Category Archives: Access Control

The Critical Twenty Percent

According to the Pareto Principle, for many phenomena, 80 percent of the consequences stem from 20 percent of the causes. Application of the principle to fraud prevention efforts related particularly to automated systems seems increasingly apropos given the deluge of intrusions, data thefts, worms and other attacks which continue unabated, with organizations of all kinds losing productivity, revenue and more customers every month. ACFE members report having asked the IT managers of numerous victimized organizations over the years what measures their organization took prior to an experienced fraud to secure their networks, systems, applications and data, and the answer has typically involved a combination of traditional perimeter protection solutions (such as firewalls, intrusion detection, antivirus and antispyware) together with patch management, business continuance strategies, and access control methods and policies. As much sense as these traditional steps make at first glance, they clearly aren’t proving sufficiently effective in preventing or even containing many of today’s most sophisticated attacks.

The ACFE has determined that not only are some organizations vastly better than the rest of their industries at preventing and responding to cyber-attacks, but also that the difference between these and other organizations’ effectiveness boils down to just a few foundational controls. And the most significant within these foundational controls are not rooted in standard forms of access control, but, surprisingly, in monitoring and managing change. It turns out that for the best performing organizations there are six important control categories – access, change, resolution, configuration, version release and service levels. There are performance measures involving each of the categories defining audit, operations and security performance measures. These include security effectiveness, audit compliance disruption levels, IT user satisfaction and unplanned work. By analyzing relationships between control objectives and corresponding performance indicators, numerous researchers have been able to differentiate which controls are actually most effective for consistently predictable service delivery, as well as for preventing and responding to security incidents and fraud related exploits.

Of the twenty-one most important foundational controls used by the most effective organizations at controlling intrusions, there were two used by virtually all of them. Both of these controls revolve around change management:

• Are systems monitored for unauthorized changes in real time?
• Are there defined consequences for intentional unauthorized changes?

These controls are supplemented by 1) a formal process for IT configuration management; 2) an automated process for configuration management; 3) a process to track change success rates (the percentage of changes that succeed without causing an incident, service outage or impairment); 4) a process that provides relevant personnel with correct and accurate information on all current IT infrastructure configurations. Researchers found that these top six controls help organizations help manage risks and respond to security incidents by giving them the means to look forward, averting the riskiest changes before they happen, and to look backward, identifying definitively the source of outages, fraud associated abnormalities or service issues. Because they have a process that tracks and records all changes to their infrastructure and their associated success rates, the most effective organizations have a more informed understanding of their production environments and can rule out change as a cause very early in the incident response process. This means they can easily find the changes that caused the abnormal incident and remediate them quickly.

The organizations that are most successful in preventing and responding to fraud related security incidents are those that have mastered change management, thereby documenting and knowing the ‘normal’ state of their systems in the greatest possible detail. The organization must cultivate a ‘culture’ of change management and causality throughout, with zero tolerance for any unauthorized changes. As with any organizational culture, the culture of change management should start at the top, with leaders establishing a tone that all change must follow an explicit change management policy and process from the highest to the lowest levels of the organization, with zero tolerance for unauthorized change. These same executives should establish concrete, well-publicized consequences for violating change management procedures, with a clear, written change management policy. One of the components of an effective change management policy is the establishment of a governing body, such as a change advisory board that reviews and evaluates all changes for risk before approving them. This board reinforces the written policy, requiring mandatory testing tor each and every change, and an explicit rollback plan for each in the case of an unexpected result.

ACFE studies stress that post incident reviews are also crucial, so that the organization protects itself from repeating past mistakes. During these reviews, change owners should document their findings and work to integrate lessons learned into future anti-fraud operational practices.
Perhaps most important for responding to changes is having clear visibility into all change activities, not just those that are authorized. Automated controls that can maintain a change history reduce the risk of human error in managing and controlling the overall process.

So organizations that focus solely on access and reactive resolution controls at the expense of real time change management process controls are almost guaranteed to experience in today’s environment more security incidents, more damage from security incidents, and dramatically longer and less-effective resolution times. On the other hand, organizations that foster a culture of disciplined change management and causality, with full support from senior management, and have zero tolerance for unauthorized change and abnormalities, will have a superior security posture with fewer incidents, dramatically less damage to the business from security breaches and much faster incident identification and resolution of incidents when they happen.

In conducting a cyber-fraud post-mortem, CFE’s and other assurance professionals should not fail to focus on strengthening controls related to reducing 1) the amount of overall time the IT department devotes to unplanned work; 2) a high volume of emergency system changes; 3) and the number and nature of a high volume of failed system changes. All these are red-flags for cyber fraud risk and indicative of a low level of real time system knowledge on the part of the client organization.

Regulating the Financial Data Breach

During several years of my early career, I was employed as a Manager of Operations Research by a mid-sized bank holding company. My small staff and I would endlessly discuss issues related to fraud prevention and develop techniques to keep our customer’s checking and savings accounts safe, secure and private. A never ending battle!

It was a simpler time back then technically but since a large proportion of fraud committed against banks and financial institutions today still involves the illegal use of stolen customer or bank data, some of the newest and most important laws and regulations that management assurance professionals, like CFEs, must be aware of in our practice, and with which our client banks must comply, relate to the safeguarding of confidential data both from internal theft and from breaches of the bank’s information security defenses by outside criminals.

As the ACFE tells us, there is no silver bullet for fully protecting any organization from the ever growing threat of information theft. Yet full implementation of the measures specified by required provisions of now in place federal banking regulators can at least lower the risk of a costly breach occurring. This is particularly true since the size of recent data breaches across all industries have forced Federal enforcement agencies to become increasingly active in monitoring compliance with the critical rules governing the safeguarding of customer credit card data, bank account information, Social Security numbers, and other personal identifying information. Among these key rules are the Federal Reserve Board’s Inter-agency Guidelines Establishing Information Security Standards, which define customer information as any record containing nonpublic personal information about an individual who has obtained a financial product or service from an institution that is to be used primarily for personal, family, or household purposes and who has an ongoing relationship with the institution.

Its important to realize that, under the Inter-agency Guidelines, customer information refers not only to information pertaining to people who do business with the bank (i.e., consumers); it also encompasses, for example, information about (1) an individual who applies for but does not obtain a loan; (2) an individual who guarantees a loan; (3) an employee; or (4) a prospective employee. A financial institution must also require, by contract, its own service providers who have access to consumer information to develop appropriate measures for the proper disposal of the information.

The FRB’s Guidelines are to a large extent drawn from the information protection provisions of the Gramm Leach Bliley Act (GLBA) of 1999, which repealed the Depression-era Glass-Steagall Act that substantially restricted banking activities. However, GLBA is best known for its formalization of legal standards for the protection of private customer information and for rules and requirements for organizations to safeguard such information. Since its enactment, numerous additional rules and standards have been put into place to fine-tune the measures that banks and other organizations must take to protect consumers from the identity-related crimes to which information theft inevitably leads.

Among GLBA’s most important information security provisions affecting financial institutions is the so-called Financial Privacy Rule. It requires banks to provide consumers with a privacy notice at the time the consumer relationship is established and every year thereafter.

The notice must provide details collected about the consumer, where that information is shared, how that information is used, and how it is protected. Each time the privacy notice is renewed, the consumer must be given the choice to opt out of the organization’s right to share the information with third-party entities. That means that if bank customers do not want their information sold to another company, which will in all likelihood use it for marketing purposes, they must indicate that preference to the financial institution.

CFEs should note , that most pro-privacy advocacy groups strongly object to this and other privacy related elements of GLBA because, in their view, these provisions do not provide substantive protection of consumer privacy. One major advocacy group has stated that GLBA does not protect consumers because it unfairly places the burden on the individual to protect privacy with an opt-out standard. By placing the burden on the customer to protect his or her data, GLBA weakens customer power to control their financial information. The agreement’s opt-out provisions do not require institutions to provide a standard of protection for their customers regardless of whether they opt-out of the agreement. This provision is based on the assumption that financial companies will share information unless expressly told not to do so by their customers and, if customers neglect to respond, it gives institutions the freedom to disclose customer nonpublic personal information.

CFEs need to be aware, however, that for bank clients, regardless of how effective, or not, GLBA may be in protecting customer information, noncompliance with the Act itself is not an option. Because of the current explosion in breaches of bank information security systems, the privacy issue has to some degree been overshadowed by the urgency to physically protect customer data; for that reason, compliance with the Interagency Guidelines concerning information security is more critical than ever. The basic elements partially overlap with the preventive measures against internal bank employee abuse of the bank’s computer systems. However, they go quite a bit further by requiring banks to:

—Design an information security program to control the risks identified through a security risk assessment, commensurate with the sensitivity of the information and the complexity and scope of its activities.
—Evaluate a variety of policies, procedures, and technical controls and adopt those measures that are found to most effectively minimize the identified risks.
—Application and enforcement of access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
—Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals.
—Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may gain access.
—Procedures designed to ensure that customer information system modifications are consistent with the institution’s information security program.
—Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information.
—Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems.
—Response programs that specify actions to be taken when the institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.
—Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

The Inter-agency Guidelines require a financial institution to determine whether to adopt controls to authenticate and permit only authorized individuals access to certain forms of customer information. Under this control, a financial institution also should consider the need for a firewall to safeguard confidential electronic records. If the institution maintains Internet or other external connectivity, its systems may require multiple firewalls with adequate capacity, proper placement, and appropriate configurations.

Similarly, the institution must consider whether its risk assessment warrants encryption of electronic customer information. If it does, the institution must adopt necessary encryption measures that protect information in transit, in storage, or both. The Inter-agency Guidelines do not impose specific authentication or encryption standards, so it is advisable for CFEs to consult outside experts on the technical details applicable to your client institution’s security requirements especially when conducting after the fact fraud examinations.

The financial institution also must consider the use of an intrusion detection system to alert it to attacks on computer systems that store customer information. In assessing the need for such a system, the institution should evaluate the ability, or lack thereof, of its staff to rapidly and accurately identify an intrusion. It also should assess the damage that could occur between the time an intrusion occurs and the time the intrusion is recognized and action is taken.

The regulatory agencies have also provided our clients with requirements for responding to information breaches. These are contained in a related document entitled Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (Incident Response Guidance). According to the Incident Response Guidance, a financial institution should develop and implement a response program as part of its information security program. The response program should address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer.

Finally, the Inter-agency Guidelines require financial institutions to train staff to prepare and implement their information security programs. The institution should consider providing specialized training to ensure that personnel sufficiently protect customer information in accordance with its information security program.

For example, an institution should:

—Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext spam calling.
—Provide staff members responsible for building or maintaining computer systems and local and wide area networks with adequate training, including instruction about computer security.
—Train staff to properly dispose of customer information.

Managing Disruption

Technology risks are evolving and changing so rapidly, it’s more difficult for management to assess new fraud threats and to adjust its strategies to manage and mitigate them. Applications that use disruptive technologies, such as artificial intelligence, advanced robotics, 3D printing, blockchain, and the Internet of Things, are being designed quickly and often generate new high-growth markets. CFEs and other anti-fraud professionals are struggling to stay abreast of the most recent developments and to identify anti-fraud policies, procedures and controls that add value.  Additionally, the exponential growth of computing power has enabled our client organizations to capitalize on the use of mobile devices and to leverage the ubiquity of the internet to reach their markets almost instantly.

While this is an exciting and challenging opportunity for marketers and business managers, it has injected new risk considerations for CFEs. Digitalization of data has created opportunities for knowledgeable investigators to improve their use of data analytics, use algorithms to facilitate cognitive intelligence, and to even create bot applications that perform automated fraud assessment tasks in real time. The essence of the risks and controls involved has not changed as much as the underlying technology. The new processes still need to adhere to organizational policies and procedures, change management practices are still a vital component in transitioning to new tools and processes, and system and access controls must continue to be enforced. However, some controls that were important in the past now take on a new level of criticality. Automated algorithms result in less transparency of the underlying process. When data is used and shared through these processes, accuracy and completeness become a necessity. An organization needs very specific controls to ensure a bot does not proliferate erroneous data. Anti-fraud focused information security and access control processes must treat the bot as if it were a person and only allow it access to appropriate data. Checks and balances must be integrated into the process to ensure the results are accurate, service level agreements are met, and contracts remain faithfully performed.

Advanced materials, 3D printing, and autonomous vehicles are other advances that are transforming the fraud prevention landscape. New businesses created by these technologies need to follow established governance processes and design fraud and abuse risk management and related internal controls into their business processes. As entirely new markets and products are developed, it’s important that risk managers with fraud investigation experience are involved proactively from the first. This blog has devoted several recent posts to blockchain technology.  Blockchain is a distributed ledger that maintains a shared list of records. Each of these records contains time-stamped data that is encoded and linked to every other previous transaction in that chain of transactions. The decentralized and distributed storage of these records provides visibility to everyone in the network and ensures that no single entity can change any of the historical records. While blockchain is already being used in numerous applications, most notably digital currencies, many other industries are exploring the technology.  Banks are testing cross-border financial transactions, and there is much speculation about the potential to use blockchain to eliminate the middle man in real estate deals, routine contract management, stock purchases, and other similar transactions. If blockchain is effective at eliminating intermediaries, the new business model will expose all the transacting parties to new fraud risks, which were previously being addressed by the middle man.

There are several ways CFEs can proactively help manage the effect of the fraud related aspects of disruptive technologies on their client organizations. By focusing on anti-fraud assurance, providing fraud scenario insight to management, and by demonstrating proficiency and expertise in innovative technologies, fraud examiners will be able to contribute significantly to the overall fraud prevention programs of our client organizations.

For many years organizations have been encouraged by economists to focus on what they do best. That is wise advice for the fraud examination profession, as well. By continuing to focus on governance, fraud risk, and preventative controls, CFEs can help ensure fraud prevention policies and processes are designed and operating effectively. Regardless of the nature or tempo of the changes, investigators will then be able to more effectively fulfill their mission. Moreover, proactively helping their organizations anticipate emerging fraud risks and technological changes can position fraud examiners as authorities and better prepare client organizations to better respond to disruptive events.

By aligning with the expectations of the profession’s key client stakeholders and working closely with those subject-matter experts who are implementing disruptive technologies from within and without, CFEs can remain focused on the most relevant and significant fraud prevention related issues.  For example, cybersecurity and data privacy are topics that every organization is managing. Identifying trends that will affect the organization, and collaborating with and providing insight to their stakeholders, can enable the CFE community to significantly affect the business agenda.  More than ever, fraud examiners must constantly pursue training to learn about recent technologies and the complex and emerging new risks being introduced into their organizations.  Additionally, chief investigators need to focus on developing an adaptive, flexible, innovative staffing model. This new model must tap into a highly specialized talent pool that has the technological competence to rapidly understand and leverage new tools, techniques, and processes.  Perhaps the most important thing CFEs can do to prepare for disruptive technological innovations is to embrace and leverage new technologies in their own work. CFE investigators need to be at the forefront of adopting artificial intelligence, cognitive computing, and smart robots.

All assurance professionals need to completely understand how technologies like blockchain work and how they can be used and analyzed in fraud investigations.  They must take advantage of machine learning and data analytics in their examination processes. Moreover, continuous fraud auditing should be the standard default for new review routines and real-time identification of fraud signatures and red flags should be a requirement as organizations implement new business processes.

In summary, the threat of disruptive technologies has arrived and will affect every organization regardless of its size or objectives. When Gordon Moore observed in 1965 that the number of transistors on an integrated circuit had doubled every year since transistors were invented, few thought that exponential growth would continue for more than 50 years. As computing power increases, technology becomes more mobile, data becomes more accessible and usable, and fraudsters capitalize on the opportunities that arise. Fraud risk managers will have to assess emerging threats consistently and continuously. CFEs will need to respond to emerging threats with new and better ways to perform our investigations and engage to redesign our own processes or face disruption ourselves.

From Inside the Building

By Rumbi Petrozzello, CFE, CPA/CFF
2017 Vice-President – Central Virginia Chapter ACFE

Several months ago, I attended an ACFE session where one of the speakers had worked on the investigation of Edward Snowden. He shared that one of the ways Snowden had gained access to some of the National Security Agency (NSA) data that he downloaded was through the inadvertent assistance of his supervisor. According to this investigator, Snowden’s supervisor shared his password with Snowden, giving Snowden access to information that was beyond his subordinate’s level of authorization. In addition to this, when those security personnel reviewing downloads made by employees noticed that Snowden was downloading copious amounts of data, they approached Snowden’s supervisor to question why this might be the case. The supervisor, while acknowledging this to be true, stated that Snowden wasn’t really doing anything untoward.

At another ACFE session, a speaker shared information with us about how Chelsea Manning was able to download and remove data from a secure government facility. Manning would come to work, wearing headphones, listening to music on a Discman. Security would hear the music blasting and scan the CDs. Day after day, it was the same scenario. Manning showed up to work, music blaring.  Security staff grew so accustomed to Manning, the Discman and her CDs that when she came to work though security with a blank CD boldly labelled “LADY GAGA”, security didn’t blink. They should have because it was that CD and ones like it that she later carried home from work that contained the data she eventually shared with WikiLeaks.

Both these high-profile disasters are notable examples of the bad outcome arising from a realized internal threat. Both Snowden and Manning worked for organizations that had, and have, more rigorous security procedures and policies in place than most entities. Yet, both Snowden and Manning did not need to perform any magic tricks to sneak data out of the secure sites where the target data was held; it seems that it all it took was audacity on the one side and trust and complacency on the other.

When organizations deal with outside parties, such as vendors and customers, they tend to spend a lot of time setting up the structures and systems that will guide how the organization will interact with those vendors and customers. Generally, companies will take these systems of control seriously, if only because of the problems they will have to deal with during annual external audits if they don’t. The typical new employee will spend a lot of time learning what the steps are from the point when a customer places an order through to the point the customer’s payment is received. There will be countless training manuals to which to refer and many a reminder from co-workers who may be negatively impacted if the rooky screws up.

However, this scenario tends not to hold up when it comes to how employees typically share information and interact with each other. This is true despite the elevated risk that a rogue insider represents. Often, when we think about an insider causing harm to a company through fraudulent acts, we tend to imagine a villain, someone we could identify easily because s/he is obviously a terrible person. After all, only a terrible person could defraud their employer. In fact, as the ACFE tells us, the most successful fraudsters are the ones who gain our trust and who, therefore, don’t really have to do too much for us to hand over the keys to the kingdom. As CFEs and Forensic Accountants, we need to help those we work with understand the risks that an insider threat can represent and how to mitigate that risk. It’s important, in advising our clients, to guide them toward the creation of preventative systems of policy and procedure that they sometimes tend to view as too onerous for their employees. Excuses I often hear run along the lines of:

• “Our employees are like family here, we don’t need to have all these rules and regulations”

• “I keep a close eye on things, so I don’t have to worry about all that”

• “My staff knows what they are supposed to do; don’t worry about it.”

Now, if people can easily walk sensitive information out of locations that have documented systems and are known to be high security operations, can you imagine what they can do at your client organizations? Especially if the employer is assuming that their employees magically know what they are supposed to do? This is the point that we should be driving home with our clients. We should look to address the fact that both trust and complacency in organizations can be problems as well as assets. It’s great to be able to trust employees, but we should also talk to our clients about the fraud triangle and how one aspect of it, pressure, can happen to any staff member, even the most trusted. With that in mind, it’s important to institute controls so that, should pressure arise with an employee, there will be little opportunity open to that employee to act. Both Manning and Snowden have publicly spoken about the pressures they felt that led them to act in the way they did. The reason we even know about them today is that they had the opportunity to act on those pressures. I’ve spent time consulting with large organizations, often for months at a time. During those times, I got to chat with many members of staff, including security. On a couple of occasions, I forgot and left my building pass at home. Even though I was on a first name basis with the security staff and had spent time chatting with them about our personal lives, they still asked me for identification and looked me up in the system. I’m sure they thought I was a nice and trustworthy enough person, but they knew to follow procedures and always checked on whether I was still authorized to access the building. The important point is that they, despite knowing me, knew to check and followed through.

Examples of controls employees should be reminded to follow are:

• Don’t share your password with a fellow employee. If that employee cannot access certain information with their own password, either they are not authorized to access that information or they should speak with an administrator to gain the desired access. Sharing a password seems like a quick and easy solution when under time pressures at work, but remind employees that when they share their login information, anything that goes awry will be attributed to them.

• Always follow procedures. Someone looking for an opportunity only needs one.

• When something looks amiss, thoroughly investigate it. Even if someone tells you that all is well, verify that this is indeed the case.

• Explain to staff and management why a specific control is in place and why it’s important. If they understand why they are doing something, they are more likely to see the control as useful and to apply it.

• Schedule training on a regular basis to remind staff of the controls in place and the systems they are to follow. You may believe that staff knows what they are supposed to do, but reminding them reduces the risk of them relying on hearsay and secondhand information. Management is often surprised by what they think staff knows and what they find out the staff really knows.

It should be clear to your clients that they have control over who has access to sensitive information and when and how it leaves their control. It doesn’t take much for an insider to gain access to this information. A face you see smiling at you daily is the face of a person you can grow comfortable with and with whom you can drop your guard. However, if you already have an adequate system and effective controls in place, you take the personal out of the equation and everyone understands that we are all just doing our job.