It’s always interesting reading about larger-scale fraud like this one recently with the Bank of Queensland. You wonder in cases like this, had the accused pulled the pin earlier, would he ever have been caught? You wonder how many do get away with it by stopping before the obvious alarm bells start to ring.

There’s no generic fraud detection solution or strategy to critique, as each organisation addresses its own internal security and risk management practices differently, but there is a scary pattern of misguided thought regarding securing systems and actually defending against, and detecting, fraud. It’s “security” by definition, but are many blinkered as to what the full definition of “security” encompasses? I think so.

Many in the security industry are focussed to the point of obsession only on vulnerabilities and technical attack vectors (new attack type X, new attack type Y: generally old stuff re-invented in different ways but promoted as the next big thing by many in the industry). It’s a narrowly focused view that stops at the technical exploit. That’s not where the role of a security professional should stop. Read on:

If it stopped there, we’d never be able to stop a lot of breaches, frauds and “non-policy” behaviour. (Gees… we’re not now, are we, in a lot of cases?) But many in our industry behave as if, and promote, the “technical” side as the be-all and end-all, and then just want to sell you things that may (but generally don’t) stop the “technical” side of things.

Have a think about that…..seriously……What a load of BS!

I keep re-linking to this one about Application Security Reviews. I do it for a reason. If you have read through that post and the link(s) in it, you’ll know what I am talking about. I won’t repeat what I have discussed in the links; have a read again. We’re not going to stop fraud and malicious activity with that narrowly focused view of what “Application Security”, and “Security” in general, is. It just makes no sense.

“Systems” view vs “Application” view: a holistic view and strategy is key.

Let’s look at “Application Security”. You can vulnerability test, penetration test, security test, run app scanners, whatever you want to call it, but does that give you a decent level of confidence that you know where your issues may lie when it comes to preventing fraud and protecting your business? Will fixing the problems identified by these types of testing make your organisation more secure? Yes, to a small degree. BUT what is “security” trying to protect you against? You’ve done this type of testing, but what about:

- Security Architecture: System Development, System Management
- User Administration and Review: Logical Access, Access Controls, Access Review, Segregation of Duties
- Application Administration and Usage: System Maintenance
- System Security: Network Security, Integrity, Confidentiality, Availability, Non-Repudiation, Physical Security, Third Party and External Connections
- Security Logging and Monitoring: Audit Logs, Monitoring
- System Maintenance and Support: System Access, Change Control
- Handling and Storage of Information and BCP: Backup and Storage, Business Continuity Planning, Destruction of Data
- Legal and Regulatory
- Exceptions to Policies and Standards: Non-compliance Scenarios

If you’re not covering these areas as a minimum as part of your application/systems security reviews, you’ll fail, and you’ll always be wide open to fraud and business risk.

I question some people’s credentials as “Application Security Experts” when all they can talk about is technical vulnerabilities and attack vectors. That just makes you a coding-problem expert with good hacking skills for breaking code, not an “Application Security Expert”. If you want to be an expert in application security, you need to understand a little more, and maybe fraud like that mentioned at the start of this post could be averted in more cases. Not sorry if that upsets some “Experts”.

Applications/systems that cannot be hacked into, because they have been penetration tested and the problems fixed, and are protected by FWs, IDS/IPS and WAFs, are still easy game if you haven’t really looked at the “security” of the applications/systems: those technical controls say nothing about what authorised users and surrounding processes are allowed to do with them.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



  1. Hey

    As usual, we pretty much agree. I interpret the term ‘Application Security Expert/Specialist’ to mean they know about SDLC, secure coding practices, some level of offense capability (usually) and perhaps some compliance insight. That’s it.

    The real meat is served when the IT security team work closely with the resident fraud team. The mutual benefits are enormous. Tends to feed into other areas too – particularly incident response/investigations. Very complementary.

    There are some pretty important items I would emphasise more that directly relate to the application security process and fraud:
    - analysis of the business process itself…specifically how assets are valued/proved to exist…and how the system can help (rather than hinder) getting visibility when this isn’t happening properly
    - the need for ‘know your customer’, plugging into reputation databases, credit agencies
    - with the business push for fast ‘time to yes’ decisions (to help customers faster), analysis and definition of confidence levels around application/submitted data (typically combinations that throw the app into different buckets)
    - the need for and efficacy of traditional real-time transaction analytics to identify potentially fraudulent applications (say, for credit) and suspect transactions
    - application controls around floor limits and their modification (mix of prevention and visibility)
    - gaining of supervisor level controls (particularly with call center workers that shoulder surf)

    Hope this helps,

    Craig
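
The segregation-of-duties and floor-limit controls Craig lists above, run as checks over transaction records, as an added example that is not part of the post or the comments. The record layout, field names and sample transactions are constructed for illustration; a real system's audit log would have its own schema.

```python
from dataclasses import dataclass
from collections import defaultdict


# Constructed sample transaction records. Field names are hypothetical.
@dataclass(frozen=True)
class Txn:
    txn_id: str
    created_by: str             # operator who keyed the transaction
    approved_by: str            # supervisor who released it
    amount_cents: int
    approver_limit_cents: int   # floor limit in force for the approver


SAMPLE_TXNS = [
    Txn("T1", "alice", "bob", 50_000, 100_000),
    Txn("T2", "carol", "carol", 20_000, 100_000),   # keyed and approved by one person
    Txn("T3", "alice", "bob", 250_000, 100_000),    # released above the approver's limit
    Txn("T4", "dave", "erin", 99_999, 100_000),     # three releases just under the limit
    Txn("T5", "dave", "erin", 99_998, 100_000),
    Txn("T6", "dave", "erin", 99_990, 100_000),
    Txn("T7", "frank", "gina", 10_000, 100_000),
]


def sod_violations(txns):
    """Segregation of duties: nobody may approve what they created."""
    return [t.txn_id for t in txns if t.created_by == t.approved_by]


def limit_violations(txns):
    """Floor limit: an approver may not release more than their limit."""
    return [t.txn_id for t in txns if t.amount_cents > t.approver_limit_cents]


def near_limit_clusters(txns, fraction=0.95, min_count=3):
    """Structuring: the same operator/approver pair repeatedly releasing
    amounts just under the limit, a pattern no single-transaction check sees.
    Returns {(creator, approver): [txn ids]} for pairs at or above min_count."""
    by_pair = defaultdict(list)
    for t in txns:
        if t.approver_limit_cents * fraction <= t.amount_cents <= t.approver_limit_cents:
            by_pair[(t.created_by, t.approved_by)].append(t.txn_id)
    return {pair: ids for pair, ids in by_pair.items() if len(ids) >= min_count}


def review_report(txns):
    """All three checks over one set of records, for a reviewer to work through."""
    return {
        "sod": sod_violations(txns),
        "over_limit": limit_violations(txns),
        "near_limit_clusters": near_limit_clusters(txns),
    }


if __name__ == "__main__":
    for name, hits in review_report(SAMPLE_TXNS).items():
        print(f"{name}: {hits}")
```

The first two checks are the ones an application usually enforces at the point of approval; the third only exists if someone looks across transactions and time, which is exactly the kind of process-level visibility Craig is asking for. The 95% band and the count of three are arbitrary thresholds for the demo and would be tuned against real volumes.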

  2. Steve Atcheson says:

    Good points. Your comments are pretty much what good auditors should look at when talking about application security. Not just understanding the technical controls but understanding the process. Security is about protecting an organisation from inappropriate use, right, whether that is external or internal users. For example, a banking application which processes cheques may be secure such that data cannot be tampered with whilst being “processed”, but what if the data can be altered prior to or post this process, such as by changing the “text” file which provides input to the cheque processing process, as it is stored in an open share etc.

    In addition to what Craig pointed out, the “security expert” needs to look at the whole process and identify any weaknesses, whether it be segregation of duties, key man, weaknesses in the storage of backup media such as the IT manager’s house, servers stored in a common room with photocopiers etc. with poor physical controls.

    Cheers
    Steve
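
Steve's cheque-file scenario above, as an added example that is not part of the post or the comments: the writing system tags the batch file with an HMAC, and the processing job refuses any file whose tag no longer verifies, so an edit made on the share between the two steps is caught rather than processed. The CSV layout, the demo key and the sample batch are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample cheque batch as the upstream system might write it to a
# share for the processing job. The CSV layout is hypothetical.
ORIGINAL_BATCH = (
    b"seq,account,payee,amount_cents\n"
    b"1,10023456,ACME Supplies,125000\n"
    b"2,10078901,J Smith,4999\n"
)

# Writer and processor share this key out of band; it must never sit on the
# same share as the files it protects. Fixed value here for the demo only.
DEMO_KEY = b"\x42" * 32


def tag_batch(batch: bytes, key: bytes) -> str:
    """Writer side: produce an HMAC-SHA256 tag to accompany the batch file."""
    return hmac.new(key, batch, hashlib.sha256).hexdigest()


def verify_batch(batch: bytes, expected_tag: str, key: bytes) -> bool:
    """Processor side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag_batch(batch, key), expected_tag)


def parse_batch(batch: bytes) -> list:
    """Turn the CSV body into records; only called after verification."""
    rows = []
    for line in batch.decode("utf-8").splitlines()[1:]:
        seq, account, payee, amount = line.split(",")
        rows.append({"seq": int(seq), "account": account,
                     "payee": payee, "amount_cents": int(amount)})
    return rows


def process_batch(batch: bytes, expected_tag: str, key: bytes) -> list:
    """Refuse to touch a batch whose tag does not verify."""
    if not verify_batch(batch, expected_tag, key):
        raise ValueError("cheque batch failed integrity check; not processed")
    return parse_batch(batch)


def tampered_copy(batch: bytes) -> bytes:
    """What someone with write access to the share could do to the file
    between the writer and the processor: inflate one cheque amount."""
    return batch.replace(b"J Smith,4999", b"J Smith,499900")


if __name__ == "__main__":
    tag = tag_batch(ORIGINAL_BATCH, DEMO_KEY)
    print(process_batch(ORIGINAL_BATCH, tag, DEMO_KEY))
    try:
        process_batch(tampered_copy(ORIGINAL_BATCH), tag, DEMO_KEY)
    except ValueError as err:
        print("rejected:", err)
```

The tag has to reach the processor by a path the share-writer cannot reach (a separate store, or a signature made with a key only the writer holds), otherwise the attacker simply re-tags the edited file. And this only protects the handoff: a well-formed batch that is fraudulent at source verifies perfectly, which is why the post argues the review has to cover the process around the application and not just the application.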

  3. Yep says:

    Amen.

  4. Big Galoot says:

    Ya really gots to wonder about the tea-room discussions at EDS during that time.

    EDS workmate: “Hey Reescon, what’d you get up to on your holidays?”

    Reescon: “Oh, not much. Stayed at a 7 star resort in Dubai, bought a $100K BMW, bought a semi-trailer load of the finest French Champagne, showered my partner in $300k worth of jewellery. Other than that, not much at all, really.”

  5. Drazen Drazic says:

    Craig, fully agree. A much larger scope of analysis is required to get the better picture from a risk/security perspective. Awareness at all levels and understanding of the real time/effort required to perform appropriate analysis is key. The disconnect is clear in so many cases we have been involved in, and this seems to be the norm rather than the exception. Secondary fraud detection mechanisms used as the backstop, so to speak, tend to work better than those controls for monitoring in the primary systems. While success is perceived, how successful is this really and, as questioned, how much slips through the cracks unaccounted? (Landing in the “write-off” bin? Providing a level of confidence to fraudsters that they won’t get caught.) Gees, I could go on. :)

    Steve, as per comments to Craig. Totally agreed. No holistic view means holes in security and risk management processes. Don’t get me started on Risk Management. :) Amazes me that so many RM departments exist and have for years yet so few have a decent environmental awareness of what exists in their business. It’s RM basics/101 yet these groups fail at the first part! What is it they do you have to ask seriously?

    BG, you have to wonder?! I suppose these will have been factors that led to his downfall.

    DD

  6. Bily D says:

    This is the ultimate post on application security ever! Deal done!