Preventing Fraud from Top to Bottom 
Information Security Summit 
October 31, 2014 
Session 8: 2:20–3:20 PM 
Dr. Eric A. Vanderburg 
Director, Cyber Security 
JURINNOV Ltd. 
Ramana Gaddamanugu, CFE 
Senior Manager, Risk and Compliance 
JURINNOV Ltd.
Who are we? 
Dr. Eric A. Vanderburg 
Director, Cyber Security 
JURINNOV Ltd. 
Ramana Gaddamanugu, CFE 
Senior Manager, Risk and Compliance 
JURINNOV Ltd. 
© 2014 Property of JurInnov Ltd. All Rights Reserved
Overview 
• Fraud Risks 
• Fraud Controls 
• Anti-Fraud Culture 
• Awareness 
• Fraud Incident Response
Fraud Risks 
• Facts and Figures 
• Fraud factors 
• Laws 
• Case studies 
• Addressing fraud risk 
Facts and figures 
• 65% of fraud cases were discovered by tips or by an employee accidentally stumbling upon them during the course of their job duties. 
• Average organizational cost $5.5 million per incident 
– Ponemon Institute Study, March 2012 
• Financial impact of cybercrime expected to grow 10% per year through 2016 
– Gartner top predictions for 2012 
Fraud factors 
Pressures / Incentives: 
• A situation that is so challenging the person cannot see any other way out 
• Personal financial pressure 
• Family pressures 
• Greed 
• Pressure to meet goals 
Rationalization: 
• A way to justify in the person’s consciousness that the act of fraud is not so bad 
• Common beliefs: 
– Person is owed this money 
– Just borrowing until they are able to pay it back 
– Everyone else is doing it 
Opportunity: 
• The set of circumstances that make it possible to commit fraud 
Laws 
• The Ribicoff Bill 
• The Computer Fraud and Abuse Act of 1986 
• The Electronic Communications Privacy Act of 1986 
• The Communications Decency Act of 1996 
• The Sarbanes-Oxley Act of 2002 (SOX) 
• The Gramm-Leach-Bliley Act (GLBA) 
• The California Database Security Breach Act (2003) 
• Identity Theft Enforcement and Restitution Act of 2008
Case studies 
• Example 1 
– Pressure 
– Opportunity 
– Rationalization 
• Example 2 
– Pressure 
– Opportunity 
– Rationalization 
• Example 3 
– Pressure 
– Opportunity 
– Rationalization 
Addressing fraud risk 
• Performing a fraud risk assessment 
• Options for dealing with risk 
– Accept 
– Mitigate 
– Transfer 
– Avoid 
Addressing risk 
[Chart: the four risk treatment options (Transfer, Accept, Mitigate, Avoid) plotted by Impact (Probability * Loss) against Cost] 
Fraud Controls 
• Access controls 
• Auditing 
• Business continuity 
• Application security 
• Cryptography 
• Security management 
• Governance 
• Segregation of Duties 
Ways controls are executed 
• Manual (performed by people) 
– Examples: Authorizations, Management reviews 
• Automatic (embedded in application code) 
– Examples: Exception reports, Interface controls, System access 
Control categories 
Access controls 
• Least privilege 
• Types of authentication 
– What you have 
– What you are 
– What you know 
Auditing 
• Server audit logs are turned on and retained 
• Proper review of logs and other data 
• Personnel held accountable
Business continuity 
• Key systems have uninterruptable power supplies 
• Backups tested regularly 
• Disaster recovery plans in place 
• Business continuity testing for key systems 
• System maintenance as scheduled 
Application security 
• Security patches up to date 
• Equipment firmware is up to date 
• No unauthorized programs installed 
• Corporate applications have up to date security reviews 
• Antivirus software installed 
• Virus definitions up to date 
Cryptography 
• Data at rest 
– Workstations 
– Servers 
– Backups 
– Laptops 
– Phones 
• Data in motion (in transit) 
– VPN 
– Web site access 
– File transfer 
– Network communication 
Encryption example 
Security management 
• Configuration changes approved prior to implementation 
• Incidents handled by incident response plans 
• Media sanitized before being reused or disposed 
Governance 
• Security policies and procedures in place 
• Systems have documented security controls 
• Documented roles and responsibilities 
Segregation of Duties 
• Process 
• Systems 
• Roles and Authority 
• Oversight 
• Audit 
Test types 
• Inquiry 
– Interview staff to validate knowledge of a policy or requirement 
– Inquiry alone is not a sufficient test 
• Inspection 
– Review sample of source documents for evidence of control execution 
– Review exception reports and related documentation to identify preventive control failures and validate for risk occurrence 
– Reconcile process/system documentation to actual operation 
• Observation 
– Monitor personnel to validate execution of manual controls 
– Observe occurrence of automated controls (e.g. popup warnings) 
• Re-performing 
– Enter an illegal transaction to test control operation 
– Enter a valid transaction to test control operation
Anti-Fraud Culture 
• Role of leadership 
• Reinforcing the culture day to day 
• Business integration 
• Making it happen 
Role of leadership 
• Incenting the behavior 
• Assignments and accountabilities 
• Personal contribution reports 
• Performance reviews 
• Daily interactions with team members 
• New system and process deployment 
Role of leadership 
• Take a quick pulse 
• Demonstrate that security is critical 
• Challenge assumptions of security 
• Ask about the risks 
• Monitor, measure, report 
• Hold everyone accountable 
• Reward behaviors 
• Debrief projects including security focus 
Reinforcing the culture: Day to Day 
• Monitoring, measuring and reporting 
• Integrating with business metrics 
• Weekly management meetings 
• Monthly dashboard review with employees 
• Quarterly goals met 
• Team rewards 
Business integration 
Anti-fraud Strategy 
• Priorities 
• Roles and responsibilities 
• Targeted capabilities 
• Specific goals (timeframe) 
Business Strategy 
• Core values 
• Purpose 
• Capabilities 
• Client promise 
• Business targets 
• Specific goals 
• Initiatives 
• Action items 
• Assignments and accountabilities
Making it happen 
• Ask where are we today? 
– High level survey – taking the pulse 
– Assessment 
• Define and communicate expectations 
– Company policies 
– Employee training 
– Third party contract requirements 
Making it happen 
• Implement changes 
– Workflow (make it easy) 
– Technology 
– Physical 
• Ask how are we doing? 
– Checkpoints 
– Audits 
Awareness 
• Types of fraud 
• Everyone’s responsibility 
• Recognizing fraud 
• Who to notify 
• Whistleblowing policy 
Fraud Incident Response 
• Preparation 
• Identification 
• Containment 
• Investigation 
• Eradication 
• Recovery 
Preparation 
• Document procedures for likely incidents 
• Document steps for a non-specific incident 
• Prepare resources 
– Human 
– Technical 
– Is geographic diversity needed? 
• Determine notification procedure 
• Roles and responsibilities 
• Simulation 
• Review and maintenance
Identification 
• Use of dormant accounts 
• Log alteration 
• Notification by partner or peer 
• Violation of policy 
• Violation of law 
• Loss of availability 
• Unusual consumption of computing resources 
• Unusual network activity 
• Corrupt files 
• Data breach 
• Reported attacks 
• Activity at unexpected times 
• Unusual email traffic 
• Presence of unfamiliar files 
• Execution of unknown programs
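The Auditing slide asks for retained logs and proper review of them, and the Identification list above names what that review should surface. This added example (not part of the original deck) scans constructed login records for two of the listed indicators, use of dormant accounts and activity at unexpected times, and also reports successful logins by accounts absent from the baseline. The log format, the 90-day dormancy threshold, the business-hours window and the sample lines are all assumptions.

```python
"""Review of login records for indicators from the Identification slide:
use of dormant accounts and activity at unexpected times.

Added example, not from the slide deck. The key=value log format, the
baseline of last-seen dates, the thresholds and the sample lines are constructed.
"""
from datetime import datetime, timedelta

DORMANT_DAYS = 90          # assumption: 90+ days without a login counts as dormant
BUSINESS_HOURS = (7, 19)   # assumption: 07:00-18:59 local time, Monday to Friday

# Constructed baseline: last successful login per known account before the review window.
LAST_SEEN = {
    "jsmith": "2014-10-20T09:15:00",
    "mjones": "2014-06-01T14:02:00",     # no activity for over four months
    "svc_backup": "2014-10-25T23:00:00",
}

# Constructed log lines; the review window is the weekend before the session date.
SAMPLE_LOG = """\
2014-10-27T08:31:10 LOGIN user=jsmith src=10.0.0.5 result=success
2014-10-27T02:13:44 LOGIN user=mjones src=10.0.0.77 result=success
2014-10-27T09:00:01 LOGIN user=svc_backup src=10.0.0.9 result=success
2014-10-26T11:45:12 LOGIN user=jsmith src=10.0.0.5 result=success
2014-10-27T10:20:00 LOGIN user=ghost src=10.0.0.88 result=success
2014-10-27T10:21:00 LOGIN user=jsmith src=10.0.0.5 result=failure
"""


def parse_line(line):
    """Parse '<iso timestamp> <EVENT> key=value ...' into a dict."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    rec.update(f.split("=", 1) for f in fields)
    return rec


def review(log_text, last_seen=LAST_SEEN, dormant_days=DORMANT_DAYS, hours=BUSINESS_HOURS):
    """Return (timestamp, user, reason) findings in time order.

    Only successful logins are judged; each one then becomes the account's new
    last-seen time so a second login minutes later is not flagged as dormant again.
    """
    findings = []
    seen = {u: datetime.fromisoformat(t) for u, t in last_seen.items()}
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    for rec in records:
        if rec["event"] != "LOGIN" or rec.get("result") != "success":
            continue
        user, ts = rec["user"], rec["ts"]
        if user not in seen:
            findings.append((ts, user, "unknown account"))
        elif ts - seen[user] > timedelta(days=dormant_days):
            findings.append((ts, user, "dormant account used"))
        if ts.weekday() >= 5 or not (hours[0] <= ts.hour < hours[1]):
            findings.append((ts, user, "activity at unexpected time"))
        seen[user] = ts
    return findings


if __name__ == "__main__":
    for ts, user, reason in review(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user:12} {reason}")
```

A real review also has to cover the "Log alteration" indicator, which this scan cannot see from the log itself; that needs the logs shipped to a store the administrators of the source system cannot modify, per the "Personnel held accountable" point under Auditing.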
Containment 
• Assembly 
• Restrict Access 
• Preservation 
• Notification 
Investigation 
• Interviewing 
• Documentation 
– IP address of compromised system 
– Time frame 
– Malicious ports 
– Flow records 
– Host file 
• Analysis 
– Event Logs 
• Escalation
Eradication 
• Resolution: all that data should have given you action items. If not, look again 
– List action items 
– Rank in terms of risk level and time required 
– Prioritize 
– Coordinate and track remediation to completion 
• Validation 
– Confirm measures successfully remediated the incident
Recovery 
• Remediate vulnerabilities 
• Restore services 
• Restore data 
• Restore confidence
Questions
For assistance or additional information 
• Phone: 216-664-1100 
• Web: www.jurinnov.com 
JurInnov Ltd. 
The Idea Center 
1375 Euclid Avenue, Suite 400 
Cleveland, Ohio 44115 

 
The Legal Case for Cybersecurity
The Legal Case for CybersecurityThe Legal Case for Cybersecurity
The Legal Case for Cybersecurity
 
Internal Controls Over Information Systems
Internal Controls Over Information Systems Internal Controls Over Information Systems
Internal Controls Over Information Systems
 
2015 Angelbeat_ConvergenceMsg-FINAL
2015 Angelbeat_ConvergenceMsg-FINAL2015 Angelbeat_ConvergenceMsg-FINAL
2015 Angelbeat_ConvergenceMsg-FINAL
 
Architelos gac domain abuse best practices feb 12
Architelos gac domain abuse best practices feb 12Architelos gac domain abuse best practices feb 12
Architelos gac domain abuse best practices feb 12
 

More from Eric Vanderburg

GDPR, Data Privacy and Cybersecurity - MIT Symposium
GDPR, Data Privacy and Cybersecurity - MIT SymposiumGDPR, Data Privacy and Cybersecurity - MIT Symposium
GDPR, Data Privacy and Cybersecurity - MIT SymposiumEric Vanderburg
 
Modern Security the way Equifax Should Have
Modern Security the way Equifax Should HaveModern Security the way Equifax Should Have
Modern Security the way Equifax Should HaveEric Vanderburg
 
Cybercrime and Cyber Threats - CBLA - Eric Vanderburg
Cybercrime and Cyber Threats - CBLA - Eric VanderburgCybercrime and Cyber Threats - CBLA - Eric Vanderburg
Cybercrime and Cyber Threats - CBLA - Eric VanderburgEric Vanderburg
 
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...Eric Vanderburg
 
Mobile Forensics and Cybersecurity
Mobile Forensics and CybersecurityMobile Forensics and Cybersecurity
Mobile Forensics and CybersecurityEric Vanderburg
 
Emerging Technologies: Japan’s Position
Emerging Technologies: Japan’s PositionEmerging Technologies: Japan’s Position
Emerging Technologies: Japan’s PositionEric Vanderburg
 
Principles of technology management
Principles of technology managementPrinciples of technology management
Principles of technology managementEric Vanderburg
 
Japanese railway technology
Japanese railway technologyJapanese railway technology
Japanese railway technologyEric Vanderburg
 
Evaluating japanese technological competitiveness
Evaluating japanese technological competitivenessEvaluating japanese technological competitiveness
Evaluating japanese technological competitivenessEric Vanderburg
 
Japanese current and future technology management challenges
Japanese current and future technology management challengesJapanese current and future technology management challenges
Japanese current and future technology management challengesEric Vanderburg
 
Technology management in Japan: Robotics
Technology management in Japan: RoboticsTechnology management in Japan: Robotics
Technology management in Japan: RoboticsEric Vanderburg
 
Incident response table top exercises
Incident response table top exercisesIncident response table top exercises
Incident response table top exercisesEric Vanderburg
 
Deconstructing website attacks - Eric Vanderburg
Deconstructing website attacks - Eric VanderburgDeconstructing website attacks - Eric Vanderburg
Deconstructing website attacks - Eric VanderburgEric Vanderburg
 
The security professional's guide to programming - Eric Vanderburg
The security professional's guide to programming - Eric VanderburgThe security professional's guide to programming - Eric Vanderburg
The security professional's guide to programming - Eric VanderburgEric Vanderburg
 
Guide to protecting networks - Eric Vanderburg
Guide to protecting networks - Eric VanderburgGuide to protecting networks - Eric Vanderburg
Guide to protecting networks - Eric VanderburgEric Vanderburg
 
Ethical hacking Chapter 12 - Encryption - Eric Vanderburg
Ethical hacking   Chapter 12 - Encryption - Eric VanderburgEthical hacking   Chapter 12 - Encryption - Eric Vanderburg
Ethical hacking Chapter 12 - Encryption - Eric VanderburgEric Vanderburg
 

More from Eric Vanderburg (16)

GDPR, Data Privacy and Cybersecurity - MIT Symposium
GDPR, Data Privacy and Cybersecurity - MIT SymposiumGDPR, Data Privacy and Cybersecurity - MIT Symposium
GDPR, Data Privacy and Cybersecurity - MIT Symposium
 
Modern Security the way Equifax Should Have
Modern Security the way Equifax Should HaveModern Security the way Equifax Should Have
Modern Security the way Equifax Should Have
 
Cybercrime and Cyber Threats - CBLA - Eric Vanderburg
Cybercrime and Cyber Threats - CBLA - Eric VanderburgCybercrime and Cyber Threats - CBLA - Eric Vanderburg
Cybercrime and Cyber Threats - CBLA - Eric Vanderburg
 
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
 
Mobile Forensics and Cybersecurity
Mobile Forensics and CybersecurityMobile Forensics and Cybersecurity
Mobile Forensics and Cybersecurity
 
Emerging Technologies: Japan’s Position
Emerging Technologies: Japan’s PositionEmerging Technologies: Japan’s Position
Emerging Technologies: Japan’s Position
 
Principles of technology management
Principles of technology managementPrinciples of technology management
Principles of technology management
 
Japanese railway technology
Japanese railway technologyJapanese railway technology
Japanese railway technology
 
Evaluating japanese technological competitiveness
Evaluating japanese technological competitivenessEvaluating japanese technological competitiveness
Evaluating japanese technological competitiveness
 
Japanese current and future technology management challenges
Japanese current and future technology management challengesJapanese current and future technology management challenges
Japanese current and future technology management challenges
 
Technology management in Japan: Robotics
Technology management in Japan: RoboticsTechnology management in Japan: Robotics
Technology management in Japan: Robotics
 
Incident response table top exercises
Incident response table top exercisesIncident response table top exercises
Incident response table top exercises
 
Deconstructing website attacks - Eric Vanderburg
Deconstructing website attacks - Eric VanderburgDeconstructing website attacks - Eric Vanderburg
Deconstructing website attacks - Eric Vanderburg
 
The security professional's guide to programming - Eric Vanderburg
The security professional's guide to programming - Eric VanderburgThe security professional's guide to programming - Eric Vanderburg
The security professional's guide to programming - Eric Vanderburg
 
Guide to protecting networks - Eric Vanderburg
Guide to protecting networks - Eric VanderburgGuide to protecting networks - Eric Vanderburg
Guide to protecting networks - Eric Vanderburg
 
Ethical hacking Chapter 12 - Encryption - Eric Vanderburg
Ethical hacking   Chapter 12 - Encryption - Eric VanderburgEthical hacking   Chapter 12 - Encryption - Eric Vanderburg
Ethical hacking Chapter 12 - Encryption - Eric Vanderburg
 

Recently uploaded

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 

Recently uploaded (20)

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 

Preventing Fraud from Top to Bottom

1. Preventing Fraud from Top to Bottom
   Information Security Summit, October 31, 2014, Session 8: 2:20–3:20 PM
   Dr. Eric A. Vanderburg, Director, Cyber Security, JURINNOV Ltd.
   Ramana Gaddamanugu, CFE, Senior Manager, Risk and Compliance, JURINNOV Ltd.

2. Who are we?
   Dr. Eric A. Vanderburg, Director, Cyber Security, JURINNOV Ltd.
   Ramana Gaddamanugu, CFE, Senior Manager, Risk and Compliance, JURINNOV Ltd.
   © 2014 Property of JurInnov Ltd. All Rights Reserved

3. Overview
   • Fraud Risks
   • Fraud Controls
   • Anti-Fraud Culture
   • Awareness
   • Fraud Incident Response

4. Fraud Risks
   • Facts and Figures
   • Fraud factors
   • Laws
   • Case studies
   • Addressing fraud risk

5. Facts and figures
   • 65% of fraud cases were discovered by tips or by an employee accidentally stumbling upon them during the course of their job duties.
   • Average organizational cost $5.5 million per incident (Ponemon Institute Study, March 2012)
   • Financial impact of cybercrime expected to grow 10% per year through 2016 (Gartner top predictions for 2012)

6. Fraud factors
   Pressures / Incentives:
   • A situation that is so challenging the person cannot see any other way out
   • Personal financial pressure
   • Family pressures
   • Greed
   • Pressure to meet goals
   Rationalization:
   • A way to justify in the person’s consciousness that the act of fraud is not so bad
   • Common beliefs:
     – Person is owed this money
     – Just borrowing until they are able to pay it back
     – Everyone else is doing it
   Opportunity:
   • The set of circumstances that make it possible to commit fraud

7. Laws
   • The Ribicoff Bill
   • The Computer Fraud and Abuse Act of 1986
   • The Electronic Communications Privacy Act of 1986
   • The Communications Decency Act of 1996
   • The Sarbanes-Oxley Act of 2002 (SOX)
   • The Gramm-Leach-Bliley Act (GLBA)
   • The California Database Security Breach Act (2003)
   • Identity Theft Enforcement and Restitution Act of 2008

8. Case studies
   • Example 1
     – Pressure
     – Opportunity
     – Rationalization

9. Case studies
   • Example 2
     – Pressure
     – Opportunity
     – Rationalization

10. Case studies
   • Example 3
     – Pressure
     – Opportunity
     – Rationalization

11. Addressing fraud risk
   • Performing a fraud risk assessment
   • Options for dealing with risk
     – Accept
     – Mitigate
     – Transfer
     – Avoid

12. Addressing risk
   (Figure: a chart of Impact (Probability * Loss) against Cost, with the four risk responses placed in its regions: Accept, Mitigate, Transfer, Avoid.)

13. Fraud Controls
   • Access controls
   • Auditing
   • Business continuity
   • Application security
   • Cryptography
   • Security management
   • Governance
   • Segregation of Duties

14. Ways controls are executed
   • Manual (performed by people)
     – Examples: Authorizations, Management reviews
   • Automatic (embedded in application code)
     – Examples: Exception reports, Interface controls, System access

15. Control categories
   (Figure only; no slide text captured.)

16. Access controls
   • Least privilege
   • Types of authentication
     – What you have
     – What you are
     – What you know

17. Auditing
   • Server audit logs are turned on and retained
   • Proper review of logs and other data
   • Personnel held accountable

18. Business continuity
   • Key systems have uninterruptible power supplies
   • Backups tested regularly
   • Disaster recovery plans in place
   • Business continuity testing for key systems
   • System maintenance as scheduled

19. Application security
   • Security patches up to date
   • Equipment firmware is up to date
   • No unauthorized programs installed
   • Corporate applications have up-to-date security reviews
   • Antivirus software installed
   • Virus definitions up to date

20. Cryptography
   • Data at rest
     – Workstations
     – Servers
     – Backups
     – Laptops
     – Phones
   • Data in motion (in transit)
     – VPN
     – Web site access
     – File transfer
     – Network communication

21. Encryption example
   (Figure only; no slide text captured.)

22. Security management
   • Configuration changes approved prior to implementation
   • Incidents handled by incident response plans
   • Media sanitized before being reused or disposed

23. Governance
   • Security policies and procedures in place
   • Systems have documented security controls
   • Documented roles and responsibilities

24. Segregation of Duties
   • Process
   • Systems
   • Roles and Authority
   • Oversight
   • Audit
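Slide 14 names exception reports as an automatic control embedded in application code, and slide 24 lists roles and authority, oversight and audit as the elements of segregation of duties. The script below is an added example, not part of the presentation, of such an exception report: it checks a constructed set of user-to-role assignments against a constructed matrix of conflicting duties and lists every user who can both commit and conceal a transaction. Role names, duties and users are all invented for illustration.

```python
"""Segregation-of-duties exception report (added example, not from the slides).

Constructed inputs: a role-to-duty mapping as an ERP system might define it,
a matrix of duty pairs that must never be held by one person, and a set of
user-to-role assignments.  Output: the exception list a control owner or
auditor would review.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations

# Constructed conflict matrix: duty pairs that let a single actor both
# originate a fraudulent transaction and approve or hide it.
CONFLICTING_DUTIES = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"payment_create", "payment_approve"}),
    frozenset({"journal_post", "journal_review"}),
    frozenset({"user_admin", "audit_log_admin"}),
}

# Constructed role definitions (role -> duties the role grants).
ROLE_DUTIES = {
    "ap_clerk": {"vendor_create", "payment_create"},
    "ap_manager": {"payment_approve"},
    "gl_accountant": {"journal_post"},
    "controller": {"journal_review", "payment_approve"},
    "sysadmin": {"user_admin"},
    "security_admin": {"audit_log_admin"},
}


@dataclass(frozen=True)
class SodException:
    user: str
    duty_a: str
    duty_b: str
    roles: tuple[str, ...]  # roles that together grant the conflicting pair


def effective_duties(roles, role_duties):
    """Map each duty a user holds to the set of roles that grant it."""
    duties = {}
    for role in roles:
        for duty in role_duties.get(role, ()):
            duties.setdefault(duty, set()).add(role)
    return duties


def find_sod_exceptions(assignments, role_duties=ROLE_DUTIES,
                        conflicts=CONFLICTING_DUTIES):
    """Return one SodException per (user, conflicting duty pair), sorted by user."""
    exceptions = []
    for user, roles in sorted(assignments.items()):
        held = effective_duties(roles, role_duties)
        for duty_a, duty_b in combinations(sorted(held), 2):
            if frozenset({duty_a, duty_b}) in conflicts:
                granting = tuple(sorted(held[duty_a] | held[duty_b]))
                exceptions.append(SodException(user, duty_a, duty_b, granting))
    return exceptions


def format_report(exceptions):
    """Render the exception list as the text report a reviewer would sign off."""
    if not exceptions:
        return "No segregation-of-duties exceptions found."
    lines = ["user        conflicting duties                      granted by"]
    for e in exceptions:
        pair = f"{e.duty_a} + {e.duty_b}"
        lines.append(f"{e.user:<11} {pair:<39} {', '.join(e.roles)}")
    return "\n".join(lines)


# Constructed assignments: "dana" kept the clerk role after a promotion and
# can now create a vendor, raise a payment to it and approve that payment;
# "erin" administers both user accounts and the audit log.
ASSIGNMENTS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_manager"],
    "carol": ["gl_accountant"],
    "dana": ["ap_clerk", "ap_manager"],
    "erin": ["sysadmin", "security_admin"],
}

if __name__ == "__main__":
    print(format_report(find_sod_exceptions(ASSIGNMENTS)))
```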
25. Test types
   • Inquiry
     – Interview staff to validate knowledge of a policy or requirement
     – Inquiry alone is not a sufficient test
   • Inspection
     – Review sample of source documents for evidence of control execution
     – Review exception reports and related documentation to identify preventive control failures and validate for risk occurrence
     – Reconcile process/system documentation to actual operation
   • Observation
     – Monitor personnel to validate execution of manual controls
     – Observe occurrence of automated controls (e.g. popup warnings)
   • Re-performing
     – Enter an illegal transaction to test control operation
     – Enter a valid transaction to test control operation

26. Anti-Fraud Culture
   • Role of leadership
   • Reinforcing the culture day to day
   • Business integration
   • Making it happen

27. Role of leadership
   • Incenting the behavior
   • Assignments and accountabilities
   • Personal contribution reports
   • Performance reviews
   • Daily interactions with team members
   • New system and process deployment

28. Role of leadership
   • Take a quick pulse
   • Demonstrate that security is critical
   • Challenge assumptions of security
   • Ask about the risks
   • Monitor, measure, report
   • Hold everyone accountable
   • Reward behaviors
   • Debrief projects including security focus

29. Reinforcing the culture: Day to Day
   • Monitoring, measuring and reporting
   • Integrating with business metrics
   • Weekly management meetings
   • Monthly dashboard review with employees
   • Quarterly goals met
   • Team rewards

30. Business integration
   Anti-fraud Strategy:
   • Priorities
   • Roles and responsibilities
   • Targeted capabilities
   • Specific goals (timeframe)
   Business Strategy:
   • Core values
   • Purpose
   • Capabilities
   • Client promise
   • Business targets
   • Specific goals
   • Initiatives
   • Action items
   • Assignments and accountabilities

31. Making it happen
   • Ask where are we today?
     – High level survey – taking the pulse
     – Assessment
   • Define and communicate expectations
     – Company policies
     – Employee training
     – Third party contract requirements

32. Making it happen
   • Implement changes
     – Workflow (make it easy)
     – Technology
     – Physical
   • Ask how are we doing?
     – Checkpoints
     – Audits

33. Awareness
   • Types of fraud
   • Everyone’s responsibility
   • Recognizing fraud
   • Who to notify
   • Whistleblowing policy

34. Fraud Incident Response
   • Preparation
   • Identification
   • Containment
   • Investigation
   • Eradication
   • Recovery

35. Preparation
   – Document procedures for likely incidents
   – Document steps for a non-specific incident
   – Prepare resources
     • Human
     • Technical
   – Is geographic diversity needed?
   – Determine notification procedure
   – Roles and responsibilities
   – Simulation
   – Review and maintenance

36. Identification
   • Use of dormant accounts
   • Log alteration
   • Notification by partner or peer
   • Violation of policy
   • Violation of law
   • Loss of availability
   • Unusual consumption of computing resources
   • Unusual network activity
   • Corrupt files
   • Data breach
   • Reported attacks
   • Activity at unexpected times
   • Unusual email traffic
   • Presence of unfamiliar files
   • Execution of unknown programs
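Two of the identification indicators on slide 36, use of dormant accounts and activity at unexpected times, can be turned into a detector that runs over authentication logs. The script below is an added example and not from the presentation; it assumes a constructed log format of "timestamp user RESULT", a 60-day dormancy threshold and business hours of 07:00 to 18:59 on weekdays, and replays a constructed sample log to produce findings a responder would triage.

```python
"""Detector for two identification indicators (added example, not from the slides):
use of dormant accounts and activity at unexpected times.

Constructed assumptions: one log line per authentication event in the form
"YYYY-MM-DDTHH:MM:SS user RESULT"; an account is dormant when its previous
successful login is more than DORMANT_AFTER ago; expected activity is
07:00-18:59 on Monday to Friday.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=60)
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59, weekdays only


@dataclass(frozen=True)
class Finding:
    when: datetime
    user: str
    indicator: str  # "dormant_account" or "unexpected_time"
    detail: str


def parse_line(line):
    """Parse one log line; return (timestamp, user, result) or None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2]
    except ValueError:
        return None


def scan(lines, dormant_after=DORMANT_AFTER, business_hours=BUSINESS_HOURS):
    """Replay the log in order and emit a Finding for each indicator hit.

    Dormancy is judged against the account's previous successful login in
    the same log, so an account's first login is not flagged (nothing to
    compare against); a deployment would seed last_seen from the identity
    store instead.  Failed logins and malformed lines are ignored.
    """
    last_seen = {}
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, user, result = parsed
        if result != "SUCCESS":
            continue
        previous = last_seen.get(user)
        if previous is not None and when - previous > dormant_after:
            gap = (when - previous).days
            findings.append(Finding(when, user, "dormant_account",
                                    f"previous login {gap} days earlier"))
        if when.weekday() >= 5 or when.hour not in business_hours:
            findings.append(Finding(when, user, "unexpected_time",
                                    when.strftime("%A %H:%M")))
        last_seen[user] = when
    return findings


# Constructed sample log (2014-10-31 is a Friday).  "mjones" returns after
# 79 days of silence and then logs in late at night; "jsmith" returns after
# 86 days and then logs in on a Saturday at 03:20.
SAMPLE_LOG = """\
2014-08-04T09:12:00 jsmith SUCCESS
2014-08-11T09:30:00 mjones SUCCESS
2014-08-05T10:00:00 jsmith SUCCESS
2014-10-29T14:05:00 mjones SUCCESS
2014-10-30T23:47:00 mjones SUCCESS
2014-10-31T08:15:00 jsmith SUCCESS
2014-10-31T08:16:00 jsmith FAILURE
2014-11-01T03:20:00 jsmith SUCCESS
garbage line
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.when:%Y-%m-%d %H:%M} {f.user:<8} {f.indicator:<16} {f.detail}")
```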
37. Containment
   – Assembly
   – Restrict Access
   – Preservation
   – Notification

38. Investigation
   – Interviewing
   – Documentation
     • IP address of compromised system
     • Time frame
     • Malicious ports
     • Flow records
     • Host file
   – Analysis
     • Event Logs
   – Escalation

39. Eradication
   • Resolution: all that data should have given you action items; if not, look again
     – List action items
     – Rank in terms of risk level and time required
     – Prioritize
     – Coordinate and track remediation to completion
   • Validation
     – Confirm measures successfully remediated the incident

40. Recovery
   • Remediate vulnerabilities
   • Restore services
   • Restore data
   • Restore confidence

42. For assistance or additional information
   • Phone: 216-664-1100
   • Web: www.jurinnov.com
   JurInnov Ltd., The Idea Center, 1375 Euclid Avenue, Suite 400, Cleveland, Ohio 44115