2. Bios
Chris Mitchell – MBA, CIA, CISA, CCSA
Experience
Chris has over 18 years of risk management, finance, and IT consulting experience. He
has held the titles of Internal Audit Director, Senior Program Manager, and Managing
Consultant at various companies in industries including financial services,
telecommunications, software development, manufacturing, and government. Chris’
practice focuses on assisting clients with 404 implementations, Type I & II SSAE 16
engagements, leading internal audit teams, and making cost-effective recommendations
to enhance internal controls, maximize efficiency, and minimize exposure to loss and
regulatory risk.
Education
B.B.A. from University of Texas at San Antonio
MBA from Touro University
3. About Whitley Penn LLP
Established in 1983, Whitley Penn has become one of the region's most distinguished accounting firms by providing exceptional service that reaches far beyond traditional accounting.
Today, with offices in Dallas, Fort Worth, and Houston, 37 partners, approximately 280 exceptional employees, and a worldwide network affiliation via Nexia International, we are strategically positioned to grow and excel in the future.
Services Offered:
– Assurance and Advisory
– Business Process Improvement
– Business Valuation Services
– Employee Benefit Plans
– Litigation and Forensic Services
– Risk Advisory
– Tax and Consulting
– Virtual Back Office
4. Whitley Penn LLP – Risk Advisory Services
Service Areas:
– IT Audits and Consulting
– IT and Business Risk Assessments
– Internal Audit Services
– Service Organization Control (SOC) Reports – 1, 2, & 3
– Surprise Examinations for Registered Investment Advisors
– Sarbanes-Oxley Compliance and Maintenance
– Enterprise Risk Management Implementation and Maintenance
5. Agenda
Common Facts
IT Fraud Statistics
Common Anti-Fraud Controls
Client Scenarios
Information Technology Best Practices
Cyber Warfare
Questions
6. Common Facts
• Estimated loss of 5% of revenue, of which 1-2% is caused by lack of IT controls within an
organization
• Corruption and billing schemes pose the greatest risk to an organization. These schemes
take place based on the data that is fed into systems and how a lack of access, approval
controls, and management oversight would lead to such schemes
• Most common victims:
– Banking & financial services
– Government & public administration
– Manufacturing sectors
• Anti-fraud controls correlate to significant decreases in the cost and duration of
occupational fraud schemes
References:
ACFE – 2012 Report to the Nations
7. IT Fraud Statistics – Top 3 Business Departments
References:
ACFE – 2012 Report to the Nations
8. IT Fraud Statistics Breakdown
• Accounting: User access to accounting systems / functions and
modules should be segregated based on job responsibilities
• Executive/Upper Management: Management oversight plays a vital
role in making sure that appropriate controls are in place within an
organization. It is advised that management conduct periodic reviews
of these controls to make sure that they are working as stated
9. Fraud Statistics – Trusted Business Partners
                                  Trusted Business Partner
                                  Organizational   Individual   Non-TBP Insider
Type of Position
  Technical                       45%              80%          39%
  Nontechnical                    55%              20%          61%
Authorized Access
  Authorized Access               44%              36%          48%
  Unauthorized Access             26%              36%          23%
Location
  On-Site                         81%              60%          73%
  Remote Access                   19%              40%          27%
Employment Status
  Current                         90%              69%          76%
  Former                          10%              31%          24%
Type of Insider Crime
  Fraud                           64%              23%          54%
  Theft of Intellectual Property  28%              18%          19%
  Sabotage                         8%              59%          27%
References:
Software Engineering Institute, Carnegie Mellon. "Spotlight On: Insider Threat from Trusted Business Partners, Version 2: Updated and Revised". Computer Emergency Response Team (CERT) website. 2012. http://www.cert.org/archive/pdf/TrustedBusinessPartners1012.pdf
13. Client Scenarios
• Following are several client scenarios that we have either
encountered or obtained through credible references
• Picture these happening at your company or client
• Think of possible controls to mitigate weaknesses
• Brief description of Scenarios:
– #1 pertains to 3rd party vendors & compliance
– #2 pertains to logical access control usage
– #3 pertains to change management controls
– #4 pertains to general IT operations
14. Scenario #1
Clueless, Inc. requested to have a General Controls Review (GCR) conducted as part of
their annual audit. During planning and fieldwork, it was noted that they had
outsourced all IT work to a third party consultant, and the following issues were
identified:
• There was no valid contract between Clueless, Inc. and the third party consultant;
• There was no formal IT purchasing approval process; and
• Clueless, Inc.’s IT liaison was married to the consultant
Clueless, Inc. was implementing a third party web application to support their
business. The consultant recommended that they install a Citrix solution to secure
the web application at a cost of just under $1 million. No other organizations using
the third party’s web applications were using Citrix or a comparable solution to secure
the web application
15. Clueless, Inc. Control Recommendations
Preventative Controls
– Contract / SLA management
– Conflict of Interest Compliance
– Purchase approval process
– Qualified staff performing oversight
Detective Controls
– Contract/SLA performance reviews
16. Bios
Naveen Krishnan – CRISC
Experience
Naveen has over six years of IT audit experience focused on public and private sectors
pertaining to the Oil and Gas, Technology, Manufacturing, and Healthcare industries. He has
led multiple SOX 404 engagements and has assisted numerous clients with Type I and II
SSAE 16 examinations. He joined Whitley Penn in June 2011 to help build the risk
practice and since then has successfully recruited and developed a core team engaged to
deliver quality work and establish relationships with clients.
Education
Bachelor's in Management Information Systems (MIS)
Louisiana State University
17. Scenario #2
Free For All, LLC, an online retailer, requested to have a GCR and analysis of third party
service providers/consultants to evaluate the feasibility of continuing operations. The
company was owned by a wealthy individual who had little involvement in the planning or
operations of the company. The following issues were identified:
• The company had established a contract with a third party developer requiring $30,000
worth of development work to be done each month, regardless of need. The business
owner also owned a company that developed online retail websites for a niche market,
but this resource was not leveraged for Free For All, LLC
• The company had established a contract with a third party marketing firm that required
$25,000 worth of marketing work be done each month, regardless of need.
• The first act of the CEO was to hire his wife as CFO
• The CEO awarded himself a $100,000/year raise and doubled the salary of the Office
Manager
• The Company had approximately $100,000 in revenue for the year
18. Free For All, LLC Control Recommendations
Preventative Controls
– Contract / SLA management
– Conflict of Interest Compliance
– Qualified staff performing oversight
Detective Controls
– Contract/SLA performance reviews
19. Scenario #3
An IT Manager at Hornswoggled, LLP carried out a fraud scheme that lasted two
years before being detected. The manager was able to gain access to multiple
accounts, allowing them to submit and approve purchase orders and payments.
The manager was also able to bypass a system control that notified the AP
manager and security when a vendor’s address was added or modified
To enable this fraud, the IT manager modified a single line of code in a program
that synchronized passwords between the production and test environments,
which provided them with all user account passwords in clear text. The IT
manager also modified a single line of code in another program that notified the
AP manager and security when a vendor address was added or modified,
allowing it to be turned off at will
References:
Software Engineering Institute, Carnegie Mellon. "Spotlight On: Programming Techniques Used as an Insider Attack Tool". Computer Emergency Response Team (CERT) website. 2008. http://www.cert.org/archive/pdf/insiderthreat_programmers_1208.pdf
20. Hornswoggled, LLP Control Recommendations
Preventative Controls
– Segregation of Duties
– Change management controls must apply to all systems that
underlie significant applications and controls
– Code and System Architecture Reviews
Detective Controls
– Change detection
– Review usage of critical system functions
21. Scenario #4
Duped Brokerage, Inc. began receiving reports of fraudulent trades from clients.
Upon investigation it was determined that their trading web application had been
breached and a hacker had obtained access to all client accounts. The hacker used
the victim’s account to make fraudulent trades that benefited his own market
positions
References:
Association of Certified Fraud Examiners. “Internet Transactions at Risk – New Solutions Are Needed”. Robert D. Peterson, 2000. http://www.acfe.com/article.aspx?id=4294968466
22. Duped Brokerage, Inc. Control Recommendations
Preventative Controls
– Vulnerability management and penetration testing
– Secure software development methodology
– Service provider change management and logical access
Detective Controls
– Change detection
23. IT Process Summary
• Logical Access
– Principle of least privilege and Segregation of Duties
– Sufficient logging
– Strong authentication
– Special considerations for privileged accounts
• Change Management
– Segregation of Duties
– Change management scope
– Change detection / Configuration Management
• IT Operations
– Protect backup media from tampering
– Restrict and monitor removable storage device and data transfer usage
• Security
– Vulnerability management and penetration testing
– Secure software development methodology
24. Information Technology Best Practices
• Consider threats from insiders and business partners in enterprise-wide risk assessments
• Clearly document and consistently enforce policies and controls
• Incorporate insider threat awareness into periodic security training for all employees
• Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior
• Know your assets
• Implement strict password and account management policies and practices
• Enforce separation of duties and least privilege
• Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities
References:
Software Engineering Institute, Carnegie Mellon. “Common Sense Guide to Mitigating Insider Threats". Computer Emergency Response Team (CERT) website. 2012. http://www.sei.cmu.edu/reports/12tr012.pdf
25. Information Technology Best Practices (continued)
• Institute stringent access controls and monitoring policies on privileged users
• Institutionalize system change controls
• Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions
• Establish a baseline of normal network behavior
• Monitor and control remote access from all end points, including mobile devices
• Develop a comprehensive employee termination procedure
• Implement secure backup and recovery processes
• Develop a formalized insider threat program
• Close the doors to unauthorized data exfiltration
References:
Software Engineering Institute, Carnegie Mellon. “Common Sense Guide to Mitigating Insider Threats". Computer Emergency Response Team (CERT) website. 2012. http://www.sei.cmu.edu/reports/12tr012.pdf
26. Bios
Jarrett Kolthoff – President/CEO, SpearTip, LLC
Experience
Jarrett Kolthoff, President/CEO of SpearTip, LLC, has over 19 years of experience in the
Information Security field. As a former Special Agent – U.S. Army Counterintelligence, he
has experience in cyber investigations, counterintelligence, and fusion cell analysis that
assists SpearTip’s clients to identify, assess, neutralize, and exploit the threats leveled
against their corporation. His civil case work has included investigations in anti-trust
lawsuits, embezzlement, collusion, theft of intellectual property, and corporate
espionage. Mr. Kolthoff has led assignments throughout the United States with both
national and international corporations.
Education
Rockhurst University, Bachelor (Political Science & Economics)
U.S. Army, Counterintelligence Agent
Troy State University, Masters (International Relations)
27. Cyber Warfare – New Types of Soldiers
• Taking on new missions
– Theft of processing power
– Theft of customer data and financial information
– Theft of Research
– Destruction of research data
• Using active memory manipulation to foil static analysis and avoid
signature based AV solutions
• In some cases, being used in conjunction with human operatives in the
theft of company IP
28. Cyber Warfare (continued)
Plan For the “When”, Not the “If”
• Cyber Counterespionage
• Fusion Cell Analysis
• CyberStrike:
– Identify
– Assess
– Neutralize
– Exploit
29. Engagement Strategies
• Passively Monitoring Known ‘Bad Actors’ and Crime Servers for:
– Client IP Address
– Client Domain Name
– Conspiracy to Attack
• Monitoring Multiple Data feeds to include:
– Internet Relay Chat (IRC) Communications
– Log files
– Open Source Intelligence (OSINT)
• The more network security, attack vector, and threat trending
knowledge an enterprise can harvest, the more secure the enterprise
30. Engagement Strategies (continued)
Fusion Cell Analysis (diagram on the slide; the sources feeding the fusion cell are):
– Government HUMINT Cases (Human Collection Efforts)
– Civilian Cases
– OSINT (Open Source Intelligence)
– Threat Profiling
– Predictive Posting Trends
– Exploits
– Malware Analysis
– Known Threats
– IRC (Internet Relay Chat)
The Association of Certified Fraud Examiners (ACFE) performs regular in-depth surveys in relation to occupational fraud. According to their 2012 Report to the Nations:
In these 3 areas there is a common theme noted of corruption and billing. Are we prepared to discuss corruption and billing in more depth? This seems a bit generic and it may help to have some examples in mind of how a lack of IT controls poses a greater fraud risk to these two areas.
The Computer Emergency Response Team at Carnegie Mellon’s Software Engineering Institute maintains an insider threat database, containing cases that specifically include incidents of IT sabotage, fraud, and theft of intellectual property. In 2012 they conducted a study of threats from trusted business partners. Of the 578 cases in the insider threat database, 50 cases involved contractors, consultants, and temporary employees and an additional 25 cases involved trusted business partners in an organizational relationship with the victim organizations. This table compares the type of position (technical vs nontechnical), authorized access, location, employment status, and type of crime for trusted business partners with an organizational relationship and trusted business partners with an individual relationship, representing the previously mentioned 75 cases. Also shown are the numbers from the remaining cases of “typical insider fraud”. There was no data for all presented variables for all data points, which is why the numbers may not add up in each category.
The 16 most commonly noted anti-fraud controls include:
Client situation explains how important compliance is for any organization.
The consultant/developer actually offered to perform the work for $20,000/month, but the CEO insisted on $30,000. The company’s website was completely rebuilt three separate times in the year it was in operation. Internal IT staff at Free For All LLC were not utilized for development purposes, despite having development skills in house. The internal staff were largely concerned with documentation during the first year of operation. The level of documentation of policies, procedures, and processes was more thorough than is typically seen in much larger and more mature organizations.
If a critical system function should alert relevant personnel when it is used, would you be able to detect that it was turned off? If no notifications were ever received, do you review the function usage to verify that it was not used?
In order for segregation of duties to be effective in this instance, the software change control system must enforce the approval of changes by individuals who do not have access to move changes into production. Strong access controls must be in place in the change control system to prevent approval through unauthorized access to accounts. Change detection systems can identify when changes have occurred, so that those changes can be reviewed against approved changes. Effective change detection controls can enable organizations to know that no unauthorized changes have occurred rather than simply having faith that none have occurred. Does your service organization have effective controls to prevent/detect unauthorized changes by individuals with access to make changes to the production environment?
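Two of the checks these notes ask for, written as an added example (not part of the deck or any product the presenters describe): a hash baseline of program sources reconciled against the approved-change list, which flags the kind of single-line edits made at Hornswoggled, LLP in Scenario #3, and a reconciliation of the vendor-master change log against the alert log, which exposes a notification function that was silently switched off. All file names, source contents, vendor IDs and log entries are constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed sample: SHA-256 baseline recorded when each program was last
# approved, and the source as it exists now. Two programs carry an unapproved
# one-line edit, mirroring the password-sync and vendor-alert changes in Scenario #3.
BASELINE = {
    "pwsync.pl": hashlib.sha256(b"sync_passwords(prod, test);\n").hexdigest(),
    "vendor_alert.pl": hashlib.sha256(b"notify(ap_mgr, security) if addr_changed;\n").hexdigest(),
    "report.pl": hashlib.sha256(b"print_report();\n").hexdigest(),
}
CURRENT_SOURCE = {
    "pwsync.pl": b"sync_passwords(prod, test); dump_cleartext(all_users);\n",
    "vendor_alert.pl": b"notify(ap_mgr, security) if addr_changed && $ENV{ALERT_ON};\n",
    "report.pl": b"print_report(); print_totals();\n",
}
# Files with a closed change ticket; any other file that differs is unauthorized.
APPROVED_CHANGES = {"report.pl"}


def unapproved_code_changes(baseline, current, approved):
    """Return sorted names of files whose hash differs from the baseline (or that
    are unknown to it) and that have no approved change covering them."""
    flagged = []
    for name, content in current.items():
        digest = hashlib.sha256(content).hexdigest()
        if baseline.get(name) != digest and name not in approved:
            flagged.append(name)
    return sorted(flagged)


# Constructed sample logs: the vendor-master audit trail versus the alert log the
# AP manager and security actually received. Every address add/modify should
# produce an alert for that vendor within a few minutes.
VENDOR_CHANGES = [
    ("2012-03-01 09:14", "V1001", "address_modified"),
    ("2012-03-01 09:20", "V2044", "address_added"),
    ("2012-03-02 16:02", "V1001", "address_modified"),  # alert never fired
]
ALERTS_SENT = [
    ("2012-03-01 09:14", "V1001"),
    ("2012-03-01 09:21", "V2044"),
]
TS_FMT = "%Y-%m-%d %H:%M"


def changes_without_alert(changes, alerts, window_minutes=5):
    """Return vendor changes that no alert for the same vendor covers within the
    window. A non-empty result means the notification control did not fire."""
    window = timedelta(minutes=window_minutes)
    missing = []
    for ts, vendor, action in changes:
        change_time = datetime.strptime(ts, TS_FMT)
        covered = any(
            v == vendor and abs(datetime.strptime(ats, TS_FMT) - change_time) <= window
            for ats, v in alerts
        )
        if not covered:
            missing.append((ts, vendor, action))
    return missing
```

In practice the baseline comes from the change-control system at approval time and the two logs from the vendor master and the mail or SIEM alert store; the point is that both reviews compare what happened against what should have happened, rather than trusting that the control ran.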
Loosely based on ACFE article. Web applications present a significant opportunity for hackers. A variety of methods can be used to gain unauthorized access to web applications. In this incident the attacker was able to hijack the company’s Domain Name Servers using social engineering. He then redirected users to a malicious copy of the site that captured their credentials before passing them back to the company’s web application. There are a wide variety of methods that an attacker could use to steal authentication data and/or gain control of a system. An attacker could also leverage SQL injection, in which the hacker attempts to insert malicious database commands into user inputs in the application. If the application does not properly cleanse these inputs, then the application could execute malicious commands that result in the disclosure of sensitive information. A hacker could also hijack the session of active users, bypassing authentication and gaining access to their accounts if session management is not securely implemented in the application. If the web application is not properly coded, an attacker could embed the site in a frame hosted on their own site. The attacker could then use spear phishing techniques to trick users into accessing the web application through their malicious site, capturing credentials in the process.
When web applications are used to support financially significant business functions, organizations should strongly consider performing routine vulnerability scans and penetration tests of the application, particularly if the web application is publicly accessible. Following a secure software development methodology can help an organization avoid common security pitfalls when developing web applications internally. Logical access and change management controls must extend to the service provider organizations. In the case of Duped Brokerage, the hacker was able to gain control of the company’s DNS by convincing their domain registrar to give them access to their records. While most of the infrastructure for web applications can be managed internally, some components, such as a domain registrar, must be performed by an authorized third party service organization in the overwhelming majority of cases. It is critical that organizations be alerted to any changes to domain registration and domain records. Detecting these changes at the third party organization can be quite difficult unless the third party provides this functionality.
Identifying the configuration items that impact the availability, integrity, and/or confidentiality of significant systems and data, and changes to those configuration items, is critical for the effective management of changes. Configuration management is one of the most difficult IT management processes because many systems and applications are not designed to easily allow detection of changes to configuration items. This is not to even mention the difficulty in identifying every configuration item that could potentially impact the availability, integrity, and/or confidentiality of significant systems. However, organizations that have effective configuration management processes are capable of managing changes in a more effective manner. It is important that Internal Audit work with IT to find a common ground on IT processes and controls. COBIT is aligned with a number of complementary IT management frameworks that can provide a common language for IT and internal audit when talking about IT processes and controls. These frameworks include, but are not limited to, the IT Infrastructure Library (ITIL) v3, International Organization for Standardization (ISO) management standards, and Val IT.