Category Archives: Cyber Fraud & Data Breaches

The Critical Twenty Percent

According to the Pareto Principle, for many phenomena, 80 percent of the consequences stem from 20 percent of the causes. Application of the principle to fraud prevention efforts related particularly to automated systems seems increasingly apropos given the deluge of intrusions, data thefts, worms and other attacks which continue unabated, with organizations of all kinds losing productivity, revenue and more customers every month. ACFE members report having asked the IT managers of numerous victimized organizations over the years what measures their organization took prior to an experienced fraud to secure their networks, systems, applications and data, and the answer has typically involved a combination of traditional perimeter protection solutions (such as firewalls, intrusion detection, antivirus and antispyware) together with patch management, business continuance strategies, and access control methods and policies. As much sense as these traditional steps make at first glance, they clearly aren’t proving sufficiently effective in preventing or even containing many of today’s most sophisticated attacks.

The ACFE has determined that not only are some organizations vastly better than the rest of their industries at preventing and responding to cyber-attacks, but also that the difference between these and other organizations’ effectiveness boils down to just a few foundational controls. And the most significant within these foundational controls are not rooted in standard forms of access control, but, surprisingly, in monitoring and managing change. It turns out that for the best performing organizations there are six important control categories – access, change, resolution, configuration, version release and service levels. There are performance measures involving each of the categories defining audit, operations and security performance measures. These include security effectiveness, audit compliance disruption levels, IT user satisfaction and unplanned work. By analyzing relationships between control objectives and corresponding performance indicators, numerous researchers have been able to differentiate which controls are actually most effective for consistently predictable service delivery, as well as for preventing and responding to security incidents and fraud related exploits.

Of the twenty-one most important foundational controls used by the most effective organizations at controlling intrusions, there were two used by virtually all of them. Both of these controls revolve around change management:

• Are systems monitored for unauthorized changes in real time?
• Are there defined consequences for intentional unauthorized changes?

These controls are supplemented by 1) a formal process for IT configuration management; 2) an automated process for configuration management; 3) a process to track change success rates (the percentage of changes that succeed without causing an incident, service outage or impairment); 4) a process that provides relevant personnel with correct and accurate information on all current IT infrastructure configurations. Researchers found that these top six controls help organizations manage risks and respond to security incidents by giving them the means to look forward, averting the riskiest changes before they happen, and to look backward, identifying definitively the source of outages, fraud associated abnormalities or service issues. Because they have a process that tracks and records all changes to their infrastructure and their associated success rates, the most effective organizations have a more informed understanding of their production environments and can rule out change as a cause very early in the incident response process. This means they can easily find the changes that caused the abnormal incident and remediate them quickly.

The organizations that are most successful in preventing and responding to fraud related security incidents are those that have mastered change management, thereby documenting and knowing the ‘normal’ state of their systems in the greatest possible detail. The organization must cultivate a ‘culture’ of change management and causality throughout, with zero tolerance for any unauthorized changes. As with any organizational culture, the culture of change management should start at the top, with leaders establishing a tone that all change must follow an explicit change management policy and process from the highest to the lowest levels of the organization, with zero tolerance for unauthorized change. These same executives should establish concrete, well-publicized consequences for violating change management procedures, with a clear, written change management policy. One of the components of an effective change management policy is the establishment of a governing body, such as a change advisory board that reviews and evaluates all changes for risk before approving them. This board reinforces the written policy, requiring mandatory testing for each and every change, and an explicit rollback plan for each in the case of an unexpected result.

ACFE studies stress that post-incident reviews are also crucial, so that the organization protects itself from repeating past mistakes. During these reviews, change owners should document their findings and work to integrate lessons learned into future anti-fraud operational practices.

Perhaps most important for responding to changes is having clear visibility into all change activities, not just those that are authorized. Automated controls that can maintain a change history reduce the risk of human error in managing and controlling the overall process.

So organizations that focus solely on access and reactive resolution controls at the expense of real time change management process controls are almost guaranteed, in today’s environment, to experience more security incidents, more damage from security incidents, and dramatically longer and less-effective resolution times. On the other hand, organizations that foster a culture of disciplined change management and causality, with full support from senior management, and have zero tolerance for unauthorized change and abnormalities, will have a superior security posture with fewer incidents, dramatically less damage to the business from security breaches and much faster identification and resolution of incidents when they happen.

In conducting a cyber-fraud post-mortem, CFEs and other assurance professionals should not fail to focus on strengthening controls related to reducing 1) the amount of overall time the IT department devotes to unplanned work; 2) a high volume of emergency system changes; and 3) the number and nature of a high volume of failed system changes. All these are red flags for cyber fraud risk and indicative of a low level of real time system knowledge on the part of the client organization.
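The two change controls described above (monitoring for unauthorized change and tracking change success rates) and the emergency-change and failed-change red flags can all be computed by reconciling what an integrity monitor observes against the approved change records. The following is an added example, not code from the ACFE or the original post; the record schema, file paths, ticket numbers and file contents are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

@dataclass(frozen=True)
class Change:                 # approved change record (hypothetical schema)
    ticket: str
    path: str
    start: datetime           # approved change window
    end: datetime
    approved_hash: str        # digest of the content that was reviewed and tested
    emergency: bool
    succeeded: bool           # False if it caused an incident, outage or impairment

@dataclass(frozen=True)
class Observed:               # one reading from an integrity monitor
    path: str
    seen_at: datetime
    sha256: str

def reconcile(baseline, changes, observations):
    """Return (unauthorized observations, updated baseline).

    Drift from the baseline is authorized only when a change record matches
    the path, the approved window and the approved content hash."""
    current, unauthorized = dict(baseline), []
    for obs in sorted(observations, key=lambda o: o.seen_at):
        if current.get(obs.path) == obs.sha256:
            continue                              # still the known 'normal' state
        approved = any(c.path == obs.path
                       and c.start <= obs.seen_at <= c.end
                       and c.approved_hash == obs.sha256 for c in changes)
        if approved:
            current[obs.path] = obs.sha256        # approved change is the new normal
        else:
            unauthorized.append(obs)
    return unauthorized, current

def change_metrics(changes):
    """Change success rate and emergency-change share over a set of records."""
    total = len(changes)
    if total == 0:
        return {"success_rate": None, "emergency_ratio": None, "failed": []}
    return {"success_rate": sum(c.succeeded for c in changes) / total,
            "emergency_ratio": sum(c.emergency for c in changes) / total,
            "failed": [c.ticket for c in changes if not c.succeeded]}

# ---- constructed sample data (paths, tickets and contents are made up) ----
def at(hour, minute=0):
    return datetime(2019, 3, 4, hour, minute)

SSHD, PAY = "/etc/ssh/sshd_config", "/opt/app/payments.conf"
BASELINE = {SSHD: digest(b"PermitRootLogin no\n"), PAY: digest(b"limit=5000\n")}
CHANGES = [
    Change("CHG-101", PAY, at(9), at(10), digest(b"limit=7500\n"), False, True),
    Change("CHG-102", SSHD, at(13), at(14), digest(b"MaxAuthTries 3\n"), True, False),
    Change("CHG-103", PAY, at(20), at(21), digest(b"limit=6000\n"), True, True),
    Change("CHG-104", "/opt/app/report.conf", at(15), at(16), digest(b"v2\n"), False, True),
]
OBSERVED = [
    Observed(PAY, at(9, 30), digest(b"limit=7500\n")),             # approved, in window
    Observed(PAY, at(11, 15), digest(b"limit=7500\n")),            # matches new baseline
    Observed(SSHD, at(13, 20), digest(b"PermitRootLogin yes\n")),  # in window, wrong content
    Observed(PAY, at(23, 40), digest(b"limit=6000\n")),            # right content, wrong time
]

if __name__ == "__main__":
    flagged, _ = reconcile(BASELINE, CHANGES, OBSERVED)
    for obs in flagged:
        print("UNAUTHORIZED", obs.seen_at.isoformat(), obs.path)
    print(change_metrics(CHANGES))
```

An open change window alone does not authorize a modification: the content observed must also be the content that was approved, which is why the third and fourth sample observations are both flagged.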

Taken Hostage

by Rumbi Petrozzello
2019 Vice President – Central Virginia ACFE Chapter

On March 22, 2018, I flew into the Atlanta Airport and stopped by the airport’s EMS offices to request an incident report. The gentleman who greeted me at the entrance to the offices was very kind and asked me to wait while he pulled up the details of the report for me. He called over to his coworker, who was sitting in front of a computer, and asked him for help. I heard the coworker clicking on his mouse a few times and then he said that his machine didn’t seem to be working. “It hasn’t been working all morning,” he added. The gentleman then gave me a phone number to call for assistance and apologized for not being more helpful. After I called the number, got voicemail and left a message, I became concerned because I was leaving the country the next day for a week and a half and so hoped that someone would get back to me that day.

Unfortunately, no one had called me back by the time I left. When I returned, I found no voicemail. I called again and left a message. A week after that, the airport EMS Chief returned my call with apologies for the delay – their computers had been down, and he was only now able to start getting back to people. Because I had been out of the country and not really following the news, it was only after a couple of months that I put two and two together. At that point I was working on Eye on Fraud, a publication of the AICPA’s Fraud Task Force. The edition was on Ransomware and as I looked at the information concerning Atlanta, I noticed the dates and realized that the day that I flew into Atlanta and visited the EMS office was the same day that the city of Atlanta was struck by a ransomware attack that crippled the city for over a week and resulted in costs to the city exceeding $2.6 million; a lot more than the $52,000 that was demanded in ransom by the attackers. In late November, two Iranians were indicted for the Atlanta and other attacks. The Atlanta ransomware attack featured many characteristics shared by such attacks, be they on individuals, companies, or governments.

Ransomware attacks have been a problem for decades; the first such documented attack took place in 1989. At that time the malicious code was delivered to victims’ computers via floppy disk and the whole exploit was very easy for victims to reverse. 2006 saw a big uptick in ransomware attacks and, today, ransomware is big business for individual cyber criminals and for organized gangs alike, earning them about a billion dollars in 2016.

Ransomware is a form of malware (malicious software), and works in one of two general ways:

1. Crypto-ransomware encrypts hard drives or files and folders.
2. Locker-ransomware locks users out of their machines, without employing encryption.

As time has gone on, ransomware has become more complex and ransomware attacks more sophisticated. One way in which cyber criminals break into computer systems is via human engineering. This can take the form of an email with a malicious attachment or a link to a compromised website. Cyber criminals also take advantage of known weaknesses in computer operating systems. The WannaCry ransomware, which swept the globe several years ago, took advantage of a flaw in Microsoft Windows. This underscores how essential it is to provide cyber training to employees and to update this training often. Employees must be taught to always be vigilant and on the lookout for such attacks, and to maintain awareness of how such threats are constantly changing and migrating. All it takes is a single employee lapse in judgment and attention for malware to get into a business’s computer system. It’s also essential to keep computers and software up to date with the latest patches. WannaCry was successful in part because Microsoft had discontinued its support of some versions of Windows, including for Windows XP and Windows Server 2003. The amount of money companies thought they were saving by continuing to use old unsupported software was dwarfed by the cost of recovery from malware attacks specifically targeting that software.

When CFEs and forensic accountants dialogue with clients about ransomware attack scenarios, we should remind them that cyber criminals are equal opportunity offenders when it comes to such exploits. Employees should be alert to this whether they are working on an employer’s machine or on a personal one. Ransomware has now made its way into the smartphone space, so employees should be made aware that heightened vigilance should extend even to their smartphones. CFEs should additionally work with clients to fund penetration and phishing tests to determine how effective staff training has been and to highlight areas for improvement.

Both individuals and companies should have a plan on how they will deal with a possible ransomware attack. A well-thought-out plan can minimize the effects of an attack and can also mean that the reaction to the attack is measured and not mounted on the basis of uncoordinated panic. For example, when LabCorp was attacked in July 2018, the company contained the spread of the malware in less than an hour. It’s, therefore, doubly important that we CFEs and forensic accountants work with IT specialists to formulate an advance plan in case of a ransomware, or other malware, attack.

Experts recommend that ransom should not be paid. Clients need to be made to understand that when their systems are taken hostage, they are dealing with criminals and criminals are, more often than not, not to be trusted. When the city of Leeds, Alabama, was attacked, the city paid the cyber criminals $12,000 in ransom. Despite making this payment, the hackers restored only a limited number of files. The city was then faced with the expenditure of additional funds in the attempt to recover or rebuild the remaining files. Sometimes hackers will disappear with ransom and restore nothing. In the face of this, companies and individuals should be encouraged to have backup and restoration plans. To be useful, backups must be made regularly and kept physically separate from the machine or network being protected. The recovery plan should be tested at least annually.

Ransomware exploits are not going away any time soon. Ransomware attacks are a way to get money, not only through the ransom demanded itself but also through access to other sensitive information belonging to employees and clients. Often the hacker will demand a nominal amount in ransom and sell the information stolen by access to the company’s network for a lot more.

We, as CFEs and forensic accountants, can help our clients address the ballooning threat in a number of ways:

• by performing risk assessments of clients’ systems and processes, to identify weaknesses and areas for control improvement.
• by providing staff training on security best practices. This training should be updated at least once a year; in addition to updating staff on changes, this will also serve to remind employees to be vigilant. This training must include everyone in a company, even top management and the board.
• by reminding clients to keep software up to date and to consider upgrades or total changes when an application is no longer supported. Encourage management to have software updates automated on employees’ machines.
• by working with clients to create a backup and recovery system that features off-site backups. This program should be tested regularly, and backups should be reviewed to ensure their integrity.
• by working with IT and third-party vendors on annual penetration and social engineering testing at client locations. The third-party vendors used should be rotated every three years.

CSO Online predicts that ransomware attacks will rise to one every 14 seconds by the end of 2019. We CFEs and forensic accountants should work with our clients to innovate effective ways to protect themselves and to mitigate the effects of the future attacks that certainly will occur. The key is to ensure that clients remain educated, vigilant and prepared.

Fraud Prevention Oriented Data Mining

One of the most useful components of our Chapter’s recently completed two-day seminar on Cyber Fraud & Data Breaches was our speaker, Cary Moore’s, observations on the fraud fighting potential of management’s creative use of data mining. For CFEs and forensic accountants, the benefits of data mining go much deeper than as just a tool to help our clients combat traditional fraud, waste and abuse. In its simplest form, data mining provides automated, continuous feedback to ensure that systems and anti-fraud related internal controls operate as intended and that transactions are processed in accordance with policies, laws and regulations. It can also provide our client managements with timely information that can permit a shift from traditional retrospective/detective activities to the proactive/preventive activities so important to today’s concept of what effective fraud prevention should be. Data mining can put the organization out front of potential fraud vulnerability problems, giving it an opportunity to act to avoid or mitigate the impact of negative events or financial irregularities.

Data mining tests can produce “red flags” that help identify the root cause of problems and allow actionable enhancements to systems, processes and internal controls that address systemic weaknesses. Applied appropriately, data mining tools enable organizations to realize important benefits, such as cost optimization, adoption of less costly business models, improved program, contract and payment management, and process hardening for fraud prevention.

In its most complex, modern form, data mining can be used to:

–Inform decision-making
–Provide predictive intelligence and trend analysis
–Support mission performance
–Improve governance capabilities, especially dynamic risk assessment
–Enhance oversight and transparency by targeting areas of highest value or fraud risk for increased scrutiny
–Reduce costs especially for areas that represent lower risk of irregularities
–Improve operating performance

Cary emphasized that leading, successful organizational implementers have tended to take a measured approach initially when embarking on a fraud prevention-oriented data mining initiative, starting small and focusing on particular “pain points” or areas of opportunity to tackle first, such as whether only eligible recipients are receiving program funds or targeting business processes that have previously experienced actual frauds. Through this approach, organizations can deliver quick wins to demonstrate an early return on investment and then build upon that success as they move to more sophisticated data mining applications.

So, according to ACFE guidance, what are the ingredients of a successful data mining program oriented toward fraud prevention? There are several steps, which should be helpful to any organization in setting up such an effort with fraud, waste, abuse identification/prevention in mind:

–Avoid problems by adopting commonly used data mining approaches and related tools.

This is essentially a cultural transformation for any organization that has either not understood the value these tools can bring or has viewed their implementation as someone else’s responsibility. Given the cyber fraud and breach related challenges faced by all types of organizations today, it should be easier for fraud examiners and forensic accountants to convince management of the need to use these tools to prevent problems and to improve the ability to focus on cost-effective means of better controlling fraud-related vulnerabilities.

–Understand the potential that data mining provides to the organization to support day to day management of fraud risk and strategic fraud prevention.

Understanding both the value of data mining and how to use the results is at the heart of effectively leveraging these tools. The CEO and corporate counsel can play an important educational and support role for a program that must ultimately be owned by line managers who have responsibility for their own programs and operations.

–Adopt a version of an enterprise risk management program (ERM) that includes a consideration of fraud risk.

An organization must thoroughly understand its risks and establish a risk appetite across the enterprise. In this way, it can focus on those areas of highest value to the organization. An organization should take stock of its risks and ask itself fundamental questions, such as:

-What do we lose sleep over?
-What do we not want to hear about us on the evening news or read about in the print media or on a blog?
-What do we want to make sure happens and happens well?

Data mining can be an integral part of an overall program for enterprise risk management. Both are premised on establishing a risk appetite and incorporating a governance and reporting framework. This framework in turn helps ensure that day-to-day decisions are made in line with the risk appetite, and are supported by data needed to monitor, manage and alleviate risk to an acceptable level. The monitoring capabilities of data mining are fundamental to managing risk and focusing on issues of importance to the organization. The application of ERM concepts can provide a framework within which to anchor a fraud prevention program supported by effective data mining.

–Determine how your client is going to use the data mined information in managing the enterprise and safeguarding enterprise assets from fraud, waste and abuse.

Once an organization is on top of the data, using it effectively becomes paramount and should be considered as the information requirements are being developed. As Cary pointed out, getting the right data has been cited as being the top challenge by 20 percent of ACFE surveyed respondents, whereas 40 percent said the top challenge was the “lack of understanding of how to use analytics”. Developing a shared understanding so that everyone is on the same page is critical to success.

–Keep building and enhancing the application of data mining tools.

As indicated above, a tried and true approach is to begin with the lower hanging fruit, something that will get your client started and will provide an opportunity to learn on a smaller scale. The experience gained will help enable the expansion and the enhancement of data mining tools. While this may be done gradually, it should be a priority and not viewed as the “management reform initiative of the day”. There should be a clear game plan for building data mining capabilities into the fiber of management’s fraud and breach prevention effort.

–Use data mining as a tool for accountability and compliance with the fraud prevention program.

It is important to hold managers accountable not only for helping institute robust data mining programs, but also for the results of these programs. Has the client developed performance measures that clearly demonstrate the results of using these tools? Do they reward those managers who are in the forefront in implementing these tools? Do they make it clear to those who don’t that their resistance or hesitation is not acceptable?

–View this as a continuous process and not a “one and done” exercise.

Risks change over time. Fraudsters are always adjusting their targets and moving to exploit new and emerging weaknesses. They follow the money. Technology will continue to evolve, and it will introduce both new risks and new opportunities and tools for management. This client management effort to protect against dangers and rectify errors is one that never ends, but also one that can pay benefits in preventing or managing cyber-attacks and breaches that far outweigh the costs if effectively and efficiently implemented.

In conclusion, the stark realities of today’s cyber related challenges at all levels of business, private and public, and the need to address ever rising service delivery expectations have raised the stakes for managing the cost of doing business and conducting the on-going war against fraud, waste and abuse. Today’s client-managers should want to be on top of problems before they become significant, and the strategic use of data mining tools can help them manage and protect their enterprises whilst saving money…a win/win opportunity for the client and for the CFE.