How to address the two types of insider threats

“I read about fraud all the time – hackers, online gangs, angry employees, etc. It seems like it’s on the rise. Why is this so hard to detect and how can we prevent fraud in our organization?”

It is true that fraud is increasing, and it does seem that we read about incidents on an almost daily basis. This is a consequence of the rising amount of sensitive information that is now online, the increased number of online applications that access this information, and the growing number of users who rely on online financial services. The result is more opportunity for fraud with less effort, so it is no surprise that criminals have moved their activities online and that insider-led fraud is on the rise.

Let’s look at insider-led fraud first. Insider-led incidents involve a malicious employee or contractor who uses company systems to commit some form of fraud against the company itself. One of the motivations behind the Sarbanes-Oxley regulation was to ensure companies have the proper internal controls to prevent this type of fraud.

Everyone seems to use the example of an accounting clerk adding her brother-in-law as a new payee, then also cutting a payment to him and splitting the proceeds. This is the classic case that a separation-of-duties control is meant to prevent, but there are plenty of others. Consider, for example, quote fraud in the insurance industry, where someone inside the insurance company provides quote details to a rival firm so the rival can outbid it and win the contract.

There are many variations on insider-led fraud, and they continue to multiply as new applications and business processes come online. Monitoring of separation-of-duties controls and monitoring of privileged users’ data access are two common methods of detecting this type of fraud.

The other type of fraud we read about is led by external criminals against an organization’s customers. This type usually includes some form of account takeover to enter fraudulent transactions and drain the customer’s account.

Account takeover techniques might include phishing, smishing (phishing via SMS text messages) and vishing (phishing by voice, using VoIP services such as Skype). Each of these tricks the customer into divulging account credentials, which are then used to steal funds.

These fraudulent techniques can be detected by analyzing items such as geographic location (e.g. the customer is located in London but the wire transfer is being requested from Russia), trend analysis (e.g. the customer never requests transfers over $1,000, but this transfer is for $25,000), or device analysis (e.g. this PC has requested wire transfers from three different accounts today).
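As an added example (not part of the original column), here is a small rules-based screen in Python over a constructed batch of wire-transfer records, applying the three checks just described: a geographic mismatch against the customer’s home country, an amount above the customer’s usual ceiling, and one device requesting transfers from several accounts. The customer profiles, thresholds and sample records are all assumed values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Transfer:
    account: str
    country: str   # country the transfer request originated from
    amount: float
    device: str    # browser/device fingerprint (constructed value)


# Constructed customer profiles: home country and typical maximum transfer.
PROFILES = {
    "acct-1": {"home": "GB", "max_amount": 1000.0},
    "acct-2": {"home": "US", "max_amount": 5000.0},
    "acct-3": {"home": "US", "max_amount": 2000.0},
}


def score_transfers(transfers, profiles, device_threshold=3):
    """Return {index: [reasons]} for every transfer that trips a rule."""
    # The device rule needs the whole batch: count distinct accounts per device.
    accounts_per_device = defaultdict(set)
    for t in transfers:
        accounts_per_device[t.device].add(t.account)
    flagged = {}
    for i, t in enumerate(transfers):
        reasons = []
        profile = profiles.get(t.account)
        if profile is None:
            reasons.append("unknown account")
        else:
            if t.country != profile["home"]:
                reasons.append(f"geo mismatch: home {profile['home']}, request from {t.country}")
            if t.amount > profile["max_amount"]:
                reasons.append(f"amount {t.amount:.0f} exceeds usual ceiling {profile['max_amount']:.0f}")
        if len(accounts_per_device[t.device]) >= device_threshold:
            reasons.append(f"device {t.device} used by {len(accounts_per_device[t.device])} accounts")
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed sample batch mirroring the column's examples.
SAMPLE = [
    Transfer("acct-1", "RU", 25000.0, "dev-A"),  # London customer, request from Russia, unusually large
    Transfer("acct-2", "US", 200.0, "dev-B"),    # ordinary transfer
    Transfer("acct-2", "US", 300.0, "dev-C"),    # dev-C now used by a first account
    Transfer("acct-3", "US", 150.0, "dev-C"),    # ...and a second
    Transfer("acct-1", "GB", 50.0, "dev-C"),     # ...and a third: device rule fires
]
```

Calling `score_transfers(SAMPLE, PROFILES)` flags the first transfer on both the geographic and the amount rule, and the last three on the shared-device rule, while the ordinary transfer passes.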

Even more insidious is the “Man in the Browser” fraud technique, where malware is installed in a customer’s browser, and during a banking transaction, the malware sends transfer requests or creates bill-payees and payment requests without the customer knowing. The customer doesn’t discover the problem until her monthly statement arrives containing a batch of unauthorized payments, and the money is long gone. This technique is harder to detect, but analysis of Web page requests can be an effective prevention method for this type of fraud.

The key point in all of these examples, whether insider-led or external fraud, is that the key bits of evidence needed to detect the problem are always there; it’s a matter of seeing them ahead of time.

I believe the best approach to fraud detection is what I call “collect and connect” – gather all the relevant information and then connect the dots to see where risk lies, and then take action to prevent the loss. Sounds easy, but it isn’t always so. Fortunately, tools exist to collect and connect, and the correlation capabilities of a SIEM engine make it one of the best of these tools.

SIEM technologies help detect fraud in two ways. First, they assist with both data collection and rules-based analysis of that data. Second, many financial and insurance organizations already deploy specialized fraud detection tools, such as IP blacklists, account profiling solutions and risk-based authentication tools. A SIEM can also collect and connect across these other fraud technologies, producing composite fraud scores that integrate the output of all of these other products.

Earlier this year, Gartner Group estimated that 7.5% of all adults in the U.S. lost money to financial fraud in 2008. This year will likely be even worse. It has become a cliché to say, following a fraud incident, that all the clues were there, if only someone had pieced them together. Given the increasing frequency of fraud and the dollar amounts at risk, this situation is not acceptable. Organizations have powerful tools available; hopefully they will use them.


Copyright © 2009 IDG Communications, Inc.