Fraud Prevention and Detection In an Automated World. Nicholas Barone, Instructor November 17 th, 2011

Transcription

1 SIFMA - IT Fraud Risk Presentation Fraud Prevention and Detection In an Automated World Nicholas Barone, Instructor November 17 th, 2011

2 What We Will Cover Identifying IT fraud risks and schemes Implementing IT fraud risk assessments Fraud Diamond - Capability -What Kind of Mind does it take Behavioral Profiles Using technology to prevent and detect fraud Utilize data analysis to detect fraud

3 What is Fraud? any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage. IIA s International Professional Practices Framework (IPPF)

4 IT Fraud Risks s Access to systems or data for personal gain Changes to system programs or data for personal gain Fraudulent activity by an independent contractor or offshore programmer Conflicts of interest with suppliers or third parties Copyright infringement

5 Independent Contractor Fraud Scenario Fraud An IT consultant under contract After the company declined to offer an illegally accesses the company s IT contractor permanent employment, computer systems. he illegally accessed the company s computer systems and caused damage by impairing the integrity and availability of data. He was indicted on federal charges, a charge that carries a maximum statutory penalty of 10 years in federal prison. Source: U.S. Department of Justice, Computer Crime and Intellectual Property Section

6 Access to systems or data for personal gain Scenario A database analyst for a major check authorization and credit card processing company, exceeds his authorized computer access. Source: U.S. Department of Justice, Computer Crime and Intellectual Property Section Fraud The employee uses his computer access to unlawfully steal consumer information of 8.4 million individuals. The information stolen included names and addresses, bank account information, and credit and debit card information. He sold the data to telemarketers over a five year period. A U.S. District Judge sentenced him to 57 months' imprisonment i and a $3.2 million in restitution for conspiracy and computer fraud

7 Access to systems or data for personal gain Scenario An employee in the payroll department moved to a new position. Upon switching gp positions, the employee s access rights were left unchanged. Source: 2010 Insider Threat Study, US Secret Service and CERT/SEI Fraud Using the retained privileged access rights, the employee provided an associate with confidential information for 1,500 of the firm s employees, including 401k account numbers, credit card account numbers, and social security numbers, which was then used to commit over 100 cases of identity theft. The insider s actions caused over $1 million in damage to the company and its employees.

8 Changes to system programs or data for personal gain Phase Fraud Oversights Requirements Definition 195 illegitimate drivers licenses were created and sold by a police communications officer who accidentally discovers she can create them. Ill-defined authentication and role-based access control requirements. Ill-defined security requirements for automated business processes. Lack of segregation of duties. Source: 2010 Insider Threat Study, US Secret Service and CERT/SEI

9 Changes to system programs or data for personal gain Phase Fraud Oversights System Design An employee realizes there is no oversight in his company s system and business processes, so he works with organized crime to enter and profit from $20 million in fake health insurance claims. Insufficient attention to security details in automated workflow processes. Lack of consideration for security vulnerabilities posed by authorized system overrides. Source: 2010 Insider Threat Study, US Secret Service and CERT/SEI

10 Changes to system programs or data for personal gain Phase Fraud Oversights System Implementation An 18-year-old former Web developer uses backdoors he inserted into his code to access his former company s network, spam its customers, alter its applications, and ultimately put the company out of business. Lack of code reviews. Source: 2010 Insider Threat Study, US Secret Service and CERT/SEI

11 Changes to system programs or data for personal gain Phase Fraud Oversights System Maintenance A foreign currency trader covers up losses of $691 million over a five-year period by making unauthorized changes to the source code. Lack of code reviews. End-user access to source code. Source: 2010 Insider Threat Study, US Secret Service and CERT/SEI

12 Impact of Cybercrime Issues For a Typical Company Cybercrime Issues Opportunity Approach Benefits Cybercrime-related challenges: Escalating cybercrime rates and losses End-to-end d approach to risk Monitoring to detect Cybercrime Protecting integrity of computer data Maintenance of Shareholder Value Ability to respond to and investigate incidents in a timely fashion High cost of maintaining security inhouse Legal liabilities RISKS If Cybercrime issues are not addressed, companies risk: Mismanagement of Security Devices No Coverage Outside Business hours Inability to Detect a Security Breach Ineffective Response to an Attack Inability to Assess Damages Mishandle Electronic Evidence Failure to meet regulatory requirements Reduce on-going risk in a digital economy by implementing state-of-the art procedures around: prevention detection response remediation 1) Device Management (e.g., IDS) 2) 7x24 incident monitoring Incident response to remediate and minimize impact 3) Incident Response Plan/Team 4) Assessment of Monitoring, Incident Response and Forensics Forensics to investigate, remediate, and recover damages Investigative readiness 5) Information technology investigation 6) Litigation Electronic discovery evidence orders handling 7) Expert Litigation witness support testimony Secure business infrastructure Increased protection of information assets through rapid response Mitigated e-business risk Reduced security cost Protect Shareholder Value Security Staff Augmentation 12

13 Hacker Profiles Employees Contractors and Consultants Partners, Customers Temps Short-Term Long-Term Former Employees 13

14 Perpetrator t Typology Explorer Hacker Golden Parachuter Exception Proprietor Good Samaritan Machiavellian Avenger Career Thief Mole 14

15 Explorer Motivated by curiosity Rarely damages Tests abilities unauthorized access to learn more lacks good judgement re: unmarked files often picked-up by sys admin but no policy so no consequences 15

16 Hacker Prior history of hacking Needs to challenge system and authority Derives significant self-esteem from victories Generally not destructive but may need to leave mark Hacks to show-off, off, impress peers More dangerous if part of hacker peer group 16

17 Hacker Subtype: Golden Parachuters Insert logic bombs or other system booby traps, which they are uniquely qualified to diffuse, in exchange for a generous consulting fee or severance package. Rarely reported Often more cost effective for company to pay off the employee 17

18 Exception View themselves as special, deserving of extraordinary recognition Consider themselves above the rules Often deflect blame to others and have a grandiose view of their importance beneath fragile self-esteem 18

19 Hacker Subtype: Proprietor Feels he/she owns system Entitled to special privileges Hacks to protect control of system Hacks to deter rivals May create problems only he can solve 19

20 Good Samaritan Hacks episodically to fulfill duties more effectively or responsibly Doesn t see violation Ends justify means May show-off, off save-the-day hack system to fix it in emergency situation copy files to save time Makes great rationale testing security 20

21 Machiavellian Covertly hacks to advance career, increase status, damage rival, establish future business (Intl Prop) consultant steals proprietary data subordinate frames boss employees destroy rival group s network card time bomb to establish consulting job program outages to facilitate t travel 21

22 Avenger Angry act in retaliation for real or perceived wrong Revenge Associated with termination, demotion, assignment changes, perceived setbacks Any group subject to disgruntlement 22

23 Career Thief Computer is tool for criminal scheme Pure anti-social version vs. disgruntled mixed breed lack of loyalty y to employer greater identification with profession 23

24 Mole Joins organization to commit espionage for the benefit of a company or foreign government Different from Avengers, who commit espionage out of revenge 24

25 A Typology of Malicious Acts Abuse/Fraud Extortion Sabotage Espionage 25

26 IT Fraud Risk Assessment Key Elements Types of frauds Inherent risk of fraud Existing controls Control gaps Likelihood Business impact

27 IT Fraud Risk Assessment - Example Business Owner- Fraud Risks Controls Preventive or Detective Monitoring Likelihood Impact IT - CIO Access to systems or data for personal gain. (Logical Access) Access to customers' or employees' personal information (e.g., credit card information, payroll information) Access to confidential company information (e.g., financial reporting, supplier data, strategic plans) Identity management (e.g. individual user IDs, automated password complexity rules, password rotation) Access controls Authentication controls Authorization controls Access control lists Network controls Both Information security System administrators Business owners Internal auditing Medium High Copying and use of software or data for distribution Anti-virus and patch management Restricted access to software code

28 Fraud Detection Using Data Analytics Why use data analysis? Analytical techniques Types of fraud tests Analyzing full data populations Fraud detection program strategies Fraud audit program components

29 Why Data Analytics? Internal control system weaknesses Examine 100% of transactions Compare data from different applications Perform tests designed for fraud detection and control verification Automate tests in high-risk areas Maintain logs of analytics performed

30 Fraud Audit Program Components Profile of potential fraud Test transactional data Implement continuous auditing and/or monitoring Review results of data testing Respond with recommendations

31 IT Fraud Risk Assessments Diversified Data Sources

32 IT Fraud Risk Assessments Analytical techniques Calculate statistical parameters Classify to find patterns Stratify to identify unusual values Digital it analysis, to identify unlikely occurrences Duplicates testing Gaps testing to identify missing data Summing and totaling to check control totals that may be falsified Graphing to provide visual identificationof of anomalous transactions Joining or matching data between systems

33 Application of Data Analytics in Fraud Detection Accounts Payable Accounts Receivable Cash Disbursements Conflict of Interest Credit Card Management Deposits General Ledger Kickbacks Loans Materials Management Inventory Control Purchase Order Management Loans Salaries and Payroll Claims Vendor Management Insurance claims li

34 Types of Fraud Tests - Examples Type Fictitious vendors Altered invoices Tests used Run checks to uncover post office boxes used as addresses and to find any matches between vendor and employee addresses and/or phone numbers. Search for duplicates. Check for invoice i amounts not matching thi contracts t or purchase order amounts. Duplicate invoices Duplicate payments Payroll fraud Source: U.S. Department of Justice, Computer Crime and Intellectual Property Section Review for duplicate invoice numbers, duplicate dates, and duplicate invoice amounts. Search for identical invoice numbers and payment amounts. Check whether a terminated employee is still on payroll by comparing the date of termination with the pay period covered by the paycheck, and extract all pay transactions for departure date less than the date of the current pay period.

35 Key considerations when testing for fraud 1. Build a profile of potential frauds to be tested 2. Analyze data for possible indicators of fraud 3. Automate the detection process through continuous auditing/monitoring of high-risk business functions to improve controls 4. Investigate t and drill down into emerging patterns 5. Expand scope and repeat as necessary 6. Report

36 Questions? Contact Info: Phone [email protected]