
Tampa Bay Chapter - ACFE       http://TampaBayCFE.org          November 2008


"Many of the most damaging security penetrations are, and will continue to be, due to Social Engineering, not electronic hacking or cracking . . . Social Engineering is the single greatest security risk in the decade ahead." The Gartner Group

Social engineering is the art of deception used to gain access to information that would not normally be available.  Attacks most commonly arrive by email and phone call, but can also be carried out in person.

Attacks on proprietary information are becoming more frequent with the use of social engineering techniques.  Social networking sites have made it much easier for criminals to gain access to your information with very little effort.  With the state of the current economy, and the advances in technology, your information is even more at risk than it has ever been before. 

One would think it would be nearly impossible to obtain a full list of employees and their contact information for a mid-sized American bank, let alone their usernames and passwords.  Not so, according to the article "Social Engineering - Testing the Human Factor of Security."  According to this article, it can be relatively easy to elicit this information with simple social engineering techniques.  The methods used in that case were not sophisticated and required minimal technical knowledge.

Many people now use social networking sites, forums and newsgroups to interact with other people in the same line of work.  These are a goldmine for social engineers, who can gain inside information on a company and its employees.  If an IT person were to post details of a particular flaw they were having trouble with on their network, asking whether anyone else had come across it, and their screen name was "Bob, ABC Company", it would not take a social engineer long to get what they needed by offering assistance with the problem: the post itself reveals the company, the product in use and a name to drop in the next phone call.  This sounds like a crazy scenario, but it happens all the time.  What about Julie the receptionist, who hates her boss and has a blog on a social networking site?  Her blog entries include dates when her boss will be away as well as descriptions of the internal goings-on of the company she works for.  Imagine how this information could be used.


Tampa Bay Chapter

Dinner Meetings

January 13, 2009
"PBS&J Embezzlement Scheme"
Gary Jordan

February 10, 2009
"Medicaid Fraud"
Carol Conry, Lieutenant, Medical Fraud Control Unit, Office of Attorney General

March 10, 2009
"Contractor Fraud"
Richard B. Campbell, Esquire
Carey, O'Malley, Whitaker & Mueller, P.A. 

10th Annual Fraud & Computer Crimes Seminar

May 12-13, 2009
Ruth Eckerd Hall
Clearwater, Florida
1111 McMullen Booth Road
Clearwater, FL 33759

2008 - 2009
OFFICERS & DIRECTORS

PRESIDENT
Steve Hooper, CIA, CFE, CCSA, CGAP
Clerk of the Circuit Court Hillsborough County, FL
(813) 276-2029 x3703

VICE PRESIDENT
Christine Dever, CPA, CFE
City of Tampa
(813) 274-7166

SECRETARY
Ellen Wilcox, CFE
Florida Department of Law Enforcement
(727) 298-2482

TREASURER
Laura Krueger Brock, CPA, CFE
Kirkland, Russ, Murphy & Tapp, P.A.
(727) 572-1400

DIRECTOR
Mark Dubina, CFE
Florida Department of Law Enforcement
(813) 878-7366

DIRECTOR
Sharon Shaw, CFE
Tel: (727) 674-8399

DIRECTOR
Debbie Venanzio, CFE
Branch Banking & Trust Co.
Tel: (727) 302-5498

DIRECTOR
Bill Miles, CFE
Florida Department of Law Enforcement
Tel: (863) 701-1474

DIRECTOR
Gary Chapman, CIA, CGAP, CFE
City of Tampa
Tel: (813) 274-7163

CHAPTER TRAINING
Wayne Boytim, CFE
Retired
(813) 274-7167

Some of the most common methods of social engineering are: 
  • Impersonating IT staff – The social engineer poses as a member of the IT staff in order to gain access to an individual's account.  They may use a real IT person's name and claim that the individual's account has been suspended and will not be reactivated until the password is given. 
  • Playing on a user's sympathy – The social engineer appears to be in dire need of your help, and without it there will be major consequences for them.  For example, they may tell the person who holds the key to the server room that they are new on the job and need to get into the server room to fix a wiring problem; if they are not back in the office within the hour, their boss will be livid.  This technique plays on the helpful nature of people.
  • Wooing – This can be as elaborate as starting a relationship with someone just so that you can eventually obtain their access.
  • Intimidation – The social engineer pretends to be someone very important and threatens the employee with the loss of their job if they do not give the information requested.

How do you prevent this potentially catastrophic type of attack?  Educate your employees and make sure they adhere to strict procedures regarding the release of any information or access to proprietary systems.  If there are instances where passwords must be given out, there should be a second step which must be completed before access to a system is allowed.  Always be suspicious of calls and emails that seem out of the ordinary.  Always verify through other means who is asking for the information before giving anything out: for example, call the requester back on a number taken from the company directory, never on a number they supplied themselves.  You cannot restrict what employees do in their private time, but you can guide them as to best practices and safety protocols. 

Although technology has advanced, the methods used by criminals have not; they have just adapted to incorporate and take advantage of ever-evolving technology.

Sources:
10 Common Social Engineering Ploys 
How to Defend your Network Against Social Engineers


News from the ACFE

ACFE Celebrates 20th Anniversary

The ACFE is commemorating 20 years of leadership in the fight against fraud. Celebrations will start with the November/December issue of Fraud Magazine, and continue through to the 20th Annual Fraud Conference and Exhibition in Las Vegas. Thank you to all the members, past and present, who have contributed to the growth and success of the ACFE for the past 20 years.

New Product - Understanding the Basics of Mortgage Fraud

With this new self-study course from the ACFE, explore the foundations of this crisis by investigating the history of the mortgage industry, examine the life cycle of a mortgage loan to help identify potential areas where fraud is likely to occur and learn techniques to identify red flags of common mortgage fraud schemes and techniques for prevention. 12 CPE credits

2009 - 2010 Board of Regents Elections

The ACFE's Nominations Committee has selected six candidates to compete for two positions on the 2009 - 2010 Board of Regents.  The board sets membership standards to promote professionalism and ensure the reputation of the CFE credential.  Online voting for CFE members begins November 1 and ends December 31.


Chapter News

New Certified Fraud Examiners

Hats Off! to our newest CFE, Andrew Tyack, who is with Tyack & Associates.

Congratulations and well done, Andrew!

Chapter Member to be published in Computer Fraud Casebook 

Due to be released in January, Computer Fraud Casebook: The Bytes that Bite, includes a case investigated by Stephen R. Menge, CFE.  The book is a collection of actual cases written by fraud examiners. 

Stephen R. Menge, CFE, has been a law enforcement officer for the past 17 years with the Polk County Sheriff’s Office and the office of the state attorney. He has actively conducted fraud and economic crime investigations for the past 14 years. He holds a master of business administration from Saint Leo University.

Congratulations Stephen.

Exam Prep Study Course Scholarship

We have received one CFE exam prep study course from the ACFE in recognition of our contribution to the silent auction that was held at the National Conference.  We have decided to give this away to a deserving member who would like to take the exam and become certified.  Information regarding how to apply will be sent to those who are eligible shortly.


Dinner Meeting News

Our next Dinner Meeting is scheduled for January 13, 2009

Our third dinner presentation of the year will be "PBS&J Embezzlement Scheme" by Gary Jordan, Post, Buckley, Schuh & Jernigan.

The dinner meeting will be held at the Westshore Hotel, located at 1200 N. Westshore Boulevard. The hotel is just north of I-275 and Cypress Avenue on the east side of Westshore. Evenings will begin with a social at 6:00 P.M., followed by a buffet dinner at 6:30 and a presentation at 7:00. The cost is $25.00, payable at the door.

To make your reservation, please use the following link Chapter Meeting Reservation and complete the form at the bottom of the page.  You can also make your reservation by emailing Wayne Boytim by September 8, 2008. Reservations will be accepted after that date and walk-ups are always welcome. Please remember that cancellations are accepted up to the afternoon of the meeting. No shows will be billed after the second missed meeting. Please help us keep our costs down by letting us know if you are unable to attend.


How Safe Is Your Clients' Information?

How do you decide what is at risk, who it may be at risk from, and how much risk there is?  Your network is the obvious place to look, but what about your trash can, or those unlocked filing cabinets full of personal client information?  What about the cleaning staff?  Did you carry out an in-depth background check before hiring them?  Unless it is a blank piece of paper, lock it away or put it in a locked recycling bin as soon as you are done with it.  But are those bins shredded on site, or are they taken away to be shredded later?  If they are taken away, what steps ensure that all of the papers are shredded without anyone gaining access to them?  These are just a handful of the questions you should be able to answer if you are going to keep your clients' information safe. 

  • What do you do once you have figured out what the risks may be?

Once you have figured out what information may be at risk, you then need to analyze how you can protect it.  You should have a written set of procedures that clearly details how you keep the client information you send and receive safe.

  • Where is the sensitive data stored?  How is it sent/received? Who has access?

Confidential information containing Social Security numbers and credit card details may arrive via regular mail or by courier as well as through email.  What happens to it when it arrives?  Do you log it in and move it to a back room immediately, or is it simply put in a pile at the reception desk where it can easily be removed without anyone's knowledge?  What about outgoing mail containing confidential information: is it kept in a secure area, or again left at the reception desk?  Who has access to the rooms that contain sensitive information?  Do you have segregation of duties so that no one person is able to access everything?  Outsourcing is becoming increasingly cost effective, but will it save you money in the end if your clients' information is breached?  Do a thorough background check on any company that you plan to hire, and review their information security policies to ensure that they are in line with your own. 

  • Do you really need to keep all of this information?

Decide what you really need to keep.  If you are required by law to keep certain information for an extended period, create a written records retention policy and adhere to it.  Never use Social Security numbers to reference customers, and do not retain credit card information unless absolutely necessary.  Review your data-gathering forms: is it necessary to ask for all of the information they request?  Check your software to ensure that it is not saving credit card information unnecessarily, for example in transaction logs or debug output.  If your system is still set to the vendor's original defaults, it will be even easier for someone to take your information.   
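One concrete place card numbers leak into storage without anyone deciding to keep them is the application log.  The following is an added example, not code from the newsletter or from either of its sources, of a log filter that masks primary account numbers before a line is written: it looks for 13 to 19 digit groups, keeps only those that pass the Luhn checksum (so order numbers, phone numbers and timestamps are left alone), and replaces all but the last four digits with asterisks.  The pattern, the helper names and the sample log lines are assumptions made for this example; the card numbers in the samples are commonly published test numbers, not real accounts.

```python
import re

# Constructed example (added to this page, not from the newsletter or its
# sources): strip primary account numbers (PANs) out of application log lines
# before they are written to disk, keeping only the last four digits.
# The pattern, helper names and sample log lines below are assumptions made
# for this example.

# A candidate PAN is 13 to 19 digits, each optionally followed by a single
# space or dash, and not adjoined by further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum.

    Card numbers carry a Luhn check digit; order numbers, phone numbers and
    timestamps usually do not, so this filters out most false positives.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(match) -> str:
    """Replace a matched candidate with its masked form, or leave it alone."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_valid(digits):
        return raw            # not a card number; keep the log line intact
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(line: str) -> str:
    """Mask every Luhn-valid 13-19 digit group in one log line."""
    return PAN_CANDIDATE.sub(mask_pan, line)


def redact_all(lines):
    """Return the redacted copy of every line; this is what should be logged."""
    return [redact(line) for line in lines]


# Constructed sample log lines (not real transactions).  The first and third
# contain commonly published test card numbers; the 16-digit reference in the
# second line fails the Luhn check and must be left untouched.
SAMPLE_LOG = [
    "2008-11-03 14:02:11 order=88231 card=4111 1111 1111 1111 amount=129.00",
    "2008-11-03 14:02:12 ref=1234567890123456 status=ok",
    "2008-11-03 14:02:13 phone=727-572-1400 card=5500-0000-0000-0004",
]


if __name__ == "__main__":
    for line in redact_all(SAMPLE_LOG):
        print(line)
```

Hook redact() in at the point where log lines are formatted, not at the point where they are read back, so the unmasked digits never reach the disk.  A filter like this is a safety net, not a substitute for the review the paragraph above calls for: the right fix is to stop the software collecting the full number in the first place.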

  • Lock it up!

Many security breaches happen through lost or stolen documents, so do everything in your power to protect them.  Train employees to report any suspicious activity, and control access to your offices.  A strictly enforced clean desk policy will go a long way toward keeping prying eyes from viewing sensitive material; it will not help much, however, if the documents are simply moved to an unlocked drawer.  Take extra precautions with laptops, as they pose an even bigger risk than desktop computers.  Consider installing an "auto destroy" function that wipes the laptop if it is stolen, but bear in mind that a remote wipe only works if the thief connects the machine to a network; full-disk encryption protects the data whether or not the wipe ever fires.  It may also be better to store files on a secure central computer instead of on the laptop, and again restrict access to those files. 

  • Destroy It!

Any information that is not required should be destroyed immediately.  One way of destroying paper documents on site is with a shredder; a cross-cut model that leaves tiny squares is preferable to a strip-cut one.  Never, ever use the shreds for packaging, as they can be reconstructed: yes, some people have excessive time on their hands and will do this!  When disposing of old computer equipment, use a wipe utility that overwrites the drive, as deleting alone does not remove the file contents from the disk.  Disks and CDs should be physically destroyed so that no data can be recovered. 

In addition to taking the above precautions, you should also have a response plan for a security breach.  Who will you contact?  Who will be responsible for investigating?  What will the effect on the business be?  These are just a few of the considerations. 

Your number one defense against security breaches is your employees; you can have the most up-to-date, expensive security system ever created, but without cautious employees it is useless.  It is imperative that you provide continual training in security policies, not just a once-a-year memo.  Security training applies not only to your network defenses but also to any other proprietary information.  

Carnegie Mellon University has published a useful tutorial on Information Assurance for Small Organizations.  It has many worksheets and helpful ideas to help you create an information security program: www.cert.org/archieve/pdf/tutorial-workbook.pdf.   

The FTC has an informative tutorial on its website along with a wealth of other information:
http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html
http://www.ftc.gov/index.shtml


President's Message

British novelist, playwright and critic Arnold Bennett once said that “Any change, even a change for the better, is always accompanied by drawbacks and discomforts.” That is my feeling today, as I cannot bring you any additional information concerning our committees until after the New Year.  As I said last month, the foundation has been laid, and the sub-floor is in place. I have learned that change is not instant – but it happens over time. To those who have volunteered, I should have more information and look forward to working with you as the New Year unfolds. 

Some news you should be interested in.  This summer the Chapter donated to the Association a two-day registration to our Fraud and Computer Crimes Seminar as part of their silent auction.  Recently, the Association, in appreciation of our donation, gave the Chapter a 2008 CFE Prep Study Course (worth over $700) to do with as we please.  The board has voted, and it was agreed to award the course to one of our Associate members.  In addition, the board agreed to cover the exam cost if it is found not to be included with the study course.  Gary Chapman will be emailing each Associate with the details on how to enter the competition for this prize course.  I have asked our Training Director, Wayne Boytim, to chair a committee for the selection process, so he may be looking for a couple of CFE members to assist in that endeavor.

Our October dinner meeting was a huge success, with 43 of you making reservations. I didn't get the official count, but I know the room was full. I want to thank all of those who attended. I also want to extend a hearty welcome to our first-time attendees. They were:

  • Justin Bollenback - MBA student, USF - St. Pete
  • Peter Ceccacci - Kerkering, Barberio & Co.
  • Erika Jennison - Kirkland Russ Murphy & Tapp
  • Jill Steinhoff - Kerkering, Barberio & Co.

I believe all of you will join with me in thanking Scott Flint for his excellent presentation on "Health Care Fraud," which gave us an interesting defense lawyer's perspective. We still need a presenter for our April dinner meeting, so if you know of someone who would like to share their fraud-related experiences with the Chapter, let me or Christine Dever know.

I hope to see you at our next dinner meeting, which is on January 13, 2009.  Gary Jordan will speak on the "PBS&J Embezzlement Scheme."  Until then, on behalf of the officers and directors of your chapter, let me wish each of you a very happy and safe holiday season.

Steve Hooper