Fraud in the Cloud 2015-09-03 - AccountantsWorld

Fraud In the Cloud: New Risks for a New Environment by @BFTCPA

9/3/2015

(c) 2015 K2 Enterprises, All RIghts Reserved 1

Copyright © 2015 K2 Enterprises, LLC. Reproduction or reuse for purposes other than a K2 Enterprises’ training event is prohibited.

Fraud in the CloudNew Risks for a New Environment

Brian F. Tankersley, CPA.CITP, CGMA

Director, Strategic Relationships

K2 Enterprises, LLC

@BFTCPA


About Brian Tankersley @BFTCPACPA, CITP, CGMA with over 20 years of Accounting and Technology business experience, including public accounting, consulting, and education. Based in Farragut, Tennessee, but travel ~100,000 air miles per year

• Director, Strategic Relationships, K2 Enterprises, LLC (k2e.com) (2005‐present)

– Delivered presentations in 46 US states, Canada, and Bermuda.

• Publisher, CPATechBlog.com (2004‐present)

• Sr. Faculty Member/ East TN Lead Instructor, Becker CPA Review (1997‐2013)

• Technology Editor, The CPA Practice Advisor (CPAPracAdvisor.com)(2010‐2014)

• Selected as one of the 2011‐2014“Top 25 Thought Leaders in Public Accounting Technology” and for 2007 and 2008 “40 Under 40” by The CPA Technology Advisor/CPA Practice Advisor.

• 2012 and 2009 Outstanding Discussion Leader Award, TN Society of CPAs

• 2011 Article of the Year, Tennessee CPA Journal

• Author of numerous articles and have direct consulting experience with numerous organizations such as software vendors, CPA firms, and other professional services firms.

• [email protected] / @BFTCPA / +1(865) 684‐4707


9/3/2015



Accounting Firm Operations and Tech Survey

• Second annual groundbreaking survey of over 600 US CPA firms of all sizes on how they use technology

• Survey was taken in Q4 2014• Findings presented by Randy Johnston in a previous

AccountantsWorld webinar• 86 questions, two versions (entire survey and small

firm version)• Available at CPA Trendlines (cpatrendlines.com)• 2016 Survey will open soon; if interested, e‐mail

[email protected] to be notified when available• Survey participants receive an e‐book version of the

survey results, when published (early 2016)


10/26-10/27/2015 CCH Connections User Conference Las Vegas, NV

10/29-10/30/2015 OKSCPA Technology Conference Norman, OK

11/5-11/6/2015 Thomson Reuters Synergy Conference Kissimmee, FL

11/9-11/10/2015 NDSCPA Technology Conference Fargo, ND

11/12-11/13/2015 NVSCPA Technology Conference Las Vegas, NV

12/3-12/4/2015 WICPA Technology Conference Pewaukee, WI

12/7-12/8/2015 NCACPA Winter Techfest Greensboro, NC

12/9/2015 AZSCPA Technology Conference Phoenix, AZ

Brian’s CPE Conference Schedule, 4Q 2015


9/3/2015



Session Description

Cloud‐based applications have changed the way we work, play, and access information. The benefits and risks associated with software‐as‐a‐service (SaaS) and hosted applications are very different than traditional on‐premises information technology.

Some traditional items used in an on‐premises forensic investigation like the transaction audit trail, user access logs, and computer access logs are often difficult to obtain for cloud solutions, and may even be unavailable by the time you or your client suspect a crime.

Attendees will learn about some of the new risks associated with cloud solutions as well as some techniques which can be used to limit these risks.


Session Overview

• Selected Cloud‐Based Frauds

• Data Breaches

• Selected Issues Associated with a Cloud‐based Fraud Investigation

• Managing and Mitigating Risks


9/3/2015



SELECTED RECENT CLOUD‐BASED FRAUDS


Selected Cloud‐Based Frauds

• Phishing Attacks Target Insider Info at Public Companies

• Russian Hackers Amass > 1B Passwords – Why You Should Care

• Phishing: A Practical Example from Oak Ridge National Lab

• Online Ad Fraud Services

• How Stolen Credit Cards and Goods are Converted to Cash

• CryptoLocker and Variants


9/3/2015




FIN4’s Approach: Get Data for Insider Trading• E‐mail targeted at C‐suite,

regulatory, legal, and investor relations personnel

• Security consultants FireEyereport that FIN4 have penetrated “80 public companies and 20 banks.”

• Messages also may include:– Word/Excel/PowerPoint files

with macros which prompt the user to enter Outlook password

– Links to fake “Outlook Web Access” portals which gather credentials

• Sample message =>

Source: Ars Technica, 12/1/2014 http://bit.ly/fin4phishing


9/3/2015



Quotes from FireEye on FIN4

FireEye Threat Intelligence Manager Jen Weedon said the hackers only targeted people with access to highly insider data that could be used to profit on trades before that data was made public.

They sought data that included drafts of U.S. Securities and Exchange Commission filings, documents on merger activity, discussions of legal cases, board planning documents and medical research results, she said.

"They are pursuing sensitive information that would give them privileged insight into stock market dynamics," Weedon said.

Source: Yahoo News 12/1/2014 http://bit.ly/fin4‐finfraud


Timeline of the FIN4 Phishing Attack

Source: Ars Technica, 12/1/2014 (http://bit.ly/fin4phishing)


9/3/2015



Russian Hackers Amass > 1B Email Accounts


Russian Hackers Amass >1B E‐Mail Accounts

• Reported by Hold Security (www.holdsecurity.com) on 8/5/2014

• Attackers used program bugs and a technique called SQL Injection to extract data from websites and other online databases

• Credentials are expected to be used to send massive amounts of junk mail (spam)

– Spam may also be used in connection with phishing and spear phishing attacks, where targeted e‐mail recipients receive messages which purport to be from financial institutions to gain access to user’s accounts

– Once accounts are under hacker control, money is transferred and stolen credit card data is sold on underground markets


9/3/2015



Target of RSA attack:Defense secrets and related intellectual property

Source: Speech by ORNL Director Thom Mason to Friends of ORNL August 25, 2011:

Winter 2011 March 17 May 31 June 1April 1 May 21 June 7

• Lockheed Martin computer systemsdetect an intruder

• Company statement: “Our systemsremain secure”

• Attack on L-3 Communications reported

• Attributedto leverageof informationfrom RSA breach

• Low-level RSA staff receive email apparentlyfrom colleague

• Subject line: “2011Recruitment Plan”

• NorthropGrumman cuts off remote accessto its network

• RSA discloses attackin SEC filing and on companyweb site

• RSA official admitscompromise of entire SecureID system

• RSA website post: “Anatomyof an Attack”

• Describesexploitationof zero-day Flash vulnerability


Phishing and Spear Phishing at ORNL

• Oak Ridge National Lab

• National Security and Nuclear Weapons Research

• National Supercomputer Center

• Hacked in April 2011

• Attacked used a “spear phishing” attack

• Gained root access to key systems

• ORNL shut down its systems for two days while it responded to the crisis


9/3/2015



April 7 April 11 April 15April 12

• 573 phishing emails• 50 users clicked• 2 systems infected• 1 system with admin

privileges compromised

• ORNL notified ofsuspicious activity byDOE-CIRC, DOE-CI,and ORNL localcyber staff

• Increased activity

• Web services shut down

• Domaincontroller and Active Directorycompromised

ORNL cyber attack 4/2011



Note 1: This is NOT an ORNL mailing address.Do you know the sender? Were you expecting an email? When indoubt, delete.

Note 4: Nowhere in this email is there any specific reference to ORNL; all referencesare generic. No affiliation should raise your suspicion level.

Note 3: Hovering your mouse over these links shows thatboth point to the same destination:http:/www.ansme.com/topic/index.htmThis does not match the topic of the reference in the link orthe email.

Note 2: Always beware of general salutations!

Phishing email



9/3/2015



ORNL’sresponse

April 7 April 11 April 14 April 15 April 29

• 4 staff reported phishing email tocyber security

• Cyber security disabled embedded linkin phishing email

• Incident response team activated and began network monitoring

• Infected machine removed from network

• All other machines that clicked on email removed from network

• 2 trojaned systems exfiltrated files (~4 MB)

• Microsoft web servers shut down;ORNL disconnectedfrom Internet

• Network reconnectedto Internet withrestricted/monitored communications



ORNL continues working on cyber defenses

• Education and awareness ofsocial engineering techniques

• Limits on administrative privileges

• Segmentation of computer network architecture

• Additional monitoring andtracking tools


Userawareness

Organizational segmentation

Block outboundconnections

Internet

Least userprivileges Network flow

monitoring

Desktop logaggregation


9/3/2015



Online Ad Fraud Service Clicks on

Competitor Google Ad Links to Waste Daily Ad Budget


Target Breach of 110 million Credit Cards with POS Hacking Software

• 110 Million possible victims• Target paying for credit monitoring• Application used was called Black POS, and used a memory scraper to

extract the unencrypted magnetic stripe data from the POS device’s memory

• This type of malicious software uses a technique that parses data stored briefly in the memory banks of specific POS devices; in doing so, the malware captures the data stored on the card’s magnetic stripe in the instant after it has been swiped at the terminal and is still in the system’s memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high‐priced merchandise.

Source: https://krebsonsecurity.com/2014/01/a‐first‐look‐at‐the‐target‐intrusion‐malware/


9/3/2015



Home Depot Breach

Notification

Source: E‐mail to Brian Tankersley 9/21/2014


How Stolen Credit Cards are Monetized• Perpetrators steal data from brick and mortar stores, POS breaches like Target, and other crimes/scams

• Data thieves bundle cards by bank ID and geography and sell online anonymously in underground marketplaces– Cards are valued based on the age of the data and the guaranteed validity (%)

– The geography component is needed so that the ill gotten gains can be purchased from areas near the victim’s home (avoid suspicion by credit card companies)

• Purchasers buy things online and at big box stores

• Remailers receive the goods and forward them to others


9/3/2015



Example: Services like LabelCity

Card data sold in “carding shops” like “McDumpals”

Card Data Purchasers Buy Merchandise and Sell Online or Ship

Overseas to Monetize Stolen Data

How Offshore CyberCrooks Steal and Sell Credit Card Data, Buy Goods, and Ship Them Overseas

Source: http://krebsonsecurity.com/2014/08/white‐label‐money‐laundering‐services/


Stolen Card Data Reliability Drops With Age

Source: http://krebsonsecurity.com/2014/02/fire‐sale‐on‐cards‐stolen‐in‐target‐breach/


9/3/2015



The Effects of Breach Aging on Data Value

• The early cards from the Target Breach were advertised as “100% valid” and sold for between $26.60 and $44.80 each in mid‐December 2013– Target announced the breach on 12/19/2013– A 1/21/2014 batch (+32 days) claimed an “83% valid rate”– A 1/29/2014 batch (+40 days) claimed a “70% valid rate”– A 2/6/2014 batch (+48 days) claimed a “65% valid rate”– By 2/14/2014, Krebs reports that some Target breach cards were selling for as little as $8‐$28 per card, and were boasting a “60% valid rate”

• Some non‐US Target breach cards retrieved as much as $120 per card, a significant premium over the US records

Source: http://krebsonsecurity.com/2014/02/fire‐sale‐on‐cards‐stolen‐in‐target‐breach/


“Work At Home” Scam Respondents Used to Reship Goods for Those Using Stolen Cards

Source: http://krebsonsecurity.com/2011/10/shady‐reshipping‐centers‐exposed‐part‐i/


9/3/2015



FBI Warns Enterprises About Destructive Malware

• The FBI warned U.S. businesses that hackers have used malicious software to launch destructive attacks in the United States, following a devastating cyberattack last week at Sony Pictures Entertainment.

• The five‐page, confidential "flash" warning issued to businesses late on Monday provided some technical details about the malicious software that was used in the attack, though it did not name the victim.

• The report said that the malware overrides data on hard drives of computers which can make them inoperable and shut down networks.

• It is extremely difficult and costly, if not impossible, to recover hard drives that have been attacked with the malware, according to the report, which was distributed to security professionals at U.S. companies.Source: CNBC 12/1/2014 ‐ http://www.cnbc.com/id/102213995


CryptoLockerRansomware


9/3/2015



CryptoLocker Ransomware• An example of “ransomware”, which holds data hostage• Very active in late 2013 through today• Most variants use “zero day” vulnerabilities, and are not detected by antivirus• User opens program e‐mailed to user on a local PC• Program installs itself numerous places, and then connects to a “command and

control” server run by the perps which gives the ransomware a public key which is used to encrypt all Office files, database applications, pictures, and pretty much any useful user file on a computer

• Once data is encrypted (a few hours to as long as a day or two), users are presented with an ultimatum and must pay within 72 hours or the private key (needed to unscramble the files) will be destroyed and data is gone forever


CryptoLocker Ransomware

• Hearing rumors of CPA firms which have had this infection but no one talking about this publically

• We are also hearing that firms are being targeted for reinfection by groups

• Ransoms demanded range from $300 to $5,000, depending on the version of the malware, but ransoms are going up (!)

• Users must pay in Bitcoin or anonymous wire transfers• Antivirus and anti‐spam is not detecting many variants of this threat –

and the variants seen in the wild often use “zero day” exploits• Don’t click on links in e‐mails, open files you’re not expecting, or

otherwise access messages from people with whom you’re not familiar


9/3/2015



Known Subjects of Cryptolocker Messages

USPS - Your package is available for pickup ( Parcel 173145820507 ) USPS - Missed package delivery ("USPS Express Services" <[email protected]>)

USPS - Missed package delivery FW: Invoice <random number>

ADP payroll: Account Charge Alert ACH Notification ("ADP Payroll" <*@adp.com>)

ADP Reference #09903824430 Payroll Received by IntuitImportant - attached form FW: Last Month Remit

McAfee Always On Protection Reactivation Scanned Image from a Xerox WorkCentre

Scan from a Xerox WorkCentre scanned from Xerox

Annual Form - Authorization to Use Privately Owned Vehicle on State Business Fwd: IMG01041_6706015_m.zip

My resume New Voicemail Message

Voice Message from Unknown (675-685-3476) Voice Message from Unknown Caller (344-846-4458)

Important - New Outlook Settings Scan Data

FW: Payment Advice - Advice Ref:[GB293037313703] / ACH credits / Customer Ref:[pay run 14/11/13] Payment Advice - Advice Ref:[GB2198767]

New contract agreement. Important Notice - Incoming Money Transfer

Notice of underreported income Notice of unreported income - Last months reports

Payment Overdue - Please respond FW: Check copy

Payroll Invoice USBANK

Corporate eFax message from "random phone #" - 8 pages (random phone # & number of pages) past due invoices

FW: Case FH74D23GST58NQS Symantec Endpoint Protection: Important System Update - requires immediate action


• Security training for users is essential• Good daily, offline backups are the key to surviving this pest• Do not use the Adobe Flash browser add-in – it is broken beyond repair• Run as a “regular” (non-administrative) user at all times• Have three antivirus solutions running, with different capabilities, all set to inform IT group

instantly if anything is detected– One on firewall (e.g. McAfee on SonicWall UTM)– One on server, but not in the clients (say MalwareBytes)– One on local clients but not on the server (say GFI Vipre)– The antivirus products selected should include at least one which is primarily “pattern/signature

based” and one which is “heuristics/behavior based”• Some organizations are having success with group policies

– Not mapping network shares, but instead using UNC addresses like \\server\sharename instead of R:\)

– Some organizations report that Applocker in Windows is helping them

Best Known Advice on CryptoWall

@BFTCPA


9/3/2015



• In EAC scams, criminal actors use social engineering or computer intrusion techniques to compromise the e-mail accounts of unsuspecting victims and then initiate funds transfers using the compromised account or a mimic account (e.g. [email protected] instead of [email protected]) – A criminal actor first gains access to a victim’s legitimate e-mail address for

reconnaissance purposes.

– The criminal actor then creates a spoofed e-mail account that closely resembles the legitimate account, but is slightly altered by adding, changing, or deleting a character

– The spoofed e-mail address is designed to mimic the legitimate e-mail in a way that is not readily apparent to the targeted individual.

E‐mail Account Compromises

Source: FBI (http://www.ic3.gov/media/2015/150827‐2.aspx), retrieved on 9/3/2015


Financial/Brokerage Services– An individual’s e-mail account is compromised by a criminal actor. The criminal actor, who is posing as the

victim, sends an e-mail to the victim’s financial institution or brokerage firm requesting a wire transfer to a person or account under the control of the criminal actor.

– An accounting firm’s e-mail account is compromised and used to request a wire transfer from a client’s bank, supposedly on behalf of the client.

Real Estate– A seller’s or buyer’s e-mail account is compromised through an EAC scam. The criminal actor intercepts

transactions between the two parties and alters the instructions for the transfer of funds.– A realtor’s e-mail address is used to contact an escrow company to redirect commission proceeds to a bank

account associated with the criminal actor.Legal

– A criminal actor compromises an attorney’s e-mail account, which results in the exposure of client bank account numbers, e-mail addresses, signatures, and confidential information related to pending legal transactions.

– The attorney’s compromised e-mail account is used to send overlaid wire instructions to a client.– A criminal actor compromises a client’s e-mail account and uses it to request wire transfers from trust fund

and escrow accounts managed by the firm.

E‐Mail Account Compromises



9/3/2015



• Do not open e-mail messages or attachments from unknown individuals.

• Be cautious of clicking links within e-mails from unknown individuals.

• Be aware of small changes in e-mail addresses that mimic legitimate e-mail addresses.

• Question any changes to wire transfer instructions by contacting the associated parties through a known avenue.

• Have a dual step process in place for wire transfers. This can include verbal communication using a telephone number known by both parties.

• Know your customer. Be aware of your client’s typical wire transfer activity and question any variations.

E‐Mail Account Compromises



DATA BREACHES


9/3/2015




PA CPA Firm Loses 30K SSN’s, Insurer Not Required to Defend Him

• Staff person’s homeowners insurance didn’t cover loss costs due to exclusion for business‐related losses

• Many CPA firm insurance carriers writing exclusions into malpractice policies which deny losses associated with data breaches unless a special, separately priced “cyber insurance” rider is added

• What about your policy?


9/3/2015



Breaches Happen to Big Firms, Too

• Ernst & Young, LLP & Regions Financial / Regions Bank

• 401(k) audit staff overnighted USB drive to another office

• Included both the drive and the written decryption password

• Over 20,000 employees likely affected by this breach


US Accounting Firms Targeted by Cybercriminals

• $6 million dollar fraudulent tax return scheme

• Four major US CPA firms

• Stole 2011 returns for over 1,000 clients in 2012

• Indicted in 2013

• Pled guilty in July 2015


9/3/2015



IRS Security Issue Leads to Breach, Litigation

• IRS reported a breach in its “Get Transcript” application affecting 330,000 taxpayers

• IRS provided credit monitoring and ID protection PINS

• Group of law firms still pursuing a class action against IRS


Consider the Following• The large breaches just discussed will cost these companies millions and perhaps

billions. Consumers have not been burned by these fires, just the companies who dropped the ball.

• In 2008, the underground market for data was flooded with more than 360 million stolen personal records, compared to just 3.8 million in 2010. That is 99% decline in the number of stolen credit cards in the wild in 2 years.

• Reported/known client data breaches by AccountantsWorld, CCH Wolters Kluwer, Thomson Reuters Tax and Accounting, and Intuit Tax divisions combined – ZERO!!

• Conclusion: We are learning and the cost is being paid almost completely by those service providers who drop the ball.


9/3/2015



Creating a Data Breach Response Plan

• Probably should be part of your business continuity/emergency management plan

• One source is your insurance company’s loss prevention department.

• Rapidly evolving field, AICPA has a somewhat dated template at bit.ly/cpaplan

• Online Trust Alliance has a PDF guide at bit.ly/ota13dbg

• Many good resources from American Bar Association, but they run $75‐$150 each


SELECTED ISSUES ASSOCIATED WITH A CLOUD‐BASED FRAUD INVESTIGATION


9/3/2015



Selected Issues Associated With a Cloud‐Based Fraud Investigation

• Law Enforcement Issues

• Jurisdictional Issues

• Cloud Provider Issues

• Example: Cloud Accounting Applications

• The Stored Communications Act

(18 USC 2701‐2712)


Law Enforcement Issues

• Many pitfalls associated with forensics related to cloud data– Traditional techniques used to preserve data against spoliation are not applicable

– Many evidence handling issues are unsettled case law– Appropriate jurisdiction for courts is unclear and unsettled– The cloud application’s EULA may not require the provider to cooperate with an investigation

• Issues also exist with prosecutors and attorneys– Templates for subpoenas and search warrants for cloud data are constantly evolving

– The demand for forensic investigation resources outstrips the supply of available talent in most jurisdictions


9/3/2015



Law Enforcement Issues

Many pitfalls are associated with forensic analysis of cloud‐based data and applications

– Traditional techniques used to preserve data against spoliation are not applicable

– Many evidence handling issues are unsettled case law

– Appropriate jurisdiction for courts is unclear and unsettled

– The cloud application’s EULA may not require the provider to cooperate with an investigation

– Lack of tested and certified forensic analysis tools


Jurisdictional Issues

• Jurisdiction is often an unsettled matter, since there is not a “physical presence”

• The courts with authority over the investigation can be influenced by factors such as:– The nature of the crime or matter– HQ location for the cloud service– HQ location for the user organization– Jurisdiction where the product was actually used– Location of the primary data center which holds the information requested– Site where the crime is alleged to have occurred– The jurisdiction for resolution of legal disputes in the EULA– The suitability of each district for accurate fact finding


9/3/2015



Cloud Provider Issues

• Isolating data to a single physical server in most cloud computing environments will be impossible

• Time zone differences in logs may create ussyes• Lack of fully vetted protocols by provider for retrieving, cataloging, storing,

retrieving, and reporting on cloud data may create significant uncertainty surrounding the admissibility and integrity of digital evidence

• May not be able to preserve data against spoliation• Audit trail logs and IP address logs may not be available• Tools for analyzing data may not be available• The fraud may utilize so many systems, services, and data centers that proving

the link between the alleged perpetrator and the data stored in the service may be impossible


Example: Cloud Accounting Applications

• Tools like Xero, Kashoo, QuickBooks Online, and Sage One may not keep adequate records to reconstruct events

• In a 2014 review of cloud accounting applications, I discovered that a majority of cloud‐based applications did not have customer‐facing audit trail reports

• Some applications do not support multiple users and configurable permissions so the logs can contain meaningful information

• As of August 6, 2014, I am not aware of any entry level cloud applications targeted at the US which offer two‐factor authentication– 2FA is available in Google, FaceBook, SalesForce, Microsoft Office 365, and many other cloud‐based solutions


9/3/2015




• Fewer reports, and very limited options exist for customizing reports in most cloud accounting applications

• The security controls in most applications limit the ability of companies to limit the access granted to users on a granular basis

• Providers have made it hard to export data from many applications in an effort to keep users within their applications

• ISP’s may not have IP address logs for more than a few weeks back, leaving key periods under investigation without direct linkage to the activity



• Preserving data against spoliation may also stop users from processing transactions for a period of time

• Some cloud‐based solutions are rumored to charge companies a significant fee to get their data in a digital format if they exit the application


9/3/2015



The “Jury Duty” Factor

• Many cloud applications utilize multiple data centers when processing transactions• Plaintiff/Prosecution will have to explain to judge and jury the timeline of what

occurred, and will also have to explain how this was reconstructed based on data obtained from the cloud provider

• Many jurors may not have the attention span or tech background to understand key concepts in the operation of a modern data center– Server and application virtualization– Hypervisors– Single tenant vs. multi‐tenant architectures

• Opposing counsel may use the complexity of the computing environment to create reasonable doubt in the minds of jurors ‐ in spite of overwhelming evidence


The Stored Communications Act

• 18 USC 2701‐12, included in Title II of the Electronic Communications Privacy Act of 1986– “a person or entity providing remote computing service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service” – 18 USC 2702

• While a search warrant and probable cause are required to search one’s home, under the third party doctrine only a subpoena and prior notice (a much lower hurdle than probable cause) are needed to compel an ISP to disclose the contents of an email or of files stored on a server


9/3/2015




• Categories of Information– Basic user and session information

– Usage logs for the customer

– Contents of the user’s account

• Electronic Communication Service (ECS): “Any service which provides to users thereof the ability to send or receive wire or electronic communications”

• Remote Computing Service (RCS): “The provision to the public of computer storage or processing services by means of an electronic communications system



• Providers can be compelled to produce information under SCA using five different mechanisms:– A subpoena– A subpoena with prior notice to the subscriber or customer– A §2703(d) Court Order– A §2703(d) Court Order with prior notice to the subscriber or customer– A search warrant

• 18 USC 2701 may prohibit a provider from disclosing user content in response to a civil subpoena, although different rules may apply depending on whether the service is an Electronic Communications Service or a Remote Computing Service


9/3/2015



MANAGING AND MITIGATING RISKS


What Can You Do To Mitigate Risks?

• Use password management software

– LastPass, Roboform, KeePass

• Use strong, unique passwords on every website

– Password management software needed to store/enter securely

• Consider using a different username for “more secure” accounts.

– If my username is “btankersley” on many websites, I might create a random username like “VL4ZV3” for more sensitive sites

– Don’t reuse these usernames – make them unique to each website

• Use two factor authentication whenever possible


9/3/2015



What Can You Do To Mitigate Risks?

• Use spam filtering, anti‐malware software, and network‐based group policy settings to filter out known bad items from your e‐mail

• Do not click on links in e‐mail – enter the sites using your web browser

• Review your credit card statements for unusual activity online– Also review the printed statements you receive every month to confirm that there are no unusual charges

• Don’t give out your private info (SSN, credit card data, etc.) in a public place like an airport

• Cover your hand when entering your ATM PIN, and avoid strange looking ATMs


Assess Your Organizational Risk

• Work under the assumption that you’ve already been hacked

• Identify your legal/regulatory requirements and organizational objectives

• Inventory the types of confidential data stored in your organization

• Identify the key controls which protect each type of data

• Assess the identified risks, and document the likelihood and expected damages related to a breach for each type of confidential data

• Adjust your procedures and related controls to provide your desired level of control in response to the identified risks


9/3/2015



Thank You

If you have questions, please e‐mail [email protected] or reach out to @BFTCPA on Twitter or submit a comment to my blog at CPATechBlog.com.


CLOUD SECURITY CERTIFICATIONSAppendix I:


9/3/2015



Better Physical Security • Verizon’s NAP of the Americas (Tier IV Data Center)

• Command Center manned by armed security personnel 24 hours a day, 7 days a week, 365 days a year.

• Security personnel monitor

– all security cameras

– guard building entrance and exit access points

– control key card access to elevators, floors and roof areas.

• In addition, environmental sensors notify tenants and mobilize rescue in case of

emergency.


Redundancy in a Tier IV DataCenter like NAP of the Americas

• 750,000 square foot, purpose‐built datacenter

• Tier IV facility with N+2 power and cooling infrastructure

• Equipment floors 32 feet above sea level

• Roof slope designed to aid in drainage of floodwater in excess of 100‐year storm intensity assisted by 18 rooftop drains

• Designed to withstand a Category 5 hurricane with approximately 19 million pounds of concrete roof ballast

• 7 inch thick steel reinforced concrete exterior panels

• The building is outside FEMA 500‐year designated flood zone


9/3/2015



Redundancy in Data Centers

Component Tier I Tier II Tier III Tier IV

Internet Yes Yes Yes Yes

External power Yes Yes Yes Yes

Internal Power No No Yes* Yes

Internal NetworkingNo No Yes*

Yes

Cooling Equipment No No No Yes

Expected Reliability 99.6% 99.7% 99.982% 99.995%

Expected Downtime 1‐2 days a year

1 day/yr(1/2 hr/wk)

<1 hr/yr(1/2 min/mo)

30 min/yr

* Although redundant, configuration is not required to be fault tolerant, which may result in equipment damage in an unplanned emergency.

Source: Created from data published by Volico (http://bit.ly/dctiers, retrieved 12/9/2012)


Third Party Attestations on Data Centers and Cloud Providers

• SSAE No. 16, Reporting on Controls at a Service Organization, replaces SAS No. 70.

• Under SSAE No. 16 auditors issue Service Organization Control (SOC) reports. These are internal control reports on service organizations.

• There are SOC 1, SOC 2, and SOC 3 reports.


9/3/2015



AICPA SOC 1 Reports

• SOC 1 reports focus solely on a service organization’s internal controls over financial reporting that are relevant to the user organization’s financial reporting.

• Distribution and use of these reports is restricted to management of the service organization, the user entities and their auditors.

• There are both Type 1 and Type 2 reporting options for SOC 1 reports.


Type 1 vs. Type 2 SOC Reports

• Both SOC 1 reports and SOC 2 reports can be either Type 1 or Type 2 reports.

• There is only one type of SOC 3 report.

• Type 1 reports:

– The auditor tests controls and provides an opinion on the effectiveness of the design of those controls.

– The report also describes the internal controls.

• Type 2 reports:

– Auditor tests the effectiveness of the controls over a specific period of time.


9/3/2015



AICPA SOC 2 Reports

• SOC 2 reports specifically address one or more of the following five key system attributes:– Security– Availability– Processing Integrity– Confidentiality– Privacy

• Can include a detailed description of the tests performed• Distribution is generally limited to customers, regulators and others that have an understanding of the service organization and its related controls.


AICPA SOC 3 Report

• A SOC 3 report is a general‐use report on whether the system achieved the trust services criteria (security, privacy, confidentiality, processing integrity and availability)

• Tests the controls that are in place during a defined period of time

• Permits the service organization to use the SOC 3 seal on its website


9/3/2015



ISO 27001 Certification

• ISO 27001 is an Information Security Management System (ISMS) standard published by the International Organization for Standardization (ISO).

• It requires:

– Systematic examination of security risk

– Design and implementation of comprehensive security controls

– Adoption of process to see that controls continue to meet standards


CLOUD BENEFITS, RISKS, AND STANDARDSAppendix II


9/3/2015



Cloud Solution Approaches

1. On‐Premise – Traditional / Private

2. Hosted in Data Center

3. SaaS – Browser based

4. Hybrid – a combination of any of the other methods

Applications with add‐ons SECURITY ACCESSSECURITY ACCESS

APP INTEGRATIONAPP INTEGRATION

LOGGING/AUDIT TRAILLOGGING/AUDIT TRAIL

DATABASEDATABASE

USER AUTHENTICATIONUSER AUTHENTICATION

SaaS “Chunk”


Cloud Benefits

• Overcome local IT knowledge deficiencies

• Backup and Business Continuity/Disaster Recovery burden shifted

• Ability to work anywhere, anytime, any device enhanced

• Infrastructure capital costs minimized

• Client OS agnostic


9/3/2015



Cloud Benefits– Cont’d

• Less power consumption

• Less maintenance at desktop level

– Thin clients are absolutely an option

• Capital requirements at desktop level reduced (5‐7 year vs. 3‐4 year life)


Cloud Risks

• Down time/outages

• Speed beyond your control

• Somewhat linear costs and costs escalate/ reduce with user counts.

– Not always a cheaper model – often more expensive when business‐grade services are used

• Patriot Act Section 215 (replaced by USA FREEDOM Act) used to access data without notification or subpoena

• Local infrastructure (firewalls, switches, cabling, computers still needed, maintenance)


9/3/2015



Cloud Risks – Cont’d

• In the case of hosting by vendors, they only support their applications (Thomson/CCH/Intacct/ NetSuite). May be behind on software versions (Office/Citrix)

• It is often difficult to get data back when you want to change

– Plan and test your exit before you are locked into a contract

• If your Cloud vendor is not performing for you

– very difficult to change, requires you to implement a new product to fire them.

– If your managed service provider or your on premise network fails, you find a new vendor and continue


Cloud Risks – Cont’d

• More complexity in problem resolution – Premise issues, Internet issues (bandwidth and connectivity), and hosting issues

– Most hosting companies won’t let you troubleshoot issues on their end– When you want them to do something you must turn in a work request and wait

• If Internet connectivity is down – no one in office works

• Unless dealing with someone with expertise in your profession, like Cetrom or NMGI for CPA firms – you will not have quality application support


9/3/2015



Cloud Data Center Advantages

• Redundant communication lines

• Generators for backup power

• SLA (service level agreements) of 99.999%

• Physical security and control

• Command centers

• SOC/SSAE 16 certifications (often inherited)

• Probable BC/DR preparedness


Cloud Shortcomings

• Speed

• Integration

• Integrity

• Security of data

• Control

• Reliability

• Lack of sophistication

• Governance


9/3/2015



Public Cloud Vs. Private CloudWhat Technologies Have Made This Possible?

• Public Cloud (Hosted)

– Cheap, unmetered Internet access (at risk with Net Neutrality gone)

– Virtualization

– Dot com bust made for data center bargains

– Less expensive model for vendors

– Very large scale SANs

– Increased server power

• Private Cloud– Citrix XenDesktop, or VMware View

– Lower Priced Storage Area Networks (SANs)

– Backup Appliances for Business Continuity/DR and off‐site capabilities

• SaaS– Better development tools

– Faster centralized computers

Documents

Fraud in the Cloud 2015-09-03 - AccountantsWorld