Can a fraud prevention plan be really effective?

FRAUD PREVENTION bases. There are many different ways, often individual to each company, in which it can be accessed. Up to here we have mostly considered mobile devices as a means of obtaining information, but they can also be a means of inserting unwanted data. They can store viruses as well as legitimate files, enabling us to infect a company’s entire network. Since we cannot prevent the use of mobile devices, we should understand how, when and what can be used and which protective measures should be implemented.

Intrinsic security of mobile devices Our main problem is that the few security measures we can apply to laptops cannot usually be applied to mobile devices. Consider for exam-

ple smart-phones, one of the biggest nightmares of a security manager. Features outweigh security. Different protocols and network automatic connectivities are big pluses, but this means that the user cannot even be sure which network they are connected to at a certain moment, and which protocol is being used.

“Encrypting data on the hard disk is often difficult, as is the possibility of limiting functions depending on the network to which the phone is connected” We need to be able to deploy our security policies on all IT devices, mobile and fixed, but it is difficult to see how it could be possible in the near future. We have too many different objects which interact and

Can a fraud prevention plan be really effective?

which we should manage in different ways. The only way out probably is to rationalise, adopt some standards, and restrict access to devices which are authenticated and which satisfy our security policies. Encrypting data on the hard disk is often difficult, as is the possibility of limiting functions depending on the network to which the phone is connected. On the other side, being mini-computers these devices are liable to bugs, which makes them open to compromise. Ultimately, today it is up to the user to protect data coming in and out of mobile devices. But we cannot expect everyone to be an ICT security expert, so we face some hard times. Technology and security solutions will catch up but for the moment the biggest burden unfortunately remains not just on the security managers, but also on the final users.

Dario Forte

Dario Forte, CISM, CFE, founder and CEO, DFLabs, Italy Why do insiders commit fraud? While there is no one answer to this question, we can make a few high-level observations that will help us get a grasp on the source of the problem.

Businesses are composed of various categories of employees. There are certainly honest employees who have a positive outlook on their companies and some degree of attachment to them. There are also employees who start out honest but may be led astray by circumstantial events, and other factors relating to their hierarchical and economic status within the company. Companies that ignore 18

Computer Fraud & Security

disequilibrium among these factors do so at their own peril.

“Insider fraud is a continually shifting target” Insider fraud is a continually shifting target. Many companies think they are safe just because they have already dealt with an instance of insider fraud, failing

to understand that it is an ongoing and shifting phenomenon that evolves along with trends in violations. A one-shot crackdown, even if carried out with grand style, is not going to do the trick. The top-down response is still limited. There has been much talk recently about getting top management involved in security issues. A recently published investigation by Carnegie Mellon March 2009

FRAUD PREVENTION

Figure 1: A graphical description of the top management priorities in terms of security governance

University’s Cylab (specialised in managing information risks) reveals that boards of directors take risk management extremely seriously, but there is still a large comprehension gap regarding how its various component factors interact. Many of the questionnaire responses reveal that the C-suite is not adequately involved in the key areas of enterprise security governance. This is further supported by interviewees who state that many boards review company security and privacy policies with an exclusive focus on formal aspects. These senior executives fail to grasp the importance of effective controls to mitigate the risk to company reputation and losses due to the improper or illegal use of personal information.

“There is often a murky relationship between a company’s code of ethics and its real behaviour” This problem also relates to top management’s awareness of the fraud issue. The result is generally a collection (often poorly organised) of documents, policies, standards and procedures which are March 2009

certainly vital but whose application is delegated to an overblown faith in pure technology. Last but not least, there is often a murky relationship between a company’s code of ethics and its real behaviour. All companies at a certain level have an ethical code (it is actually required by law in some places). It often reads quite nicely but is not always honoured (to put it mildly). This may also have repercussions in fraud prevention and the practical application of controls. The Association of Certified Fraud Examiners is a world-level team of fraud prevention professionals. During a recent conference in the United States, the message was made loud and clear that in addition to the above-mentioned honest and dishonest employees, the corporate world is full of higher-ups who work not on the basis of necessity but are driven by greed, a thirst for power or even political pursuits.

Why do outsiders commit fraud? The enterprise is one target in external fraud, but the other is the end user.

While the attackers’ modus operandi was initially simple phishing, multi-level attacks are now on the rise. ‘Elementary’ phishing from false email addresses based in eastern Europe is being increasingly displaced by ‘normal’ phishing where real and legitimate addresses are used in place of fake ones and the transmission chain of email messages is apparently legitimate.

“The enterprise is one target in external fraud, but the other is the end user” Many current phishing emails, for example, come from the addresses of local providers and are thus less subject to geolocation controls. They also have more modest monetary impacts (e.g., less than 500). This allows them to bypass basic transaction monitoring systems based on the total amount of the transaction. But that’s only part of the story. The attacker may have their sights not only on compromising the account devices of remote banking users, but also on compromising the victim’s entire machine so it can be used in a much Computer Fraud & Security

19

CALENDAR broader series of hacking operations and attacks. Criminal organisations are interested in transferring credit to their accounts, but also in trafficking compromised user accounts and machines that can work as stepping stones to other types of criminal activities. The economic value of a user account remains pretty much the same, but it may be applied to achieve a ‘greater’ and more nefarious purpose. This means that the responsibility for prevention is distributed among internet service providers, commercial service providers such as banks, and the final user, who must be increasingly vigilant and engaged in the chain of prevention if they are to have any hope of indemnification. More and more companies refuse to refund money to customers they deem careless. These customers are unable to prove that they have avoided unsafe web dealings or otherwise have exercised due diligence.

How to address the problem An effective fraud prevention programme entails a multi-level approach, ranging from human resources management and the effective application of incident monitoring and response methods to the practical affirmation of the company’s ethical principles. In Figure 1 we see that business security touches on various elements, from human resource management to litigation support. An increasing number of companies have implemented such capabilities to address liability and compliance issues associated with internal fraud. But the most serious problem, in my opinion, regards monitoring, which is vital to both internal and external fraud management. There are few companies that handle log files in an organic and effective way, and fraud and information incident management teams are generally inadequately sized to handle the fraud 20

Computer Fraud & Security

that occurs on a daily basis. Recourse is increasingly taken to external providers to resolve these issues, especially regarding external fraud such as phishing.

Calendar 2-3 April 2009 Forrester’s Security Forum EMEA 2009

“Many companies think they are safe just because they have already dealt with an instance of insider fraud”

Location: London, UK Website: http://www.forrester.com/ events/eventdetail?eventID=2358

These providers offer complex intelligence capabilities to prevent identity theft, which impacts the general final user. But even here we are witnessing growing problems. For example, individuals have recently complained about receiving phishing attacks that were not intercepted by the service provider, revealing holes in the provider’s intelligence net. In other cases, authentication management systems had faults that allowed both internal and external fraudsters to get around them in various ways. One thing is certain: neither technology alone nor delegation of management to external parties is going to solve things. This problem is everyone’s business.

Location: Brussels, Belgium Website: http://www.endeavourevents. com/upcomingevents.aspx

About the author

16-19 April 2009

Dario Forte, CFE, CISM, former police detective and founder of DFLabs has worked in information security since 1992. He has been involved in numerous international conferences on information warfare, including the RSA Conference, Digital Forensic Research Workshops, the Computer Security Institute, the US Department of Defense Cybercrime Conference, and the US Department of Homeland Security (New York Electronic Crimes Task Force). He was also the keynote speaker at the Black Hat conference in Las Vegas. He provides security consulting, incident response and forensics services to several government agencies and private companies. www.dflabs.com

Location: Cleveland, OH, USA Website: http://www.notacon.org/

6-7 April 2009 EnterSecurity 2009 Business Summit

7 April 2009 Identity Access Management Location: Dallas, TX, USA Website: http://public.cxo.com/ conferences/index.html?conferenceID=50

14-22 April 2009 SANS Tyson’s Corner 2009 Location: Tyson’s Corner, VA, USA Website: http://bit.ly/vqdZ

16-19 April 2009 Black Hat Europe 2009 Location: Amsterdam, The Netherlands Website: http://www.blackhat.com/html/ bh-europe-09/bh-eu-09-main.html/

Notacon 6

20-24 April 2009 RSA Conference Location: San Francisco, CA, USA Website: https://365.rsaconference.com/ index.jspa

26-29 April 2009 European Security Conference 2009 Location: Lake Geneva, Switzerland Website: https://www.asisonline.org /education/programs/montreux/ default.htm

March 2009