Category Archives: Cyber-Security

Analytic Reinforcements

Rumbi’s post of last week on ransomware got me thinking on a long drive back from Washington about what an excellent tool the AICPA’s new Cybersecurity Risk Management Reporting Framework is, not only for CPAs but for CFEs as well as for all our client organizations. As the seemingly relentless wave of cyberattacks continues with no sign of let up, organizations are under intense pressure from key stakeholders and regulators to implement and enhance their cyber security and fraud prevention programs to protect customers, employees and all the types of valuable information in their possession.

According to research from the ACFE, the average total cost per company, per event of a data breach is $3.62 million. Initial damage estimates of a single breach, while often staggering, may not take into account less obvious and often undetectable threats such as the theft of intellectual property, espionage, destruction of data, attacks on core operations or attempts to disable critical infrastructure. These effects can knock on for years and have devastating financial, operational and brand impact ramifications.

Given the present broad regulatory pressures to tighten cyber security controls and the visibility surrounding cyberrisk, a number of proposed regulations focused on improving cyber security risk management programs have been introduced in the United States over the past few years by our various governing bodies. One of the more prominent is a regulation by the New York Department of Financial Services (NYDFS) that prescribes certain minimum cyber security standards for those entities regulated by the NYDFS. Based on an entity’s risk assessment, the NYDFS law has specific requirements around data encryption and including data protection and retention, third-party information security, application security, incident response and breach notification, board reporting, and required annual re-certifications.

However, organizations continue to report to the ACFE regarding their struggle to systematically report to stakeholders on the overall effectiveness of their cyber security risk management programs. In response, the AICPA in April of last year released a new cyber security risk management reporting framework intended to help organizations expand cyberrisk reporting to a broad range of internal and external users, to include management and the board of directors. The AICPA’s new reporting framework is designed to address the need for greater stakeholder transparency by providing in-depth, easily consumable information about the state of an organization’s cyberrisk management program. The cyber security risk management examination uses an independent, objective reporting approach and employs broader and more flexible criteria. For example, it allows for the selection and utilization of any control framework considered suitable and available in establishing the entity’s basic cyber security objectives and in developing and maintaining controls within the entity’s cyber security risk management program irregardless of whether the standard is the US National Institute of Standards and Technology (NIST)’s Cybersecurity Framework, the International Organization for standardization (ISO)’s ISO 27001/2 and related frameworks, or even an internally developed framework based on a combination of sources. The examination is voluntary, and applies to all types of entities, but should be considered by CFEs as a leading practice that provides management, boards and other key stakeholders with clear insight into the current state of an organization’s cyber security program while identifying gaps or pitfalls that leave organizations vulnerable to cyber fraud and other intrusions.

What stakeholders might benefit from a client organization’s cyber security risk management examination report? Clearly, we CFEs as we go about our routine fraud risk assessments; but such a report, most importantly, can be vital in helping an organization’s board of directors establish appropriate oversight of a company’s cyber security risk program and credibly communicate its effectiveness to stakeholders, including investors, analysts, customers, business partners and regulators. By leveraging this information, boards can challenge management’s assertions around the effectiveness of their cyberrisk management and fraud prevention programs and drive more effective decision making. Active involvement and oversight from the board can help ensure that an organization is paying adequate attention to cyberrisk management and displaying due diligence. The board can help shape expectations for reporting on cyberthreats while also advocating for greater transparency and assurance around the effectiveness of the program.

The cyber security risk management report in its initial and follow-up iterations can be invaluable in providing overview guidance to CFEs and forensic accountants in targeting both fraud prevention and fraud detection/investigative analytics. We know from our ACFE training that data analytics need to be fully integrated into the investigative process. Ensuring that data analytics are embedded in the detection/investigative process requires support from all levels, starting with the managing CFE. It will be an easier, more coherent process for management to support such a process if management is already supporting cyber security risk management reporting. Management will also have an easier time reinforcing the use of analytics generally, although the data analytics function supporting fraud examination will still have to market its services, team leaders will still be challenged by management, and team members will still have to be trained to effectively employ the newer analytical tools.

The presence of a robust cyber security risk management reporting process should also prove of assistance to the lead CFE in establishing goals for the implementation and use of data analytics in every investigation, and these goals should be communicated to the entire investigative team. It should be made clear to every level of the client organization that data analytics will support the investigative planning process for every detected fraud. The identification of business processes, IT systems, data sources, and potential analytic routines should be discussed and considered not only during planning, but also throughout every stage of the entire investigative engagement. Key in obtaining the buy-in of all is to include investigative team members in identifying areas or tests that the analytics group will target in support of the field work. Initially, it will be important to highlight success stories and educate managers and team leaders about what is possible. Improving on the traditional investigative approach of document review, interviewing, transaction review, etc. investigators can benefit from the implementation of data analytics to allow for more precise identification of the control deficiencies, instances of noncompliance with policies and procedures, and mis-assessment of areas of high risk that contributed to the development of the fraud in the first place. These same analytics can then be used to ensure that appropriate post-fraud management follow-up has occurred by elevating the identified deficiencies to the cyber security risk management reporting process and by implementing enhanced fraud prevention procedures in areas of higher fraud risk. This process would be especially useful in responding to and following up data breaches.

Once patterns are gathered and centralized, analytics can be employed to measure the frequency of occurrence, the bit sizes, the quantity of files executed and average time of use. The math involved allows an examiner to grasp the big picture. Individuals, including examiners, are normally overwhelmed by the sheer volume of information, but automation of pattern recognizing techniques makes big data a tractable investigative resource. The larger the sample size, the easier it is to determine patterns of normal and abnormal behavior. Network haystacks are bombarded by algorithms that can notify the CFE information archeologist about the probes of an insider threat for example.

Without analytics, enterprise-level fraud examination and risk assessment is a diminished discipline, limited in scope and effectiveness. Without an educated investigative workforce, armed with a programing language for automation and an accompanying data-mining philosophy and skill set, the control needs of management leaders at the enterprise level will go unmet; leaders will not have the data needed for fraud prevention on a large scale nor a workforce that is capable of getting them that data in the emergency following a breach or penetration.

The beauty of analytics, from a security and fraud prevention perspective, is that it allows the investigative efforts of the CFE to align with the critical functions of corporate business. It can be used to discover recurring risks, incidents and common trends that might otherwise have been missed. Establishing numerical baselines on quantified data can supplement a normal investigator’s tasks and enhance the auditor’s ability to see beneath the surface of what is presented in an examination. Good communication of analyzed data gives decision makers a better view of their systems through a holistic approach, which can aid in the creation of enterprise-level goals. Analytics and data mining always add dimension and depth to the CFE’s examination process at the enterprise level and dovetail with and are supported beautifully by the AICPA’s cyber security risk management reporting initiative.

CFEs should encourage the staffs of client analytics support functions to possess …

–understanding of the employing enterprise’s data concepts (data elements, record types, database types, and data file formats).
–understanding of logical and physical database structures.
–the ability to communicate effectively with IT and related functions to achieve efficient data acquisition and analysis.
–the ability to perform ad hoc data analysis as required to meet specific fraud examiner and fraud prevention objectives.
–the ability to design, build, and maintain well-documented, ongoing automated data analysis routines.
–the ability to provide consultative assistance to others who are involved in the application of analytics.

Taken Hostage

by Rumbi Petrozzello
2019 Vice President – Central Virginia ACFE Chapter

On March 22, 2018, I flew into the Atlanta Airport and stopped by the airport’s EMS offices to request an incident report. The gentleman who greeted me at the entrance to the offices was very kind and asked me to wait while he pulled up the details of the report for me. He called over to his coworker, who was sitting in front of a computer, and asked him for help. I heard the coworker clicking on his mouse a few times and then he said that his machine didn’t seem to be working. “It hasn’t been working all morning,” he added. The gentleman then gave me a phone number to call for assistance and apologized for not being more helpful. After I called the number, got voicemail and left a message, I became concerned because I was leaving the country the next day for a week and a half and so hoped that someone would get back to me that day.

Unfortunately, no one had called me back by the time I left. When I returned, I found no voicemail. I called again and left a message. A week after that, the airport EMS Chief returned my call with apologies for the delay – their computers had been down, and he was only now able to start getting back to people. Because I had been out of the country and not really following the news, it was only after a couple of months that I put two and two together. At that point I was working on Eye on Fraud, a publication of the AICPA’s Fraud Task Force. The edition was on Ransomware and as I looked at the information concerning Atlanta, I noticed the dates and realized that the day that I flew into Atlanta and visited the EMS office was the same day that the city of Atlanta was struck by a ransomware attack that crippled the city for over a week and resulted in costs to the city exceeding $2.6 million; a lot more than the $52,000 that was demanded in ransom by the attackers. In late November, two Iranians were indicted for the Atlanta and other attacks. The Atlanta ransomware attack featured many characteristics shared by such attacks, be they on individuals, companies, or governments.

Ransomware attacks have been a problem for decades; the first such documented attack took place in 1989. At that time the malicious code was delivered to victims’ computers via floppy disk and the whole exploit was very easy for victims to reverse. 2006 saw a big uptick in ransomware attacks and, today, ransomware is big business for individual cyber criminals and for organized gangs alike, earning them about a billion dollars in 2016.

Ransomware is a form of malware (malicious software), and works in one of two general ways:

1. Crypto-ransomware encrypts hard drives or files and folders.
2. Locker-ransomware locks users out of their machines, without employing encryption.

As time has gone on, ransomware has become more complex and ransomware attacks more sophisticated. One way in which cyber criminals break into computer systems is via human engineering. This can take the form of an email with a malicious attachment or a link to a compromised website. Cyber criminals also take advantage of known weaknesses in computer operating systems. The WannaCry ransomware, which swept the globe several years ago, took advantage of a flaw in Microsoft Windows. This underscores how essential it is to provide cyber training to employees and to update this training often. Employees must be taught to always be vigilant and on the lookout for such attacks, and to maintain awareness of how such threats are constantly changing and migrating. All it takes is a single employee lapse in judgment and attention for malware to get into a business’s computer system. It’s also essential to keep computers and software up to date with the latest patches. WannaCry was successful in part because Microsoft had discontinued its support of some versions of Windows, including for Windows XP and Windows Server 2003. The amount of money companies thought they were saving by continuing to use old unsupported software was dwarfed by the cost of recovery from malware attacks specifically targeting that software.

When CFEs and forensic accountants dialogue with clients about ransomware attack scenarios, we should remind them that cyber criminals are equal opportunity offenders when it comes to such exploits. Employees should be alert to this whether they are working on an employer’s machine or on a personal one. Ransomware has now made its way into the smartphone space, so employees should be made aware that heightened vigilance should extend even to their smartphones. CFEs should additionally work with clients to fund penetration and phishing tests to determine how effective staff training has been and to highlight areas for improvement.

Both individuals and companies should have a plan on how they will deal with a possible ransomware attack. A well-thought out plan can minimize the effects of an attack and can also mean that the reaction to the attack is measured and not mounted on the basis of uncoordinated panic. For example, when LabCorp was attacked in July 2018, the company contained the spread of the malware in less than an hour. Its, therefore, doubly important that we CFEs and forensic accountants work with IT specialists to formulate an advance plan in case of a ransomware or other malware, attack.

Experts recommend that ransom should not be paid. Clients need to be made to understand that when their systems are taken hostage, they are dealing with criminals and criminals are, more often than not, not to be trusted. When the city of Leeds, Alabama, was attacked, the city paid the cyber criminals $12,000 in ransom. Despite making this payment, the hackers restored only a limited number of files. The city was then faced with the expenditure of additional funds in the attempt to recover or rebuild the remaining files. Sometimes hackers will disappear with ransom and restore nothing. In the face of this, companies and individuals should be encouraged to have back up and restoration plans. To be useful, backups must be made regularly and kept physically separate from the machine or network being protected. The recovery plan should be tested at least annually.

Ransomware exploits are not going away any time soon. Ransomware attacks are a way to get money, not only through the ransom demanded itself but also through access to other sensitive information belonging to employees and clients. Often the hacker will demand a nominal amount in ransom and sell the information stolen by access to the company’s network for a lot more.

We, as CFEs and forensic accountants, can help our client address the ballooning threat in a number of ways:

• by performing a risk assessments of clients’ systems and processes, to identify weaknesses and areas for control improvement.
• by providing staff training on security best practices. This training should be updated at least once a year; in addition to updating staff on changes, this will also serve to remind employees to be vigilant. This training must include everyone in a company, even top management and the board.
• by reminding clients to keep software up to date and to consider upgrades or total changes when an application is no longer supported. Encourage management to have software updates automated on employees’ machines.
• by working with clients to create a backup and recovery system, that features off-site backups. This program should be tested regularly, and backups should be reviewed to ensure their integrity.
• by working with IT and third-party vendors on annual penetration and social engineering testing at client locations. The third-party vendors used should be rotated ever three years.

CSO Online predicts that ransomware attacks will rise to one every 14 seconds by the end of 2019. We CFEs and forensic accountants should work with our clients to innovate effective ways to protect themselves and to mitigate the effects of the future attacks that certainly will occur. The key is to ensure that clients remain educated, vigilant and prepared.

Targeting the Blockchain

Both the blockchain and its digital engineering support structures underlying the digital currencies that are fast becoming the financial and transactional media of choice for the nefarious, are now increasingly finding themselves under various modes of fraudster attack.

Bitcoins, the most familiar blockchain application, were invented in 2009 by a mysterious person (or group of people) using the alias Satoshi Nakamoto, and the coins are created or ‘mined’ by solving increasingly difficult mathematical equations, requiring extensive computing power. The system is designed to ensure no more than twenty-one million Bitcoins are ever generated, thereby preventing a central authority from flooding the market with new Bitcoins. Most Bitcoins are purchased on third-party exchanges with traditional currencies, such as dollars or euros, or with credit cards. The exchange rates against the dollar for Bitcoin fluctuate wildly and have ranged from fifty cents per coin around the time of its introduction to over $1,240 in 2013 to around $600 today.

The whole point of using a blockchain is to let people, in particular, people who don’t trust one another, share valuable data in a secure, tamper-proof way. That’s because blockchains store data using sophisticated math and innovative software rules that are extremely difficult for attackers to manipulate. But as cases like the Mount Gox Bitcoin hack demonstrate, the security of even the best designed blockchain and associated support systems can fail in places where the fancy math and software rules come into contact with humans; humans who are skilled fraudsters, in the real world, where things quickly get messy. For CFEs to understand why, start with what makes blockchains “secure” in principle. Bitcoin is a good example. In Bitcoin’s blockchain, the shared data is the history of every Bitcoin transaction ever made: it’s a plain old accounting ledger. The ledger is stored in multiple copies on a network of computers, called “nodes:’ Each time someone submits a transaction to the ledger, the nodes check to make sure the transaction is valid, that whoever spent a bitcoin had a bitcoin to spend. A subset of the nodes competes to package valid transactions into “blocks” and add them to a chain of previous blocks. The owners of these nodes are called miners. Miners who successfully add new blocks to the chain earn bitcoins as a reward.

What makes this system theoretically tamperproof is two things: a cryptographic fingerprint unique to each block, and a consensus protocol, the process by which the nodes in the network agree on a shared history. The fingerprint, called a hash, takes a lot of computing time and energy to generate initially. It thus serves as proof that the miner who added the block to the blockchain did the computational work to earn a bitcoin reward (for this reason, Bitcoin is said to employ a proof-of-work protocol). It also serves as a kind of seal, since altering the block would require generating a new hash. Verifying whether or not the hash matches its block, however, is easy, and once the nodes have done so they update their respective copies of the blockchain with the new block. This is the consensus protocol.

The final security element is that the hashes also serve as the links in the blockchain: each block includes the previous block’s unique hash. So, if you want to change an entry in the ledger retroactively, you have to calculate a new hash not only for the block it’s in but also for every subsequent block. And you have to do this faster than the other nodes can add new blocks to the chain. Consequently, unless you have computers that are more powerful than the rest of the nodes combined (and even then, success isn’t guaranteed), any blocks you add will conflict with existing ones, and the other nodes will automatically reject your alterations. This is what makes the blockchain tamperproof, or immutable.

The reality, as experts are increasingly pointing out, is that implementing blockchain theory in actual practice is difficult. The mere fact that a system works like Bitcoin, as many copycat cryptocurrencies do, doesn’t mean it’s just as secure as Bitcoin. Even when developers use tried and true cryptographic tools, it’s easy to accidentally put them together in ways that are not secure. Bitcoin has been around the longest, so it’s just the most thoroughly battle-tested.

As the ACFE and others have indicated, fraudsters have also found creative ways to cheat. Its been shown that there is a way to subvert a blockchain even if you have less than half the mining power of the other miners. The details are somewhat technical, but essentially a “selfish miner” can gain an unfair advantage by fooling other nodes into wasting time on already-solved crypto-puzzles.

The point is that no matter how tamperproof a blockchain protocol is, it does not exist in a vacuum. The cryptocurrency hacks driving recent headlines are usually failures at places where blockchain systems connect with the real world, for example, in software clients and third-party applications. Hackers can, for instance, break into hot wallets, internet-connected applications for storing the private cryptographic keys that anyone who owns cryptocurrency requires in order to spend it. Wallets owned by online cryptocurrency exchanges have become prime targets. Many exchanges claim they keep most of their users’ money in cold hardware wallets, storage devices disconnected from the internet. But as the recent heist of more than $500 million worth of cryptocurrency from a Japan based exchange showed, that’s not always the case.

Perhaps the most complicated touchpoints between blockchains and the real world are smart contracts, which are computer programs stored in certain kinds of blockchain that can automate financial and other contract related business transactions. Several years ago, hackers exploited an unforeseen quirk in a smart contract written on Ethereum’s blockchain to steal 3.6 million Ether, worth around $80 million at the time from a new kind of blockchain-based investment fund. Since the investment fund’s code lived on the blockchain, the Ethereum community had to push a controversial software upgrade called a hard fork to get the money back, essentially creating a new version of history in which the money was never stolen. According to a number of experts, researchers are scrambling to develop other methods for ensuring that smart contracts won’t malfunction.

An important supposed security guarantee of a blockchain system is decentralization. If copies of the blockchain are kept on a large and widely distributed network of nodes, there’s no one weak point to attack, and it’s hard for anyone to build up enough computing power to subvert the network. But recent reports in the trade press indicate that neither Bitcoin nor Ethereum is as decentralized as the public has been led to believe. The reports indicate that the top four bitcoin-mining operations had more than 53 percent of the system’s average mining capacity per week. By the same measure, three Ethereum miners accounted for 61 percent of Ethereum transactions.

Some experts say alternative consensus protocols, perhaps ones that don’t rely on mining, could be more secure. But this hypothesis hasn’t been tested at a large scale, and new protocols would likely have their own security problems. Others see potential in blockchains that require permission to join, unlike in Bitcoin’s case, where anyone who downloads the software can join the network.

Such consensus systems are anathema to the antihierarchical ethos of cryptocurrencies, but the approach appeals to financial and other institutions looking to exploit the advantages of a shared cryptographic database. Permissioned systems, however, raise their own questions. Who has the authority to grant permission? How will the system ensure that the validators are who they say they are? A permissioned system may make its owners feel more secure, but it really just gives them more control, which means they can make changes whether or not other network participants agree, something true believers would see as violating the very idea of blockchain.

So, in the end, for CFEs, the word ‘secure’ ends up being very hard to define in the context of blockchains. Secure from whom? Secure for what?

A final thought for CFEs and forensic accountants. There are no real names stored on the Bitcoin blockchain, but it records every transaction made by your user client; every time the currency is used the user risks exposing information that can tie his or her identity to those actions. It is known from documents leaked by Edward Snowden that the US National Security Agency has sought ways of connecting activity on the Bitcoin blockchain to people in the physical world. Should governments seek to create and enforce blacklists, they will find that the power to decide which transactions to honor may lie in the hands of just a few Bitcoin miners.

Fraud Prevention Oriented Data Mining

One of the most useful components of our Chapter’s recently completed two-day seminar on Cyber Fraud & Data Breaches was our speaker, Cary Moore’s, observations on the fraud fighting potential of management’s creative use of data mining. For CFEs and forensic accountants, the benefits of data mining go much deeper than as just a tool to help our clients combat traditional fraud, waste and abuse. In its simplest form, data mining provides automated, continuous feedback to ensure that systems and anti-fraud related internal controls operate as intended and that transactions are processed in accordance with policies, laws and regulations. It can also provide our client managements with timely information that can permit a shift from traditional retrospective/detective activities to the proactive/preventive activities so important to today’s concept of what effective fraud prevention should be. Data mining can put the organization out front of potential fraud vulnerability problems, giving it an opportunity to act to avoid or mitigate the impact of negative events or financial irregularities.

Data mining tests can produce “red flags” that help identify the root cause of problems and allow actionable enhancements to systems, processes and internal controls that address systemic weaknesses. Applied appropriately, data mining tools enable organizations to realize important benefits, such as cost optimization, adoption of less costly business models, improved program, contract and payment management, and process hardening for fraud prevention.

In its most complex, modern form, data mining can be used to:

–Inform decision-making
–Provide predictive intelligence and trend analysis
–Support mission performance
–Improve governance capabilities, especially dynamic risk assessment
–Enhance oversight and transparency by targeting areas of highest value or fraud risk for increased scrutiny
–Reduce costs especially for areas that represent lower risk of irregularities
–Improve operating performance

Cary emphasized that leading, successful organizational implementers have tended to take a measured approach initially when embarking on a fraud prevention-oriented data mining initiative, starting small and focusing on particular “pain points” or areas of opportunity to tackle first, such as whether only eligible recipients are receiving program funds or targeting business processes that have previously experienced actual frauds. Through this approach, organizations can deliver quick wins to demonstrate an early return on investment and then build upon that success as they move to more sophisticated data mining applications.

So, according to ACFE guidance, what are the ingredients of a successful data mining program oriented toward fraud prevention? There are several steps, which should be helpful to any organization in setting up such an effort with fraud, waste, abuse identification/prevention in mind:

–Avoid problems by adopting commonly used data mining approaches and related tools.

This is essentially a cultural transformation for any organization that has either not understood the value these tools can bring or has viewed their implementation as someone else’s responsibility. Given the cyber fraud and breach related challenges faced by all types of organizations today, it should be easier for fraud examiners and forensic accountants to convince management of the need to use these tools to prevent problems and to improve the ability to focus on cost-effective means of better controlling fraud -related vulnerabilities.

–Understand the potential that data mining provides to the organization to support day to day management of fraud risk and strategic fraud prevention.

Understanding, both the value of data mining and how to use the results, is at the heart of effectively leveraging these tools. The CEO and corporate counsel can play an important educational and support role for a program that must ultimately be owned by line managers who have responsibility for their own programs and operations.

–Adopt a version of an enterprise risk management program (ERM) that includes a consideration of fraud risk.

An organization must thoroughly understand its risks and establish a risk appetite across the enterprise. In this way, it can focus on those area of highest value to the organization. An organization should take stock of its risks and ask itself fundamental questions, such as:

-What do we lose sleep over?
-What do we not want to hear about us on the evening news or read about in the print media or on a blog?
-What do we want to make sure happens and happens well?

Data mining can be an integral part of an overall program for enterprise risk management. Both are premised on establishing a risk appetite and incorporating a governance and reporting framework. This framework in turn helps ensure that day-to-day decisions are made in line with the risk appetite, and are supported by data needed to monitor, manage and alleviate risk to an acceptable level. The monitoring capabilities of data mining are fundamental to managing risk and focusing on issues of importance to the organization. The application of ERM concepts can provide a framework within which to anchor a fraud prevention program supported by effective data mining.

–Determine how your client is going to use the data mined information in managing the enterprise and safeguarding enterprise assets from fraud, waste and abuse.

Once an organization is on top of the data, using it effectively becomes paramount and should be considered as the information requirements are being developed. As Cary pointed out, getting the right data has been cited as being the top challenge by 20 percent of ACFE surveyed respondents, whereas 40 percent said the top challenge was the “lack of understanding of how to use analytics”. Developing a shared understanding so that everyone is on the same page is critical to success.

–Keep building and enhancing the application of data mining tools.

As indicated above, a tried and true approach is to begin with the lower hanging fruit, something that will get your client started and will provide an opportunity to learn on a smaller scale. The experience gained will help enable the expansion and the enhancement of data mining tools. While this may be done gradually, it should be a priority and not viewed as the “management reform initiative of the day. There should be a clear game plan for building data mining capabilities into the fiber of management’s fraud and breach prevention effort.

–Use data mining as a tool for accountability and compliance with the fraud prevention program.

It is important to hold managers accountable for not only helping institute robust data mining programs, but for the results of these programs. Has the client developed performance measures that clearly demonstrate the results of using these tools? Do they reward those managers who are in the forefront in implementing these tools? Do they make it clear to those who don’t that their resistance or hesitation are not acceptable?

–View this as a continuous process and not a “one and done” exercise.

Risks change over time. Fraudsters are always adjusting their targets and moving to exploit new and emerging weaknesses. They follow the money. Technology will continue to evolve, and it will both introduce new risks but also new opportunities and tools for management. This client management effort to protect against dangers and rectify errors is one that never ends, but also one that can pay benefits in preventing or managing cyber-attacks and breaches that far outweigh the costs if effectively and efficiently implemented.

In conclusion, the stark realities of today’s cyber related challenges at all levels of business, private and public, and the need to address ever rising service delivery expectations have raised the stakes for managing the cost of doing business and conducting the on-going war against fraud, waste and abuse. Today’s client-managers should want to be on top of problems before they become significant, and the strategic use of data mining tools can help them manage and protect their enterprises whilst saving money…a win/win opportunity for the client and for the CFE.

Every Seat Taken!

Our Chapter’s thanks to all our attendees and to our partners, the Virginia State Police and national ACFE for the unqualified success of our May training event, Cyberfraud and Data Breaches! Our speaker, Cary Moore, CFE, CISSP, conducted a fully interactive, two-day session on one of the most challenging and relevant topics confronting practicing fraud examiners and forensic accountants today.

The event examined the potential avenues of data loss and guided attendees through the crucial strategies needed to mitigate the threat of malicious data theft and the risk of inadvertent data loss, recognizing that information is a valuable asset, and that management must take proactive steps to protect the organization’s intellectual property. As Cary forcefully pointed out, the worth of businesses is no longer based solely on tangible assets and revenue-making potential; the information the organization develops, stores, and collects accounts for a large share of its value.

A data breach occurs when there is a loss or theft of, or unauthorized access to, proprietary information that could result in compromising the data. It is essential that management understand the crisis its organization might face if its information is lost or stolen. Data breaches incur not only high financial costs but can also have a lasting negative effect on an organization’s brand and reputation.

Protecting information assets is especially important because the threats to such assets are on the rise, and the cost of a data breach increases with the number of compromised records. According to a 2017 study by the Ponemon Institute, data breaches involving fewer than 10,000 records caused an average loss of $1.9 million, while beaches with more than 50,000 compromised records caused an average loss of $6.3 million. However, before determining how to protect information assets, it is important to understand the nature of these assets and the many methods by which they can be breached.

Intellectual property is a catchall phrase for knowledge-based assets and capital, but it’s helpful to think of it as intangible proprietary information. Intellectual property (IP) is protected by law. IP law grants certain exclusive rights to owners of a variety of intangible assets. These rights incentivize individuals, company leaders, and investors to allocate the requisite resources to research, develop, and market original technology and creative works.

A trade secret is any idea or information that gives its owner an advantage over its competitors. Trade secrets are particularly susceptible to theft because they provide a competitive advantage. What constitutes a trade secret, however, depends on the organization, industry, and jurisdiction, but generally, to be classified as a trade secret, information must:

• Be secret: The information is not generally known to the relevant portion of the public.
• Confer some sort of economic benefit on its holder: The idea or information must give its owner an advantage over its competitors. The benefit conferred from the information, however, must stem from not being generally known, not just from the value of the information itself. The best test for determining what is confidential information is to determine whether the information would provide an advantage to the competition.
• Be the subject of reasonable efforts to maintain its secrecy: The owner must take reasonable steps to protect its trade secrets from disclosure. That is, a piece of information will not receive protection as a trade secret if the owner does not take adequate steps to protect it from disclosure.

Cary presented in-depth information on the various types of threats to data security including:

–Insiders
–Hackers
–Competitors
–Organized criminal groups
–Government-sponsored groups

Protecting proprietary information is a timely issue, but it is difficult. The event presented a list of common challenges faced when protecting information assets:

–Proprietary information is among the most valuable commodities, and attackers are doing everything in their power to steal as much of this information as possible.
–The risk of data breaches for organizations is high.
–New and emerging technologies create new risks and vulnerabilities.
— IT environments are becoming increasingly complex, making the management of them more expensive, difficult, and time consuming.
–There is a wider range of devices and access points, so businesses must proactively seek ways to combat the effects of this complexity.
–The rise in portable devices is creating more opportunities for data to “leak” from the business.
–The rise in Bring Your Own Device (BYOD) initiatives is generating new operational challenges and security problems.
–The rapidly expanding Internet of Things (IoT) has significantly increased the number of network connected things (e.g., HVAC systems, MRI machines, coffeemakers) that pose data security threats, many of which were inconceivable only a short time ago.
–The number of threats to corporate IT systems is on the rise.
–Malware is becoming more sophisticated.
–There is an increasing number of laws in this area, making information security an urgent priority.

Cary covered the entire gamut of challenges related to cyber fraud and data breaches ranging from legal issues, corporate espionage, social engineering, the use of social media, the bring-your-own-devices phenomenon, and the impact of cloud computing. The remaining portion of the event was devoted to addressing how enterprises can effectively respond when confronted by the challenges posed by these issues including breach response team building and breach prevention techniques like conducting security risk assessments, staff awareness training and the incident response plan.

When an organization experiences a data breach, management must respond in an appropriate and timely manner. During the initial response, time is critical. To help ensure that an organization responds to data breaches timely and efficiently, management should have an incident response plan in place that outlines how to respond to such issues. Timely responses can help prevent further data loss, fines, and customer backlash. An incident response plan outlines the actions an organization will take when data breaches occur. More specifically, a response plan should guide the necessary action when a data breach is reported or identified. Because every breach is different, a response plan should not outline how an organization should respond in every instance. Instead, a response plan should help the organization manage its response and create an environment to minimize risk and maximize the potential for success. In short, a response plan should describe the plan fundamentals that the organization can deploy on short notice.

Again, our sincere thanks go out to all involved in the success of this most worthwhile training event!

Cyberfraud & Data Breaches – May 2018 Training Event

On May 16th and 17th, our Chapter, supported by our partners, national ACFE and the Virginia State Police, will present our sixteenth Spring training event, this time on the subject of CYBERFRAUD AND DATA BREACHES.  Our presenter will be CARY E. MOORE, CFE, CISSP, MBA; ACFE Presenter Board member and internationally renowned author and authority on every aspect of cybercrime.  CLICK HERE  to see an outline of the training, the agenda and Cary’s bio.  If you decide to do so, you may REGISTER HERE.  Attendees will receive 16 CPE credits, and a printed manual of over 300 pages detailing every subject covered in the training.  In addition, as a door prize, we will be awarding, by drawing, a printed copy of the 2017 Fraud Examiners Manual, a $200 value!

As the relentless wave of cyberattacks continues, all our client organizations are under intense pressure from key stakeholders and regulators to implement and enhance their anti-fraud programs to protect customers, employees and the valuable information in their possession. According to research from IBM Security and the Ponemon Institute, the average total cost per company, per event of a data breach is US $3.62 million. Initial damage estimates of a single breach, while often staggering, may not consider less obvious and often undetectable threats such as theft of intellectual property, espionage, destruction of data, attacks on core operations or attempts to disable critical infrastructure. These knock-on effects can last for years and have devastating financial, operational and brand ramifications.

Given the broad regulatory pressures to tighten anti-fraud cyber security controls and the visibility surrounding cyber risk, a number of proposed regulations focused on improving cyber security risk management programs have been introduced in the United States over the past few years by various governing bodies of which CFEs need to be aware. One of the more prominent is a regulation issued by the New York Department of Financial Services (NYDFS) that prescribes certain minimum cyber security standards for those entities regulated by the NYDFS. Based on the entity’s risk assessment, the NYDFS law has specific requirements around data encryption, protection and retention, third party information security, application security, incident response and breach. notification, board reporting, and annual certifications.

However, organizations continue to struggle to report on the overall effectiveness of their cyber security risk management and anti-fraud programs. The American Institute of Certified Public Accountants (AICPA) has released a cyber security risk management reporting framework intended to help organizations expand cyber risk reporting to a broad range of internal and external users, including the C-suite and the board of directors (BoD). The AICPA’s reporting framework is designed to address the need for greater stakeholder transparency by providing in-depth, easily consumable information about an organization’s cyber risk management  program. The cyber security risk management examination uses an independent, objective reporting approach and employs broader and more flexible criteria. For example, it allows for the selection and utilization of any control framework considered suitable and available in establishing the entity’s cyber security objectives and developing and maintaining controls within the entity’s cyber security risk management program, whether it is the US National Institute of Standards and Technology (NIST)’s Cybersecurity Framework, the International Organization for Standardization (ISO)’s ISO 27001/2 and related frameworks, or internally developed frameworks based on a combination of sources. The examination is voluntary, and applies to all types of entities, but should be considered a leading practice that provides the C-suite, boards and other key stakeholders clear insight into an organization’s cyber security program and identifies gaps or pitfalls that leave organizations vulnerable.

Cyber security risk management examination reports are vital to the fraud control program of any organization doing business on-line.  Such reports help an organization’s BoD establish appropriate oversight of a company’s cyber security risk program and credibly communicate its effectiveness to stakeholders, including investors, analysts, customers, business partners and regulators. By leveraging this information, boards can challenge management’s assertions around the effectiveness of their cyber risk management programs and drive more effective decision making. Active involvement and oversight from the BoD can help ensure that an organization is paying adequate attention to cyber risk management. The board can help shape expectations for reporting on cyber threats and fraud attempts while also advocating for greater transparency and assurance around the effectiveness of the program.

Organizations that choose to utilize the AICPA’s cyber security attestation reporting framework and perform an examination of their cyber security program may be better positioned to gain competitive advantage and enhance their brand in the marketplace. For example, an outsource retail service provider (OSP) that can provide evidence that a well-developed and sound cyber security risk management program is in place in its organization can proactively provide the report to current and potential customers, evidencing that it has implemented appropriate controls to protect the sensitive IT assets and valuable data over which it maintains access. At the same time, current and potential retailor customers of an OSP want the third parties with whom they engage to also place a high level of importance on cyber security. Requiring a cyber security examination report as part of the selection criteria would offer transparency into  outsourcers’ cyber security programs and could be a determining factor in the selection process.

The value of addressing cyber security related fraud concerns and questions by CFEs before regulatory mandates are established or a crisis occurs is quite clear. The knowledgeable CFE can help our client organizations view the new cyber security attestation reporting frameworks as an opportunity to enhance their existing cyber security and anti-fraud programs and gain competitive advantage. The attestation reporting frameworks address the needs of a variety of key stakeholder groups and, in turn, limit the communication and compliance burden. CFE client organizations that view the cyber security reporting landscape as an opportunity can use it to lead, navigate and disrupt in today’s rapidly evolving cyber risk environment.

Please decide to join us for our May Training Event on this vital and timely topic!  YOU MAY REGISTER 0N-LINE HERE.  You can pay with PayPal (you don’t need a PayPal account; you can use any credit card) or just print an invoice and submit your payment by snail mail!

The Anti-Fraud Blockchain

Blockchain technology, the series of interlocking algorithms powering digital currencies like BitCoin, is emerging as a potent fraud prevention tool.  As every CFE knows, technology is enabling new forms of money and contracting, and the growing digital economy holds great promise to provide a full range of new financial tools, especially to the world’s poor and unbanked. These emerging virtual currencies and financial techniques are often anonymous, and none have received quite as much press as Bitcoin, the decentralized peer-to-peer digital form of money.

Bitcoins were invented in 2009 by a mysterious person (or group of people) using the alias Satoshi Nakamoto, and the coins are created or “mined” by solving increasingly difficult mathematical equations, requiring extensive computing power. The system is designed to ensure no more than twenty-one million Bitcoins are ever generated, thereby preventing a central authority from flooding the market with new Bitcoins. Most people purchase Bitcoins on third-party exchanges with traditional currencies, such as dollars or euros, or with credit cards. The exchange rates against the dollar for Bitcoin fluctuate wildly and have ranged from fifty cents per coin around the time of its introduction to over $16,0000 in December 2017. People can send Bitcoins, or percentages of bitcoin, to each other using computers or mobile apps, where coins are stored in digital wallets. Bitcoins can be directly exchanged between users anywhere in the world using unique alphanumeric identifiers, akin to e-mail addresses, and there are no transaction fees in the basic system, absent intermediaries.

Anytime a purchase takes place, it is recorded in a public ledger known as the “blockchain,” which ensures no duplicate transactions are permitted. Crypto currencies are called such because they use cryptography to regulate the creation and transfer of money, rather than relying on central authorities. Bitcoin acceptance continues to grow rapidly, and it is possible to use Bitcoins to buy cupcakes in San Francisco, cocktails in Manhattan, and a Subway sandwich in Allentown.

Because Bitcoin can be spent online without the need for a bank account and no ID is required to buy and sell the crypto currency, it provides a convenient system for anonymous, or more precisely pseudonymous, transactions, where a user’s true name is hidden. Though Bitcoin, like all forms of money, can be used for both legal and illegal purposes, its encryption techniques and relative anonymity make it strongly attractive to fraudsters and criminals of all kinds. Because funds are not stored in a central location, accounts cannot readily be seized or frozen by police, and tracing the transactions recorded in the blockchain is significantly more complex than serving a subpoena on a local bank operating within traditionally regulated financial networks. As a result, nearly all the so-called Dark Web’s illicit commerce is facilitated through alternative currency systems. People do not send paper checks or use credit cards in their own names to buy meth and pornography. Rather, they turn to anonymous digital and virtual forms of money such as Bitcoin.

A blockchain is, essentially, a way of moving information between parties over the Internet and storing that information and its transaction history on a disparate network of computers. Bitcoin, and all the other digital currencies, operates on a blockchain: as transactions are aggregated into blocks, each block is assigned a unique cryptographic signature called a “hash.” Once the validating cryptographic puzzle for the latest block has been solved by a coin mining computer, three things happen: the result is timestamped, the new block is linked irrevocably to the blocks before and after it by its unique hash, and the block and its hash are posted to all the other computers that were attempting to solve the puzzle involved in the mining process for new coins. This decentralized network of computers is the repository of the immutable ledger of bitcoin transactions.  If you wanted to steal a bitcoin, you’d have to rewrite the coin’s entire history on the blockchain in broad daylight.

While bitcoin and other digital currencies operate on a blockchain, they are not the blockchain itself. It’s an insight of many computer scientists that in addition to exchanging digital money, the blockchain can be used to facilitate transactions of other kinds of digitized data, such as property registrations, birth certificates, medical records, and bills of lading. Because the blockchain is decentralized and its ledger immutable, all these types of transactions would be protected from hacking; and because the blockchain is a peer-to-peer system that lets people and businesses interact directly with each other, it is inherently more efficient and  cheaper than current systems that are burdened with middlemen such as lawyers and regulators.

A CFE’s client company that aims to reduce drug counterfeiting could have its CFE investigator use the blockchain to follow pharmaceuticals from provenance to purchase. Another could use it to do something similar with high-end sneakers. Yet another, a medical marijuana producer, could create a blockchain that registers everything that has happened to a cannabis product, from seed to sale, letting consumers, retailers and government regulators know where everything came from and where it went. The same thing can be done with any normal crop so, in the same way that a consumer would want to know where the corn on her table came from, or the apple that she had at lunch originated, all stake holders involved in the medical marijuana enterprise would know where any batch of product originated and who touched it all along the way.

While a blockchain is not a full-on solution to fraud or hacking, its decentralized infrastructure ensures that there are no “honeypots” of data available, like financial or medical records on isolated company servers, for criminals to exploit. Still, touting a bitcoin-derived technology as an answer to cybercrime may seem a stretch considering the high-profile, and lucrative, thefts of cryptocurrency over the past few years. Its estimated that as of March 2015, a full third of  all Bitcoin exchanges, (where people store their bitcoin), up to then had been hacked, and nearly half had closed. There was, most famously, the 2014 pilferage of Mt. Gox, a Japanese based digital coin exchange, in which 850,000 bitcoins worth $460,000,000 disappeared. Two years later another exchange, Bitfinex, was hacked and around $60 million in bitcoin was taken; the company’s solution was to spread the loss to all its customers, including those whose accounts had not been drained.

Unlike money kept in a bank, cryptocurrencies are uninsured and unregulated. That is one of the consequences of a monetary system that exists, intentionally, beyond government control or oversight. It may be small consolation to those who were affected by these thefts that the bitcoin network itself and the blockchain has never been breached, which perhaps proves the immunity of the blockchain to hacking.

This security of the blockchain itself demonstrates how smart contracts can be written and stored on it. These are covenants, written in code, that specify the terms of an agreement. They are smart because as soon as its terms are met, the contract executes automatically, without human intervention. Once triggered, it can’t be amended, tampered with, or impeded. This is programmable money. Such smart contracts are a tool with the potential to change how business in done. The concept, as with digital currencies, is based on computers synced together. Now imagine that rather than syncing a transaction, software is synced. Every machine in the network runs the same small program. It could be something simple, like a loan: A sends B some money, and B’s account automatically pays it back, with interest, a few days later. All parties agree to these terms, and it’s locked in using the smart contract. The parties have achieved programmable money!

There is no doubt that smart contracts and the blockchain itself will augment the trend toward automation, though it is automation through lines of code, not robotics. For businesses looking to cut costs and reduce fraud, this is one of the main attractions of blockchain technology. The challenge is that, if contracts are automated, what will happen to traditional firm control structures, processes, and intermediaries like lawyers and accountants? And what about managers? Their roles would all radically change. Most blockchain advocates imagine them changing so radically as to disappear altogether, taking with them many of the costs currently associated with doing business. According to a recent report in the trade press, the blockchain could reduce banks’ infrastructure costs attributable to cross-border payments, securities trading, and regulatory compliance by $15-20 billion per annum by 2022.  Whereas most technologies tend to automate workers on the periphery, blockchain automates away the center. Instead of putting the taxi driver out of a job, blockchain puts Uber out of a job and lets the taxi drivers work with the customer directly.

Whether blockchain technology will be a revolution for good or one that continues what has come to seem technology’s inexorable, crushing ascendance will be determined not only by where it is deployed, but how. The blockchain could be used by NGOs to eliminate corruption in the distribution of foreign aid by enabling funds to move directly from giver to receiver. It is also a way for banks to operate without external oversight, encouraging other kinds of corruption. Either way, we as CFEs would be wise to remember that technology is never neutral. It is always endowed with the values of its creators. In the case of the blockchain and crypto-currency, those values are libertarian and mechanistic; trust resides in algorithmic rules, while the rules of the state and other regulatory bodies are often viewed with suspicion and hostility.

Threat Assessment & Cyber Security

One rainy Richmond evening last week I attended the monthly dinner meeting of one of the professional organizations of which I’m a member.  Our guest speaker’s presentation was outstanding and, in my opinion, well worth sharing with fellow CFE’s especially as we find more and more of our client’s grappling with the reality of  ever-evolving cyber threats.

Our speaker started by indicating that, according to a wide spectrum of current thinking, technology issues in isolation should be but one facet of the overall cyber defense strategy of any enterprise. A holistic view on people, process and technology is required in any organization that wants to make its chosen defense strategy successful and, to be most successful, that strategy needs to be supplemented with a good dose of common sense creative thinking. That creative thinking proved to be the main subject of her talk.

Ironically, the sheer size, complexity and geopolitical diversity of the modern-day enterprise can constitute an inherent obstacle for its goal of achieving business objectives in a secured environment.  The source of the problem is not simply the cyber threats themselves, but threat agents. The term “threat agent,” from the Open Web Application Security Project (OWASP), is used to indicate an individual or group that can manifest a threat. Threat agents are represented by the phenomena of:

–Hacktivism;
–Corporate Espionage;
–Government Actors;
–Terrorists;
–Common Criminals (individual and organized).

Irrespective of the type of threat, the threat agent takes advantage of an identified vulnerability and exploits it in the attempt to negatively impact the value the individual business has at risk. The attempt to execute the threat in combination with the vulnerability is called hacking. When this attempt is successful, and the threat agent can negatively impact the value at risk, it can be concluded that the vulnerability was successfully exploited. So, essentially, enterprises are trying to defend against hacking and, more importantly, against the threat agent that is the hacker in his or her many guises. The ACFE identifies hacking as the single activity that has resulted in the greatest number of cyber breaches in the past decade.

While there is no one-size-fits-all standard to build and run a sustainable security defense in a generic enterprise context, most companies currently deploy something resembling the individual components of the following general framework:

–Business Drivers and Objectives;
–A Risk Strategy;
–Policies and Standards;
–Risk Identification and Asset Profiling;
–People, Process, Technology;
–Security Operations and Capabilities;
–Compliance Monitoring and Reporting.

Most IT risk and security professionals would be able to identify this framework and agree with the assertion that it’s a sustainable approach to managing an enterprise’s security landscape. Our speaker pointed out, however, that in her opinion, if the current framework were indeed working as intended, the number of security incidents would be expected to show a downward trend as most threats would fail to manifest into full-blown incidents. They could then be routinely identified by enterprises as known security problems and dealt with by the procedures operative in day-to-day security operations. Unfortunately for the existing framework, however, recent security surveys conducted by numerous organizations and trade groups clearly show an upward trend of rising security incidents and breaches (as every reader of daily press reports well knows).

The rising tide of security incidents and breaches is not surprising since the trade press also reports an average of 35 new, major security failures on each and every day of the year.  Couple this fact with the ease of execution and ready availability of exploit kits on the Dark Web and the threat grows in both probability of exploitation and magnitude of impact. With speed and intensity, each threat strikes the security structure of an enterprise and whittles away at its management credibility to deal with the threat under the routine, daily operational regimen presently defined. Hence, most affected enterprises endure a growing trend of negative security incidents experienced and reported.

During the last several years, in response to all this, many firms have responded by experimenting with a new approach to the existing paradigm. These organizations have implemented emergency response teams to respond to cyber-threats and incidents. These teams are a novel addition to the existing control structure and have two main functions: real-time response to security incidents and the collection of concurrent internal and external security intelligence to feed predictive analysis. Being able to respond to security incidents via a dedicated response team boosts the capacity of the operational organization to contain and recover from attacks. Responding to incidents, however efficiently, is, in any case, a reactive approach to deal with cyber-threats but isn’t the whole story. This is where cyber-threat intelligence comes into play. Threat intelligence is a more proactive means of enabling an organization to predict incidents. However, this approach also has a downside. The influx of a great deal of intelligence information may limit the ability of the company to render it actionable on a timely basis.

Cyber threat assessments are an effective means to tame what can be this overwhelming influx of intelligence information. Cyber threat assessment is currently recognized in the industry as red teaming, which is the practice of viewing a problem from an adversary or competitor’s perspective. As part of an IT security strategy, enterprises can use red teams to test the effectiveness of the security structure as a whole and to provide a relevance factor to the intelligence feeds on cyber threats. This can help CEOs decide what threats are relevant and have higher exposure levels compared to others. The evolution of cyber threat response, cyber threat  intelligence and cyber threat assessment (red teams) in conjunction with the existing IT risk framework can be used as an effective strategy to counter the agility of evolving cyber threats. The cyber threat assessment process assesses and challenges the structure of existing enterprise security systems, including designs, operational-level controls and the overall cyber threat response and intelligence process to ensure they remain capable of defending against current relevant exploits.

Cyber threat assessment exercises can also be extremely helpful in highlighting the most relevant attacks and in quantifying their potential impacts. The word “adversary” in the definition of the term ‘red team’ is key in that it emphasizes the need to independently challenge the security structure from the view point of an attacker.  Red team exercises should be designed to be independent of the scope, asset profiling, security, IT operations and coverage of existing security policies. Only then can enterprises realistically apply the attacker’s perspective, measure the success of its risk strategy and see how it performs when challenged. It’s essential that red team exercises have the freedom to treat the complete security structure and to point to flaws in all components of the IT risk framework. It’s a common notion that a red team exercise is a penetration test. This is not the case. Use of penetration test techniques by red teams is a means to identify the information required to replicate cyber threats and to create a controlled security incident. The technical shortfalls that are identified during standard penetration testing are mere symptoms of gaps that may exist in the governance of people, processes and technology. Hence, to make the organization more resilient against cyber threats, red team focus should be kept on addressing the root cause and not merely on fixing the security flaws discovered during the exercise. Another key point is to include cyber threat response and threat monitoring in the scope of such assessments. This demands that red team exercises be executed, and partially announced, with CEO-level approval. This ensures that enterprises challenge the end-to-end capabilities of an enterprise to cope with a real-time security incident. Lessons learned from red teaming can be documented to improve the overall security posture of the organization and as an aid in dealing with future threats.

Our speaker concluded by saying that as cyber threats evolve, one-hundred percent security for an active business is impossible to achieve. Business is about making optimum use of existing resources to derive the desired value for stakeholders. Cyber-defense cannot be an exception to this rule. To achieve optimized use of their security investments, CEOs should ensure that security spending for their organization is mapped to the real emerging cyber threat landscape. Red teaming is an effective tool to challenge the status quo of an enterprise’s security framework and to make informed judgements about the actual condition of its actual security posture today. Not only can the judgements resulting from red team exercises be used to improve cyber threat defense, they can also prove an effective mechanism to guide a higher return on cyber-defense investment.

A CDC for Cyber

I remember reading somewhere a few years back that Microsoft had commissioned a report which recommended that the U.S. government set up an entity akin to its Center for Disease Control but for cyber security.  An intriguing idea.  The trade press talks about malware and computer viruses and infections to describe self -replicating malicious code in the same way doctors talk about metastasizing cancers or the flu; likewise, as with public health, rather than focusing on prevention and detection, we often blame those who have become infected and try to retrospectively arrest/prosecute (cure) those responsible (the cancer cells, hackers) long after the original harm is done. Regarding cyber, what if we extended this paradigm and instead viewed global cyber security as an exercise in public health?

As I recall, the report pointed out that organizations such as the Centers for Disease Control in Atlanta and the World Health Organization in Geneva have over decades developed robust systems and objective methodologies for identifying and responding to public health threats; structures and frameworks that are far more developed than those existent in today’s cyber-security community. Given the many parallels between communicable human diseases and those affecting today’s technologies, there is also much fraud examiners and security professionals can learn from the public health model, an adaptable system capable of responding to an ever-changing array of pathogens around the world.

With cyber as with matters of public health, individual actions can only go so far. It’s great if an individual has excellent techniques of personal hygiene, but if everyone in that person’s town has the flu, eventually that individual will probably succumb as well. The comparison is relevant to the world of cyber threats. Individual responsibility and action can make an enormous difference in cyber security, but ultimately the only hope we have as a nation in responding to rapidly propagating threats across this planetary matrix of interconnected technologies is to construct new institutions to coordinate our response. A trusted, international cyber World Health Organization could foster cooperation and collaboration across companies, countries, and government agencies, a crucial step required to improve the overall public health of the networks driving the critical infrastructures in both our online and our off-line worlds.

Such a proposed cyber CDC could go a long way toward counteracting the technological risks our country faces today and could serve a critical role in improving the overall public health of the networks driving the critical infrastructures of our world. A cyber CDC could fulfill many roles that are carried out today only on an ad hoc basis, if at all, including:

• Education — providing members of the public with proven methods of cyber hygiene to protect themselves;
• Network monitoring — detection of infection and outbreaks of malware in cyberspace;
• Epidemiology — using public health methodologies to study digital cyber disease propagation and provide guidance on response and remediation;
• Immunization — helping to ‘vaccinate’ companies and the public against known threats through software patches and system updates;
• Incident response — dispatching experts as required and coordinating national and global efforts to isolate the sources of online infection and treat those affected.

While there are many organizations, both governmental and non-governmental, that focus on the above tasks, no single entity owns them all. It is through these gaps in effort and coordination that cyber risks continue to mount. An epidemiological approach to our growing technological risks is required to get to the source of malware infections, as was the case in the fight against malaria. For decades, all medical efforts focused in vain on treating the disease in those already infected. But it wasn’t until epidemiologists realized the malady was spread by mosquitoes breeding in still pools of water that genuine progress was made in the fight against the disease. By draining the pools where mosquitoes and their larvae grow, epidemiologists deprived them of an important breeding ground, thus reducing the spread of malaria. What stagnant pools can we drain in cyberspace to achieve a comparable result? The answer represents the yet unanswered challenge.

There is another major challenge a cyber CDC would face: most of those who are sick have no idea they are walking around infected, spreading disease to others. Whereas malaria patients develop fever, sweats, nausea, and difficulty breathing, important symptoms of their illness, infected computer users may be completely asymptomatic. This significant difference is evidenced by the fact that the overwhelming majority of those with infected devices have no idea there is malware on their machines nor that they might have even joined a botnet army. Even in the corporate world, with the average time to detection of a network breach now at 210 days, most companies have no idea their most prized assets, whether intellectual property or a factory’s machinery, have been compromised. The only thing worse than being hacked is being hacked and not knowing about it. If you don’t know you’re sick, how can you possibly get treatment? Moreover, how can we prevent digital disease propagation if carriers of these maladies don’t realize they are infecting others?

Addressing these issues could be a key area of import for any proposed cyber CDC and fundamental to future communal safety and that of critical information infrastructures. Cyber-security researchers have pointed out the obvious Achilles’ heel of the modern technology infused world, the fact that today everything is either run by computers (or will be) and that everything is reliant on these computers continuing to work. The challenge is that we must have some way of continuing to work even if all the computers fail. Were our information systems to crash on a mass scale, there would be no trading on financial markets, no taking money from ATMs, no telephone network, and no pumping gas. If these core building blocks of our society were to suddenly give way, what would humanity’s backup plan be? The answer is simply, we don’t now have one.

Complicating all this from a law enforcement and fraud investigation perspective is that black hats generally benefit from technology long before defenders and investigators ever do. The successful ones have nearly unlimited budgets and don’t have to deal with internal bureaucracies, approval processes, or legal constraints. But there are other systemic issues that give criminals the upper hand, particularly around jurisdiction and international law. In a matter of minutes, the perpetrator of an online crime can virtually visit six different countries, hopping from server to server and continent to continent in an instant. But what about the police who must follow the digital evidence trail to investigate the matter?  As with all government activities, policies, and procedures, regulations must be followed. Trans-border cyber-attacks raise serious jurisdictional issues, not just for an individual police department, but for the entire institution of policing as currently formulated. A cop in Baltimore has no authority to compel an ISP in Paris to provide evidence, nor can he make an arrest on the right bank. That can only be done by request, government to government, often via mutual legal assistance treaties. The abysmally slow pace of international law means it commonly takes years for police to get evidence from overseas (years in a world in which digital evidence can be destroyed in seconds). Worse, most countries still do not even have cyber-crime laws on the books, meaning that criminals can act with impunity making response through a coordinating entity like a cyber-CDC more valuable to the U.S. specifically and to the world in general.

Experts have pointed out that we’re engaged in a technological arms race, an arms race between people who are using technology for good and those who are using it for ill. The challenge is that nefarious uses of technology are scaling exponentially in ways that our current systems of protection have simply not matched.  The point is, if we are to survive the progress offered by our technologies and enjoy their benefits, we must first develop adaptive mechanisms of security that can match or exceed the exponential pace of the threats confronting us. On this most important of imperatives, there is unambiguously no time to lose.

Help for the Little Guy

It’s clear to the news media and to every aware assurance professional that today’s cybercriminals are more sophisticated than ever in their operations and attacks. They’re always on the lookout for innovative ways to exploit vulnerabilities in every global payment system and in the cloud.

According to the ACFE, more consumer records were compromised in 2015-16 than in the previous four years combined. Data breach statistics from this year (2017) are projected to be even grimmer due to the growth of increasingly sophisticated attack methods such as increasingly complex malware infections and system vulnerability exploits, which grew tenfold in 2016. With attacks coming in many different forms and from many different channels, consumers, businesses and financial institutions (often against their will) are being forced to gain a better understanding of how criminals operate, especially in ubiquitous channels like social networks. They then have a better chance of mitigating the risks and recognizing attacks before they do severe damage.

As your Chapter has pointed out over the years in this blog, understanding the mechanics of data theft and the conversion process of stolen data into cash can help organizations of all types better anticipate in the exact ways criminals may exploit the system, so that organizations can put appropriate preventive measures in place. Classic examples of such criminal activity include masquerading as a trustworthy entity such as a bank or credit card company. These phishers send e-mails and instant messages that prompt users to reply with sensitive information such as usernames, passwords and credit card details, or to enter the information at a rogue web site. Other similar techniques include using text messaging (SMSishing or smishing) or voice mail (vishing) or today’s flood of offshore spam calls to lure victims into giving up sensitive information. Whaling is phishing targeted at high-worth accounts or individuals, often identified through social networking sites such as LinkedIn or Facebook. While it’s impossible to anticipate or prevent every attack, one way to stay a step ahead of these criminals is to have a thorough understanding of how such fraudsters operate their enterprises.

Although most cyber breaches reported recently in the news have struck large companies such as Equifax and Yahoo, the ACFE tells us that small and mid-sized businesses suffer a far greater number of devastating cyber incidents. These breaches involve organizations of every industry type; all that’s required for vulnerability is that they operate network servers attached to the internet. Although the number of breached records a small to medium sized business controls is in the hundreds or thousands, rather than in the millions, the cost of these breaches can be higher for the small business because it may not be able to effectively address such incidents on its own.  Many small businesses have limited or no resources committed to cybersecurity, and many don’t employ any assurance professionals apart from the small accounting firms performing their annual financial audit. For these organizations, the key questions are “Where should we focus when it comes to cybersecurity?” and “What are the minimum controls we must have to protect the sensitive information in our custody?” Fraud Examiners and forensic accountants with client attorneys assisting small businesses can assist in answering these questions by checking that their client attorney’s organizations implement a few vital cybersecurity controls.

First, regardless of their industry, small businesses must ensure their network perimeter is protected. The first step is identifying the vulnerabilities by performing an external network scan at least quarterly. A small business can either hire an outside company to perform these scans, or, if they have small in-house or contracted IT, they can license off-the-shelf software to run the scans, themselves. Moreover, small businesses need a process in place to remedy the identified critical, high, and medium vulnerabilities within three months of the scan run date, while low vulnerabilities are less of a priority. The fewer vulnerabilities the perimeter network has,
the less chance that an external hacker will breach the organization’s network.

Educating employees about their cybersecurity responsibilities is not a simple check-sheet matter. Smaller businesses not only need help in implementing an effective information security policy, they also need to ensure employees are aware of the policy and of their responsibilities. The policy and training should cover:

–Awareness of phishing attacks;
–Training on ransomware management;
–Travel tips;
–Potential threats of social engineering;
–Password protection;
–Risks of storing sensitive data in the cloud;
–Accessing corporate information from home computers and other personal devices;
–Awareness of tools the organization provides for securely sending emails or sharing large files;
–Protection of mobile devices;
–Awareness of CEO spoofing attacks.

In addition, small businesses should verify employees’ level of awareness by conducting simulation exercises. These can be in the form of a phishing exercise in which organizations themselves send fake emails to their employees to see if they will click on a web link, or a social engineering exercise in which a hired individual tries to enter the organization’s physical location and steal sensitive information such as information on computer screens left in plain sight.

In small organizations, sensitive information tends to proliferate across various platforms and folders. For example, employees’ personal information typically resides in human resources software or with a cloud service provider, but through various downloads and reports, the information can proliferate to shared drives and folders, laptops, emails, and even cloud folders like Dropbox or Google Drive. Assigned management at the organization should check that the organization has identified the sites of such proliferation to make sure it has a good handle on the state of all the organization’s sensitive information:

–Inventory all sensitive business processes and the related IT systems. Depending on the organization’s industry, this information could include customer information, pricing data, customers’ credit card information, patients’ health information, engineering data, or financial data;
–For each business process, identify an information owner who has complete authority to approve user access to that information;
–Ensure that the information owner periodically reviews access to all the information he or she owns and updates the access list.

Organizations should make it hard to get to their sensitive data by building layers or network segments. Although the network perimeter is an organization’s first line of defense, the probability of the network being penetrated is today at an all-time high. Management should check whether the organization has built a layered defense to protect its sensitive information. Once the organization has identified its sensitive information, management should work with the IT function to segment those servers that run its sensitive applications.  This segmentation will result in an additional layer of protection for these servers, typically by adding another firewall for the segment. Faced with having to penetrate another layer of defense, an intruder may decide to go elsewhere where less sensitive information is stored.

An organization’s electronic business front door also can be the entrance for fraudsters and criminals. Most of today’s malware enters through the network but proliferates through the endpoints such as laptops and desktops. At a minimum, internal small business management must ensure that all the endpoints are running anti-malware/anti-virus software. Also, they should check that this software’s firewall features are enabled. Moreover, all laptop hard drives should be encrypted.

In addition to making sure their client organizations have implemented these core controls, assurance professionals should advise small business client executives to consider other protective controls:

–Monitor the network. Network monitoring products and services can provide real-time alerts in case there is an intrusion;
–Manage service providers. Organizations should inventory all key service providers and review all contracts for appropriate security, privacy, and data breach notification language;
–Protect smart devices. Increasingly, company information is stored on mobile devices. Several off-the-shelf solutions can manage and protect the information on these devices. Small businesses should ensure they are able to wipe the sensitive information from these devices if they are lost or stolen;
–Monitor activity related to sensitive information. Management IT should log activities against their sensitive information and keep an audit log in case an incident occurs and they need to review the logs to evaluate the incident.

Combined with the controls listed above, these additional controls can help any small business reduce the probability of a data breach. But a security program is only as strong as its weakest link Through their assurance and advisory work, CFE’s and forensic accountants can proactively help identify these weaknesses and suggest ways to strengthen their smaller client organization’s anti-fraud defenses.