Preventing Fraud from Top to Bottom
Information Security Summit
October 31, 2014
Session 8: 2:20–3:20 PM
Dr. Eric A. Vanderburg, Director, Cyber Security, JURINNOV Ltd.
Ramana Gaddamanugu, CFE, Senior Manager, Risk and Compliance, JURINNOV Ltd.

Preventing Fraud from Top to Bottom - Vanderburg, Gaddamanugu - Information Security Summit 2014

Preventing Fraud from Top to Bottom was presented at the Information Security Summit in 2014 by Dr. Eric Vanderburg and Ramana Gaddamanugu.
Published on: Mar 4, 2016
Published in: Technology
Source: www.slideshare.net


Transcripts - Preventing Fraud from Top to Bottom - Vanderburg, Gaddamanugu - Information Security Summit 2014

  • 1. Preventing Fraud from Top to Bottom Information Security Summit October 31, 2014 Session 8: 2:20–3:20 PM Dr. Eric A. Vanderburg Director, Cyber Security JURINNOV Ltd. Ramana Gaddamanugu, CFE Senior Manager, Risk and Compliance JURINNOV Ltd.
  • 2. Who are we? Dr. Eric A. Vanderburg Director, Cyber Security JURINNOV Ltd. Ramana Gaddamanugu, CFE Senior Manager, Risk and Compliance JURINNOV Ltd. © 2014 Property of JurInnov Ltd. All Rights Reserved
  • 3. Overview • Fraud Risks • Fraud Controls • Anti-Fraud Culture • Awareness • Fraud Incident Response
  • 4. Fraud Risks • Facts and Figures • Fraud factors • Laws • Case studies • Addressing fraud risk
  • 5. Facts and figures • 65% of fraud cases were discovered by tips or by an employee accidentally stumbling upon them during the course of their job duties. • Average organizational cost $5.5 million per incident – Ponemon Institute Study, March 2012 • Financial impact of cybercrime expected to grow 10% per year through 2016 – Gartner top predictions for 2012
  • 6. Fraud factors Pressures / Incentives: • A situation that is so challenging the person cannot see any other way out • Personal financial pressure • Family pressures • Greed • Pressure to meet goals Rationalization: • A way to justify in the person’s consciousness that the act of fraud is not so bad • Common beliefs: • Person is owed this money • Just borrowing until they are able to pay it back • Everyone else is doing it Opportunity: • The set of circumstances that make it possible to commit fraud
  • 7. Laws • The Ribicoff Bill • The Computer Fraud and Abuse Act of 1986 • The Electronic Communications Privacy Act of 1986 • The Communications Decency Act of 1996 • The Sarbanes-Oxley Act of 2002 (SOX) • The Gramm-Leach-Bliley Act (GLBA) • The California Database Security Breach Act (2003) • Identity Theft Enforcement and Restitution Act of 2008
  • 8. Case studies • Example 1 – Pressure – Opportunity – Rationalization
  • 9. Case studies • Example 2 – Pressure – Opportunity – Rationalization
  • 10. Case studies • Example 3 – Pressure – Opportunity – Rationalization
  • 11. Addressing fraud risk • Performing a fraud risk assessment • Options for dealing with risk – Accept – Mitigate – Transfer – Avoid
  • 12. Addressing risk [chart: the four options ACCEPT, MITIGATE, TRANSFER and AVOID plotted by Impact (Probability * Loss) against Cost]
  • 13. Fraud Controls • Access controls • Auditing • Business continuity • Application security • Cryptography • Security management • Governance • Segregation of Duties
  • 14. Ways controls are executed • Manual (performed by people) – Examples: Authorizations, Management reviews • Automatic (embedded in application code) – Examples: Exception reports, Interface controls, System access
  • 15. Control categories
  • 16. Access controls • Least privilege • Types of authentication – What you have – What you are – What you know
  • 17. Auditing • Server audit logs are turned on and retained • Proper review of logs and other data • Personnel held accountable
  • 18. Business continuity • Key systems have uninterruptible power supplies • Backups tested regularly • Disaster recovery plans in place • Business continuity testing for key systems • System maintenance as scheduled
  • 19. Application security • Security patches up to date • Equipment firmware is up to date • No unauthorized programs installed • Corporate applications have up to date security reviews • Antivirus software installed • Virus definitions up to date
  • 20. Cryptography • Data at rest – Workstations – Servers – Backups – Laptops – Phones • Data in motion (in transit) – VPN – Web site access – File transfer – Network communication
  • 21. Encryption example
  • 22. Security management • Configuration changes approved prior to implementation • Incidents handled by incident response plans • Media sanitized before being reused or disposed
  • 23. Governance • Security policies and procedures in place • Systems have documented security controls • Documented roles and responsibilities
  • 24. Segregation of Duties • Process • Systems • Roles and Authority • Oversight • Audit
  • 25. Test types • Inquiry – Interview staff to validate knowledge of a policy or requirement – Inquiry alone is not a sufficient test • Inspection – Review sample of source documents for evidence of control execution – Review exception reports and related documentation to identify preventive control failures and validate for risk occurrence – Reconcile process/system documentation to actual operation • Observation – Monitor personnel to validate execution of manual controls – Observe occurrence of automated controls (e.g. popup warnings) • Re-performing – Enter an illegal transaction to test control operation – Enter a valid transaction to test control operation
  • 26. Anti-Fraud Culture • Role of leadership • Reinforcing the culture day to day • Business integration • Making it happen
  • 27. Role of leadership • Incenting the behavior • Assignments and accountabilities • Personal contribution reports • Performance reviews • Daily interactions with team members • New system and process deployment
  • 28. Role of leadership • Take a quick pulse • Demonstrate that security is critical • Challenge assumptions of security • Ask about the risks • Monitor, measure, report • Hold everyone accountable • Reward behaviors • Debrief projects including security focus
  • 29. Reinforcing the culture: Day to Day • Monitoring, measuring and reporting • Integrating with business metrics • Weekly management meetings • Monthly dashboard review with employees • Quarterly goals met • Team rewards
  • 30. Business integration Anti-fraud Strategy • Priorities • Roles and responsibilities • Targeted capabilities • Specific goals (timeframe) Business Strategy • Core values • Purpose • Capabilities • Client promise • Business targets • Specific goals • Initiatives • Action items • Assignments and accountabilities
  • 31. Making it happen • Ask where are we today? – High level survey – taking the pulse – Assessment • Define and communicate expectations – Company policies – Employee training – Third party contract requirements
  • 32. Making it happen • Implement changes – Workflow (make it easy) – Technology – Physical • Ask how are we doing? – Checkpoints – Audits
  • 33. Awareness • Types of fraud • Everyone’s responsibility • Recognizing fraud • Who to notify • Whistleblowing policy
  • 34. Fraud Incident Response • Preparation • Identification • Containment • Investigation • Eradication • Recovery
  • 35. Preparation – Document procedures for likely incidents – Document steps for a non-specific incident – Prepare resources • Human • Technical – Is geographic diversity needed? – Determine notification procedure – Roles and responsibilities – Simulation – Review and maintenance
  • 36. Identification • Use of dormant accounts • Log alteration • Notification by partner or peer • Violation of policy • Violation of law • Loss of availability • Unusual consumption of computing resources • Unusual network activity • Corrupt files • Data breach • Reported attacks • Activity at unexpected times • Unusual email traffic • Presence of unfamiliar files • Execution of unknown programs
  • 37. Containment – Assembly – Restrict Access – Preservation – Notification
  • 38. Investigation – Interviewing – Documentation • IP address of compromised system • Time frame • Malicious ports • Flow records • Host file – Analysis • Event Logs – Escalation
  • 39. Eradication • Resolution – all that data should have given you action items. If not, look again – List action items – Rank in terms of risk level and time required – Prioritize – Coordinate and track remediation to completion • Validation – Confirm measures successfully remediated the incident
  • 40. Recovery • Remediate vulnerabilities • Restore services • Restore data • Restore confidence
  • 41. Questions
  • 42. For assistance or additional information • Phone: 216-664-1100 • Web: www.jurinnov.com JurInnov Ltd. The Idea Center 1375 Euclid Avenue, Suite 400 Cleveland, Ohio 44115
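The Identification slide (36) lists indicators such as use of dormant accounts, log alteration and activity at unexpected times. As an added example that is not part of the deck, the Python below checks constructed login records for those three indicators; the pipe-delimited log format, the sequence-number check for alteration, the 60-day dormancy threshold and the 07:00–18:59 business window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log (assumed format: seq|timestamp|user|event);
# record 104 is deliberately missing to stand in for an altered log.
SAMPLE_LOG = """\
101|2014-10-20 09:12:00|alice|login
102|2014-10-21 08:55:00|bob|login
103|2014-10-30 17:40:00|alice|login
105|2014-10-31 02:13:00|svc_old|login
106|2014-10-31 10:05:00|bob|login
"""
# Constructed baseline: last known login per account before this log starts.
KNOWN_LAST_LOGIN = {"svc_old": datetime(2014, 6, 1)}
DORMANT_DAYS = 60              # assumed dormancy threshold
BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 working window

def parse(log_text):
    """Turn pipe-delimited lines into (seq, timestamp, user, event) tuples."""
    records = []
    for line in log_text.splitlines():
        seq, ts, user, event = line.split("|")
        records.append((int(seq), datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, event))
    return records

def find_indicators(log_text, last_login):
    """Return (indicator, seq) pairs for the three indicators checked here."""
    last_login = dict(last_login)  # do not mutate the caller's baseline
    alerts = []
    prev_seq = None
    for seq, ts, user, event in parse(log_text):
        # Log alteration: record numbers should be contiguous; a gap means records were removed.
        if prev_seq is not None and seq != prev_seq + 1:
            alerts.append(("log_alteration", seq))
        prev_seq = seq
        # Activity at unexpected times: anything outside the business-hours window.
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("unexpected_time", seq))
        # Use of dormant accounts: a login after a silence longer than the threshold.
        if event == "login":
            last = last_login.get(user)
            if last is not None and ts - last > timedelta(days=DORMANT_DAYS):
                alerts.append(("dormant_account", seq))
            last_login[user] = ts
    return alerts

def run_demo():
    """Run the detector over the constructed sample with the constructed baseline."""
    return find_indicators(SAMPLE_LOG, KNOWN_LAST_LOGIN)
```

Record 105 trips all three checks in the sample; without a baseline of prior logins the dormant-account check cannot fire, which is why retaining historical logs (slide 17) matters for this indicator.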
