This document discusses the changing influences of social media, WikiLeaks, and whistleblowers on the future of IT auditing. It covers topics such as the impact of social media protests like BART, WikiLeaks' role in exposing government and corporate secrets, the emergence of whistleblowing sites like OpenLeaks, and hacktivist groups like Anonymous and LulzSec. It also addresses growth in whistleblowers reporting financial and tax fraud, and challenges facing auditors in detecting abuse and fraud by top executives.
G32 Wiki Leaks Social Media & Whistleblowers The Future Of It Auditing A ...Pw Carey
The document discusses how social media, whistleblowers, and hackers have influenced information sharing through platforms like WikiLeaks and Anonymous, examining incidents like the BART protests and hacks of HBGary and HSBC. It also looks at growth of whistleblowers utilizing new laws and the role of auditors in detecting fraud, referencing a COSO study on common types of fraud committed by executive management. The future of privacy and information security is considered in light of these changing influences on the sharing of sensitive data.
This document discusses cyber warfare and the threats it poses. It defines cyber warfare as using computers and the internet to conduct warfare in cyberspace. It notes governments' vulnerability due to their reliance on internet-connected systems like power grids. Examples are given of cyber attacks on Estonia, the Pentagon, and countries involved in conflicts like Georgia. The document suggests future wars may target critical infrastructure through cyber means to cause damage without risking attackers' lives. It remains unclear if a large-scale cyber war has occurred but attacks are developing and pose threats like crippling a country by disrupting communication, utilities, and access to sensitive information.
The document discusses several key issues related to privacy in the information age:
- Personal data from many major data breaches and hacks has been exposed, including information from Target, Home Depot, Anthem, and the OPM, putting millions of individuals at risk.
- Countries like China, Russia, and the US have significant cyber capabilities and have been accused of hacking for political and economic gains. China in particular has penetrated many US corporations.
- Laws and policies intended to enable surveillance like Section 215 of the PATRIOT Act and Section 702 of the FISA Amendments Act have been criticized for being overly broad and not properly overseen.
- Loss of data privacy and
Privacy in the Information Age [Q3 2015 version]Jordan Peacock
Three key points:
1. The document discusses privacy concerns in the information age, noting increased data collection by both government and private organizations and the lack of adequate legal protections and oversight.
2. Issues addressed include mass surveillance programs, vulnerabilities in internet infrastructure, lack of security practices, and implications for privacy internationally. Countries like the US, China, and Russia are described as major cyber actors.
3. Potential solutions proposed include reforming US surveillance laws, establishing international privacy agreements, incentivizing better security by companies, and consumers practicing layered personal security strategies, though individual options are limited against structural issues. Overall the document outlines growing threats to privacy from inadequate policy responses.
The document provides an overview of the documentary "Future Radicals" which tracks the history and growth of the hacktivist group Anonymous from its beginnings on 4chan to its evolution into a more organized group conducting cyber protests in support of issues like Wikileaks and the Arab Spring. It discusses how Anonymous employs the same digital technologies it aims to protect to conduct distributed denial-of-service attacks and website defacements. The documentary includes insider accounts of Anonymous operations and interviews with cybersecurity experts and Anonymous members on the group's activities and increasing surveillance from law enforcement agencies around the world.
Bashar H. Malkawi, The Forum on National Security LawBashar H. Malkawi
The National Security Law Brief is excited to publish the second issue of the Forum on National Security Law. This issue, completed with the help and support of the Volume IX editorial board, is a project designed to increase the Brief’s scope by providing an opportunity for practitioners and students alike to explore debates in national security law and policy through short, topical pieces.
Presentation on cyber warfare, recent examples, current capabilities of the major players, and issues relating to the advancement of cyber warfare and cyber security in the United States. The Cyber War Forum Initiative is promoted for its role in solving many elements of the issues facing the US.
Cyberwarfare involves politically motivated attacks on computer systems and networks. Many countries are engaging in cyber attacks and developing cyber weapons. A major cyber attack could significantly impact a country's economy and critical infrastructure by disrupting financial systems, communications, and other daily activities that rely on internet connectivity. Protecting against cyber threats will require increased security measures and international cooperation.
The document outlines a proposed 2030 US Cybersecurity Strategy. It discusses current cyber threats and concerns, including from terrorist groups and state actors. Four potential future scenarios are presented based on the uncertainty of terrorist groups and global polarity in 2030. The document recommends shaping actions like international cooperation and hedging actions such as developing resilient infrastructure to protect critical systems and data under the potential scenarios.
This document discusses confidence building measures (CBM) for cyber peace. It provides examples of CBMs used during the Cold War like the hotline between the US and Soviet Union. It argues that communication channels between potential adversaries are important for preventing conflict through miscommunication. Soft law and relationships built over time can help in emergencies. While technology can enable harm, raising digital literacy standards can help ensure technology is used positively. International cooperation is needed to address issues like cyber terrorism and building consensus on definitions and frameworks.
Digital technology has transformed organizational life. Developments in communications, and in information storage and retrieval, to name just two areas, have greatly enhanced the efficiency with which legitimate organizations operate. Unfortunately, the benefits of digital technology are not lost on criminal organizations, which exploit digital technology to enhance the efficiency and effectiveness of their own operations. This paper will discuss the organized criminal exploitation of digital technology, by looking at a number of illustrative cases from Asia and around the world. It will discuss the various types of "conventional" organized crime that can be facilitated by digital technology, as well as terrorism, which itself can be regarded as a special kind of organized criminal activity. One fundamental question that the paper will seek to address is whether the activities of Asian organized crime have become substantively different as a result of technology, or whether traditional organized criminal activities in Asia are merely being conducted on a more efficient and effective basis. The paper will note the transnational nature of much organized criminal activity, and will discuss mechanisms for the control of organized crime in the digital age. Dr. S. Krishnan | Mr Harsh Pratap | Ms Sakshi Gupta "Organised Crime in the Digital Age" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-4, June 2021, URL: https://www.ijtsrd.compapers/ijtsrd41185.pdf Paper URL: https://www.ijtsrd.comcomputer-science/computer-security/41185/organised-crime-in-the-digital-age/dr-s-krishnan
President Bill Clinton gave a speech declaring cyber attacks a serious threat and hackers a primary source of this threat. He claimed hackers have stolen information, raided bank accounts, run up credit card charges, and extorted money by threatening to unleash viruses. However, hackers argue there is little evidence of these acts and that insiders, criminals, or those with grudges are more likely culprits. Clinton's characterization of hackers is unfair and inaccurate according to their perspective. The speech also proposed allocating billions of dollars and potentially placing the military in charge of fighting cyber threats domestically, concerning civil liberties.
This document discusses how terrorist organizations use the internet and social media. It outlines that the internet provides an ideal platform for terrorism due to easy and anonymous communication, low costs, and ability to spread information quickly to vast audiences. It describes how terrorists utilize various online facilities like email, social media, video sharing sites for purposes like propaganda, recruitment, fundraising, and sharing tactical information. The document warns that the internet enables new threats like online radicalization and internet-based training for terrorists.
Cyberdefense strategy - Boston Global Forum - 2017NgocHaBui1
This document discusses principles for developing an effective national cyber defense strategy. It notes the increasing threats from state and non-state actors conducting cyber attacks that disrupt infrastructure and steal data and money. An effective strategy should streamline government cyber operations, increase public support through education, and strongly collaborate with the private sector. Key principles include characterizing thresholds for considering attacks a national security risk, resolving issues around hack back authority between government and industry, and connecting national strategy to local governance for response.
The document discusses the February issue of (IN)SECURE Magazine. It mentions that the issue focuses on Android security and includes articles on web security, shellcode, mobile security, and more. It also notes that the RSA Conference will be held later in February, which the magazine will cover. It provides contact information for the magazine.
Hacking Municipal Government Best Practices for Protection of Sensitive Loc...Ben Griffith
1. Local governments are increasingly being targeted by cyber attacks as more infrastructure becomes internet-connected. This exposes sensitive data and critical systems to risks.
2. State and local governments are often unprepared to deal with cybersecurity threats due to a lack of skilled personnel and budgetary resources. They also may not adequately share intelligence about threats.
3. The annual cost of cyber attacks on businesses alone is estimated to be between $400-500 billion. Securing critical infrastructure like power grids against cyber threats will require tremendous resources, with some projections putting worldwide annual cybersecurity costs at trillions of dollars by 2020.
The Brazilian Cybercriminal Underground in 2015Felipe Prado
The document discusses the Brazilian cybercriminal underground in 2015. It describes how young Brazilian cybercriminals are boldly displaying their illegal activities online. It outlines two main types of players - developers who create banking malware and other tools, and operators who use these tools. Popular offerings in the Brazilian underground include banking malware, ransomware, tutorials for learning cybercriminal skills, and the online sale of counterfeit goods and documents that were previously only available on physical black markets. Law enforcement faces challenges in addressing this growing cybercrime problem in Brazil.
Hello dr. aguiar and classmates,for this week’s forum we were assimba35
The document discusses three potential capstone project topics related to security management. Topic 1 examines the positive and negative effects of implementing Crime Prevention Through Environmental Design (CPTED) at public schools. Topic 2 focuses on the essential need for U.S. maritime port security and the importance of compatibility between private and government security functions. Topic 3 addresses the required need for adequate training of private security professionals and how integrated training with law enforcement could advance security.
Instructions please write a 5 page paper answering the question consimba35
Stuxnet was a sophisticated computer virus that targeted Iran's nuclear program in 2010. It exploited vulnerabilities in Windows and industrial control systems to damage nuclear centrifuges at Natanz. Stuxnet demonstrated the destructive potential of cyberweapons and marked the emergence of cyberwarfare. The document discusses Stuxnet's technical details and impact, and poses questions about preventing future cyberattacks of this nature.
2009 10 21 Rajgoel Trends In Financial CrimesRaj Goel
The document summarizes trends in various types of financial crimes including data breaches, identity theft, mortgage fraud, and other cybercrimes from 2005 to 2009. It discusses specific cases like the Sony rootkit scandal and fraud involving forged deeds and stolen identities that resulted in people losing their homes. The document also mentions the large economic impact of crimes like telemarketing fraud and the growing problem of botnets and zombie computers being used to steal data and money.
A study found that Chinese hacking of American companies sharply dropped off in the year before President Obama and President Xi agreed to curb cyberespionage. This is attributed to Xi's efforts to bring the military, a main sponsor of attacks, under control. While some targets are still hit, the daily barrage has diminished due to public pressure from indictments of Chinese officers. The agreement between Obama and Xi narrowly covers intellectual property theft but not ordinary espionage against government targets.
What if Petraeus was a hacker? Email privacy for the rest of usPhil Cryer
The document discusses the privacy of email and how David Petraeus's affair with Paula Broadwell was discovered through their emails. It notes that Petraeus and Broadwell tried to avoid creating an email trail by composing draft emails and leaving them in a draft folder for the other to access. The FBI was ultimately able to use subpoenas to obtain IP logs connecting Broadwell's anonymous Gmail account to others accessed from her devices, confirming her involvement with Petraeus. The discovery of the affair led to Petraeus's resignation as CIA director.
CyberSecurity: Intellectual Property dispute fuels CyberwarElyssa Durant
The White House unveiled a new international cybersecurity strategy with the goal of working with other nations to promote a secure and open internet. The strategy includes establishing international cybersecurity standards and consequences for countries that fail to meet them. It also directs the Department of Homeland Security to take the lead in protecting federal government IT systems.
The document discusses the history and current state of cyber warfare between several nations including Israel/Palestine, India/Pakistan, the US/Al Qaeda, Cuba/US, and China/US. It outlines the key hackers and groups involved on both sides of these conflicts, their main targets and strategies. It also examines how cyber warfare has influenced military operations and foreign policy, and considers its importance relative to traditional warfare.
The document discusses government surveillance and its threats to privacy. It states that numerous government agencies, including the NSA, FBI, and DHS, intrude on private communications and collect vast amounts of data on citizens' phone calls and activities under vague security standards. This data collection is an invasion of privacy, and the data is often misused, with innocent people facing consequences like travel restrictions or job barriers. Once collected, data can be widely shared and retained for years without oversight.
San Francisco Isaca Fall Security Conference G32 A Modest Via Cobi T Proposal...Pw Carey
The document maps the control objectives of ITIL V3, ISO/IEC 27002, and CobiT 4.1 frameworks across each process area. It provides mappings for four process areas: Acquire and Implement (AI), Deliver and Support (DS), Monitor and Evaluate (ME), and Plan and Organize (PO). For each process area, it lists the relevant control objectives from each framework and the associated section numbers to show how they correspond to one another. It concludes by thanking the audience and providing contact information for the author.
San Francisco Isaca 2010 Fall Security Conference C24 Fraud In The Workplac...Pw Carey
1) The document discusses Cressey's Fraud Triad which outlines the three factors that commonly lead to fraud: perceived unshareable financial need, perceived opportunity, and rationalization.
2) It provides an overview of common mistakes made by whistleblowers and steps that should be taken when exposing wrongdoing.
3) The document outlines the typical steps involved in a mock trial, including opening statements, witness questioning, closing arguments, and the jury deliberating to reach a verdict.
The document outlines a proposed 2030 US Cybersecurity Strategy. It discusses current cyber threats and concerns, including from terrorist groups and state actors. Four potential future scenarios are presented based on the uncertainty of terrorist groups and global polarity in 2030. The document recommends shaping actions like international cooperation and hedging actions such as developing resilient infrastructure to protect critical systems and data under the potential scenarios.
This document discusses confidence building measures (CBM) for cyber peace. It provides examples of CBMs used during the Cold War like the hotline between the US and Soviet Union. It argues that communication channels between potential adversaries are important for preventing conflict through miscommunication. Soft law and relationships built over time can help in emergencies. While technology can enable harm, raising digital literacy standards can help ensure technology is used positively. International cooperation is needed to address issues like cyber terrorism and building consensus on definitions and frameworks.
Digital technology has transformed organizational life. Developments in communications, and in information storage and retrieval, to name just two areas, have greatly enhanced the efficiency with which legitimate organizations operate. Unfortunately, the benefits of digital technology are not lost on criminal organizations, which exploit digital technology to enhance the efficiency and effectiveness of their own operations. This paper will discuss the organized criminal exploitation of digital technology, by looking at a number of illustrative cases from Asia and around the world. It will discuss the various types of “conventional†organized crime that can be facilitated by digital technology, as well as terrorism, which itself can be regarded as a special kind of organized criminal activity. One fundamental question that the paper will seek to address is whether the activities of Asian organized crime have become substantively different as a result of technology, or whether traditional organized criminal activities in Asia are merely being conducted on a more efficient and effective basis. The paper will note the transnational nature of much organized criminal activity, and will discuss mechanisms for the control of organized crime in the digital age. Dr. S. Krishnan | Mr Harsh Pratap | Ms Sakshi Gupta "Organised Crime in the Digital Age" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-4 , June 2021, URL: https://www.ijtsrd.compapers/ijtsrd41185.pdf Paper URL: https://www.ijtsrd.comcomputer-science/computer-security/41185/organised-crime-in-the-digital-age/dr-s-krishnan
President Bill Clinton gave a speech declaring cyber attacks a serious threat and hackers a primary source of this threat. He claimed hackers have stolen information, raided bank accounts, run up credit card charges, and extorted money by threatening to unleash viruses. However, hackers argue there is little evidence of these acts and that insiders, criminals, or those with grudges are more likely culprits. Clinton's characterization of hackers is unfair and inaccurate according to their perspective. The speech also proposed allocating billions of dollars and potentially placing the military in charge of fighting cyber threats domestically, concerning civil liberties.
This document discusses how terrorist organizations use the internet and social media. It outlines that the internet provides an ideal platform for terrorism due to easy and anonymous communication, low costs, and ability to spread information quickly to vast audiences. It describes how terrorists utilize various online facilities like email, social media, video sharing sites for purposes like propaganda, recruitment, fundraising, and sharing tactical information. The document warns that the internet enables new threats like online radicalization and internet-based training for terrorists.
Cyberdefense strategy - Boston Global Forum - 2017NgocHaBui1
This document discusses principles for developing an effective national cyber defense strategy. It notes the increasing threats from state and non-state actors conducting cyber attacks that disrupt infrastructure and steal data and money. An effective strategy should streamline government cyber operations, increase public support through education, and strongly collaborate with the private sector. Key principles include characterizing thresholds for considering attacks a national security risk, resolving issues around hack back authority between government and industry, and connecting national strategy to local governance for response.
The document discusses the February issue of (IN)SECURE Magazine. It mentions that the issue focuses on Android security and includes articles on web security, shellcode, mobile security, and more. It also notes that the RSA Conference will be held later in February, which the magazine will cover. It provides contact information for the magazine.
Hacking Municipal Government Best Practices for Protection of Sensitive Loc...Ben Griffith
1. Local governments are increasingly being targeted by cyber attacks as more infrastructure becomes internet-
connected. This exposes sensitive data and critical systems to risks.
2. State and local governments are often unprepared to deal with cybersecurity threats due to a lack of skilled
personnel and budgetary resources. They also may not adequately share intelligence about threats.
3. The annual cost of cyber attacks on businesses alone is estimated to be between $400-500 billion. Securing critical
infrastructure like power grids against cyber threats will require tremendous resources, with some projections
putting worldwide annual cybersecurity costs at trillions of dollars by 2020.
The Brazilian Cybercriminal Underground in 2015Felipe Prado
The document discusses the Brazilian cybercriminal underground in 2015. It describes how young Brazilian cybercriminals are boldly displaying their illegal activities online. It outlines two main types of players - developers who create banking malware and other tools, and operators who use these tools. Popular offerings in the Brazilian underground include banking malware, ransomware, tutorials for learning cybercriminal skills, and the online sale of counterfeit goods and documents that were previously only available on physical black markets. Law enforcement faces challenges in addressing this growing cybercrime problem in Brazil.
Hello dr. aguiar and classmates,for this week’s forum we were assimba35
The document discusses three potential capstone project topics related to security management. Topic 1 examines the positive and negative effects of implementing Crime Prevention Through Environmental Design (CPTED) at public schools. Topic 2 focuses on the essential need for U.S. maritime port security and the importance of compatibility between private and government security functions. Topic 3 addresses the required need for adequate training of private security professionals and how integrated training with law enforcement could advance security.
Instructions please write a 5 page paper answering the question consimba35
Stuxnet was a sophisticated computer virus that targeted Iran's nuclear program in 2010. It exploited vulnerabilities in Windows and industrial control systems to damage nuclear centrifuges at Natanz. Stuxnet demonstrated the destructive potential of cyberweapons and marked the emergence of cyberwarfare. The document discusses Stuxnet's technical details and impact, and poses questions about preventing future cyberattacks of this nature.
2009 10 21 Rajgoel Trends In Financial CrimesRaj Goel
The document summarizes trends in various types of financial crimes including data breaches, identity theft, mortgage fraud, and other cybercrimes from 2005 to 2009. It discusses specific cases like the Sony rootkit scandal and fraud involving forged deeds and stolen identities that resulted in people losing their homes. The document also mentions the large economic impact of crimes like telemarketing fraud and the growing problem of botnets and zombie computers being used to steal data and money.
A study found that Chinese hacking of American companies sharply dropped off in the year before President Obama and President Xi agreed to curb cyberespionage. This is attributed to Xi's efforts to bring the military, a main sponsor of attacks, under control. While some targets are still hit, the daily barrage has diminished due to public pressure from indictments of Chinese officers. The agreement between Obama and Xi narrowly covers intellectual property theft but not ordinary espionage against government targets.
What if Petraeus was a hacker? Email privacy for the rest of usPhil Cryer
The document discusses the privacy of email and how David Petraeus's affair with Paula Broadwell was discovered through their emails. It notes that Petraeus and Broadwell tried to avoid creating an email trail by composing draft emails and leaving them in a draft folder for the other to access. The FBI was ultimately able to use subpoenas to obtain IP logs connecting Broadwell's anonymous Gmail account to others accessed from her devices, confirming her involvement with Petraeus. The discovery of the affair led to Petraeus's resignation as CIA director.
CyberSecurity: Intellectual Property dispute fuels CyberwarElyssa Durant
The White House unveiled a new international cybersecurity strategy with the goal of working with other nations to promote a secure and open internet. The strategy includes establishing international cybersecurity standards and consequences for countries that fail to meet them. It also directs the Department of Homeland Security to take the lead in protecting federal government IT systems.
The document discusses the history and current state of cyber warfare between several nations including Israel/Palestine, India/Pakistan, the US/Al Qaeda, Cuba/US, and China/US. It outlines the key hackers and groups involved on both sides of these conflicts, their main targets and strategies. It also examines how cyber warfare has influenced military operations and foreign policy, and considers its importance relative to traditional warfare.
The document discusses government surveillance and its threats to privacy. It states that numerous government agencies, including the NSA, FBI, and DHS, intrude on private communications and collect vast amounts of data on citizens' phone calls and activities under vague security standards. This data collection is an invasion of privacy, and the data is often misused, with innocent people facing consequences like travel restrictions or job barriers. Once collected, data can be widely shared and retained for years without oversight.
San Francisco Isaca Fall Security Conference G32 A Modest Via Cobi T Proposal..., by Pw Carey
The document maps the control objectives of ITIL V3, ISO/IEC 27002, and CobiT 4.1 frameworks across each process area. It provides mappings for four process areas: Acquire and Implement (AI), Deliver and Support (DS), Monitor and Evaluate (ME), and Plan and Organize (PO). For each process area, it lists the relevant control objectives from each framework and the associated section numbers to show how they correspond to one another. It concludes by thanking the audience and providing contact information for the author.
San Francisco Isaca 2010 Fall Security Conference C24 Fraud In The Workplac..., by Pw Carey
1) The document discusses Cressey's Fraud Triad which outlines the three factors that commonly lead to fraud: perceived unshareable financial need, perceived opportunity, and rationalization.
2) It provides an overview of common mistakes made by whistleblowers and steps that should be taken when exposing wrongdoing.
3) The document outlines the typical steps involved in a mock trial, including opening statements, witness questioning, closing arguments, and the jury deliberating to reach a verdict.
San Francisco Isaca Fall Security Conference G32 A Modest Via Cobi T Proposal..., by Pw Carey
The document maps the control objectives of ITIL V3, ISO/IEC 27002, and CobiT 4.1 frameworks. It provides mappings for each process area (Acquire and Implement, Deliver and Support, Monitor and Evaluate, Plan and Organize) and lists the relevant control objectives from each framework. Tables and diagrams are used to visually depict the mappings between frameworks. The document aims to show alignments between the frameworks to benefit business.
C24 Fraud In The Workplace 3 Mock Trials)[1], by Pw Carey
The document summarizes key aspects of Eli Lilly's audit committee charter and compliance program for monitoring sales and marketing activities. It notes that Lilly conducts risk-based monitoring and auditing of sales and marketing functions. However, a prosecution witness alleges that Lilly salespeople used tactics like planted questions at physician events to promote off-label uses of the drug Zyprexa, despite risks of weight gain.
ISACA San Francisco 2011 Fall Security Conference G32 A Modest Proposal, by Pw Carey
The document maps the control objectives of ITIL V3, ISO/IEC 27002, and CobiT 4.1 frameworks across each process area. It provides mappings for four process areas: Acquire and Implement (AI), Deliver and Support (DS), Monitor and Evaluate (ME), and Plan and Organize (PO). For each process area, it lists the relevant control objectives from each framework and the associated page numbers where the mappings are described in detail. It concludes by thanking the audience and providing contact information for the author.
Self-adjusting Recommendations for People-driven Ad-hoc Processes, by christophdorn
Presented at the BPM2010 conference by Thomas Burkhart (DFKI) and Christoph Dorn (Vienna University of Technology): supporting experts and generalists in people-driven processes by continuously evaluating which recommendations these people need while updating the underlying ad-hoc process model.
The European Union has agreed an oil embargo against Russia in response to the invasion of Ukraine. The embargo will ban seaborne imports of Russian oil into the EU and end deliveries through pipelines within six months. The measure is part of a sixth package of EU sanctions intended to increase economic pressure on Moscow and deprive the Kremlin of funds to finance its war.
David Kaleel and DPGroup LLC provide a range of professional consulting services to businesses from small startups to large corporations, including strategic partnerships, management consulting, board advisors, mentoring, and commercial real estate services. They have over 30 years of experience working with companies across many industries. Their services are designed to meet each client's unique needs and provide cost-effective solutions to improve operations and foster business success.
The document discusses how technology has advanced rapidly in recent decades. It notes that today's average consumer wears more computing power than existed in the entire world in 1961. Computer power is now 8,000 times less expensive than 30 years ago. The document also discusses how technology has increased the amount of information available, noting that more information has been produced in the last 30 years than the previous 5,000 years. However, it cautions that technology should be used to facilitate learning rather than dominate in the classroom.
The document summarizes the evolution of the American system of government from the Articles of Confederation to the U.S. Constitution. Key figures like Jefferson, Madison, and Washington came together and drafted a new Constitution that established a more centralized federal government with three branches: the executive, led by the President; the judicial, headed by the Supreme Court; and the legislative, composed of Congress. The Constitution and the addition of the Bill of Rights helped transform the loose confederation of states under the Articles into a unified national government.
The document discusses the benefits of exercise for mental health. Regular physical activity can help reduce anxiety and depression and improve mood and cognitive functioning. Exercise causes chemical changes in the brain that may help protect against mental illness and improve symptoms.
Cyber Resilience presented at the Malta Association of Risk Management (MARM) Cybercrime Seminar of 24 June 2013 by Mr Donald Tabone. Mr Tabone, Associate Director and Head of Information Protection and Business Resilience Services at KPMG Malta, presented a six-point action plan corporate entities can follow in order to reach a sustainable level of cyber resilience.
An APM webinar sponsored by the APM Midlands Branch on 15 March 2022.
Speaker: Fábio Morais
An overview of the people behind major cybercriminal activities, the dark web and how much your data is worth; and finally what basic measures project managers should be putting in place to reduce the cyber-risk profile of their projects.
In today’s data-driven world, data breaches can affect projects that touch hundreds of millions or even billions of people at a time. Digital transformation has increased the volume of data in motion, and data breaches have scaled up with it as attackers exploit the data dependencies of daily life.
With recent attacks threatening to derail high-profile projects, it’s vital that the risks are identified and actions implemented, not only to protect project data, but to protect project managers and stakeholders.
Most cybercrime is an attack on information about individuals, corporations, or governments, and events can occur in jurisdictions separated by vast distances. The Internet offers criminals multiple hiding places in the real world as well as in the network itself, posing severe problems for law enforcement, since international cooperation is usually required to investigate and attempt to track down cybercriminals.
But who are these individuals and where exactly does cybercrime take place? What, as project professionals, can we do to protect ourselves?
We look to answer these questions by lifting the veil of hacking and the Dark Web.
https://youtu.be/TDXPetxXDMA
https://www.apm.org.uk/news/cyber-security-for-project-managers-lifting-the-veil-of-hacking-webinar/
Whistle Blower - Another Reason why Open Government is Important, by Mujtaba Hussain
The document discusses whistleblowers and provides several definitions and perspectives on what constitutes a whistleblower. It also provides brief summaries on notable whistleblowers such as Chelsea Manning, Julian Assange, and Mark Klein. While whistleblowing aims to expose unlawful or unethical behavior, whistleblowers often face negative consequences for their actions such as termination, legal punishment, or risk to their safety and security. However, in some cases whistleblowers have also received compensation or recognition for bringing important issues to light in the public interest. The document concludes that laws protecting whistleblowers are important but not always effective, and more participatory democracy is needed to support whistleblowers and the information they bring forward.
- Ethical hacking involves discovering vulnerabilities in systems through authorized penetration testing to improve security. Ethical hackers have strong technical skills and work to answer questions about what intruders can access and do on targeted systems.
- The Certified Ethical Hacker (C|EH) certification from EC-Council covers topics including reconnaissance, scanning, enumeration, hacking web servers, social engineering, cryptography, and penetration testing to evaluate system defenses.
- Ethical hackers are paid well, with experienced consultants earning over $120,000 annually and freelancers receiving $10,000-$45,000 per project. Many large organizations have certified ethical hackers on staff to test their security.
- PRISM is a classified US government program to collect internet communications from major internet companies like Google and Facebook.
- It was revealed to the public in 2013 after former NSA contractor Edward Snowden leaked classified documents about the program.
- PRISM collects emails, photos, videos, logs of online chats, file transfers and more, with the stated goal of monitoring communications of non-US citizens outside the US.
Chapter 3: Ethics and Privacy (c03EthicsandPrivacy.indd), by arnit1
[ LEARNING OBJECTIVES ]
1. Define ethics, list and describe the three fundamental tenets of ethics, and describe the four categories of ethical issues related to information technology.
2. Identify three places that store personal data, and for each one, discuss at least one potential threat to the privacy of the data stored there.
[ CHAPTER OUTLINE ]
3.1 Ethical Issues
3.2 Privacy
[ WEB RESOURCES ]
Student Companion Site: wiley.com/college/rainer
• Student PowerPoints for note taking
• Interactive Case: Ruby’s Club Assignments
• Complete glossary
WileyPlus: all of the above and
• E-book
• Mini-lecture by author for each chapter section
• Practice quizzes
• Flash Cards for vocabulary review
• Additional “What’s in IT for Me?” cases
• Video interviews with managers
• Lab Manual for Microsoft Office 2010
• How-to Animations for Microsoft Office 2010
What’s In IT For Me? This chapter will help prepare you to (across the POM, FIN, HRM, MKT, MIS and ACCT functions):
• Ensure correctness of annual reports
• Adhere to regulatory environment
• Monitor labor laws overseas
• Monitor appropriate use of IT in workplace
• Monitor correct use of sensitive company data
• Ensure privacy of customers
[ What to Do About WikiLeaks? ]
The Problem (?)
One of the major controversies generated by the Vietnam War occurred in 1971, when The New York Times and other sources publicized excerpts from a secret Defense Department study—quickly labeled The Pentagon Papers—that detailed the history of U.S. involvement in Southeast Asia. These documents had been copied by defense analyst Daniel Ellsberg, one of the contributors to the study. Given the existing technologies, Ellsberg had to photocopy thousands of documents by hand. Today, whistleblowers—employees with insider knowledge of an organization—can capture huge amounts of incriminating documents on a laptop, memory stick, or portable hard drive. They can send the information through personal e-mail accounts or online drop sites, or they can simply submit it directly to WikiLeaks (www.wikileaks.org).
WikiLeaks was officially unveiled in December 2006. Julian Assange, one of the founders, was reportedly inspired by the leak of the Pentagon Papers. Assange intended WikiLeaks to serve as a dropbox for anyone, anywhere, who disagreed with any organization’s activities or secrets. According to its Web site, WikiLea ...
The document discusses the Human Tissue Act 2004 in the UK. Some key points:
- The Act regulates the removal, storage, use and disposal of human tissue from deceased and living persons for research.
- Consent is required to use tissue from deceased individuals and can be given by the deceased prior to death or a representative after death.
- Consent is also required to use tissue from living individuals and they can withdraw their consent at any time, though collected tissue may still be stored and used for previous research.
- The Act and Human Tissue Authority were created to standardize practices around human tissue research while protecting participant rights and safety.
The Best Online Security Service for
CIM – Central Management
Log Monitoring
Intrusion Detection Systems
Firewall Monitoring System
Host based IDSs
Vulnerability Scanning
Evidence Retention
CIM Intelligence
This presentation outlines the leaps and bounds of Cloud Computing and Risk Management in the age of enormous global data surveillance, whistle blowers, Wikileaks, data leakage and what to do to protect data.
This document discusses social engineering techniques such as exploiting human traits like fear, anxiety, and trust to elicit information that can be used to steal data, access systems, or manipulate others. It provides examples of common social engineering attacks like phishing and pretexting calls. It also outlines defenses against social engineering like implementing least privilege access, strong password policies, and security awareness training.
Michael Calce, who went by the online alias "Mafiaboy", launched denial-of-service attacks in 2000 that temporarily shut down major websites like Yahoo!, eBay and CNN when he was 15 years old. This led to a manhunt by law enforcement agencies. Calce has now written a memoir, "Mafiaboy: How I Cracked the Internet and Why It's Still Broken", recounting his criminal past and examining current online security issues.
Dark Side of Decentralization – What are the Hidden Risks in a Blockchain Rev..., by Tommi /. Vuorenmaa
The document discusses the risks of anonymity in blockchain and cryptocurrencies. It notes that while anonymity protects free speech, it can also enable illicit activity like money laundering. Regulators in the US have started cracking down on fraudulent or unregistered coin offerings that resemble securities. The SEC uses the Howey Test to determine if a coin is actually an investment contract and thus subject to securities laws. Overall the document examines the tradeoffs between privacy and oversight in cryptocurrency markets.
Dr. Shawn P. Murray was invited to the National Security Institute in April 2012 to present current topics related to social engineering and the threats they pose to organizations and their sensitive information. This presentation analyzes the principles of social engineering tactics as they relate to technology and security practices. Dr. Murray is a well known Cyber Security professional and has presented at various conferences regarding Cyber Security and Information Assurance topics.
The document discusses counterintelligence (CI) and some of the challenges involved. It notes that CI aims to protect a country's intelligence operations from hostile penetration. While CI should permeate all aspects of intelligence, it is often seen as just a security issue. The document also discusses different types of CI (collection, defensive, offensive). It highlights problems that can arise in assessing CI operations, such as covert penetrations being difficult to detect and tendencies to trust one's own people. Problems in uncovering spies like Aldrich Ames and Robert Hanssen are examined.
Whistleblowers are people who expose wrongdoing in government and business. They may operate from inside as employees or externally. WikiLeaks is an organization that publishes leaked classified documents and information from anonymous sources. It has released videos and documents related to the Iraq and Afghanistan wars, including evidence of civilian casualties and abuse of detainees. The source of the leaks was Bradley Manning. WikiLeaks and its founder Julian Assange face legal issues and criticism over whether they ethically handled and released classified government information.
This document discusses security challenges facing family offices with regards to privacy, cyber threats, and cryptocurrencies. It notes that family offices are targets due to governments seeking revenue, opaque sources of wealth, and lack of security resources. It outlines how family offices can be covertly targeted through social engineering, hacking, and malware. The document then focuses on challenges of cryptocurrencies like bitcoin, including lack of regulation, anonymity enabling money laundering, and risk of government intervention. It provides background on bitcoin and key terms. Finally, it advises family offices on protecting themselves through principles-based governance and practicing offensive cybersecurity tactics.
Last minute talk about the underground economy and cybercrime. The speaker discussed the evolution of hacking from curiosity to money-motivated crime and the rise of underground economies that facilitate cybercrimes like identity theft and banking fraud.
Social media, surveillance and censorship, by lilianedwards
Talk delivered at European University Florence, March 2012. Did the Arab Spring really prove that social media enables the flowering of democracy, or are social media in fact easy venues for blanket state surveillance? Can they be arenas for free speech when platforms like Twitter are refining their censorship policies to avoid legal risk?
This document provides an analysis of the Russia-Ukraine conflict and outlines related cyber threats. It begins with a timeline of the conflict from 2014 to 2022. It then discusses the roots of tensions between Russia and Ukraine and international responses. The document analyzes past Russian cyberattacks on healthcare, including NotPetya, FIN12, and Ryuk ransomware. It describes new wiper malware used in cyber operations against Ukraine called HermeticWiper and WhisperGate. It also outlines potential impacts on the US healthcare sector and recommends best practices and mitigations to enhance cybersecurity posture in response.
San Francisco Isaca Fall Security Conference G32 Wiki Leaks Social Media & Whistleblowers The Future Of It Auditing
1. G32
The Changing Influences of Social Media, WikiLeaks and Whistleblowers
Future of IT Auditing: A Definitive Landscape
2. Agenda:
• Part One: Social Media
– Bart (The Metaphor), WikiLeaks, OpenLeaks, LulzSec, and Anonymous et al. . .
• Part Two: Whistleblowers - A Growth Industry
• Part Three: Auditors and Their Reputation When Dealing With Fraud
• Part Four: What’s Over The Horizon
• Part Five: Take Aways (aka: Tool Time)
3. Bart: The Metaphor
• Bart The Story
– Who was impacted
• Commuters, Police, Employees of BART and Protesters
– Friends and Family
• Tools Used
– Social media, Facebook, Twitter, et al. . .
– Side Bar: Facebook handed $40,000 to hackers for finding flaws in its website as part of its Bug Bounty scheme. Facebook joins a growing list of companies, including Google, which pay independent hackers for this sort of information.
4. WikiLeaks, Its Influence. . .:
• Leaked Documents Suggest China Might Have The Upper Hand in Cyber War. . .
– “According to US investigators, China has stolen terabytes of sensitive data, from user names and passwords from State Dept. computers to designs for multi-billion-dollar weapons systems,” wrote Brian Grow & Mark Hosenball in a report for Reuters.
– They credit WikiLeaks for revealing previously secret details about China’s ongoing cyber assault, which the US government has code named Byzantine Hades. Specifically, they wrote, the State Dept. cables that WikiLeaks published show that the Chinese military was the source of those attacks, not some rogue hacker group. . .
5. WikiLeaks:
• A Tool For Whistleblowers
• “A senior advisor to Gordon Brown put pressure on the commander of NATO forces in Afghanistan to play down the “bleak and deteriorating” situation to reduce criticism of his government, leaked documents disclose. Brown, the prime minister at the time, visited the country and met General Stanley McChrystal, the US military commander . . .”
6. OpenLeaks Joins The Crowd. . .:
• 26th January 2011, OpenLeaks goes public
• OpenLeaks considers itself a non-profit community and service provider for whistleblowers and organizations, media, and individuals who engage in promoting transparency. It makes leaking at a local, grassroots level possible and allows for certain scalability.
– OpenLeaks will not accept or publish documents on its own platform, but rather create many "digital dropboxes" for its community members, each adapted to the specific needs of our members so that they can provide a safe and trusted leaking option for whistleblowers. . . .
7. OpenLeaks:
– Besides developing and building the technical platform, we want to encourage leaking all over the world while minimizing risks for whistleblowers.
• The split between submission and publication of leaked documents makes the whole process safer for all who participate in it, and at the same time makes scaling so much easier. Watch our video, which explains this concept visually.
8. LulzSec: Another Member of The Social Media ‘Hive’. . .
• LulzSec 'takes down' CIA website
• The hacker group Lulz Security claims it temporarily brought down the public-facing website of the US Central Intelligence Agency.
• Lulz Security attacks
» May 10: Fox.com user passwords,
» May 15: Database listing locations of UK cash machines,
» May 23: Sony Music Japan website,
» May 30: US broadcaster PBS. Staff logon information,
» June 2: Sonypictures.com user information,
» June 3: Infragard website (FBI affiliated organization),
» June 3: Nintendo.com,
» June 13: Senate.gov - website of US Senate,
» June 13: Bethesda software website, user information
9. LulzSec:
LulzSec Opens A Hack Request Hot Line. . .
• Callers are met with a recorded message, in a heavy French accent, by an individual named Pierre Dubois. The (614) area code appears to relate to the state of Ohio. . .
– LulzSec accesses 62,000 email addresses and passwords belonging to victims such as IBM, as well as state and federal governments. Affected agencies include but are not limited to: US Army, Navy, and Air Force, FCC, US National Highway Traffic Safety Administration, Veterans Administration and the US Coast Guard.
10. Anonymous: One Among Many. . .
• Sets An Example:
– The HBGary hack
• HBGary Federal positioned itself as an expert in computer security. . .
• HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for coordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year. . .
11. Anonymous. . . All Ages, All Walks of Life:
• Here’s What They Can Do
• When Barr told one of those he believed to be an Anonymous ringleader about his forthcoming exposé, the Anonymous response was swift and humiliating.
– HBGary's servers were broken into,
– its e-mails pillaged and published to the world,
– its data destroyed,
– its website defaced.
• As an added bonus, a second site owned and operated by Greg Hoglund, owner of HBGary, was taken offline and the user registration database published.
13. Part Two: Whistleblowers A Growth Industry
• Enron Whistleblower. . . The Use of Dodd-Frank Whistleblower Provisions
– Sherron Watkins, former Vice President at Enron, discussing the Dodd-Frank Whistleblower Provisions at an event held by the New York State Society of Certified Public Accountants on January 28th, 2011.
• Corporate Whistleblowers
– Will hand over corporate fraud evidence to media such as WikiLeaks rather than the SEC, thereby allowing them to continue employment in the corporate world without the stigma of being a whistleblower.
14. Whistleblowers & The SEC, Too:
• EFFECTIVE DATE: August 12, 2011
• SECURITIES AND EXCHANGE COMMISSION
– Dodd-Frank requires the Commission to pay an award, subject to certain limitations, to eligible whistleblowers who voluntarily provide the Commission with original information about a violation of the federal securities laws that leads to the successful enforcement of a covered judicial or administrative action, or a related action. . .
– Dodd-Frank also prohibits retaliation by employers against individuals who provide the Commission with information about possible securities violations. . .
15. Whistleblowers: Cut Across All Sectors
• Swiss Bank HSBC Whistleblower. . .
– Assets of about £13bn could net millions of pounds in unpaid tax revenues. . .
– A disk leaked to the French authorities is said to contain the names of 79,000 HSBC clients in 180 countries.
– An employee of HSBC in Geneva leaked the data to French officials, who passed it on to the UK. A spokesperson for HSBC said: “HSBC in no way condones tax evasion and in no way do we assist it”. . .
• SEC
» A whistleblower at the SEC has accused the agency of destroying more than 9,000 files related to preliminary investigations into SAC Capital, Bernard Madoff, Goldman Sachs and other financial groups. . . (To Be Continued).
16. Part Three: Auditors, Their Reputation When Dealing With Fraud. . .
“Because the determination of abuse is subjective, auditors are not required to detect abuse in financial audits. However. . .”
A May 2010 COSO Study Dealing With Fraud from 1998 thru 2007 for US companies:
» The most common fraud involved improper revenue recognition; next in line was the overstatement of existing assets or capitalization of expenses
» 89% of these incidents of fraud involved executive management at the C-Level (aka: CEOs and/or CFOs)
» 347 alleged cases dealt with financial reporting
» Dollar amount of these misstatements and/or misappropriations: nearly $120bn USD
17. Auditors & Their Reputation When Dealing With The Global Fraud Economy. . .
Global Patterns of Fraud – 2011
• Acts of fraud are rarely one-offs: 96% of fraudsters carried out fraud on a repeated basis, up from 91% in 2007
– Fraud at the Board level increased to 18% while fraudulent activities at the C-level increased to 26%
– 87% were male, between the ages of 36 and 45, and committed fraud against their own employer
– 32% work in a Finance function
– 60% worked for the company more than 5 years, 33% more than 10 years, and most colluded with others
• So. . .where were the auditors?
18. Auditors & Their Reputation When Dealing With Fraud
• Motivation for Fraud
– Personal financial gain, followed by fraudulent financial reporting. . .
– 43% misappropriation of assets (mostly due to embezzlement and procurement fraud)
– On avg. it took 3 years from fraud inception to detection
– 50% were detected through tip-offs, both formal and informal, or by accident. . .
– 77% of investigations were not reported to the public
– 50% of the cases revealed that a red flag had existed but was not acted upon. . .
19. Part Four: What’s Over The Horizon?
• “Negligence” vs “Gross Negligence”. . .
• And Negligence wins by a nose. . .
• Clawbacks. . .
• In the last meeting under chief Sheila Bair, the Federal Deposit Insurance Corp. (FDIC) voted five to one in favor of a “clawback” clause in new regulations, which will allow the government to reclaim compensation paid to executives whose banks have to be taken over and wound up by the state.
20. What’s Over The Horizon?
• Increasing Liability, Financial and Otherwise:
– In a 2008 report issued by the GAO, between 1998 and 2008 “audit firms may have paid at least 10 settlements or awards of $100 million or more from private litigation”. . .
• In mid-2008, the six largest US auditing firms were defendants in 90 audit-related suits, each of which involved damage claims in excess of $100 million, ranging up to $10 billion. . .
21. What’s Over The Horizon?
• Changing Expectations of The Auditors
– Internal Auditors Rule 1210.A2
• Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. . .
22. What’s Over The Horizon: Changing Expectations. . .
• External Auditors Rule ISA 240
• The objectives of the external auditor: to identify and assess the risks of material misstatement of the financial statements due to fraud:
– Obtain an understanding of the internal controls in respect of those assertions which are subject to fraud (e.g., revenue) and ensure those controls are designed effectively. If not. . . report to the audit committee. . .
– Obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses; such responses should at a minimum include the following:
– Testing the appropriateness of journal entries, especially at the end of the reporting period. Make inquiries of individuals involved in the financial reporting process. . .
– Communicate fraud or suspected fraud to those charged with governance
23. What’s Over The Horizon?
• In the past, generally, the auditor did not have
an obligation to disclose possible or actual
fraud to third parties, unless the matter was
already reflected in the audit report
• However. . .not any more:
• See the moving target referred to as Dodd-Frank. . .
– US regulatory agencies modify the rules. . .
– The US judiciary modifies the rules. . .
» Let’s all go to court. . .
24. What’s Over The Horizon?
– The Securities Exchange Act of 1934 Should Be
Extended to Cover Transnational Securities Fraud
[Release No. 34-631374; File No. 4-617]
25. Part Five:
Technical Take Aways---Benford’s Law
In many naturally occurring sets of numbers, more values begin with the digit 1
(about 30%) than with any larger digit (2 - 9); the share falls to under 5% for 9
– Benford Analysis is likely to be useful with sets of numbers that result from
mathematical combinations of numbers, where the result comes from two
distributions:
» Accounts receivable (number sold x price)
» Accounts payable (number bought x price)
» Most sets of accounting numbers
» Transaction-level data (disbursements, sales, expenses): no need to sample
» Large data sets: the more observations the better
26. Technical Take Aways: When Not to Apply
Benford’s Law
• When Benford Analysis is not likely to be
useful:
• Data sets comprised of assigned numbers:
– Check numbers, invoice numbers, ZIP codes
• Numbers that are influenced by human thought:
– Prices set at psychological thresholds ($1.99)
– ATM withdrawals, e.g. $20, $40, $60, $80, $100
• Accounts with a large number of firm-specific numbers:
– Accounts specifically set up to record $100 refunds
• Where no transaction is recorded:
– Thefts, kickbacks, contract rigging, et cetera . . .
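The following Benford first-digit test is an added example written for this page; it is not code from the deck or from any CAAT vendor. It scores a data set with the mean absolute deviation (MAD) from the expected proportions and classifies the result with Nigrini’s published first-digit cut-offs (0.006 / 0.012 / 0.015). Everything it runs on is constructed here: a log-uniformly spread “accounts payable” ledger, which is the multiplicative (quantity x price) spread that makes real AP data Benford-like, plus the three cases from the slide above where the test should not be trusted (assigned invoice numbers, ATM withdrawals at round amounts, and an account that only ever records $100.00 refunds). All function and data-set names are this example’s own.

```python
"""Benford first-digit test for audit data (added example; not from the deck).

Conformity is scored with the mean absolute deviation (MAD) and Nigrini's
first-digit thresholds. All data sets below are constructed for the example.
"""
import math
from collections import Counter

# Expected first-digit proportions under Benford's law: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Nigrini's MAD bands for the first-digit test (upper bound, label)
MAD_BANDS = [(0.006, "close conformity"),
             (0.012, "acceptable conformity"),
             (0.015, "marginal conformity")]


def first_digit(x):
    """Leading significant digit of x, or None for zero / non-numeric values.

    Scientific-notation formatting exposes the leading digit regardless of
    magnitude, so 0.045, 4.5 and 45000 all map to 4.
    """
    try:
        x = abs(float(x))
    except (TypeError, ValueError):
        return None
    if x == 0:
        return None
    return int(f"{x:e}"[0])


def digit_proportions(values):
    """Observed share of each leading digit 1..9 in `values`."""
    digits = [d for d in map(first_digit, values) if d]
    if not digits:
        return {d: 0.0 for d in range(1, 10)}
    counts = Counter(digits)
    return {d: counts[d] / len(digits) for d in range(1, 10)}


def mad(values):
    """Mean absolute deviation of the observed from the Benford proportions."""
    obs = digit_proportions(values)
    return sum(abs(obs[d] - BENFORD[d]) for d in range(1, 10)) / 9


def conformity(mad_value):
    """Map a MAD score to Nigrini's first-digit conformity band."""
    for upper, label in MAD_BANDS:
        if mad_value < upper:
            return label
    return "nonconformity"


def largest_excess(values):
    """Digit with the biggest surplus over its Benford expectation.

    This is where the auditor drills down: the surplus digit points at the
    amounts to sample (e.g. an unexplained pile of $1xx or $10,xxx entries).
    """
    obs = digit_proportions(values)
    d = max(range(1, 10), key=lambda k: obs[k] - BENFORD[k])
    return d, obs[d] - BENFORD[d]


# --- constructed data sets ---------------------------------------------------

def synthetic_ap_amounts(n=2000):
    """Constructed AP amounts spread log-uniformly from $10 to $100,000."""
    return [round(10 ** (1 + 4 * i / n), 2) for i in range(n)]

# Assigned numbers: sequential invoice numbers that all start with 1
INVOICE_NUMBERS = list(range(10000, 12000))

# Human-chosen amounts: ATM withdrawals at psychological round values
ATM_WITHDRAWALS = [20, 40, 60, 80, 100] * 400

# A firm-specific number: a refund account that only ever records $100.00
FIXED_REFUNDS = [100.00] * 300


if __name__ == "__main__":
    for name, data in [("AP amounts", synthetic_ap_amounts()),
                       ("invoice numbers", INVOICE_NUMBERS),
                       ("ATM withdrawals", ATM_WITHDRAWALS),
                       ("AP amounts + $100 refunds",
                        synthetic_ap_amounts() + FIXED_REFUNDS)]:
        m = mad(data)
        d, excess = largest_excess(data)
        print(f"{name:26s} MAD={m:.4f} {conformity(m):22s} "
              f"largest excess: digit {d} (+{excess:.3f})")
```

The last case is the one to remember: mixing 300 fixed $100.00 refunds into an otherwise conforming ledger pushes the set into nonconformity and the drill-down points at digit 1, but the explanation is a firm-specific number, not fraud. The test tells you where to look; it does not tell you what you will find.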
27. Technical Take Aways: Computer Aided Audit
Techniques (CAATs)
– Benford’s Law in conjunction with tools such as
SAP GRC and Oracle’s EGRCM (Enterprise Governance, Risk
and Compliance Manager)
– Asking questions such as:
» Any changes in the top 10% of transactions by value (year to
year), by quarter, by month?
» Greatest number of changes made to a customer’s master details
(year to year), by quarter, by month?
» Any outliers/unusual data values?
» Any unusual or suspicious patterns in data, dates, returns,
end-of-month closeout transactions?
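The slide’s questions are rule-based tests that run over a whole ledger rather than a sample. As an added example (not from the deck and not SAP or Oracle code), the script below runs the journal-entry tests ISA 240 asks for at period end, plus the top-decile and customer-master questions from the slide, over a constructed seven-entry journal and a constructed master-data change log. Entry ids, users, accounts and dates are all invented for the example; the tests return entry ids so the flagged items can be pulled for the auditor’s sample.

```python
"""Journal-entry CAAT tests of the kind listed on the slide and required by
ISA 240 (added example; constructed data, not a vendor tool).
"""
import math
from collections import Counter, defaultdict
from datetime import date, timedelta

PERIOD_END = date(2011, 6, 30)

# Constructed journal: (entry id, posting date, user, account, amount, text)
JOURNAL = [
    ("JE-1001", date(2011, 6, 3),  "mlee",  "4000 Revenue", 18450.00, "June sales invoices"),
    ("JE-1002", date(2011, 6, 10), "mlee",  "4000 Revenue", 22310.50, "June sales invoices"),
    ("JE-1003", date(2011, 6, 15), "jpark", "6100 Travel",   1287.35, "travel expenses"),
    ("JE-1004", date(2011, 6, 26), "cfo",   "4000 Revenue", 50000.00, "management adjustment"),
    ("JE-1005", date(2011, 6, 30), "cfo",   "4000 Revenue", 75000.00, "accrued revenue"),
    ("JE-1006", date(2011, 6, 29), "jpark", "5000 COGS",   -12000.00, "reverse accrual"),
    ("JE-1007", date(2011, 6, 20), "mlee",  "1200 AR",       9870.00, "customer payment"),
]

# Constructed customer-master change log: (date, user, customer id, field)
MASTER_CHANGES = [
    (date(2011, 6, 2),  "jpark", "C-17", "bank_account"),
    (date(2011, 6, 9),  "jpark", "C-17", "bank_account"),
    (date(2011, 6, 14), "mlee",  "C-03", "address"),
    (date(2011, 6, 27), "jpark", "C-17", "bank_account"),
]


def period_end_entries(entries, period_end, window_days=3):
    """Entries posted in the last `window_days` days of the period."""
    start = period_end - timedelta(days=window_days - 1)
    return [e[0] for e in entries if start <= e[1] <= period_end]


def round_amount_entries(entries, multiple=1000):
    """Entries whose amount is an exact multiple of `multiple` (estimates,
    management adjustments and plugs tend to be round)."""
    return [e[0] for e in entries if abs(e[4]) % multiple == 0]


def weekend_entries(entries):
    """Entries posted on a Saturday or Sunday (weekday() >= 5)."""
    return [e[0] for e in entries if e[1].weekday() >= 5]


def flag_entries(entries, period_end):
    """Map entry id -> list of tests it tripped; clean entries are omitted."""
    tests = {
        "period_end": period_end_entries(entries, period_end),
        "round_amount": round_amount_entries(entries),
        "weekend": weekend_entries(entries),
    }
    flags = defaultdict(list)
    for name, ids in tests.items():
        for entry_id in ids:
            flags[entry_id].append(name)
    return dict(flags)


def top_decile_share(entries):
    """Share of total absolute value carried by the top 10% of entries.

    Comparing this figure period over period answers the slide's "any
    changes in the top 10% of transactions by value" question.
    """
    amounts = sorted((abs(e[4]) for e in entries), reverse=True)
    k = max(1, math.ceil(0.1 * len(amounts)))
    return sum(amounts[:k]) / sum(amounts)


def master_change_leaders(changes, top=3):
    """Users with the most customer-master changes, most active first."""
    return Counter(user for _, user, _, _ in changes).most_common(top)


if __name__ == "__main__":
    flags = flag_entries(JOURNAL, PERIOD_END)
    for entry_id, hits in sorted(flags.items(), key=lambda kv: -len(kv[1])):
        print(entry_id, ", ".join(hits))
    print(f"top-decile share of value: {top_decile_share(JOURNAL):.1%}")
    print("master-data change leaders:", master_change_leaders(MASTER_CHANGES))
```

Each test on its own produces noise (plenty of legitimate entries are round or posted on 30 June); the value is in the stacking, which is why flag_entries keeps every hit per entry rather than a single yes/no. The same user changing the same customer’s bank account three times in a month is the kind of master-data pattern the slide’s second question is after, and it is invisible to Benford-style tests because no amount is involved.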
28. Technical Take Aways: SAP
• SAP GRC Access Control’s four main capabilities:
» Risk Analysis and Remediation (RAR)
» Superuser Privilege Management (SPM)
» Compliant User Provisioning (CUP)
» Enterprise Role Management (ERM)
29. Technical Take Aways: SAP’s Backdoors
• Backdoors. . .
– BACKDOORS come about in two ways. First, a backdoor can
be access into a system that was created during the
application development process and never removed, or
– secondly, after an application is put into production and sold
to the customer in the field, it can be an unauthorized
and/or undetected compromise of the system for the sole
purpose of securing future access to data/information for
industrial or financial espionage. . .
• At Black Hat Europe 2010, researchers demonstrated
multiple backdoors into SAP
30. Technical Take Aways: Oracle
– Easily set the scope of the AS 5 (PCAOB Auditing Standard No. 5)
audit within Oracle Enterprise GRC Manager (EGRCM)
– Pre-packaged reports showing audit coverage, status and
findings
31. Technical Take Aways: Oracle’s Backdoors
• Backdoors. . .
– A number of modules remain un-patched and vulnerable, due
in part to a difficult patch & upgrade process involving
complex applications, in addition to an attitude of “if it’s
working, don’t touch it”. . .
» For example, from the National Vulnerability Database (NVD),
CVE-2010-2390 (under review):
» Description: Unspecified vulnerability in the Database
Control component in EM (Enterprise Manager) Console
in Oracle Database Server…Oracle Fusion Middleware…
allows remote attackers to affect confidentiality, integrity
and availability via unknown vectors
32. Technical Take Aways: In Their Defense
• Backdoors---whether created and used by the vendor
or created and used by individuals with
criminal intent. . .can and do threaten every
information system CONNECTED TO THE
INTERNET. This is NOT a problem
unique to SAP or Oracle. . .
• Going forward, two questions you may want to ask:
are there any backdoors into your system, and what are
they used for?
– View a list of your vendor’s backdoors. . .
33. Technical Take Aways: KDD, OLAP, Data Mining
and Heuristic Analysis
• KDD (Knowledge Discovery in Databases),
• OLAP (On-line Analytical Processing),
• Data Mining
• Multiple vendors, bumping up against clients’:
– Lack of confidence/trust in the numbers
– Belief that data collection methodologies are flawed and that
the use of the data will threaten their decision-making
authority
– Defense against charges of negligence or gross negligence
– Weakened claims of plausible deniability
– Impact on the independence and integrity of the auditor’s claims of
non-bias and impartiality
34. Technical Take Aways: Heuristic Analysis
• Heuristic Analysis is defined by the act(s) and/
or processes associated with discovering the
unknown, thereby making it known…
• Such tools require TESTING. . .for example with EICAR:
• The EICAR test file is a uniquely formatted program file, not a
virus, which most AV (Anti-Virus) programs recognize as
a test program. See also:
– AV-Comparatives
– AV-Test
– ICSA Labs
– SC Magazine/West Coast Labs
– Virus Bulletin
35. Non-Technical: Using Your Amygdala
The Six Principles of An Auditor’s Achilles Heel
• A lack of sufficient professional skepticism
• Lack of support (real or imagined) @ the C-level
• Not controlling the confirmation process, especially at
month end, quarter end and year end
• Not ascertaining whether the financial statements
agree with or reconcile to the accounting records
• Over-relying on management (i.e., insufficient evidence
to corroborate management’s representations)
• Not testing the accuracy of computer-prepared data
36. Non-Technical: Using Your Amygdala & Have
We Got A Tool For You. . .
• The Vulnerability Assessment and
Mitigation (VAM) Methodology. . .
• RAND Corporation developed a methodology to help
analysts in:
» Understanding these relationships. . .
» Facilitating the identification and/or discovery of system
vulnerabilities. . .
» Suggesting relevant mitigation techniques. . .
• The VAM methodology takes a top-down approach,
uncovering not only vulnerabilities that are known, exploited or
revealed today but also vulnerabilities that exist yet
have not been exploited or encountered to date. . .
37. Non-Technical: Using Your Amygdala
• Is there a major disconnect between the C-
level folks and their employees. . .?
– E.g. what motivates their employees…?
• Their answers almost always face 180° in
opposite directions. . .
• See also “Kiss Up, Kick Down” corporate culture.
– “Social Intelligence”, “Emotional Intelligence”
– “Blink”, “Mind Rules”, and “Outliers”. . .
– The concept of Synchronicity (aka: your gut. . .)
38. In Summary: What You Have Heard Today. . .
• What steps you must take. . .to:
• Ensure your independence, as an Auditor. . .?
• Ensure your findings are:
– timely, concise, clear, convincing, complete, objective,
accurate and correct, with emphasis on CORRECT.
• Analyze and re-visit your First Impressions
(when necessary). . .First, Last and Always. . .
39. Questions?:
– Please Note: We’ll be happy to discuss any of the issues
raised this morning & best wishes the rest of the way. . .
• In closing, thank you for your time and attention…
• Respectfully yours:
Pw Carey
Consultant CISA SAP GRC
Compliance Partners, LLC
Suite 200
Barrington, Illinois 60010
www.complysys.com
pwc.pwcarey@gmail.com or
pwcarey@complysys.com
1-650-267-3130 or 1-224-633-1378
CITYAM August 31st, 2011 Facebook has handed $40,000 to hackers for finding flaws in its website as part of its Bug Bounty scheme. Facebook joins a growing list of companies, including Google, which pays independent hackers for information
Lamp Virus Maybe Linked to China & What It Can Do: The Lamp Trojan, which according to some researchers may have been developed in China, contains an MS Office Suite "Document Grabber", a specific command designed for the sole purpose of collecting Microsoft Office Suite documents. This is an unusual feature among private Trojans, which typically focus on collecting financial and banking information. This implies that the Lamp Trojan collects Word files, Excel spreadsheets, and PowerPoint presentations. Lamp may be one of the only examples of a Trojan that, in addition to collecting financial information from more than two dozen US financial institutions, may be specifically interested in industrial espionage (aka: DoD aerospace & defense airfoil diagrams/schematics et cetera stolen from defense contractor(s)).

Leaked documents suggest China might have the upper hand, by Michael Hardy, Apr 21, 2011: The Cold War took its name from the relative lack of shooting that characterized it. The United States and Soviet Union fought one another politically, diplomatically and economically but rarely with guns or tanks. It was not a hot war. We have a couple of hot wars going on now, but there's another cold war under way, too, one being fought between the United States and China, primarily using IT. And it looks as though China has the upper hand at the moment. "According to U.S. investigators, China has stolen terabytes of sensitive data, from user names and passwords for State Department computers to designs for multibillion-dollar weapons systems," write Brian Grow and Mark Hosenball in a report for Reuters. "And Chinese hackers show no signs of letting up." Grow and Hosenball credit WikiLeaks for revealing many previously secret details about China's ongoing cyber assault, which the U.S. government has code-named Byzantine Hades. Specifically, they write, the State Department cables that WikiLeaks published show that the Chinese military was the source of those attacks, not some rogue hacker group.
Government Documents Leaked: CITYAM Feb. 9th, 2011, as reported in The Daily Telegraph. WikiLeaks: No. 10 urged commander to play down Afghanistan failures. A senior adviser to Gordon Brown (UK Prime Minister) put pressure on the commander of NATO forces in Afghanistan to play down the "bleak and deteriorating" situation to reduce criticism of his government, leaked documents disclose. Brown, the prime minister at the time, visited the country and met General Stanley McChrystal, the US military commander.
BBC Technology: LulzSec 'takes down' CIA website. The hacker group Lulz Security claims it temporarily brought down the public-facing website of the US Central Intelligence Agency. Related BBC stories, 6 June 2011: Q&A: Lulz Security; Nintendo server hit by hackers.
BBC Technology, 15 June 2011---LulzSec opens hack request line. . . It claims to have launched denial of service attacks on several websites as a result, although it did not detail which ones. The unspecified hacks formed part of a wave of security breaches that the group called Titanic Takeover Tuesday. The group publicised the telephone hotline on its Twitter feed. LulzSec has risen to prominence in recent months by attacking Sony, Nintendo and several US broadcasters. Lulz Security's request line features the voice of Pierre Dubois - possibly the name of its comic icon. Lulz Security said it had used distributed denial of service attacks (DDoS) against eight sites suggested by callers.
The Register UK Newspaper Original URL: http://www.theregister.co.uk/2011/07/07/anonymous_feature/ ANONYMOUS: Behind the mask, inside the Hivemind Where and who are the Anons? Everywhere and everyone By Trevor Pott ----- Posted in Security , 7th July 2011 10:00 GMT
Enron Whistleblower Discusses Use of Dodd-Frank Whistleblower Provisions Sherron Watkins, former vice president at Enron, Marion Koenigs, deputy director in PCAOB's Division of Enforcement and Investigations, and Paul Atkins, former SEC commissioner, served as a panel of experts discussing the Dodd-Frank whistleblower provision at an event held by the New York State Society of Certified Public Accountants on January 28, 2011. During the discussion, Watkins, an accountant and Enron whistleblower, predicted that corporate whistleblowers will start to hand over evidence of corporate fraud to media such as WikiLeaks rather than use the SEC's whistleblower provisions. Watkins said that anonymously leaking documents to WikiLeaks will allow individuals to continue with employment in the corporate world without having the stigma of being a whistleblower.
17 CFR Parts 240 and 249, [Release No. 34-64545; File No. S7-33-10] RIN 3235-AK78 Implementation of the Whistleblower Provisions of Section 21F of the Securities Exchange Act of 1934 AGENCY: Securities and Exchange Commission (“Commission”). ACTION: Final rule. SUMMARY: The Commission is adopting rules and forms to implement Section 21F of the Securities Exchange Act of 1934 (“Exchange Act”) entitled “Securities Whistleblower Incentives and Protection.” The Dodd-Frank Wall Street Reform and Consumer Protection Act, enacted on July 21, 2010 (“Dodd-Frank”), established a whistleblower program that requires the Commission to pay an award, under regulations prescribed by the Commission and subject to certain limitations, to eligible whistleblowers who voluntarily provide the Commission with original information about a violation of the federal securities laws that leads to the successful enforcement of a covered judicial or administrative action, or a related action. Dodd-Frank also prohibits retaliation by employers against individuals who provide the Commission with information about possible securities violations.
June 6th, 2011, Swiss bank HSBC: the accounts in question hold assets of about £13bn and could net millions of pounds in unpaid tax revenues. The British customers’ details were found on a disk leaked to the French authorities, which is said to contain the names of 79,000 HSBC clients in 180 countries. Mr. Herve Falciani, an IT expert who worked for HSBC in Geneva, leaked the data to French officials, who passed it on to the UK. A spokesperson for HSBC said: “HSBC in no way condones tax evasion and in no way do we assist it”.

August 18th, 2011, CITYAM, Grassley quizzes SEC on file purging: A whistleblower at the Securities and Exchange Commission has accused the agency of destroying more than 9,000 files related to preliminary investigations into SAC Capital, Bernard Madoff, Goldman Sachs and other financial groups, according to Charles Grassley, senior Republican on the Senate Judiciary Committee. Grassley wrote to Mary Schapiro, SEC chairman, yesterday.
Because the determination of abuse is subjective, auditors are not required to detect abuse in financial audits (GAO 2011 Government Auditing Standards, the "Yellow Book"). However. . .

COSO study of fraud at publicly traded US companies, 1998 to 2007: the most common fraud technique involved improper revenue recognition, followed by overstatement of existing assets or capitalization of expenses. 89% of the fraud incidents involved the C-level (aka: CEO and/or CFO). 347 alleged cases at publicly traded companies dealt with financial reporting from 1998 to 2007, compared with 294 cases from 1987 to 1997. The total for these misstatements and/or misappropriations reached nearly US$120bn.
KPMG Analysis of Global Patterns of Fraud, 2011 Executive Whitepaper: "Who is the typical fraudster?" (Executive Summary, kpmg.com/cee). 2011 fraud demographics:
• Acts of fraud are rarely one-offs: 96% of fraudsters in the 2011 survey carried out fraud on a repeated basis, up from 91% in 2007.
• Fraud at the Board level increased from 11% in 2007 to 18% in 2011.
• At the C level, CEO fraudulent activities increased from 11% in 2007 to 26% in 2011.
The typical fraudster:
• 87% were male, although females are demanding access to the club
• Between the ages of 36 and 45
• Commits fraud against his own employer
• 32% work in the Finance function or in a finance-related role; 25% work in Operations & Sales, followed by Procurement, Back Office, Research & Development and Legal
• Is a member of senior management
• 60% worked for the company for more than 5 years; 33% for more than 10 years
• Most often colludes with others; females prefer not to collude
Motivation for fraud: personal financial gain, followed by fraudulent financial reporting; 43% misappropriation of assets (mostly due to embezzlement and procurement fraud).
• On average it took 3 years from fraud inception to fraud detection.
• Exploitation of internal controls by fraudsters increased significantly, from 49% in 2007 to 74% by 2011.
• Nearly 50% of frauds were detected through tip-offs (read: whistleblowers), both formal and informal, or by accident, suggesting that internal controls are either lacking or not functioning appropriately. Most of the frauds investigated involved the exploitation of weak internal controls.
• 77% of the fraud investigations undertaken were not reported to the public. Internal communication of the matter dropped to 46%, compared with 50% polled in 2007. Internal announcements regarding fraud fell from 35% in 2007 to 13% in 2011.
• In 2011, 50% of the cases revealed that a red flag associated with the fraud existed but had not been acted upon, up from 21% in 2007.
Employee awareness of other behaviors can help businesses identify frauds earlier. Be alert to the following employee behavioral red flags:
• Refuses or does not seek promotion and gives no reasonable explanation.
• Has opportunities to manipulate personal pay and reward.
• Rarely takes holidays.
• Is suspected to have over-extended personal finances.
• Does not or will not produce records/information voluntarily or on request.
• Persistent rumors/indications of personal bad habits/addictions/vices.
• Unreliable and prone to mistakes and poor performance.
• Cuts corners and/or bends rules.
• Tends to shift blame and responsibility for errors.
• Seems unhappy at work and is poorly motivated.
• Surrounded by “favorites” or people who do not challenge them.
• Accepts hospitality that is excessive or contrary to corporate rules.
• Level of performance or skill demonstrated by new employees does not reflect past experience detailed on CVs.
• Seems stressed and under pressure.
• Bullies or intimidates colleagues; volatile and melodramatic, arrogant, confrontational, threatening, or aggressive when challenged.
• Vendors/suppliers will only deal with this individual.
• Self-interested and concerned with own agenda.
• Lifestyle seems excessive for income.
• Micro-manages some employees; keeps others at arm’s length.
In the last meeting under its current chief Sheila Bair, the Federal Deposit Insurance Corp (FDIC) voted five to one in favor of a "clawback" clause in new regulations, which will allow the government to reclaim compensation paid to executives whose banks have to be taken over and wound up by the state. The rule puts flesh on the bones of a proposal included in the 2010 Dodd-Frank Act, which overhauls American Financial regulation. It gives some clarity to a major question as to when circumstances determine when executives pay should be confiscated, with the broader "negligence" favored over "gross negligence". The vote also established a debt hierarchy in winding up a firm, with the FDIC's costs incurred in resolving the company and debt to the government topping the list, along with any money owed to employees. Other creditors will be paid off afterwards. The status of clawback clauses in Europe is unclear at present, with EU authorities suggesting that firms write them into contracts. Regulation By Juliet Samuel CITYAM UK
Audit firms’ litigation exposure in connection with securities class actions is, of course, a significant part of the broader litigation risk that accompanies audit work. In the 12 years after the enactment of the Private Securities Litigation Reform Act of 1995, the six largest U.S. auditing firms paid out $5.66 billion to resolve 362 securities class actions and other suits related to public company audits, private company audits, and all other non-audit services, with 65% of the total ($3.68 billion) related to public company audits. And in mid-2008, the six largest U.S. auditing firms were defendants in 90 audit-related suits, each of which involved damage claims in excess of $100 million, ranging up to $10 billion.
International Standards for the Professional Practice of Internal Auditing, 1210.A2: Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

ISA 240 (Revised), the objectives of the external auditor:
• To identify and assess the risks of material misstatement of the financial statements due to fraud: obtain an understanding of the internal controls in respect of those assertions which are subject to fraud (e.g., revenue) and ensure those controls are designed effectively. If not, report to the audit committee.
• To obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses; such responses should at a minimum include the following:
  - testing the appropriateness of journal entries, especially at the end of the reporting period, and making inquiries of individuals involved in the financial reporting process;
  - reviewing the accounting estimates for bias (e.g., provisions, valuation allowances, percentage of completion of sales transactions, results of the impairment tests);
  - analyzing significant unusual transactions outside of the normal course of business.
• To respond appropriately to fraud or suspected fraud identified during the audit: communicate fraud or suspected fraud to those charged with governance.
GAO High Risk Series February 2011: The Dodd-Frank Act includes many provisions that are intended to improve the U.S. financial regulatory system. However, many of the act's changes, including new regulatory structures, agencies, and requirements, are yet to be implemented, and many decisions by regulators as to how new regulations will address various problem areas are forthcoming. For example, the new oversight council has only recently begun meetings to fulfill its mission. Similarly, financial regulators have yet to develop and issue many of the rules necessary to fully implement various changes, including those related to proprietary trading, trading and clearing of over-the-counter derivatives, and others. Until these new structures, requirements, and entities are in place, fully staffed, and functioning effectively, the act's intent to reform the financial system will not be achieved.
At the Building Public Trust Awards dinner in September 2010, Ian Powell outlined the following five-point plan: raising the standard of all the work we do to the standard of the best; improving transparency of the scope, processes and decision-making in an audit; extending the scope of the auditor’s report without changing the corporate reporting model to provide further assurance over narrative reporting; changing the reporting model and changing the scope of the auditor’s report as a consequence; and working for longer-term reform.

As Professor John C. Coffee, Jr. of Columbia Law School noted in 2004, “the most ominous fact [for the future] may be that accounting irregularities tend increasingly to be the primary focus of securities class actions.” Recent statistics show the continuation of this trend: according to Cornerstone, “[i]n 2009 allegations related to violations of Generally Accepted Accounting Principles (GAAP) were included in more than 65 percent of settled cases. These cases continued to be resolved with larger settlement amounts than cases not involving accounting allegations.” And audit firms were named in a number of recent high-profile securities class actions stemming from the financial crisis. For example, according to Audit Analytics, as of late 2009, eight accounting firms had been named as defendants in eleven securities class actions based on allegations relating to Bernard Madoff’s Ponzi scheme, and six firms had been named as defendants in nine securities class actions relating to the credit crisis generally.
Benford Analysis is likely to be useful with sets of numbers that result from mathematical combinations of numbers, where the result comes from two distributions:
• Accounts receivable (number sold x price)
• Accounts payable (number bought x price)
• Transaction-level data, no need to sample: disbursements, sales, expenses
• Large data sets: the more observations the better
Other types of fraud exist that cannot be detected by Benford analysis: duplicate addresses, duplicate bank accounts, ghost employees, shell companies, duplicate purchase orders, duplicate invoice numbers, duplicate payments, contract rigging, defective deliveries, defective shipments, defective returns.
Use Benford's law to assist an audit in conjunction with other tools, both technical and non-technical, such as:
• Experience-based intuition (aka: trust your gut & verify)
• Social Intelligence & Emotional Intelligence
• Surveys and interviews
• Corporate culture (Kiss Up/Kick Down)
• Confirmation and verification
• Professional skepticism
WizRule, Numara Software, TopCAATs, IDEA, ACL, SAP, Oracle. . .
SAP GRC Access Control comes with the following four main product capabilities:
• Risk Analysis and Remediation (RAR): SAP GRC Access Control supports real-time compliance around the clock to detect, remove, and prevent access and authorization risk and stops security and controls violations before they occur. Using live data to assess risk, SAP GRC Access Control enables your organization to identify conflicts immediately, drill down into root causes, and achieve resolutions.
• Superuser Privilege Management (SPM): The application enables users to perform emergency activities outside their roles under a “privileged user,” but in a controlled and auditable environment.
• Compliant User Provisioning (CUP): As companies provision and de-provision access to enterprise systems, they often overlook how these changes can impact SoD (segregation of duties) requirements. SAP GRC Access Control can automate provisioning, test for SoD issues, streamline approvals, review and reaffirm access, and reduce the workload for IT staff.
• Enterprise Role Management (ERM): This functionality standardizes and centralizes role creation, eliminating manual errors and making it easier to enforce best practices. The application prevents SoD violations by performing a real-time simulation of the data in a production system and testing the entire SAP software landscape.
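What RAR, CUP and SPM actually compute is a conflict check: a rule says two business functions must not sit with one person, roles grant functions, and users hold roles. The script below is an added example of that check, written for this page; it is not SAP code, and the rule ids, role names, users and function names are all constructed for illustration. It covers the three capabilities in turn: a sweep of existing assignments (RAR-style), a pre-check of a provisioning request before it is granted (CUP-style), and an emergency grant that is allowed but logged with its known violations (SPM-style).

```python
"""Segregation-of-duties (SoD) analysis and provisioning simulation
(added example; constructed rules, roles and users, not SAP code).
"""

# Conflict rules: two business functions one person must not hold together
SOD_RULES = {
    "P01": ("create_vendor", "approve_payment"),          # set up a payee, then pay it
    "P02": ("enter_invoice", "approve_payment"),          # bill yourself, then approve it
    "P03": ("maintain_bank_details", "run_payment_run"),  # redirect funds, then pay out
    "B01": ("post_journal", "approve_journal"),           # unreviewed postings
}

# Roles grant business functions (in SAP terms: transaction codes / auth objects)
ROLE_FUNCTIONS = {
    "AP_CLERK": {"enter_invoice"},
    "AP_MANAGER": {"approve_payment", "run_payment_run"},
    "VENDOR_MASTER": {"create_vendor", "maintain_bank_details"},
    "GL_ACCOUNTANT": {"post_journal"},
    "GL_SUPERVISOR": {"approve_journal"},
}

# Current assignments; bob has accumulated roles over time
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_MANAGER", "VENDOR_MASTER"},
    "carol": {"GL_ACCOUNTANT"},
}


def user_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the business functions granted by a set of roles."""
    return set().union(*(role_functions.get(r, set()) for r in roles))


def sod_violations(roles, rules=SOD_RULES, role_functions=ROLE_FUNCTIONS):
    """Rule ids whose two conflicting functions are both reachable via `roles`."""
    funcs = user_functions(roles, role_functions)
    return sorted(rid for rid, (a, b) in rules.items() if a in funcs and b in funcs)


def risk_report(user_roles=USER_ROLES, **kw):
    """RAR-style sweep: every user with at least one violation."""
    report = {}
    for user, roles in user_roles.items():
        hits = sod_violations(roles, **kw)
        if hits:
            report[user] = hits
    return report


def simulate_provisioning(user, new_role, user_roles=USER_ROLES, **kw):
    """CUP-style pre-check: violations that granting `new_role` would create,
    excluding any the user already carries."""
    current = user_roles.get(user, set())
    before = set(sod_violations(current, **kw))
    after = sod_violations(current | {new_role}, **kw)
    return [rid for rid in after if rid not in before]


def firefighter_grant(user, role, reason, audit_log, user_roles=USER_ROLES):
    """SPM-style emergency access: return a copy of the assignments with the
    role added and record who got what, why, and which conflicts it opens.
    The violation is accepted, not hidden; the log is what the reviewer reads."""
    granted = {u: set(r) for u, r in user_roles.items()}
    granted.setdefault(user, set()).add(role)
    audit_log.append({"user": user, "role": role, "reason": reason,
                      "sod": sod_violations(granted[user])})
    return granted


if __name__ == "__main__":
    print("current violations:", risk_report())
    print("alice + AP_MANAGER would add:", simulate_provisioning("alice", "AP_MANAGER"))
    log = []
    firefighter_grant("carol", "GL_SUPERVISOR", "month-end close, ticket 4711", log)
    print("firefighter log:", log)
```

The analysis works at the level of functions, not role names, which is the point: bob holds no role that looks dangerous on its own, yet AP_MANAGER plus VENDOR_MASTER lets him create a payee, change its bank details and pay it. A check done on role names alone would miss that, and so would a check done only at provisioning time if the rule set was written after the roles were assigned.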
SAP Backdoors: Black Hat Europe 2010. Oracle Backdoors: Black Hat Conference, Washington DC 2011. A backdoor can come about in two ways. First, it can represent access to a system that was created during the application development process and never removed; or secondly, after an application is put into production in the field, it can represent an unauthorized and/or undetected compromise of the system for the sole purpose of securing future access to data/information for industrial and financial espionage.
Integrated, Efficient, and Effective: The FAST Blueprint for Oracle GRC Applications integrates the Oracle Enterprise Governance, Risk, and Compliance Manager (EGRCM) with Hyperion Financial Management (HFM) to automate assessment scoping and preparation. The blueprint enables both a top-down, risk-based approach and a bottom-up, controls-coverage based approach to audit scoping. Key features:
• Easily set the scope of the AS 5 audit within Oracle Enterprise GRC Manager
• One-way sync utility for Hyperion Financial Management accounts to Oracle Enterprise GRC Manager
• Ability to specify and select controls to be included in audit scope
• Pre-packaged reports showing audit coverage, status and findings
Oracle Backdoors, Black Hat Conference, Washington DC 2011. Examples of backdoors potentially impacting the following areas: SAP business modules and authentication procedures. Please note: backdoors can threaten every information system, and are not simply a problem for Oracle and/or SAP.

A lot of Oracle is un-patched and vulnerable because support and patches cost money, and customers must pay for extended advisory information (aka: Metalink). Example: CVE-2010-2390 (under review), National Vulnerability Database (NVD) description: Unspecified vulnerability in the Database Control component in EM (Enterprise Manager) Console in Oracle Database Server 10.1.0.5 and 10.2.0.3, Oracle Fusion Middleware 10.1.2.3 and 10.1.4.3, and Enterprise Manager Grid Control allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Difficult patch & upgrade process... complex applications... an "if it works, don't touch it" mentality...
See Arthur Andersen’s (Enron’s auditor) desire to use an automated deterministic/predictive tool when auditing Enron, and Enron’s Legal Dept. refusing to allow it to be used, based upon plausible deniability. . .
EICAR test file: a uniquely formatted program file which most AV programs recognize as a test program and respond to in a very similar way to that in which they respond to viruses. The EICAR file is not a virus and presents no malicious threat: if executed, it simply displays a screen identifying itself as a test file. Independent AV test labs: AV-Comparatives (http://www.av-comparatives.org/), AV-Test.org (http://www.av-test.org/), ICSA Labs (http://www.icsalabs.com/), SC Magazine/West Coast Labs (http://www.westcoastlabs.org/), Virus Bulletin (http://www.virusbtn.com/).

Mail gateway filters use rules to specify what file types and file names are permitted as attachments. Such filters are very good at countering obvious threats such as files with extensions like .LNK or .JPG.EXE, but can be rather inflexible in their rejection of whole classes of executable files. Some filters use more advanced techniques, such as checking that the headers of the file scanned match the filename extension. This can significantly reduce the risk of false positives (and false negatives).

Why are these obvious threats? In the first case, because the .LNK suffix denotes a program shortcut, which doesn’t usually make sense as an email attachment because there is no direct link between the shortcut and the program to which it should be linked; however, a shortcut file in an email attachment is often simply a Windows executable file, renamed to evade filters intended to block executable attachments. In the second case, the double extension suggests an attempt to pass off an executable file as a non-executable (graphics) file, a common virus writer’s trick.
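The header-versus-extension check described above, as an added example written for this page (not from the source and not from any gateway product). It blocks the two obvious cases (.LNK and a double extension ending in an executable type) and, because it reads the file’s first bytes before trusting its name, it also catches the renamed-executable trick the paragraph describes: a PE file called photo.jpg and a shortcut called readme.txt are both blocked on their headers. The magic-number table and the sample attachments are constructed for the example; only the first few bytes of each file are needed.

```python
"""Attachment filter that checks the file name against the file header
(added example; constructed samples, not a product's rule set).
"""
import os

# Extensions a Windows mail client will execute
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".lnk"}

# Leading bytes a file with this extension should start with
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
    ".zip": (b"PK\x03\x04",),
}
PE_MAGIC = b"MZ"                                   # DOS/PE executable header
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"    # shell link: header size + CLSID start


def extensions(filename):
    """All suffixes, lowercased: 'photo.jpg.exe' -> ['.jpg', '.exe']."""
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:]]


def classify(filename, head):
    """Return ('block' | 'allow', reason) for one attachment.

    Content checks run first so a renamed executable is caught whatever it
    is called; the extension rules then handle the obvious names; finally
    the magic table catches files whose name lies about their type.
    """
    exts = extensions(filename)
    final = exts[-1] if exts else ""
    if head.startswith(PE_MAGIC):
        return "block", "PE executable header"
    if head.startswith(LNK_MAGIC):
        return "block", "Windows shortcut header"
    if final in EXECUTABLE_EXTS:
        return "block", f"executable extension {final}"
    if len(exts) > 1 and any(e in EXECUTABLE_EXTS for e in exts):
        return "block", "executable in a double extension"
    if final in MAGIC and not head.startswith(MAGIC[final]):
        return "block", f"header does not match {final}"
    return "allow", "name and header consistent"


# Constructed attachments: (file name, first bytes of the file)
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("photo.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),      # executable with an image name
    ("photo.jpg.exe", b"MZ\x90\x00"),                   # the classic double extension
    ("notes.lnk", LNK_MAGIC + b"\x00" * 8),
    ("readme.txt", LNK_MAGIC + b"\x00" * 8),            # shortcut renamed to text
    ("scan.png", b"%PDF-1.4"),                          # PDF claiming to be a PNG
    ("archive.zip", b"PK\x03\x04\x14\x00"),
]


def scan(samples=SAMPLES):
    """Classify every sample: list of (name, verdict, reason)."""
    return [(name, *classify(name, head)) for name, head in samples]


if __name__ == "__main__":
    for name, verdict, reason in scan():
        print(f"{verdict:5s} {name:16s} {reason}")
```

Files with no entry in MAGIC (a .docx, for instance) pass the mismatch test by default; that is the false-negative side of the trade-off the paragraph mentions, and the cure is a larger table, not a looser rule.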
SIX Guiding Principles for Auditors
A lack of sufficient professional skepticism
Intentional lack of support (real or imagined) at the C-level
Not controlling the confirmation process, or not confirming the terms of large or unusual sales transactions, especially those that occurred at year end
Not ascertaining whether the financial statements agreed or reconciled with the accounting records
Over-relying on management's representations (i.e., not obtaining sufficient evidence to corroborate or refute management representations, such as management's explanations for unusual fluctuations noted when performing analytical procedures)
Not testing the accuracy of computer-prepared schedules
The Vulnerability Assessment and Mitigation (VAM) Methodology. The RAND Corporation has developed and evolved a methodology to help analysts understand these relationships, facilitate the identification or discovery of system vulnerabilities, and suggest relevant mitigation techniques. The VAM methodology takes a top-down approach and seeks to uncover not only vulnerabilities that are known and exploited or revealed today, but also the vulnerabilities that exist yet have not been exploited or encountered during operation. Sophisticated adversaries are always searching for new ways to attack unprotected resources ("the soft underbelly" of the information systems); thus, the methodology can be valuable as a way to hedge and balance current and future threats. This report should be of interest to individuals or teams conducting vulnerability assessments and planning mitigation responses. Because it facilitates the identification of new vulnerabilities, it should be of particular interest to designers building new systems, as well as to security specialists concerned about highly capable and well-resourced system attackers, such as nation-states or terrorists motivated to identify new security holes and exploit them in subtle and creative ways. http://www.rand.org/content/da/rand/pubs/monograph_reports/2005/MR1601.pdf
Develop and trust your intuition. This can be challenging for high-level financial services professionals, who naturally tend towards facts, figures and other hard factors, but soft factors are equally important. Start with your intuition and then make sure it is backed by a strong business case.
Understand the power of "no". Many of us find this one of the most difficult things to say, but it is actually one of the most powerful words in business and often much more effective than "yes", particularly when backed by sound judgement.
Understand and be true to yourself. At the risk of sounding like a personal development coach, far too few people in the financial services sector embrace self-awareness despite the benefits it brings. Everything you do must be congruent with who you are; incongruity increases stress, hampers performance and simply cannot last.
Make time to stop and think. Evaluate where you are, what you like and what you do not. Ask yourself whether you are doing the right job in the right environment, whether that be country, company or culture. If you are not totally happy with the way things are, make changes.
Do not let your job define you. Too many people allow themselves to become trapped in careers they no longer enjoy. If you do not like what you do, have the courage to be true to yourself and walk away; allowing a job to define your life risks years of compromise and missed opportunity. There are always other options.
Trust me. . .PwC
1. "A Short Course on Computer Viruses", 2nd Edition, pp. 2, 49 (Dr Frederick B. Cohen): Wiley, 1994.
See AICPA AU Section 240, Consideration of Fraud in a Financial Statement Audit (Redrafted).
See AICPA AU Section 250, Consideration of Laws and Regulations in an Audit of Financial Statements.