“A Lack of IT Controls = Fraud Opportunities”

Page 1: A Lack of IT Controls= Fraud Opportunities

“A Lack of IT Controls = Fraud Opportunities”

Page 2

Chris Mitchell - MBA, CIA, CISA, CCSA

Experience

Chris has over 18 years of risk management, finance, and IT consulting experience. He has held the titles of Internal Audit Director, Senior Program Manager, and Managing Consultant at various companies in industries including financial services, telecommunications, software development, manufacturing, and government. Chris’ practice focuses on assisting clients with 404 implementations, Type I & II SSAE 16 engagements, leading internal audit teams, and making cost-effective recommendations to enhance internal controls, maximize efficiency, and minimize exposure to loss and regulatory risk.

Education
– B.B.A. from University of Texas at San Antonio
– MBA from Touro University

Bios

Page 3

Established in 1983, Whitley Penn has become one of the region's most distinguished accounting firms by providing exceptional service that reaches far beyond traditional accounting

Today, with offices in Dallas, Fort Worth, and Houston, 37 partners, approximately 280 exceptional employees, and a worldwide network affiliation via Nexia International, we are strategically positioned to grow and excel in the future

Services Offered:
– Assurance and Advisory
– Business Process Improvement
– Business Valuation Services
– Employee Benefit Plans
– Litigation and Forensic Services
– Risk Advisory
– Tax and Consulting
– Virtual Back Office

About Whitley Penn LLP

Page 4

Whitley Penn LLP – Risk Advisory Services

Service Areas:
– IT Audits and Consulting
– IT and Business Risk Assessments
– Internal Audit Services
– Service Organization Control (SOC) Reports – 1, 2, & 3
– Surprise Examinations for Registered Investment Advisors
– Sarbanes-Oxley Compliance and Maintenance
– Enterprise Risk Management Implementation and Maintenance

Page 5

Agenda
• Common Facts
• IT Fraud Statistics
• Common Anti-Fraud Controls
• Client Scenarios
• Information Technology Best Practices
• Cyber Warfare
• Questions

Page 6

Common Facts

• Estimated loss of 5% of revenue, of which 1-2% is caused by a lack of IT controls within an organization

• Corruption and billing schemes pose the greatest risk to an organization. These schemes depend on the data that is fed into systems; a lack of access controls, approval controls, and management oversight is what allows them to occur

• Most common victims:

– Banking & financial services

– Government & public administration

– Manufacturing sectors

• Anti-fraud controls correlate to significant decreases in the cost and duration of occupational fraud schemes

References: ACFE – 2012 Report to the Nations

Page 7

IT Fraud Statistics – Top 3 Business Departments

References: ACFE – 2012 Report to the Nations

Page 8

IT Fraud Statistics Breakdown

• Accounting: User access to accounting systems, functions, and modules should be segregated based on job responsibilities

• Executive/Upper Management: Management oversight plays a vital role in making sure that appropriate controls are in place within an organization. It is advised that management conduct periodic reviews of these controls to make sure that they are working as designed

Page 9

Fraud Statistics – Trusted Business Partners

References: Software Engineering Institute, Carnegie Mellon. "Spotlight On: Insider Threat from Trusted Business Partners, Version 2: Updated and Revised". Computer Emergency Response Team (CERT) website. 2012 http://www.cert.org/archive/pdf/TrustedBusinessPartners1012.pdf

                                   Trusted Business Partner        Non-TBP
                                   Organizational   Individual     Insider
Type of Position
  Technical                        45%              80%            39%
  Nontechnical                     55%              20%            61%
Authorized Access
  Authorized Access                44%              36%            48%
  Unauthorized Access              26%              36%            23%
Location
  On-Site                          81%              60%            73%
  Remote Access                    19%              40%            27%
Employment Status
  Current                          90%              69%            76%
  Former                           10%              31%            24%
Type of Insider Crime
  Fraud                            64%              23%            54%
  Theft of Intellectual Property   28%              18%            19%
  Sabotage                          8%              59%            27%

Page 10

Common Anti-Fraud Controls

References: ACFE – 2012 Report to the Nations

Page 11

Common Anti-Fraud Controls (continued)

References: ACFE – 2012 Report to the Nations

Page 12

Common Anti-Fraud Controls (continued)

References: ACFE – 2012 Report to the Nations

Page 13

Client Scenarios

• Following are several client scenarios that we have either encountered or obtained through credible references
• Picture these happening at your company or client
• Think of possible controls to mitigate weaknesses
• Brief description of scenarios:
– #1 pertains to 3rd party vendors & compliance
– #2 pertains to logical access control usage
– #3 pertains to change management controls
– #4 pertains to general IT operations

Page 14

Scenario #1

Clueless, Inc. requested to have a General Controls Review (GCR) conducted as part of their annual audit. During planning and fieldwork, it was noted that they had outsourced all IT work to a third party consultant, and the following issues were identified:
• There was no valid contract between Clueless, Inc. and the third party consultant;
• There was no formal IT purchasing approval process; and
• Clueless, Inc.’s IT liaison was married to the consultant

Clueless, Inc. was implementing a third party web application to support their business. The consultant recommended that they install a Citrix solution to secure the web application at a cost of just under $1 million. No other organizations using the third party’s web applications were using Citrix or a comparable solution to secure the web application

Page 15

Clueless, Inc. Control Recommendations

Preventative Controls
– Contract / SLA management
– Conflict of Interest Compliance
– Purchase approval process
– Qualified staff performing oversight

Detective Controls
– Contract/SLA performance reviews

Page 16

Naveen Krishnan – CRISC

Experience

Naveen has over six years of IT audit experience focused on public and private sectors pertaining to the Oil and Gas, Technology, Manufacturing, and Healthcare industries. He has led multiple SOX 404 engagements and has assisted numerous clients with Type I and II SSAE16 examinations. He joined Whitley Penn in June 2011 to help build the risk practice and since then has successfully recruited and developed a core team engaged to deliver quality work and establish relationships with clients.

Education
– Bachelors in Management Information Systems (MIS), Louisiana State University

Bios

Page 17

Scenario #2

Free For All, LLC, an online retailer, requested to have a GRC and analysis of third party service providers/consultants to evaluate the feasibility of continuing operations. The company was owned by a wealthy individual who had little involvement in the planning or operations of the company. The following issues were identified:
• The company had established a contract with a third party developer requiring $30,000 worth of development work to be done each month, regardless of need. The business owner also owned a company that developed online retail websites for a niche market, but this resource was not leveraged for Free For All, LLC
• The company had established a contract with a third party marketing firm that required $25,000 worth of marketing work be done each month, regardless of need.
• The first act of the CEO was to hire his wife as CFO
• The CEO awarded himself a $100,000/year raise and doubled the salary of the Office Manager
• The Company had approximately $100,000 in revenue for the year

Page 18

Free For All, LLC Control Recommendations

Preventative Controls
– Contract / SLA management
– Conflict of Interest Compliance
– Qualified staff performing oversight

Detective Controls
– Contract/SLA performance reviews

Page 19

Scenario #3

An IT Manager at Hornswoggled, LLP carried out a fraud scheme that lasted two years before being detected. The manager was able to gain access to multiple accounts, allowing them to submit and approve purchase orders and payments. The manager was also able to bypass a system control that notified the AP manager and security when a vendor’s address was added or modified

To enable this fraud, the IT manager modified a single line of code in a program that synchronized passwords between the production and test environments, which provided them with all user account passwords in clear text. The IT manager also modified a single line of code in another program that notified the AP manager and security when a vendor address was added or modified, allowing it to be turned off at will

References: Software Engineering Institute, Carnegie Mellon. "Spotlight On: Programming Techniques Used as an Insider Attack Tool". Computer Emergency Response Team (CERT) website. 2008 http://www.cert.org/archive/pdf/insiderthreat_programmers_1208.pdf

Page 20

Hornswoggled, LLP Control Recommendations

Preventative Controls
– Segregation of Duties
– Change management controls must apply to all systems that underlie significant applications and controls
– Code and System Architecture Reviews

Detective Controls
– Change detection
– Review usage of critical system functions
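The "change detection" control recommended above is what would have caught the single-line edits in Scenario #3: a stored baseline of digests for the programs that implement a control, compared against what is actually running. The following is an added example written for this page, not code from the presentation or from Whitley Penn; the file names (notify_ap.py, sync_passwords.py, patch.tmp) and their contents are constructed stand-ins for the password-synchronization and vendor-notification programs the scenario describes.

```python
import difflib
import hashlib
import os
import shutil
import tempfile


def hash_file(path):
    """SHA-256 digest of a file; changing a single character changes the digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root) to its digest.
    The baseline is captured at deployment time and kept where the people
    who can edit production code cannot also overwrite it."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def detect_changes(root, baseline):
    """Compare the current state of root against the stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }


def changed_lines(approved_text, current_text):
    """Only the removed (-) and inserted (+) lines, so a reviewer sees exactly
    which line moved; approved_text comes from the approved copy (version control)."""
    diff = difflib.unified_diff(approved_text.splitlines(), current_text.splitlines(),
                                lineterm="", n=0)
    return [line for line in diff
            if line[:1] in ("+", "-") and not line.startswith(("+++", "---"))]


def run_demo():
    """Constructed demonstration: two programs are baselined, then one line in the
    vendor-notification program is flipped and an unexpected file appears."""
    root = tempfile.mkdtemp()
    try:
        notify_approved = (
            "NOTIFY_ENABLED = True\n"
            "\n"
            "def notify_ap(change):\n"
            "    if NOTIFY_ENABLED:\n"
            "        send_alert(change)\n"
        )
        sync_approved = "def sync_passwords(src, dst):\n    dst.update(src)\n"
        for name, text in {"notify_ap.py": notify_approved,
                           "sync_passwords.py": sync_approved}.items():
            with open(os.path.join(root, name), "w") as handle:
                handle.write(text)
        baseline = build_baseline(root)

        # The kind of single-line change Scenario #3 describes (constructed).
        with open(os.path.join(root, "notify_ap.py"), "w") as handle:
            handle.write(notify_approved.replace("NOTIFY_ENABLED = True",
                                                 "NOTIFY_ENABLED = False"))
        with open(os.path.join(root, "patch.tmp"), "w") as handle:
            handle.write("scratch\n")

        report = detect_changes(root, baseline)
        with open(os.path.join(root, "notify_ap.py")) as handle:
            on_disk = handle.read()
        return {"report": report,
                "notify_diff": changed_lines(notify_approved, on_disk)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    print(result["report"])
    for line in result["notify_diff"]:
        print(line)
```

Run on a schedule from a host the application administrators do not control, the report gives the "change detection" evidence the slide calls for, and the line diff turns an alert into something a non-programmer on the AP side can read.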

Page 21

Scenario #4

Duped Brokerage, Inc. began receiving reports of fraudulent trades from clients. Upon investigation it was determined that their trading web application had been breached and a hacker had obtained access to all client accounts. The hacker used the victims’ accounts to make fraudulent trades that benefited his own market positions

References: Association of Certified Fraud Examiners. “Internet Transactions at Risk – New Solutions Are Needed”. Robert D Peterson 2000 http://www.acfe.com/article.aspx?id=4294968466

Page 22

Duped Brokerage, Inc. Control Recommendations

Preventative Controls
– Vulnerability management and penetration testing
– Secure software development methodology
– Service provider change management and logical access

Detective Controls
– Change detection

Page 23

IT Process Summary

• Logical Access
– Principle of least privilege and Segregation of Duties
– Sufficient logging
– Strong authentication
– Special considerations for privileged accounts

• Change Management
– Segregation of Duties
– Change management scope
– Change detection / Configuration Management

• IT Operations
– Protect backup media from tampering
– Restrict and monitor removable storage device and data transfer usage

• Security
– Vulnerability management and penetration testing
– Secure software development methodology
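Segregation of Duties and least privilege, listed under Logical Access above, are easiest to test when entitlements are written down and compared against a list of combinations no single person should hold (Scenario #3's IT manager could both submit and approve purchase orders). The following is an added example for this page, not code from the presentation or from Whitley Penn; the role names, entitlement names and user assignments are constructed, and the toxic combinations are illustrative rather than a complete matrix.

```python
# Role -> entitlements (constructed). Real systems expose this through their
# security reports; the point is to compute each user's effective set from it.
ROLE_ENTITLEMENTS = {
    "requester": {"po.submit"},
    "po_approver": {"po.approve"},
    "ap_approver": {"payment.approve"},
    "vendor_admin": {"vendor.master.edit"},
    "sysadmin": {"sys.admin"},
}

# User -> roles (constructed). Conflicts usually appear through accumulated roles.
USER_ROLES = {
    "it_manager": {"requester", "po_approver", "ap_approver", "sysadmin"},
    "ap_clerk": {"requester"},
    "ap_manager": {"po_approver", "ap_approver"},
    "controller": {"vendor_admin", "ap_approver"},
    "dba": {"sysadmin"},
}

# Combinations that let one person both initiate and conceal a transaction.
TOXIC_COMBINATIONS = [
    ({"po.submit", "po.approve"},
     "can submit and approve the same purchase order"),
    ({"vendor.master.edit", "payment.approve"},
     "can create or modify a vendor and approve payment to it"),
]

PRIVILEGED = {"sys.admin"}
BUSINESS = {"po.submit", "po.approve", "payment.approve", "vendor.master.edit"}


def effective_entitlements(user_roles, role_entitlements):
    """Union of entitlements across every role a user holds."""
    result = {}
    for user, roles in user_roles.items():
        entitlements = set()
        for role in roles:
            entitlements |= role_entitlements.get(role, set())
        result[user] = entitlements
    return result


def find_sod_conflicts(entitlements, toxic=TOXIC_COMBINATIONS):
    """Return {user: [finding, ...]} for every user holding a toxic combination
    or mixing privileged (admin) rights with business transaction rights."""
    conflicts = {}
    for user, held in entitlements.items():
        findings = []
        for combination, description in toxic:
            if combination <= held:
                findings.append(description)
        if held & PRIVILEGED and held & BUSINESS:
            findings.append("privileged account also holds business rights: "
                            + ", ".join(sorted(held & BUSINESS)))
        if findings:
            conflicts[user] = findings
    return conflicts


def run_demo():
    return find_sod_conflicts(effective_entitlements(USER_ROLES, ROLE_ENTITLEMENTS))


if __name__ == "__main__":
    for user, findings in run_demo().items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

Running the check against an export of the real role tables, before each access review rather than after an incident, is what turns "principle of least privilege" from a policy statement into a detective control.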

Page 24

• Consider threats from insiders and business partners in enterprise-wide risk assessments

• Clearly document and consistently enforce policies and controls

• Incorporate insider threat awareness into periodic security training for all employees

• Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior

• Know your assets

• Implement strict password and account management policies and practices

• Enforce separation of duties and least privilege

• Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities

Information Technology Best Practices

References: Software Engineering Institute, Carnegie Mellon. “Common Sense Guide to Mitigating Insider Threats". Computer Emergency Response Team (CERT) website. 2012 http://www.sei.cmu.edu/reports/12tr012.pdf

Page 25

• Institute stringent access controls and monitoring policies on privileged users

• Institutionalize system change controls

• Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions

• Establish a baseline of normal network behavior

• Monitor and control remote access from all end points, including mobile devices

• Develop a comprehensive employee termination procedure

• Implement secure backup and recovery processes

• Develop a formalized insider threat program

• Close the doors to unauthorized data exfiltration

Information Technology Best Practices (continued)

References: Software Engineering Institute, Carnegie Mellon. “Common Sense Guide to Mitigating Insider Threats". Computer Emergency Response Team (CERT) website. 2012 http://www.sei.cmu.edu/reports/12tr012.pdf
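The SIEM practice above ("log correlation engine ... to log, monitor, and audit employee actions") only helps fraud detection if someone writes the correlation rule that matches the scheme. Scenario #3 suggests one: a payment approved to a vendor shortly after that vendor's address was changed, most serious when the same user did both. The following is an added example for this page, not code from the presentation, from Whitley Penn or from any SIEM product; the log format and every line in SAMPLE_LOG are constructed, and the seven-day window and severity labels are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit-trail lines (not real logs): ISO timestamp followed
# by key=value fields. Deliberately not in time order, as merged feeds rarely are.
SAMPLE_LOG = """\
2012-03-01T09:12:00 user=itmgr action=VENDOR_ADDR_CHANGE vendor=V100
2012-03-02T14:05:00 user=itmgr action=PAYMENT_APPROVED vendor=V100 amount=48200
2012-03-03T10:00:00 user=apclerk action=VENDOR_ADDR_CHANGE vendor=V200
2012-03-20T11:30:00 user=apmgr action=PAYMENT_APPROVED vendor=V200 amount=1200
2012-03-04T16:45:00 user=apmgr action=PAYMENT_APPROVED vendor=V300 amount=900
2012-03-05T08:00:00 user=apclerk action=VENDOR_ADDR_CHANGE vendor=V400
2012-03-06T09:00:00 user=apmgr action=PAYMENT_APPROVED vendor=V400 amount=3000
"""


def parse_line(line):
    """One log line -> dict with a datetime under 'ts' plus the key=value fields."""
    tokens = line.split()
    event = {"ts": datetime.fromisoformat(tokens[0])}
    for token in tokens[1:]:
        key, _, value = token.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def correlate(events, window_days=7):
    """Flag PAYMENT_APPROVED events that follow a VENDOR_ADDR_CHANGE for the same
    vendor within window_days. Same user on both events is rated high."""
    events = sorted(events, key=lambda e: e["ts"])
    last_change = {}          # vendor -> most recent address-change event
    alerts = []
    for event in events:
        if event["action"] == "VENDOR_ADDR_CHANGE":
            last_change[event["vendor"]] = event
        elif event["action"] == "PAYMENT_APPROVED":
            change = last_change.get(event["vendor"])
            if change is None or event["ts"] - change["ts"] > timedelta(days=window_days):
                continue
            alerts.append({
                "vendor": event["vendor"],
                "changed_by": change["user"],
                "approved_by": event["user"],
                "amount": event.get("amount"),
                "days_between": (event["ts"] - change["ts"]).days,
                "severity": "high" if change["user"] == event["user"] else "medium",
            })
    return alerts


def run_demo():
    return correlate(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two of the four payments trip the rule: V100 (address changed and payment approved by the same account the next day) and V400 (different users, still inside the window); V200 falls outside the window and V300 had no address change. The rule is only as good as the address-change events reaching the SIEM, which is why the log feed itself belongs under change management and not under the control of the application's administrators.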

Page 26

Jarrett Kolthoff – President/CEO SpearTip, LLC

Experience

Jarrett Kolthoff, President/CEO of SpearTip, LLC, has over 19 years of experience in the Information Security field. As a former Special Agent – U.S. Army Counterintelligence, he has experience in cyber investigations, counterintelligence, and fusion cell analysis that assist SpearTip’s clients to identify, assess, neutralize, and exploit the threats leveled against their corporation. His civil case work has included investigations in anti-trust lawsuits, embezzlement, collusion, theft of intellectual property, and corporate espionage. Mr. Kolthoff has led assignments throughout the United States with both national and international corporations.

Education
– Rockhurst University, Bachelor (Political Science & Economics)
– U.S. Army, Counterintelligence Agent
– Troy State University, Masters (International Relations)

Bios

Page 27

Cyber Warfare – New Types of Soldiers

• Taking on new missions
– Theft of processing power
– Theft of customer data and financial information
– Theft of Research
– Destruction of research data

• Using active memory manipulation to foil static analysis and avoid signature-based AV solutions

• In some cases, being used in conjunction with human operatives in the theft of company IP

Page 28

Cyber Warfare (continued)

Plan For the “When”, Not the “If”
• Cyber Counterespionage
• Fusion Cell Analysis
• CyberStrike:
– Identify
– Assess
– Neutralize
– Exploit

Page 29

Engagement Strategies

• Passively Monitoring Known ‘Bad Actors’ and Crime Servers for:
– Client IP Address
– Client Domain Name
– Conspiracy to Attack

• Monitoring Multiple Data feeds to include:
– Internet Relay Chat (IRC) Communications
– Log files
– Open Source Intelligence (OSINT)

• The more network security, attack vector, and threat trending knowledge an enterprise can harvest, the more secure the enterprise

Page 30

Engagement Strategies (continued)

Fusion Cell Analysis (diagram): inputs feeding the fusion cell
– HUMINT (Human Collection Efforts)
– Predictive Trends
– IRC (Internet Relay Chat)
– Malware Analysis
– Government Cases
– Threat Profiling
– OSINT (Open Source Intelligence)
– Known Threats
– Civilian Cases
– Posting Exploits

Page 31

Questions