Fraud Management - Technology Perspective (45 mins)

Upload: irfan-mulla

Post on 07-Jan-2016


DESCRIPTION

Technology Fraud Prevention

TRANSCRIPT

Network Intelligence India Pvt. Ltd.

Information Technology Fraud Prevention & Investigation
K. K. Mookhey, PCI QSA, CISA, CISSP, CISM, CRISC

Agenda
Real-world Case Studies
Lessons Learnt
Fraud Risk Management
Fraud Investigation
Conclusions
Q&A

Speaker Profile - K. K. Mookhey
Principal Consultant at Network Intelligence
Over 12 years of experience in Fraud Risk Assessments, IT Governance, Risk Management & Compliance, IT Controls Reviews, Application Security Consulting, and Computer Forensics
Certifications: Member of ACFE, Payment Card Industry (PCI) QSA, Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC)
Speaker at Blackhat, Interop, IT Underground
Author of two books and dozens of articles for ISACA, IIA, and other publications

Case Study 1: Corporate Espionage
Targeting and Exploitation Cycle

It could be in your backyard!
Shoulder surfing
Phishing
Fake Book

Solutions
Increasing user awareness
Strong policies against misuse of end-point systems
Strong monitoring controls
Personnel security controls
Run social engineering tests as part of your audits

Case Study 2: Cyber-Crime and $$$

The biggest hack in history
How to build a multinational multi-billion dollar enterprise overnight!

Gonzalez, TJX and Heart-break-land
>200 million credit card numbers stolen
Heartland Payment Systems, 7-Eleven, and 2 US national retailers hacked

Modus operandi
Visit retail stores to understand workings
Hack wireless networks
Analyze websites for vulnerabilities
Hack in using SQL injection
Inject malware
Sniff for card numbers and details
Hide tracks

The hacker underground
Albert Gonzalez, a/k/a segvec, a/k/a soupnazi, a/k/a j4guar17
Malware, scripts and hacked data hosted on servers in: Latvia, Netherlands, Ukraine, New Jersey, California
IRC chats:
March 2007: Gonzalez "planning my second phase against Hannaford"
December 2007: Hacker P.T. "that's how [HACKER 2] hacked Hannaford."

TJX direct costs
$24 million to Mastercard
$41 million to Visa
$200 million in fines/penalties

Solutions
A single vulnerability in an Internet-facing web application could lead to disaster
Blind reliance on technology based on product/vendor reputation is a bad idea
Strong logging controls
Fraud risk assessment is different from a regular audit
Think like a fraudster to identify fraudulent areas and implement adequate controls
Concurrent monitoring via ACL or BI tools is also important
Identify red flags and put in place systems to monitor for these
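The modus operandi above lists "Hack in using SQL injection", and the Solutions slide warns that a single vulnerability in an Internet-facing web application can lead to disaster. The following is an added example, not code from the deck or from Network Intelligence: a customer lookup built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table. The schema, the sample rows, the hostile input, and the function names are assumptions made for illustration.

```python
import sqlite3

# Constructed in-memory table standing in for a retailer's customer lookup
# (schema and rows are assumptions for illustration, not from the deck).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [
            ("alice@example.test", "1234"),
            ("bob@example.test", "5678"),
            ("carol@example.test", "9012"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    # The request value is spliced into the SQL text, so a value containing a
    # quote character changes the query's structure, not just its data.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # The value is bound as a parameter: the driver never parses it as SQL,
    # so the same input is compared literally and matches nothing.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(email):
    """Row counts returned by both lookups for one input value."""
    conn = build_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, email)),
        "parameterized": len(lookup_parameterized(conn, email)),
    }


if __name__ == "__main__":
    print("benign:", compare("alice@example.test"))
    # Constructed input with a quote and a tautology: the kind of value an
    # input-validation layer or web application firewall should reject and log.
    print("hostile:", compare("x' OR '1'='1"))
```

For a normal address both lookups return one row. For the constructed hostile value the concatenated query becomes `WHERE email = 'x' OR '1'='1'` and returns every card record, while the bound-parameter query returns none. Parameterization is the preventive control; the audit counterpart is reviewing Internet-facing code for string-built queries, and the detection counterpart is the strong logging the Solutions slide asks for, so that queries returning the whole table to a single web request stand out.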

Leveraging Technology
Data Leakage Prevention
Information Rights Management
Email Gateway Filtering
Security & Controls by Design
Identity & Access Control Management
Encryption
Business Intelligence Solutions
Revenue Assurance & Fraud Management Solutions

Before we get to the technology

Managing Fraud Risk

Technology Red Flags
Systems crashing
Audit trails not available
Mysterious system user IDs
Weak password controls
Simultaneous logins
Across-the-board transactions
Transactions that violate trends: weekends, excessive amounts, repetitive amounts
Reluctance to take leave or accept input/help
Reluctance to switch over to a new system

IT & Fraud Risks

Fraudulent Financial Reporting
Unauthorized access to accounting applications: Personnel with inappropriate access to the general ledger, subsystems, or the financial reporting tool can post fraudulent entries.
Override of system controls: General computer controls include restricted system access, restricted application access, and program change controls. IT personnel may be able to access restricted data or adjust records fraudulently.

Misappropriation of Assets
Theft of tangible assets: Individuals who have access to tangible assets (e.g., cash, inventory, and fixed assets) and to the accounting systems that track and record activity related to those assets can use IT to conceal their theft of assets.
Theft of intangible assets: Given the transition to a services-based, knowledge economy, more and more valuable assets of organizations are intangibles such as customer lists, business practices, patents, and copyrighted material.

Corruption
Misuse of customer data: Personnel within or outside the organization can obtain employee or customer data and use such information to obtain credit or for other fraudulent purposes.

Takeaways & Conclusions
Technology can be a double-edged sword
Risks from the introduction of new technologies should be fully assessed
Technological solutions should be fully embraced to help address security and fraud challenges
But the absence of a strong policy and process framework can render even the strongest technologies completely useless!
People should be adequately trained and user awareness should be constantly addressed.
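The Solutions slide for Case Study 2 calls for concurrent monitoring and for systems that watch for red flags, and the Technology Red Flags slide above lists several of them: mysterious system user IDs, simultaneous logins, and transactions that violate trends (weekends, excessive amounts, repetitive amounts). As an added example that is not part of the deck and not Network Intelligence's code, the following Python turns those red flags into detection rules run over a constructed event log. The log format, the HR roster, the thresholds, and the function names are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log (not from the deck). Each line is
# "<ISO timestamp> <login|txn> key=value ...".
SAMPLE_LOG = """\
2016-01-04T09:02:00 login user=asmith ip=10.1.1.20
2016-01-04T09:05:00 login user=asmith ip=10.1.7.88
2016-01-04T10:00:00 txn user=asmith amount=1200.00
2016-01-04T10:30:00 txn user=asmith amount=950.00
2016-01-05T11:00:00 txn user=bjones amount=4999.00
2016-01-05T11:10:00 txn user=bjones amount=4999.00
2016-01-05T11:20:00 txn user=bjones amount=4999.00
2016-01-06T14:00:00 login user=cwhite ip=10.1.1.30
2016-01-09T23:40:00 txn user=sysadm2 amount=150000.00
"""

# Constructed HR roster: any user ID outside it is a "mysterious system user ID".
KNOWN_USERS = {"asmith", "bjones", "cwhite"}


def parse_log(text):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["ts"] = datetime.fromisoformat(ts)
        event["kind"] = kind
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def find_red_flags(events, session_window=timedelta(hours=8),
                   amount_limit=50000.0, repeat_threshold=3):
    """Return (rule, user, detail) tuples for each red flag found.

    The thresholds are assumptions; a real deployment tunes them per system.
    """
    flags = []
    logins = defaultdict(list)                             # user -> [(ts, ip), ...]
    amount_counts = defaultdict(lambda: defaultdict(int))  # user -> amount -> count
    for e in events:
        user = e["user"]
        # Mysterious system user IDs: activity by an ID that HR does not know.
        if user not in KNOWN_USERS:
            flags.append(("unknown_user", user, e["ts"].isoformat()))
        if e["kind"] == "login":
            # Simultaneous logins: same user, different source IP, inside one session window.
            for prev_ts, prev_ip in logins[user]:
                if prev_ip != e["ip"] and e["ts"] - prev_ts < session_window:
                    flags.append(("simultaneous_login", user, f"{prev_ip} and {e['ip']}"))
            logins[user].append((e["ts"], e["ip"]))
        elif e["kind"] == "txn":
            amount = float(e["amount"])
            # Transactions that violate trends: posted on a weekend (Saturday=5, Sunday=6).
            if e["ts"].weekday() >= 5:
                flags.append(("weekend_transaction", user, e["ts"].isoformat()))
            # Excessive amounts: above the posting limit for the system.
            if amount > amount_limit:
                flags.append(("excessive_amount", user, amount))
            # Repetitive amounts: the same figure posted repeatedly by one user.
            amount_counts[user][amount] += 1
            if amount_counts[user][amount] == repeat_threshold:
                flags.append(("repetitive_amount", user, amount))
    return flags


def summarize(flags):
    """Count flags per rule, the shape a concurrent-monitoring report would use."""
    counts = defaultdict(int)
    for rule, _, _ in flags:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_red_flags(parse_log(SAMPLE_LOG))
    for rule, user, detail in found:
        print(f"{rule:20} {user:10} {detail}")
    print(summarize(found))
```

On the constructed log the rules raise one flag each: asmith logging in from two addresses three minutes apart, bjones posting the same 4999.00 three times, and the unknown ID sysadm2 posting 150000.00 on a Saturday night, which trips the unknown-user, weekend and excessive-amount rules at once. The rules are deliberately simple so that they can run concurrently against an audit trail in an ACL or BI tool; the point of the deck's "identify red flags" advice is that each flag is a prompt for a fraud-focused review, not a verdict on its own.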

Takeaways
Governance: Policies, Procedures and Organizational Framework
Application Controls
Infrastructure Controls: Server, Network, End-point
Technological Controls for Fraud Detection, Prevention and Data Security
Training & Awareness
Fraud-focused Reporting
Audit Trail & Forensics

Conclusions

Q&A

Thank you!

K. K. Mookhey
Founder & Principal
[email protected]
@kkmookhey
http://in.linkedin.com/kkmookhey
