Cybercrime’s a business – and business is booming, writes Content Security’s Ken Pang…
It’s tempting to think most cybercriminals are simple unskilled petty criminals. Two hundred dollars of ransomware payments here, $1000 in stolen credit cards there, maybe the odd ‘executive phish’ for a little more, when they can socially engineer an unaware staff member.
Reality, however, is somewhat different. While the small-value crimes that affect many people are the ones that make the front pages, the bulk of the money is stolen more discreetly. The attacker's goal is for the victim to take as long as possible to notice the theft, so they hide their activity, exploiting weak business processes to bury fraudulent transactions among legitimate ones.
As increasing numbers of business processes are digitised, the opportunity for cybercrime rises. This is because many organisations are rushing to digitise processes without first considering the impact on security.
The drivers of fraud
The majority of fraud occurs for one of three reasons:
- a failure to correctly identify a party;
- a failure to correctly check the authorisation of an identified party; or
- a logic or process abuse.
These problems arise when the people responsible for digitising a process don't understand cybersecurity, or how their changes affect the controls that already exist. This is why a digital transformation project needs a security specialist.
The risks of digitising processes
For example, consider the security implications of digitising an accounts payable process.
Traditionally, giving your bank a binding payment instruction required identifying an authorised company representative: presenting a cheque with anti-forgery measures (something you ‘have’) together with a signature (something you ‘do’). That combination makes a fraudulent instruction difficult to produce.
Many internet banking portals, however, accept a username and password alone (only something you ‘know’), and a password can be phished, keylogged or reused from another breach. Digitising the identification step has therefore weakened it, unless a second factor is added to payment authorisation.
In many organisations, the authority model says accounts payable may only pay invoices that another manager has approved. The software, however, often grants a single user the rights both to create new supplier records and to release payments, so one person can create a fictitious supplier and pay its fictitious invoices.
The authorisation process has been weakened because the approval was assumed as part of the process rather than checked by the software. Digital processes are very good at enforcing an authorisation model; the problem is that the model as configured rarely reflects the policy as written.
Software is also highly susceptible to logic abuse, because it checks only what it was programmed to check. If company policy says every cheque over $10,000 must be co-signed by the CFO, a series of cheques for $9999.99 to a new supplier would raise red flags with staff immediately.
An application not specifically programmed to spot that pattern would process every one of them without question. Digitising the process has thus removed the ‘sanity checking’ a human used to provide.
Compounding the problem
The problem posed by business process digitisation is compounded by several additional factors. Corrective controls, such as the ability to stop a cheque, are generally not available for EFT transactions. A chequebook is also physically secured in an office, and cheques are usually stolen only in transit, for example from unlocked mailboxes. No such restriction applies to internet banking, so far more criminals are able to target a company.
The internet offers anonymity, emboldening many would-be criminals who would otherwise fear being caught.
Overcoming the fraud threat
Organisations undertaking digitisation projects need to go back to basic risk identification principles and find digital ways of managing each risk, rather than trying to ‘translate’ the manual controls. They then need to plan how to treat each risk, and understand any compromises they make between risk mitigation and convenience.
There are three key areas in which questions must be asked to ensure the risk of fraud is minimised: identity, authority and logic abuse. The questions to consider in each area include:
Identity
- Why does a person need to identify themselves to conduct this transaction?
- What is the worst possible impact if the person was an impersonator?
- How does a person or organisation identify themselves to me?
- Is this method easily copied or stolen? (passwords, dates of birth, ID cards etc.)
- Is the security of the ID commensurate with the risk (e.g. access to a gym vs access to a bank vault)?
Authority
- What is the absolute minimum authority a person needs to do their job? Is it ‘pay an invoice’ (broad) or ‘pay an invoice approved by another manager’ (narrow)?
- At each step of the process, how is this authority checked?
- If authority cannot be electronically enforced in a practical way, can abuse be detected early enough to correct?
Logic abuse
- At each step of a process, what are the preconditions for starting that step? For example, a payment cannot be made unless an authorised manager has approved it and the value is under $10,000.
- Do the preconditions enforce the process logic, both singularly and in batch? For example, is the transfer limit $10,000 per transfer, per supplier, per day, or per employee?
- How does the process verify that the preconditions have been met?
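The accounts payable example above (the self-created supplier, the string of $9999.99 payments) and the precondition questions just listed can be made concrete. The following is an added illustration, not code from the article or from Content Security: it encodes the singular preconditions (invoice exists and matches, approved by someone other than the releaser, releaser did not create the supplier, CFO co-signs at or above the limit) and then re-applies the limit in batch, per supplier and per releaser over a calendar week, to catch payments structured just under the threshold. The identifiers, the $10,000 limit and the transaction records are assumptions constructed for the example.

```python
"""Accounts-payable preconditions, checked per payment and in batch.
Added illustration, not the article's code: names, the $10,000 co-sign
limit and all transaction data below are assumed / constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional

CO_SIGN_LIMIT = Decimal("10000")              # assumed policy: at/above needs CFO co-sign
NEAR_LIMIT = CO_SIGN_LIMIT * Decimal("0.95")  # "just under the limit" band


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    supplier_id: str
    amount: Decimal
    approved_by: Optional[str]      # manager who approved it; None if nobody has


@dataclass(frozen=True)
class Payment:
    invoice_id: str
    supplier_id: str
    amount: Decimal
    released_by: str                # AP user who releases the funds
    paid_on: date
    co_signed_by: Optional[str] = None


def payment_violations(p: Payment, invoices: dict, supplier_owner: dict, cfo: str) -> list:
    """Singular preconditions: each assumption the manual process relied on
    ('someone else approved it', 'the supplier is real') becomes a check."""
    inv = invoices.get(p.invoice_id)
    if inv is None:
        return ["payment does not reference a recorded invoice"]
    problems = []
    if inv.supplier_id != p.supplier_id or inv.amount != p.amount:
        problems.append("payment does not match the recorded invoice")
    if inv.approved_by is None:
        problems.append("invoice has not been approved by a manager")
    elif inv.approved_by == p.released_by:
        problems.append("releaser may not pay an invoice they approved themselves")
    if supplier_owner.get(p.supplier_id) == p.released_by:
        problems.append("releaser created this supplier record (segregation of duties)")
    if p.amount >= CO_SIGN_LIMIT and p.co_signed_by != cfo:
        problems.append("amount at or above the limit requires CFO co-signature")
    return problems


def find_structuring(payments: list) -> list:
    """Batch precondition: the per-transfer limit re-applied per supplier and
    per releaser within an ISO calendar week. Flags a supplier whose sub-limit
    payments add up to the limit, and anyone with two or more 'just under'
    payments. (A sliding window would also catch splits across a week boundary.)"""
    by_supplier, by_releaser = defaultdict(list), defaultdict(list)
    for p in payments:
        week = tuple(p.paid_on.isocalendar()[:2])  # (ISO year, ISO week)
        by_supplier[(p.supplier_id, week)].append(p.amount)
        by_releaser[(p.released_by, week)].append(p.amount)
    flags = []
    for (supplier, week), amounts in by_supplier.items():
        under = [a for a in amounts if a < CO_SIGN_LIMIT]
        total = sum(under, Decimal(0))
        if total >= CO_SIGN_LIMIT or sum(1 for a in under if a >= NEAR_LIMIT) >= 2:
            flags.append({"by": "supplier", "id": supplier, "week": week,
                          "total": total, "count": len(under)})
    for (user, week), amounts in by_releaser.items():
        near = [a for a in amounts if NEAR_LIMIT <= a < CO_SIGN_LIMIT]
        if len(near) >= 2:
            flags.append({"by": "releaser", "id": user, "week": week,
                          "total": sum(near, Decimal(0)), "count": len(near)})
    return flags


# Constructed sample data, not real transactions.
INVOICES = {
    "INV-1": Invoice("INV-1", "SUP-A", Decimal("4200.00"), "mgr.lee"),
    "INV-2": Invoice("INV-2", "SUP-Z", Decimal("9999.99"), "mgr.lee"),
    "INV-3": Invoice("INV-3", "SUP-Z", Decimal("9999.99"), "mgr.lee"),
    "INV-4": Invoice("INV-4", "SUP-Z", Decimal("9999.99"), "mgr.lee"),
    "INV-5": Invoice("INV-5", "SUP-A", Decimal("12500.00"), "mgr.lee"),
}
SUPPLIER_OWNER = {"SUP-A": "mgr.lee", "SUP-Z": "ap.jones"}   # who created each record
CFO = "cfo.chan"
PAYMENTS = [
    Payment("INV-1", "SUP-A", Decimal("4200.00"), "ap.jones", date(2024, 3, 4)),
    Payment("INV-2", "SUP-Z", Decimal("9999.99"), "ap.smith", date(2024, 3, 4)),
    Payment("INV-3", "SUP-Z", Decimal("9999.99"), "ap.smith", date(2024, 3, 5)),
    Payment("INV-4", "SUP-Z", Decimal("9999.99"), "ap.smith", date(2024, 3, 6)),
    Payment("INV-5", "SUP-A", Decimal("12500.00"), "ap.jones", date(2024, 3, 7)),  # no co-sign
]


def audit(payments=PAYMENTS, invoices=INVOICES, supplier_owner=SUPPLIER_OWNER, cfo=CFO):
    """Run both layers; returns ({invoice_id: [violations]}, [batch flags])."""
    singular = {}
    for p in payments:
        problems = payment_violations(p, invoices, supplier_owner, cfo)
        if problems:
            singular[p.invoice_id] = problems
    return singular, find_structuring(payments)


if __name__ == "__main__":
    singular, batch = audit()
    for inv_id, problems in singular.items():
        print(inv_id, "->", "; ".join(problems))
    for f in batch:
        print(f"structuring? {f['by']} {f['id']} week {f['week']}: "
              f"{f['count']} payments totalling {f['total']}")
```

Note the division of labour: the three SUP-Z payments each pass the singular checks (approved by a manager, released by someone who neither approved them nor created the supplier, each under the limit), and only the batch view exposes them. The over-limit INV-5 payment is caught singly because the co-signature is a recorded precondition rather than an assumed one. Which aggregation keys matter (per supplier, per releaser, per day, per week) is exactly the question the list above asks; the answer belongs in the design, not in a later audit.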
Digital processes can be just as, if not more, secure than traditional processes. However to reach that point, each must be carefully examined from the perspective of potential fraud.
By evaluating each step in turn, and focusing on identity, authority and logic abuse, organisations can take advantage of the power of digital transformation while ensuring their systems and processes remain as secure as possible at all times.