Page 1: Preventing IT Fraud: You (and Your Employees) are the Weakest Link!

Presented by Nick DeLena, CISA, CRISC, MBA, Senior Manager, IT Audit
O’Connor & Drew P.C., [email protected]

Page 2: Agenda

• IT fraud threat vectors
  ▫ Internal & external
• Why is everyone getting hacked?
• What can we do about it?

Page 3: IT fraud threat vectors

• Internal threats
  ▫ IT staff buying extra hardware and software and…
    – Reselling it on auction sites,
    – Returning it for cash or credit, or
    – Keeping it for personal use

Page 4: IT fraud threat vectors

• Internal threats
  ▫ Using corporate resources for personal use
    – Running seedy websites
    – Peer-to-peer file sharing

Page 5: IT fraud threat vectors

• Internal threats with external partners
  ▫ Paying more for items or buying unneeded upgrades from 3rd party
    – IT staff gets a kickback

Page 6: IT fraud threat vectors

• External threat
  ▫ Hackers (white/gray/black hat)
  ▫ Script kiddies
  ▫ Hacktivists
  ▫ State-sponsored
  ▫ Corporate espionage
  ▫ Terrorism

Page 7: IT fraud threat vectors

• CIA Dir. John Brennan hack
  ▫ “Hey it’s CWA.”
  ▫ “What do you want?”
  ▫ “2 trillion dollars hahaha, just joking”
  ▫ “How much do you really want?”
  ▫ “We just want Palestine to be free and for you to stop killing innocent people.”

Page 8: Why do we keep getting hacked?

• Three reasons:
  ▫ PII including credit cards
  ▫ Target of opportunity
  ▫ “Hacktivism”

Page 9: Why do we keep getting hacked?

• Three reasons:
  ▫ Companies or Nation States want the info we have
  ▫ Intellectual property / Research
  ▫ Recently, physical harm

Page 10: Why do we keep getting hacked?

• Three reasons:
  ▫ Target of opportunity
    – Casting a wide net
    – Let’s see who we pick up
    – The thief who tries every door, just to find the open car

Page 11: Why do we keep getting hacked?

• Three reasons:
  ▫ Hacktivism
    – Payback for a perceived wrong
    – Anonymous
    – Fight against ISIS
    – Environmental - dieselgate?

Page 12: We are really, REALLY, bad at security

• Most popular passwords in 2014:
  ▫ 123456
  ▫ password
  ▫ 12345
  ▫ 12345678
  ▫ qwerty

Page 13: We are really, REALLY, bad at security

• Our teams find:
  ▫ 50% of assessments have the “Crown Jewels” by 9:30am
  ▫ 100% of assessments have the “Crown Jewels” by lunch time

ON MONDAY

Page 14: How are they doing it?

Page 15: How are they doing it?

Page 16: How are they doing it?

• Recon
  ▫ LinkedIn
  ▫ Twitter
  ▫ FaceBook
  ▫ theHarvester

Page 17: How are they doing it?

• Recon
  ▫ LinkedIn
  ▫ Twitter
  ▫ FaceBook
  ▫ theHarvester

Page 18: How are they doing it?

• Spam
• Phishing
• Spear Phishing
• Whaling
• Watering hole attack

Page 19: How are they doing it?

• Some examples of Phishing
  ▫ Emails from people you know claiming to be stranded in a foreign country, asking you to wire money so that they can travel home.
  ▫ Emails claiming to be from reputable news organizations capitalizing on trending news. These emails generally ask recipients to click a link to read the full story, which in turn leads the user to a malicious website.
  ▫ Emails claiming to be from organizations like the FTC and FDIC, referencing complaints filed or asking recipients to check their bank deposit insurance coverage.
  ▫ Emails from your bank, asking you to change your username and password.

Page 20: Phishing

• Home Attacks

Page 21: Phishing

• Home Attacks

Page 22: Phishing

• Home Attacks
  ▫ Links on your phone are especially dangerous.
  ▫ You often cannot “hover over” the link.

How many errors can you spot?

Page 23: Phishing

• Home Attacks
  ▫ Links on your phone are especially dangerous.
  ▫ You often cannot “hover over” the link.

Page 24: Phishing

• Home Attacks
  ▫ Links on your phone are especially dangerous.
  ▫ You often cannot “hover over” the link.

http://bit.ly/1WB0vwF
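The desktop “hover over the link” check done programmatically over an HTML email body, as an added example that is not from the slides: it lists each link's visible text beside its real href and flags shortened URLs (which hide the destination, as on the slide), visible text that names one site while the href goes to another, and raw-IP destinations. The shortener list and the sample message are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Assumed shortener list for the demo; extend it for your own environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}
# Something that looks like a domain inside the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def host_of(url):
    """Lower-cased host of a URL, or '' if it has none (mailto:, relative)."""
    return (urlsplit(url).hostname or "").lower()

def same_site(a, b):
    """True when two hosts share their last two labels (www.bank.example vs bank.example)."""
    return a.split(".")[-2:] == b.split(".")[-2:] if a and b else False

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def inspect_links(html):
    """Return (text, href, verdict) per link: what a hover would show on a desktop."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        target = host_of(href)
        shown = DOMAIN_RE.search(text)
        if target in SHORTENERS:
            findings.append((text, href, "shortened URL hides real destination"))
        elif shown and not same_site(shown.group(1).lower(), target):
            findings.append((text, href, "visible text names a different site than href"))
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            findings.append((text, href, "href points at a raw IP address"))
        else:
            findings.append((text, href, "ok"))
    return findings

# Constructed sample message body, not a real email.
SAMPLE = """<p>Your account needs attention.</p>
<a href="http://secure-login.example.net/reset">https://www.bank.example</a><br>
<a href="http://bit.ly/EXAMPLE">Read the full story</a><br>
<a href="https://www.bank.example/help">www.bank.example/help</a>"""

if __name__ == "__main__":
    for text, href, verdict in inspect_links(SAMPLE):
        print(f"{verdict:45} {text!r} -> {href}")
```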

Page 25: Phishing

• Work Attacks

Page 26: Spear-Phishing

• Targeting Attacks

Page 27: Spear-Phishing & Watering hole

• Targeting Attacks

Page 28: Then what?

• Backdoor

Page 29: Exfiltration

Page 30: What can we do about it?

• Internal threats
  ▫ Learn the IT basics
  ▫ Trust, but verify
  ▫ Asset management
  ▫ 3rd party reviews

Page 31: What can we do about it?

• External threats
  ▫ END USER EDUCATION
  ▫ Perimeter security
  ▫ Desktop security
  ▫ FTC?

Page 32: What can we do about it?

• End user education
  ▫ Awareness is key
  ▫ This session, tell your friends
  ▫ Social Engineering Tests
    – Call the helpdesk, can you obtain someone else's password reset?
    – Fake email campaign (with immediate re-education)

Page 33: What can we do about it?

• End user education
  ▫ IT Department notices; will never request passwords or other personal information via e-mail.
  ▫ Should not include a link to the “IT site” for more info – Reinforcing bad behavior

Page 34: What can we do about it?

• End user education
  ▫ Social Engineering Tests
    – First - educate employees (people are emotional, computers are not)
    – Second – test
    – Immediate feedback on what they did wrong and how to prevent the behavior in the future

Page 35: What can we do about it?

• End user education
  ▫ Be wary of emails with links or language errors
  ▫ Don’t give in to pressure to provide info

Page 36: What can we do about it?

• End user education
  ▫ Don’t open LinkedIn invites via email
  ▫ During benefits annual enrollment periods
  ▫ Shipping notices during the holidays
  ▫ IRS tax refund by April 15th

Page 37: What can we do about it?

• End user education

Page 38: What can we do about it?

• End user education

Page 39: What can we do about it?

• Perimeter security
  ▫ Advanced firewall protection
  ▫ Unified Threat Management (UTM)

Page 40: What can we do about it?

• Desktop security
  ▫ Keep operating systems and browsers patched
  ▫ Anti-Virus / Anti-Malware up to date and running
  ▫ Data Loss Prevention (DLP) tools

Page 41: What can we do about it?

Page 42: Conclusion

• We make it easy for fraud to happen
  ▫ Educate yourself
  ▫ Trust, but verify
  ▫ PLEASE, don’t click on links in email
  ▫ Know who to call when you suspect an issue

Page 43: Our Staff

Page 44: Michael Hammond – IT Audit & Security Director

Michael is the Director of IT Audit & Security at O’Connor & Drew. With over 20 years in various strategic and administrative IT positions, including 15 years designing and implementing security architecture and security controls, Michael is widely considered a foremost expert in IT security. Michael has traveled extensively as a frequent speaker on trending security topics. In addition to speaking on audit and security, Michael has performed audits and assessments on five continents spanning more than 12 regulatory authorities.

Certifications and designations:
• Certified Information Systems Auditor (CISA)
• Certified in Risk and Information Systems Control (CRISC)
• Certified Information Systems Security Professional (CISSP)
• Certified Ethical Hacker (C|EH)
• Michael is a member of InfraGard association, a joint partnership between the FBI and private sector.

Page 45: Nick DeLena – Senior Manager, IT Audit

Nick is the lead Senior IT Audit Manager at O’Connor & Drew. He works in concert with internal senior management to scope and budget engagements. He provides oversight and training to existing staff. Nick’s prior engagements include SOX compliance, SAS70, and FFIEC compliance. In addition to Nick’s 5 years of audit and advisory experience, he also has 12 years in various IT operations and analyst positions.

Certifications and designations:
• Masters in Business Administration (MBA), Brown University
• Certified Information Systems Auditor (CISA)
• Certified in Risk and Information Systems Control (CRISC)
• CompTIA Security+
• ITIL v3 Foundations Certification (ITILv3F)
• Nick is a member of InfraGard association, a joint partnership between the FBI and private sector.

Page 46: George Calapai – IT Auditor

George is a staff auditor with O’Connor & Drew. Prior to joining the firm, George was a senior IT management consultant and technical services lead for a number of medical startups. Currently, George performs IT audit control testing for O’Connor & Drew clients.

Recent work includes:
• IT Risk and control assessments
• Database account administration audits
• Routing, firewall, wireless and IDS/IPS
• VMware

Page 47: Michael Huffman – IT Auditor

Michael is a recent MBA graduate of UMass Dartmouth, with a degree in Supply Chain Management and Information Technology. Michael has assisted on several IT general controls reviews and vulnerability assessments for auto dealers.

Page 48: O’Connor & Drew P.C.

Email: [email protected]
LinkedIn: www.linkedin.com/in/nickdelena
Twitter: @ocdcpa