophisticated operations with help desks, 24×7
technical support, and trained negotiators. They make every attempt to encrypt during off-
hours and target backup mechanisms to make recovery without paying the ransom very
difficult – as a result, many organizations pay the ransom to recover their computer systems
and critical sensitive data in days rather than weeks or months (or not at all). Ransomware-
infected companies have even had to go out of business because of the cost of recovery.
3. What are our compliance obligations regarding sensitive data?
While one can argue that maintaining the confidentiality, integrity, and availability of data
and services for their employees, partners, consumers, and customers is reason enough to
have a robust information security program, many organizations are not aware that they are
legally required to have a robust program to prevent and respond to data breaches. Whether
or not you must comply with a particular compliance regime is sometimes a subtle question.
Getting expert help from a trusted advisor is recommended if there is any doubt as to whether
you have compliance obligations regarding sensitive information or confidential data.
For example – an organization provides a portal for consumers to find a healthcare provider
and also has the ability to allow the consumer/potential patient to upload insurance and
health-related information to aid the search and communicate with the potential provider.
They assumed that because they were handling healthcare-related confidential data that
they were required to comply with HIPAA. It turns out that as a result of the American
Recovery and Reinvestment Act of 2009 (ARRA 2009) there is a distinction for health
records collected and handled by non-HIPAA-covered entities. In this case the data they
were collecting was considered a “Personal Health Record” and not “Protected Health
Information” and thus was covered by the Federal Trade Commission – which does not have
the same compliance requirements for the use of this sensitive data but does have very
strict breach notification rules.
A 2011 Symantec Threat Management Survey found that “most enterprises are not
confident in their security posture and that staffing is a major issue limiting IT security’s
effectiveness.” Specifically, 46 percent of those who lack confidence cited insufficient
security staff, while 45 percent pointed to a lack of time to respond to new security threats.
Worldwide, 43 percent reported understaffing as a major issue. While in North America, that
number is 53 percent. This is significant. There is a lack of trained and experienced
information security and risk management candidates. Some estimates say that unfilled
cybersecurity jobs worldwide will reach 3.5 million by 2021.
Many organizations have a need for information security and risk management in their
business but do not have enough work to justify the salary of a dedicated resource. In this
case, they turn to a trusted cyber security advisor to help them develop a reasonable and
appropriate information security program.
5. Does anyone on the board have Information Security and Risk Management expertise?
Many information sources have begun talking about the importance of information security
and risk management oversight by the board of directors. Computer systems and data
systems were once a business enhancement – they have transitioned to business-critical
tools (our ransomware experience has made this obvious). As a result, boards must be aware
of the confidentiality, integrity, and availability of their sensitive data and computing services
and systems. At a minimum, there should be a formal mechanism (usually a formal
committee of cyber security professionals) that includes experts in information technology,
security, risk management, and business to digest the current threat and risk landscape and
make recommendations to address these risks to the board.
This seemingly simple question is very difficult to answer succinctly. It very much depends
on the answer to all the other questions presented in this list of questions… The size,
complexity, geography, business type, customer characteristics, specific technologies in use,
compliance obligations, etc… all directly affect the answer. To effectively answer the
question requires a good understanding of the threat and risk landscapes that the
organization operates within. This is the true value of a robust risk-based cybersecurity
program – it allows an organization to make staffing and business decisions that are
reasonable and appropriate to address their needs and obligations.
Cybersecurity questions related to your existing information security program
7. Am I spending enough / appropriately on information security-related tools and
controls? (Is there a network security or information security tool I should buy?)
Similar to the staffing question, the answer here is nuanced. It depends. In our experience
with helping organizations get their arms around their threats and risks and developing a
reasonable and appropriately-scaled information security program, they have most (if not all)
the licenses and tools they need to address their risks. The difficulty is in their configuration
and the ability of the information technology organization to get meaningful information
from them. Often the roadblock to an effective program is one of time and availability of IT
staff. It is not uncommon for IT staffing to be less than what is required given the size and
complexity of the organization. In addition, automating tasks that cause IT staff to be
diverted from projects due to an endless break/fix cycle can improve the chances of
information security-related projects being successful.
Currently, because the insurance companies want to sell the insurance to these threatened
companies, the cost of cybersecurity insurance is very low. Making sure that you have the
RIGHT insurance with an appropriate level of coverage is a challenge. As a result, we work
with several insurance brokers to identify the best practices for good cybersecurity
insurance coverage. Like many of the questions presented here, determining the correct
level of coverage depends upon an awareness of the threats and risks facing an organization.
Ultimately, there are three things an organization can do with risk – they can address it
directly by making a change or implementing a tool, they can insure themselves to address
the risk (in the insurance industry they refer to this as “transferring” the risk), or they can just
decide to “assume” the risk and hope it doesn’t happen.
The holy grail of information security is strong alignment with the business. Everyone has
access to the security system tools and data they need to do their work (but no more), the
data and services are available when needed, and the data and the analysis of that data are
trustworthy and accurate. Striking the balance between protection and convenience (and
monetary cost, frankly) is the difficult part.
10. Is our written information security program (WISP) based upon an appropriate information security framework?
There is a wide variety of information security and information technology frameworks that
provide guidance to appropriate controls to protect the confidentiality, integrity, and
availability of data and services (some you might have heard of include NIST SP800-53, NIST
Cyber Security Framework, ISO 27001, HITRUST, COBIT, ITIL, CIS Controls, and AICPA Trust
Services Criteria). Choosing the correct one depends on your compliance obligations,
geography, business vertical, and organizational complexity. It is possible to map one
framework to another – and some of them have been designed for just that purpose.
HITRUST and the CIS controls are built with this in mind. HITRUST certification is an
expensive, but effective way to demonstrate compliance – and anyone can download the
actual controls for free. The CIS Controls are a framework created by industry experts; they map
well to other frameworks and are intended to be free for anyone to download and implement.
Often an organization’s written policies and standards are very well written and line up with
their compliance obligations. An auditor comes in, reviews the documents, and gives the
documents a passing grade… Unfortunately, the things written in these documents do not
line up with what is actually happening in the organization. Our approach is to have lean,
well-organized documentation that addresses the threats and risks facing an organization in
clear and concise language. The end result is that instead of having compliance without real
information security, an organization is secure by design and compliant by default.
12. Do we know where our data is and how it is protected (data lifecycle management)?
Having a documented plan (that is updated as personnel and the environment change) for
how to respond to an incident or its big brother, a disaster, is only the first step. Educating
the people who must respond when an emergency occurs (and their backups in the event
they are unavailable) is the next task. Finally, and perhaps most important, is testing that
plan regularly (and learning from and addressing the results of those tests). Again – having
something lean and useful is more important than reams of paper sitting on a shelf.