Post on 16-Oct-2020

Dr. Robert K. Minniti, DBA, CPA, CFE, Cr.FA, CVA, CFF, MAFF, CGMA, PI

President, Minniti CPA, LLC

Cybersecurity Essentials for Tax Preparers

Dr. Robert K. Minniti

DBA – Doctor of Business Administration

CPA – Certified Public Accountant

CFE – Certified Fraud Examiner

CrFA – Certified Forensic Accountant

CFF – Certified in Financial Forensics

CVA – Certified Valuation Analyst

MAFF – Master Analyst in Financial Forensics

CGMA – Chartered Global Management Accountant

PI – Licensed Private Investigator

Objectives

Upon completing this class you will be able to:

Identify cybersecurity risks

Identify internal controls for cybersecurity

Securing Personal Information

Client Information

Employee Information

Vendor Information

New Laws

An Issue for Tax Professionals

IR-2018-245, DECEMBER 7, 2018

The IRS reminds all professional tax preparers that they are required by federal law to create and maintain a written data security plan. Sole practitioners are just as vulnerable to data theft as practitioners in large firms.

During the 2018 tax filing season, the IRS received five to seven reports per week from tax firms that have experienced a data theft.

Through Nov. 5, 2018, the IRS received 234 reports for the year. That’s a 29 percent increase from the 182 reports received during the same time in 2017. Generally, these are reports filed by firms, which means hundreds more tax practitioners and tens of thousands of clients are affected.

This increase represents a significant trend in tax-related identity theft, and it’s a sign that tax professionals must take stronger measures to safeguard their clients and their business.

https://www.irs.gov/newsroom/irs-security-summit-partners-warn-tax-professionals-of-high-risk-of-data-theft-attacks

IR-2018-245, DECEMBER 7, 2018

Thieves search for client data so they can create a fraudulent tax return that looks legitimate and might bypass IRS filters. They also impersonate tax professionals, using stolen Electronic Filing Identification Numbers (EFINS), Preparer Tax Identification Numbers (PTINs) and Centralized Authorization File (CAF) numbers.

The Gramm-Leach-Bliley Act of 1999 requires all financial institutions, which it also defines as professional tax preparers, to create and maintain information security plans. The Federal Trade Commission, not the IRS, administers this law and created a Safeguards Rule to administer it. Information about the FTC requirements can be found in IRS Publication 4557, Safeguarding Taxpayer Data.

https://www.irs.gov/newsroom/irs-security-summit-partners-warn-tax-professionals-of-high-risk-of-data-theft-attacks

IRS - INFORMATION SHARING AND ANALYSIS CENTER (ISAC)

https://www.irs.gov/pub/newsroom/IDTTRF%20ISAC%20April%202018%20Annual%20Report.pdf

The ISAC’s purpose is to:

• Facilitate information exchange for tax administration purposes related to identity theft tax refund fraud.

• Provide a forum for participants to discuss real-time responses to such fraud schemes.

• Promote the advancement of data analysis, capabilities, methodologies and strategies to detect, reduce, and prevent this type of fraud.

Polling Question #1

True or False

The IRS does not believe data breaches are a risk for tax professionals

Cybersecurity Terminology

Threat

An event with the potential to adversely affect an organization

Unauthorized access to systems or data

Destruction of systems or data

Disclosure of data

Modifications or changes to data

Denial of service (DoS)

Cybersecurity Terminology

Adversary

An individual or entity with the intent to harm an organization by conducting cyber attacks

Attacker

An individual or entity attempting to harm an organization by conducting cyber attacks

Cybersecurity Terminology

Authorization

Access privileges granted to users or applications

Authentication

Verifying the identity of a user, software application or device before granting access

Cybersecurity Terminology

Encryption

Converting data to another format that cannot be read or viewed until it is decrypted.

An average desktop computer is estimated to take around 6.4 quadrillion years to crack an RSA 2048 encryption key.

Cybersecurity Terminology

Hacker

An individual or entity trying to gain access to an IT system to steal or compromise data

Black Hat Hacker

White Hat Hacker

Gray Hat Hacker

Hackers

Hackers have different motivations for their actions

Hacktivists

Cyber Criminals

Insiders

Competitors

Nation States

Joyriders

Upset customers

Law Enforcement

Cybersecurity Terminology

Weakness

A vulnerability in the IT system

Software bugs

Hardware issues

Security issues

Cybersecurity Terminology

Exfiltration

The unauthorized theft or transfer of data

Exposure

The time period in which a vulnerability can be exploited

Polling Question #2

True or False

Exfiltration is the unauthorized theft or transfer of data

Backdoors

A backdoor is a route into a computer that circumvents the user authentication process and allows hackers open access to the system once it is installed.

Computer Virus

A computer virus is usually hidden in a computer program and performs functions such as copying or deleting data files. A computer virus creates copies of itself that it inserts in data files or other programs.

Trojan Horse

A Trojan horse is a malware program that is disguised as something else. Users assume it is a beneficial program when in fact it is not. Trojan horses are often used to insert spyware onto computers.

Computer Worms

A computer worm is a type of malware that transmits itself over networks and the internet to infect more computers with the malware.

Polling Question #3

True or False

A computer virus attacks software already on your computer

Internet of Things (IoT)

Devices with access to an IT system or to the internet.

Cameras

Microphones

Cars

Thermostats

Appliances

Copiers & office equipment

Cloud Computing

Using the internet to connect with remote servers to access software or data.

INTERNET STRUCTURE

www.cybertraining365.com

Cybersecurity Risks

Civil litigation

Fines

Damage to reputation

Loss of customers

Government settlement – long term audits

Business disruption

Ransom payments

Cybersecurity Risk Factors

Employees

Don’t understand the risks

Lack of cybersecurity training

Override internal controls

Inattention

Working remotely

Data & file sharing

Using personal devices

Cybersecurity Risk Factors

IT Systems

Complex IT systems

Older technology

Bring your own device (BYOD)

Lack of internal controls

Ineffective cybersecurity measures

Undertrained IT personnel

File sharing

Cloud computing

Phishing

Used to gain personal or business information, such as usernames, passwords, Social Security numbers, and credit card numbers, etc.

Often accomplished by using fraudulent e-mail messages that appear to come from legitimate businesses or government agencies.

Phishing Example

IRS Vishing

Computer generated voice:

Hello. This call is officially a final notice from the IRS, Internal Revenue Service. The reason of this call is to inform you that IRS is filing lawsuit against you. To get more information about this case file, please call immediately on our department number 202-492-8816. I repeat 202-492-8816. Thank you.

VISHING

Vishing is similar to phishing but it occurs over the phone rather than over the internet.

Criminals try to obtain information or try to load malware on the victim’s computer.

DISGUISING A VOICE

When criminals want to disguise their voices over the phone it is easy to do, because there are numerous “apps for that”.

SMISHING

Smishing is similar to phishing and vishing but it is done using text messages rather than phone calls or email. Criminals try to obtain information or try to load malware on the victim’s computer.

SPOOFING A PHONE NUMBER

https://www.spoofcard.com/apps

SPOOFING EXAMPLE

https://www.knowbe4.com/

Polling Question #4

True or False

Criminals use phishing emails to obtain information or to load malware on a victim’s computer

Denial of Service Attacks

This cybercrime occurs when the criminals use botnets or networks of infected computers to bring down a website by overloading the server.

Oftentimes criminals follow up with an attempt to hack the system and put malware on the server while the victim is busy repairing the damage.

Malware

Malware is placed on computers or cell phones to hijack the computers, steal data, or encrypt the data for ransom.

Ransomware

Ransomware is placed on computers to encrypt your data until a ransom is paid for the decryption key.

CryptoLocker is one example of ransomware.

CryptoWall 2.0 is one of the newer versions.

The FBI estimates that ransomware is a $1 billion a year fraud.

http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/index.html?section=money_technology

RANSOMWARE

Scareware (Pop-ups)

PC Cyborg (1998)

TeslaCrypt (Gamers)

Locky (Email)

Wannacry (Windows flaw)

https://www.knowbe4.com/

CryptoLocker

Ransomware

RANSOMWARE ATTACKS EMAIL

https://www.knowbe4.com/

Cell Phone Spyware

Popular versions of spyware for cell phones

• HighsterMobile

• Spyera

• Spyrix

• FlexiSpy

• Mobile Spy

• MobiStealth

• mSpy

Cell Phone Spyware

Criminals use charging stations in public places to load malware onto mobile devices.

Always use an electric plug or a USB condom (a data blocker that passes power but not data) when charging your mobile device.

Other Spyware

Popular versions of other types of spyware

• Keylogger

• Win-Spy

• Spytech Spy Agent

• SpectorSoft

• 007 Spy Software

Polling Question #5

True or False

One type of ransomware encrypts data on your computer

Data Breaches

Stealing data from computer systems belonging to companies, governmental units, and even not-for-profit organizations.

Large amounts of information are stolen in a short amount of time.

Data Breaches in 2016

2017 Cost of Data Breach Study: Global Analysis, Benchmark research sponsored by IBM, Independently conducted by Ponemon Institute LLC

Sockpuppets

Computer Generated Photos

https://petapixel.com/2018/12/17/these-portraits-were-made-by-ai-none-of-these-people-exist/

Polling Question #6

True or False

Lack of adequate internal controls is one cybersecurity risk

Cybersecurity Risk Management

Managing IT assets

Employee awareness & training

Business continuation

Change management

IT configuration management

Data security

Disaster recovery plan

Incident response plans & teams

Cybersecurity Risk Management

Access control

Monitoring issues

Sending alerts

Managing media & data

Physical security

Environmental considerations

Hardware & software maintenance

Cybersecurity Risk Management

Vendor management

Employee training

Assessing new hardware & software

Mobile devices

Work-at-home employees

Customer access

Legal & regulatory requirements

Backing up data

Cybersecurity Frameworks

COSO Framework for Internal Control

COBIT

ISO 27001

NIST

CIS Critical Security Controls

HITRUST

COSO Framework for Internal Controls

The COSO Framework for Internal Controls has five components:

Control Environment

Control Activities

Risk Assessment

Information & Communication

Monitoring

2013, Committee of Sponsoring Organizations of the Treadway Commission (COSO)

COSO Requirements for IT

Select and Develop General Controls over Technology

Determines Dependency between the Use of Technology in Business Processes and Technology General Controls

Establishes Relevant Technology Infrastructure Control Activities

Establishes Relevant Security Management Process Control Activities

Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities

2013, Committee of Sponsoring Organizations of the Treadway Commission (COSO)

COBIT

Created and published by the ISACA

Used in conjunction with the COSO Framework

Often adopted by public companies

A best-practices framework

Four main domains:

Plan & organize

Acquire & implement

Deliver & support

Monitor & evaluate

ISO 27001

Created and published by International Organization for Standardization (ISO)

Most well-known cybersecurity standard

Most commonly used outside the U.S.

Focuses on technology and assets

Concentrates on risk mitigation

NIST

Created and published by the National Institute of Standards and Technology (NIST)

Used for implementing the Federal Information Security Act of 2002 (FISMA)

Developed & used by government agencies and contractors

Sets minimum requirements for IT security

CIS Critical Security Controls

Recommended cybersecurity controls

Provides specific ways to stop attacks

Prioritizes actions with high payoff results

HITRUST

A risk & compliance framework

Mostly used in the US healthcare industry

Designed to protect personal health information (PHI)

Easily modified for flexibility of scale (Size, type, etc.)

Easily updated as regulations change

Defines a set of internal controls

Polling Question #7

True or False

The HITRUST framework is predominantly used in the US healthcare industry

Basic Internal Controls

Router & Switch

Firewall (Hardware & Software)

Virtual Private Network (VPN)

Encryption

Proxies

Network Intrusion Prevention System (NIPS)

Network Intrusion Detection System (NIDS)

Security Information and Event Management (SIEM)

Basic Internal Controls

Limit access with user IDs and passwords

Require complex passphrases

A minimum of 24 characters

Require password changes every 90 days

Reset the default local administrator password

Spam filters

SOC for Cybersecurity (Vendors & others with access)

Basic Internal Controls

Conduct a background check before hiring an employee who will have access to IT systems.

Conduct regular training for employees on how to protect company information.

Enroll in a back-up or wiping program that backs up smartphones and will allow you to remotely erase the information on a lost or stolen phone.

Basic Internal Controls

Install a good anti-virus program on your computer and keep it up-to-date.

Encrypt your office wireless networks using WPA2.

Do not send company information over public WiFi networks.

Basic Internal Controls

Do not reply to e-mails or click on links in e-mails from unknown sources.

Use a separate computer for bank and financial transactions

Monitor user activity on your IT system

Cyber Insurance

Basic Internal Controls

Have real time monitoring of security events on your IT system

Update all software when vendor updates are made available

Use multi-factor authentication or biometrics

Conduct regular penetration & phishing tests

Polling Question #8

True or False

Internal controls over a company’s IT system and data are essential

Any Questions?
