Fraud and cybercrime in the cybersphere and new economy have become focal points in the context of contemporary information security. This is due in part to technological developments and the increasing dependence of organizations on IT, and also to intensified networking and digitalization. This state of affairs contributes to the fact that we face a marked increase in security incidents, criminal activity, modern and more sophisticated attacks, and more systematic and successful methods of attack.

An examination of recent incidents

Today’s attacks – more targeted and individually tailored to their victims – are planned well in advance and carried out in a strategic, organized way. They represent a constant and ubiquitous threat: this customized computer crime – which flourishes as a commodity in the context of professional, organized services, such as _Attack as a Service_– operates on a constant and uninterrupted basis.

The organizations concerned are faced with a daunting challenge and have only limited options in terms of prevention against such attacks (if only due to time constraints, as the application of security patches is often neglected and takes too long). An appropriate and effective system of security measures and checks can enable these organizations to protect themselves from known, potential and probable attacks.

This means that detective and reactive forms of security should gain in importance. They enable companies to react quickly and effectively in the event of an attack and to dampen, mitigate or entirely avoid the damage that would otherwise result to their business.

The most recent incident involving WannaCry also conformed to the above-mentioned profile. An article in NZZ am Sonntag on May 21, 2017 details the following information:

A second wave of cyber-attacks: In the shadow of the ransomware WannaCry, criminals have infected hundreds of thousands of computers with a discreet but significantly more lucrative bug: Adylkuzz. Although the ransomware WannaCry has gained headlines worldwide, a second computer worm has been spreading nearly unnoticed: Adylkuzz. “This attack is more dangerous than WannaCry because it runs in the background, and many victims don’t realize they have been infected.” It has therefore attracted much less attention than WannaCry.

However, there is a parallel story. While the whole world talks about WannaCry, another worm has been quietly spreading using the same methods: Adylkuzz. This parasite operates discreetly and makes no demands of its host. Instead, it appropriates their computing power to create a different kind of cryptocurrency called Monero.

Internal threats as drivers

It should not be forgotten that companies – in the context of fraud, cybercrime and economic crime – are vulnerable not only to external threats in the form of hacking, DDoS, malware, ransomware, e-fraud, etc., but also to the internal threat posed by their employees who are willing to commit economically criminal acts. Changes in values, increasing individualization of employees, declining company loyalty in the face of ever-more demanding employers, complex and specialized products, and complicit networks are all factors that make internal criminality and the urge for personal enrichment more compelling.

Of course, the term “employees” should also be understood to include management, in particular because they are so often the ones guilty of internal fraud. See also: NZZ and KPMG Forensic Fraud Barometer for the last year:

Not surprisingly, when it comes to economic crime, those in leadership roles represent the greatest danger due to their position and freedom to act within the company: in 58% of all cases, management employees were solely responsible for the criminal acts in question; in a further 21% of all cases, management employees were jointly culpable with their subordinates.

In an attempt to explain the increasing incidence of fraud, one could also consider the cybersphere as an additional source of motivation (source: selected excerpts from an interview with the well-known philosopher Peter Sloterdijk in Tagesanzeiger):

These days, personal comparisons on the internet (cf. Facebook, Twitter, Instagram, Snapchat, etc.) have become more virulent when compared directly with the more privileged, and since the internet breaks down any social immunity, those who are less well-off are often consumed by an urge to compete with the better-off. The range of opportunities for advancement may have expanded significantly in modern times, but that is precisely why so many people in today’s society feel as if they are losing out: if there are countless chances, but one has not been able to take them, then this perception of marginalization is magnified (and the motivation to defraud may be greater).

The global financial services sector seems to be particularly affected by internal employee crime. Internal fraud and the corresponding compliance regulations and standards have once again become the subject of heated debate and reinforcement, above all in the heavily regulated financial services sector.

The rules to protect company value – in the context of economic and cyber-criminality, corruption, etc – have multiplied in the last few years, and the trend shows no signs of stopping. At the same time, prosecution and liability are being pursued on a transnational scope, as one can now systematically scrutinize the internal digital lives of organizations and companies.

Recognition without resolve

It has been generally observed that while security is widely valued in a broad array of life’s settings, the available means to ensure that security are often neglected. This is particularly true if one has no experience of the potential risks; the prevention is tied to a certain amount of effort in the form of money, time or a change in habitual behavior. This is recognizable in enterprises that deal with the reality of such threats only when they are actually confronted with novel forms of fraud, even though they may have been warned that the company was vulnerable to such threats.

• Due to the economic pressure to constantly adapt, changes to a company’s organization [are part of] everyday business (mergers and acquisitions, restructuring, staff reductions, etc). This can lead to weaknesses in existing security provisions that are then systematically exploited by fraudsters.
• Companies may indeed recognize potential problems posed by fraud, but are often unaware of the complexity and variety of fraud risk to which their organization is exposed. The missing factor is often an assessment of the suitability of existing countermeasures and an evaluation of the company’s actual exposure to risk.
• Insufficient preventative measures also facilitate the commission of fraud. A paucity of deductive, retroactive detection measures (logging, monitoring, SIEM, etc.) can mean internal fraud is discovered only after the fact, if at all.
• There is often a lack of employee knowledge on the proper course of action on suspicion or discovery of fraud. Employees may fail to report or properly react to potential or actual instances of fraud from fear or lack of knowledge. Benjamin Franklin once said: “An ounce of prevention is worth a pound of cure.” This axiom is particularly true in the case of information security. Simply put, it is better to prevent attacks than to have to deal with the consequences.

At what point does an act become a crime?

Due to growing digitalization and automation, criminals have increasingly shifted their focus to IT systems. Vulnerabilities in internal countermeasures are open to abuse by internal or external attackers, often resulting in the theft of significant quantities of data or otherwise used for unauthorized purposes. In addition to the term computer criminality, cybercrime has gained a great deal of significance. The distinction between the two lies in the fact that cyber criminality is seen as criminal activity carried out explicitly with the aid of the internet.

Criteria for the criminality of cyber-activity:

• Prosecutorial relevance
• Resultant damage to the company
• Premeditated acts on the part of employees, legal representatives, members of oversight bodies or third parties (in cases of internal fraud)

In such cases, it is normally assumed that the act results in an unfair or illegal advantage to the perpetrators.

The role of IT and InfoSec

The original – and still important – duty of the information security representative is their deployment in cases of internal inquiries, inspections, audits, investigations, etc.

The Federal Office of Security in Information Technology (BSI) indicates that a cybercrime investigation – as a responsibility of information security – should consist of:

Methodical data analysis on data carriers and in computer networks for the clarification of suspicion or actual discovery of fraudulent behavior.

In the context of data mining, data matching, data analysis, environment analysis and analysis of internal countermeasures, the following information should be obtained:

• Description of the time and place of the commission of fraud
• Concrete description of the type of incident
• Analysis of countermeasures and vulnerabilities
• Information about those involved in the incident; identification of perpetrators
• Investigation of the extent of damage (value, magnitude) and potential secondary damage

The role of the InfoSec representative:

• Information acquisition: gather relevant information
• Information analysis: analyze and evaluate information
• Provision of results: provide results and evidence to investigators and/or auditors
• Processing: process information for target groups so that those involved in inspection and investigation can understand and internalize the data

Further responsibilities:

• Performance of various internal interviews
• Securing of legally admissible evidence (time stamps, encryption, authorized signatures, etc.)
• Securing of digital evidence (emails, hard drives, USB sticks, cloud storage, etc.)
• Analysis and description of processes
• Determination of the extent of damage for the purpose of indemnification
• Collaboration in the reporting process

Although cyber criminality is largely the domain of international, geographically decentralized organizations, the costliest known attacks have often involved insiders, as well.

The contribution of internal employees to such attacks typically include:

• Localization of assets (asset tracing)
• Analysis of cash flow (follow the money)
• Transaction reconstruction
• Disclosure of insider information

Possible starting points

In order to combat fraud and cybercrime in all its forms, a procedural structure is required. This structure can be divided into the three classical areas of fraud defense: prevention, detection and reaction.

Such activities can often be integrated into existing organizational structures (InfoSec and compliance management are the obvious choices). Existing interfaces can be used to generate synergies. Prerequisites for such integration include:

• Willingness to make resources available for the organization’s anti-fraud and anti-cybercrime efforts
• Development and formation of rules, guidelines and work instructions
• Implementation of monitoring
• Planning and execution of risk analysis, including concrete scenarios
• Implementation of training courses

The following topics should be addressed within the three classical areas of fraud mitigation:

• Impediment and prevention: Ensuring the best possible avoidance of concrete risk scenarios necessitates the implementation of rule systems (e.g. anti-fraud guidelines, codes of conduct, addressing conflicts of interest and gratuities, training, employee reliability tests, due diligence and danger/risk analyses).
• Discovery and detection: With the help of predefined threshold values, the following can be used to shorten the duration of opportunities for fraud: Monitoring procedures and tools, whistle-blower systems and danger/risk analyses.
• Processing: Instances that exceed a predefined threshold value must be processed and sanctioned. This step also includes regularly executed assessment of cybercrime and fraud risk in order to improve the appropriate response: Communication plans (internal and external), emergency plans, incentive programs, sanctioning systems, lessons learned processes and reporting.

Conclusion

In order to ensure the best protection against fraud and cybercrime, special attention should be paid to the following:

• Consistent use of data analytics, monitoring, interface and key system logging, and full control of data analysis within all the relevant divisions.
• Planning and implementation of scenario-based, interactive sessions in order to assess fraud risk in the context of the sector and company. Risks must be identified and quantified as specifically as possible, and management must be informed of the risks posed to the organization and trained in the appropriate countermeasures.
• Establishment of key controls in crucial business divisions with preventative and deductive measures in place, including continuous monitoring of effectiveness. Further, automated technical solutions should also be implemented for support: Automated evaluation tools are increasingly significant for prevention, detection and reaction (particularly in light of climbing rates of computer and cyber criminality). This is the case not least because of their efficiency (big data), versatility and potential to lower the costs of forensic or deductive analysis, which otherwise would have to be carried out manually and laboriously by specialists.
• Formation of coordinated and targeted strategies, systems, guidelines, procedures and processes for active defense against fraud.
• General awareness of and concrete training programs on fraud at all levels (administration, management, audit committees, executive board, employees and other key staff).

About the Author

Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.

Links

• http://www.tagesanzeiger.ch/ausland/europa/merkel-ging-einen-teufelspakt-ein/story/16212849
• https://home.kpmg.com/ch/de/home/medien/press-releases/2017/02/kpmg-forensic-fraud-barometer.html
• https://nzzas.nzz.ch/notizen/adylkuzz-dieser-neue-cyber-parasit-will-mit-unseren-computern-geld-scheffeln-ld.1295250
• https://www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/Dienstleistungen/IT-Forensik/forensik_node.html
• https://www.nzz.ch/wirtschaft/57-faelle-in-der-schweiz-vor-gericht-milliardenschaeden-durch-wirtschaftskriminalitaet-ld.147039