PowerPoint presentation: IR-2018-245, December 7, 2018, the IRS reminds all professional tax preparers...
Posted on 16-Oct-2020
Dr. Robert K. Minniti, DBA, CPA, CFE, Cr.FA, CVA, CFF, MAFF, CGMA, PI
President, Minniti CPA, LLC
Cybersecurity Essentials for Tax Preparers
Dr. Robert K. Minniti
DBA – Doctor of Business Administration
CPA – Certified Public Accountant
CFE – Certified Fraud Examiner
CrFA – Certified Forensic Accountant
CFF – Certified in Financial Forensics
CVA – Certified Valuation Analyst
MAFF – Master Analyst in Financial Forensics
CGMA – Chartered Global Management Accountant
PI – Licensed Private Investigator
Objectives
Upon completing this class you will be able to:
Identify cybersecurity risks
Identify internal controls for cybersecurity
Securing Personal Information
Client Information
Employee Information
Vendor Information
New Laws
An Issue for Tax Professionals
IR-2018-245, DECEMBER 7, 2018
The IRS reminds all professional tax preparers that they are required by federal law to create and maintain a written data security plan. Sole practitioners are just as vulnerable to data theft as practitioners in large firms.
During the 2018 tax filing season, the IRS received five to seven reports per week from tax firms that have experienced a data theft.
Through Nov. 5, 2018, the IRS received 234 reports for the year. That’s a 29 percent increase from the 182 reports received during the same time in 2017. Generally, these are reports filed by firms, which means hundreds more tax practitioners and tens of thousands of clients are affected.
This increase represents a significant trend in tax-related identity theft, and it’s a sign that tax professionals must take stronger measures to safeguard their clients and their business.
https://www.irs.gov/newsroom/irs-security-summit-partners-warn-tax-professionals-of-high-risk-of-data-theft-attacks
IR-2018-245, DECEMBER 7, 2018
Thieves search for client data so they can create a fraudulent tax return that looks legitimate and might bypass IRS filters. They also impersonate tax professionals, using stolen Electronic Filing Identification Numbers (EFINS), Preparer Tax Identification Numbers (PTINs) and Centralized Authorization File (CAF) numbers.
The Gramm-Leach-Bliley Act of 1999 requires all financial institutions, which it also defines as professional tax preparers, to create and maintain information security plans. The Federal Trade Commission, not the IRS, administers this law and created a Safeguards Rule to administer it. Information about the FTC requirements can be found in IRS Publication 4557, Safeguarding Taxpayer Data.
https://www.irs.gov/newsroom/irs-security-summit-partners-warn-tax-professionals-of-high-risk-of-data-theft-attacks
IRS - INFORMATION SHARING AND ANALYSIS CENTER (ISAC)
https://www.irs.gov/pub/newsroom/IDTTRF%20ISAC%20April%202018%20Annual%20Report.pdf
The ISAC’s purpose is to:
• Facilitate information exchange for tax administration purposes related to identity theft tax refund fraud. • Provide a forum for participants to discuss real-time responses to such fraud schemes. • Promote the advancement of data analysis, capabilities, methodologies and strategies to detect, reduce, and prevent this type of fraud.
Polling Question #1
True or False
The IRS does not believe data breaches are a risk for tax professionals
Cybersecurity Terminology
Threat
An event with the potential to adversely affect an organization
Unauthorized access to systems or data
Destruction of systems or data
Disclosure of data
Modifications or changes to data
Denial of service (DoS)
Cybersecurity Terminology
Adversary
An individual or entity with the intent to harm an organization by conducting cyber attacks
Attacker
An individual or entity attempting to harm an organization by conducting cyber attacks
Cybersecurity Terminology
Authorization
Access privileges granted to users or applications
Authentication
Verifying the identity of a user, software application or device before granting access
Cybersecurity Terminology
Encryption
Converting data to another format that cannot be read or viewed until it is decrypted.
An average desktop computer is estimated to take around 6.4 quadrillion years to crack an RSA 2048 encryption key.
Cybersecurity Terminology
Hacker
An individual or entity trying to gain access to an IT system to steal or compromise data
Black Hat Hacker
White Hat Hacker
Gray Hat Hacker
Hackers
Hackers have different motivations for their actions
Hacktivists
Cyber Criminals
Insiders
Competitors
Nation States
Joyriders
Upset customers
Law Enforcement
Cybersecurity Terminology
Weakness
A vulnerability in the IT system
Software bugs
Hardware issues
Security issues
Cybersecurity Terminology
Exfiltration
The unauthorized theft or transfer of data
Exposure
The time period in which a vulnerability can be exploited
Polling Question #2
True or False
Exfiltration is the unauthorized theft or transfer of data
Backdoors
A backdoor is a route into a computer that circumvents the user authentication process and allows hackers open access to the system once it is installed.
Computer Virus
A computer virus is usually hidden in a computer program and performs functions such as copying or deleting data files. A computer virus creates copies of itself that it inserts in data files or other programs.
Trojan Horse
A Trojan horse is a malware program that is disguised as something else. Users assume it is a beneficial program when in fact it is not. Trojan horses are often used to insert spyware onto computers.
Computer Worms
A computer worm is a type of malware that transmits itself over networks and the internet to infect more computers with the malware.
Polling Question #3
True or False
A computer virus attacks software already on your computer
Internet of Things (IoT)
Devices with access to an IT system or to the internet.
Cameras
Microphones
Cars
Thermostats
Appliances
Copiers & office equipment
Cloud Computing
Using the internet to connect with remote servers to access software or data.
INTERNET STRUCTURE
www.cybertraining365.com
Cybersecurity Risks
Civil litigation
Fines
Damage to reputation
Loss of customers
Government settlement – long term audits
Business disruption
Ransom payments
Cybersecurity Risk Factors
Employees
Don’t understand the risks
Lack of cybersecurity training
Override internal controls
Inattention
Working remotely
Data & file sharing
Using personal devices
Cybersecurity Risk Factors
IT Systems
Complex IT systems
Older technology
Bring your own device (BYOD)
Lack of internal controls
Ineffective cybersecurity measures
Undertrained IT personnel
File sharing
Cloud computing
Phishing
Used to gain personal or business information, such as usernames, passwords, Social Security numbers, and credit card numbers, etc.
Often accomplished by using fraudulent e-mail messages that appear to come from legitimate businesses or government agencies.
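The indicators a reader can check before trusting such a message (a display name that claims a brand the sender domain does not belong to, a Reply-To that goes elsewhere, link text that shows one site while the link goes to another or to a bare IP address, urgency language) can be scripted. The following is an added example for triage, not material from the presentation; the message, the domains and the `TRUSTED_BRANDS` table are constructed placeholders.

```python
"""Flag common phishing indicators in an e-mail message (defensive triage)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: the domains and IP are documentation placeholders,
# not a real phishing campaign.
SAMPLE_EMAIL = """\
From: "IRS e-Services" <notice@irs-refund-update.example>
Reply-To: collections@mailer-xyz.example
To: preparer@firm.example
Subject: Final notice: verify your EFIN immediately
Content-Type: text/html

<html><body>
<p>Your EFIN will be suspended. Verify now:</p>
<a href="http://203.0.113.45/efin/verify">https://www.irs.gov/e-services</a>
</body></html>
"""

# Assumed brand table: a keyword in the display name -> the domain that brand really uses.
TRUSTED_BRANDS = {"irs": "irs.gov"}
URGENCY_WORDS = ("immediately", "final notice", "suspended", "lawsuit")


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw):
    """Return a list of human-readable indicators found in the raw message text."""
    msg = message_from_string(raw)
    indicators = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()

    # 1. Display name names a brand, but the sender domain is not that brand's domain.
    for brand, real_domain in TRUSTED_BRANDS.items():
        if brand in display_name.lower() and not sender_domain.endswith(real_domain):
            indicators.append(f"display name '{display_name}' but sender domain {sender_domain}")

    # 2. Replies would go to a different domain than the message claims to come from.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        indicators.append("Reply-To domain differs from From domain")

    # 3. Anchor text shows one host while the href points somewhere else, or to a raw IP.
    body = msg.get_payload(decode=True).decode(errors="replace")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown = _host(text.strip()) if "://" in text else ""
        actual = _host(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", actual):
            indicators.append(f"link points to a raw IP address {actual}")
        if shown and shown != actual:
            indicators.append(f"link text shows {shown} but goes to {actual}")

    # 4. Pressure language in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        indicators.append("urgency language in subject: " + ", ".join(hits))
    return indicators


if __name__ == "__main__":
    for ind in phishing_indicators(SAMPLE_EMAIL):
        print("INDICATOR:", ind)
```

Each indicator on its own is only a hint; the value of a check like this is that the constructed message trips all four at once, which is the pattern a preparer should treat as a reason to call the sender through a known number rather than the one in the message.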
Phishing Example
IRS Vishing
Computer-generated voice:
Hello. This call is officially a final notice from the IRS, Internal Revenue Service. The reason of this call is to inform you that IRS is filing lawsuit against you. To get more information about this case file, please call immediately on our department number 202-492-8816. I repeat 202-492-8816. Thank you.
VISHING
Vishing is similar to phishing but it occurs over the phone rather than over the internet.
Criminals try to obtain information or try to load malware on the victim’s computer.
DISGUISING A VOICE
When criminals want to disguise their voices over the phone it is easy to do because there are numerous “Apps for that”
SMISHING
Smishing is similar to phishing and vishing but it is done using text messages rather than phone calls or email. Criminals try to obtain information or try to load malware on the victim’s computer.
SPOOFING A PHONE NUMBER
https://www.spoofcard.com/apps
SPOOFING EXAMPLE
https://www.knowbe4.com/
Polling Question #4
True or False
Criminals use phishing emails to obtain information or to load malware on a victim’s computer
Denial of Service Attacks
This cybercrime occurs when the criminals use botnets or networks of infected computers to bring down a website by overloading the server.
Oftentimes criminals follow up with an attempt to hack the system and put malware on the server while the victim is busy repairing the damage.
Malware
Malware is placed on computers or cell phones to hijack the computers, steal data, or encrypt the data for ransom.
Ransomware
Ransomware is placed on computers to encrypt your data until a ransom is paid for the decryption key
CryptoLocker is one example of ransomware.
CryptoWall 2.0 is one of the newer versions
The FBI estimates that ransomware is a $1 Billion a year fraud
http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/index.html?section=money_technology
RANSOMWARE
Scareware (Pop-ups)
PC Cyborg (1998)
TeslaCrypt (Gamers)
Locky (Email)
Wannacry (Windows flaw)
https://www.knowbe4.com/
CryptoLocker
Ransomware
RANSOMWARE ATTACKS EMAIL
https://www.knowbe4.com/
Cell Phone Spyware
Popular versions of spyware for cell phones
• HighsterMobile
• Spyera
• Spyrix
• FlexiSpy
• Mobile Spy
• MobiStealth
• mSpy
Cell Phone Spyware
Criminals use charging stations in public places to load malware onto mobile devices.
Always use an electric plug or a USB data blocker (“USB condom”) when charging your mobile device
Other Spyware
Popular versions of other types of spyware
• Keylogger
• Win-Spy
• Spytech Spy Agent
• SpectorSoft
• 007 Spy Software
Polling Question #5
True or False
One type of ransomware encrypts data on your computer
Data Breaches
Stealing data from computer systems belonging to companies, governmental units, and even not-for-profit organizations.
Large amounts of information are stolen in a short amount of time.
Data Breaches in 2016
2017 Cost of Data Breach Study: Global Analysis, Benchmark research sponsored by IBM, Independently conducted by Ponemon Institute LLC
Sockpuppets
Computer Generated Photos
https://petapixel.com/2018/12/17/these-portraits-were-made-by-ai-none-of-these-people-exist/
Polling Question #6
True or False
Lack of adequate internal controls is one cybersecurity risk
Cybersecurity Risk Management
Managing IT assets
Employee awareness & training
Business continuation
Change management
IT configuration management
Data security
Disaster recovery plan
Incident response plans & teams
Cybersecurity Risk Management
Access control
Monitoring issues
Sending alerts
Managing media & data
Physical security
Environmental considerations
Hardware & software maintenance
Cybersecurity Risk Management
Vendor management
Employee training
Assessing new hardware & software
Mobile devices
Work-at-home employees
Customer access
Legal & regulatory requirements
Backing up data
Cybersecurity Frameworks
COSO Framework for Internal Control
COBIT
ISO 27001
NIST
CIS Critical Security Controls
HITRUST
COSO Framework for Internal Controls
The COSO Framework for Internal Controls has five components
Control Environment
Control Activities
Risk Assessment
Information & Communication
Monitoring
2013, Committee of Sponsoring Organizations of the Treadway Commission (COSO)
COSO Requirements for IT
Select and Develop General Controls over Technology
Determines Dependency between the Use of Technology in Business Processes and Technology General Controls
Establishes Relevant Technology Infrastructure Control Activities
Establishes Relevant Security Management Process Control Activities
Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities
2013, Committee of Sponsoring Organizations of the Treadway Commission (COSO)
COBIT
Created and published by the ISACA
Used in conjunction with the COSO Framework
Often adopted by public companies
A best-practices framework
Four main domains
Plan & organize
Acquire & implement
Deliver & support
Monitor & evaluate
ISO 27001
Created and published by International Organization for Standardization (ISO)
Most well-known cybersecurity standard
Most commonly used outside the U.S.
Focuses on technology and assets
Concentrates on risk mitigation
NIST
Created and published by the National Institute of Standards and Technology (NIST)
Used for implementing the Federal Information Security Act of 2002 (FISMA)
Developed & used by government agencies and contractors
Sets minimum requirements for IT security
CIS Critical Security Controls
Recommended cybersecurity controls
Provides specific ways to stop attacks
Prioritizes actions with high payoff results
HITRUST
A risk & compliance framework
Mostly used in the US healthcare industry
Designed to protect personal health information (PHI)
Easily modified for flexibility of scale (Size, type, etc.)
Easily updated as regulations change
Defines a set of internal controls
Polling Question #7
True or False
The HITRUST framework is predominately used in the US healthcare industry
Basic Internal Controls
Router & Switch
Firewall (Hardware & Software)
Virtual Private Network (VPN)
Encryption
Proxies
Network Intrusion Prevention System (NIPS)
Network Intrusion Detection System (NIDS)
Security Information and Event Management (SIEM)
Basic Internal Controls
Limit access with user IDs and passwords
Require complex passphrases
A minimum of 24 characters
Require password changes every 90 days
Reset the default local administrator password
Spam filters
SOC for Cybersecurity (Vendors & others with access)
Basic Internal Controls
Conduct a background check before hiring an employee who will have access to IT systems.
Conduct regular training for employees on how to protect company information.
Enroll in a back-up or wiping program that backs up smartphones and will allow you to remotely erase the information on a lost or stolen phone.
Basic Internal Controls
Install a good anti-virus program on your computer and keep it up-to-date.
Encrypt your office wireless networks using WPA2.
Do not send company information over public WiFi networks.
Basic Internal Controls
Do not reply to e-mails or click on links in e-mails from unknown sources.
Use a separate computer for bank and financial transactions
Monitor user activity on your IT system
Cyber Insurance
Basic Internal Controls
Have real time monitoring of security events on your IT system
Update all software when vendor updates are made available
Use multi-factor authentication or biometrics
Conduct regular penetration & phishing tests
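Monitoring user activity and security events in real time (the SIEM, NIDS and monitoring controls listed in these slides) comes down to rules run over log lines. As an added example, not part of the presentation, the following rule flags a successful login that was preceded by a burst of failed attempts for the same account from the same source, which is the classic password-guessing signature. The log format, the threshold and the window are assumptions, and the sample lines are constructed.

```python
"""Spot brute-force-then-success login patterns in authentication log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system). Assumed line format:
# "<date> <time> <LOGIN_FAIL|LOGIN_OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2018-12-07 08:01:10 LOGIN_FAIL user=jdoe src=198.51.100.7
2018-12-07 08:01:14 LOGIN_FAIL user=jdoe src=198.51.100.7
2018-12-07 08:01:19 LOGIN_FAIL user=jdoe src=198.51.100.7
2018-12-07 08:01:23 LOGIN_FAIL user=jdoe src=198.51.100.7
2018-12-07 08:01:25 LOGIN_FAIL user=jdoe src=198.51.100.7
2018-12-07 08:01:31 LOGIN_OK user=jdoe src=198.51.100.7
2018-12-07 08:15:02 LOGIN_FAIL user=asmith src=192.0.2.9
2018-12-07 09:30:44 LOGIN_OK user=asmith src=192.0.2.9
"""

FAIL_THRESHOLD = 5          # assumed: failures that make a following success suspicious
WINDOW = timedelta(minutes=10)  # assumed: sliding window the failures must fall in


def parse_line(line):
    """Split one log line into a dict with a datetime, event, user and source."""
    date, time, event, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def find_suspicious_logins(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (user, src, fail_count) alerts where at least `threshold` failures
    inside `window` precede a successful login by the same user from the same source."""
    recent_fails = defaultdict(list)  # (user, src) -> timestamps of recent failures
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        key = (ev["user"], ev["src"])
        # Keep only failures that are still inside the sliding window.
        recent_fails[key] = [t for t in recent_fails[key] if ev["ts"] - t <= window]
        if ev["event"] == "LOGIN_FAIL":
            recent_fails[key].append(ev["ts"])
        elif ev["event"] == "LOGIN_OK":
            if len(recent_fails[key]) >= threshold:
                alerts.append((ev["user"], ev["src"], len(recent_fails[key])))
            recent_fails[key].clear()  # a success resets the counter for that pair
    return alerts


if __name__ == "__main__":
    for user, src, count in find_suspicious_logins(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {count} failed logins then success for {user} from {src}")
```

On the sample data only the jdoe sequence fires; asmith's single stale failure is aged out of the window before the later success, which is the kind of noise a threshold and window are there to suppress. In a real deployment the alert would go to the person responsible for the incident response plan rather than to a console.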
Polling Question #8
True or False
Internal controls over a company’s IT system and data are essential
Any Questions?