The Threat Within - Association of Financial Mutuals

The Threat Within
Nick Harwood
Royal London Group
A group of specialist companies where the bottom line is always financial sense.
Introduction
•People
•Greatest Asset?
•Greatest Threat?
•Examples of what can go wrong – highly visible
•External threats and internal threats
•Experience of investigations
•Lessons we can learn
•Questions
Do you know people?
•Who are you sat next to?
•Do we really know anybody?
•How well do you know your employees?
•What secrets have you got?
•What about the person next to you?
Current situation
•Cost reduction
•Downsizing
•Delayering
•Streamlining
•Remote operations
•Outsourcing
•Contractors
Protection
•We need to protect staff from
•SPAM
•Porn
•Stress
•Overwork
•Becoming victim of crime
•We need to protect organisation from
•External Threats
•Internal Threats
Paranoia?
Recent cases you will have seen
•ICO has greater powers and can fine up to £500k
•FSA adopting “direct and intrusive” approach
It will never happen to me…
The Reality
•Zurich failed due to lack of oversight of outsourcer
•HMRC failed due to system control failure
•Nationwide failed as there was no need for the data
•HSBC failed due to wide disregard for controls
•All a lack of systems and control
•All delayed taking action
This can happen to anyone
And these were accidents…
•How do you prevent accidents?
•Awareness
•Training
•Policy
•Security Controls
•Restrict access vs Allow people to do the job
Deliberate Acts
•How do you get data out of the organisation?
•Memory stick
•Email
•CD/DVD
•Print
•Data transfer
•Remote Access
•Post it
•Handbag
•Memorise the information
You can’t stop it, only minimise the impact
Risk
•We never really know people that well
•If you don’t know people
•You don’t know what they are doing
•You don’t know what they are capable of
•You can’t stop them making mistakes
•You can’t stop deliberate acts
•Yet you are responsible!
Armed Robbery
•Highly visible
•Many witnesses
•Vivid activity to remember
•Dangerous
•High chance of detection
•Special teams to contend with threat
•Long prison sentences
White-collar crime
•Less visible
•No witnesses
•Victimless
•No-one gets hurt
•Low detection rate
•Minimal sentencing
•How much of a problem is it?
The Respected Employee
•Senior office manager
•Company man with long service
•Rarely off work
•Authorised payment
•Had documentation returned to him
•Kept in desk drawer
•Made unauthorised payments to mother over several years
The Ex-Employee
•Highly qualified accountant
•Worked at benefit office for six months
•Learned about checks and verifications
•Created many false identities
•Made fraudulent benefit claims
•Invested money
•New property to support more frauds
The Planted Employees
•College student
•Used classic “terrorist cell” approach
•Widespread organised fraud
•Employed professional people
•To work as cleaners and security guards
•Access to buildings out of hours
•They gathered “useful” documents
•Used these to support other frauds
Revenge attack
•Major foreign investment into UK
•Made employee “redundant”
•New system administrator starts
•Company unable to access systems
•Identified ex-employee had
•Installed modem on system
•Dialled in
•Changed system level privileges
Industrial Espionage
•Many examples exist
•Organisations and foreign powers
•Individuals and competitors
•Can you protect?
•Procedures in place?
•Mistake or not?
•A costly error
Model Employee
•Trusted to clear backlog on overtime
•Does a good job
•Identifies that he could do more…
•… if only his manager worked Saturdays
•Reset manager’s password
•Found it was set to default
•Did the same for more than 100 others
Major organised crime
•Attempt to defraud banking systems
•The early days
•Tried armed robbery
•Successful small scale fraud
•Thinking big
•Prove they can do it
•Need support and money to set up
Major organised crime (2)
•Need help from other organisations
•A Bank?
•A Telco?
•Technicians?
•The Prison Service
•A car hire firm?
•Some muscle
•A Distribution channel?
Major organised crime (3)
•At the time of arrest
•100,000 white cards
•8,000 with bank account details
•Information to create more on computer
•Seven principal organisers pleaded guilty
•Many “insiders” arrested
•Various motives
Crime
•Cost of crime?
•Cost of security breach?
•$3.4m average cost per incident
•$142 per customer
•35% involved outsourcers/third parties
•36% were hacks
•The crime iceberg…
Summary of these cases
•Insider knowledge essential
•Trusted positions
•No previous convictions
•Long service
•No classic motive for fraud/deception
External Threats
•Just one case to highlight
•Three men aged 17 to 25
•Never met
•Never spoke
•Conspired to hack systems world-wide
•Why?
•Only wanted to see where they could go
•Egos
•Competition
External Threats (2)
•Sought help from each other
•Destroyed cancer research database
•Put charity out of business
•How?
•The 17 year old
•In trouble with mother over ‘phone bill
•Modem confiscated
•Banned from using telephone
•So how did he do it?
External Threats (3)
•Burgled Grandmother’s house
•Retrieved modem
•Stole wooden desk from school
•Hid modem
•Hid telephone cable in desk leg
•Connected cable to telephone line
•Telephone line protected by PIN
•Itemised billing would catch him out
•Tape recorder used to capture tones
•Program written to decode PIN
External Threats (4)
•PIN used to access telephone service
•Found freephone numbers to dial
•Identified flaw in some countries
•Routed calls back to UK
•Hacked into University network
•Used University network to hack
•Met up with fellow conspirators
•Continued to hack
•Finally met co-conspirators after arrest
•Motive
Lessons Learned
•Segregation of duties
•Prevention
•Ability to recover from an accident
•Auditing
•Alerting
•Identification
•Apprehension
•Only as good as your last backup
•Where is it? Who has access to it?
Lessons Learned (2)
•Data ransom
•Take a copy out of cycle as baseline
•Can you restore?
•Have you tested?
•Is it documented?
•Standards for system installation
•Remove defaults
•Root/root
•System/system
•Admin/admin
Lessons Learned (3)
•Remove backdoors
•Segregate developers from production
•Favourite passwords
•Password
•Sex
•Death
•Fred
•m0dem5
•These are known and hackers use them
•Manage unused accounts – CEO?
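As an added example (not part of the talk), the two "Lessons Learned" slides above can be turned into a small account audit: it checks constructed, hashed account records against the default credentials (root/root, system/system, admin/admin) and the favourite passwords listed on the slides, and reports accounts that are dormant or have never been used. The record format, the salted SHA-256 storage scheme and the sample data are assumptions made for the example.

```python
import hashlib
from datetime import date, timedelta

# Default credentials and "favourite" passwords named on the slides.
DEFAULT_USERS = ["root", "system", "admin"]
FAVOURITE_PASSWORDS = ["Password", "Sex", "Death", "Fred", "m0dem5"]

def hash_pw(salt: str, password: str) -> str:
    # Constructed scheme for this example (salted SHA-256); real systems use bcrypt/scrypt/Argon2.
    return hashlib.sha256((salt + password).encode()).hexdigest()

def candidate_passwords(username: str) -> dict:
    """Guess -> category; each word tried as written, lower-cased and capitalised."""
    guesses = {}
    for word in [username] + DEFAULT_USERS + FAVOURITE_PASSWORDS:
        for variant in (word, word.lower(), word.capitalize()):
            kind = ("default credential" if variant.lower() == username.lower()
                    else "known weak password")
            guesses.setdefault(variant, kind)
    return guesses

def audit_account(acct: dict, today: date, dormant_days: int = 90) -> list:
    """Findings for one constructed record: {username, salt, pw_hash, last_login}."""
    findings = []
    for guess, kind in candidate_passwords(acct["username"]).items():
        if hash_pw(acct["salt"], guess) == acct["pw_hash"]:
            findings.append(kind)
            break
    if acct["last_login"] is None:
        findings.append("never used")  # e.g. an account created for the CEO
    elif today - acct["last_login"] > timedelta(days=dormant_days):
        findings.append("dormant")
    return findings

def audit(accounts: list, today: date) -> dict:
    """Username -> findings, for accounts with at least one finding."""
    return {a["username"]: f for a in accounts if (f := audit_account(a, today))}

# Constructed sample records; passwords are stored hashed, as on a real system.
TODAY = date(2024, 6, 1)
SAMPLE = [
    {"username": "root", "salt": "a1", "pw_hash": hash_pw("a1", "root"), "last_login": date(2024, 5, 30)},
    {"username": "jsmith", "salt": "b2", "pw_hash": hash_pw("b2", "m0dem5"), "last_login": date(2024, 5, 28)},
    {"username": "ceo", "salt": "c3", "pw_hash": hash_pw("c3", "Xk9#vL2!pQ"), "last_login": None},
    {"username": "mpatel", "salt": "d4", "pw_hash": hash_pw("d4", "Tq7$wE4&zR"), "last_login": date(2024, 1, 10)},
]

if __name__ == "__main__":
    for user, found in audit(SAMPLE, TODAY).items():
        print(f"{user}: {', '.join(found)}")
```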
Lessons Learned (4)
•Control remote access
•Methods
•Who has access?
•To what?
•When?
•Employees?
•People you do not know?
•System weaknesses and vulnerabilities
•Countermeasures
•On-going process to patch systems
Lessons Learned (5)
•Business process weaknesses
•People
•Social engineering
•Downsizing/outsourcing/change
•Morale may be low
•Risk increases
•Delayering reduces checking
•Controlling from a distance
•Many transactions can hide fraud
•People know the loopholes and limits
Summary of Lessons Learned
Most breaches are accidental – what are the key steps to take to prevent accidents?
•Identify risk
•Look at controls and countermeasures
•Test them
•Report on them
•Improve on them where needed
•Prevent, detect, recover
•Escalation
•Reporting
I promised no statistics but…
•80% of crime is by insiders
•20% by external parties
•80% of crime is unnoticed
•Less than 1% hits the press
Summary
•Internal crime
•External threats
•Minimising the risk
•Lessons learned
Thank you very much
Any questions?