Information security teams are asked to participate in forensic accounting because they know the digital forensics realm. How does information security support that process?
From an information security standpoint, normally the forensic accountant has a role in gathering information that is accounting-related. That information is usually produced by a business group. That group is using information technology at some level -- applications, operating systems. It's very important for information security teams to work closely with business units to understand what they're trying to achieve from a business perspective, and generate info and support the applications to achieve those business goals. All accounting data comes out of computers now, so infosec teams need to ensure that only the right people have access to them. When data is pulled by the forensic accountant to support whatever hypothesis they are trying to prove, that access control helps prove to the forensic accountant that the data they're pulling is accurate.

What information security processes are most important to forensic accounting?
Information security teams can support the forensic accountant by being able to provide access to and verify the validity of firewall logs, IDS data, who has logical access, group rights and transaction rights. All of that can be important to support the transactional data on the accounting side.

What are the most common circumstances that trigger a forensic accounting event -- and in turn, the involvement of information security teams -- in financial services firms?
I would say the top three are a suspected misallocation of funds, a business valuation effort or a bankruptcy. Another one might be an insurance claim, and a forensic accountant might be brought in to make a determination about how much something is worth.

Being able to use forensic data to prove fraud is a key part of the forensic accounting process. What must infosec teams do or know to support that effort?
Definitely awareness of the fraud risk assessment process and being able to understand and explain how IT risks play into those assessments. For instance, take perimeter risks. What avenues of access do you have from the outside? There might be the Internet, a couple of dial-in lines and the VPN through a third party. Those are the points of risk, and then you assess the risk. Tighten the firewall, deny only certain points, etc. So that risk assessment process is key.
One of the key areas in which information security definitely can support forensic accounting is database knowledge and an understanding of how the database system works. Forensic accountants understand all the info, but they don't understand all the systems it resides in. They don't understand how to get the data from the systems. So information security folks who can understand a forensic accountant's goals can facilitate the process greatly.

Talk through a scenario where you've seen a successful fraud investigation enabled through cooperation with an information security team. What sets that relationship up for success?
One example I can give is a payroll fraud where the payroll clerk was essentially paying himself twice a month instead of once a month. The information that proved the fraud was in a legacy database system that had a great deal of custom coding done on it, so it was a mishmash. The forensic accountant needed certain info out of that system. A request was made to information security, and they were clued in on the forensic accountant's goals, and it was made clear that their help was essential.
The forensic accountant requested a full payment history for the suspect, and thanks to that relationship, he was able to help us learn that normal payments are kept in one database table, but other payments are kept in a second table, and bonuses are in a third. The success of that request was based on mutual respect and appreciation. People in general want to be helpful, but if someone feels you don't respect them, they're not going to be helpful.

The theme of your talk at the Computer Forensics Show is new perspectives and new discoveries. What does that mean?
For information security, it means looking at things from a fraud-awareness perspective. How might people perform fraudulent activities from an IT perspective? How could people use IT resources to run a fraudulent business or commit illegal activities? Normally IT is focused on keeping things running and fixing problems, but it's important to have a proactive approach with security operations in looking for fraud. Taking that new perspective will lead you to discover new things about how you should control your environment or implement new technologies, processes or controls.

Based on your experience and some of the big recent fraud incidents, like Societe Generale, information security tends to be the last line of defense because it's monitoring the IT systems that often enable fraud. What are the warning signs infosec teams should watch for?
One is good processes that have good controls. I define a control as anything that ensures the right activities are being done. That's the bottom line. Information security should also be aware of the risks associated with improper settings. This is why infosec needs to work with business units; they're the ones responsible for assigning those rights. Infosec just applies them. Security might give access to the accounts payable system, for instance, but a business unit manager signs off on that request. Infosec needs to make sure they're working with business units to provide them with information to review that the right people have the right privileges. A common recommendation in our IT audits is for business groups to conduct annual reviews of user rights. That's not information security's responsibility, but it has to provide the reports to do the review. So it comes back to having a team approach. It takes time, but it often takes a lot less time than you think and provides a lot more benefit than you think.

What can information security teams learn from forensic accountants?
It goes back to risk assessment and the resulting material impact. Frequently people think it's not a big deal to have a couple extra people with administrator privileges, but if you have someone who shouldn't have admin rights, there's potential for a lot of damage to your systems. So it's important to identify those kinds of risks and then use that to explain to management what technology you may need.
For instance, if you want to implement an intrusion detection system behind the firewall to ensure people are doing the right things at the right time, you'll have to link that back to a very concrete benefit, typically monetary. Management will highlight the cost, and the security officer will need to say what kind of damage an attack could cause, and how much time, money and man-hours it would cost to fix it. Associating that concrete cost with that risk is important. Then it shows how the technology will reduce costs across the board by improving security operations.