
Defending Against the : Protect from , , and Keyloggers

Course description
Course Level: Beginner
Estimated time to complete: 3 hours
Course: Information Security: Data Theft Prevention and Protection

Every few seconds, someone has his or her identity stolen. Computers are hacked, wallets are stolen, credit cards are compromised, credit is ruined…and the instigators make more in a day than most of us make in a year. The fact is, the system we function under is set up to fail—and unless businesses take proactive action and consumers know their options, it’s just a matter of time before they are all victimized.

There is a reason why we keep hearing about data breaches involving millions of credit card and account numbers: data breaches cost thousands to millions of dollars per incident, and organizations and corporations take on a huge potential financial loss when it comes to the potential of and data forfeiture. The bleeding will not stop anytime soon—and the more time you spend uninformed, the better your chances of being targeted.

During this presentation, Robert Siciliano will examine:

- The clever ways thieves look for, and get, information
- Numerous strategies you can use to protect your valuable data
- How you can use various tools to ensure the data that criminals want is impossible to get

Introduction

The topic or issue of security is something most people try to avoid. Just the mere thought of security means something “bad” may happen, and when that thought comes to mind, most people prefer to look the other way, say “it can’t happen to me” and proceed to function in a state of denial.

However, while consumers are confident they’re safe online, have proven otherwise, stealing $172 billion from 978 million consumers in 20 countries in the past year.

Obviously, corporations, businesses and government agencies are made up of people. And the problem here, specifically when it comes to data security, is that looking the other way, or “inaction”, results in data breaches and identity theft. In the past decade, we have seen billions of records compromised and millions of identities stolen.

Course Action Items

Print out the following. This bulleted list is what you will learn from this course; these are all reminders and action items for you to keep yourself, your business and the data you possess secure.

- Hardware: Make sure your devices such as PCs, laptops, mobiles, modems, routers and any peripherals are newer. Old hardware (5+ years) sometimes lacks the internal resources to run current, more secure software and firmware.
- Software: Keep all devices’ operating systems updated with the latest software updates and critical security patches.
- Security Software: Install and run a paid version of antivirus, anti-spyware, anti-phishing and a 2-way firewall.
- WiFi Security: Set up a secure WiFi connection in your home or business.
- VPN: Ensure your laptop and mobile devices and their data are protected on open free WiFi by using a VPN or “virtual private network”.
- Encryption: Protect your data with encryption software.
- Tracking: Install, set up and enable tracking software for lost or stolen laptops and mobile phones.
- Backup: Back up and sync all your information on redundant internal and external local hard drives. Back up externally to cloud-based backup sites. Back up all data on iPhone and Android mobiles.
- Passwords: Set up and run password manager software and eliminate password re-use by having a different password for every online account.
- Two Factor: Set up two-factor or two-step authentication for any and all critical accounts that offer it.
- Social Engineering: Recognize social engineering scams every time the phone rings, an email comes in or someone knocks on the door.
- IT Vendors: Use your circle of influence or trusted network to make recommendations when hiring IT security contractors to ensure the security of your network.

Awareness

A lack of security appreciation contributes directly to poor security awareness, most notably at the personnel level.

- This is one of the leading contributors to the human error factor in most security breaches.
- Security needs to be everyone’s business.
- Corporations and government agencies are directly responsible for protecting personal information entrusted to them by their consumers, so measures must be taken to increase awareness in the everyday IT environment.
- The most critical step to changing behavior is to build a secure-minded culture from the ground up.
- To create this culture, all employees need to be educated and tested on security threats and how their day-to-day computer use behavior can affect their organization’s security posture.

(CIO Magazine)

Malicious Insider Attacks

A malicious insider is a current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information. (CERT)

Methods/tactics:

Recruiting:
- System admins
- New hires
- Disgruntled; sabotage
- Friends/relations

Opportunists:
- Unknowingly contribute
- Theft of intellectual property
- Money/incentives
- Social engineering
- Threats/violence

“Our whole system is based on personal trust,” James Clapper, director of national intelligence, said, adding that there were no “mousetraps” in place to guarantee there wouldn’t be another Edward Snowden.

Protect Yourself From Social Engineering Scams

Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a or simple fraud, the term typically applies to trickery for information gathering or computer system access, and in most cases the attacker never comes face-to-face with the victim.

THERE IS NO PATCH FOR HUMAN GULLIBILITY

Levers:
- Lose something
- Gain something
- Fear/greed
- “Principles of Influence and Persuasion”

Thieves pose as:
- You
- Spouse
- Bill collector
- Bank
- Utility
- Fellow employee
- Government agency

Channels:
- Email
- Telephone
- In person

Hack a Company w/…

- Scour all of the social networking sites for employees of the target company, like LinkedIn, Twitter and .com.
- Find numerous people who openly discussed what they did for a living.
- Create a Facebook group site identified as “Employees of” the company.
- Using a fictitious identity, proceed to “friend,” or invite, employees to our “company” Facebook site. Membership grows exponentially each day.
- By creating a group, you gain access to employees’ profiles. The “group” is a place where those who you know, like and trust are your “Friends”, and in this case fellow employees who you have no reason to distrust.
- Choose to use the identity of one of our Facebook-friended employees to gain access to the building.
- Depending on the company’s size, you may be able to recreate the identity of an employee that’s not known to the branch office you breach. But the name needs to be in the system.
- A little creativity, a fake business card and enough information gleaned off of Facebook, and you’re in.

Data Breaches

- Social engineering
- Hackers
- Irresponsible/malicious insiders
- 3rd party fault
- Laptop theft
- Physical security vulnerabilities
- Loss

Cybercriminals Sneak Into Realty Deals and Sneak Out With 100k or More. Your Closing Funds Might Be Heading to a Cyber Criminal.

Password Security

- Social engineering
- Phishing
- Password re-use
- Insecure/weak passwords
- Password managers
- Two-step verification
- NO PASSWORDs

Anti-Virus

- Install virus protection and keep it automatically updated*
- Default configurations
- Save registration emails; beware of renewal periods.
- Beware of

Wireless Security To Protect Your Data

- Wi-Fi is insecure
- 300-500 ft range
- Free Wi-Fi
- Evil twins
- Secure mobiles
- Virtual Private Network (VPN)

Second Hand Devices

- Printers
- Craigslist
- 30 devices
- 30 mile radius of Boston
- Basic forensics
- Half provided data

Prevent Phishing Scams That Empty Bank Accounts

- Spray and Pray
- CEO fraud (BEC)
- Spear Phishing
- Social Media Phishing
- SMS Mobile Smishing
- Phishing Simulation training

[Slide images: Phishing]

What’s in your SPAM folder?

Protect Yourself From Evil Cyber Scams To Prevent Fraud

- Scareware: tricks a user into buying fake anti-virus
- Ransomware: holds data for extortion
- Tech Support Scams: claim to be / Apple
- Spyware Software: spies on users without their knowledge
- Key Loggers: hardware that logs keyboard strokes
- IRS Scams: scare the victim into paying a bogus tax bill
- Customer Support Scams: bogus phone numbers
- Romance Scams: target the emotionally vulnerable

[Slide images: Ransomware, Scareware, Tech Support Scam]

[Slide images: Spyware, KeyLogger]

[Slide images: IRS Scam, Customer Support Scam, Romance Scams]

Smart Security Considerations

- Background Checks: verify education, work experience, criminal histories.
- Dumb Terminals: PCs with no hard drives, email or printers. No cell phones, notebooks or pens.
- Automatic lockout: former employees are security risks.
- Beef up access control.
- Shred Shred Shred Shred Shred Shred Shred
- Review policies for remote computing.
- Shut down networks when not in use. 24/7 is no good.
- Hire a penetration tester / vulnerability assessment.

Identity Theft: Secure Your Data – Theft Prevention and Protection

- Credit Freeze: Upon the consumer’s request, the 4 credit bureaus provide freezes on consumer credit reports, preventing new account fraud. Keep good records so you can unfreeze whenever you need. And make sure to freeze your kids’ credit and your parents’ credit.
- Credit Checks: Check it at least annually and look for anomalies or accounts not authorized by you. Do the same for family members and request that clients check theirs too.
- Identity Theft Protection: There are a few free and many fee-based services that offer identity theft protection. These services watch your credit reports, seek out your data on the dark web and provide restoration should your identity get stolen.
- Information Security: Make sure to print out, review and take action on the “Course Action Items” from the “Information Security: Data Theft Prevention and Protection” course to stop most forms of fraud and prevent most forms of digital identity theft.
- Credit Cards: Sign up for text or email alerts and notifications via your bank’s or card company’s website. These alerts notify you in real time of charges, withdrawals and deposits on all card activity, whether the card is present at a merchant, over the phone or not present online.
- Tax Identity Theft: Head to IRS.gov and download and complete form 14039 (Google it), the IRS Identity Theft Affidavit. If you have ever received notification that your data was compromised in a breach, list it out on the form. Monitor your business credit to stay on top of potential fraud.
- Medical Identity Theft: Simply be cognizant of it. Monitor your insurance statements and any bills that come in. Consider not carrying your medical insurance card in your wallet unless you are going to the doctor that day.
- Business Embezzlement: If anyone other than you is responsible for or has access to your books and bank account, then you need to have a forensic accountant come in at least biannually to make sure nothing is missing and the books are in order.
- Mail and Sensitive Docs: Get a locking mailbox. Shred everything disposable that can be used against you or a client.
- ATM Skimming: Cover up the keypad or monitor with your other hand while entering your PIN code. Pay attention to your statements.
- Banking Online: As long as your devices are properly secured, then banking online is fine. Eliminate manual bill pay and set up EFTs via “Lifestyle” credit cards and enjoy more points and more security.


Identity Theft Definition: Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain.

[Slide images: Fake IDs]

7/2/19

Legal Forms of ID Circulating

- 49 versions of Social Security card
- 14,000 types of birth certificates
- 200 plus forms of driver’s licenses
- 14 states/Feds no photo
- Signature?


What is a signature?

Identity Theft and Scams

- New Account Fraud: Using another's personal identifying information (SSN) to obtain products and services using that person’s good credit standing.
- Account Takeover Fraud: Using another person’s account numbers, such as a credit card number, to obtain products and services using that person’s existing accounts or extracting funds from a person’s bank account.
- Child Identity Theft: Studies show child identity theft is affecting over 1 million kids every year.
- Tax Identity Theft: Tax-related scams hit $240 million in 2017 with 109,000 victims. About 10,000 business returns have been identified by the IRS as potential identity theft.

Identity Theft Frauds and Scams

- Medical Identity Theft: The deadliest form of identity theft. 2.3 million victims. The motivation of the thief is medical procedures or any form of attention regarding healthcare.
- Criminal Identity Theft: Someone commits a crime and uses the assumed name of another person. The thief, in the act of the crime or upon arrest, poses as the identity theft victim.
- Business or Commercial Identity Theft: Using a business’s name to obtain credit or even billing that business’s clients for products and services.
- Identity Cloning: Encompasses all forms of identity theft. The thief is actually living and functioning as the victim on purpose.


Credit Card Security and Protection

- Check statements / refute unauthorized charges within 60 days
- Use credit cards instead of debit cards
- Pay attention to the expiration date of credit cards and look for the arrival of new cards
- Sign cards?
- Thin out your wallet
- Set up “transaction notifications” and/or “push alerts” / “push notifications”

Documents

- Dumpster diving
- Use authorized shred services
- Ask public/private entities about policies for disposal
- Opt out of and destroy pre-approved credit card offers
- Eliminate paper statements
- Photocopy all documents in your wallet/purse
- Reconcile bills and statements diligently and timely
- Secure all receipts, legal docs, account numbers, tax docs, cancelled checks

Data from…

- Steal from your home (known / unknown)
- Steal wallet/pocketbook
- Inside an organization
- Social/ancestor sites
- Public records, courts, tax assessors
- From your license plate
- Intercepting cordless or cellular transmissions
- Hacking
- Phishing
- CID Spoof
