It’s always interesting reading about larger scale fraud like this one recently with the Bank of Queensland. You wonder in cases like this, had the accused pulled the pin earlier, would he ever have gotten caught? You wonder how many do get away with it – stopping before obvious alarm bells start to ring?
There’s no generic solution/strategy for fraud detection to critique, as each organisation addresses its own internal security and risk management practices differently, but there is a scary pattern of misguided thought in regard to securing systems and actually defending against, and detecting, fraud. It’s “security” by definition, but are many blinkered as to what the full definition of “security” encompasses? I think so.
Many in the security industry are focused to the point of obsession on only vulnerabilities and technical attack vectors (new attack type X, new attack type Y – generally old stuff re-invented in different ways but promoted as the next big thing by many in the industry). It’s such a narrowly focused view that stops at the technical exploit. That’s not where the role of a security professional should stop. Read on:
If it stopped there, we’d never be able to stop a lot of breaches, frauds and “non-policy” behaviour. (Geez... we’re not now, are we, in a lot of cases?) But many in our industry behave as if, and promote, the “technical” side is the be-all and end-all, and then just want to sell you things that may (but generally don’t) stop the “technical” side of things.
Have a think about that... seriously... What a load of BS!
I keep re-linking to this one about Application Security Reviews. I do it for a reason. If you have read through this post and the link(s) in it, you’ll know what I am talking about. I won’t go on about what I have discussed in the links. Have a read again. We’re not going to stop fraud and malicious activity with that narrowly focused view of what “Application Security” and “Security” in general are. It just makes no sense.
“Systems” view vs “Application view” – holistic view and strategy is key.
Let’s look at “Application Security”. You can vulnerability test, penetration test, security test, run app scanners... whatever you want to call it... but does that give you a decent level of confidence that you know where your issues may lie, to prevent fraud and protect your business? Will fixing the problems identified by these types of testing make your organisation more secure? Yeah? Well, to a small degree. BUT what is “security” trying to protect you against? You’ve done this type of testing, but what about:
- Security Architecture; System Development, System Management
- User Administration and Review; Logical Access, Access Controls, Access Review, Segregation of Duties
- Application Administration and Usage; System Maintenance
- System Security; Network Security, Integrity, Confidentiality, Availability, Non-Repudiation, Physical Security, Third Party and External Connections
- Security Logging and Monitoring; Audit Logs, Monitoring
- System Maintenance and Support; System Access, Change Control
- Handling and Storage of Information and BCP; Backup and Storage, Business Continuity Planning, Destruction of Data
- Legal and Regulatory
- Exception to Policies and Standards; Non-compliance Scenarios
If you’re not doing these things as a minimum as part of your application/systems security reviews, you’ll fail and always be wide open to fraud and business risks.
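As an added illustration (not from the original post) of what the “Segregation of Duties”, “Access Review” and “Audit Logs” items above look like in practice, here is a small Python script that runs three such checks over a constructed payment audit trail; the log format, the user names and the approver role list are assumptions made for the example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed audit log for illustration (not from the post): one row per
# action on a payment transaction, as written by the application's audit trail.
AUDIT_LOG = """\
ts,user,action,txn,amount
2024-03-01T09:00,alice,create,T100,4800
2024-03-01T09:05,bob,approve,T100,4800
2024-03-01T09:10,carol,create,T101,4900
2024-03-01T09:11,carol,approve,T101,4900
2024-03-01T09:20,dave,create,T102,4950
2024-03-01T09:21,erin,approve,T102,4950
"""

# Assumed role assignment exported from the access-control system: the set of
# users who are *supposed* to hold the approver role.
APPROVERS = {"bob", "carol", "frank"}

def load_events(text):
    """Parse the CSV audit trail into a list of dicts (one per action)."""
    return list(csv.DictReader(StringIO(text)))

def find_sod_violations(events):
    """Segregation of duties: the same user must not both create and approve
    a transaction. Returns the offending transaction ids."""
    actors = defaultdict(dict)
    for e in events:
        actors[e["txn"]][e["action"]] = e["user"]
    return sorted(txn for txn, a in actors.items()
                  if "create" in a and a["create"] == a.get("approve"))

def find_unauthorised_approvals(events, approvers=APPROVERS):
    """Logical access: an approval recorded for a user outside the approver
    role means the application is not enforcing the access model."""
    return sorted(e["txn"] for e in events
                  if e["action"] == "approve" and e["user"] not in approvers)

def find_dormant_approvers(events, approvers=APPROVERS):
    """Access review: approver role holders who never approve anything are
    candidates for privilege removal (least privilege)."""
    active = {e["user"] for e in events if e["action"] == "approve"}
    return sorted(approvers - active)

if __name__ == "__main__":
    evs = load_events(AUDIT_LOG)
    print(find_sod_violations(evs), find_unauthorised_approvals(evs), find_dormant_approvers(evs))
```

None of these findings would ever surface from a penetration test or an app scanner, yet each one is exactly the kind of alarm bell the post is talking about.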
I question some people’s credentials as “Application Security Experts” when all they can talk about is technical vulnerabilities and attack vectors. That just makes you a coding-problem expert who has good hacking skills to break code... not an “Application Security Expert”. If you want to be an expert in application security, you need to understand a little more, and maybe fraud like that mentioned at the start of this post could be averted in more cases. Not sorry if that upsets some “Experts”.
Applications/Systems that cannot be hacked into because they have been penetration tested and had their problems fixed, and are protected by FWs, IDS/IPS and WAFs, are easy game if you haven’t really looked at the “security” of the applications/systems.