Workplace Crime Handbook

What is Your BCP* Score?

(*Business Crime Probability)

0 points for every YES answer; 1 point for every NO answer

1. We conduct criminal or civil background checks before hiring employees who have access to personal identifying information.

YES 0 NO 1

2. We provide cross-cut paper shredders, or locked shredding bins for each department, work station and cash register area.

YES 0 NO 1

3. We have a policy for protecting laptop computers containing sensitive information, both on premises and away from the business, and all employees have been trained on that policy.

YES 0 NO 1

4. We use an alternate number instead of social security numbers for employees, client/customer ID numbers.

YES 0 NO - 1

5. We never send out mail with customers or employees SSNs and financial institution account numbers. We have trained staff about secure procedures for sending sensitive personal data by fax, email and phone. YES 0 NO - 1

6. Non-essential doors and windows are kept locked at all times.

YES 0 NO - 1

7. Sensitive information of customer and employees (timecards, badges, SSNs, addresses, work schedules, licenses) cannot be seen in our public areas. YES 0 NO - 1

8. We provide a secure holding place for all outgoing and incoming mail, a place that is only accessible to approved employees. YES 0 NO - 1

9. We use photos on employees ID cards.

YES 0 NO - 1

10. We keep all personal data about employees and customers in locked files and restrict access to a select few supervisors and managers. YES 0 NO - 1

11. We encrypt or password guard all sensitive data stored on computers and we allow access only on a need-to-know basis.

YES 0 NO 1

12. We have trained employees in secure methods for collecting personal identifying information from customers and clients. For example, not asking people to repeat a SSN aloud in a public area.

YES 0 NO - 1

13. We notify customers and employees in advance why data is being collected, to whom it will be distributed, and the subsequent use after fulfillment of the original purpose; and we never ask for more data than absolutely necessary. YES 0 NO - 1

14. All visitors, job applicants, vendors, etc. are escorted by a company employee while in our facility. YES 0 NO - 1

15. We provide the means for customers to swipe their own credit or

debit card and forbid employees from handling them.

YES 0 NO - 1

My BCP Score _________

Scoring

8-15 points - You are at high risk of being a crime victim. We recommend you use the attached check list to reduce your vulnerability.

4-7 points - Your odds of being victimized are about average. Use the attached check list to identify additional changes that will reduce your risk.

0-3 points - Congratulations. Keep up the good work, but check the attached list for anything you may have overlooked.

(Original Probability Quiz was created by the Identity Theft Resource Center, but has been modified for this presentation)

Business Security Checklist

GENERAL RECOMMENDATIONS

1. Have clearly defined security policies for your business.

2. Train all employees in those security policies and provide frequent reminders.

3. Make sure that all employees know how seriously you take those policies and the consequences for the customer, the business and the employee if those policies are not followed.

4. Supervise employees stay involved with their work on a regular basis.

5. Test your plan. Once you've put in place appropriate measures, have internal auditors or independent data security experts test them periodically, looking for holes.

6. Plan for the worst. No matter how good your information security system is, there is always the potential for a breach. Have a written response plan in place to deal with data recovery, customer notification, public relations, and legal issues.

7. Become informed on scams that target businesses and train your employees also.

8. Read the fine print before you sign anything.

9. Periodically look at your business through the eyes of a criminal.

DATA SECURITY

1. Only hold personal data you need. Nonessential data can be a liability rather than an asset. Do you really need customers' Social Security numbers? Do you have to store their credit card numbers forever? Archive data after use rather than storing in accessible customer master files, and discard or archive data for inactive accounts.

2. Store electronic data securely, preferably in encrypted form.

3. Avoid storing personal data on laptops, PDAs, other mobile devices.

4. Limit access to only those who need it. Have a full audit trail of who accesses each record.

5. Restrict large-scale downloads and monitor employees for unusual access volume or timing.

6. Ensure good physical as well as information systems security over personal data.

7. Consider security aspects of transmitting personal data to customers and employees. Sending thousands of letters or e-mails with such data is asking for trouble, as they can be intercepted.

8. Do what you say you'll do. Only promise employees and customers a level of personal data security that you can deliver. Whatever you promise, ensure you adhere to it.

9. Make data security a priority with your employees. Background checks are essential on all employees who will have access to personal information. In the event of a security breach by an employee, the fact that you conducted background checks will help demonstrate that you took reasonable precautions to guard against theft.

10. In addition to background checks, employees should be required to sign non-disclosure agreements that prohibit them from misusing confidential data.

11. Enlist all employees to help protect the security of sensitive personal data. Develop a written data security policy that clearly explains what data is considered confidential and what steps employees are expected to take to safeguard that data.

12. Regularly train your employees on acceptable security practices and remind them of their legal obligation to protect customer information. Ensure they know their access to data is monitored and recorded to help prevent and detect data theft. Remind them this is a crime and that you will refer cases for prosecution.

13. Ask your casualty and liability insurer about computer intrusion and employee forgery and computer misuse coverage.

14. If you use vendors to handle, process or store personal data, ensure that their data security measures at least equal yours. Require them to sign nondisclosure agreements to protect data. Insist on periodic security audits and vulnerability assessments.

15. SHRED, SHRED, SHRED and if sensitive documents are not shredded immediately, keep them under lock and key until they are.

MAIL SECURITY

1. Establish incoming/outgoing mail security procedures and notify customers and employees of procedures. Mail should be kept in a secure manner prior to pick up and after delivery to your business. An open box or basket in a public area is an invitation to mail theft.

2. Keep mail processing area separate from all other operations.

3. Restrict employees from bringing personal items into the mailroom: purses, backpacks, coolers. Establish a policy allowing the inspection of all items brought into, or taken out of the mailroom.

4. Maintain a list of employees who receive mail.

5. Suggest that outgoing sensitive mail be prepared by the mailer, and not by employees of the mailroom.

BUILDING & PROPERTY SECURITY

1. Require deliveries to be made in restricted confined areas and restrict drivers to an area separate from mail operations.

2. Provide secure storage for employees persona effects

3. Do not tolerate disturbances in your facility

4. All visitors, job applicants, strangers, vendors, etc should be escorted while in your facility

5. Keep all non-essential doors and windows locked, and unlocked entrances should be continually monitored

6. Train employees in proper ways to approach visitors to your facility, and do not let any visitor go unchallenged.

(Developed in part by the Association of Certified Fraud Examiners)

RETAIL BUSINESS PRECAUTIONS

1. Require another form of identification when accepting a credit card as payment.

2. Do not accept any credit card that is not signed.

3. Train employees to protect against diversion burglaries.

4. Stress to employees the importance of keeping doors locked.

5. Look for alternatives to checks for paying bills.

FACTS BUSINESSES SHOULD KNOW

Under Federal Laws/Rules, Consumers Have the Right to:

1. Request a free copy of their credit report once a year from each of the three credit reporting agencies. If they dispute credit report information, credit bureaus must resolve their dispute within 30 days and send written notice of the results of the investigation, including a copy of the credit report, if it has changed.

2. Opt Out of credit card companies and banks marketing programs, including convenience checks sent on your credit card account by calling the companies customer service numbers.

3. Opt Out of credit card solicitations

1-888-567-8688

www.optoutprescreen.com

Under Colorado Law, Consumers Have the Right to:

1. Remove their SSN from drivers licenses and health insurance cards.

2. Have no more than five (5) digits printed on their credit card receipts.

3. Have their identity verified by credit card solicitors before they send a credit card to an address different than theirs.

4. Have the right to ask businesses, non-profit, and government agencies about their policies for disposal of personal identifying documents.

5. Freeze their credit reports

Miscellaneous Facts:

1. The Fair and Accurate Transactions Act (FACT ACT) mandates that businesses, whether employing one or one million, must take reasonable measures to destroy information derived from consumer credit reports before discarding them. Failure to adequately protect clients, customers, or employees private information may result in:

civil penalties up to $1000 per person

class action lawsuits

federal fines up to $2500 per violation

state fines up to $1000 per violation

2. Colorado requires all businesses, non-profit organizations and government agencies to have policies for the safe disposal of personal identifying documents.

3. Under Title V of the Gramm-Leach-Bliley Act (GLB), financial institutions are required to take steps to protect their customers data and face the possibility of fines or jail time for failure to comply.

4. The Health Insurance Portability and Accountability Act (HIPAA) imposes strict guidelines on healthcare plans and providers to guard against the disclosure of patient data.

5. Trash is not private property.

6. Under Colorado Law it is illegal for a business to write or have written on any check presented for payment the Social Security Number or credit card number of the person presenting the check.

7. 70% of data security breaches are done by insiders.

8. Colorado law requires entities to conduct a prompt and good faith investigation upon learning of a security breach (Colorado Revised Statutes 6-1-716). Organizations must also provide prompt notice to those who might be impacted by the breach. If more than 1000 Colorado residents are impacted, the organization must also notify the national credit reporting agencies.

9. Identity theft has evolved from a consumer fraud issue into a serious threat to corporate reputations and finances.

Preventative Measures For Cyber Attacks Against Your Business

Over the past year, there has been a considerable spike in cyber attacks against the financial services and the online retail industry. There are a number of actions a firm can take in order to prevent or thwart the specific attacks and techniques used by these intruders. The following steps can be taken to reduce the likelihood of a similar compromise while improving an organization's ability to detect and respond to similar incidents quickly and thoroughly.

Attacker Methodology:

In general, the attackers perform the following activities on the networks they compromise:

1. They identify Web sites that are vulnerable to SQL injection. They appear to target MSSQL only.

2. They use "xp_cmdshell", an extended procedure installed by default on MSSQL, to download their hacker tools to the compromised MSSQL server.

3. They obtain valid Windows credentials by using fgdump or a similar tool.

4. They install network "sniffers" to identify card data and systems involved in processing credit card transactions.

5. They install backdoors that "beacon" periodically to their command and control servers, allowing surreptitious access to the compromised networks.

6. They target databases, Hardware Security Modules (HSMs), and processing applications in an effort to obtain credit card data or brute-force ATM PINs.

7. They use WinRAR to compress the information they pilfer from the compromised networks.

We are providing the following preventive measures. Performing these steps may not prevent the intruders from gaining access, but they will severely impact their effectiveness based on current attack methods.

Recommendation 1: Disable potentially harmful SQL stored procedure calls.

The xp_cmdshell, OPENROWSET, and OPENDATASOURCE stored procedures should be disabled on all databases unless they are explicitly serving a business need within the network.

The xp_cmdshell procedure allows someone to execute commands on a local system from the database, with the permissions of the service account used for the database. The OPENROWSET and OPENDATASOURCE procedures allow one to cause the database to transfer data from the local database to a remote database and vice versa.

The following two steps should be taken to remove the potentially harmful stored procedure calls.

1. Disable access to the xp_cmdshell functions within Microsoft SQL Server.

Microsoft SQL Server 2000

EXEC sp_dropextendedproc 'xp_cmdshell'

Microsoft SQL Server 2005

EXEC sp_configure 'xp_cmdshell', 0

2. Remove the "xplog70.dll" file from the server.

If it is necessary to use the potentially harmful stored procedure calls, limit the exposure by applying IP filters on the SQL servers. Assign explicit ALLOW rules to the interfaces for the application the SQL server is supporting. Disallow communication between SQL Server hosts unless an application necessitates otherwise.

Recommendation 2: Deny extended URLs.

Excessively long URLs can be sent to Microsoft IIS servers, causing the server to fail to log the complete request. Unless specific applications require long URLs, set a limit of 2048 characters. Microsoft IIS will process requests over 4096 bytes long, but will not place the contents of the request in the log files. This has become an effective means to evade detection while performing attacks.

1. Modify "%windir%\system32\inetsrv\urlscan\urlscan.ini"

a. Ensure "MaxQueryString=2048" is present

b. Ensure "LogLongUrls=1" is present

Recommendation 3: Implement specific approaches to secure dynamic web site content.

Certain measures can be taken to mitigate the risk of these types of attacks by developing a secure code base. The steps below are a few of the best practices for secure coding that will help prevent the attack associated with this incident. Additional information can be found at http://msdn2.microsoft.com/en-us/library/ms998271.aspx.

1. Replace escape sequences

                  private string SafeSqlLiteral(string inputSQL)

                  inputSQL.Replace("'", "''");

2. Use parameters with stored procedures

                  using (SqlConnection connection = new SqlConnection

                          connectionString))

               DataSet userDataset = new DataSet();

                  SqlDataAdapter myDataAdapter = new SqlDataAdapter(

"SELECT au_lname, au_fname FROM Authors WHERE au_id =      @au_id",connection);

         myCommand.SelectCommand.Parameters.Add("@au_id",

                 SqlDbType.VarChar, 11);

               myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;

               myDataAdapter.Fill(userDataset);

3. Constrain input in ASP.NET web pages

                  if (!Regex.IsMatch(userIDTxt.Text, @"^[a-zA-Z'./s]{1,40}$"))

                  throw new FormatException("Invalid name format");

Recommendation 4: Install and run authorized Microsoft SQL Server and IIS services under a non-privileged account.

Unless a specific application requires system or administrative level permissions, all instances of Microsoft SQL Server and IIS should run under accounts with restricted user permissions.

Recommendation 5: Apply the principle of 'least privilege' on all SQL machine accounts.

The attackers generally create tables into which they store malware or data collected from the enterprise. Unless specific applications dictate otherwise, restrict the capabilities of the accounts used to modify databases on the servers. In particular, remove the ability to create new tables, denying the attackers a means of transporting malware and stolen data.

Recommendation 6: Require the use of a password on Microsoft SQL Server administrator, user, and machine accounts.

Several SQL servers examined had an empty password on the "sa" SQL account. All accounts with access to resources should be protected with passwords or certificates.

Recommendation 7: Lock out accounts on the mainframes after several unsuccessful logon attempts.

Locking accounts and requiring IT support to restore service aids in protection against brute force attacks. This can serve as an early detection of potential security problems.

Recommendation 8: Run the minimum required applications and services on servers necessary to perform their intended function.

Several servers, to include Active Directory master servers, have unnecessary software installed (e.g. Microsoft Office). In addition, ensure that no unnecessary services are running. This includes SQL Server and SQL Server Express on support and other workstations. Should these services be necessary, restrict access through IP filters on Microsoft Windows or through third-party firewall software.

Recommendation 9: Deny access to the Internet except through proxies for Store and Enterprise servers and workstations.

Attacks on victim networks make extensive use of HTTP, HTTPS, and DNS network ports. Denying direct access to the Internet will frustrate and mislead an attacker.

Recommendation 10: Implement firewall rules to block or restrict Internet and intranet access for database systems.

Disallow all traffic outbound from servers harboring sensitive data. Communication to the SQL servers and data warehousing servers should be tightly controlled. Restrict traffic between data centers and stores to essential ports and services only.

Recommendation 11: Implement firewall rules to block known malicious IP addresses.

Firewall rule sets designed to block all ingress (incoming) and egress (outgoing) traffic to the known malicious IP addresses have been put in place. Note that traffic violating the rules should be logged and observed in near-real time.

Recommendation 12: Ensure your HSM systems are not responsive to any commands which generate encrypted pin blocks. More specifically, HSMs should not accept commands that allow plain text PINs as an argument and respond with encrypted PIN blocks.

HSMs are normally used to verify Personal Identification Numbers (PINs), generate PINs used with bank accounts and credit cards, generate encrypted Card Verification Values (CVVs), generate keys for Electronic Funds Transfer Point of Sale systems (EFTPOS), and generating and verifying Message Authorization Codes (MACs). These systems, if accessed by an unauthorized intruder, can provide the attacker the ability to discover the appropriate PIN number for a corresponding credit or debit card. Therefore, in an effort to prevent this, HSMs should be configured to disallow "in the clear" PINs as an argument for performing its tasks.

(Reprinted from the FBI website, www.fbi.gov, December 15, 2008)

Protecting Business with Positive Pay

Positive Pay can help prevent check fraud through digital confirmation of checks presented for payment.

Positive Pay is an effective automated fraud detection tool offered by the Cash Management Department of most banks. It matches the account number, check number and dollar amount of each check presented for payment against a list of checks previously authorized and issued by the company. All three parts of the check must match exactly or it will not pay.

You transmit a file of issued checks to the bank each day. When those checks are presented for payment at the bank, they are compared electronically against the list of transmitted checks.

When a check is presented that does not have a "match" in the file, it becomes an "exception item". The bank sends a fax or an image of the exception item to the client. The client reviews the image and instructs the bank to pay or return the check.

There is generally a fee charged by the bank for Positive Pay, although some banks now offer the service for free. The fee might well be considered an "insurance premium" to help avoid check fraud losses and liability.

Resources

1. U.S. Postal Inspection Service, Denver Office

303-313-5320

www.usps.com/postalinspectors/

2. Association of Certified Fraud Examiners

www.cfenet.com

The ACFE releases an annual Report to the Nation on Occupational Fraud &

Abuse, which can be obtained from this website.

3. Credit Reporting Agencies

To request a FREE copy of your Credit Report from all three bureaus (you need your Social Security Number and other verifying information.)

Website: www.annualcreditreport.com

Phone: 877-322-8228

To put a fraud alert on your credit report, contact any one of the following:

Equifax 1-800-525-6285, www.equifax.com

Experian 1-888-397-3742, www.experian.com

Trans Union 1-800-680-7289, www.transunion.com

4. ID Theft Assistance

To obtain a free copy of the District Attorneys Identity Theft Workbook, call the

District Attorneys Consumer Protection Line, 720-874-8487.

Identity Theft Resource Center -- www.idtheftcenter.org

For Assistance with Economic Crimes

ARAPAHOE, DOUGLAS, LINCOLN AND ELBERT COUNTIES

District Attorneys Consumer Protection Line

720-874-8547

DENVER CITY AND COUNTY

District Attorneys Economic Crime Unit

720-913-9196 or 720-913-9179.

ADAMS AND BROOMFIELD COUNTIES

District Attorneys Economic Crimes Unit

303-659-7720

BOULDER COUNTY

District Attorneys Consumer Fraud Unit

303-441-3700

JEFFERSON AND GILPIN COUNTIES

District Attorneys Economic Crime Unit

303-271-6980

Workplace Crime Handbook

Scoring

Preventative Measures For Cyber Attacks Against Your Business

Attacker Methodology:

Recommendation 1: Disable potentially harmful SQL stored procedure calls.

The following two steps should be taken to remove the potentially harmful stored procedure calls.

Recommendation 2: Deny extended URLs.

Recommendation 3: Implement specific approaches to secure dynamic web site content.

Recommendation 4: Install and run authorized Microsoft SQL Server and IIS services under a non-privileged account.

Recommendation 5: Apply the principle of 'least privilege' on all SQL machine accounts.

Recommendation 6: Require the use of a password on Microsoft SQL Server administrator, user, and machine accounts.

Recommendation 7: Lock out accounts on the mainframes after several unsuccessful logon attempts.

Recommendation 8: Run the minimum required applications and services on servers necessary to perform their intended function.

Recommendation 9: Deny access to the Internet except through proxies for Store and Enterprise servers and workstations.

Recommendation 10: Implement firewall rules to block or restrict Internet and intranet access for database systems.

Recommendation 11: Implement firewall rules to block known malicious IP addresses.

Recommendation 12: Ensure your HSM systems are not responsive to any commands which generate encrypted pin blocks. More specifically, HSMs should not accept commands that allow plain text PINs as an argument and respond with encrypted PIN blocks.

3. Credit Reporting Agencies

Equifax 1-800-525-6285, www.equifax.com

Trans Union 1-800-680-7289, www.transunion.com

Report a Crime

News & Upcoming Events

E-Mail the D.A.