Cybercrime The Personal & Organizational Impact

Post on 05-Jul-2020

Page 1: The Personal & Organizational Impactnaihc.net/wp-content/uploads/2020/02/Block-6-Tonia...Atlanta’s SamSam Ransomware Attack (2018): The attack shut down Atlantas city agencies (courts,

Cybercrime The Personal & Organizational Impact

Introduction

• Tonia Williams – CIO, IT Director

• Have you had to deal with a cybercrime of any type?

• What exactly is cybercrime?

Definition of Cybercrime: Criminal activity committed using a computer or the internet

• Property: illegally possessing an individual’s bank or credit card details to gain access to funds, make purchases online or run phishing scams to get people to give away their information. They could also use malicious software to gain access to a web page with confidential information.

• Individual: distributing malicious or illegal information online. This can include cyberstalking, distributing pornography and trafficking.

• Government: cyber terrorism.

Types of Cyber Crimes

• Identity Theft: the fraudulent acquisition and use of a person's private identifying information (PII), usually for financial gain.

• Scamming: ads or spam emails that include promises of rewards or offers of unrealistic amounts of money.

• Social Engineering: the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

• Phishing/Vishing: the fraudulent practice of purporting to be from reputable companies in order to induce individuals to reveal personal information or gain access to accounts.

• Spoofing: to imitate, the act of disguising a communication from an unknown source as being from a known, trusted source.

• Computer Viruses: Used to gain unauthorized access to systems or to destroy them. Viruses can spread through removable devices and the internet.

• Ransomware: malicious software designed to block access to a computer system and/or encrypt files and information until a sum of money is paid

• Cyberstalking: online harassment to intimidate a user and instill fear.

• DDoS Attacks: Make an online service unavailable or take down a network (hackers then hack into systems once network is down)

• Botnets: ‘Malware’ allowing remote access of compromised systems

Other Types of Cyber Crimes

• Fraud

• Hacking

• Cyberstalking

• Child Pornography

• Cyber Bullying

• Logic Bombs

• Malvertising

• Spyware/Adware

• Software Piracy

The DARK WEB

Now You See Me - Airplane Scene - Divulging Personal Info

Vishing – Voice Solicitation

Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Non-PII can become PII whenever additional information is made publicly available.

Data Breach: the intentional or unintentional release of secure or private/confidential information to an untrusted environment

• Cybercrime

• Stolen/Misplaced Device or File

• Unauthorized 3rd party overhears agency employee discussion

• Employee authorized access (Disgruntled and/or Theft for personal gain)

• Unsecured transfer of data

Personal Impact

Adults:

• Theft of money and/or property, financial loss

• Credit damage

• Loss of employment

• Emotional harm

Teenagers & Youth:

• Personal Safety, Depression, Suicide

• Sexual Solicitation / Child abuse / Human Trafficking

Organizational Impact

• Consumer/Client Trust

• Lost Sales

• Cost of Protection

• Cost of Recovery

• Cost of Settlements

• Bankruptcy

Cybercrimes

Atlanta’s SamSam Ransomware Attack (2018): The attack shut down Atlanta’s city agencies (courts, police, and airport WiFi) along with their financial systems and other internal and customer bill pay systems. Correspondences, employee documents, even police dashcam video records were destroyed and never recovered.

• City auditor’s report published 2 months prior to incident found 1,500 to 2,000 vulnerabilities in the city's systems.

• Recovery was estimated to cost Atlanta $17M ($51K ransom)

• 90% recovery took over 1 year, with some systems still not fully functional

Cybercrime Prevention: Raising Awareness

Privacy & Security awareness training is essential for raising awareness of the risk and impact of data breaches, cyber activity, and the need to deploy basic protective measures for internal processes as well as security measures for computer systems, networks, phones and other mobile devices.

• Training

• Use Strong Passwords

• Learn NOT to click on links or attachments from UNTRUSTED senders

• Enable firewalls and (virus) protection solutions

• Apply system updates and use upgraded software

• Being aware of surroundings

Cybercrime Prevention: Raising Awareness

Raising awareness is for the ENTIRE ORGANIZATION; it is not just an IT thing

Internal processes should be reviewed and updated

• MORE Training

• Don’t share Passwords

• Understanding PII and how NOT to share it

• Enable group policy protections

• Enable Advanced Threat Protections

• Monitor for unusual activity

Cybercrime Prevention: Leverage Trusted Resources

Building and maintaining updated online sources of information on how users of ALL levels of technology sophistication can establish and improve their protection profiles in cyberspace. Cybersecurity efforts and campaigns need to scale broadly to accelerate positive change.

• US National Cyber Security Alliance (www.staysafeonline.org)

• UK (www.getsafeonline.org)

• Department of Homeland Security (www.cisa.gov/stopthinkconnect)

• CIS: Center for Internet Security (www.cisecurity.org)

• NIST: National Institute of Standards and Technology (www.nist.gov)

Cybercrime Prevention: Build Economic Framework

Every organization is different, and no single solution is the best investment. What works for one may not be feasible for another.

• Apply basic securities (System updates, access controls, User limits)

• Analyze environment (Research)

• Determine vulnerabilities (Research)

• Decide what is acceptable & unacceptable risk (Research)

• Research

Cybercrime Prevention: Work with Invested Partners

• Collaborate and seek support from department heads & leaders

• Leverage information sharing with external sources

• Establish working relationships with trusted resources

• Actively communicate with your technology vendors (Software/Hardware)

Cybercrime Prevention, Prepare for a Breach

Response Plan

• Put strong plans in place – NOW: At a minimum, you’ll want to identify key personnel, responsibilities, communication protocols, and timelines.

• Gather and Leverage your Resources: your company may not be able to handle everything. Don’t be afraid to bring in outside help.

• Timing Matters: A great summary of these differences is found in a report from Baker & Hostetler, which summarizes data breach laws by state.

• Don’t forget the customer/client: This part boils down to empathy and communication. Address the situation openly and transparently, including the nature of the breach and the type of data impacted.

• Put the right solution in place: Security systems can be automated, replacing or assisting human operators in the detection of a breach in the first place. It’s extremely important to ensure these defenses are kept up-to-date to respond to the latest security threats.

• Test, Test, Test: There’s no such thing as being too prepared, and you’ll want to be sure your response plan is sound before a real breach occurs. Better to spend the time and energy on stress-testing it now, rather than expending more energy responding to a catastrophe.

Cybercrimes

• TARGET Missed Alarms and 40 Million Stolen Credit Card Numbers (2013): Someone used the stolen credentials of a contractor to install malware in Target’s security and payments system; the malware was designed to steal every credit card used at the company’s 1,797 U.S. stores during Thanksgiving/Christmas shopping.

• IRS employee charged with identity theft (2014): Viririana Hernandez and three of her friends stole $1.2 million from 160 people.

• 5 Indicted in Identity Theft Scheme That Bilked Millions From Veterans (2019): The defendants obtained Social Security numbers and bank account information from a technician who worked for the military.

• Veterans Affairs Data Theft (2006): A data analyst took home a laptop and an external hard drive containing unencrypted information on 26.5 million people. The laptop was stolen in a home burglary.

• Jeb Bush email dump reveals citizens' names, emails, Social Security numbers (2015): In a bid for public transparency, former Florida Gov. Jeb Bush released a massive database of personal correspondence from his time in office – except the project also published the names, email addresses, and Social Security numbers of his constituents.

• Equifax (2017): An application vulnerability on one of their websites led to a data breach that exposed about 147.9 million consumers.

• Sony Email Hack (2014): Embarrassment - North Korea (The Interview), casually racist (President Obama comments), sexist (Hunger Games Jennifer Lawrence)

Closing – resource examples

• The Cost of Malicious Cyber Activity to the U.S. Economy, The Council of Economic Advisers, February 2018 (.PDF): https://www.whitehouse.gov/wp-content/uploads/2018/03/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf

• OMB Memo 17-12 – Preparing for and responding to a Breach of PII (.PDF): http://www.osec.doc.gov/opog/privacy/Memorandums/OMB_M-17-12.pdf

• Baker & Hostetler, Data breach laws by state (.PDF): https://www.bakerlaw.com/files/uploads/documents/data%20breach%20documents/state_data_breach_statute_form.pdf

Account take over