21 February 2019

Business Process Compromise - Insider and Outsider Threat

Last year I was at a security symposium in Sydney where I bumped into a friend working for a large security vendor. We discussed the latest industry rumours and trends and shared a few interesting stories on breaches. This is when I asked if his firm performs risk assessments for Business Process Compromise (BPC), to which he replied "No". I was now thinking: how on earth do they perform security assessments when they only look at one half of the big picture? Surely the other half is equally important? Don't believe me? Consider the big cyber-heist at Bangladesh's Central Bank, which I will use as a case study a little later.

Interestingly, I was told by my friend that business process compromise often results in fraud, which is the responsibility of Human Resources, Finance and Risk Officers. For those of you who have not heard of business process compromise, simply explained it means that someone with deep knowledge (a subject matter expert) of how a process works, typically in finance, sales, procurement or payroll, can bypass security controls, checks and balances to commit financial theft, sabotage or intellectual property theft.

What makes business process compromise difficult to detect and counter is that it is usually performed by employees in sensitive or senior roles. These people are trusted to do the right thing, and this makes it extremely difficult to identify which of them is inclined to this type of behaviour. Worse still, these employees know processes extremely well, including how security is configured on their specific systems such as finance, payroll and accounts payable, so monitoring for malicious actions and detecting them is that much more difficult.

For those of you new to the concept of business process compromise, it is important to note that there are two classes of malicious actor: the insider, who is typically an employee or contractor employed by your firm, and the outsider, who is typically someone outside the organisation such as a terminated or ex-employee, consultant, technology vendor or supplier. Both classes of malicious actor have intimate knowledge of how your sensitive corporate functions work. For example, the financial platform consultant knows how your accounts payable process works front-to-back because they configured and installed the system based on your processes, which they helped you capture and articulate.

Now, should the financial platform consultant switch to the dark side (criminal intentions) and decide to commit fraud by issuing you a fake invoice using clever means such as Business Email Compromise (BEC) and social engineering, more than likely they will succeed, and more than likely detection will take many months if not longer.

The cyber-heist at the Bangladesh Central Bank (BCB) was a combination of both insider and outsider threat actors staging a sophisticated attack which involved hacking, social engineering, corruption of employees, intimate knowledge of the central bank's operations, and deep knowledge of the international banking platform SWIFT.

In a nutshell, malicious actors hacked into the SWIFT platform owned by the Bangladesh Central Bank and sent fraudulent instructions against its major bank account held at the Federal Reserve Bank of New York. The instructions were to transfer US$1 billion to offshore bank accounts in low-compliance jurisdictions such as the Philippines, Sri Lanka and Macau. The majority of the payments were stopped, but US$81 million made it through and ended up in fake bank accounts at a Philippine bank, from which it was transferred to a local casino and never found; the trail ended at the bank! A very sophisticated operation.

In summary, the following key points were identified as weaknesses which led to the cyber-heist; I have summarised a few:

  • Insider threats were involved in some capacity: somehow malware got onto a "supposedly" secure machine, and the only mechanisms available were email or a USB memory stick. There are suggestions that someone most probably inserted an infected USB memory stick into the SWIFT server, which allowed cybercriminals to create an undetected backdoor. The cybercriminals were probably accessing the infected server for anywhere from a few weeks to a year.
  • Insider threats most probably disabled the CCTV camera, which was not working on the weekend the criminal activity took place. There were tell-tale signs of sabotage which investigators believed strongly pointed to central bank employees or building maintenance contractors.
  • Outsider threats had intimate knowledge of global banking and settlement processes, as they specifically targeted the central bank on a Friday, which in Bangladesh is a bank holiday; this meant nobody was available to detect and stop the fraudulent funds transfer.
  • Outsider threats built and deployed malware which specifically targeted the SWIFT payment platform. There were suggestions that nation-states might have been involved, as the malware was extremely sophisticated in that it covered the criminals' trail.
  • Outsider threats knew that the Federal Reserve Bank of New York has limited manpower to manually check for fraudulent payments, and also knew that there was no 24 x 7 hotline to alert its employees to halt fraudulent payments.
  • Outsider threats created fake bank accounts at the Philippine bank one year before the heist: they corrupted the branch manager to create the fake accounts and to immediately settle the transfer and convert it to cash. (She was arrested, but was probably a minor player in the grand heist.)
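Several of the weaknesses above (a holiday with nobody watching, beneficiaries in low-compliance jurisdictions, accounts opened well in advance, and a large total split across many instructions) can be written down as release checks that the sending bank's own payment gateway runs before an instruction leaves. The code below is an added example, not part of the original article and not SWIFT's or any bank's actual control logic; the instruction fields, thresholds, holiday calendar, country list and sample batch are all constructed for the demo.

```python
"""Rule-based release screening for outbound payment instructions (added example).

Every threshold, the holiday calendar, the jurisdiction list and the sample batch
are constructed assumptions for this demo; the Instruction fields are a simplified
stand-in, not real SWIFT message fields.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy parameters (assumptions for the demo).
HIGH_RISK_COUNTRIES = {"PH", "LK", "MO"}        # stands in for a real risk/sanctions list
ORIGINATOR_HOLIDAYS = {date(2019, 2, 22)}       # a Friday on which the sending bank is closed
NEW_ACCOUNT_DAYS = 400                          # beneficiary opened within ~a year -> review
DAILY_AGGREGATE_LIMIT = 100_000_000             # USD per value date, constructed threshold


@dataclass(frozen=True)
class Instruction:
    ref: str
    value_date: date
    amount_usd: int
    beneficiary_country: str            # ISO 3166 alpha-2 of the beneficiary bank
    beneficiary_account_opened: date    # as known to the sending bank's KYC records


def screen(instr, prior_total_today=0):
    """Return the names of the rules that fire for one instruction (empty = release)."""
    flags = []
    # Nobody at the originating bank is available to challenge the payment.
    if instr.value_date in ORIGINATOR_HOLIDAYS or instr.value_date.weekday() >= 5:
        flags.append("originator_closed")
    if instr.beneficiary_country in HIGH_RISK_COUNTRIES:
        flags.append("high_risk_jurisdiction")
    # Accounts set up ahead of time specifically to receive the proceeds.
    if instr.value_date - instr.beneficiary_account_opened <= timedelta(days=NEW_ACCOUNT_DAYS):
        flags.append("recently_opened_beneficiary")
    # The aggregate counts everything already sent or held on this value date, so a
    # large theft split into many smaller instructions still trips the limit.
    if prior_total_today + instr.amount_usd > DAILY_AGGREGATE_LIMIT:
        flags.append("daily_aggregate_exceeded")
    return flags


def screen_batch(instructions):
    """Screen a batch in arrival order; returns {ref: flags}."""
    results, running = {}, {}
    for instr in instructions:
        total = running.get(instr.value_date, 0)
        results[instr.ref] = screen(instr, total)
        running[instr.value_date] = total + instr.amount_usd
    return results


def held_refs(results):
    """References that must go to a human reviewer before release."""
    return [ref for ref, flags in results.items() if flags]


# Constructed sample batch: three instructions on the closed Friday, one on Monday.
SAMPLE_BATCH = [
    Instruction("TX1", date(2019, 2, 22), 20_000_000, "PH", date(2018, 5, 15)),
    Instruction("TX2", date(2019, 2, 22), 30_000_000, "LK", date(2018, 5, 15)),
    Instruction("TX3", date(2019, 2, 22), 60_000_000, "DE", date(2009, 1, 1)),
    Instruction("TX4", date(2019, 2, 25), 5_000_000, "DE", date(2009, 1, 1)),
]

if __name__ == "__main__":
    results = screen_batch(SAMPLE_BATCH)
    for ref, flags in results.items():
        print(ref, "HOLD" if flags else "RELEASE", flags)
    print("held for review:", held_refs(results))
```

The point of `screen_batch` keeping a running total per value date is that a held instruction still counts toward the aggregate; otherwise an attacker who learned the per-instruction limit could stay under it on every single transfer. In practice the holiday calendar and jurisdiction list would come from reference data rather than constants.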

Now the interesting bit: how do you assess your vulnerability to business process compromise? The approach I advise is to identify your key business processes, whatever they are: payroll, HR, accounts payable, finance, etc. Bring together diverse groups from within your firm, and even your trusty security consultants, and ask them to let their minds run free. Ask the question: if they were to commit the ultimate white-collar crime within your firm, what would it be, and how would they do it? Take note: the scenarios might sound far-fetched and impossible, but with time and resources they are more than likely achievable.

Some methods to reduce exposure to business process compromise include:
  • Listening to employee concerns regarding insecure processes and systems.
  • Performing criminal and employment history background checks on new employment candidates, including contractors.
  • Monitoring employee movements; in some industries employees are asked to detail their travel plans.
  • Monitoring employee wealth; financial theft is sometimes identified by employees living beyond their means.
  • Regular physical and cyber security assessments. (Yes, physical security too!)
  • Auditing employee access to facilities, both CCTV footage and electronic keycard access logs.
  • Using simple Machine Learning (ML) over a wider context, such as combining physical security and IT system logs. (Out-of-hours access to sensitive platforms might give away signs of possible fraud.)
  • Cyber security awareness: teach employees the tell-tale signs of phishing and social engineering, and build a culture where employees are encouraged to challenge suspect instructions.
  • Human Resources should be vigilant about employee behaviour, in particular repeat offenders who don't respect company policies.
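The keycard-audit and combined-logs points above are the ones that can be automated cheaply, even before any machine learning is involved. The script below is an added illustration, not code from the original article or from any product: it joins a physical keycard log with a system login log for one sensitive platform and flags two conditions, a login outside business hours and a login with no matching badge-in beforehand (the person is not in the building, so the credentials are being used remotely or by someone else). The log formats, user names, the host name payments-core, the business-hours policy and the badge window are all constructed for the demo.

```python
"""Correlate keycard (physical) and system login logs for a sensitive platform.

Added example: the CSV formats, users, host name, business hours and badge window
are constructed assumptions, not a real product's schema or policy.
"""
from datetime import datetime, timedelta

# Constructed policy: business hours 08:00-18:00 Mon-Fri; a badge-in "covers"
# logins for the following 12 hours.
BUSINESS_START, BUSINESS_END = 8, 18
BADGE_WINDOW = timedelta(hours=12)

# Constructed keycard log: timestamp,user,door,event  (20 Feb 2019 is a Wednesday,
# 23 Feb 2019 a Saturday).
KEYCARD_LOG = """\
2019-02-20T08:02:11,alice,main-lobby,entry
2019-02-20T08:15:40,bob,main-lobby,entry
2019-02-23T02:10:05,bob,server-room,entry
"""

# Constructed system log: timestamp,user,host,action
SYSTEM_LOG = """\
2019-02-20T08:30:00,alice,payments-core,login
2019-02-20T09:00:00,alice,hr-portal,login
2019-02-20T17:55:00,alice,payments-core,logout
2019-02-20T23:45:12,alice,payments-core,login
2019-02-23T02:14:33,bob,payments-core,login
2019-02-23T02:20:01,carol,payments-core,login
"""


def parse_csv_log(text):
    """Parse 'timestamp,who,where,what' lines into (datetime, who, where, what)."""
    rows = []
    for line in text.strip().splitlines():
        ts, who, where, what = line.split(",")
        rows.append((datetime.fromisoformat(ts), who, where, what))
    return rows


def out_of_hours(ts):
    """Weekend, or a weekday time outside the business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def badged_in(user, ts, badge_rows):
    """True if the user badged into any door within BADGE_WINDOW before ts."""
    return any(
        who == user and ts - BADGE_WINDOW <= bts <= ts
        for bts, who, _door, event in badge_rows
        if event == "entry"
    )


def find_anomalies(keycard_text, system_text, sensitive_host):
    """Return (timestamp, user, reasons) for each suspicious login to sensitive_host."""
    badges = parse_csv_log(keycard_text)
    findings = []
    for ts, user, host, action in parse_csv_log(system_text):
        if host != sensitive_host or action != "login":
            continue  # only logins to the platform of interest
        reasons = []
        if out_of_hours(ts):
            reasons.append("out_of_hours")
        if not badged_in(user, ts, badges):
            reasons.append("no_matching_badge")
        if reasons:
            findings.append((ts.isoformat(), user, reasons))
    return findings


if __name__ == "__main__":
    for when, who, why in find_anomalies(KEYCARD_LOG, SYSTEM_LOG, "payments-core"):
        print(when, who, ", ".join(why))
```

With the constructed logs this reports alice's 23:45 login (out of hours and no badge-in within the window), bob's Saturday login (out of hours, but he did badge into the server room minutes earlier, so only the time rule fires), and carol's Saturday login with no badge record at all. The "no matching badge" case is the one that matters most for the scenario in this article: a badge-in plus an out-of-hours login is at least a known person on site, whereas a login with no physical presence points to remote use of an insider's credentials.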

I hope you found this article of interest. Feel free to contact me if you would like to discuss further; I look forward to a good old chat!

Written by:
John Kouroutzoglou

19 February 2019

Number 1 Strategy Guaranteed to Help Your Organisation to Survive Disruption

There are many disciplines that contribute to organisational resilience, including governance, risk, compliance, business continuity, security, and emergency and crisis management. But whatever the nature of the business disruption that tests an organisation's resilience, there will always be the common factor of people being affected: whether it is the staff who are expected to respond and restore the business to business as usual, the stakeholders who do not receive the service they are paying for, or the general public in the building who may be impacted by the flow-on effects of the disruption.

In order for an organisation to survive disruption, it must ensure that its people can survive the disruption first and foremost, because without the people there is no organisation. The organisation must then ensure that it has a culture of resilience that permeates all its policies, processes and procedures to support its people.

Resilience is often mistaken simply as the ability to bounce back, but it is actually so much more. There are two key themes that are not immediately evident from the usual resilience definitions. The first is that resilience is not just reactive, but crucially is also proactive, meaning managing risk in advance, learning from the experience of others, and actively preventing disruptions both at personal and organisational levels.

Second, resilience is not just about coming back to where you were before, but instead using each setback as an opportunity to advance towards a larger goal and purpose. 

Resilience is an increasingly important skill to have in today's climate of change. First, it was IQ (Intelligence Quotient), then it became EQ (Emotional Quotient). Now there is increased importance on RQ (The Resilience Quotient). 

These skills are increasingly needed by people of all ages and all life stages. As change accelerates, people need the mental skills to thrive despite adversity. It is worth remembering that someone's resilience capacity is not constant throughout life. We can improve our resilience, and our resilience can be worn down.

Whether it gets worn down due to the environment and external events or through internal negativity, the fact is, no one is invincible. As resilience improves, we gain a natural resistance against being worn down, although a toxic environment will eventually get to us. This is worth keeping in mind as the work environment is where many people spend most of their time, meaning it has a key influence on their resilience. 

The benefit is not just to the organisation, but to individuals themselves. Resilience increases their own sense of safety at a subconscious level, improving relationships, goal achievement, sense of purpose and overall sense of wellness. This translates into greater compassion and empathy at a societal level, highlighting how an organisation's drive for resilience can have a profound global impact. Cultivating resilience, therefore, represents a major long-term opportunity.

By developing your organisation's resilience culture, there should be: 

  • A reduction in absenteeism and presenteeism; 
  • An increase in staff retention; 
  • Improved productivity and flexibility; 
  • Increased engagement and work satisfaction; 
  • Improved communication, collaboration and innovation;  
  • The development of a shared mindset.

The question now is, how do you start to develop this resilience culture in your people? 

It starts with an assessment of the current level of resilience at the individual and team level which can then be aggregated to the organisational level. This baselining assessment can then be used to inform the development of a tailored program that will develop various aspects of resilience.  

One such assessment tool is the Predictive 6 Factor Resilience Scale, a psychometric assessment across six domains: Vision, Composure, Reasoning, Health, Tenacity and Collaboration. What differentiates this assessment tool from others is its forward-looking Momentum score, which can predict the future movement (declining or improving) of resilience levels.

There are many ways that an organisation can then go about improving the resilience levels of their staff whether it is through targeted information campaigns, provision of online tools, the introduction of mental health first aid officers, therapeutic drumming workshops, running of regular simulations/exercises, or conducting formal resilience training classes. 

The important thing to remember is that developing resilience is not a once-off process and doesn’t happen overnight. It takes time but it is worth it for when (not if) a big disruption occurs. 

Blog written by:

Tammie Horton
Chief Executive Officer, Phynix Initiative
Former Business Continuity Manager, Department of Education and Training