IT Security for Fraud Investigation and Prevention - PowerPoint PPT Presentation

1
IT Security for Fraud Investigation and
Prevention
  • Nikolai Samodaev
  • Maxim Malezhin
  • Ernst & Young
  • Technology and Security Risk Services

2
Agenda
  • Introduction
  • Computer crimes
  • Examples of computer fraud
  • Reactive measures
  • Proactive measures
  • Q & A

3
Introduction
  • Computer crimes are increasing
  • Many crimes are never detected or reported
  • Computer crimes result in billions of dollars in
    losses to companies in the worldwide economy
  • Computer crimes fall into two main categories
    • crimes committed against the computer
    • crimes using the computer

4
Unauthorised use of computer systems

5
Most critical IT security issues

6
Losses from insider threats

7
Examples of computer crimes
  • Insider crimes / fraud
  • Employee misconduct
  • Hacking / cracking
  • Network intrusion
  • Computer viruses
  • Blackmail
  • Industrial espionage

8
Types of computer fraud
  • Fraud by computer manipulation
    • Input manipulation
    • Program or data manipulation
    • Output manipulation
  • Fraud by damage to or modification of computer
    data or programs
  • Economic/Competitive advantage
  • Theft of data or programs
  • Holding data for blackmail
  • Sabotage

9
Common fraud schemes
  • Internal
    • Billing schemes
    • Inventory fraud
    • Payroll fraud
    • Skimming/salami techniques
    • Check tampering
    • Register schemes
  • External
    • Telecommunications fraud
    • Hacking
    • Internet fraud
    • Software piracy

10
Reactive measures
  • Computer forensics
    • collecting information from and about computer
      systems
  • Journal Entry Testing
    • responds to revised ISA-240 requirements
    • includes an additional review of the bookkeeping
      records
    • may discover fraudulent actions by management or
      employees

11
Computer forensic evidence that can be found
  • All existing data in the computer's directory
    structure
  • Deleted files not yet overwritten by the
    operating system
  • Deleted e-mails
  • Pages recently printed on the suspect's printer
  • Renamed files

12
Computer forensic evidence that can be found
  • Application software
  • Specific words, numbers, etc.
  • Recently accessed web sites
  • Passwords to commonly used programs/websites
  • Password protected files

13
Computer forensic main stages
  • Stage 1. Search and seizure
    • Control the scene, suspects, etc.
    • Identify evidence
  • Stage 2. Processing the scene
    • Document
    • Take photos
    • Label evidence
  • Stage 3. Preserving the evidence
    • Make an image of hard drives
  • Stage 4. Evidence examination
    • Find the needle

14
Journal entry testing
EY response
Management is in a unique position to perpetrate
fraud because of its ability to directly or
indirectly manipulate accounting records and
prepare fraudulent financial statements by
overriding established controls that otherwise
appear to be operating effectively.
  • Reviewing estimates for evidence of management
    bias
  • Evaluating unusual transactions
  • Testing Journal Entries

(Diagram labels: Management; Client Business Subject to Risk of Management Fraud; FSCP; Controls; Business Processes)

15
Preventive measures (examples)
  • Security policy
  • Data classification
  • Access control
  • Segregation of duties
  • Change control

16
Data classification
  • Sensitivity
    • Sensitivity is the characteristic of an asset
      which implies its value to the organization using
      it, and the asset's vulnerability to accidental or
      deliberate threats.
  • Criticality
    • Criticality is a subjective or objective measure
      of the degree to which an organization depends on
      the continued availability of the system or data
      to conduct its normal operations.

17
Segregation of duties (examples)
  • The principal incompatible duties to segregate
    are
    • custody of assets
    • authorization or approval of related transactions
      affecting those assets
  • Examples of incompatible IT duties
    • Individuals requesting program development or
      program change
    • Individuals who program the development or
      changes
    • Individuals who manage the movement of the
      programs, primarily in and out of production
    • Individuals who monitor program development and
      changes

18
Access control
  • The objective of logical access controls is to
    ensure that only authorized persons and
    applications have access to data, and to perform
    specifically defined functions.
  • Examples
    • Formal policies and procedures to define approach
      to system security.
    • Users are assigned unique accounts.
    • Adequate passwords are required.
    • Administrator rights are assigned to a limited
      number of individuals who require those rights to
      perform their job duties.

19
Change Control
  • The objective of the program change controls is
    to ensure that all changes to applications are
    properly authorized, tested, and approved before
    implementation.
  • Examples
    • Program changes are
      • Introduced based on formal requests
      • Standardized
      • Logged
      • Approved
      • Documented
      • Subject to formal change management procedures
    • Emergency changes are documented and subject to
      formal change management procedures.
    • Migration of programs to production is performed
      by authorized individuals only.
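
Added example (not part of the presentation, and not Ernst & Young's code): a small review script that applies the segregation-of-duties slide (the four incompatible IT duties: requesting, programming, migrating, monitoring a change) together with the change-control examples above (approved and tested before implementation, migration by authorized individuals only) to a constructed change log. The record layout, the user names and the list of authorized migrators are assumptions made for the example.

```python
from dataclasses import dataclass
from itertools import combinations

# The four incompatible IT duties named on the segregation-of-duties slide.
DUTIES = ("requested_by", "developed_by", "migrated_by", "monitored_by")
# Constructed sample: the only people allowed to move code into production.
AUTHORIZED_MIGRATORS = {"ops.lee", "ops.khan"}

@dataclass
class Change:
    """One change record; the field names are an assumption for this example."""
    change_id: str
    requested_by: str
    developed_by: str
    migrated_by: str
    monitored_by: str
    approved: bool
    tested: bool

def findings(change: Change) -> list[str]:
    """Return the control violations for one change (empty list means clean)."""
    issues = []
    # Segregation of duties: no single person may hold two of the four duties.
    for a, b in combinations(DUTIES, 2):
        if getattr(change, a) == getattr(change, b):
            issues.append(f"{a} and {b} both held by {getattr(change, a)}")
    # Change control: approved and tested before implementation.
    if not change.approved:
        issues.append("not approved")
    if not change.tested:
        issues.append("not tested")
    # Migration to production by authorized individuals only.
    if change.migrated_by not in AUTHORIZED_MIGRATORS:
        issues.append(f"migrated by unauthorized user {change.migrated_by}")
    return issues

def review(changes: list[Change]) -> dict[str, list[str]]:
    """Map change_id -> findings, listing only changes with at least one."""
    return {c.change_id: f for c in changes if (f := findings(c))}

# Constructed sample change log (not from the presentation).
SAMPLE = [
    Change("CHG-1", "biz.ana", "dev.rao", "ops.lee", "audit.ng", True, True),
    Change("CHG-2", "dev.rao", "dev.rao", "dev.rao", "audit.ng", True, False),
    Change("CHG-3", "biz.ana", "dev.ivo", "ops.lee", "audit.ng", False, True),
]

if __name__ == "__main__":
    for cid, issues in review(SAMPLE).items():
        print(cid, "->", "; ".join(issues))
```

CHG-2 is the case the slides warn about: the developer also requested and migrated the change, so one person controlled the change end to end, and the entry was never tested.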

20
Questions & Answers
  • Nikolai Samodaev, CISA, MBCI
  • Senior Manager
  • Nikolai.Samodaev_at_ru.ey.com
  • Maxim Malezhin, CISA, CISSP
  • Senior Consultant
  • Maxim.Malezhin_at_ru.ey.com