a forensic accountant in cyber security - wordpress.com · 03-11-2017 · service (ddos) attacks...

A Forensic Accountant in Cyber Security

Gertjan Groen, President ACFE Netherlands Chapter
Fraud Awareness Week Event ACFE Belgium
14 November 2017, Brussels


Post on 05-Jul-2018


Personal Background

• Started my career in auditing (1988, KPMG)
• Part of establishment and development of KPMG Forensic Accounting NL (1993)
• Self-employed (2007 – 2015)
• Partner at BDO Forensics & Litigation Support NL (2015 – 2017)
• Since June 2013 Board Member of ACFE The Netherlands Chapter. As of May 1, 2017 President
• As of October 1, 2017 Business Line Manager Forensics & Incident Response at Fox-IT, member of NCC Group


This is not….

• A presentation from a Cyber Crime specialist
• A presentation on Bits, Bytes and techniques

Instead, this is a presentation…

• Of a forensic accountant with 25 years of experience in forensic accounting sharing his experience after (only) six weeks in cyber security
• About differences and similarities between fraud and cyber crime (or forensic accounting and cyber security)
• In a personal capacity (à titre personnel)


My main search: where do Fraud and Cyber Crime meet?

• My hypotheses:

• there are a lot of similarities

• within the next 5 to 10 years fraud and cyber crime will come (more or less) together (and thus Forensic Accounting and Cyber Forensics)

• Next months to explore! Today I give my first reflections


Fox-IT Forensics & Incident Response in brief

• Part of Fox-IT Cyber Threat Management
• Approx. 25 FTE
• Services include:

• Incident Response (CERT)

• Forensics

• eDiscovery

• Compromise Assessments

• Response Readiness Assessments


Fraud goes back to 300 b.c. whereas Cyber Crime only goes back to 1971

• 1971: ‘Blue Box’. Give away whistle used to make free phone calls
• 1981: First cyber crime conviction
• 1989: First large-scale case of ransomware
• 1994: Introduction of World Wide Web
• 1995: First Macro-viruses
• 1999: Melissa virus released. Most virulent computer infection to date
• 2000: Denial of Service (DDoS) attacks are launched
• 2000: Stuxnet. Supposedly developed to sabotage the nuclear program of Iran.
• 2016/2017: Wannacry, Petya, NotPetya


Cyber actors not your typical fraudster:

[Figure: cyber actors plotted by Intent and Capability: Disgruntled employees, Terrorists, Hacktivists, Script kiddies, Criminals, State actors]


Do you remember?


Many cyber attacks come back to the human: the weakest link

• The typical person has 26 password protected accounts
• 60% of people reuse their password(s)
• 11% use only 1 (!) password for all of their accounts (just imagine these people working at your organization….)
• How do people remember passwords:
  • 39% write them down on a piece of paper
  • 10% keep them in a file on their computer
  • 7% keep them in a file on Dropbox or similar
• People publish a lot of personal information on social media – a valuable source for cyber criminals (e.g. CEO fraud)


Working in Cyber Security: time for me to have a look into the mirror!


A password isn’t a password unless…

….so I changed basically all my private passwords (> 50)!


Social media? My score (and probably not complete…).

What’s your score?? If you think it’s not a problem for you: your personal data can (also) be used to scam other people!


Cyber Crime threat landscape

• Cyber Crime is all around us and still growing. Are we sitting on a Volcano?

• Victimized organizations relatively naïve: try to resolve it themselves, often destroying evidence and/or increasing damage

• Internet of things!
• Malware is traded on the internet and easily accessible: cyber crime for everyone!
• Threat of terrorists and State actors is increasing
• Basically every organization can (and will) be a victim of cyber crime – the main question is: are you prepared?


The Cyber incident: are you prepared?

• Do you have an incident response plan, including communication, retention of data, etc.?

• Do you have first incident handlers within your organization?
• Do you have a Cyber Emergency Response Team (CERT)?
• If not: do you have a retainer contract with an external CERT provider?
• Do you have a Cyber Insurance policy?
• Etc.

In practice: majority of organizations are not prepared at all!


Some differences between Cyber Crime and Fraud

• Fraud is usually detected afterwards; Cyber Crime can be detected in a very early stage

• Fraud is often committed by insiders, Cyber Crime usually by outsiders

• The identity of the fraudster often can be determined, whereas the identity of a cyber criminal usually is difficult to determine.

• In Fraud Risk Management there is relatively limited attention for Threat Intelligence. In Cyber Risk Management attention is increasing – the aim is to display vulnerabilities and predict potential attacks


Where Fraud and Cyber Crime (could) meet

• Cyber Crime more and more is a modus operandi of fraud (e.g. CEO-fraud and Man-in-the-Middle (MITM) attacks)

• Cyber forensics can support (traditional) fraud investigations and vice versa

• Like fraud awareness, cyber awareness usually only exists after an incident

• Cyber Security Framework looks like, sounds like …. Fraud Risk Management


ACFE Netherlands Chapter

• Approx. 320 members, of which less than 10 members working in Cyber Security
• Members have background in private sector (banks, insurance companies, law firms, multinationals, accountancy & consultancy firms, etc.) and public sector (Police, Tax Authorities, Public Oversight, etc.)
• 4 events per year, open to all members and their guests – Belgian Chapter members welcome!
• New website www.acfe.nl