FRAUD AND OTHER THREATS - PowerPoint PPT Presentation

Description: Any behaviour by which one person intends to gain a ... impersonation of an authorised user. spoofing - tricking a user into believing you are computer ... – PowerPoint PPT presentation

Slides: 16
Provided by: rfmo

Transcript and Presenter's Notes

Title: FRAUD AND OTHER THREATS

1
FRAUD AND OTHER THREATS
  • FRAUD (Michael Comer, Corporate Fraud)
    Any behaviour by which one person intends to gain
    a dishonest advantage over another
  • SYSTEMS SECURITY
    The protection of the hardware, software and
    files of data from loss or damage (accidental or
    deliberate) and unauthorised access
  • QUALITY ASSURANCE (I Jackson, Corporate
    Information Management)
    The management of integrity by the establishment
    of organisational procedural controls such that
    the system will continue to perform according to
    specifications, and the data reflects the
    corporate world accurately.
  • 'Honesty hath no fence against superior cunning'
    - Swift, Gulliver's Travels
  • 'Fraud is like AIDS - neither victims nor
    perpetrators want to talk about it' - Levi,
    Police Review

2
IT AND MANAGEMENT: SECURITY AND FRAUD - WHAT IS
AT RISK
  • INVESTMENT IN THE SYSTEM - by sabotage,
    carelessness
  • FUNDS FROM EMBEZZLEMENT - by fraud,
    mismanagement
  • FUTURE INCOME AND PRODUCTIVITY - by loss of
    software, files
  • TRADE SECRETS - by data theft
  • LAWSUITS - political use of stolen data
  • REPUTATION - by unauthorised access to
    personnel files
  • PREVENTION IS BETTER THAN CURE, for both SECURITY
    and FRAUD

3
IT AND MANAGEMENT: SECURITY & FRAUD - WHO IS AT
RISK?
  • INDIVIDUALS
    - vulnerability due to ignorance
    - motivation of identity theft
    - criminal misuse of the system
    - accidental loss (eg kicking out the plug)
  • SMALL BUSINESSES tend to use packaged software
    - few staff with computer experience
    - unfamiliarity with control procedures
    - limited training/support
    - reluctance to use control procedures - costly/time consuming
    - limited opportunity for segregation of duties
      (especially in financial systems)
  • SMALL DEPARTMENTS - similar situation PLUS (for
    tailor made MIS)
    - inadequate program testing
    - danger of introducing wrong data to main system
    - uncritical acceptance of output
    - bad decision making (or worse)
    - management ignorance of dangers
    - no moves towards security
  • LARGE ORGANISATIONS - same again PLUS
    - industrial espionage
    - political/social grudge
    - technical challenge for hackers
    - more tempting rewards for thieves

4
IT AND MANAGEMENT: WHY COMPUTER SYSTEMS ARE AT
RISK
  • SPEED -> rapid availability & removal of
    proceeds
  • ACCESS -> remote, continuous and anonymous
  • VOLUMES -> easier transmission & concealment
  • AUTOMATION -> more difficult detection &
    apprehension
  • COMPLEXITY -> difficult to detect & understand

5
IT AND MANAGEMENT: FRAUD - THE JARGON
  • salami fraud - manipulation of large volumes of
    small amounts of money
  • scavenging - browsing computer memory (after a
    program run)
  • superzap - total destruction of a file/database
  • logic bomb/time bomb - triggering a program
    routine by logic or time
  • trojan horse - code in one program which can
    alter another
  • virus - a trojan horse which can propagate itself
  • piggy backing - impersonation of an authorised
    user
  • spoofing - tricking a user into believing you are
    the computer
  • trapdoor - exploiting development shortcuts in a
    program
  • data diddling - altering data being fed into the
    computer

6
IT AND MANAGEMENT: FRAUD - MAIN RISK AREAS
  • falsification/suppression of input - eg
    inflation of purchase invoice values, suppression
    of sales data
  • passive injection - eg invoices for non-existent
    goods, false expense claims, inventing
    non-existent employees
  • masterfile manipulation - eg temporary
    altering of a price prior to a transaction
  • manipulation of suspense accounts (rejections
    from normal processing cycle)
  • misuse of restricted facilities - eg copying
    utilities, debugging facilities
  • program patching - adding/altering routines
    to perform a task

Only about 10 reported to police; only about 1 in
30 lead to recovery of loss.
7
IT AND MANAGEMENT: TYPES OF FRAUD (50 CASES
ANALYSED) (Davis H E & Braun R L (2004),
Computer Fraud, CPA Journal, July)
8
IT AND MANAGEMENT: FRAUD - OTHER CHARACTERISTICS
(Davis H E & Braun R L (2004), Computer Fraud,
CPA Journal, July) - top; ICAEW (1990) - bottom
9
IT AND MANAGEMENT: PERPETRATORS OF FRAUD (Davis
H E & Braun R L (2004), Computer Fraud, CPA
Journal, July) - left; ICAEW - right
10
IT AND MANAGEMENT: FRAUD - MOTIVATION AND DETECTION
  • motivation
    - Personal Gain
    - Revenge (for real or imagined wrong)
    - Desire to "Beat the System"
    - Hackers may be beneficial - also boredom, fun,
      no malicious intent
    - Poor staff/management relations
    - Company ethos
    - Pressure from workmates
    - Vandalism
    - Fame - eg breaking into Prince Philip's
      electronic mailbox
    - Unintentional crime - student PRESTEL flowers
  • symptoms among employees
    - work a lot of overtime/take few holidays
    - unwilling to be promoted
    - exude unexpected affluence
    - drink/drugs/gambling problem or grudge
    - cultivate friendships in other departments
  • AND - look for undue incidence of
    - missing records
    - customer/supplier complaints
    - persistent stock shortages
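Two of the symptoms listed above ("undue incidence of missing records" and, from the main risk areas slide, "temporary altering of a price prior to a transaction") can be checked mechanically from data an accounting system already keeps. The following is an added example written for this transcript, not code from the slides or their author; the record layouts, field names and the sample ledger, audit trail and sales entries are all constructed for the example.

```python
"""Added example (not from the slides): two mechanical checks for fraud
symptoms named on these slides, run over constructed accounting data.

- 'undue incidence of missing records'  -> gaps in the invoice number sequence
- 'temporary altering of a price prior to a transaction' -> a master-file price
  edit that is reverted shortly afterwards and brackets a sale at the low price

Record layouts and field names are assumptions made for the example.
"""
from datetime import datetime, timedelta

# Constructed sales ledger: (invoice number, customer, value)
INVOICES = [
    (1001, "Acme", 250.00),
    (1002, "Bolt", 120.00),
    (1003, "Acme", 310.00),
    (1006, "Cray", 90.00),    # 1004 and 1005 never reached the ledger
    (1007, "Bolt", 410.00),
    (1012, "Acme", 55.00),    # 1008-1011 missing as well
]

# Constructed master-file audit trail: (timestamp, user, product, old price, new price)
PRICE_CHANGES = [
    (datetime(2024, 3, 4, 9, 0), "jsmith", "WIDGET", 100.0, 20.0),
    (datetime(2024, 3, 4, 9, 20), "jsmith", "WIDGET", 20.0, 100.0),   # reverted 20 min later
    (datetime(2024, 3, 5, 10, 0), "mjones", "GADGET", 50.0, 55.0),    # ordinary price rise
]

# Constructed sales transactions: (timestamp, product, unit price, quantity, user)
SALES = [
    (datetime(2024, 3, 4, 9, 10), "WIDGET", 20.0, 50, "jsmith"),   # sold at the temporary price
    (datetime(2024, 3, 4, 14, 0), "GADGET", 50.0, 3, "mjones"),
    (datetime(2024, 3, 5, 11, 0), "GADGET", 55.0, 2, "mjones"),
]


def missing_sequence_numbers(records):
    """Return the invoice numbers absent from an otherwise continuous sequence.

    A single gap is not proof of anything (a voided invoice leaves one too);
    the symptom is an undue number of them, so the caller judges the count.
    """
    numbers = sorted(r[0] for r in records)
    expected = set(range(numbers[0], numbers[-1] + 1))
    return sorted(expected - set(numbers))


def temporary_price_changes(changes, sales, window=timedelta(hours=2)):
    """Flag price edits that were reverted within `window` and bracket a sale.

    Returns one finding per edit/revert pair, with the number of bracketed
    sales and the revenue given up relative to the original price.
    """
    changes = sorted(changes)          # tuples sort by timestamp first
    findings = []
    for i, (t1, user, product, old, new) in enumerate(changes):
        # the revert is a later change on the same product that swaps the prices back
        revert = next((c for c in changes[i + 1:]
                       if c[2] == product
                       and (c[3], c[4]) == (new, old)
                       and c[0] - t1 <= window), None)
        if revert is None:
            continue
        t2 = revert[0]
        bracketed = [s for s in sales if s[1] == product and t1 <= s[0] <= t2]
        if bracketed:
            findings.append({
                "product": product,
                "changed_by": user,
                "sales": len(bracketed),
                "value_at_risk": round(sum((old - s[2]) * s[3] for s in bracketed), 2),
            })
    return findings


if __name__ == "__main__":
    print("missing invoice numbers:", missing_sequence_numbers(INVOICES))
    for f in temporary_price_changes(PRICE_CHANGES, SALES):
        print("temporary price change:", f)
```

Both checks only raise a symptom, which is what the slide asks for: the gap list goes to whoever keeps the invoice register, and the price finding names the user who made the edit so the audit trail itself can be reviewed.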

11
IT AND MANAGEMENT: THE RANGE OF THREATS TO A
SYSTEM
  • physical environment - Fire, Explosion, Lightning,
    Power, Water, Sabotage
  • hardware - Processor, RAM, Disk Crash, Power
    Supply, Monitor, Data files
  • operating system - Bugs, Access Control
  • applications programs - Bugs
  • communications - Errors, Data Loss, Eavesdropping
  • privacy - Personal data, Corporate data

12
IT AND MANAGEMENT: PRACTICAL STEPS TO REDUCE RISKS
(ICAEW)
  • completeness/accuracy of data - Masterfiles,
    Transactions
  • file storage/backup - Data, Programs. HOW??
  • documentation of procedures - Why? What? For whom?
  • security of computers/data - Physical access.
    Protection. Encryption. Belt & Braces
  • maintenance - Level of protection? How?
  • insurance - Environment. Equipment. Profits. 3rd
    party. Malicious damage
  • contingency planning - Testing. Disaster Planning

13
IT AND MANAGEMENT: DESIGN AND SECURITY
  • company policy - Security Officer? Staff training?
  • quality assurance - Documented systems procedures.
    Standards enforcement. Modifications process
  • auditor consultation - Audit trails. Policy
    reviews. Training advice. Techniques.
  • BUT
    - how close?
    - Quis custodiet ipsos custodes?
    - role of external auditors?

14
IT AND MANAGEMENT: MANAGEMENT STRATEGIES -
RISK MANAGEMENT APPROACH (I Jackson)
  • objectives
    - The computer system will be operational when
      required
    - The data will be accurate
    - Access to resources will be controlled
  • components of risk management
    - Establish a threat team (MIS, User, Mgt)
    - Identify & prioritise the risks (risk types,
      asset values)
    - Measure the risks (expected loss = cost of loss
      x probability)
    - Control the risks (select countermeasure:
      direct or insurance; reduce to acceptable level)
    - Conduct periodic review (checklist)
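The risk-management steps above (measure as expected loss = cost of loss x probability, prioritise, select a direct countermeasure or insurance, reduce to an acceptable level, review periodically) can be carried through on a small register. The following is an added example written for this transcript, not code from the slides or from I Jackson; the register entries, the costs, probabilities and the acceptable-loss target are constructed figures, and the rule for choosing between options (cheapest total annual cost among those that meet the target) is an assumption of the example rather than something the slide prescribes.

```python
"""Added example (not from the slides): a small risk register that applies the
risk-management steps on this slide - measure each risk as expected loss
(cost of loss x probability), prioritise, then choose a countermeasure
(direct control, insurance, or accept) that brings the residual expected loss
to an acceptable level at the lowest total annual cost.

All figures are constructed for the example, not taken from the slides.
"""
from dataclasses import dataclass, field


@dataclass
class Countermeasure:
    name: str
    annual_cost: float            # what the control or premium costs per year
    residual_probability: float   # chance per year the loss still occurs
    residual_loss: float          # loss still borne when it does (insurance lowers this)

    def residual_expected_loss(self):
        return self.residual_probability * self.residual_loss


@dataclass
class Risk:
    name: str
    cost_of_loss: float
    probability: float            # per year, before any countermeasure
    options: list = field(default_factory=list)

    def expected_loss(self):
        return self.cost_of_loss * self.probability


# Constructed register for a small accounts department
REGISTER = [
    Risk("disk crash loses sales ledger", 200_000, 0.05, [
        Countermeasure("nightly backup", 3_000, 0.05, 5_000),      # crash still happens, a day's re-keying
        Countermeasure("loss insurance", 4_000, 0.05, 50_000),     # excess and uninsured downtime
    ]),
    Risk("salami fraud in payroll", 40_000, 0.10, [
        Countermeasure("separation of duties", 1_500, 0.02, 40_000),
    ]),
    Risk("lightning damages server", 15_000, 0.01, [
        Countermeasure("surge protection", 500, 0.001, 15_000),
    ]),
]


def prioritise(risks):
    """Highest expected loss first."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def choose_countermeasure(risk, acceptable_loss):
    """Return (option name, total annual cost, residual expected loss).

    'accept' (do nothing) is always a candidate.  Among candidates whose
    residual expected loss is within acceptable_loss, pick the cheapest total
    (control cost + residual expected loss); if none qualifies, pick the one
    with the lowest residual so the gap to the target is as small as possible.
    """
    candidates = [("accept", 0.0, risk.expected_loss())]
    candidates += [(o.name, o.annual_cost, o.residual_expected_loss()) for o in risk.options]
    within = [c for c in candidates if c[2] <= acceptable_loss]
    best = (min(within, key=lambda c: c[1] + c[2]) if within
            else min(candidates, key=lambda c: c[2]))
    return best[0], round(best[1] + best[2], 2), round(best[2], 2)


def risk_review(risks, acceptable_loss):
    """One row per risk, in priority order: the periodic-review checklist."""
    return [(r.name, round(r.expected_loss(), 2), *choose_countermeasure(r, acceptable_loss))
            for r in prioritise(risks)]


if __name__ == "__main__":
    for row in risk_review(REGISTER, acceptable_loss=1_000):
        print(row)
```

The review is worth re-running whenever an asset value or a probability estimate changes: the lightning example shows why, since at these figures accepting the risk is cheaper than the control, but a larger server or a worse site would tip the answer the other way.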

15
IT AND MANAGEMENT: MANAGEMENT STRATEGIES -
PERSONNEL APPROACH (I Jackson)
  • assumption: a people problem requires a
    people-oriented approach
  • Protection of people
    - protection of the environment
  • Protection from people
    - separation of duties
    - auditing
    - access controls
    - policy (need to know v info sharing)
  • Personnel management
    - staff morale, working conditions (reduce
      motivation for fraud)
    - selection/recruitment/training
    - career development, grievance procedures,
      enforced leave, job rotation
  • Contingency planning
    - disaster planning/recovery
    - plan the recovery procedures
    - budget
    - top management commitment
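Two of the "protection from people" items above, separation of duties and enforced leave, can be checked against a role register. The following is an added example written for this transcript, not code from the slides or from I Jackson; the user-to-duty assignments, the list of incompatible duty pairs (each annotated with the risk area from the earlier slide that it guards against) and the leave dates are constructed for the example, and the 365-day leave threshold is an assumption.

```python
"""Added example (not from the slides): two checks behind the 'protection from
people' items on this slide - separation of duties, and enforced leave.

Role assignments, the list of incompatible duties and the leave dates are all
constructed for the example; the 365-day leave threshold is an assumption.
"""
from datetime import date

# Constructed: which system functions each user may perform
ASSIGNMENTS = {
    "alice": {"create_vendor", "approve_payment"},
    "bob":   {"enter_invoice"},
    "carol": {"create_vendor"},
    "dave":  {"edit_price_master", "enter_sale"},
    "erin":  {"approve_payment", "reconcile_bank"},
}

# Pairs of duties no one person should hold, with the fraud each combination enables
INCOMPATIBLE_DUTIES = [
    ("create_vendor", "approve_payment"),    # invent a supplier and pay it (passive injection)
    ("enter_invoice", "approve_payment"),    # invoice for non-existent goods and approve it
    ("edit_price_master", "enter_sale"),     # temporary price change before a sale
    ("approve_payment", "reconcile_bank"),   # pay, then hide it in the reconciliation
]

# Constructed: last day of leave taken by each user, and the date of this review
LAST_LEAVE = {
    "alice": date(2023, 2, 1),
    "bob":   date(2024, 1, 15),
    "carol": date(2023, 11, 3),
    "dave":  date(2022, 12, 20),
    "erin":  date(2024, 2, 28),
}
REVIEW_DATE = date(2024, 3, 1)


def separation_violations(assignments, incompatible):
    """Return (user, duty_a, duty_b) for every incompatible pair one user holds."""
    return sorted(
        (user, a, b)
        for user, duties in assignments.items()
        for a, b in incompatible
        if {a, b} <= duties
    )


def overdue_for_leave(last_leave, today, max_days=365):
    """Users who have not taken leave within max_days.

    Enforced leave means someone else performs the duties for a while, which
    is when a fraud that needs daily attention tends to surface.
    """
    return sorted(u for u, d in last_leave.items() if (today - d).days > max_days)


def review(assignments, incompatible, last_leave, today):
    """Combine the two: a violation held by someone who also never takes leave
    is the case to look at first.  Each row is (user, duty_a, duty_b, overdue)."""
    overdue = set(overdue_for_leave(last_leave, today))
    return [(u, a, b, u in overdue)
            for u, a, b in separation_violations(assignments, incompatible)]


if __name__ == "__main__":
    for row in review(ASSIGNMENTS, INCOMPATIBLE_DUTIES, LAST_LEAVE, REVIEW_DATE):
        print(row)
```

Where a small business cannot split the duties (the "limited opportunity for segregation of duties" point from the who-is-at-risk slide), the violation list becomes the list of places where a compensating control, such as a second person reviewing the audit trail, is needed instead.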