Fraud Symptom 10 – Lapses in Information Assurance

The 2011 report of Panda Security titled “The Cyber Crime Black Market: Uncovered” discusses the way the crime organizations work to steal data and conduct frauds. The report mentions the ongoing rates for bank customer data – credit card information is sold between US$ 2 to US$ 90, depending on the nature of the card and information. European card details attract a higher price than US and Asia. The report mentions the roles of programmers, distributors, tech experts, hackers, fraudsters, cashiers, mules, tellers, and social engineering experts. They all have a role to play in the crime scene and collaborate to conduct high-level frauds.

In light of the increasing threat of cyber crime, information assurance plays a critical role in organizations, especially financial institutions. Media regularly provides cases of cyber attacks, which provide an external perspective. However, the foundation for sound information security is laid within the organization. Any lapses in this area, signifies a high risk of fraud. I am here giving some examples on how to identify the issues excluding the regular network breaches.

1.  Commitment to Information Assurance Policies and Procedures

The first indicator of lapses in information assurance appears on evaluating the information assurance policies and procedures. The questions to ask are – does it cover all sources of data leakage, does it monitor exceptions, how is the implementation and are regular audits conducted to ensure adherence.

To illustrate, I had once prepared an information assurance polices document for an organization. According to my estimate, on approval of the document, the implementation time was three months. However, to my surprise the management did not approve the document for over a year, despite repeated reminders on high exposure to information risks. I subsequently discovered that some senior executives were conducting frauds and laying the blame on the juniors. Their problem was that if the policies were implemented, they would not have easy escape goats.

2.    Level of Application Controls

Most organizations still lack focus on application controls – the basic input, processing and output controls and access controls. Access to critical information is available easily and hence can be stolen.

For example, in one case I had found that a VISA card application could be accessed by the employees working on the process from their homes or any internet café. Interestingly enough, all the customer information of the cards was visible outside of office premises and machines.

In another case, a Master card processing application of a bank had no input controls and verification controls on the amount. The employee could pass the transaction for US$ 5 million, when the real amount might be just US$ 5. The whole transaction was processed without verification checks and the only control available was at Master card office.

3.    Back-end Logs

From a fraud detection perspective, back-end logs are crucial. They provide the information of access of various accounts by employees, transactions conducted and the whole trail of activities. Analyzing the logs helps in identifying suspects.

However, some companies give the weird logic that maintaining back-end logs is expensive; hence, we do not keep them. With the cheap data storage facilities available, the organizations are losing the best tool available to them for fraud detection.

The second risk of back-end logs is that the information security personnel can play havoc with it. For example, if they have participated in a fraud, they can remain undetected. The simple process employed by deviant information security personnel is to download the back-end log, tamper with it to remove their own access trail and in its place put some other employee’s information. This way when the fraud is investigated, the other employee becomes the suspect.

These are just a few examples on how lapses in information assurance increase the risk of frauds.

Recommendations

To ensure that the organization is adequately covering information assurance risks, do the following:

a)  Implement information assurance policies and procedures.

b)  Put a system in place to regularly monitor adherence and address exceptions

c)  Conduct ethical network hacking to assess security vulnerabilities

d)  Review all critical applications for controls and mitigate the major weaknesses.

e)  Segregate duties of information technology and information security personnel to ensure that they do not tamper with the application. Build in some checks to monitor their activities.

f)  Investigate all breaches and incidents to determine the root cause analysis and make the environment more secure

References:

The Cyber-Crime Black Market: Uncovered by Panda Security

To read more on Fraud Symptom series, click here

About these ads