
Preventing Fraud from Top to Bottom - Vanderburg, Gaddamanugu - Information Security Summit 2014

Jun 19, 2015


Eric Vanderburg

Preventing Fraud from Top to Bottom was presented at the Information Security Summit in 2014 by Dr. Eric Vanderburg and Ramana Gaddamanugu.
Transcript
Page 1: Preventing Fraud from Top to Bottom - Vanderburg, Gaddamanugu - Information Security Summit 2014

Preventing Fraud from Top to Bottom

Information Security Summit
October 31, 2014
Session 8: 2:20–3:20 PM

Dr. Eric A. Vanderburg, Director, Cyber Security, JURINNOV Ltd.
Ramana Gaddamanugu, CFE, Senior Manager, Risk and Compliance, JURINNOV Ltd.

Page 2

© 2014 Property of JurInnov Ltd. All Rights Reserved

Who are we?

Dr. Eric A. Vanderburg, Director, Cyber Security, JURINNOV Ltd.
Ramana Gaddamanugu, CFE, Senior Manager, Risk and Compliance, JURINNOV Ltd.

Page 3

Overview

• Fraud Risks
• Fraud Controls
• Anti-Fraud Culture
• Awareness
• Fraud Incident Response

Page 4

Fraud Risks

• Facts and Figures
• Fraud factors
• Laws
• Case studies
• Addressing fraud risk

Page 5

Facts and figures

• 65% of fraud cases were discovered by tips or by an employee accidentally stumbling upon them in the course of their job duties.
• Average organizational cost: $5.5 million per incident (Ponemon Institute study, March 2012)
• Financial impact of cybercrime expected to grow 10% per year through 2016 (Gartner top predictions for 2012)

Page 6

Fraud factors

The fraud triangle: Pressure / Incentive, Opportunity and Rationalization, with Fraud at the center. Of the three, opportunity is the factor an organization can most directly reduce through controls.

Pressures / Incentives:
• A situation so challenging that the person cannot see any other way out
• Personal financial pressure
• Family pressures
• Greed
• Pressure to meet goals

Rationalization:
• A way to justify, in the person's own mind, that the act of fraud is not so bad
• Common beliefs:
  – The person is owed this money
  – Just borrowing until they are able to pay it back
  – Everyone else is doing it

Opportunity:
• The set of circumstances that make it possible to commit fraud

Page 7

Laws

• The Ribicoff Bill (the proposed Federal Computer Systems Protection Act of 1977)
• The Computer Fraud and Abuse Act of 1986
• The Electronic Communications Privacy Act of 1986
• The Communications Decency Act of 1996
• The Sarbanes-Oxley Act of 2002 (SOX)
• The Gramm-Leach-Bliley Act (GLBA)
• The California Database Security Breach Act (2003)
• Identity Theft Enforcement and Restitution Act of 2008

Page 8

Case studies

• Example 1
  – Pressure
  – Opportunity
  – Rationalization

Page 9

Case studies

• Example 2
  – Pressure
  – Opportunity
  – Rationalization

Page 10

Case studies

• Example 3
  – Pressure
  – Opportunity
  – Rationalization

Page 11

Addressing fraud risk

• Performing a fraud risk assessment
• Options for dealing with risk
  – Accept
  – Mitigate
  – Transfer
  – Avoid

Page 12

Addressing risk

Chart: the four treatment options (ACCEPT, MITIGATE, TRANSFER, AVOID) plotted against Impact (Probability * Loss) on one axis and Cost on the other.

Page 13

Fraud Controls

• Access controls
• Auditing
• Business continuity
• Application security
• Cryptography
• Security management
• Governance
• Segregation of Duties

Page 14

Ways controls are executed

• Manual (performed by people)
  – Examples: Authorizations, Management reviews
• Automatic (embedded in application code)
  – Examples: Exception reports, Interface controls, System access

Page 15

Control categories

Page 16

Access controls

• Least privilege
• Types of authentication (factors)
  – What you have (e.g. a token or smart card)
  – What you are (biometrics)
  – What you know (e.g. a password or PIN)

Page 17

Auditing

• Server audit logs are turned on and retained
• Proper review of logs and other data
• Personnel held accountable

Page 18

Business continuity

• Key systems have uninterruptible power supplies
• Backups tested regularly
• Disaster recovery plans in place
• Business continuity testing for key systems
• System maintenance as scheduled

Page 19

Application security

• Security patches up to date
• Equipment firmware is up to date
• No unauthorized programs installed
• Corporate applications have up to date security reviews
• Antivirus software installed
• Virus definitions up to date

Page 20

Cryptography

• Data at rest
  – Workstations
  – Servers
  – Backups
  – Laptops
  – Phones
• Data in motion (in transit)
  – VPN
  – Web site access
  – File transfer
  – Network communication

Page 21

Encryption example

Page 22

Security management

• Configuration changes approved prior to implementation
• Incidents handled by incident response plans
• Media sanitized before being reused or disposed of

Page 23

Governance

• Security policies and procedures in place
• Systems have documented security controls
• Documented roles and responsibilities

Page 24

Segregation of Duties

• Process
• Systems
• Roles and Authority
• Oversight
• Audit

Page 25

Test types

• Inquiry
  – Interview staff to validate knowledge of a policy or requirement
  – Inquiry alone is not a sufficient test
• Inspection
  – Review a sample of source documents for evidence of control execution
  – Review exception reports and related documentation to identify preventive control failures and validate whether the risk occurred
  – Reconcile process/system documentation to actual operation
• Observation
  – Monitor personnel to validate execution of manual controls
  – Observe occurrence of automated controls (e.g. popup warnings)
• Re-performance
  – Enter an illegal transaction to test control operation (it should be rejected)
  – Enter a valid transaction to test control operation (it should be accepted)
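The segregation-of-duties control on the previous slide and the re-performance test above can be exercised together. The following is an added example and is not part of the presentation: a hypothetical accounts-payable workflow in which the role-to-permission map (ROLE_PERMISSIONS), the conflict matrix (CONFLICTS), the user assignments (USER_ROLES) and the invoice IDs are all constructed for illustration. It checks users' combined roles for toxic permission pairs, enforces "preparer and approver must differ" as an automatic control in the application, and re-performs the control with one illegal and one valid transaction while writing every decision to an audit trail.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed role-to-permission mapping for a hypothetical accounts-payable system.
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "treasury": {"payment.release", "bank.reconcile"},
}

# Permission pairs one person must never hold together (assumed conflict matrix).
CONFLICTS = {
    frozenset({"vendor.create", "invoice.approve"}),
    frozenset({"invoice.enter", "invoice.approve"}),
    frozenset({"payment.release", "bank.reconcile"}),
}

# Constructed user-role assignments. "carol" holds two roles that are individually
# acceptable but together let her create a vendor and approve its invoices; "dave"
# shows a single role that is itself mis-designed.
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob": ["ap_manager"],
    "carol": ["ap_clerk", "ap_manager"],
    "dave": ["treasury"],
}

def effective_permissions(roles):
    """Union of the permissions granted by all of a user's roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def sod_violations(user_roles):
    """{user: [conflicting permission pairs]} for users whose combined roles grant a
    toxic combination. Check the union: each role on its own may look clean."""
    findings = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles)
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= perms)
        if hits:
            findings[user] = hits
    return findings

@dataclass
class Invoice:
    invoice_id: str
    entered_by: str
    approved_by: Optional[str] = None

class ApprovalWorkflow:
    """Automatic control in the application: approval is refused when the approver
    lacks the permission or entered the invoice. Every decision is audit-logged."""

    def __init__(self, user_roles):
        self.user_roles = user_roles
        self.audit_trail = []

    def _can(self, user, permission):
        return permission in effective_permissions(self.user_roles.get(user, []))

    def enter(self, user, invoice_id):
        if not self._can(user, "invoice.enter"):
            self.audit_trail.append(("ENTER_DENIED", invoice_id, user, "no permission"))
            raise PermissionError(f"{user} may not enter invoices")
        self.audit_trail.append(("ENTERED", invoice_id, user))
        return Invoice(invoice_id, user)

    def approve(self, user, invoice):
        if not self._can(user, "invoice.approve"):
            self.audit_trail.append(("APPROVE_DENIED", invoice.invoice_id, user, "no permission"))
            raise PermissionError(f"{user} may not approve invoices")
        if user == invoice.entered_by:
            self.audit_trail.append(("APPROVE_DENIED", invoice.invoice_id, user, "self-approval"))
            raise PermissionError("preparer and approver must be different people")
        invoice.approved_by = user
        self.audit_trail.append(("APPROVED", invoice.invoice_id, user))
        return invoice

def reperform_tests(workflow):
    """Re-performance test: one illegal and one valid transaction, recording whether
    the control behaved as designed. Returns {test name: passed}."""
    results = {}
    inv = workflow.enter("carol", "INV-1001")
    try:  # illegal: carol has the approve permission but entered this invoice herself
        workflow.approve("carol", inv)
        results["self_approval_blocked"] = False
    except PermissionError:
        results["self_approval_blocked"] = True
    try:  # valid: a different approver holding the permission must be let through
        workflow.approve("bob", inv)
        results["valid_approval_allowed"] = inv.approved_by == "bob"
    except PermissionError:
        results["valid_approval_allowed"] = False
    return results
```

Running `sod_violations(USER_ROLES)` reports carol (vendor.create with invoice.approve, invoice.enter with invoice.approve) and dave (payment.release with bank.reconcile) but not alice or bob; `reperform_tests(ApprovalWorkflow(USER_ROLES))` returns both tests passed, and the workflow's `audit_trail` then holds the denied self-approval and the accepted approval by bob, which is the evidence an inspection test would later sample.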

Page 26

Anti-Fraud Culture

• Role of leadership
• Reinforcing the culture day to day
• Business integration
• Making it happen

Page 27

Role of leadership

• Incentivizing the desired behavior
• Assignments and accountabilities
• Personal contribution reports
• Performance reviews
• Daily interactions with team members
• New system and process deployment

Page 28

Role of leadership

• Take a quick pulse
• Demonstrate that security is critical
• Challenge assumptions about security
• Ask about the risks
• Monitor, measure, report
• Hold everyone accountable
• Reward behaviors
• Debrief projects, including a security focus

Page 29

Reinforcing the culture: Day to Day

• Monitoring, measuring and reporting
• Integrating with business metrics
• Weekly management meetings
• Monthly dashboard review with employees
• Quarterly goals met
• Team rewards

Page 30

Business integration

Anti-fraud Strategy:
• Priorities
• Roles and responsibilities
• Targeted capabilities
• Specific goals (timeframe)

Business Strategy:
• Core values
• Purpose
• Capabilities
• Client promise
• Business targets
• Specific goals
• Initiatives
• Action items
• Assignments and accountabilities

Page 31

Making it happen

• Ask: where are we today?
  – High level survey – taking the pulse
  – Assessment
• Define and communicate expectations
  – Company policies
  – Employee training
  – Third party contract requirements

Page 32

Making it happen

• Implement changes
  – Workflow (make it easy)
  – Technology
  – Physical
• Ask: how are we doing?
  – Checkpoints
  – Audits

Page 33

Awareness

• Types of fraud
• Everyone's responsibility
• Recognizing fraud
• Who to notify
• Whistleblowing policy

Page 34

Fraud Incident Response

• Preparation
• Identification
• Containment
• Investigation
• Eradication
• Recovery

Page 35

Preparation

• Document procedures for likely incidents
• Document steps for a non-specific incident
• Prepare resources
  – Human
  – Technical
• Is geographic diversity needed?
• Determine notification procedure
• Roles and responsibilities
• Simulation
• Review and maintenance

Page 36

Identification

• Use of dormant accounts
• Log alteration
• Notification by partner or peer
• Violation of policy
• Violation of law
• Loss of availability
• Unusual consumption of computing resources
• Unusual network activity
• Corrupt files
• Data breach
• Reported attacks
• Activity at unexpected times
• Unusual email traffic
• Presence of unfamiliar files
• Execution of unknown programs
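The auditing control on slide 17 (logs turned on, retained and properly reviewed) and the identification list above only pay off if something actually reads the retained logs for these indicators. The following is an added example and is not part of the presentation: it runs a review over a constructed sample of "timestamp key=value" log lines (SAMPLE_LOG, not from any real system) and flags three of the indicators listed above: use of a dormant account, activity at unexpected times, and execution of an unknown program. The dormancy threshold, business-hours window and program allowlist are assumptions chosen for the example and would be set from the organization's own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simple "timestamp key=value ..." format; they are
# not from any real system. A login at 02:14 by an account idle since July, and an
# unlisted tool launched at 23:43, are planted as the indicators to catch.
SAMPLE_LOG = """\
2014-07-02T09:12:44 host=fin-app01 user=jsmith event=LOGIN src=10.0.4.17
2014-10-27T08:55:10 host=fin-app01 user=mlee event=LOGIN src=10.0.4.22
2014-10-27T09:02:31 host=fin-app01 user=mlee event=EXEC proc=excel.exe
2014-10-28T14:20:05 host=fin-app01 user=rpatel event=LOGIN src=10.0.4.30
2014-10-30T23:41:19 host=fin-app01 user=rpatel event=LOGIN src=10.0.9.8
2014-10-30T23:43:02 host=fin-app01 user=rpatel event=EXEC proc=psexec.exe
2014-10-31T02:14:07 host=fin-app01 user=jsmith event=LOGIN src=10.0.9.8
2014-10-31T02:15:40 host=fin-app01 user=jsmith event=EXEC proc=report.exe
"""

# Assumed review thresholds: tune these to the organization's own baseline.
KNOWN_PROGRAMS = {"excel.exe", "report.exe", "outlook.exe"}  # constructed allowlist
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 is expected activity
DORMANT_AFTER = timedelta(days=90)   # no login for 90 days => account is dormant

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Parse one line into a dict of fields with a datetime under 'ts'.
    Returns None for lines that do not fit the format, so one bad line
    does not stop the review."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    try:
        rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return rec


def find_indicators(log_text):
    """Walk the log in time order and return (indicator, user, timestamp) tuples for
    three of the slide's indicators: dormant account use, activity at unexpected
    times and execution of unknown programs."""
    findings = []
    last_login = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user = rec["ts"], rec.get("user", "?")
        if rec.get("event") == "LOGIN":
            prev = last_login.get(user)
            # Dormancy is judged against the account's own previous login, so a
            # first-ever login in the sample is not flagged (no baseline yet).
            if prev is not None and ts - prev > DORMANT_AFTER:
                findings.append(("dormant_account_used", user, ts))
            last_login[user] = ts
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("activity_at_unexpected_time", user, ts))
        if rec.get("event") == "EXEC" and rec.get("proc") not in KNOWN_PROGRAMS:
            findings.append(("unknown_program_executed", user, ts))
    return findings


def summarize(findings):
    """Group findings per user so the reviewer sees which accounts need escalation."""
    per_user = defaultdict(set)
    for indicator, user, _ in findings:
        per_user[user].add(indicator)
    return {user: sorted(inds) for user, inds in per_user.items()}


if __name__ == "__main__":
    for indicator, user, ts in find_indicators(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M}  {user:<8} {indicator}")
    print(summarize(find_indicators(SAMPLE_LOG)))
```

On the sample, `summarize` returns jsmith with dormant account use plus off-hours activity, and rpatel with off-hours activity plus an unknown program, while mlee is clean. The per-user grouping is deliberate: a single indicator is often benign, but two or more on one account within a day is what should trigger the escalation step of the investigation phase. Note that the dormancy check depends on the log being retained long enough to hold the account's earlier login, which is exactly why slide 17 pairs "turned on" with "retained".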

Page 37

Containment

• Assembly
• Restrict access
• Preservation
• Notification

Page 38

Investigation

• Interviewing
• Documentation
  – IP address of compromised system
  – Time frame
  – Malicious ports
  – Flow records
  – Host file
• Analysis
  – Event logs
• Escalation

Page 39

Eradication

• Resolution: the data gathered during investigation should have produced action items; if it did not, look again
  – List action items
  – Rank in terms of risk level and time required
  – Prioritize
  – Coordinate and track remediation to completion
• Validation
  – Confirm the measures successfully remediated the incident

Page 40

Recovery

• Remediate vulnerabilities
• Restore services
• Restore data
• Restore confidence

Page 41

Questions

Page 42

For assistance or additional information

• Phone: 216-664-1100
• Web: www.jurinnov.com

JurInnov Ltd.
The Idea Center
1375 Euclid Avenue, Suite 400
Cleveland, Ohio 44115