Category: Cyber Security

Cyber Security, Data Breach, Disaster Recovery, Education, Tip of the Week

Phishing Lifecycle

Rose

Phishing is a form of social engineering and works like a con game. A phishing attack is performed using email, a malicious website, or even a direct phone call to the victim. The many purposes of phishing include collecting personal information, gaining access to corporate information, gaining access to corporate information systems, installing malware, or even holding data hostage by changing local encryption keys! The information that is accessed or copied by the attacker is used for gaining access to your accounts such as your financial accounts, committing identity theft, gaining access to corporate networks and systems, changing credentials, or even holding your data hostage.

Quote Mitnick

Social Engineering can be a positive or negative attack using human interactions to obtain information about your organization. The person attacking could potentially be someone hired by the company to locate gaps in their security or, more likely, maliciously by those wanting to hurt you or your organization. During the attack, the person will seem unassuming, or even helpful, and be able to blend in with the employees. Through this process, he/she/they are able to ask questions, retrieve data, take photos for evidence if hired by the company or infiltrate the office or department.

Lure hook catchThe attacker might send a false e-mail often that look surprisingly legitimate, and may seem valid. However, it is important to view the URL in the address field which can tell you if the page you have been directed to is not valid. The email might come from a credit card company requesting you to respond and might often come from other types of organizations such as charities during a natural disaster, holidays, etc. Some phishing attacks involve a phone call directly to the target, where the attacker often claims to be another employee, perhaps calling from the I.T. Helpdesk.

According to the U.S. CERT and IRS remaining alert and knowing the tricks can assist you in avoiding or repelling these malicious attacks. Here are their explanation (2015, January 30):

Spot common elements of the phishing lifecycle

  1. A Lure: enticing email content.
    • Example 1 of actual phishing email – see below
    • Example 2 of actual phishing email – see below
  2. A Hook: an email-based exploit.
    • Email with embedded malicious content that is executed as a side effect of opening the email
    • Email with malicious attachments that are activated as a side effect of opening an attachment
    • Email with “clickable” URLs: the body of the email includes a link, which displays as a recognized, legitimate website, though the actual URL redirects the user to malicious content
  3. A Catch: a transaction conducted by an actor following a successful attempt.
    • Unexplainable charges
    • Unexplainable password changes

Sample of Phishing Email from IRSIRS does not initiate taxpayer communications via email

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Again, don’t be a victim and watch for any unexplainable changes to your financial accounts. If you think there’s a slight chance that your sensitive information was breached, change your passwords immediately. If you use the same passwords in multiple areas, it is important to change each one of those accounts as well. Remember not to use that particular password again in the future.

If you receive a phone call that you suspect of being a phishing attack, tell the caller that you need to call them back at the number you know to be the person or department they represent. For example, if the caller claims to be from the I.T. Helpdesk, tell them you are calling them back at the officially listed number (Never at the number the caller gives you), and hang up. Using a corporate directory, a known number, or a number in your contact list on your corporate-owned phone, call that department back and verify the communication to you, and their request. Never connect to a remote access service such as GoToMyPC, or setup a remote service request through Microsoft Windows when receiving a phone call that you did not initiate.

References

Mitnick. K.(2000, March 2). Frontline: The testimony of an ex-hacker. Retrieved from http://www.pbs.org/wgbh/pages/frontline/shows/hackers/whoare/testimony.html

Phishing. (2015). TechTerms.com. Retrieved from http://techterms.com/definition/phishing

U.S. Computer Emergency Readiness Team. (2013). Security tip (ST04-014): Avoiding social engineering and phishing attacks. Retrieved from https://www.us-cert.gov/ncas/tips/ST04-014

U.S. Computer Emergency Readiness Team. (2015, January 30). Security Tip(ST15-001): IRS and US-CERT Caution users. Retrieved from https://www.us-cert.gov/ncas/tips/ST15-001

Cyber Security, Data Breach, Education, Tip of the Week

Medical Identity Theft

Rose

Medical identity theft is the act of using someone else’s identity to obtain medical services, prescription medications and/or goods. This theft often includes fraudulent billing.

A Medical Record is a perpetual record that contains identifiable medical information, and is intended for use in decision making relevant to a patient’s health coverage, diagnosis and treatment. It contains a written account of a patient’s examination and treatment with medical history, patient complaints, physician’s findings, lab results, procedure results, medications, and other therapeutic measures. When stored on an information system it is often referred to as an Electronic Medical Record (EMR) or Electronic Health Record (EHR).

According to a research sponsored by the Medical Identity Fraud Alliance (MIFA), the increasing costs of resolving the problem of medical fraud influenced the Affordable Care Act to address medical identity theft. “Sixty-five percent of medical identity theft victims in our study had to pay an average of $13,500 to resolve the crime” and “victims learn about the theft of their credentials more than three months following the crime and 30 percent do not know when they became a victim” according to the Fifth Annual Study on Medical Identity Theft. In addition, only 3 percent of an average healthcare organization’s IT budget were being used for data protection.

Percent IT budget

One of the most striking results from the research was the answers to the following questions:

  1. How did the medical identity theft happen? The number of people increased from 4 percent from 2012 to 12 percent in 2014 who provided their personal information to a fake email or spoofed website. With the amount of information online and in the news on how to prevent identity theft, it is still surprising that we as a society are not changing the culture by building awareness within your organization from policies/procedures to education.
  2. How did the medical identity theft happen? Healthcare provider or insurer-experienced a data breach increased from 6 percent in 2012 to 10 percent in 2014. It is RISC’s position that this is probably due to increased awareness, however, thereby an increased number of complaints filed. Greater deployment of security technologies, and increased security training quite often result in statistical jumps like these as more events are recognized, not necessarily occurring.
  3. How did the medical identity theft incident affect your reputation? 89 percent said that embarrassment due to disclosure of sensitive personal health condition affected them while loss of career opportunities was identified by a surprising 19 percent.
  4. How did you resolve the medical identity theft? In 2012, a shocking 45 percent reported to paying the healthcare provider for services that the thief incurred. Last year, only 24 percent of those who experienced medical identity theft carefully reviewed their credit reports and only 15 percent said their contacted the credit bureaus to fix errors in their credit report.

A good example of dealing with medical identity theft begins from page five of an article from the Attorney General Kamala D. Harris of California which mentions prevention, detection and mitigation (California Department of Justice, 2013 October).

If you find your organization has experienced a security incident or suspects a data breach, know that there is help available. If you are a consumer who suspects medical identity theft, there is a great deal of help available to you. As taxpayers, we should all be concerned about this issue even if we do not personally experience it at work or as healthcare consumers!

OFFICIAL RISC Logo

RISC and VA in HIMSS15

References

California Dep. Of Justice. (2013, October). Medical identity theft: Recommendations for the age of electronic medical records. Retrieved from http://medidfraud.org/wp-content/uploads/2014/07/Medical-ID-Theft-Recommendations-FINAL.pdf

Fifth Annual Study on Medical Identity Theft. (2015, February).  Retrieved from http://medidfraud.org/wp-content/uploads/2015/02/2014_Medical_ID_Theft_Study1.pdf