Preventing Fraud from Top to Bottom - Vanderburg, Gaddamanugu - Information Security Summit 2014
DESCRIPTION
Preventing Fraud from Top to Bottom was presented at the Information Security Summit in 2014 by Dr. Eric Vanderburg and Ramana Gaddamanugu.
TRANSCRIPT
Preventing Fraud from Top to Bottom
Information Security Summit
October 31, 2014
Session 8: 2:20–3:20 PM
Dr. Eric A. Vanderburg
Director, Cyber Security
JURINNOV Ltd.
Ramana Gaddamanugu, CFE
Senior Manager, Risk and Compliance
JURINNOV Ltd.
© 2014 Property of JurInnov Ltd. All Rights Reserved
Who are we?
Dr. Eric A. Vanderburg
Director, Cyber Security
JURINNOV Ltd.
Ramana Gaddamanugu, CFE
Senior Manager, Risk and Compliance
JURINNOV Ltd.

Overview
• Fraud Risks
• Fraud Controls
• Anti-Fraud Culture
• Awareness
• Fraud Incident Response

Fraud Risks
• Facts and Figures
• Fraud factors
• Laws
• Case studies
• Addressing fraud risk

Facts and figures
• 65% of fraud cases were discovered by tips or by an employee accidentally stumbling upon them during the course of their job duties.
• Average organizational cost $5.5 million per incident (Ponemon Institute study, March 2012)
• Financial impact of cybercrime expected to grow 10% per year through 2016 (Gartner top predictions for 2012)

Fraud factors
[Figure: Fraud at the center, surrounded by the three factors Opportunity, Pressure / Incentive and Rationalization.]
Pressures / Incentives:
• A situation that is so challenging the person cannot see any other way out
• Personal financial pressure
• Family pressures
• Greed
• Pressure to meet goals
Rationalization:
• A way to justify in the person's consciousness that the act of fraud is not so bad
• Common beliefs:
  – Person is owed this money
  – Just borrowing until they are able to pay it back
  – Everyone else is doing it
Opportunity:
• The set of circumstances that make it possible to commit fraud

Laws
• The Ribicoff Bill
• The Computer Fraud and Abuse Act of 1986
• The Electronic Communications Privacy Act of 1986
• The Communications Decency Act of 1996
• The Sarbanes-Oxley Act of 2002 (SOX)
• The Gramm-Leach-Bliley Act (GLBA)
• The California Database Security Breach Act (2003)
• Identity Theft Enforcement and Restitution Act of 2008

Case studies
• Example 1
  – Pressure
  – Opportunity
  – Rationalization

Case studies
• Example 2
  – Pressure
  – Opportunity
  – Rationalization

Case studies
• Example 3
  – Pressure
  – Opportunity
  – Rationalization

Addressing fraud risk
• Performing a fraud risk assessment
• Options for dealing with risk
  – Accept
  – Mitigate
  – Transfer
  – Avoid

Addressing risk
[Figure: a matrix with Impact (Probability * Loss) on one axis and Cost on the other; its four regions are labelled ACCEPT, MITIGATE, TRANSFER and AVOID.]
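The matrix on this slide reduces to one formula, Impact = Probability * Loss, and a choice among four treatments. The following is an added example, not code from the presenters, of a small fraud risk register that ranks scenarios by that impact and assigns a treatment. The scenarios, the dollar figures, the tolerance and the decision rule inside treatment() are all assumptions for illustration; the slide itself gives only the formula and the four option names.

```python
"""Fraud risk register: rank scenarios by Impact = Probability * Loss (the
formula on the slide) and assign one of the four treatments.  Added
example; not code from the slides.  The scenarios, the dollar figures and
the decision rule in treatment() are assumptions for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FraudScenario:
    name: str
    probability: float   # likelihood of at least one occurrence per year, 0..1
    loss: float          # expected loss if it occurs, in dollars
    control_cost: float  # annual cost of the cheapest control that would stop it
    transferable: bool   # can the residual risk be insured or contracted away?


def impact(s):
    """Annualized impact exactly as the slide defines it."""
    return s.probability * s.loss


def treatment(s, tolerance):
    """Assumed rule mapping a scenario to ACCEPT / MITIGATE / TRANSFER / AVOID:
    within tolerance -> ACCEPT; a control cheaper than the impact -> MITIGATE;
    otherwise insurable -> TRANSFER; otherwise -> AVOID (stop the activity)."""
    i = impact(s)
    if i <= tolerance:
        return "ACCEPT"
    if s.control_cost < i:
        return "MITIGATE"
    if s.transferable:
        return "TRANSFER"
    return "AVOID"


def rank(register, tolerance):
    """(name, impact, treatment) rows, highest impact first."""
    rows = [(s.name, impact(s), treatment(s, tolerance)) for s in register]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample register; none of these figures come from the talk.
SAMPLE_REGISTER = [
    FraudScenario("expense report padding", 0.8, 2_000, 500, False),
    FraudScenario("vendor invoice fraud", 0.2, 250_000, 20_000, True),
    FraudScenario("wire transfer diversion", 0.05, 1_500_000, 120_000, True),
    FraudScenario("petty cash skimming", 0.5, 300, 2_000, False),
    FraudScenario("unvetted overseas reseller program", 0.3, 400_000, 200_000, False),
]

if __name__ == "__main__":
    for name, imp, action in rank(SAMPLE_REGISTER, tolerance=1_000):
        print(f"{name:36s} impact=${imp:>12,.0f}  {action}")
```

Ranking by impact rather than by raw loss is what keeps a rare but catastrophic scenario and a frequent but cheap one on the same scale; the treatment column is only a starting point for the discussion the risk assessment is meant to drive.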

Fraud Controls
• Access controls
• Auditing
• Business continuity
• Application security
• Cryptography
• Security management
• Governance
• Segregation of Duties

Ways controls are executed
• Manual (performed by people)
  – Examples: Authorizations, Management reviews
• Automatic (embedded in application code)
  – Examples: Exception reports, Interface controls, System access
Control categories

Access controls
• Least privilege
• Types of authentication
  – What you have
  – What you are
  – What you know

Auditing
• Server audit logs are turned on and retained
• Proper review of logs and other data
• Personnel held accountable

Business continuity
• Key systems have uninterruptible power supplies
• Backups tested regularly
• Disaster recovery plans in place
• Business continuity testing for key systems
• System maintenance as scheduled

Application security
• Security patches up to date
• Equipment firmware is up to date
• No unauthorized programs installed
• Corporate applications have up to date security reviews
• Antivirus software installed
• Virus definitions up to date

Cryptography
• Data at rest
  – Workstations
  – Servers
  – Backups
  – Laptops
  – Phones
• Data in motion (in transit)
  – VPN
  – Web site access
  – File transfer
  – Network communication
Encryption example

Security management
• Configuration changes approved prior to implementation
• Incidents handled by incident response plans
• Media sanitized before being reused or disposed

Governance
• Security policies and procedures in place
• Systems have documented security controls
• Documented roles and responsibilities

Segregation of Duties
• Process
• Systems
• Roles and Authority
• Oversight
• Audit

Test types
• Inquiry
  – Interview staff to validate knowledge of a policy or requirement
  – Inquiry alone is not a sufficient test
• Inspection
  – Review a sample of source documents for evidence of control execution
  – Review exception reports and related documentation to identify preventive control failures and validate for risk occurrence
  – Reconcile process/system documentation to actual operation
• Observation
  – Monitor personnel to validate execution of manual controls
  – Observe occurrence of automated controls (e.g. popup warnings)
• Re-performing
  – Enter an illegal transaction to test control operation
  – Enter a valid transaction to test control operation
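The Segregation of Duties slide and the "Re-performing" test type above fit together: an automatic control embedded in application code, and a test that enters one illegal and one valid transaction to confirm the control fires. The following is an added example, not code from the presenters, of both. The payment workflow, the role names, the dual-approval limit and the audit-log layout are assumptions for illustration.

```python
"""Automated segregation-of-duties control on a payment workflow, with a
re-performance test of it.  Added example; not code from the slides.  The
workflow, role names, dual-approval limit and audit-log shape are assumptions
made for illustration."""
from dataclasses import dataclass, field


class ControlViolation(Exception):
    """Raised when an action would breach segregation of duties."""


@dataclass
class Payment:
    payment_id: str
    amount: float
    initiator: str
    approvers: list = field(default_factory=list)
    released: bool = False


class PaymentLedger:
    # Assumed policy: one approver up to this amount, two distinct ones above it.
    DUAL_APPROVAL_LIMIT = 10_000

    def __init__(self, roles):
        self.roles = roles      # user -> set of roles, e.g. {"clerk", "approver"}
        self.payments = {}
        self.audit_log = []     # (action, payment_id, user, allowed, reason)

    def _log(self, action, payment_id, user, allowed, reason=""):
        # Refusals are logged too: they are the exception reports a reviewer inspects.
        self.audit_log.append((action, payment_id, user, allowed, reason))

    def _refuse(self, action, payment_id, user, reason):
        self._log(action, payment_id, user, False, reason)
        raise ControlViolation(f"{action} of {payment_id} by {user} refused: {reason}")

    def initiate(self, payment_id, amount, user):
        if "clerk" not in self.roles.get(user, set()):
            self._refuse("initiate", payment_id, user, "not a clerk")
        self.payments[payment_id] = Payment(payment_id, amount, user)
        self._log("initiate", payment_id, user, True)

    def approve(self, payment_id, user):
        """Record one approval; return True once the payment is released."""
        p = self.payments[payment_id]
        if "approver" not in self.roles.get(user, set()):
            self._refuse("approve", payment_id, user, "not an approver")
        if user == p.initiator:
            # The segregation-of-duties check proper: whoever created the
            # payment cannot also approve it, even if they hold both roles.
            self._refuse("approve", payment_id, user, "self-approval")
        if user in p.approvers:
            self._refuse("approve", payment_id, user, "duplicate approval")
        p.approvers.append(user)
        self._log("approve", payment_id, user, True)
        needed = 2 if p.amount > self.DUAL_APPROVAL_LIMIT else 1
        p.released = len(p.approvers) >= needed
        return p.released


def reperformance_test():
    """The 'Re-performing' test type from the slide: enter an illegal
    transaction and valid ones, and check the control behaves as designed.
    Returns check name -> passed, so it can feed an audit report."""
    # Constructed users; dave holds both roles, the case the control must still catch.
    ledger = PaymentLedger({"alice": {"clerk"}, "bob": {"approver"},
                            "carol": {"approver"}, "dave": {"clerk", "approver"}})
    results = {}
    # Illegal transaction: dave approves a payment he initiated himself.
    ledger.initiate("P1", 500, "dave")
    try:
        ledger.approve("P1", "dave")
        results["self_approval_blocked"] = False
    except ControlViolation:
        results["self_approval_blocked"] = True
    # Valid transaction below the limit: one independent approval releases it.
    ledger.initiate("P2", 500, "alice")
    results["small_payment_released"] = ledger.approve("P2", "bob")
    # Valid transaction above the limit: the first approval must not release
    # it, the second distinct approval must.
    ledger.initiate("P3", 50_000, "alice")
    first = ledger.approve("P3", "bob")
    second = ledger.approve("P3", "carol")
    results["large_payment_needs_two"] = (not first) and second
    # The refused self-approval must be visible in the audit log.
    results["refusal_logged"] = any(
        a == "approve" and not ok and why == "self-approval"
        for a, _pid, _user, ok, why in ledger.audit_log)
    return results


if __name__ == "__main__":
    for check, passed in reperformance_test().items():
        print(f"{check:26s} {'PASS' if passed else 'FAIL'}")
```

The point of the dave case is that role membership alone is not the control; a person can legitimately hold both the clerk and approver roles and must still be prevented from approving a transaction they initiated. Keeping refused actions in the same log as accepted ones is what makes the Inspection test type ("review exception reports") possible later.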

Anti-Fraud Culture
• Role of leadership
• Reinforcing the culture day to day
• Business integration
• Making it happen

Role of leadership
• Incenting the behavior
• Assignments and accountabilities
• Personal contribution reports
• Performance reviews
• Daily interactions with team members
• New system and process deployment

Role of leadership
• Take a quick pulse
• Demonstrate that security is critical
• Challenge assumptions of security
• Ask about the risks
• Monitor, measure, report
• Hold everyone accountable
• Reward behaviors
• Debrief projects including security focus

Reinforcing the culture: Day to Day
• Monitoring, measuring and reporting
• Integrating with business metrics
• Weekly management meetings
• Monthly dashboard review with employees
• Quarterly goals met
• Team rewards

Business integration
[Figure: two columns linking the Anti-fraud Strategy to the Business Strategy.]
Anti-fraud Strategy:
• Priorities
• Roles and responsibilities
• Targeted capabilities
• Specific goals (timeframe)
Business Strategy:
• Core values
• Purpose
• Capabilities
• Client promise
• Business targets
• Specific goals
• Initiatives
• Action items
• Assignments and accountabilities

Making it happen
• Ask: where are we today?
  – High level survey (taking the pulse)
  – Assessment
• Define and communicate expectations
  – Company policies
  – Employee training
  – Third party contract requirements

Making it happen
• Implement changes
  – Workflow (make it easy)
  – Technology
  – Physical
• Ask: how are we doing?
  – Checkpoints
  – Audits

Awareness
• Types of fraud
• Everyone's responsibility
• Recognizing fraud
• Who to notify
• Whistleblowing policy

Fraud Incident Response
• Preparation
• Identification
• Containment
• Investigation
• Eradication
• Recovery

Preparation
• Document procedures for likely incidents
• Document steps for a non-specific incident
• Prepare resources
  – Human
  – Technical
  – Is geographic diversity needed?
• Determine notification procedure
• Roles and responsibilities
• Simulation
• Review and maintenance

Identification
• Use of dormant accounts
• Log alteration
• Notification by partner or peer
• Violation of policy
• Violation of law
• Loss of availability
• Unusual consumption of computing resources
• Unusual network activity
• Corrupt files
• Data breach
• Reported attacks
• Activity at unexpected times
• Unusual email traffic
• Presence of unfamiliar files
• Execution of unknown programs
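Two of the indicators on this slide, use of dormant accounts and activity at unexpected times, can be checked mechanically against the server audit logs the Auditing slide says should be retained and reviewed. The following is an added example, not code from the presenters, that screens a login log for both. The log line format, the 90-day dormancy window, the 07:00 to 19:00 weekday business hours and the sample log itself are all constructed assumptions for illustration.

```python
"""Screening a login log for two indicators from the Identification slide:
use of dormant accounts and activity at unexpected times.  Added example;
not code from the slides.  The log line format, the 90-day dormancy window
and the 07:00-19:00 weekday business hours are assumptions."""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) LOGIN "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)
DORMANT_AFTER = timedelta(days=90)   # assumed threshold
BUSINESS_HOURS = range(7, 19)        # assumed: 07:00-18:59, Monday to Friday


def parse(line):
    """One log line -> dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "src": m["src"], "result": m["result"]}


def screen(lines, last_seen=None):
    """Return (timestamp, user, indicator) findings for successful logins.

    last_seen optionally carries each account's last successful login from
    earlier log files, so a dormant account is noticed even when its last
    use is outside the file being screened."""
    last_seen = dict(last_seen or {})
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue   # malformed lines and failed logins are not scored here
        ts, user = ev["ts"], ev["user"]
        prev = last_seen.get(user)
        if prev is not None and ts - prev > DORMANT_AFTER:
            findings.append((ts, user, "use of dormant account"))
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            findings.append((ts, user, "activity at unexpected time"))
        last_seen[user] = ts
    return findings


# Constructed sample log; the names and addresses are made up.
SAMPLE_LOG = """
2014-06-02T09:15:00 LOGIN user=jsmith src=10.0.0.5 result=success
2014-10-30T10:02:11 LOGIN user=jsmith src=10.0.0.5 result=success
2014-10-31T02:13:07 LOGIN user=rlee src=10.0.0.9 result=success
2014-10-31T02:14:40 LOGIN user=rlee src=10.0.0.9 result=failure
2014-10-31T09:00:00 LOGIN user=rlee src=10.0.0.9 result=success
this line is not in the expected format
2014-11-01T11:30:00 LOGIN user=mchen src=10.0.0.7 result=success
""".strip().splitlines()

if __name__ == "__main__":
    for ts, user, why in screen(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {user:8s}  {why}")
```

A finding here is a lead for the review step, not a verdict: a night-shift login or a returning employee is explained quickly, which is exactly why the slide pairs log retention with proper review and accountability rather than with automatic action.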

Containment
• Assembly
• Restrict Access
• Preservation
• Notification

Investigation
• Interviewing
• Documentation
  – IP address of compromised system
  – Time frame
  – Malicious ports
  – Flow records
  – Host file
• Analysis
  – Event Logs
• Escalation

Eradication
• Resolution: all that data should have given you action items. If not, look again.
  – List action items
  – Rank in terms of risk level and time required
  – Prioritize
  – Coordinate and track remediation to completion
• Validation
  – Confirm measures successfully remediated the incident

Recovery
• Remediate vulnerabilities
• Restore services
• Restore data
• Restore confidence
Questions

For assistance or additional information
• Phone: 216-664-1100
• Web: www.jurinnov.com
JurInnov Ltd.
The Idea Center
1375 Euclid Avenue, Suite 400
Cleveland, Ohio 44115