
Cybersecurity – Is There a Role for Fraud Examiners?

At a cybersecurity fraud prevention conference I attended recently in California, one of the featured speakers addressed the difference between information security and cybersecurity and the complexity of assessing the fraud preparedness controls specifically directed against cyber fraud. It seems the main difficulty is the lack of a standard to serve as the basis of a fraud examiner’s or auditor’s risk review. The National Institute of Standards and Technology’s (NIST) framework has become a de facto standard despite the fact that it’s more than a little light on specific details. Though it’s not a standard, there really is nothing else at present against which to measure cybersecurity. Moreover, the technology that must be the subject of a cybersecurity risk assessment is poorly understood and is mutating rapidly. CFEs, and everyone else in the assurance community, are hard pressed to keep up.

To my way of thinking, a good place to start in all this confusion is for the practicing fraud examiner to consider the fundamental difference between information security and cybersecurity: the differing nature of the threat itself. There is a simple distinction between protecting information against misuse of all sorts (information security) and defending against an attack by a government, a terrorist group, or a criminal enterprise that has immense resources of expertise, personnel and time, all directed at subverting one individual organization (cybersecurity). You can protect your car with a lock and insurance, but those are not the tools of choice if you see a gang of thieves armed with bricks approaching your car at a stoplight. This distinction is at the very core of assessing an organization’s preparations for addressing the risk of cyberattacks and for defending itself against them.

As is true in so many investigations, the cybersecurity element of the fraud risk assessment process begins with the objectives of the review, which leads immediately on to the questions one chooses to ask. If an auditor only wants to know “Are we secure against cyberattacks?” then the answer should be up on a billboard in letters fifty feet high: No organization should ever consider itself safe against cyber attackers. They are too powerful and pervasive for any complacency. If major television networks can be stricken, if the largest banks can be hit, if governments are not immune, then the CFE’s client organization is not secure either.  Still, all anti-fraud reviewers can ask subtle and meaningful questions of client management, specifically focused on the data and software at risk of an attack. A fraud risk assessment process specific to cybersecurity might delve into the internals of database management systems and system software, requiring the considerable skills of a CFE supported by one or more tech-savvy consultants s/he has engaged to form the assessment team. Or it might call for just asking simple questions and applying basic arithmetic.

If the fraud examiner’s concern is the theft of valuable information, the simple corrective is to make the data valueless to a thief, which is usually achieved through encryption. The CFE’s question might be, “Of all your data, what percentage is encrypted?” If the answer is 100 percent, the follow-up question is whether the data are always encrypted: at rest, in transit and in use. If it cannot be shown that all data are secured all of the time, the next step is to determine what is not protected and under what circumstances. The assessment finding would consist of a flat statement of the amount of unencrypted data susceptible to theft and a recitation of the potential value to an attacker of stealing each category of unprotected data. The readers of this blog know that data must be decrypted in order to be used and so would be quick to point out that “universal” encryption in use is, ultimately, a futile dream. There are vendors who think otherwise, but let’s accept the fact that data will, at some time, be exposed within a computer’s memory. Is that a fault attributable to the data or to the memory and to the programs running in it? Experts say it’s the latter. In-memory attacks are fairly devious, but the solutions are not. Rebooting gets rid of them and anti-malware programs that scan memory can find them. So a CFE can ask, “How often is each system rebooted?” and “Does your anti-malware software scan memory?”

To the extent that software used for attacks is embedded in the programs themselves, the problem lies in a failure of malware protection or of change management. A CFE need not worry over this point; according to my California presenter, many auditors (and security professionals) have wrestled with this problem and not solved it either. All a CFE needs to ask is whether anyone would be able to know that a program had been subverted. An audit of the change management process would often provide a bounty of findings, but would not answer the reviewer’s question. The solution lies in having a version of a program known to be free from flaws (such as newly released code) and an audit trail of known changes. It’s probably beyond the talents of a typical CFE to generate a hash total using a program as data and then to apply the known changes in order to see if the version running in production matches a recalculated hash total. But it is not beyond the skills of IT experts the CFE can add to her team, or of the in-house IM staff responsible for keeping their employer’s programs safe. A CFE fraud risk reviewer need only find out if anyone is performing such a check. If not, the CFE can simply conclude and report to the client that no one knows for sure whether the client’s programs have been penetrated or not.
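The check described above, written out as an added example (this is not code from the post or from any client’s change-management tooling): a known-good baseline copy of a program is treated as data, the approved changes from the audit trail are replayed onto it, and the resulting hash total is compared with the hash of the copy actually running in production. The audit-trail record layout (ticket id, byte offset, bytes replaced, bytes substituted) and the sample “program” bytes are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ApprovedChange:
    """One entry from the change-management audit trail.

    The record layout used here (ticket id, byte offset, bytes replaced,
    bytes substituted) is an assumption for this example; a real trail is
    whatever the client's change-management tool actually records.
    """
    ticket: str
    offset: int
    old: bytes
    new: bytes


def sha256_hex(data: bytes) -> str:
    """The 'hash total' of a program treated purely as data."""
    return hashlib.sha256(data).hexdigest()


def apply_changes(baseline: bytes, trail: List[ApprovedChange]) -> bytes:
    """Replay the approved audit trail onto the known-good baseline.

    Every entry must match the bytes it claims to replace and must keep the
    length unchanged so later offsets stay valid. A mismatch means the audit
    trail and the baseline disagree, which is itself a reportable finding.
    """
    image = bytearray(baseline)
    for change in trail:
        end = change.offset + len(change.old)
        if len(change.old) != len(change.new):
            raise ValueError(f"{change.ticket}: replacement must keep length")
        if bytes(image[change.offset:end]) != change.old:
            raise ValueError(f"{change.ticket}: baseline differs at offset {change.offset}")
        image[change.offset:end] = change.new
    return bytes(image)


def verify_production(baseline: bytes, trail: List[ApprovedChange],
                      production: bytes) -> Tuple[bool, str, str]:
    """Return (matches, expected_hash, actual_hash).

    'matches' is True only when the production copy hashes to exactly the
    value predicted from baseline + approved changes; anything else is an
    unrecorded modification, whatever its cause.
    """
    expected = sha256_hex(apply_changes(baseline, trail))
    actual = sha256_hex(production)
    return expected == actual, expected, actual


# --- constructed sample data (a toy "program", not real code) ---------------
BASELINE = b"LOAD TOTAL\nCMP TOTAL,LIMIT\nJGT ALERT\nRET\nALERT: LOG\nRET\n"

# One approved change on record: the comparison was tightened from
# "greater than" to "greater than or equal".
AUDIT_TRAIL = [
    ApprovedChange(ticket="CHG-0001", offset=BASELINE.index(b"JGT"),
                   old=b"JGT", new=b"JGE"),
]

# What production should look like if only the recorded change was made.
CLEAN_PRODUCTION = apply_changes(BASELINE, AUDIT_TRAIL)

# The same image with one additional, unrecorded edit: the alert is neutered.
TAMPERED_PRODUCTION = CLEAN_PRODUCTION.replace(b"ALERT: LOG", b"ALERT: NOP")


if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PRODUCTION), ("tampered", TAMPERED_PRODUCTION)):
        ok, expected, actual = verify_production(BASELINE, AUDIT_TRAIL, image)
        print(f"{label}: {'matches audit trail' if ok else 'UNRECORDED CHANGE'}")
        print(f"  expected {expected}\n  actual   {actual}")
```

The point for the reviewer is not the hashing itself but that the comparison produces a yes/no answer nobody can argue with: either the production copy equals baseline plus the recorded changes, or something changed that the change-management process does not know about. If no one in the client organization can produce the baseline, the trail and the comparison, that absence is the finding.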

Finally, a CFE might want to find out if the environment in which data are processed is even capable of being secured. Ancient software running on hardware or operating systems that have passed their end of life are probably not reliable in that regard. Here again, the CFE need only obtain lists and count. How many programs have not been maintained for, say, five years or more? Which operating systems that are no longer supported are still in use? How much equipment in the data center is more than 10 years old? All this is only a little arithmetic and common sense, not rocket science.

In conclusion, frauds associated with weakened or absent cybersecurity systems are not likely to become a less important feature of the corporate landscape over time. Instead, they are poised to become an increasingly important aspect of doing business for those who create automated applications and solutions, and for those who attempt to safeguard them on the front end and for those who investigate and prosecute crimes against them on the back end. While the ramifications of every cyber fraud prevention decision are broad and diverse, a few basic good practices can be defined which the CFE, the fraud expert, can help any client management implement:

  • Know your fraud risk and what it should be;
  • Be educated in management science and computer technology. Ensure that your education includes basic fraud prevention techniques and associated prevention controls;
  • Know your existing cyber fraud prevention decision model, including the shortcomings of those aspects of the model in current use and develop a schedule to address them;
  • Know your frauds. Understand the common fraud scenarios targeting your industry so that you can act swiftly when confronted with one of them.

We can conclude that the issues involving cybersecurity are many and complex, but that CFEs are equipped to bring much needed, fraud-related experience to any management’s table as part of the team confronting them.

The Classification of Cyber-Crime


The Central Virginia Chapter of Certified Fraud Examiners (RVACFES), in cooperation with our venue partner the Virginia State Police, is initiating a series of quarterly luncheon meetings for our Chapter members and guests on various cutting-edge fraud investigation topics. We’re hoping to have the first such meeting in May or June, 2014 on the topic of cyber crime and its investigation. To set the stage for the meeting, I thought I’d do a short post on the classification of the various types of cyber crime that a fraud examiner new to the profession might expect to encounter in actual practice. As computer-assisted crimes have escalated exponentially over the last year, every fraud examiner needs to be aware of the risks associated with cyber crime perpetrated against a client entity of interest, and especially of those perpetrated using the entity’s own systems (as in the recent Target case).

Computer intrusion schemes. These types of schemes include cyber-crimes or preparatory exploits perpetrated against an entity resulting, directly or indirectly, in a quantifiable loss from an illegal or unethical act. The area of concern most in the news of late is industrial espionage featuring the theft of customer, financial or intellectual property related data. Some countries seem to support their citizens engaging in this type of hacking-related activity against entities in other countries, and some governments engage in espionage directly for what appears to be a whole host of different reasons. Entities subject to this risk (and areas of related concern) include, among others, national retail chains, aeronautics firms, space systems, armaments, energetic materials, chemical systems, biologic systems, kinetic energy systems and enterprises engaged in weapons countermeasures. Other areas of computer intrusion include unauthorized access to information or data from an entity’s own computer systems, infecting computers with viruses and other forms of malware, and infrastructure attacks such as denials of service.

Intellectual property rights. Intellectual property is increasingly available by electronic means, e.g., copyrighted books or materials that have been digitized. An example of a cyber-crime involving intellectual property is the illegal use or duplication of software. Differing international laws and customs complicate this issue; many copyright laws protect software products in one country, but not in another. Cyber attacks originating from outside the target country are difficult to prosecute if the countries involved don’t have similar laws.

Credit card fraud. The Association of Certified Fraud Examiners reports that some criminals, who formerly would not have been criminals or would have been traditional street criminals (engaged in localized drug sales, extortion or loan sharking), are taking advantage of readily available hacking software tools for sale on the internet to engage in credit card theft targeting big-name retailers as a means of simply earning a living. Organized crime world-wide is increasingly turning to cyber-crime, including credit card and identity theft, online gambling, online extortion, online narcotic sales and cyber terrorism, as opposed to the street-based activities associated with the organized crime of the past.

Identity theft. This is the cyber crime most familiar to the general public because it’s the most reported on in every category of media. It includes the ubiquitous phishing schemes targeting every e-mail user, in endless variation, whose goal is to steal someone’s identity for the purpose of gaining unauthorized access to credit or financial assets. I dare say every one of the readers of this blog has received a phishing e-mail in the last week. In addition, every one of your corporate client entities can have its identity stolen by web-site hijacking. Cyber criminals spoof the company website of a real enterprise and, using e-mail or other means, drive customers and others to the phony website, where the cyber criminals capture personal and private information.

Money laundering. Banks and certain other financial institutions have to file suspicious activity reports (SARs) for identified suspicious activities, originally as a result of terrorist attacks and the related regulations subsequently imposed. Many of the identified activities that turn into Federal investigations deal with money laundering. Money laundering doesn’t necessarily involve computers, but wire transfers are used constantly to facilitate these types of schemes. Areas of concern include offshore money-laundering web sites, illegal or unauthorized wire transfers and similar activities.

Every fraud examiner needs to be aware of the possible cyber-crime scenarios relevant to the fraud scheme(s) involved in whatever examination she’s currently conducting or is being asked to conduct; increasingly, investigative skills related to cyber schemes will constitute a substantial percentage of the foundation for modern fraud examination. The specific risks and applicable cyber-crimes can be expected to vary from examination to examination, but the necessity for a general knowledge of cyber-crime and how to investigate it can be expected to pose an increasing challenge for the conduct of any thorough fraud examination.

Please make plans to join us on April 16-17th, 2014 for the Central Virginia Chapter’s seminar on the Topic of Introduction to Fraud Examination for 16 CPE ($200.00 for early Registration)! For details see our Prior Post entitled, “Save the Date”!

The Caveat Emptor World of Cyber Security


Over the last five years it’s apparent that everything has changed on the internet: business activities, information technology, the communications environment, as well as the threat landscape, most especially to the corporate big data of our clients (Target recently and, I’m sure, many others to come). Retailers and hackers have become locked in a cyber arms race, and retail customers are the losers. The press and media at all levels are full of reports of government and business systems being infiltrated and thousands of terabytes of big data stolen. Consumers’ computers, wireless modems and, increasingly, cell phones are being compromised, and it seems the fabric of cyberspace is under attack, with even nation states demonstrating their ability to take control of the internet seemingly at will.

All of this is the result of a number of fundamental shifts in technology, and those shifts require an equally fundamental shift in attitudes toward security for concerned players at all levels. This is because information technology has evolved for our clients from purely a means of system automation into an essential characteristic of society itself, an entity called cyberspace. Seemingly before our eyes, the kind of quality, reliability and availability that has been traditionally associated only with power and water utilities is now absolutely essential for the protection and continued operation of the technology used to deliver all types of government and business services to an ever expanding user public. The critical information service flows of cyberspace have become as essential to the continuity of our daily survival as water and power grid services.

Cloud computing, coupled with the internal big data on customers of retail and financial services companies, enables individuals and organizations to access application services and data from anywhere via a web interface; this is essentially an information service model of delivery with attitude. I used to produce this blog by running Microsoft FrontPage on a PC; now I use WordPress in the cloud. The economies possible through use of the cloud rather than internal IT solutions will inevitably see the majority of businesses (and governments) running in the cloud. This model substantially changes the ways in which organizations can affect, and will have to securely manage, both their IT functions and the security of their systems.

As fraud examiners conducting fraud risk assessments and investigating cyber-based incidents, we need to be aware that the security standards employed today by the bulk of our clients (and currently arrayed to protect their constantly growing hoards of customer and financial data) were developed in a world in which computers were subject to the frauds and other criminal activities perpetrated primarily by individuals inside, and to a lesser extent outside, their organizations. That era is now long past. What has changed is the rapid increase in organized cyber crime through the emergence of robot networks (botnets), enabling network penetrations and related criminal activity to be conducted on an unprecedented global scale. These botnets can be used as force multipliers to deliver massive denial of service attacks on targeted businesses, essentially cutting the victims off from the global internet.

Cyber crime is now arguably a bigger issue than illegal drugs given its potential to directly affect the lives (and livelihoods) of every customer of every business and of every citizen of every country. Yet the growing problem in cyberspace doesn’t come from the threats alone but from the combination of threats and vulnerabilities. As fraud professionals in the front line we need to make our clients aware that their vulnerabilities are neither more nor less than byproducts of the currently low or nonexistent level of quality in the personnel and products they use to provide themselves with cyber security. The establishment and official recognition of cyber security as a profession is long overdue, and recent thefts of big data from a host of companies prove it. We are rapidly leaving the era when it was cheaper for individual companies (and governments) to pay the cost of occasional cyber breaches than to invest in adequate security (the credit card industry and the European smart card chip are a case in point). It’s no longer acceptable for professionals, trades people, products and services that are critical to the continuing success of the vital cyber enterprise to operate on a basis of caveat emptor.

In order to assist security professionals in the fight against the ever rising tide of cyber crime, fraud examiners and other control assurance professionals need to understand for each of our client types:

–their business, the related strategic cyber objectives, the market, the stakeholders and what information (especially big data related to customers and products) the enterprise uses and shares;

–the business information flows, relationships and dependencies;

–the value of the business information in financial, strategic and operational terms;

–the impact of failure in information management (corruption, loss or disclosure) and of failure in the service provided;

–what it takes to recover to a manageable position in the event of failure or cyber fraud and to understand where such a recovery is not possible (definition of loss boundary conditions).

With this type of information in hand, the fraud examiner can hope to realistically assist the security professional in the definition of risk profiles and related fraud scenarios, with the objective of moving toward the creation of appropriate cyber security threat countermeasures; the effort is guaranteed to add value.
