“A Lack of IT Controls = Fraud Opportunities”
Bios

       Chris Mitchell – MBA, CIA, CISA, CCSA
       Experience
       Chris has over 18 years of risk management, finance, and IT consulting experience. He
       has held the titles of Internal Audit Director, Senior Program Manager, and Managing
       Consultant at various companies in industries including financial services,
       telecommunications, software development, manufacturing, and government. Chris’
       practice focuses on assisting clients with 404 implementations, Type I & II SSAE 16
       engagements, leading internal audit teams, and making cost-effective recommendations
       to enhance internal controls, maximize efficiency, and minimize exposure to loss and
       regulatory risk.
       Education
       B.B.A. from University of Texas at San Antonio
       MBA from Touro University

About Whitley Penn LLP

Established in 1983, Whitley Penn has become one of the region's most distinguished
accounting firms by providing exceptional service that reaches far beyond traditional
accounting.

Today, with offices in Dallas, Fort Worth, and Houston, 37 partners, approximately 280
exceptional employees, and a worldwide network affiliation via Nexia International, we
are strategically positioned to grow and excel in the future.

Services Offered:
   – Assurance and Advisory
   – Business Process Improvement
   – Business Valuation Services
   – Employee Benefit Plans
   – Litigation and Forensic Services
   – Risk Advisory
   – Tax and Consulting
   – Virtual Back Office
Whitley Penn LLP – Risk Advisory Services

 Service Areas:
   – IT Audits and Consulting
   – IT and Business Risk Assessments
   – Internal Audit Services
   – Service Organization Control (SOC) Reports – 1, 2, & 3
   – Surprise Examinations for Registered Investment Advisors
   – Sarbanes-Oxley Compliance and Maintenance
   – Enterprise Risk Management Implementation and
     Maintenance
Agenda

   Common Facts
   IT Fraud Statistics
   Common Anti-Fraud Controls
   Client Scenarios
   Information Technology Best Practices
   Cyber Warfare
   Questions


Common Facts

•   Estimated loss of 5% of revenue, of which 1-2% is caused by a lack of IT controls within an
    organization
•   Corruption and billing schemes pose the greatest risk to an organization. These schemes
    depend on the data that is fed into systems; a lack of access controls, approval
    controls, and management oversight is what allows them to occur
•   Most common victims:
     – Banking & financial services
     – Government & public administration
     – Manufacturing sectors
•   Anti-fraud controls correlate to significant decreases in the cost and duration of
    occupational fraud schemes

         References:
         ACFE – 2012 Report to the Nations
IT Fraud Statistics – Top 3 Business Departments

     References:
     ACFE – 2012 Report to the Nations
IT Fraud Statistics Breakdown

• Accounting: User access to accounting systems, functions, and modules should be
    segregated based on job responsibilities
• Executive/Upper Management: Management oversight plays a vital role in making sure
    that appropriate controls are in place within an organization. It is advised that
    management conduct periodic reviews of these controls to make sure that they are
    working as stated

Fraud Statistics – Trusted Business Partners

 Category                               TBP (Organizational)   TBP (Individual)   Non-TBP Insider
 Type of Position
   Technical                                   45%                    80%                39%
   Nontechnical                                55%                    20%                61%
 Authorized Access
   Authorized Access                           44%                    36%                48%
   Unauthorized Access                         26%                    36%                23%
 Location
   On-Site                                     81%                    60%                73%
   Remote Access                               19%                    40%                27%
 Employment Status
   Current                                     90%                    69%                76%
   Former                                      10%                    31%                24%
 Type of Insider Crime
   Fraud                                       64%                    23%                54%
   Theft of Intellectual Property              28%                    18%                19%
   Sabotage                                     8%                    59%                27%

 (TBP = Trusted Business Partner)

     References:
     Software Engineering Institute, Carnegie Mellon. "Spotlight On: Insider Threat from Trusted
     Business Partners, Version 2: Updated and Revised". Computer Emergency Response Team
     (CERT) website. 2012 http://www.cert.org/archive/pdf/TrustedBusinessPartners1012.pdf
Common Anti-Fraud Controls

     References:
     ACFE – 2012 Report to the Nations
Client Scenarios

• Following are several client scenarios that we have either
  encountered or obtained through credible references
• Picture these happening at your company or client
• Think of possible controls to mitigate the weaknesses
• Brief description of the scenarios:
     –   #1 pertains to 3rd party vendors & compliance
     –   #2 pertains to logical access control usage
     –   #3 pertains to change management controls
     –   #4 pertains to general IT operations

Scenario #1

Clueless, Inc. requested to have a General Controls Review (GCR) conducted as part of
their annual audit. During planning and fieldwork, it was noted that they had
outsourced all IT work to a third party consultant, and the following issues were
identified:
• There was no valid contract between Clueless, Inc. and the third party consultant;
• There was no formal IT purchasing approval process; and
• Clueless, Inc.’s IT liaison was married to the consultant
 Clueless, Inc. was implementing a third party web application to support their
 business. The consultant recommended that they install a Citrix solution to secure
 the web application at a cost of just under $1 million. No other organizations using
 the third party’s web applications were using Citrix or a comparable solution to secure
 the web application

Clueless, Inc. Control Recommendations

Preventative Controls
     –   Contract / SLA management
     –   Conflict of Interest Compliance
     –   Purchase approval process
     –   Qualified staff performing oversight

Detective Controls
     – Contract/SLA performance reviews



Bios

       Naveen Krishnan – CRISC

       Experience
       Naveen has over six years of IT audit experience focused on public and private sectors
       pertaining to the Oil and Gas, Technology, Manufacturing, and Healthcare industries. He has
       led multiple SOX 404 engagements and has assisted numerous clients with Type I and II
       SSAE 16 examinations. He joined Whitley Penn in June 2011 to help build the risk
       practice and since then has successfully recruited and developed a core team engaged to
       deliver quality work and establish relationships with clients.

       Education
       Bachelors in Management Information Systems (MIS)
       Louisiana State University

Scenario #2
Free For All, LLC, an online retailer, requested to have a GCR and an analysis of third party
service providers/consultants to evaluate the feasibility of continuing operations. The
company was owned by a wealthy individual who had little involvement in the planning or
operations of the company. The following issues were identified:
• The company had established a contract with a third party developer requiring $30,000
    worth of development work to be done each month, regardless of need. The business
    owner also owned a company that developed online retail websites for a niche market,
    but this resource was not leveraged for Free For All, LLC
• The company had established a contract with a third party marketing firm that required
    $25,000 worth of marketing work be done each month, regardless of need.
• The first act of the CEO was to hire his wife as CFO
• The CEO awarded himself a $100,000/year raise and doubled the salary of the Office
    Manager
• The Company had approximately $100,000 in revenue for the year

Free For All, LLC Control Recommendations

Preventative Controls
     – Contract / SLA management
     – Conflict of Interest Compliance
     – Qualified staff performing oversight

Detective Controls
     – Contract/SLA performance reviews




Scenario #3

An IT Manager at Hornswoggled, LLP carried out a fraud scheme that lasted two
years before being detected. The manager was able to gain access to multiple
accounts, allowing them to submit and approve purchase orders and payments.
The manager was also able to bypass a system control that notified the AP
manager and security when a vendor’s address was added or modified.

To enable this fraud, the IT manager modified a single line of code in a program
that synchronized passwords between the production and test environments,
which provided them with all user account passwords in clear text. The IT
manager also modified a single line of code in another program that notified the
AP manager and security when a vendor address was added or modified,
allowing it to be turned off at will.
     References:
     Software Engineering Institute, Carnegie Mellon. "Spotlight On: Programming Techniques
     Used as an Insider Attack Tool". Computer Emergency Response Team (CERT) website.
     2008 http://www.cert.org/archive/pdf/insiderthreat_programmers_1208.pdf
Hornswoggled, LLP Control Recommendations

Preventative Controls
     – Segregation of Duties
     – Change management controls must apply to all systems that
       underlie significant applications and controls
     – Code and System Architecture Reviews


Detective Controls
     – Change detection
     – Review usage of critical system functions
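The two detective controls listed above can be run as a periodic review over application logs. This is an added example, not material from the presentation or from CERT: it flags purchase orders where the submit and approve actions came from the same user or the same workstation (the multiple-account pattern in Scenario #3) and vendor address changes for which no notification event was ever recorded (what a silently disabled alert looks like from the outside). The log format, field names, and sample records are constructed for the example.

```python
"""Detective-control review for the Hornswoggled scenario (added example).

Two checks run over constructed application log records:
  1. Segregation of duties: a purchase order whose PO_SUBMIT and PO_APPROVE
     actions share a user, or share a workstation even under different accounts.
  2. Notification integrity: a VENDOR_ADDR_CHANGE with no VENDOR_ADDR_NOTIFY
     for the same vendor within a short window after the change.
The record layout (timestamp|user|workstation|action|object) is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. PO-5002 is approved from the submitter's workstation
# under a second account; PO-5003 is submitted and approved by the same user;
# vendor V-778 is changed with no notification, V-102 is changed and notified.
SAMPLE_LOG = """\
2012-03-01T09:02:11|jsmith|WS-114|PO_SUBMIT|PO-5001
2012-03-01T09:40:52|akhan|WS-203|PO_APPROVE|PO-5001
2012-03-02T14:10:03|jsmith|WS-114|PO_SUBMIT|PO-5002
2012-03-02T14:11:30|akhan|WS-114|PO_APPROVE|PO-5002
2012-03-02T14:12:05|jsmith|WS-114|VENDOR_ADDR_CHANGE|V-778
2012-03-03T08:00:00|rlee|WS-301|VENDOR_ADDR_CHANGE|V-102
2012-03-03T08:00:04|system|APP|VENDOR_ADDR_NOTIFY|V-102
2012-03-04T10:00:00|jsmith|WS-114|PO_SUBMIT|PO-5003
2012-03-04T10:05:00|jsmith|WS-114|PO_APPROVE|PO-5003
"""


def parse_log(text):
    """Parse pipe-delimited records into dicts with a real datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, obj = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "host": host, "action": action, "obj": obj})
    return records


def sod_violations(records):
    """Return (po_id, reason) for POs whose submit and approve are not independent."""
    by_po = defaultdict(dict)
    for r in records:
        if r["action"] in ("PO_SUBMIT", "PO_APPROVE"):
            by_po[r["obj"]][r["action"]] = r
    findings = []
    for po, acts in sorted(by_po.items()):
        if "PO_SUBMIT" not in acts or "PO_APPROVE" not in acts:
            continue
        s, a = acts["PO_SUBMIT"], acts["PO_APPROVE"]
        if s["user"] == a["user"]:
            findings.append((po, "same user submitted and approved"))
        elif s["host"] == a["host"]:
            # Different accounts from one workstation is the multiple-account pattern.
            findings.append((po, "submit and approve from the same workstation"))
    return findings


def unnotified_vendor_changes(records, window=timedelta(minutes=5)):
    """Return (vendor_id, user, timestamp) for address changes with no notification."""
    notifications = defaultdict(list)
    for r in records:
        if r["action"] == "VENDOR_ADDR_NOTIFY":
            notifications[r["obj"]].append(r["ts"])
    missing = []
    for r in records:
        if r["action"] != "VENDOR_ADDR_CHANGE":
            continue
        notified = any(r["ts"] <= n <= r["ts"] + window
                       for n in notifications[r["obj"]])
        if not notified:
            missing.append((r["obj"], r["user"], r["ts"].isoformat()))
    return missing


def run_review(text=SAMPLE_LOG):
    """Run both checks and return the findings for the reviewer."""
    records = parse_log(text)
    return {"sod": sod_violations(records),
            "unnotified": unnotified_vendor_changes(records)}


if __name__ == "__main__":
    for name, items in run_review().items():
        print(name)
        for item in items:
            print("  ", item)
```

Because the notification check compares the change log against the notification log rather than trusting the alert program, it still fires when the alert has been switched off in code, which is the gap in Scenario #3.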

Scenario #4

Duped Brokerage, Inc. began receiving reports of fraudulent trades from clients.
Upon investigation it was determined that their trading web application had been
breached and a hacker had obtained access to all client accounts. The hacker used
the victims’ accounts to make fraudulent trades that benefited his own market
positions

     References:
     Association of Certified Fraud Examiners. “Internet Transactions at Risk – New Solutions
     Are Needed”. Robert D Peterson 2000 http://www.acfe.com/article.aspx?id=4294968466
Duped Brokerage, Inc. Control Recommendations

Preventative Controls
     – Vulnerability management and penetration testing
     – Secure software development methodology
     – Service provider change management and logical access


Detective Controls
     – Change detection



IT Process Summary

• Logical Access
     –   Principle of least privilege and Segregation of Duties
     –   Sufficient logging
     –   Strong authentication
     –   Special considerations for privileged accounts
• Change Management
     – Segregation of Duties
     – Change management scope
     – Change detection / Configuration Management
• IT Operations
     – Protect backup media from tampering
     – Restrict and monitor removable storage device and data transfer usage
• Security
     – Vulnerability management and penetration testing
     – Secure software development methodology

Information Technology Best Practices

• Consider threats from insiders and business partners in enterprise-wide risk assessments
• Clearly document and consistently enforce policies and controls
• Incorporate insider threat awareness into periodic security training for all employees
• Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior
• Know your assets
• Implement strict password and account management policies and practices
• Enforce separation of duties and least privilege
• Define explicit security agreements for any cloud services, especially access restrictions
  and monitoring capabilities

     References:
     Software Engineering Institute, Carnegie Mellon. “Common Sense Guide to
     Mitigating Insider Threats”. Computer Emergency Response Team (CERT)
     website. 2012 http://www.sei.cmu.edu/reports/12tr012.pdf
Information Technology Best Practices (continued)

• Institute stringent access controls and monitoring policies on privileged users
• Institutionalize system change controls
• Use a log correlation engine or security information and event management (SIEM)
  system to log, monitor, and audit employee actions
• Establish a baseline of normal network behavior
• Monitor and control remote access from all end points, including mobile devices
• Develop a comprehensive employee termination procedure
• Implement secure backup and recovery processes
• Develop a formalized insider threat program
• Close the doors to unauthorized data exfiltration

     References:
     Software Engineering Institute, Carnegie Mellon. “Common Sense Guide to
     Mitigating Insider Threats”. Computer Emergency Response Team (CERT)
     website. 2012 http://www.sei.cmu.edu/reports/12tr012.pdf
Bios

       Jarrett Kolthoff – President/CEO SpearTip, LLC
       Experience
       Jarrett Kolthoff, President/CEO of SpearTip, LLC, has over 19 years of experience in the
       Information Security field. As a former Special Agent – U.S. Army Counterintelligence, he
       has experience in cyber investigations, counterintelligence, and fusion cell analysis that
       assist SpearTip’s clients to identify, assess, neutralize, and exploit the threats leveled
       against their corporation. His civil case work has included investigations in anti-trust
       lawsuits, embezzlement, collusion, theft of intellectual property, and corporate
       espionage. Mr. Kolthoff has led assignments throughout the United States with both
       national and international corporations.

       Education
       Rockhurst University, Bachelor (Political Science & Economics)
       U.S. Army, Counterintelligence Agent
       Troy State University, Masters (International Relations)

Cyber Warfare – New Types of Soldiers

• Taking on new missions
     –   Theft of processing power
     –   Theft of customer data and financial information
     –   Theft of Research
     –   Destruction of research data
• Using active memory manipulation to foil static analysis and avoid
  signature based AV solutions
• In some cases, being used in conjunction with human operatives in the
  theft of company IP



Cyber Warfare (continued)

          Plan For the “When”, Not the “If”
 • Cyber Counterespionage
 • Fusion Cell Analysis
 • CyberStrike:
     –   Identify
     –   Assess
     –   Neutralize
     –   Exploit

Engagement Strategies

• Passively Monitoring Known ‘Bad Actors’ and Crime Servers for:
     – Client IP Address
     – Client Domain Name
     – Conspiracy to Attack
• Monitoring Multiple Data feeds to include:
     – Internet Relay Chat (IRC) Communications
     – Log files
     – Open Source Intelligence (OSINT)
• The more network security, attack vector, and threat trending
  knowledge an enterprise can harvest, the more secure the enterprise

Engagement Strategies (continued)

Fusion Cell Analysis (diagram; elements shown):
     – Government Cases and Civilian Cases
     – HUMINT (Human Collection Efforts)
     – OSINT (Open Source Intelligence)
     – IRC (Internet Relay Chat)
     – Malware Analysis and Known Threats
     – Posting Exploits
     – Threat Profiling
     – Predictive Trends

Questions

Contenu connexe

Tendances

Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
Michael Solomon
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Jeremiah Grossman
 

Tendances (16)

Falcon 012009
Falcon 012009Falcon 012009
Falcon 012009
 
Lets understand the GRC market well with Ponemon analysis- FixNix
Lets understand the GRC market well with Ponemon analysis- FixNixLets understand the GRC market well with Ponemon analysis- FixNix
Lets understand the GRC market well with Ponemon analysis- FixNix
 
Detecting and Auditing for Fraud in Financial Statements Using Data Analysis
Detecting and Auditing for Fraud in Financial Statements Using Data AnalysisDetecting and Auditing for Fraud in Financial Statements Using Data Analysis
Detecting and Auditing for Fraud in Financial Statements Using Data Analysis
 
Recognizing and Preventing Fixed Asset and Inventory Fraud using Data Analysis
Recognizing and Preventing Fixed Asset and Inventory Fraud using Data AnalysisRecognizing and Preventing Fixed Asset and Inventory Fraud using Data Analysis
Recognizing and Preventing Fixed Asset and Inventory Fraud using Data Analysis
 
The Imitation Game: Detecting and Thwarting Automated Bot Attacks
The Imitation Game: Detecting and Thwarting Automated Bot AttacksThe Imitation Game: Detecting and Thwarting Automated Bot Attacks
The Imitation Game: Detecting and Thwarting Automated Bot Attacks
 
Balancing Security and Customer Experience
Balancing Security and Customer ExperienceBalancing Security and Customer Experience
Balancing Security and Customer Experience
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
 
Ways to Beat Vendor and Procurement Fraudsters Using Data Analysis
Ways to Beat Vendor and Procurement Fraudsters Using Data AnalysisWays to Beat Vendor and Procurement Fraudsters Using Data Analysis
Ways to Beat Vendor and Procurement Fraudsters Using Data Analysis
 
The State of Corporate Fraud, Survey 2018
The State of Corporate Fraud, Survey 2018The State of Corporate Fraud, Survey 2018
The State of Corporate Fraud, Survey 2018
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
 
Behavioral Analytics for Preventing Fraud Today and Tomorrow
Behavioral Analytics for Preventing Fraud Today and TomorrowBehavioral Analytics for Preventing Fraud Today and Tomorrow
Behavioral Analytics for Preventing Fraud Today and Tomorrow
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security Guarantees
 
Managed Detection and Response: Selective Outsourcing for Understaffed SOCs a...
Managed Detection and Response: Selective Outsourcing for Understaffed SOCs a...Managed Detection and Response: Selective Outsourcing for Understaffed SOCs a...
Managed Detection and Response: Selective Outsourcing for Understaffed SOCs a...
 
Fraud Detection presentation
Fraud Detection presentationFraud Detection presentation
Fraud Detection presentation
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
Corporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber SecurityCorporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber Security
 

Similaire à A Lack of IT Controls= Fraud Opportunities

CIO Agenda 2015 - Flipping Into Digital Leadership
CIO Agenda 2015 - Flipping Into Digital LeadershipCIO Agenda 2015 - Flipping Into Digital Leadership
CIO Agenda 2015 - Flipping Into Digital Leadership
Derek Mulrey
 

Similaire à A Lack of IT Controls= Fraud Opportunities (20)

Meningkatkan peran audit internal fungsi peran digital
Meningkatkan peran audit internal fungsi peran digital Meningkatkan peran audit internal fungsi peran digital
Meningkatkan peran audit internal fungsi peran digital
 
B2B outsourcing in the Middle East
B2B outsourcing in the Middle EastB2B outsourcing in the Middle East
B2B outsourcing in the Middle East
 
Fortify Your Enterprise with IBM Smarter Counter-Fraud Solutions
Fortify Your Enterprise with IBM Smarter Counter-Fraud SolutionsFortify Your Enterprise with IBM Smarter Counter-Fraud Solutions
Fortify Your Enterprise with IBM Smarter Counter-Fraud Solutions
 
Credit Union Cyber Security
Credit Union Cyber SecurityCredit Union Cyber Security
Credit Union Cyber Security
 
The Insurance Digital Revolution Has a Fraud Problem
The Insurance Digital Revolution Has a Fraud ProblemThe Insurance Digital Revolution Has a Fraud Problem
The Insurance Digital Revolution Has a Fraud Problem
 
HEMISPHERE SMB Case Study
HEMISPHERE SMB Case StudyHEMISPHERE SMB Case Study
HEMISPHERE SMB Case Study
 
Insur Tech Adelaide slides
Insur Tech Adelaide slidesInsur Tech Adelaide slides
Insur Tech Adelaide slides
 
Quality 2020 virtual roundtable
Quality 2020 virtual roundtableQuality 2020 virtual roundtable
Quality 2020 virtual roundtable
 
2016 Risk Management Workshop
2016 Risk Management Workshop2016 Risk Management Workshop
2016 Risk Management Workshop
 
3 Ways Covid-19 Changed Shared Services and how to Prepare for What's Next
3 Ways Covid-19 Changed Shared Services and how to Prepare for What's Next3 Ways Covid-19 Changed Shared Services and how to Prepare for What's Next
3 Ways Covid-19 Changed Shared Services and how to Prepare for What's Next
 
CIO Agenda 2015 - Flipping Into Digital Leadership
CIO Agenda 2015 - Flipping Into Digital LeadershipCIO Agenda 2015 - Flipping Into Digital Leadership
CIO Agenda 2015 - Flipping Into Digital Leadership
 
Emerging Managed Services Opportunities in Identity and Access Management
Emerging Managed Services Opportunities in Identity and Access ManagementEmerging Managed Services Opportunities in Identity and Access Management
Emerging Managed Services Opportunities in Identity and Access Management
 
2015 IA survey - Protiviti
2015 IA survey - Protiviti2015 IA survey - Protiviti
2015 IA survey - Protiviti
 
Security Incident Response Readiness Survey
Security Incident Response Readiness Survey  Security Incident Response Readiness Survey
Security Incident Response Readiness Survey
 
How to Get Proactive about your Vendor Master Data: 4 tips for success
How to Get Proactive about your Vendor Master Data: 4 tips for successHow to Get Proactive about your Vendor Master Data: 4 tips for success
How to Get Proactive about your Vendor Master Data: 4 tips for success
 
Digital Readiness and the Pandemic: Assessing the Impact
Digital Readiness and the Pandemic: Assessing the ImpactDigital Readiness and the Pandemic: Assessing the Impact
Digital Readiness and the Pandemic: Assessing the Impact
 
Compliance & Identity access management
Compliance & Identity access management Compliance & Identity access management
Compliance & Identity access management
 
4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady
 
Addressing Fraud Risk Management with Facts
Addressing Fraud Risk Management with FactsAddressing Fraud Risk Management with Facts
Addressing Fraud Risk Management with Facts
 
Setting Up and Managing an Anonymous Fraud Hotline
Setting Up and Managing an Anonymous Fraud HotlineSetting Up and Managing an Anonymous Fraud Hotline
Setting Up and Managing an Anonymous Fraud Hotline
 

Dernier

unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
Abortion pills in Kuwait Cytotec pills in Kuwait
 
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
lizamodels9
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
Renandantas16
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
dlhescort
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Dipal Arora
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
dollysharma2066
 

Dernier (20)

The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
 
John Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdfJohn Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdf
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptx
 
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 May
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and pains
 
Falcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to ProsperityFalcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to Prosperity
 
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
 
Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptx
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 

A Lack of IT Controls= Fraud Opportunities

  • 1. “A Lack of IT Controls = Fraud Opportunities”
  • 2. Bios – Chris Mitchell, MBA, CIA, CISA, CCSA. Experience: Chris has over 18 years of risk management, finance, and IT consulting experience. He has held the titles of Internal Audit Director, Senior Program Manager, and Managing Consultant at various companies in industries including financial services, telecommunications, software development, manufacturing, and government. Chris’ practice focuses on assisting clients with 404 implementations, Type I & II SSAE 16 engagements, leading internal audit teams, and making cost-effective recommendations to enhance internal controls, maximize efficiency, and minimize exposure to loss and regulatory risk. Education: B.B.A. from University of Texas at San Antonio; MBA from Touro University
  • 3. About Whitley Penn LLP – Established in 1983, Whitley Penn has become one of the region's most distinguished accounting firms by providing exceptional service that reaches far beyond traditional accounting. Today, with offices in Dallas, Fort Worth, and Houston, 37 partners, approximately 280 exceptional employees, and a worldwide network affiliation via Nexia International, we are strategically positioned to grow and excel in the future. Services Offered: Assurance and Advisory; Business Process Improvement; Business Valuation Services; Employee Benefit Plans; Litigation and Forensic Services; Risk Advisory; Tax and Consulting; Virtual Back Office
  • 4. Whitley Penn LLP – Risk Advisory Services. Service Areas: – IT Audits and Consulting – IT and Business Risk Assessments – Internal Audit Services – Service Organization Control (SOC) Reports – 1, 2, & 3 – Surprise Examinations for Registered Investment Advisors – Sarbanes-Oxley Compliance and Maintenance – Enterprise Risk Management Implementation and Maintenance
  • 5. Agenda – Common Facts – IT Fraud Statistics – Common Anti-Fraud Controls – Client Scenarios – Information Technology Best Practices – Cyber Warfare – Questions
  • 6. Common Facts • Estimated loss of 5% of revenue, of which 1-2% is caused by a lack of IT controls within an organization • Corruption and billing schemes pose the greatest risk to an organization. These schemes depend on the data that is fed into systems; a lack of access controls, approval controls, and management oversight is what makes them possible • Most common victims: – Banking & financial services – Government & public administration – Manufacturing sectors • Anti-fraud controls correlate to significant decreases in the cost and duration of occupational fraud schemes. References: ACFE – 2012 Report to the Nations
  • 7. IT Fraud Statistics – Top 3 Business Departments. References: ACFE – 2012 Report to the Nations
  • 8. IT Fraud Statistics Breakdown • Accounting: User access to accounting systems, functions, and modules should be segregated based on job responsibilities • Executive/Upper Management: Management oversight plays a vital role in making sure that appropriate controls are in place within an organization. It is advised that management conduct periodic reviews of these controls to make sure they are working as stated
  • 9. Fraud Statistics – Trusted Business Partners

        Category                          TBP (Organizational)   TBP (Individual)   Non-TBP Insider
        Type of Position
          Technical                         45%                    80%                39%
          Nontechnical                      55%                    20%                61%
        Authorized Access
          Authorized Access                 44%                    36%                48%
          Unauthorized Access               26%                    36%                23%
        Location
          On-Site                           81%                    60%                73%
          Remote Access                     19%                    40%                27%
        Employment Status
          Current                           90%                    69%                76%
          Former                            10%                    31%                24%
        Type of Insider Crime
          Fraud                             64%                    23%                54%
          Theft of Intellectual Property    28%                    18%                19%
          Sabotage                           8%                    59%                27%

        References: Software Engineering Institute, Carnegie Mellon. "Spotlight On: Insider Threat from Trusted Business Partners, Version 2: Updated and Revised". Computer Emergency Response Team (CERT) website. 2012. http://www.cert.org/archive/pdf/TrustedBusinessPartners1012.pdf
  • 10. Common Anti-Fraud Controls. References: ACFE – 2012 Report to the Nations
  • 11. Common Anti-Fraud Controls (continued). References: ACFE – 2012 Report to the Nations
  • 12. Common Anti-Fraud Controls (continued). References: ACFE – 2012 Report to the Nations
  • 13. Client Scenarios • Following are several client scenarios that we have either encountered or obtained through credible references • Picture these happening at your company or client • Think of possible controls to mitigate weaknesses • Brief description of scenarios: – #1 pertains to 3rd party vendors & compliance – #2 pertains to logical access control usage – #3 pertains to change management controls – #4 pertains to general IT operations
  • 14. Scenario #1 – Clueless, Inc. requested to have a General Controls Review (GCR) conducted as part of their annual audit. During planning and fieldwork, it was noted that they had outsourced all IT work to a third party consultant, and the following issues were identified: • There was no valid contract between Clueless, Inc. and the third party consultant; • There was no formal IT purchasing approval process; and • Clueless, Inc.’s IT liaison was married to the consultant. Clueless, Inc. was implementing a third party web application to support their business. The consultant recommended that they install a Citrix solution to secure the web application at a cost of just under $1 million. No other organizations using the third party’s web applications were using Citrix or a comparable solution to secure the web application
  • 15. Clueless, Inc. Control Recommendations – Preventative Controls: – Contract / SLA management – Conflict of Interest Compliance – Purchase approval process – Qualified staff performing oversight. Detective Controls: – Contract/SLA performance reviews
  • 16. Bios – Naveen Krishnan, CRISC. Experience: Naveen has over six years of IT audit experience focused on public and private sectors pertaining to the Oil and Gas, Technology, Manufacturing, and Healthcare industries. He has led multiple SOX 404 engagements and has assisted numerous clients with Type I and II SSAE 16 examinations. He joined Whitley Penn in June 2011 to help build the risk practice and since then has successfully recruited and developed a core team engaged to deliver quality work and establish relationships with clients. Education: Bachelors in Management Information Systems (MIS), Louisiana State University
  • 17. Scenario #2 – Free For All, LLC, an online retailer, requested to have a GCR and an analysis of third party service providers/consultants to evaluate the feasibility of continuing operations. The company was owned by a wealthy individual who had little involvement in the planning or operations of the company. The following issues were identified: • The company had established a contract with a third party developer requiring $30,000 worth of development work to be done each month, regardless of need. The business owner also owned a company that developed online retail websites for a niche market, but this resource was not leveraged for Free For All, LLC • The company had established a contract with a third party marketing firm that required $25,000 worth of marketing work be done each month, regardless of need • The first act of the CEO was to hire his wife as CFO • The CEO awarded himself a $100,000/year raise and doubled the salary of the Office Manager • The company had approximately $100,000 in revenue for the year
  • 18. Free For All, LLC Control Recommendations – Preventative Controls: – Contract / SLA management – Conflict of Interest Compliance – Qualified staff performing oversight. Detective Controls: – Contract/SLA performance reviews
  • 19. Scenario #3 – An IT Manager at Hornswoggled, LLP carried out a fraud scheme that lasted two years before being detected. The manager was able to gain access to multiple accounts, allowing them to submit and approve purchase orders and payments. The manager was also able to bypass a system control that notified the AP manager and security when a vendor’s address was added or modified. To enable this fraud, the IT manager modified a single line of code in a program that synchronized passwords between the production and test environments, which provided them with all user account passwords in clear text. The IT manager also modified a single line of code in another program that notified the AP manager and security when a vendor address was added or modified, allowing it to be turned off at will. References: Software Engineering Institute, Carnegie Mellon. "Spotlight On: Programming Techniques Used as an Insider Attack Tool". Computer Emergency Response Team (CERT) website. 2008. http://www.cert.org/archive/pdf/insiderthreat_programmers_1208.pdf
  • 20. Hornswoggled, LLP Control Recommendations – Preventative Controls: – Segregation of Duties – Change management controls must apply to all systems that underlie significant applications and controls – Code and System Architecture Reviews. Detective Controls: – Change detection – Review usage of critical system functions
  • 21. Scenario #4 – Duped Brokerage, Inc. began receiving reports of fraudulent trades from clients. Upon investigation it was determined that their trading web application had been breached and a hacker had obtained access to all client accounts. The hacker used the victims’ accounts to make fraudulent trades that benefited his own market positions. References: Association of Certified Fraud Examiners. “Internet Transactions at Risk – New Solutions Are Needed”. Robert D. Peterson, 2000. http://www.acfe.com/article.aspx?id=4294968466
  • 22. Duped Brokerage, Inc. Control Recommendations – Preventative Controls: – Vulnerability management and penetration testing – Secure software development methodology – Service provider change management and logical access. Detective Controls: – Change detection
  • 23. IT Process Summary • Logical Access – Principle of least privilege and Segregation of Duties – Sufficient logging – Strong authentication – Special considerations for privileged accounts • Change Management – Segregation of Duties – Change management scope – Change detection / Configuration Management • IT Operations – Protect backup media from tampering – Restrict and monitor removable storage device and data transfer usage • Security – Vulnerability management and penetration testing – Secure software development methodology
  • 24. Information Technology Best Practices • Consider threats from insiders and business partners in enterprise-wide risk assessments • Clearly document and consistently enforce policies and controls • Incorporate insider threat awareness into periodic security training for all employees • Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior • Know your assets • Implement strict password and account management policies and practices • Enforce separation of duties and least privilege • Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities. References: Software Engineering Institute, Carnegie Mellon. “Common Sense Guide to Mitigating Insider Threats”. Computer Emergency Response Team (CERT) website. 2012. http://www.sei.cmu.edu/reports/12tr012.pdf
  • 25. Information Technology Best Practices (continued) • Institute stringent access controls and monitoring policies on privileged users • Institutionalize system change controls • Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions • Establish a baseline of normal network behavior • Monitor and control remote access from all end points, including mobile devices • Develop a comprehensive employee termination procedure • Implement secure backup and recovery processes • Develop a formalized insider threat program • Close the doors to unauthorized data exfiltration. References: Software Engineering Institute, Carnegie Mellon. “Common Sense Guide to Mitigating Insider Threats”. Computer Emergency Response Team (CERT) website. 2012. http://www.sei.cmu.edu/reports/12tr012.pdf
  • 26. Bios – Jarrett Kolthoff, President/CEO, SpearTip, LLC. Experience: Jarrett Kolthoff, President/CEO of SpearTip, LLC, has over 19 years of experience in the Information Security field. As a former Special Agent – U.S. Army Counterintelligence, he has experience in cyber investigations, counterintelligence, and fusion cell analysis that assist SpearTip’s clients to identify, assess, neutralize, and exploit the threats leveled against their corporation. His civil case work has included investigations in anti-trust lawsuits, embezzlement, collusion, theft of intellectual property, and corporate espionage. Mr. Kolthoff has led assignments throughout the United States with both national and international corporations. Education: Rockhurst University, Bachelor (Political Science & Economics); U.S. Army, Counterintelligence Agent; Troy State University, Masters (International Relations)
  • 27. Cyber Warfare – New Types of Soldiers • Taking on new missions – Theft of processing power – Theft of customer data and financial information – Theft of research – Destruction of research data • Using active memory manipulation to foil static analysis and avoid signature-based AV solutions • In some cases, being used in conjunction with human operatives in the theft of company IP
  • 28. Cyber Warfare (continued) – Plan for the “When”, Not the “If” • Cyber Counterespionage • Fusion Cell Analysis • CyberStrike: – Identify – Assess – Neutralize – Exploit
  • 29. Engagement Strategies • Passively monitoring known ‘bad actors’ and crime servers for: – Client IP address – Client domain name – Conspiracy to attack • Monitoring multiple data feeds to include: – Internet Relay Chat (IRC) communications – Log files – Open Source Intelligence (OSINT) • The more network security, attack vector, and threat trending knowledge an enterprise can harvest, the more secure the enterprise
  • 30. Engagement Strategies (continued) – Fusion Cell Analysis (diagram). Inputs: Government Cases; Civilian Cases; HUMINT (Human Collection Efforts); OSINT (Open Source Intelligence, posting trends); Exploits (malware analysis, known threats); IRC (Internet Relay Chat). Output: Threat Predictive Profiling
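The three detective controls recommended for the Hornswoggled, LLP scenario on slides 19 and 20 (change detection, review of critical system function usage, and segregation of duties), worked through as an added example. This is illustration code written for this page, not code from the CERT case or from the presenters; the program names, change tickets, accounts, workstations and vendor records are all constructed.

```python
"""Added example: detective controls for the Hornswoggled, LLP scenario.

Everything below is constructed for illustration; program names, accounts,
workstations and vendor records are hypothetical, not taken from the CERT case.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# ---- 1. Change detection: what runs in production vs. an approved baseline ----

# Program text as it was when last deployed through change management (constructed).
APPROVED_SOURCES = {
    "pw_sync.pl":       b"sync_passwords(prod, test, store_hashes_only=1)\n",
    "vendor_notify.pl": b"if (address_changed($vendor)) { notify('ap_manager', 'security') }\n",
    "gl_close.sql":     b"UPDATE gl_period SET status = 'CLOSED' WHERE period = :p;\n",
}
BASELINE = {name: sha256_hex(src) for name, src in APPROVED_SOURCES.items()}

# Program text found in production today (constructed). One line of pw_sync.pl
# now keeps clear-text passwords; gl_close.sql changed under an approved ticket.
CURRENT_SOURCES = {
    "pw_sync.pl":       b"sync_passwords(prod, test, store_hashes_only=0)\n",
    "vendor_notify.pl": b"if (address_changed($vendor)) { notify('ap_manager', 'security') }\n",
    "gl_close.sql":     b"UPDATE gl_period SET status = 'CLOSED', closed_by = :u WHERE period = :p;\n",
}
APPROVED_CHANGE_TICKETS = {"gl_close.sql"}   # programs covered by an approved change


def unauthorized_changes(baseline: dict, current: dict, approved: set) -> list:
    """Programs whose hash differs from the baseline (or that vanished) with no approved ticket."""
    changed = [name for name, src in current.items()
               if baseline.get(name) != sha256_hex(src)]
    missing = [name for name in baseline if name not in current]
    return sorted(name for name in changed + missing if name not in approved)


# ---- 2. Critical-function usage review: did the alert fire for every change? ----

VENDOR_ADDRESS_CHANGES = [          # vendor master audit trail (constructed)
    {"change_id": "CHG-0091", "vendor_id": "V-2001", "by": "apclerk1"},
    {"change_id": "CHG-0092", "vendor_id": "V-2002", "by": "apclerk2"},
    {"change_id": "CHG-0093", "vendor_id": "V-2999", "by": "apclerk1"},
]
NOTIFICATIONS_SENT = [              # outbound notification log (constructed)
    {"change_id": "CHG-0091", "to": ["ap_manager", "security"]},
    {"change_id": "CHG-0092", "to": ["ap_manager", "security"]},
]


def unnotified_changes(changes: list, notifications: list) -> list:
    """Address changes for which the notification control never produced an alert."""
    notified = {n["change_id"] for n in notifications}
    return [c["change_id"] for c in changes if c["change_id"] not in notified]


# ---- 3. Segregation of duties at the transaction level ----

PURCHASE_ORDERS = [                 # constructed; hosts are where each action originated
    {"po_id": "PO-1001", "submitted_by": "buyer1", "submit_host": "WS-PUR-03",
     "approved_by": "apmgr", "approve_host": "WS-FIN-11"},
    {"po_id": "PO-1002", "submitted_by": "buyer2", "submit_host": "WS-IT-07",
     "approved_by": "apmgr", "approve_host": "WS-IT-07"},
    {"po_id": "PO-1003", "submitted_by": "apmgr", "submit_host": "WS-FIN-11",
     "approved_by": "apmgr", "approve_host": "WS-FIN-11"},
]


def sod_violations(purchase_orders: list) -> list:
    """POs where one account did both steps, or two accounts acted from one workstation
    (the pattern left behind when one person drives several stolen accounts)."""
    return [po["po_id"] for po in purchase_orders
            if po["submitted_by"] == po["approved_by"]
            or po["submit_host"] == po["approve_host"]]


def run_all() -> dict:
    return {
        "unauthorized_changes": unauthorized_changes(BASELINE, CURRENT_SOURCES, APPROVED_CHANGE_TICKETS),
        "unnotified_changes": unnotified_changes(VENDOR_ADDRESS_CHANGES, NOTIFICATIONS_SENT),
        "sod_violations": sod_violations(PURCHASE_ORDERS),
    }


if __name__ == "__main__":
    for control, findings in run_all().items():
        print(f"{control}: {findings or 'no exceptions'}")
```

The first check only works if the baseline hashes are captured by someone who cannot also push code to production; otherwise the IT manager in the scenario simply re-baselines after editing. The third check flags the stolen-credential pattern (two different accounts, one workstation) as well as the plain same-account case, which is what the password synchronization change in the scenario would have produced.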

Editor's notes

  1. The Association of Certified Fraud Examiners (ACFE) performs regular in-depth surveys in relation to occupational fraud. According to their 2012 Report to the Nations:
  2. In these 3 areas there is a common theme noted of corruption and billing. Are we prepared to discuss corruption and billing in more depth? This seems a bit generic and it may help to have some examples in mind and how a lack of IT controls poses a greater fraud risk to these two areas.
  3. The Computer Emergency Response Team at Carnegie Mellon’s Software Engineering Institute maintains an insider threat database, containing cases that specifically include incidents of IT sabotage, fraud, and theft of intellectual property. In 2012 they conducted a study of threats from trusted business partners. Of the 578 cases in the insider threat database, 50 cases involved contractors, consultants, and temporary employees and an additional 25 cases involved trusted business partners in an organizational relationship with the victim organizations. This table compares the type of position (technical vs. nontechnical), authorized access, location, employment status, and type of crime for trusted business partners with an organizational relationship and trusted business partners with an individual relationship, representing the previously mentioned 75 cases. Also shown are the numbers from the remaining cases of “typical insider fraud”. There was no data for all presented variables for all data points, which is why the numbers may not add up in each category.
  4. The 16 most commonly noted anti-fraud controls include:
  5. Client situation explains how important compliance is for any organization.
  6. The consultant/developer actually offered to perform the work for $20,000/month, but the CEO insisted on $30,000. The company’s website was completely rebuilt three separate times in the year it was in operation. Internal IT staff at Free For All LLC were not utilized for development purposes, despite having development skills in house. The internal staff were largely concerned with documentation during the first year of operation. The level of documentation of policies, procedures, and processes was more thorough than is typically seen in much larger and more mature organizations.
  7. If a critical system function should alert relevant personnel when it is used, would you be able to detect that it was turned off? If no notifications were ever received, do you review the function usage to verify that it was not used?
  8. In order for segregation of duties to be effective in this instance, the software change control system must enforce the approval of changes by individuals who do not have access to move changes into production. Strong access controls must be in place in the change control system to prevent approval through unauthorized access to accounts. Change detection systems can identify when changes have occurred, so that those changes can be reviewed against approved changes. Effective change detection controls enable organizations to know that no unauthorized changes have occurred rather than simply having faith that none have occurred. Does your service organization have effective controls to prevent/detect unauthorized changes by individuals with access to make changes to the production environment?
  9. Loosely based on the ACFE article. Web applications present a significant opportunity for hackers. A variety of methods can be used to gain unauthorized access to web applications. In this incident the attacker was able to hijack the company’s Domain Name Servers using social engineering. He then redirected users to a malicious copy of the site that captured their credentials before passing them on to the company’s web application. There are a wide variety of methods that an attacker could use to steal authentication data and/or gain control of a system. An attacker could also leverage SQL injection, in which the hacker attempts to insert malicious database commands into user inputs in the application. If the application does not properly cleanse these inputs, then the application could execute malicious commands that result in the disclosure of sensitive information. A hacker could also hijack the session of an active user, bypassing authentication and gaining access to their account, if session management is not securely implemented in the application. If the web application is not properly coded, an attacker could embed the site in a frame hosted on their own site. The attacker could then use spear phishing techniques to trick users into accessing the web application through their malicious site, capturing credentials in the process.
  10. When web applications are used to support financially significant business functions, organizations should strongly consider performing routine vulnerability scans and penetration tests of the application, particularly if the web application is publicly accessible. Following a secure software development methodology can help an organization avoid common security pitfalls when developing web applications internally. Logical access and change management controls must extend to the service provider organizations. In the case of Duped Brokerage, the hacker was able to gain control of the company’s DNS by convincing their domain registrar to give them access to their records. While most of the infrastructure for web applications can be managed internally, some components, such as a domain registrar, must be performed by an authorized third party service organization in the overwhelming majority of cases. It is critical that organizations be alerted to any changes to domain registration and domain records. Detecting these changes at the third party organization can be quite difficult unless the third party provides this functionality.
  11. Identifying the configuration items that impact the availability, integrity, and/or confidentiality of significant systems and data, and changes to those configuration items, is critical for the effective management of changes. Configuration management is one of the most difficult IT management processes because many systems and applications are not designed to easily allow detection of changes to configuration items, not to mention the difficulty in identifying every configuration item that could potentially impact the availability, integrity, and/or confidentiality of significant systems. However, organizations that have effective configuration management processes are capable of managing changes in a more effective manner. It is important that Internal Audit work with IT to find a common ground on IT processes and controls. COBIT is aligned with a number of complementary IT management frameworks that can provide a common language for IT and internal audit when talking about IT processes and controls. These frameworks include, but are not limited to, the IT Infrastructure Library (ITIL) v3, International Organization for Standardization (ISO) management standards, and Val IT.
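The SQL injection path described in note 9 for the Duped Brokerage, Inc. scenario, as an added example that is not code from the ACFE article or from the presenters: a login lookup that splices user input into the query text, beside the parameterized form the "secure software development methodology" recommendation on slide 22 calls for. The users table, the two accounts and the payloads are constructed; the example uses Python's standard-library sqlite3 so it runs offline.

```python
"""Added example: string-built vs. parameterized login lookups (Duped Brokerage note)."""
import hashlib
import sqlite3

# Constructed sample accounts. SHA-256 keeps the example dependency-free; a real
# application stores salted, slow hashes (bcrypt, scrypt or Argon2) instead.
SAMPLE_USERS = {"alice": "correct horse", "bob": "battery staple"}


def pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table populated from SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, pw_hash(p)) for u, p in SAMPLE_USERS.items()])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Deliberately vulnerable: the username is spliced into the SQL text, so a
    quote inside it ends the string literal and the rest is executed as SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND pw_hash = '" + pw_hash(password) + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: bound parameters travel as data and are never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()
    return row[0] if row else None


# Two classic payloads: comment out the password check for a known user, or
# make the WHERE clause true for every row. Both are constructed attacker input.
ATTACKER_PAYLOADS = ["alice' -- ", "' OR 1=1 -- "]


def demo() -> dict:
    """Run each payload with a wrong password through both lookups.
    Returns {payload: (vulnerable_result, parameterized_result)}."""
    conn = make_db()
    return {p: (login_vulnerable(conn, p, "not-the-password"),
                login_safe(conn, p, "not-the-password")) for p in ATTACKER_PAYLOADS}


if __name__ == "__main__":
    for payload, (vuln, safe) in demo().items():
        print(f"{payload!r:16} vulnerable -> {vuln!r:8} parameterized -> {safe!r}")
```

With a wrong password, the string-built query logs the attacker in as alice (first payload) or as whichever row the database returns first (second payload); the parameterized query returns no match for either, because the quote and the `--` comment marker stay inside the bound value. Hashing the password before the query does nothing here: the injection is in the username field, which is why "cleansing" inputs, as the note puts it, means binding them, not filtering a few characters.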