Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Preventing Fraud from Top to Bottom - Vanderburg, Gaddamanugu - Information Security Summit 2014

6,203 views

Published on

Preventing Fraud from Top to Bottom was presented at the Information Security Summit in 2014 by Dr. Eric Vanderburg and Ramana Gaddamanugu.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Preventing Fraud from Top to Bottom - Vanderburg, Gaddamanugu - Information Security Summit 2014

  1. 1. Preventing Fraud from Top to Bottom Information Security Summit October 31, 2014 Session 8: 2:20–3:20 PM Dr. Eric A. Vanderburg Director, Cyber Security JURINNOV Ltd. Ramana Gaddamanugu, CFE Senior Manager, Risk and Compliance JURINNOV Ltd.
  2. 2. Who are we? Dr. Eric A. Vanderburg Director, Cyber Security JURINNOV Ltd. Ramana Gaddamanugu, CFE Senior Manager, Risk and Compliance JURINNOV Ltd. © 2014 Property of JurInnov Ltd. All Rights Reserved
  3. 3. © 2014 Property of JurInnov Ltd. All Rights Reserved Overview • Fraud Risks • Fraud Controls • Anti-Fraud Culture • Awareness • Fraud Incident Response
  4. 4. Fraud Risks • Facts and Figures • Fraud factors • Laws • Case studies • Addressing fraud risk © 2014 Property of JurInnov Ltd. All Rights Reserved
  5. 5. Facts and figures • 65% of fraud cases were discovered by tips or by an employee accidentally stumbling upon them during the course of their job duties.  Average organizational cost $5.5 million per incident -Ponemon Institute Study, March 2012  Financial impact of cybercrime expected to grow 10% per year through 2016 -Gartner top predictions for 2012 © 2014 Property of JurInnov Ltd. All Rights Reserved
  6. 6. Fraud factors Pressures / Incentives: • A situation that is so challenging the person cannot see any other way out • Personal financial pressure • Family pressures • Greed • Pressure to meet goals Rationalization: • A way to justify in the person’s consciousness that the act of fraud is not so bad • Common beliefs: © 2014 Property of JurInnov Ltd. All Rights Reserved • Person is owed this money • Just borrowing until they are able to pay it back • Everyone else is doing it Opportunity: • The set of circumstances that make it possible to commit fraud
  7. 7. © 2014 Property of JurInnov Ltd. All Rights Reserved Laws • The Ribicoff Bill • The Computer Fraud and Abuse Act of 1986 • The Electronic Communications Privacy Act of 1986 • The Communications Decency Act of 1996 • The Sarbanes-Oxley Act of 2002 (Sox) • The Gramm-Leach-Bliley Act (GLBA) • The California Database Security Breach Act (2003) • Identity Theft Enforcement and Restitution Act of 2008
  8. 8. Case studies © 2014 Property of JurInnov Ltd. All Rights Reserved • Example 1 – Pressure – Opportunity – Rationalization
  9. 9. Case studies © 2014 Property of JurInnov Ltd. All Rights Reserved • Example 2 – Pressure – Opportunity – Rationalization
  10. 10. Case studies © 2014 Property of JurInnov Ltd. All Rights Reserved • Example 3 – Pressure – Opportunity – Rationalization
  11. 11. Addressing fraud risk • Performing a fraud risk assessment • Options for dealing with risk © 2014 Property of JurInnov Ltd. All Rights Reserved – Accept – Mitigate – Transfer – Avoid
  12. 12. Addressing risk TRANSFER Impact (Probability * Loss) © 2014 Property of JurInnov Ltd. All Rights Reserved Cost ACCEPT MITIGATE AVOID
  13. 13. Fraud Controls • Access controls • Auditing • Business continuity • Application security • Cryptography • Security management • Governance • Segregation of Duties © 2014 Property of JurInnov Ltd. All Rights Reserved
  14. 14. Ways controls are executed • Manual (performed by people) – Examples: Authorizations, Management reviews • Automatic (embedded in application code) – Examples: Exception reports, Interface controls, System access © 2014 Property of JurInnov Ltd. All Rights Reserved
  15. 15. Control categories © 2014 Property of JurInnov Ltd. All Rights Reserved
  16. 16. Access controls • Least privilege • Types of authentication – What you have – What you are – What you know © 2014 Property of JurInnov Ltd. All Rights Reserved
  17. 17. © 2014 Property of JurInnov Ltd. All Rights Reserved Auditing • Server audit logs are turned on and retained • Proper review of logs and other data • Personnel held accountable
  18. 18. Business continuity • Key systems have uninterruptable power supplies • Backups tested regularly • Disaster recovery plans in place • Business continuity testing for key systems • System maintenance as scheduled © 2014 Property of JurInnov Ltd. All Rights Reserved
  19. 19. Application security • Security patches up to date • Equipment firmware is up to date • No unauthorized programs installed • Corporate applications have up to date security reviews • Antivirus software installed • Virus definitions up to date © 2014 Property of JurInnov Ltd. All Rights Reserved
  20. 20. Cryptography © 2014 Property of JurInnov Ltd. All Rights Reserved • Data at rest – Workstations – Servers – Backups – Laptops – Phones • Data in motion (in transit) – VPN – Web site access – File transfer – Network communication
  21. 21. Encryption example © 2014 Property of JurInnov Ltd. All Rights Reserved
  22. 22. Security management • Configuration changes approved prior to implementation • Incidents handled by incident response plans • Media sanitized before being reused or disposed © 2014 Property of JurInnov Ltd. All Rights Reserved
  23. 23. Governance • Security policies and procedures in place • Systems have documented security controls • Documented roles and responsibilities © 2014 Property of JurInnov Ltd. All Rights Reserved
  24. 24. Segregation of Duties • Process • Systems • Roles and Authority • Oversight • Audit © 2014 Property of JurInnov Ltd. All Rights Reserved
  25. 25. Test types © 2014 Property of JurInnov Ltd. All Rights Reserved • Inquiry – Interview staff to validate knowledge of a policy or requirement – Inquiry alone is not a sufficient test • Inspection – Review sample of source documents for evidence of control execution – Review exception reports and related documentation to identify preventive control failures and validate for risk occurrence – Reconcile process/system documentation to actual operation • Observation – Monitor personnel to validate execution of manual controls – Observe occurrence of automated controls (e.g. popup warnings) • Re-performing – Enter an illegal transaction to test control operation – Enter a valid transaction to test control operation
  26. 26. Anti-Fraud Culture • Role of leadership • Reinforcing the culture day to day • Business integration • Making it happen © 2014 Property of JurInnov Ltd. All Rights Reserved
  27. 27. Role of leadership • Incenting the behavior • Assignments and accountabilities • Personal contribution reports • Performance reviews • Daily interactions with team members • New system and process deployment © 2014 Property of JurInnov Ltd. All Rights Reserved
  28. 28. Role of leadership • Take a quick pulse • Demonstrate that security is critical • Challenge assumptions of security • Ask about the risks • Monitor, measure, report • Hold everyone accountable • Reward behaviors • Debrief projects including security focus © 2014 Property of JurInnov Ltd. All Rights Reserved
  29. 29. Reinforcing the culture: Day to Day • Monitoring, measuring and reporting • Integrating with business metrics • Weekly management meetings • Monthly dashboard review with employees • Quarterly goals met • Team rewards © 2014 Property of JurInnov Ltd. All Rights Reserved
  30. 30. Business integration Anti-fraud Strategy • Priorities • Roles and responsibilities • Targeted capabilities • Specific goals (timeframe) © 2014 Property of JurInnov Ltd. All Rights Reserved Business Strategy • Core values • Purpose • Capabilities • Client promise • Business targets • Specific goals • Initiatives • Action items • Assignments and accountabilities
  31. 31. Making it happen • Ask where are we today? – High level survey – taking the pulse – Assessment • Define and communicate expectations – Company policies – Employee training – Third party contract requirements © 2014 Property of JurInnov Ltd. All Rights Reserved
  32. 32. Making it happen • Implement changes – Workflow (make it easy) – Technology – Physical • Ask how are we doing? – Checkpoints – Audits © 2014 Property of JurInnov Ltd. All Rights Reserved
  33. 33. Awareness • Types of fraud • Everyone’s responsibility • Recognizing fraud • Who to notify • Whistleblowing policy © 2014 Property of JurInnov Ltd. All Rights Reserved
  34. 34. Fraud Incident Response • Preparation • Identification • Containment • Investigation • Eradication • Recovery © 2014 Property of JurInnov Ltd. All Rights Reserved
  35. 35. Preparation – Document procedures for likely incidents – Document steps for a non-specific incident – Prepare resources © 2014 Property of JurInnov Ltd. All Rights Reserved • Human • Technical – Is geographic diversity needed? – Determine notification procedure – Roles and responsibilities – Simulation – Review and maintenance
  36. 36. Identification • Use of dormant accounts • Log alteration • Notification by partner or © 2014 Property of JurInnov Ltd. All Rights Reserved peer • Violation of policy • Violation of law • Loss of availability • Unusual consumption of computing resources • Unusual network activity • Corrupt files • Data breach • Reported attacks • Activity at unexpected times • Unusual email traffic • Presence of unfamiliar files • Execution of unknown programs
  37. 37. Containment – Assembly – Restrict Access – Preservation – Notification © 2014 Property of JurInnov Ltd. All Rights Reserved
  38. 38. Investigation – Interviewing – Documentation • IP address of compromised system • Time frame • Malicious ports • Flow records • Host file © 2014 Property of JurInnov Ltd. All Rights Reserved – Analysis • Event Logs – Escalation
  39. 39. Eradication • Resolution- all that data should have given you action items. If not, look again – List action items – Rank in terms of risk level and time required – Prioritize – Coordinate and track remediation to completion © 2014 Property of JurInnov Ltd. All Rights Reserved • Validation – Confirm measures successfully remediated the incident
  40. 40. © 2014 Property of JurInnov Ltd. All Rights Reserved Recovery • Remediate vulnerabilities • Restore services • Restore data • Restore confidence
  41. 41. Questions
  42. 42. For assistance or additional information • Phone: 216-664-1100 • Web: www.jurinnov.com JurInnov Ltd. The Idea Center 1375 Euclid Avenue, Suite 400 Cleveland, Ohio 44115 © 2014 Property of JurInnov Ltd. All Rights Reserved

×