Preventing Fraud from Top to Bottom - Vanderburg, Gaddamanugu - Information Security Summit 2014

Preventing Fraud from Top to Bottom
Information Security Summit
October 31, 2014
Session 8: 2:20–3:20 PM
Dr. Eric A. Vanderburg
Director, Cyber Security
JURINNOV Ltd.
Ramana Gaddamanugu, CFE
Senior Manager, Risk and Compliance
JURINNOV Ltd.

Who are we?
Dr. Eric A. Vanderburg
Director, Cyber Security
JURINNOV Ltd.
Ramana Gaddamanugu, CFE
Senior Manager, Risk and Compliance
JURINNOV Ltd.
© 2014 Property of JurInnov Ltd. All Rights Reserved

Overview
• Fraud Risks
• Fraud Controls
• Anti-Fraud Culture
• Awareness
• Fraud Incident Response

Fraud Risks
• Facts and Figures
• Fraud factors
• Laws
• Case studies
• Addressing fraud risk

Facts and figures
• 65% of fraud cases were
discovered by tips or by an
employee accidentally stumbling
upon them during the course of
their job duties.
 Average organizational cost $5.5 million per incident
-Ponemon Institute Study, March 2012
 Financial impact of cybercrime expected to grow 10%
per year through 2016
-Gartner top predictions for 2012

Fraud factors
Pressures / Incentives:
• A situation that is so
challenging the person
cannot see any other way
out
• Personal financial pressure
• Family pressures
• Greed
• Pressure to meet goals
Rationalization:
• A way to justify in the person’s
consciousness that the act of
fraud is not so bad
• Common beliefs:
• Person is owed this
money
• Just borrowing until they
are able to pay it back
• Everyone else is doing it
Opportunity:
• The set of circumstances
that make it possible to
commit fraud

Laws
• The Ribicoff Bill
• The Computer Fraud and Abuse Act of 1986
• The Electronic Communications Privacy Act of 1986
• The Communications Decency Act of 1996
• The Sarbanes-Oxley Act of 2002 (Sox)
• The Gramm-Leach-Bliley Act (GLBA)
• The California Database Security Breach Act (2003)
• Identity Theft Enforcement and Restitution Act of 2008

Case studies
• Example 1
– Pressure
– Opportunity
– Rationalization

Case studies
• Example 2
– Pressure
– Opportunity
– Rationalization

Case studies
• Example 3
– Pressure
– Opportunity
– Rationalization

Addressing fraud risk
• Performing a fraud risk assessment
• Options for dealing with risk
– Accept
– Mitigate
– Transfer
– Avoid

Addressing risk
TRANSFER
Impact
(Probability * Loss)
Cost
ACCEPT
MITIGATE
AVOID

Fraud Controls
• Access controls
• Auditing
• Business continuity
• Application security
• Cryptography
• Security management
• Governance
• Segregation of Duties

Ways controls are executed
• Manual (performed by people)
– Examples: Authorizations, Management reviews
• Automatic (embedded in application code)
– Examples: Exception reports, Interface controls,
System access

Control categories

Access controls
• Least privilege
• Types of authentication
– What you have
– What you are
– What you know

Auditing
• Server audit logs are turned on and retained
• Proper review of logs and other data
• Personnel held accountable

Business continuity
• Key systems have
uninterruptable power
supplies
• Backups tested
regularly
• Disaster recovery plans in place
• Business continuity testing for key systems
• System maintenance as scheduled

Application security
• Security patches up to date
• Equipment firmware is up to date
• No unauthorized programs installed
• Corporate applications have up to date security
reviews
• Antivirus software installed
• Virus definitions up to date

Cryptography
• Data at rest
– Workstations
– Servers
– Backups
– Laptops
– Phones
• Data in motion (in
transit)
– VPN
– Web site access
– File transfer
– Network
communication

Encryption example

Security management
• Configuration changes
approved prior to
implementation
• Incidents handled by
incident response plans
• Media sanitized before
being reused or disposed

Governance
• Security policies and
procedures in place
• Systems have
documented security
controls
• Documented roles and
responsibilities

Segregation of Duties
• Process
• Systems
• Roles and Authority
• Oversight
• Audit

Test types
• Inquiry
– Interview staff to validate knowledge of a policy or requirement
– Inquiry alone is not a sufficient test
• Inspection
– Review sample of source documents for evidence of control execution
– Review exception reports and related documentation to identify preventive
control failures and validate for risk occurrence
– Reconcile process/system documentation to actual operation
• Observation
– Monitor personnel to validate execution of manual controls
– Observe occurrence of automated controls (e.g. popup warnings)
• Re-performing
– Enter an illegal transaction to test control operation
– Enter a valid transaction to test control operation

Anti-Fraud Culture
• Role of leadership
• Reinforcing the culture day to day
• Business integration
• Making it happen

Role of leadership
• Incenting the behavior
• Assignments and accountabilities
• Personal contribution reports
• Performance reviews
• Daily interactions with team members
• New system and process deployment

Role of leadership
• Take a quick pulse
• Demonstrate that security is critical
• Challenge assumptions of security
• Ask about the risks
• Monitor, measure, report
• Hold everyone accountable
• Reward behaviors
• Debrief projects including security focus

Reinforcing the culture:
Day to Day
• Monitoring, measuring and reporting
• Integrating with business metrics
• Weekly management meetings
• Monthly dashboard review with employees
• Quarterly goals met
• Team rewards

Business integration
Anti-fraud
Strategy
• Priorities
• Roles and
responsibilities
• Targeted capabilities
• Specific goals
(timeframe)
Business
Strategy
• Core values
• Purpose
• Capabilities
• Client promise
• Business targets
• Specific goals
• Initiatives
• Action items
• Assignments and
accountabilities

Making it happen
• Ask where are we today?
– High level survey – taking the pulse
– Assessment
• Define and communicate expectations
– Company policies
– Employee training
– Third party contract requirements

Making it happen
• Implement changes
– Workflow (make it easy)
– Technology
– Physical
• Ask how are we doing?
– Checkpoints
– Audits

Awareness
• Types of fraud
• Everyone’s responsibility
• Recognizing fraud
• Who to notify
• Whistleblowing policy

Fraud Incident Response
• Preparation
• Identification
• Containment
• Investigation
• Eradication
• Recovery

Preparation
– Document procedures for likely incidents
– Document steps for a non-specific incident
– Prepare resources
• Human
• Technical
– Is geographic diversity needed?
– Determine notification procedure
– Roles and responsibilities
– Simulation
– Review and maintenance

Identification
• Use of dormant accounts
• Log alteration
• Notification by partner or
peer
• Violation of policy
• Violation of law
• Loss of availability
• Unusual consumption of
computing resources
• Unusual network activity
• Corrupt files
• Data breach
• Reported attacks
• Activity at unexpected
times
• Unusual email traffic
• Presence of unfamiliar
files
• Execution of unknown
programs

Containment
– Assembly
– Restrict Access
– Preservation
– Notification

Investigation
– Interviewing
– Documentation
• IP address of compromised system
• Time frame
• Malicious ports
• Flow records
• Host file
– Analysis
• Event Logs
– Escalation

Eradication
• Resolution- all that data should have given you
action items. If not, look again
– List action items
– Rank in terms of risk level and time required
– Prioritize
– Coordinate and track remediation to completion
• Validation
– Confirm measures successfully remediated the
incident

Recovery
• Remediate vulnerabilities
• Restore services
• Restore data
• Restore confidence

For assistance or additional information
• Phone: 216-664-1100
• Web: www.jurinnov.com
JurInnov Ltd.
The Idea Center
1375 Euclid Avenue, Suite 400
Cleveland, Ohio 44115

Preventing Fraud from Top to Bottom - Vanderburg, Gaddamanugu - Information Security Summit 2014

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Preventing Fraud from Top to Bottom - Vanderburg, Gaddamanugu - Information Security Summit 2014

Similaire à Preventing Fraud from Top to Bottom - Vanderburg, Gaddamanugu - Information Security Summit 2014 (20)

Plus de Eric Vanderburg

Plus de Eric Vanderburg (16)

Dernier

Dernier (20)

Preventing Fraud from Top to Bottom - Vanderburg, Gaddamanugu - Information Security Summit 2014