Category Archives: Digital Incident Response Planning

Regulating the Financial Data Breach

During several years of my early career, I was employed as a Manager of Operations Research by a mid-sized bank holding company. My small staff and I would endlessly discuss issues related to fraud prevention and develop techniques to keep our customers’ checking and savings accounts safe, secure and private. A never ending battle!

It was a simpler time technically, but a large proportion of fraud committed against banks and financial institutions today still involves the illegal use of stolen customer or bank data. For that reason, some of the newest and most important laws and regulations that management assurance professionals like CFEs must be aware of in our practice, and with which our client banks must comply, relate to safeguarding confidential data both from internal theft and from breaches of the bank’s information security defenses by outside criminals.

As the ACFE tells us, there is no silver bullet for fully protecting any organization from the ever growing threat of information theft. Yet full implementation of the measures required by the federal banking regulators’ provisions now in place can at least lower the risk of a costly breach occurring. This is particularly true since the size of recent data breaches across all industries has forced Federal enforcement agencies to become increasingly active in monitoring compliance with the critical rules governing the safeguarding of customer credit card data, bank account information, Social Security numbers, and other personal identifying information. Among these key rules are the Federal Reserve Board’s Inter-agency Guidelines Establishing Information Security Standards, which define customer information as any record containing nonpublic personal information about an individual who has obtained a financial product or service from an institution that is to be used primarily for personal, family, or household purposes and who has an ongoing relationship with the institution.

It’s important to realize that, under the Inter-agency Guidelines, customer information refers not only to information pertaining to people who do business with the bank (i.e., consumers); it also encompasses, for example, information about (1) an individual who applies for but does not obtain a loan; (2) an individual who guarantees a loan; (3) an employee; or (4) a prospective employee. A financial institution must also require, by contract, its own service providers who have access to consumer information to develop appropriate measures for the proper disposal of the information.

The FRB’s Guidelines are to a large extent drawn from the information protection provisions of the Gramm Leach Bliley Act (GLBA) of 1999, which repealed the Depression-era Glass-Steagall Act that substantially restricted banking activities. However, GLBA is best known for its formalization of legal standards for the protection of private customer information and for rules and requirements for organizations to safeguard such information. Since its enactment, numerous additional rules and standards have been put into place to fine-tune the measures that banks and other organizations must take to protect consumers from the identity-related crimes to which information theft inevitably leads.

Among GLBA’s most important information security provisions affecting financial institutions is the so-called Financial Privacy Rule. It requires banks to provide consumers with a privacy notice at the time the consumer relationship is established and every year thereafter.

The notice must provide details collected about the consumer, where that information is shared, how that information is used, and how it is protected. Each time the privacy notice is renewed, the consumer must be given the choice to opt out of the organization’s right to share the information with third-party entities. That means that if bank customers do not want their information sold to another company, which will in all likelihood use it for marketing purposes, they must indicate that preference to the financial institution.

CFEs should note that most pro-privacy advocacy groups strongly object to this and other privacy related elements of GLBA because, in their view, these provisions do not provide substantive protection of consumer privacy. One major advocacy group has stated that GLBA does not protect consumers because it unfairly places the burden on the individual to protect privacy with an opt-out standard. By placing the burden on the customer to protect his or her data, GLBA weakens customer power to control their financial information. The Act’s opt-out provisions do not require institutions to provide a standard of protection for their customers regardless of whether they opt out. This provision is based on the assumption that financial companies will share information unless expressly told not to do so by their customers and, if customers neglect to respond, it gives institutions the freedom to disclose customer nonpublic personal information.

CFEs need to be aware, however, that for bank clients, regardless of how effective, or not, GLBA may be in protecting customer information, noncompliance with the Act itself is not an option. Because of the current explosion in breaches of bank information security systems, the privacy issue has to some degree been overshadowed by the urgency to physically protect customer data; for that reason, compliance with the Interagency Guidelines concerning information security is more critical than ever. The basic elements partially overlap with the preventive measures against internal bank employee abuse of the bank’s computer systems. However, they go quite a bit further by requiring banks to:

—Design an information security program to control the risks identified through a security risk assessment, commensurate with the sensitivity of the information and the complexity and scope of the institution’s activities.
—Evaluate a variety of policies, procedures, and technical controls and adopt those measures found to most effectively minimize the identified risks.
—Apply and enforce access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and to prevent employees from providing customer information to unauthorized individuals who may seek to obtain it through fraudulent means.
—Restrict access at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities, to authorized individuals only.
—Encrypt electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may gain access.
—Establish procedures designed to ensure that customer information system modifications are consistent with the institution’s information security program.
—Implement dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information.
—Monitor systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems.
—Maintain response programs that specify actions to be taken when the institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.
—Protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

The Inter-agency Guidelines require a financial institution to determine whether to adopt controls to authenticate and permit only authorized individuals access to certain forms of customer information. Under this control, a financial institution also should consider the need for a firewall to safeguard confidential electronic records. If the institution maintains Internet or other external connectivity, its systems may require multiple firewalls with adequate capacity, proper placement, and appropriate configurations.

Similarly, the institution must consider whether its risk assessment warrants encryption of electronic customer information. If it does, the institution must adopt the necessary encryption measures to protect information in transit, in storage, or both. The Inter-agency Guidelines do not impose specific authentication or encryption standards, so it is advisable for CFEs to consult outside experts on the technical details applicable to the client institution’s security requirements, especially when conducting after-the-fact fraud examinations.

The financial institution also must consider the use of an intrusion detection system to alert it to attacks on computer systems that store customer information. In assessing the need for such a system, the institution should evaluate the ability, or lack thereof, of its staff to rapidly and accurately identify an intrusion. It also should assess the damage that could occur between the time an intrusion occurs and the time the intrusion is recognized and action is taken.

The regulatory agencies have also provided our clients with requirements for responding to information breaches. These are contained in a related document entitled Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (Incident Response Guidance). According to the Incident Response Guidance, a financial institution should develop and implement a response program as part of its information security program. The response program should address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer.

Finally, the Inter-agency Guidelines require financial institutions to train staff to prepare and implement their information security programs. The institution should consider providing specialized training to ensure that personnel sufficiently protect customer information in accordance with its information security program.

For example, an institution should:

—Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext calling.
—Provide staff members responsible for building or maintaining computer systems and local and wide area networks with adequate training, including instruction about computer security.
—Train staff to properly dispose of customer information.

Fraud Risk Assessing the Trusted Insider

A bank employee accesses her neighbor’s accounts on-line and discloses this information to another person living in the neighborhood; soon everyone seems to be talking about the neighbor’s financial situation. An employee of a mutual fund company accesses his father-in-law’s accounts without a legitimate reason or permission from the unsuspecting relative and uses the information to pressure his wife into making a bad investment from which the father-in-law, using money from the fund account, ultimately pays to extricate his daughter. Initially, out of curiosity, an employee at a local hospital accesses admission records of a high-profile athlete whom he recognized in the emergency room but then shares that information (for a price) with a tabloid newspaper reporter who prints a story.

Each of these is an actual case and each is a serious violation of various Federal privacy laws. None of these three scenarios was the work of an anonymous intruder lurking in cyberspace or of an identity thief who compromised a data center. Rather, this database browsing was perpetrated by a trusted insider, an employee whose daily duties required access to vast databases housing financial, medical and educational information. From the comfort and anonymity of their workstations, such employees are increasingly capable of accessing personal information for non-business reasons and, sometimes, to support the accomplishment of actual frauds. The good news is that CFEs can help with targeted fraud risk assessments specifically tailored to assess the probability of this threat type and then to advise management on an approach to its mitigation.

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 update of the Internal Control Integrated Framework directs organizations to conduct a fraud risk assessment as part of their overall risk assessment. The discussion of fraud in COSO 2013 centers on Principle 8: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” Under the 1992 COSO framework, most organizations viewed fraud risk primarily in terms of satisfying the U.S. Sarbanes-Oxley Act of 2002 requirements to identify fraud controls to prevent or detect fraud risk at the transaction level. In COSO 2013, fraud risk becomes a specific component of the overall risk assessment that focuses on fraud at the entity and transaction levels. COSO now requires a strong internal control foundation that addresses fraud broadly to encompass company objectives as part of its strategy, operations, compliance, and reporting. Principle 8 describes four specific areas: fraudulent financial reporting, fraudulent nonfinancial reporting, misappropriation of assets, and illegal acts. The inclusion of non-financial reporting is a meaningful change that addresses sustainability, health and safety, employment activity and similar reports.

One useful document for performing a fraud risk assessment is Managing the Business Risk of Fraud: A Practical Guide, produced by the American Institute of Certified Public Accountants, and by our organization, the Association of Certified Fraud Examiners, as well as by the Institute of Internal Auditors. This guide to establishing a fraud risk management program includes a sample fraud policy document, fraud prevention scorecard, and lists of fraud exposures and controls. Managing the Business Risk of Fraud advises organizations to view fraud risk assessment as part of their corporate governance effort. This commitment requires a tone at the top that embraces strong governance practices, including written policies that describe the expectations of the board and senior management regarding fraud risk. The Guide points out that as organizations continue to automate key processes and implement technology, thus allowing employees broad access to sensitive data, misuse of that data becomes increasingly difficult to detect and prevent. By combining aggressive data collection strategies with innovative technology, public and private sector organizations have enjoyed dramatic improvements in productivity and service delivery that have contributed to their bottom line. Unfortunately, while these practices have yielded major societal benefits, they have also created a major challenge for those charged with protecting confidential data.

CFEs proactively assessing client organizations that use substantial amounts of private customer information (PCI) for fraud risk should expect to see the presence of controls related to data access surveillance. Data surveillance is the systematic monitoring of information maintained in an automated environment, usually a database. The kinds of controls CFEs should look for are the presence of a privacy strategy that combines the establishment of a comprehensive policy, an awareness program that reinforces the consequences of non-business accesses, a monitoring tool that provides for ongoing analysis of database activity, an investigative function to resolve suspect accesses and a disciplinary component to hold violators accountable.

The creation of an enterprise confidentiality policy on the front end of the implementation of a data surveillance program is essential to its success. An implementing organization should establish a data access policy that clearly explains the relevant prohibitions, provides examples of prohibited activity and details the consequences of non-business accesses. This policy must apply to all employees, regardless of their title, seniority or function. The AICPA/ACFE Guide recommends that all employees, beginning with the CEO, be required to sign an annual acknowledgment affirming that they have received and read the confidentiality policy and understand that violations will result in the imposition of disciplinary action. No employees are granted access to any system housing confidential data until they have first signed the acknowledgment.

In addition to issuing a policy, it is imperative that organizations formally train employees regarding its various provisions and caution them on the consequences of accessing data for non-business purposes. During the orientation process for new hires, all employees should receive specialized training on the confidentiality policy. As an added reminder, prior to logging on to any database that contains personal information, employees should receive an electronic notice stating that their activities are being monitored and that all accesses must be related to an official business purpose. Employees are not granted access into the system until they electronically acknowledge this notice.

Given that data surveillance is a process of ongoing monitoring of database activity, it is necessary for individual accesses to be captured and maintained in a format conducive to analysis. There are many commercially available software tools that can be used to monitor access to relational databases on a real-time basis. Transaction tracking technology, as one example, can dynamically generate Structured Query Language (SQL) queries based upon various search criteria and provides the capability for customized analyses within each application housing confidential data. The search results are available in Microsoft Excel, PDF and table formats, and may be printed, e-mailed and archived.

Our CFE client organizations that establish a data access policy and formally notify all employees of the provisions of that policy, institute an ongoing awareness program to reinforce the policy and implement technology to track individual accesses of confidential data have taken the initial steps toward safeguarding data. These are necessary components of a data surveillance program and serve as the foundation upon which the remainder of the process may be based. That said, it is critical that organizations not rely solely on these components, as doing so will result in an unwarranted sense of security. Without an ongoing monitoring process to detect questionable database activity and a comprehensive investigative function to address unauthorized accesses, the impact of the foregoing measures will be marginal.
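As an added illustration of the monitoring step described above (not code from any vendor tool or from the Guide), the following script applies three simple surveillance rules to a constructed database access log: accesses with no recorded business reference, accesses to accounts whose holder shares the employee's surname or zip code, and bursts of unreferenced lookups that suggest browsing. Employee and account directories, log lines, thresholds and rule names are all hypothetical.

```python
"""Added example: a minimal data-surveillance review that applies three
checks to a constructed database access log. Hypothetical data, thresholds
and rule names; not any vendor's monitoring product."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed HR and customer directories (hypothetical values).
EMPLOYEES = {
    "E100": {"surname": "Alvarez", "zip": "23220"},
    "E200": {"surname": "Nguyen", "zip": "23230"},
}
ACCOUNT_HOLDERS = {
    "AC-1": {"surname": "Brown", "zip": "23220"},   # same zip as E100 (a neighbor)
    "AC-2": {"surname": "Nguyen", "zip": "23112"},  # same surname as E200 (a relative)
    "AC-3": {"surname": "Smith", "zip": "23059"},
    "AC-4": {"surname": "Lee", "zip": "23059"},
    "AC-5": {"surname": "Park", "zip": "23059"},
}
# Constructed access log: timestamp,employee,account,action,case_ref
# (an empty case_ref means no business reason was recorded for the lookup).
ACCESS_LOG = """\
2024-03-04T09:01:00,E100,AC-3,VIEW_BALANCE,CASE-7781
2024-03-04T09:05:00,E100,AC-1,VIEW_HISTORY,
2024-03-04T09:06:00,E200,AC-2,VIEW_HISTORY,
2024-03-04T09:07:00,E200,AC-3,VIEW_BALANCE,
2024-03-04T09:07:30,E200,AC-4,VIEW_BALANCE,
2024-03-04T09:08:00,E200,AC-5,VIEW_BALANCE,
2024-03-04T09:30:00,E100,AC-4,VIEW_BALANCE,CASE-7790
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    employee: str
    account: Optional[str]   # None for per-employee findings
    detail: str


def parse_log(text: str) -> List[dict]:
    """Parse the CSV-style log into dicts with a datetime timestamp, oldest first."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, acct, action, case_ref = line.split(",")
        entries.append({"ts": datetime.fromisoformat(ts), "employee": emp,
                        "account": acct, "action": action, "case_ref": case_ref})
    return sorted(entries, key=lambda e: e["ts"])


def review_accesses(entries: List[dict], employees: Dict[str, dict],
                    holders: Dict[str, dict], burst_n: int = 3,
                    burst_window: timedelta = timedelta(minutes=5)) -> List[Finding]:
    """Flag accesses that (1) carry no business reference, (2) touch an account
    whose holder shares the employee's surname or zip code, or (3) form a burst
    of unreferenced lookups suggesting browsing rather than work."""
    findings: List[Finding] = []
    unreferenced: Dict[str, List[datetime]] = {}
    for e in entries:
        emp, acct = e["employee"], e["account"]
        if not e["case_ref"]:
            findings.append(Finding("NO_BUSINESS_REFERENCE", emp, acct,
                                    f"{e['action']} at {e['ts'].isoformat()}"))
            unreferenced.setdefault(emp, []).append(e["ts"])
        staff, holder = employees.get(emp), holders.get(acct)
        if staff and holder:
            if staff["surname"] == holder["surname"]:
                findings.append(Finding("AFFINITY_MATCH", emp, acct, "shared surname"))
            elif staff["zip"] == holder["zip"]:
                findings.append(Finding("AFFINITY_MATCH", emp, acct, "shared zip code"))
    # Burst rule: burst_n unreferenced lookups inside burst_window, reported once per employee.
    for emp, times in unreferenced.items():
        for i in range(len(times) - burst_n + 1):
            if times[i + burst_n - 1] - times[i] <= burst_window:
                minutes = int(burst_window.total_seconds() // 60)
                findings.append(Finding("BROWSING_BURST", emp, None,
                                        f"{burst_n}+ unreferenced lookups within {minutes} min"))
                break
    return findings


if __name__ == "__main__":
    for f in review_accesses(parse_log(ACCESS_LOG), EMPLOYEES, ACCOUNT_HOLDERS):
        print(f"{f.rule:22} {f.employee} {f.account or '-':5} {f.detail}")
```

Each finding is a lead for the investigative function the post describes, not a conclusion; the employee's case reference may simply have been omitted.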

The final piece of a data surveillance program is the disciplinary process. The ACFE tells us that employees who willfully violate the policy prohibiting nonbusiness access of confidential information must be disciplined; the exact nature of which discipline should be determined by executive management. Without a structured disciplinary process, employees will realize that their database browsing, even if detected, will not result in any consequence and, therefore, they will not be deterred from this type of misconduct. Without an effective disciplinary component, an organization’s privacy protection program will ultimately fail.

The bottom line is that our client organizations that maintain confidential data need to develop measures to protect this asset from internal as well as from external misuse, without imposing barriers that restrict their employees’ ability to perform their duties. In today’s environment, those who are perceived as being unable to protect the sensitive data entrusted to them will inevitably experience an erosion of consumer confidence, and the accompanying consequences. Data surveillance deployed in conjunction with a clear data access policy, an ongoing employee awareness program, an innovative monitoring process, an effective investigative function and a standardized disciplinary procedure are the component controls the CFE should look for when conducting a proactive fraud risk assessment of employee access to PCI.

Making Sure It Sticks


As a follow-on to our last blog post (see To Have and to Hold immediately above), I thought I’d talk a little about the documents our investigating CFE was able to find.

These case documents proved critical to the examination and were found in both paper and digital form. Of the two types of evidence, the digital documents proved the most voluminous and the trickiest from an investigative point of view. Suspected frauds, such as the one our CFE reader was investigating, leave behind data on computer systems, all kinds of data. Despite the ubiquity of this digital evidence, though, it’s often overlooked, collected incorrectly, or analyzed ineffectively. The rub is that, if relevant evidence isn’t gathered at the very beginning of an investigation, it may be too late to do so later in the process. Therefore, ideally, a CFE’s client organization’s management should consider the importance of digital evidence from the outset of its operations and be prepared to gather it for a wide range of financial fraud related scenarios; indeed, most of the larger, more sophisticated companies, finding themselves routinely under cyber-attack, already do so.

It’s been my experience that many organizations underestimate just how often they may need to produce reliable evidence of what has happened in their information systems. And, importantly, from the individual CFE’s point of view, they also may underestimate the demands that the legal system makes in terms of ensuring the admissibility and reliability of digital evidence. Unless an organization has developed a detailed incident response plan, much potential evidence will never be collected or will become worthless as a result of contamination. As a preliminary to any investigation involving digital data, CFEs should assess whether the client organization has applied a consistent and effective approach to managing information security incidents, including staff and organizational responsibilities and procedures; not having done so can prove a significant legal problem for the client in court. When a follow-up action against a person after an information security related fraud involves legal action, evidence should be collected, retained, and presented to conform to the rules for evidence promulgated by the relevant jurisdiction(s). The examination should also review whether documented procedures are developed and followed when collecting and presenting routine evidence for internal disciplinary actions.

Digital forensic readiness (DFR) focuses on proactively collecting and preserving potential digital evidence. This can limit business risk by providing support for all kinds of legal defense, civil litigation, criminal prosecution, internal disciplinary actions, intellectual property claims, and due care documentation. It also can document the impact of a crime or disputed action for an insurance or damage claim. In addition, digital forensics can support the recovery process indirectly after an incident (something that proved very important for the client of our CFE in the ‘To Have and to Hold’ case).

When preparing data for use as evidence, all CFEs know that it’s often necessary to provide further supporting information. It’s important to show that audit trail information can demonstrate that the system used to preserve evidence is functioning appropriately. It’s also important to demonstrate how information progresses through it. Audit trails need to be comprehensive and overseen appropriately, because without them the integrity and authenticity, and thus the evidential weight, of the data stored in the system could be questioned in court. In addition to the system’s effectiveness, CFEs need to be concerned with whether access to audit trail information was controlled adequately. In some applications, access may be needed infrequently, so it’s important that the access procedures be documented.

In most jurisdictions, the legal admissibility of digital evidence (or any evidence) in a court of law is governed by three fundamental principles: relevance, reliability, and sufficiency. Digital evidence is relevant when it can prove or disprove an element of the specific case being investigated. Although the meaning of reliable (i.e., authentic and accurate) varies among jurisdictions, a general principle is to ensure the digital evidence is what it purports to be and has not been spoiled. It is not always necessary to collect all data or to make a complete copy of the original evidence. In many jurisdictions, the concept of sufficiency means that enough evidence has been collected to prove or disprove the elements of the matter.

Information security is key when discussing legal admissibility. Was the process for capturing electronic information secure? Was the correct information captured, and was it complete and accurate? During storage, was the information changed in any way? When responding to questions by opposing counsel about the authenticity of stored information, organizations must show whether the system was operated correctly at all times. To address this issue, CFEs should establish that all relevant procedures are well thought out, complete in scope, documented, and operated by competent individuals.
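One concrete way to answer the "was the information changed during storage?" question above is a hash-chained chain-of-custody record: each custody event stores the digest of the evidence item and the hash of the preceding entry, so any later edit, deletion or reordering breaks verification. The following is an added example, not code from the post or from any forensic product; the item, actors, timestamps and record layout are constructed.

```python
"""Added example: a hash-chained evidence audit trail for digital forensic
readiness. Constructed sample evidence and actors; hypothetical record
layout, not a standard or a product's log schema."""
import hashlib
import json
from typing import List, Optional, Tuple

# Constructed sample evidence item (stands in for a collected file image).
SAMPLE_EVIDENCE = b"constructed export of wire-transfer ledger rows 1-250\n"
GENESIS = "0" * 64  # prev_hash recorded on the first entry


def digest(data: bytes) -> str:
    """SHA-256 hex digest of an evidence item."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash the entry (minus its own hash) using a canonical JSON encoding."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def append_event(chain: List[dict], when: str, actor: str, action: str,
                 item_id: str, item_sha256: str) -> dict:
    """Append a custody event whose hash covers the previous entry's hash."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    entry = {"seq": len(chain), "when": when, "actor": actor, "action": action,
             "item_id": item_id, "item_sha256": item_sha256, "prev_hash": prev}
    entry["entry_hash"] = _entry_hash(entry)
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    """Recompute every link; return (True, None) or (False, seq of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False, i          # reordered, deleted or inserted entry
        if _entry_hash(entry) != entry["entry_hash"]:
            return False, i          # entry contents edited after the fact
        prev = entry["entry_hash"]
    return True, None


def item_unchanged(chain: List[dict], item_id: str, data: bytes) -> bool:
    """Check that stored bytes still match the digest recorded at collection."""
    first = next(e for e in chain if e["item_id"] == item_id)
    return digest(data) == first["item_sha256"]


def build_sample_chain() -> List[dict]:
    """Collection, hand-off and analysis of one item (constructed events)."""
    chain: List[dict] = []
    h = digest(SAMPLE_EVIDENCE)
    append_event(chain, "2024-03-04T10:00:00Z", "cfe.lee", "COLLECTED", "ITEM-1", h)
    append_event(chain, "2024-03-04T12:30:00Z", "cfe.lee", "TRANSFERRED", "ITEM-1", h)
    append_event(chain, "2024-03-05T09:15:00Z", "analyst.kim", "ANALYZED", "ITEM-1", h)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    chain[1]["action"] = "DELETED"   # simulate an after-the-fact edit to the trail
    print("after edit:", verify_chain(chain))
```

In practice the entry hashes would also be written to a store the custodians cannot modify (a signed log or a second system), since a chain verifies its own consistency but not who last rewrote all of it.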

To reduce the risk of legal challenges, CFEs should consider offering evidence that the client organization has implemented security measures. Management should have reviewed information security systems at planned intervals to determine whether their control objectives, controls, processes, and procedures:

–Conform to the requirements of information security standards and relevant regulations;
–Conform to the identified IT security requirements;
–Are implemented and maintained effectively;
–Are performing as expected.

Determining which digital evidence the organization should be collecting and preserving is a two-step process. First, the crimes and disputes the organization is exposed to must be determined. Second, based on the identified exposure, the organization needs to identify potential evidence based on a risk analysis combined with a cost/benefit approach.

DFR is a natural progression for organizations with a mature information security posture, enabling them to pursue perpetrators in the legal domain when other security measures have failed. Among more security-aware CFE clients, it can enhance existing processes and leverage incident response, business continuity, and crime prevention activities. CFEs can provide assurance of their client organization’s forensic readiness based on the following criteria suggested by the ACFE:

–Whether the organization has identified the main likely threats it faces;
–Whether the organization has identified what sorts of evidence it is likely to need in a criminal proceeding and how it will secure that data;
–Whether the organization has identified the amount and quality of evidence it already has collected;
–Whether the organization is familiar with potential legal problems such as admissibility, data protection, human rights, limits to surveillance, obligations to staff members and others, and disclosure in legal proceedings;
–Whether the organization has identified the management, skill, and resource implications and developed an action plan.

CFEs, as part of the planning for a fraud or incident investigation, should ensure the completeness and integrity of digital evidence. Moreover, they should ensure that potentially useful evidence is never overlooked. A functioning and documented DFR supports such assurance and helps make sure that assurance sticks.

Trust Me

During a joint training seminar between our Chapter and the Virginia State Police held earlier this year, I took the opportunity to ask the attendees (many of whom are practicing CFEs) to name the most common fraud type they’d individually investigated in the past year. It turned out that one form or another of affinity fraud won hands down, at least here in Central Virginia.

This most common type of fraud targets specific sectors of society such as religious affiliates, the fraudster’s own relatives or acquaintances, retirees, racial groups, or professional organizations of which the fraudster is a member. Our Chapter members indicate that when a scammer ingratiates himself within a group and gains trust, an affinity fraud of some kind can almost always be expected to be the result.

Regulators and other law enforcement personnel typically attempt to identify instances of affinity fraud in order to prosecute the perpetrator and return the fraudulently obtained goods to the victims. However, affinity fraud tends to be an underreported crime since victims may be embarrassed that they so easily fell prey to the fraudster in the first place or they may remain connected to the offender because of emotional bonding and/or cultivated trust. Reluctance to report the crime also frequently stems from a misplaced belief that the fraudster is fundamentally a good guy or gal and will ultimately do the right thing and return any funds taken. In order to stop affinity fraud, regulators and law enforcement must obviously first be able to detect and identify the crime, caution potential investors, and prevent future frauds by taking appropriate legal actions against the perpetrators.

The poster boy for affinity fraud is, of course, Bernard Madoff. The Madoff tragedy is considered an affinity fraud because the vast majority of his clientele shared Madoff’s religion, Judaism. Over the years, Madoff’s list of victims grew to include prominent persons in the finance, retail and entertainment industries. This particular affinity fraud was unprecedented because it was perpetrated by Madoff over several decades, and customers were defrauded of approximately twenty billion dollars. It can be debated whether the poor economy, lack of investor education, or ready access to diverse persons over the internet has led to an increase in affinity fraud, but there can be no doubt that the internet makes it increasingly easy for fraudsters to pose as members of any community they target. And it’s clear that affinity frauds have dramatically increased in recent years. In fact, affinity fraud has been identified by the ACFE as one of the top five investment schemes since 1998.

Affinity frauds assume different forms, e.g. information phishing expeditions, investment scams, or charity cons. However, most affinity frauds have a common element and entail a pyramid-type of Ponzi scheme. In these types of frauds, the offender uses new funds from fresh victims as payment to initial investors. This creates the illusion that the scam is profitable and additional victims would be wise to invest. These types of scams inevitably collapse when it either becomes clear to investors or to law enforcement that the fraudster is not legitimate or there are no more financial backers for the fraud. Although most fraud examiners may be familiar with the Madoff scandal, there are other large scale affinity frauds perpetrated across the United States almost on a daily basis that continue to shape how regulators and other law enforcement approach these frauds.

Perpetrators of affinity frauds work hard, sometimes over a period of years, to make their scams appealing to their targeted victims. Once the offenders have targeted a community or group, they seek out respected community leaders to vouch for them to potential investors. By having an esteemed figurehead who appears to be knowledgeable about the investment and endorses it, the offender creates legitimacy for the con. Additionally, others in the community are less likely to ask questions about a venture or investment if a community leader recommends or endorses the fraudster. In the Madoff case, Madoff himself was an esteemed member of the community. As a former chair of the National Association of Securities Dealers (NASD) and owner of a company ranked sixth largest market maker on the National Association of Securities Dealers Automated Quotations (NASDAQ), Madoff’s reputation in the financial services industry was impeccable and people were eager to invest with him.

The ACFE indicates that projection bias is yet another reason why affinity fraudsters are able to continually perpetrate these types of crimes. Psychological projection is a concept introduced by Sigmund Freud to explain the unconscious transference of a person’s own characteristics onto another person. The victims in affinity fraud cases project their own morals onto the fraudsters, presuming that the criminals are honest and trustworthy. However, the similarities are almost certainly the reason why the fraudster targeted the victims in the first place. In some cases when victims are interviewed after the fact, they indicate to law enforcement that they trusted the fraudster as if they were a family member because they believed that they shared the same value system.

Success of affinity fraud stems from the higher degree of trust and reliance associated with many of the groups targeted for such conduct. Because of the victims’ trust in the offender, the targeted persons are less likely to fully investigate the investment scheme presented to them. The underlying rationale of affinity fraud is that victims tend to be more trusting, and, thus, more likely to invest with individuals they have a connection with – family, religious, ethnic, social, or professional. Affinity frauds are often difficult to detect because of the tight-knit nature common to some groups targeted for these schemes. Victims of these frauds are less likely to inform appropriate law enforcement of the problems, and the frauds tend to continue until an investor or an outsider to the target group finally starts to ask questions.

Because victims in affinity frauds are less likely to question or to go outside of the group for assistance, information or tips regarding the fraud may never reach regulators or law enforcement. In cases involving religious communities, there is often an unwritten rule that what happens in church stays there, with disputes handled by the church elders or the minister. Once the victims place their trust in the fraudster, they are less likely to believe they have been defrauded and also unlikely to investigate the con. Regulators and other law enforcement personnel can also learn from prior failures in identifying or stopping affinity frauds. Because the Madoff fraud is one of the largest frauds in history, many studies have been conducted to determine how it could have been stopped sooner. In hindsight, there were numerous red flags indicating that Madoff’s activity was fraudulent; however, appropriate actions were not taken to halt the scheme. The United States Securities and Exchange Commission (SEC) received several complaints against Madoff as early as 1992, including several official complaints filed by Harry Markopolos, a former securities industry professional and fraud investigator. Every step of the way, Madoff appeared to use his charm and manipulative ways to explain away his dealings to the SEC inspection teams. The complaints were not properly investigated, and after Madoff’s arrest the SEC was the target of a great deal of criticism. The regulators obviously did not apply appropriate professional skepticism while doing their jobs and relied on Madoff’s reputation and representations rather than on evidence to the contrary. In the wake of this scandal, regulatory reforms were deemed a priority at the SEC and other similar agencies.

Education is needed for the investing public and for regulators and law enforcement personnel alike, to ensure that all have the proper knowledge and tools to understand, detect, stop, and prevent these types of frauds. This is where Fraud Examiners are uniquely qualified to offer their communities much needed assistance. Affinity frauds are not easily anticipated by the victims. Madoff whistleblower Markopolos asserted that “nobody thinks one of their own is going to cheat them”.

Affinity frauds will not be curtailed unless the public, the auditing and fraud examination communities, and regulators and other law enforcement personnel are all involved.

E-Discovery & Fraud Mitigation

One of our fellow Chapter members currently finds himself consumed by a complex examination involving e-discovery issues. It seems the case involves the production to the court, by our member’s client, of all the e-mails of 20 named employees directly or indirectly involved in a suspected fraud over a three-year period. Needless to say, the client organization, a medium-sized company that has outsourced the administration of its IT to the cloud, is struggling to comply within the court’s strict timeframe.

The U.S. court system’s Federal Rules of Civil Procedure (FRCP) have required for the last decade or so that any enterprise that might find itself involved in litigation in federal court must maintain electronic records. The general term “electronically stored information” (ESI), as applied to today’s vast array of electronically generated documents, encompasses more than the simple fact of storage and retention; it extends to the requirement that the ESI generated by an enterprise also be secure and protected from unauthorized access, use or destruction. Further, the FRCP require that company attorneys and IT managers be able to clearly demonstrate to the court how ESI is stored, the company procedures established to manage, control, protect and retrieve it under court order, and the policies governing its retention. If all that weren’t enough for any organization, the rules require evidence of an established history (and an implementation routine) for any deletion of our client companies’ ESI. Feigned ignorance and plausible denial of the requirements are not tolerated and can lead to heavy fines and penalties.

Two important concepts involving ESI have complicated the case of our member’s client: hold management and spoliation. Hold management refers to the company’s ability to respond effectively to a legal action. Once an enterprise is notified of a legal action, all records that may relate to that action are placed on legal hold; they may not be destroyed or altered, and their profile information may not be modified. They must be protected from destruction until the hold is lifted by the court. Our member’s client, in the normal course of business, had overwritten a number of relevant employee e-mails in the understandable effort to make room for new data on its e-mail server.

As a consequence, and to make matters worse, during the legal process the client firm also found itself potentially guilty of spoliation of evidence. Spoliation of evidence refers to the willful destruction of evidence that’s germane to the case in litigation, and this includes destruction of ESI. Spoliation is an issue fraught with complication in our cloud-based world; given the volume of electronic documents created in virtually every business today, it’s necessary to delete, archive and overwrite documents in the routine and normal course of business. Indeed, many client companies have existing data management systems and/or data retention policies in place which mandate deletion on a regular basis. That’s exactly the case with our member’s client.

Fortunately for the client, it had a formally documented, board-approved data retention policy in place. Section 26(f) of the FRCP provides a safe harbor against sanctions in the event that electronic information is lost under the “routine good faith operation” of a data management system or data retention policy such as the client’s. It’s important to emphasize, however, that this amendment doesn’t shield a party that “intentionally” destroys specific information because of its relationship to litigation, or a party that allows such information to be destroyed in order to make it unavailable to discovery by exploiting the routine operation of an information system.
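As an added illustration of hold management working alongside a routine retention purge (this is example code, not anything from our member’s client or from an e-mail product), the following Python records every deletion decision in a log; the message layout, the one-year retention period and the single constructed matter are assumptions made for the example:

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass(frozen=True)
class Message:
    msg_id: str
    custodian: str   # mailbox owner; the "named employees" in a production order
    sent: date

@dataclass(frozen=True)
class LegalHold:
    matter: str
    custodians: frozenset[str]
    start: date      # inclusive bounds of the period the court is interested in
    end: date

    def covers(self, m: Message) -> bool:
        return m.custodian in self.custodians and self.start <= m.sent <= self.end

@dataclass
class RetentionPolicy:
    policy_id: str   # reference to the board-approved retention document
    keep_days: int   # routine retention period for e-mail
    holds: list[LegalHold] = field(default_factory=list)
    audit_log: list[dict] = field(default_factory=list)

    def place_hold(self, hold: LegalHold, today: date) -> None:
        # Holds are only ever appended, so the log shows when each one arrived.
        self.holds.append(hold)
        self.audit_log.append({"date": today, "event": "hold_placed", "matter": hold.matter})

    def purge(self, mailbox: list[Message], today: date) -> list[Message]:
        """Run the routine purge and return the surviving messages.

        Every message gets a logged decision; that log is the "established history"
        of deletions the rules expect a company to be able to show.
        """
        cutoff = today - timedelta(days=self.keep_days)
        survivors: list[Message] = []
        for m in mailbox:
            hold = next((h for h in self.holds if h.covers(m)), None)
            if hold is not None:
                action, reason = "retained", f"legal hold {hold.matter}"
            elif m.sent > cutoff:
                action, reason = "retained", f"within {self.keep_days}-day retention"
            else:
                action, reason = "deleted", f"expired under policy {self.policy_id}"
            self.audit_log.append({"date": today, "event": action,
                                   "msg_id": m.msg_id, "reason": reason})
            if action == "retained":
                survivors.append(m)
        return survivors

def run_demo() -> tuple[RetentionPolicy, list[Message]]:
    """Constructed sample: a one-year e-mail policy and one matter on hold."""
    today = date(2014, 3, 1)
    policy = RetentionPolicy(policy_id="RET-2013-04 (constructed)", keep_days=365)
    policy.place_hold(LegalHold("Matter-001 (constructed)", frozenset({"alice", "carol"}),
                                date(2011, 1, 1), date(2013, 12, 31)), today)
    mailbox = [
        Message("m1", "alice", date(2012, 6, 1)),   # expired, but alice is on hold
        Message("m2", "bob", date(2012, 6, 1)),     # expired, bob is not a custodian
        Message("m3", "alice", date(2014, 2, 1)),   # still inside the retention window
        Message("m4", "alice", date(2010, 1, 1)),   # expired and predates the hold period
    ]
    survivors = policy.purge(mailbox, today)
    return policy, survivors

if __name__ == "__main__":
    pol, kept = run_demo()
    for entry in pol.audit_log:
        print(entry)
```

Note that the hold is checked before the retention clock, so a message that has expired under the routine policy is still kept while the matter is open.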

As a component of our routine fraud risk assessments, we need to point out to our clients, in light of the variety and volume of the communications that pass through their organizations each day, the absolute necessity of a viable, well-thought-out, and fully tested document management program covering communications data currently at rest in all media. But it isn’t enough simply to have a plan. The fraud risk assessment tests the likelihood of differing fraud scenarios occurring and tries to propose countermeasures. Part of the ongoing testing of scenarios should be testing of the data management plan’s capacity to handle the specific data demands of the litigation process. This should even include the evaluation of systems as sources of ESI containing older information; if such information can’t be accessed reasonably and at reasonable cost, a determination should be made (and documented) as to whether the data should be retained.

In the case of fraud, we know it’s not a question of “if” but “when”. We should recommend, as a component of the fraud prevention program, that the client periodically conduct benchmarking exercises using the enterprise’s data retrieval tools of choice against all the client’s varieties of ESI to establish ease-of-retrieval metrics. These metrics establish the time frames and costs of searching various electronic communications source systems under various fraud scenarios and their related parameters, e.g., how long will it take to gather all the internal communications having to do with the introduction of a customer service that’s the subject of litigation involving deceptive advertising practices; what are the costs involved in producing all communications involved with a significant management financial fraud, etc. The point is that repeatable data recovery processes that have been periodically tested under a schedule and found to reliably return actionable, sought-after records can be a significant key to the successful negotiation of e-discovery requests, as well as significantly reducing the costs associated with fraud mitigation, litigation and loss recovery.

Addressing Information System Fraud Risk through Uniform Control Standards – Part 3


This post is Part 3 of a general consideration of how our clients can address the more common risks associated with information-systems-facilitated fraud by developing an internal uniform set of security standards. The objective of this short series of three posts is to discuss a few of the more common controls that COSO-based control standards employ to address prominent security risks to information systems, thus reducing the risk of internal and external fraud.

The COSO standards define the physical security of hardware and software as one of a number of related controls, which also include logical access rights, identification and authentication of users at all levels, and remote access to the client’s systems. It’s especially important that control standards be well defined and publicized in this area because access is the key to the kingdom. Physical control standards have to do with some obvious things, like keeping computers in locked rooms to limit physical access, and with related logical controls that sometimes aren’t so obvious to everyone, such as the organization’s use of security software designed to prevent or detect intrusions, including unauthorized access to sensitive files such as personal health information (PHI). We need to build client understanding that access controls should be formally developed, fully documented, disseminated throughout the organization (preferably by training) and periodically updated to provide reasonable assurance that information management resources are protected against unauthorized modification, disclosure, loss, or impairment. Fraud examiners can be of great assistance to all the members of the client’s risk control assurance team in demonstrating how inadequate access controls can significantly contribute to the perpetration of numerous external and internal fraud scenarios: by diminishing the reliability of computerized data, by increasing the risk of destruction or modification of financial and other records, and by allowing inappropriate disclosure of those records to fraudsters and hackers. It’s fundamental that control standards for both physical and logical access controls be risk-based.

One issue that seems to pop up again and again in discussions of access control related weaknesses is user account types and their incorporation into groups; published audit findings related to access security identify a significant amount of auditee confusion in this area of business control. Control standards should specify that each organization’s process for managing user accounts include specific identification of the various account types (i.e., individual, group, and system), the establishment of conditions for group membership, and the assignment of associated authorizations. Additionally, the standards should specify that resource owners periodically identify and re-identify authorized users and specify access rights that are granted on the basis of a valid need to know, as determined by authorizing officials in light of separation of duties. One of the biggest identified control weaknesses is the failure of human resources departments to notify information management account managers when users have been terminated or transferred, so that the accounts associated with the user can be removed, disabled or otherwise secured.
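An added example, not part of the original post, of the periodic re-identification the standard calls for: a review that reconciles an HR extract against the account listing and flags enabled accounts of terminated users, accounts with no HR record, stale certifications, group membership that no longer matches the user’s department, and one constructed separation-of-duties conflict. The record layouts, the group names and the AP_CLERKS/AP_APPROVERS rule are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str        # "active" or "terminated", as HR reports it
    department: str

@dataclass(frozen=True)
class Account:
    name: str
    kind: str              # "individual", "group" or "system"
    owner: str             # emp_id of the user, or of the resource owner for group/system accounts
    groups: frozenset[str]
    enabled: bool
    last_certified: date   # when the resource owner last re-confirmed the access

# Constructed: the department each access group legitimately serves, and one
# pair of groups that a single person must not hold together.
GROUP_DEPARTMENT = {"AP_CLERKS": "Accounts Payable", "AP_APPROVERS": "Accounts Payable",
                    "PAYROLL": "Payroll"}
TOXIC_PAIR = frozenset({"AP_CLERKS", "AP_APPROVERS"})   # enter and approve payables

def review_accounts(roster, accounts, today, recert_days=90):
    """Return (account name, issue) pairs for the resource owner to act on."""
    people = {e.emp_id: e for e in roster}
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                     # disabled accounts are already secured
        owner = people.get(a.owner)
        if owner is None:
            findings.append((a.name, "enabled account with no matching HR record"))
            continue
        if owner.status == "terminated":
            findings.append((a.name, f"enabled account for terminated employee {owner.emp_id}"))
        if a.kind == "individual":
            for g in sorted(a.groups):
                dept = GROUP_DEPARTMENT.get(g)
                if dept is not None and dept != owner.department:
                    findings.append((a.name, f"in {g} but now works in {owner.department}"))
            if TOXIC_PAIR <= a.groups:
                findings.append((a.name, "separation of duties: can both enter and approve payables"))
        if today - a.last_certified > timedelta(days=recert_days):
            findings.append((a.name, f"access not re-certified in {recert_days} days"))
    return findings

def run_demo():
    """Constructed HR extract and account listing for the review."""
    today = date(2014, 3, 1)
    recent, stale = date(2014, 2, 1), date(2013, 8, 1)
    roster = [
        Employee("e1", "active", "Accounts Payable"),
        Employee("e2", "terminated", "Payroll"),
        Employee("e3", "active", "Payroll"),          # transferred out of Accounts Payable
        Employee("e4", "active", "Accounts Payable"),
    ]
    accounts = [
        Account("jdoe", "individual", "e1", frozenset({"AP_CLERKS"}), True, recent),
        Account("rsmith", "individual", "e2", frozenset({"PAYROLL"}), True, recent),
        Account("mlee", "individual", "e3", frozenset({"AP_CLERKS"}), True, recent),
        Account("tjones", "individual", "e4", TOXIC_PAIR, True, recent),
        Account("svc_batch", "system", "e1", frozenset(), True, stale),
        Account("ghost", "individual", "e9", frozenset(), True, recent),
        Account("old_temp", "individual", "e2", frozenset(), False, stale),
    ]
    return review_accounts(roster, accounts, today)

if __name__ == "__main__":
    for name, issue in run_demo():
        print(f"{name}: {issue}")
```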

Antivirus and malware control is an aspect of corporate operations that’s been much in the news lately. Several large retailers have recently admitted ignoring signals from their own systems that those systems were infected, with truly disastrous consequences for the retailers themselves as well as for the integrity of their customers’ accounts. Standards related to malware and anti-virus control form a subset of network operations controls, which also include network device management, patch management, and the logging and monitoring of network transactions and events.

The enterprise’s uniform information security standard should treat anti-virus management as an automated process used to effectively identify, isolate, and eliminate malicious software. Anti-malware software should be implemented and maintained on computers and critical information system entry points to detect and eradicate malicious software delivered by e-mail, removable media, or other methods. Standards related to anti-virus and malware controls are important because malicious software is frequently a vital tool in support of numerous fraud-related internal and external exploits, and the standards govern its detection and removal.

Finally, a set of controls vital to the work of fraud examiners and forensic accountants are those related to the logging and monitoring of transactions. How many of us have been stymied in our investigative work by the lack of strong audit trails to guide us through some complicated labyrinth of automated, fraud-related transactions? The security standard should prescribe a process of generating, transmitting, analyzing, storing, and disposing of computer log data related to all the client’s sensitive systems. Computer security logs are generated by many sources, including security software such as anti-virus software, firewalls, and intrusion detection and prevention software, and the operating systems on servers, workstations and networking equipment. Given the number of sources and the volume of log data, an automated log management system is essential for identifying security incidents, policy violations, fraudulent activity and operational problems, all of which can figure prominently in the review work of all assurance professionals.

Please make plans to join us on April 16-17th, 2014 for the Central Virginia Chapter’s seminar on the topic of Introduction to Fraud Examination for 16 CPE ($200.00 for early Registration)! For details see our Prior Post entitled, “Save the Date”!


Preventing End Point Related Frauds

The theft of an unencrypted, network-enabled laptop belonging to a system analyst employed by the firm of one of our Chapter members, at a conference in San Francisco last month, brings to mind the issue of frauds related to end points. An end point is usually defined as an individual computer system or device that acts as a network client and serves as a workstation or personal computing device. Common end points are laptops, desktops and personal computing devices like smart phones. The growing number and variety of threats to end points over the last few years, as well as the growth of frauds that use end points as a medium of attack, have made end point security even more important today, as almost every business has become virtual to a greater or lesser degree. Current threats to end points include viruses, Trojans, worms, the use of end points as distributed denial-of-service zombie hosts and, of course, spyware.

It seems to me that the issue of end point fraud prevention needs to be approached from two different angles: protecting the end point itself and, less obviously, protecting the organization from the end point.

Management needs to define internal and external device security requirement policies, both logical and technical, for its various types of end points. Policy should especially be defined for encryption and for remote access, i.e., the level of access that will be permitted to a remote user presenting a given level of authentication: for a user presenting just a user ID and password, what resources are made available, as opposed to one using a continuously updated secure token? Following management’s definition of security policy for each type of end point, every enterprise end point device needs to be inspected to assess and set its security status against the pre-defined policy, since not every user-owned or corporate-owned end point will meet the basic policy requirements for connection. After assessment, each device that has been flagged at a trust level that allows connection to the network should be authenticated by its user prior to use. Access policies should be defined to permit resource access based only on the allowed level of authentication.

Access is allowed depending on the end point’s security status level defined at the policy development stage. If the minimum security status is not met, no access is allowed, or special procedures are instituted depending upon the type of session. For example, when a user connects from an airport public hotspot, all data resulting from the session must be cleared after the session terminates. Continuous monitoring is a must, so that the enterprise can identify repeated attempts to connect non-compliant devices or other strange activity and investigate any device that is trying to connect; an associated incident reporting capability should be used to assess the ongoing effectiveness of the end point security policy and to analyze threat trends.
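The connection decision and the monitoring described above, as an added Python example (not code from any product or from the Chapter member’s firm); the trust levels, the resource names, the public-hotspot rule and the three-refusals threshold are constructed policy values:

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Endpoint:
    device_id: str
    corporate_owned: bool
    disk_encrypted: bool
    av_signature_age_days: int

@dataclass(frozen=True)
class Connection:
    endpoint: Endpoint
    auth_level: str   # "password" (user ID and password) or "token" (continuously updated token)
    origin: str       # "corporate", "home" or "public_hotspot"
    when: datetime

def trust_level(ep: Endpoint) -> str:
    """Constructed policy: the trust level a device earns from its security status."""
    if not ep.disk_encrypted or ep.av_signature_age_days > 7:
        return "blocked"      # below minimum security status: no connection at all
    return "managed" if ep.corporate_owned else "limited"

# Constructed policy: what each (trust level, authentication level) pair may reach.
RESOURCES = {
    ("managed", "token"): frozenset({"email", "file_shares", "finance_app"}),
    ("managed", "password"): frozenset({"email"}),
    ("limited", "token"): frozenset({"email"}),
    ("limited", "password"): frozenset(),
}

def decide(conn: Connection) -> dict:
    """Apply the access policy to one connection attempt."""
    level = trust_level(conn.endpoint)
    resources = set(RESOURCES.get((level, conn.auth_level), ()))
    wipe = conn.origin == "public_hotspot"   # session data is cleared when the session ends
    if wipe:
        resources.discard("finance_app")      # constructed rule: no finance data over public hotspots
    return {"trust": level, "allowed": bool(resources),
            "resources": frozenset(resources), "wipe_session": wipe}

class ConnectionMonitor:
    """Flags devices that keep trying to connect after being refused; feeds incident reporting."""
    def __init__(self, window: timedelta, threshold: int):
        self.window, self.threshold = window, threshold
        self.refusals = defaultdict(list)   # device_id -> times of recent refusals
        self.incidents = []

    def record(self, conn: Connection, decision: dict):
        """Return an incident note when a device is refused `threshold` times within `window`."""
        if decision["allowed"]:
            return None
        dev = conn.endpoint.device_id
        recent = [t for t in self.refusals[dev] if conn.when - t <= self.window] + [conn.when]
        self.refusals[dev] = recent
        if len(recent) >= self.threshold:
            note = f"{dev}: {len(recent)} refused connections within {self.window}"
            self.incidents.append(note)
            return note
        return None

def run_demo():
    """Constructed devices and attempts: one compliant laptop and one that fails policy."""
    good = Endpoint("LT-0001", corporate_owned=True, disk_encrypted=True, av_signature_age_days=1)
    bad = Endpoint("LT-0002", corporate_owned=False, disk_encrypted=False, av_signature_age_days=30)
    t0 = datetime(2014, 3, 1, 9, 0)
    mon = ConnectionMonitor(window=timedelta(minutes=10), threshold=3)
    attempts = [Connection(good, "token", "corporate", t0),
                Connection(good, "token", "public_hotspot", t0 + timedelta(minutes=1)),
                Connection(good, "password", "home", t0 + timedelta(minutes=2))]
    attempts += [Connection(bad, "token", "home", t0 + timedelta(minutes=i)) for i in range(3)]
    results = []
    for c in attempts:
        d = decide(c)
        results.append((c.endpoint.device_id, d, mon.record(c, d)))
    return results, mon.incidents
```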

Not all end point device users will be happy with having their corporate and non-corporate devices inspected and authenticated to the network; all this takes time. Users will fret about not being able to download data onto their machines at home or while they’re waiting for a flight at the airport. All these provisions and requirements for end point connection, and the reasons for them, need to be clearly spelled out in the security policy.

End point devices connected to our clients’ networks need to be secured because the perimeter between the inside and the outside of the organization is quickly vanishing, and the virtual organization is upon us, with more organizations allowing staff members to work from home or from anywhere on their own or on corporate laptops or devices. Security perimeters need to be brought closer to where the data are, so that end points are secure and, equally important, the organization is secure from the end points.

Digital Incident Response Planning – a Key to Winning In Court

Our Chapter’s recent webcast on Digital Forensics generated a lot of discussion and some good questions. I guess a good place to start the subject of this post, digital incident response planning, is by focusing on the good news from the webcast: crimes involving computer systems and networks usually leave much usable evidence behind. The bad news is that despite the potential availability of these important bits of digital evidence, much of it tends to be overlooked, collected incorrectly or, if collected at all, analyzed ineffectively. As our webcast tried to emphasize, if digital evidence is not collected early in a fraud investigation, it may quickly become too late to collect it safely without an elevated risk of corrupting or prejudicing it.

In today’s world, it’s not a question of if a large organization will suffer a fraud-related incident involving its digital data; it’s a question of when. Even so, it’s surprising how many enterprises underestimate how often they may need to produce reliable evidence of something that’s happened to their information systems or on their networks. Organization after organization is in the news, having fallen victim to external or internal digitally related fraud on a large or small scale and having to suffer the consequences in lost reputation and increased vulnerability to competitors. Our webcast argues that every organization’s management should become proactive with regard to digital fraud and take steps to ensure that when a forensic need for data related to a fraud scenario arises, the victimized organization will be ready to supply it. A process of digital fraud readiness features the proactive identification, collection and preservation of categories of sensitive data before they are needed as digital evidence, so that the state of the system prior to the occurrence of a fraud is documented. The effort to catalog the system and its data constitutes clear evidence of due diligence on the part of management (very impressive in court) at the same time as it limits business risk by providing support for corporate legal defense, civil litigation, criminal prosecution and internal disciplinary actions. Importantly, it can also document the impact of a crime for a related insurance or damage claim.

So how can fraud examiners help, since data is the very air we breathe? We need to help our clients see that unless their companies have developed a detailed digital incident response plan, much potential evidence will never become available to their future fraud cases, because it will never be collected or will become worthless for legal purposes because it’s been contaminated. The process starts with determining whether our clients have applied a consistent and effective approach to managing all information security incidents, including defining the responsibilities of key corporate personnel (not just IT) and the procedures each will follow during an information security incident. After the occurrence of an information security incident that will involve legal action of some kind, defined digital incident response procedures should detail how evidence should be collected, retained and presented to conform with the rules of evidence appropriate to the relevant jurisdiction.

It’s important that client audit trail information be available to demonstrate that the system used to preserve the incident related evidence is functioning appropriately; it can also be used to demonstrate how information progresses through the system.
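One way to give the court that audit trail, added here as an example and not part of the webcast or of any forensic product: a hash-chained chain-of-custody log in which each entry commits to the one before it, so that both altered evidence and an altered log entry are detectable. The item identifier, the custodian names and the mailbox export bytes are constructed for the example.

```python
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64   # "previous hash" carried by the first entry

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Append-only, hash-chained record of how preserved evidence moves through the process."""
    def __init__(self):
        self.entries = []

    def _append(self, entry: dict) -> dict:
        entry["prev"] = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry["entry_hash"] = _digest(entry)     # hash covers every field, including prev
        self.entries.append(entry)
        return entry

    def acquire(self, item_id: str, content: bytes, by: str, when: datetime) -> dict:
        """Record the hash of the item as it was when first preserved."""
        return self._append({"event": "acquired", "item": item_id, "by": by,
                             "when": when.isoformat(),
                             "sha256": hashlib.sha256(content).hexdigest()})

    def transfer(self, item_id: str, from_: str, to: str, when: datetime) -> dict:
        """Record a hand-off between custodians (IT, examiner, counsel, court)."""
        return self._append({"event": "transferred", "item": item_id, "from": from_,
                             "to": to, "when": when.isoformat()})

    def verify_chain(self) -> bool:
        """True when no entry has been altered, inserted or removed since it was written."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body.get("prev") != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def verify_item(self, item_id: str, content: bytes) -> bool:
        """True when the content presented now matches the hash taken at acquisition."""
        acquired = [e for e in self.entries if e["event"] == "acquired" and e["item"] == item_id]
        return bool(acquired) and acquired[0]["sha256"] == hashlib.sha256(content).hexdigest()

def run_demo() -> dict:
    """Constructed incident: one preserved mailbox export handed from IT to the examiner."""
    export = b"constructed mailbox export: subject=Invoice 4471; from=ap-clerk; ..."
    log = CustodyLog()
    log.acquire("EXP-001", export, by="it-operations", when=datetime(2014, 3, 1, 10, 30))
    log.transfer("EXP-001", "it-operations", "fraud-examiner", when=datetime(2014, 3, 2, 9, 0))
    intact = log.verify_chain() and log.verify_item("EXP-001", export)
    # Two things the audit trail must catch: edited evidence and an edited log entry.
    content_changed = log.verify_item("EXP-001", export.replace(b"4471", b"4477"))
    log.entries[0]["by"] = "someone-else"        # tamper with the record after the fact
    chain_after_tamper = log.verify_chain()
    return {"intact": intact, "content_change_detected": not content_changed,
            "log_tamper_detected": not chain_after_tamper}

if __name__ == "__main__":
    print(run_demo())
```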

As our webcast tried to make clear, to avoid the risk of legal challenges, fraud examiners and the computer forensic specialists assisting them need to provide the court assurance that the organization has implemented adequate security measures and performed due diligence; the Digital Incident Response Plan and the associated catalog of sensitive digital data are evidence of both.