Journal Online

Mitigating IT Vulnerabilities Provides Continual Fraud Prevention

alyssa G. Martin, CPa, is the Dallas executive partner and the firmwide partner in charge of the Risk Advisory Services group at Weaver and Tidwell LLP. With offices in Dallas, Fort Worth, Houston and San Antonio (Texas, USA), Weaver and Tidwell is ranked the largest independent certified public accounting firm in the Southwest US by Practical Accountant.

A bank clerk extracts customers personal and account information from a database and then sells the data. A production manager for a manufacturer improperly accesses the system to enter recurring service fees for a nonexistent vendor. Monthly disbursements are then made, with payments sent via electronic fund transfer to a bank account opened by the production manager. Everyday reliance upon technology makes it possible for these and so many other fraudulent schemes to unfold. The Computer Security Institute (CSI)s 2008 Computer Crime and Security Survey found that: Financial fraud ranked as the costliest type of IT incident, with an average reported cost of US $500,000 per incident.1 Twenty-five percent of respondents attributed up to 20 percent of IT-related financial losses to attacks from within their organizations, with 4 percent of respondents attributing at least 80 percent of those losses to inside sources.2 The survey was sent to 5,000 information security professionals and elicited responses from 522 practitioners, representing public and private sector organizations. Those entities ranged in size from fewer than 100 employees, to more than 50,000 employees. While the surveys primary purpose was to identify the most pressing security concerns facing IT professionals, its findings illustrate for all organizational leaders the intertwining of technology vulnerabilities and fraud threats. Technology presents so many opportunities for fraud to occur. Fortunately, technology also provides many opportunities to combat fraud. In a preventive role, technology enforces defined segregation of duties. It restricts access to IT systems and files, and limits the functions individuals may perform. Technology also helps organizations more promptly detect and respond to potential fraud incidents. In its 2008 Report to the Nation on Occupational Fraud and Abuse, the Association of Certified Fraud Examiners (ACFE) examined

959 cases of occupational fraud investigated by Certified Fraud Examiners (CFEs) between January 2006 and February 2008. The ACFE report found that a typical fraud scheme goes undetected for two years.3 So much is lost and never recovered once a fraudulent scheme starts. Continuous monitoring technology, however, alerts managers whenever any suspicious IT-related activity occurs, thereby limiting the damage that follows an initial incident of fraud. Organizations vary immensely in the specific IT systems they deploy, but the following universal concepts aid every entity in addressing and combating technology-related fraud. General Fraud Prevention it Controls Managements tone at the top serves as a fundamental deterrent against fraud. By continually emphasizing the importance of ethical behavior, management creates an internal culture where individuals value protecting the organization and its assets. That culture sustains all fraud prevention concepts and controls, including those related to IT functions and operations. While each organization is unique in the individual and collective IT components it uses, addressing the following general control needs provides continual deterrence against fraud: Logical security Change management Database administration Data storage Data encryption Logical Security How easily can an individual gain unauthorized access to an application, database, data warehouse, operating system, utility or other IT component to manipulate or extract data? Logical security measures address that concern. Firewalls and software for blocking spyware and viruses provide network perimeter security
ISACA JOURNAL VOLUME 4, 2009

against the more common broad-based external attacks, but still leave organizations vulnerable to more targeted attacks or internal threats. Virtual private networks (VPNs) provide further online security for transmitting crucial data. Various white-list approaches also allow only authorized applications to run on any hardware, offering additional defense against malware. Within the network, authorization and authentication policies that go beyond standard login/password practices provide greater security for crucial files and applications residing within a network. Passwords and logins required for authorization should require combinations of numbers, letters and special characters that cannot be easily guessed, with regular updating required. Personal authentication practices provide an additional layer of protection by requiring a person to prove he/she is indeed the rightful individual using an authorized password and login combination. Authentication measures include challenge questions that only the authorized individual can answer. Smart cards or portable electronic tokens store a personal identification number (PIN), digital signature, fingerprint or other form of unique identification information. Such authentication information transmits to a desktop PC, laptop or mobile device via a card reader, radio-frequency identification (RFID), USB port or Bluetooth wireless technology. User provisions align with individuals passwords and logins, and define what IT access rights individuals need to perform work-related duties. Those user provisions enable organizations to enforce defined segregation of duties as it relates to IT access needs. IT directories maintain employee groupings and the levels of IT access granted to each individual, based on assigned user provisions. When someone attempts to sign on to a server, application or other IT element, access is granted or denied based on the login, password and the user provision information contained in the IT directories. While user provisions and IT directories enforce segregations of duties, individuals may neglect to close a file or application when departing for lunch or some other reason. That leaves crucial data and functions vulnerable to unauthorized access. Automatic logoff controls close work screens following brief periods of inactivity.

Change Management To commit fraud, someone may install unauthorized software or make unapproved changes to an existing program, utility, operating system or other network component, thereby compromising or disabling automated security settings. Organizations need to adhere to sound change management policies regarding any IT installations or modifications. Various file integrity agents detect all changes made to a file, not just the most recent modification. Regularly comparing those findings to a log of authorized changes helps administrators more easily detect improper alterations. Database Administration Databases house crucial information that can lead to immense losses when altered or stolen. Database administration controls define and enforce individual action, object and constraint rights. An action includes insert, read, modify or delete responsibilities. Granting authorization for only work-required actions deters a customer service representative from, for example, inserting a record for a nonexistent vendor. Object limitations restrict the types of database records someone can access. With object restrictions, for example, a hospital marketing manager cannot access individual patients treatment records or other private information. Constraint restrictions assign limitations for authorized actions. Based on assigned constraints, an automotive parts distributors sales representative would face monetary restrictions in entering a line of credit total for a new customer. Data Storage Where do critical data reside? Are they on a workstation or laptop hard drive, on a secure or unprotected server, within a data warehouse, or in an offsite repository? Data storage considerations need to reflect the nature of the data, with more crucial information requiring more secure storage and tighter access restrictions. A spreadsheet file used for critical financial reporting processes, for example, needs to reside on a secure file server directory and be passwordprotected to limit the potential for unauthorized access or manipulation. A large organization may hold millions of nonpublic records not needed for everyday operations. Such data are protected by regulation and must be secured. A secure data warehouse may be an appropriate location if the information is used to generate

ISACA JOURNAL VOLUME 4, 2009

companywide reports. Data that need to be archived should reside in an offsite storage repository. Nonpublic information not needed for future purposes should be properly disposed of to alleviate potential security breach concerns. Data Encryption Various methods of data encryption assure that crucial information remains in an unusable format if access restriction controls fail. For online transmissions, Secure Sockets Layer (SSL) encryption is commonly used to keep any intercepted data from being read. Utilizing SSL or similar technologies within an organization likewise ensures that individuals cannot extract and then misuse crucial, nonpublic data. Data encryption technologies enable companies to protect vital information while retaining common file management practices. Within an automobile insurance company server, for example, data encryption secures thousands of policyholders drivers license numbers while maintaining the metadata and existing file system view. Such general IT controls provide a first line of defense against fraud. They also complement fraud prevention efforts required for the US Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI) Data Security Standards (DSS), and other compliance measures. These general controls are supplemented by application controls that serve in a preventive role and automated detective systems that immediately call out or suspend unusual or suspicious IT-related activities. adMinisterinG deFined seGreGation oF duties by iMPleMentinG aCCess restriCtions Segregation of duties is a crucial fraud prevention concept, and IT access restrictions need to align with the segregated work roles and responsibilities given to individuals. That alignment enables an organization to deploy application controls and other automated, preventive measures in the most effective manner. User provisions provide the foundation for establishing and enforcing segregation of duties within an organizations IT systems. The user provision defines what IT elements an individual needs to access to complete assigned work responsibilities. The user provision also incorporates the concept of least privilege, which restricts a persons IT access rights to only those components required to fulfill defined, segregated duties.

IT directories maintain employee groupings and the levels of IT access granted to each individual. When someone logs on to a server, application or other element, access is granted or denied based on the login, password and the user provision information contained in the IT directories. In conjunction with the IT directories, user provisions offer an automated means of ensuring that segregation of duties remains in place for all processes requiring IT access. Segregation of duties and corresponding IT access restrictions need to be applied to all financial, operational and IT tasks that present significant potential for fraudulent activity. iMPleMentinG aPPliCation Controls Application controls keep individuals from accessing all of the modules or functions needed to carry out a fraudulent transaction. Those controls keep a building material suppliers employee from authorizing, entering and issuing a refund or credit for goods that were never returned. For all internal processes, application controls help organizations maintain segregations of duties to protect data and other assets. Within a particular module, application controls block someone from viewing information not needed to complete an assigned duty. For an accounts receivable function, a work screen might show only a truncated version of customer credit card numbers. Application controls also enforce boundaries that keep employees from exceeding granted levels of authority. An organizational policy may restrict an equipment leasing companys employees from writing off overdue accounts above a specified balance without supervisory permission. If someone attempts to exceed that balance, the application automatically rejects that data entry. autoMated deteCtion For Potential inCidents oF Fraud Even with the best preventive measures, individuals may still find ways to commit fraud. Detective measures are important to deploy because IT controls cannot fully protect against collusion. Someone may misuse properly granted authorization. Someone else may share access information, while another individual may find some way to circumvent existing preventive controls. Various methods of detecting inappropriate or unexpected activity exist. Exception reports identify data anomalies or changes to protected data. Data analysis compares data sets to identify transactionsbased on rulesthat indicate incongruent or inappropriate activity.
ISACA JOURNAL VOLUME 4, 2009

Newer technologies also incorporate instant detection and notification capabilities. This eliminates the time lags, tedium and inconsistent practices associated with manual system log reviews. Database activity monitoring (DAM) systems, for example, continuously oversee all database activity. They enforce defined segregations of duties among database administrators and other users. They issue alerts whenever uncommon or improper activity occurs, such as an application user requesting multiple credit card numbers at one time. Security information and event management (SIEM) systems also automatically send notifications whenever unusual transactions, security infractions or other suspicious activities happen. SIEM oversight may cover a lone application or numerous programs, as well as servers and other IT components. Administrator-defined business rules and standards of normal IT activity determine when DAM or SIEM systems provide alerts. An alert may occur when someone spends too much time viewing a read-only file containing customer account numbers or when an individual attempts to save a crucial file to a USB drive. Managers may also get alerts when the volume of disbursements entered for a particular vendor exceeds normal quarterly averages or when an exceptionally high number of transactions is entered just before a financial reporting period closing. Screen shot files capture what someone was viewing when such actions were executed, and audit trail features document each entry made by an individual in question. Some systems also immediately suspend user activity whenever suspicious actions unfold. Such immediate detection eliminates the costly time lags and potentially inconsistent review practices associated with manually evaluating various IT logs to detect anomalies or exceptions. MaintaininG Continual viGilanCe Organizations face continual internal changes in personnel, processes and the IT systems used for everyday operations and analytical purposes. User provisions and related IT directories face continual revisions, as do defined segregations of duties. Potential financial gain continually prompts individuals to devise new plans for improperly accessing funds and crucial data.

Keeping pace with such change and providing optimal protection against fraud requires continual vigilance. When an IT incident occurs, it requires immediate investigation to determine the underlying cause and mitigate whatever vulnerabilities led to that incident. Such reviews also provide opportunities for evaluating the effectiveness of existing controls. Sustaining that vigilance takes money and time, but those cumulative costs are generally less than the expenses associated with just one incident of fraud discovery. The resources committed to fraud prevention and immediate detection function as a valuable form of insurancea form of insurance that saves so much potential expense, a form of insurance that provides peace of mind. reFerenCes Lumension, Sanctuary Application Control, 2009 Singelton, Tommie W.; What Every Auditor Should Know About Access Controls, Information Systems Control Journal, vol. 4, 2008 Ross, Steven J.; Managing Information Crises, Information Systems Control Journal, vol. 4, 2008 Mogull, Rich; Understanding and Selecting a Database Activity Monitoring System, The SANS Institute, 17 October 2008 Momento Security, Employee Fraud Stories, 2008 Adventone Pty Ltd., IntellinX-Activity Monitoring for SOX Compliance, 2008 Momento Security, Wachovia Transforms Its Fraud Detection Capabilities With Memento Security, 2008 Protiviti Inc., 2008 Internal Audit Capabilities and Needs Survey, 2008 RSA-The Security Division of EMC, 6 Best Practices for Preventing Enterprise Data Loss, 2008 RSA-The Security Division of EMC, RSA File Security Manager, 2008 PKWARE Inc., SecureZip Product Family, 2008 Protiviti Inc., Information Technology Configuration Management: Enabling IT Services and Assets, 2008

ISACA JOURNAL VOLUME 4, 2009

Stephenson, Brad; Preventing Identity Fraud in the Branch, Diebold Inc., 2006 Pacini, Carl; A Proactive Approach to Combating Fraud, Institute of Internal Auditors, April 2005 Shafer, Scott Tyler; Oversight Launches Fraud Prevention Software, InfoWorld, 22 March 2004 Dirven, William; Anthony Samer; David Taylor; Incident Response and Fraud InvestigationThe Role of the Information Technology Auditor, Protiviti Inc., 2003 The SANS Institute, Information Security Management Audit Checklist, 2003 Oliver, Derek J.; What to Audit and Why, Ravenswood Consultants Ltd. Winn, Thomas J., Jr.; Fraud DetectionA Primer for SAS Programmers, Texas State Auditors Office, USA endnotes 1 Richardson, Robert; 2008 Computer Crime and Security Survey, Computer Security Institute, 2008, p. 2 2 Ibid., p. 14 3 Association of Certified Fraud Examiners, 2008 Report to the Nation on Occupational Fraud and Abuse, 2008, p. 4

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal. Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors content. 2009 ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org
ISACA JOURNAL VOLUME 4, 2009