Category Archives: data encryption

Cybersecurity – Is There a Role for Fraud Examiners?

At a cybersecurity fraud prevention conference I attended recently in California, one of the featured speakers addressed the difference between information security and cybersecurity, and the complexity of assessing fraud preparedness controls specifically directed against cyber fraud. It seems the main difficulty is the lack of a standard to serve as the basis of a fraud examiner’s or auditor’s risk review. The National Institute of Standards and Technology’s (NIST) framework has become a de facto standard despite the fact that it is more than a little light on specific details. Though it is not a standard, there really is nothing else at present against which to measure cybersecurity. Moreover, the technology that must be the subject of a cybersecurity risk assessment is poorly understood and is mutating rapidly. CFEs, and everyone else in the assurance community, are hard pressed to keep up.

To my way of thinking, a good place to start in all this confusion is for the practicing fraud examiner to consider the fundamental difference between information security and cybersecurity: the differing nature of the threat itself. There is a real distinction between protecting information against misuse of all sorts (information security) and defending against an attack by a government, a terrorist group, or a criminal enterprise that has immense resources of expertise, personnel and time, all directed at subverting one individual organization (cybersecurity). You can protect your car with a lock and insurance, but those are not the tools of choice if you see a gang of thieves armed with bricks approaching your car at a stoplight. This distinction is at the very core of assessing an organization’s preparations for addressing the risk of cyberattacks and for defending itself against them.

As is true in so many investigations, the cybersecurity element of the fraud risk assessment process begins with the objectives of the review, which lead immediately to the questions one chooses to ask. If an auditor only wants to know “Are we secure against cyberattacks?” then the answer should be up on a billboard in letters fifty feet high: No organization should ever consider itself safe against cyber attackers. They are too powerful and pervasive for any complacency. If major television networks can be stricken, if the largest banks can be hit, if governments are not immune, then the CFE’s client organization is not secure either. Still, all anti-fraud reviewers can ask subtle and meaningful questions of client management, specifically focused on the data and software at risk of an attack. A fraud risk assessment process specific to cybersecurity might delve into the internals of database management systems and system software, requiring the considerable skills of a CFE supported by one or more tech-savvy consultants s/he has engaged to form the assessment team. Or it might call for just asking simple questions and applying basic arithmetic.

If the fraud examiner’s concern is the theft of valuable information, the simple corrective is to make the data valueless, which is usually achieved through encryption. The CFE’s question might be, “Of all your data, what percentage is encrypted?” If the answer is 100 percent, the follow-up question is whether the data are always encrypted—at rest, in transit and in use. If it cannot be shown that all data are secured all of the time, the next step is to determine what is not protected and under what circumstances. The assessment finding would consist of a flat statement of the amount of unencrypted data susceptible to theft and a recitation of the potential value to an attacker in stealing each category of unprotected data. The readers of this blog know that data must be decrypted in order to be used and so would be quick to point out that “universal” encryption in use is, ultimately, a futile dream. There are vendors who think otherwise, but let’s accept the fact that data will, at some time, be exposed within a computer’s memory. Is that a fault attributable to the data or to the memory and to the programs running in it? Experts say it’s the latter. In-memory attacks are fairly devious, but the solutions are not. Rebooting gets rid of them, and anti-malware programs that scan memory can find them. So a CFE can ask, “How often is each system rebooted?” and “Does your anti-malware software scan memory?”

To the extent that software used for attacks is embedded in the programs themselves, the problem lies in a failure of malware protection or of change management. A CFE need not worry over this point; according to my California presenter, many auditors (and security professionals) have wrestled with this problem and not solved it either. All a CFE needs to ask is whether anyone would be able to know whether a program had been subverted. An audit of the change management process would often provide a bounty of findings, but would not answer the reviewer’s question. The solution lies in having a version of a program known to be free from flaws (such as newly released code) and an audit trail of known changes. It’s probably beyond the talents of a typical CFE to generate a hash total using a program as data and then to apply the known changes in order to see if the version running in production matches a recalculated hash total. But it is not beyond the skills of the IT experts the CFE can add to her team, or of the in-house IM staff responsible for keeping their employer’s programs safe. A CFE fraud risk reviewer need only find out if anyone is performing such a check. If not, the CFE can simply conclude and report to the client that no one knows for sure whether the client’s programs have been penetrated or not.
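The check described above, as an added Go illustration written for this page (it is not code from the post, from the presenter, or from any product): the program's bytes are treated as data, the expected version is rebuilt from a known-good release plus the audit trail of approved changes, and the SHA-256 hash total of that result is compared against the copy running in production. The program text, the change tickets and the substitutions they record are constructed sample values; a real audit trail would hold patches or build inputs rather than byte substitutions.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Change is one entry in the audit trail of approved modifications: the bytes
// the change replaced and the bytes it wrote. A real trail would hold patches
// or build inputs; byte substitutions keep the example self-contained.
type Change struct {
	Ticket string
	Old    []byte
	New    []byte
}

// Constructed sample data: a hypothetical program and two approved tickets.
var sampleRelease = []byte("PAYROLL v1.0: rate=0.10; audit=on;")

var sampleTrail = []Change{
	{Ticket: "CHG-101", Old: []byte("v1.0"), New: []byte("v1.1")},
	{Ticket: "CHG-102", Old: []byte("rate=0.10"), New: []byte("rate=0.12")},
}

// HashTotal is the "hash total" of a program taken as data: SHA-256, in hex.
func HashTotal(program []byte) string {
	sum := sha256.Sum256(program)
	return hex.EncodeToString(sum[:])
}

// Rebuild applies the audit trail, in order, to the known-good release and
// returns the bytes production should contain. It stops if a change does not
// fit the state it claims to modify: then the trail itself is inconsistent and
// a comparison against production would prove nothing.
func Rebuild(release []byte, trail []Change) ([]byte, error) {
	cur := append([]byte(nil), release...)
	for _, c := range trail {
		if bytes.Count(cur, c.Old) != 1 {
			return nil, fmt.Errorf("%s: prior state not found exactly once; audit trail inconsistent", c.Ticket)
		}
		cur = bytes.Replace(cur, c.Old, c.New, 1)
	}
	return cur, nil
}

// Verify answers the examiner's question: does the production copy match the
// hash total recalculated from the clean release plus the known changes?
func Verify(release []byte, trail []Change, production []byte) (string, error) {
	expected, err := Rebuild(release, trail)
	if err != nil {
		return "", err
	}
	if HashTotal(expected) == HashTotal(production) {
		return "matches", nil
	}
	return "mismatch", nil
}

func main() {
	// Two copies "found in production": one legitimately patched, one carrying
	// an extra change that no ticket authorised.
	legit, _ := Rebuild(sampleRelease, sampleTrail)
	tampered := bytes.Replace(legit, []byte("audit=on"), []byte("audit=off"), 1)
	for _, prod := range [][]byte{legit, tampered} {
		result, err := Verify(sampleRelease, sampleTrail, prod)
		if err != nil {
			fmt.Println("cannot verify:", err)
			continue
		}
		fmt.Printf("%s... %s\n", HashTotal(prod)[:16], result)
	}
}
```

The only output the reviewer needs is the last word on each line: production either matches the recalculated hash total or it does not. A mismatch is not by itself proof of subversion, but it establishes that nobody can show the program is unaltered, which is precisely the finding the post describes.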

Finally, a CFE might want to find out if the environment in which data are processed is even capable of being secured. Ancient software running on hardware or operating systems that have passed their end of life are probably not reliable in that regard. Here again, the CFE need only obtain lists and count. How many programs have not been maintained for, say, five years or more? Which operating systems that are no longer supported are still in use? How much equipment in the data center is more than 10 years old? All this is only a little arithmetic and common sense, not rocket science.

In conclusion, frauds associated with weakened or absent cybersecurity systems are not likely to become a less important feature of the corporate landscape over time. Instead, they are poised to become an increasingly important aspect of doing business for those who create automated applications and solutions, for those who attempt to safeguard them on the front end, and for those who investigate and prosecute crimes against them on the back end. While the ramifications of every cyber fraud prevention decision are broad and diverse, a few basic good practices can be defined which the CFE, the fraud expert, can help any client management implement:

  • Know your fraud risk and what it should be;
  • Be educated in management science and computer technology. Ensure that your education includes basic fraud prevention techniques and associated prevention controls;
  • Know your existing cyber fraud prevention decision model, including the shortcomings of those aspects of the model in current use and develop a schedule to address them;
  • Know your frauds. Understand the common fraud scenarios targeting your industry so that you can act swiftly when confronted with one of them.

We can conclude that the issues involving cybersecurity are many and complex, but that CFEs are equipped to bring much needed, fraud-related experience to any management’s table as part of the team confronting them.

The Keys to the Kingdom

One of our investigators left a comment on a post last week about the policy of her client employer to encrypt laptops and other data storage devices, and the inability of various proprietary vendor key generation products to communicate with each other across different storage platforms. This issue is important to fraud examiners because we routinely work with many different types of encrypted client financial data housed on various platforms, and so need the ability to obtain access and trace transactions across those platforms. A cryptographic key used to encrypt the data on a storage device is like the combination to a safe: if you have the combination you can lock and unlock the data for use.

Our clients’ need for some kind of coherent key management solution across devices is driven by the need to encrypt data in storage (data at rest). As anti-fraud practitioners, we read almost daily in on-line media how the law of supply and demand has driven the fraudster’s price for sensitive data, such as bank account and credit card numbers, to lower and lower levels, certainly facilitated by frequently reported, large-scale data breaches of millions and millions of private transaction records. Complete identities, or enough other sensitive personal information to make it an easy matter to impersonate someone, are now available for as little as $1.00 each. Fraudsters can obtain names, addresses, dates of birth, phone numbers and, for U.S. victims, social security numbers.

The point is that fraudsters now have little economic incentive to go after the identifying information they need by snooping a corporate target’s network connections when they can compromise a laptop or a storage device of some sort and get access to a lifetime’s worth of exploitable data almost instantly. Storage devices are targeted by smart fraudsters and criminal gangs because, in today’s organizations, that is where most of the data are.

Encrypting data stores is thus the best way to minimize the damage to our clients, and their customers, from data breaches. But comprehensive key management solutions across platforms and vendor products are still relatively new, and there is no universal standard that supports interoperability of products from different vendors. With that said, how might a key management solution work? An encrypting tape drive gets keys from a key server and uses them to encrypt all data that is written to tapes and to decrypt all data that it reads from tapes. In another solution, an encryption appliance gets keys from its own key server and uses them to encrypt all data written to a Redundant Array of Independent Disks (RAID) array and to decrypt all data read from its array.

Our reader was commenting that, in her experience with today’s products, the examiner cannot always depend on storage devices being able to get keys from a remote key server, so that if a backup tape is encrypted and sent to the backup facility, the offsite storage device may be unable to reach the key server in the data center to obtain a decryption key.
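The write and restore paths described two paragraphs above, together with the offsite failure our reader reported, as an added Go illustration written for this page (not code from the post or from any vendor's product): a key server holds key-encryption keys (KEKs) and hands the encrypting drive a fresh data key plus that data key wrapped under a KEK, so the tape carries only the wrapped key and ciphertext. AES-256-GCM stands in for whatever wrapping a vendor's product uses, the `Reachable` flag stands in for the network path between drive and key server, and the KEK ID, key bytes and tape contents are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key sizes are fixed at 32 bytes in this example
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal returns nonce||ciphertext; open reverses it and fails on a wrong key or altered bytes.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// KeyServer holds key-encryption keys (KEKs) by ID and never releases them; Reachable stands in for the network.
type KeyServer struct {
	KEKs      map[string][]byte
	Reachable bool
}

func (s *KeyServer) kekFor(id string) ([]byte, error) {
	if kek, ok := s.KEKs[id]; ok && s.Reachable {
		return kek, nil
	}
	return nil, fmt.Errorf("KEK %q unavailable (server reachable: %v)", id, s.Reachable)
}

// GenerateDataKey hands a drive a fresh data-encryption key (DEK) plus the same DEK wrapped under the KEK; Unwrap reverses that at restore time.
func (s *KeyServer) GenerateDataKey(kekID string) ([]byte, []byte, error) {
	kek, err := s.kekFor(kekID)
	if err != nil {
		return nil, nil, err
	}
	dek := make([]byte, 32)
	rand.Read(dek)
	return dek, seal(kek, dek, []byte(kekID)), nil
}

func (s *KeyServer) Unwrap(kekID string, wrapped []byte) ([]byte, error) {
	kek, err := s.kekFor(kekID)
	if err != nil {
		return nil, err
	}
	return open(kek, wrapped, []byte(kekID))
}

// Tape is what leaves the building; nothing on it decrypts without a server holding its KEK.
type Tape struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// WriteTape is the encrypting drive's write path; ReadTape is the restore path wherever the tape ends up.
func WriteTape(server *KeyServer, kekID string, data []byte) (*Tape, error) {
	dek, wrapped, err := server.GenerateDataKey(kekID)
	if err != nil {
		return nil, err
	}
	return &Tape{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: seal(dek, data, nil)}, nil
}

func ReadTape(server *KeyServer, t *Tape) ([]byte, error) {
	dek, err := server.Unwrap(t.KEKID, t.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("cannot restore tape: %w", err)
	}
	return open(dek, t.Ciphertext, nil)
}

func main() {
	kek := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte KEK; a real server keeps it in an HSM
	dc := &KeyServer{KEKs: map[string][]byte{"kek-2024": kek}, Reachable: true}
	tape, _ := WriteTape(dc, "kek-2024", []byte("GL-2024Q3 ledger export"))
	dc.Reachable = false // the offsite drive cannot reach the data-center server
	_, err := ReadTape(dc, tape)
	pt, err2 := ReadTape(&KeyServer{KEKs: dc.KEKs, Reachable: true}, tape) // replica at the backup site
	fmt.Printf("via data-center server: %v\nvia replica: %q %v\n", err, pt, err2)
}
```

Run as written, the first restore fails because the drive at the backup site cannot reach the data-center key server, which is the situation our reader described; the second succeeds only because a replica holding the same KEK exists where the tape is. That is the question worth putting to a client for every offsite copy: which key server will the restoring device actually reach, and does it hold the keys the tape names?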

Strong key management is as important as the strength of cryptographic algorithms and the keys themselves when it comes to protecting our clients’ sensitive data. Key management technology is still relatively new and there appears to be an insufficient degree of interoperability among the key management solutions of different vendors. The encryption of data is such an essential preventative control for fraud examiners that our risk assessments should be adjusted to reflect advances in key management technology on as close to a concurrent basis as possible.
