ISO Standarts or Tools

1
Fraude Cybernétique
Paradis des criminels
Présenté à Montréal CAUBO
2
Cyberspace Frauds
Paradise for criminals
Presented in Montreal CAUBO
3
Fraude Cybernétique
Paradis des criminels
 
Avec larrivé massive des moyens déchange
transactionnel ainsi que les ouvertures au marché
mondial, la fraude est plus quune réalité. Ce
moyen est le véhicule privilégié des criminels
pour avoir ce quils désirent et cela, à moindre
risques. Cette session explorera les approches et
moyens utilisés par les criminels pour vous
exploiter en toute confiance.
 
4
Cyberspace Frauds
Paradise for criminals
 
With new means of communication and information
exchange that are multiplying around the globe ,
electronic fraud are more than a real treat , It
is the new way for criminals to get what they
what at no risk. This session will explore the
impact of there means and ways used to exploit
you with full confidence.
 
5
Sylvain Viau TP, CD, pm, CISA, BSI
Président de lAssociation de Sécurité de
linformation du Montréal Métropolitain
(ASIMM). President of the Association of
Security in Information for the Montreal
Metropolitan (ASIMM)
Conseillé en sécurité de linformation depuis
plus de 8 ans, Sylvain Viau est spécialisé dans
le développement et la pratique de la continuité
des affaires. Il est aussi reconnu pour son
expertise dans lévaluation de conformité en
sécurité de linformation pour les grandes
entreprise, banques canadiennes et agences
gouvernementales. Il a aussi servi dans la Force
Régulière et uvre présentement avec la Réserve
Primaire de l'Armée Canadienne pour un total de
plus de 27 ans en génie de télécommunication,
Guerre Électronique, sécurité physique et de
linformation.
Security consultant for more than 8 years,
Sylvain Viau is specialized in the development of
business continuity practices. He is also well
recognized for its expertise in security
conformity by multi-national corporations,
canadian banks and government agencies. He also
served in the Regular Forces and still active in
the Primary Reserve with 27 years of combine
service in telecommunication engineering,
Electronic Warfare, information and physical
security.
Courriel / e-mail sviau_at_asimm.orgCellulaire
/ mobile (514) 704-8400
6
(No Transcript)
7
Découvertes 9 avril 2006

• - Le cyberespace à vos risques et périls -Ce
  futur imaginé il y a 20 ans dans les laboratoires
  de quelques visionnaires est aujourdhui à la
  portée de tous les doigts. À la vitesse de la
  lumière, en faisant fi des distances, anonyme, un
  réseau de connexions unique dans lhistoire de
  lhumanité fait maintenant office de continent
  virtuel. Dans le cybermonde, il y a un milliard
  dordinateurs, dont les conversations en mode
  numérique sont devenues lespace de jeu et
  daffaires de la planète entière. Passeport
  pour se rendre dans le cyberespace un simple
  ordinateur. Cest la clé dentrée dans un
  territoire virtuel impossible à délimiter, dans
  lequel se paient les factures, se mobilisent les
  ONG, se communiquent les dernières nouvelles de
  la famille, sébauchent des banques de données
  médicales universelles et se complètent les
  rapports dimpôts, avec en prime, le numéro
  dassurance sociale, clé de voûte de lidentité
  légale des citoyens. Dans le cyberespace
  circulent, chaque jour, 60 milliards de courriels
  et un trillion de dollars on y trouve, en
  consultation libre, l'équivalent de 400 milliards
  de livres. Mais si les avantages offerts par le
  cyberespace sont fabuleux, les périls y sont
  aussi de plus en plus nombreux. Et ils commencent
  à la maison. Journaliste Mario Masson
  Réalisatrice Jeannita Richard

8
Découvertes 9 avril 2006

• - Le cyberespace à vos risques et périls -Ce
  futur imaginé il y a 20 ans dans les laboratoires
  de quelques visionnaires est aujourdhui à la
  portée de tous les doigts. À la vitesse de la
  lumière, en faisant fi des distances, anonyme, un
  réseau de connexions unique dans lhistoire de
  lhumanité fait maintenant office de continent
  virtuel. Dans le cybermonde, il y a un milliard
  dordinateurs, dont les conversations en mode
  numérique sont devenues lespace de jeu et
  daffaires de la planète entière. Passeport
  pour se rendre dans le cyberespace un simple
  ordinateur. Cest la clé dentrée dans un
  territoire virtuel impossible à délimiter, dans
  lequel se paient les factures, se mobilisent les
  ONG, se communiquent les dernières nouvelles de
  la famille, sébauchent des banques de données
  médicales universelles et se complètent les
  rapports dimpôts, avec en prime, le numéro
  dassurance sociale, clé de voûte de lidentité
  légale des citoyens. Dans le cyberespace
  circulent, chaque jour, 60 milliards de courriels
  et un trillion de dollars on y trouve, en
  consultation libre, l'équivalent de 400 milliards
  de livres. Mais si les avantages offerts par le
  cyberespace sont fabuleux, les périls y sont
  aussi de plus en plus nombreux. Et ils commencent
  à la maison. Journaliste Mario Masson
  Réalisatrice Jeannita Richard

9
Sujets couverts par la présentation

• Quest la fraude?
• Les types
• Qui fraude?
• Pourquoi les gens fraude
• Comment détectons nous la fraude?

10
Topics For Discussion

• What is Fraud?
• Types of Fraud
• Who Commits Fraud?
• Why People Commit Fraud
• Who Detects Fraud?

11
Statistique 2004

• 53 fraudes au États-Unis sont reliées à
  lInternet (388,603)
• 250,000 US 120,000 UK vol didentité ont été
  répertoriés.
• 70 des Européens 50 of Américains non pas
  confiance en leur système bancaire.
• 94 des personnes interrogés questionne le
  bienfait des transactions en lignes.

12
Statistics 2004

• 53 frauds in the US are linked to the Internet
  (388,603)
• 250,000 US 120,000 UK customers filed identity
  theft complaints.
• 70 of Europeans 50 of Americans are not
  confident in the security of their personal
  finance.
• 94 of surveyed people are outweighing online
  transaction benefits.

13
Statistique 2005 (Top dix)

• Type Complaints
  Av Lost
• Encan 44 999
• Marchandise 30 4,386
• Offre monétaire Nigériane 7 11,370
• Chèques falsifiés 5 4,733
• Hameçonnage 4 298
• Tirage 3 3,953
• Service dAdulte 2 277
• Travail a domicile 1 726
• Eqpt. Informatique 1 608
• Concours 1 2,351

14
Statistics 2005 (Top Ten)

• Type Complaints
  Av Lost
• Auctions 44 999
• General Merchandise 30 4,386
• Nigerian Money Offers 7 11,370
• Fake Checks 5 4,733
• Phishing 4 298
• Lotteries 3 3,953
• Adult Services 2 277
• Work-at-home 1 726
• Computer Eqpt. 1 608
• Sweepstakes 1 2,351

15
Que signifie le mots Fraude ?
16
What is Fraud?
17
Définition de la Fraude

• MORT
• Mauvaise représentation
• Objet ou un fait trompeur
• Relié par quelquun dautre ou complice qui
• Tourmente le elle et lui impliqué

Attaque et ébranle la confiance des individus et
corporations touchés, qui par son levier
affecte les règles daffaires, législatives
ainsi que sur les processus de contrôles et de
conformités
18
What is Fraud?

• MORT
• Misrepresentation
• Of a material fact
• Relied upon by someone
• To his/her detriment

19
Ingrédients des fraudeurs
Intentions et motifs
Monétaire Reconnaissance Vengeance Pression
Rationalisation
Opportunité ou cible
Victime ou complice
Interne Externe passage
Processus Technologie Individu
20
The Fraud ingredients
Intentions et motifs
Monétaire Reconnaissance Vengeance Pression
Rationalisation
Opportunité ou cible
Victime ou complice
Interne Externe passage
Processus Technologie Individu
21
Qui Fraude?
DES GENS COMME VOUS ET MOI ET CEUX QUI OEUVRES
DANS NOTRE ENTOURAGE
La masse de fraudeurs est en général constitué de
criminel non compulsif et non récidiviste qui ne
commenteront plus de crimes.
22
Who Commits Fraud?
PEOPLE LIKE YOU AND I AND THOSE THAT WORK AROUND
US US
Most perpetrators are first-time offenders who
would not commit other crimes.
23
Profile dun Fraudeur Cybernétique

• Intelligent, patient, attentif
• Position de confiance
• 75 Hommes 25 Femmes
• Bon citoyen
• Travailleur stable
• Sans précédent judiciaire
• Très bonne connaissance de lenvironnement visé

24
Cybercrime Fraud profile

• Intelligent, patient, focus
• Good possition
• 75 men's, 25 Women's
• Good Citizens
• Stable worker
• Without previous convictions

25
Bonne paroles

• Pierre Boutroux (6 December 1880 - 15 August
  1922) français
• Mathématicien, et historien de la science.
• "Logic is invincible because in order to combat
  logic it is necessary to use logic."
• Albert Einstein (March 14, 1879 April 18, 1955)
  Allemand, théoricien et physicien et scientifique
  reconnu ai 20th siecle.
• "The secret to creativity is knowing how to hide
  your sources. 
• "The only source of knowledge is experience"
• "Only two things are infinite, the universe and
  human stupidity, and I'm not sure about the
  former."

26
Good Words

• Pierre Boutroux (6 December 1880 - 15 August
  1922) was a French mathematician and historian of
  science.
• "Logic is invincible because in order to combat
  logic it is necessary to use logic."
• Albert Einstein (March 14, 1879 April 18, 1955)
  was a German-born theoretical physicist widely
  regarded as the greatest scientist of the 20th
  century.
• "The secret to creativity is knowing how to hide
  your sources. 
• "The only source of knowledge is experience"
• "Only two things are infinite, the universe and
  human stupidity, and I'm not sure about the
  former."

27
Recent Headlines

• Fraud cost 2 million, school district says The
  News Observer (Raleigh, North Carolina), April
  23, 2005
• The district says some workers got kickbacks from
  a supplier after bus parts were ordered and paid
  for but never delivered. Five school system
  employees have resigned.
• State report cites massive waste in schools
  program Philadelphia Inquirer, April 22, 2005
• New Jersey's 8.6 billion school-construction
  program is riddled with questionable spending and
  management practices that may have wasted tens of
  millions of dollars, the state inspector general
  reported yesterday.
• Audit slams school firm Operator of failed
  charter system misused millions in state funds,
  report says Sacramento Bee, April 15, 2005
• A rogue charter school operator appears to have
  bilked the state out of at least 23 million,
  using school funds for fat salaries, lavish
  events at Disneyland, luxury cars and Jet Skis
• Fraud alleged in E-rate investigation AP,
  February 10, 2005
• Federal prosecutors are investigating fraud
  allegations in E-rate technology grants that were
  given to Atlanta Public Schoolsreports that
  school officials had misspent 73 million in
  E-rate and local money. Much of the money was
  spent on overpriced and unnecessary equipment and
  services.

28
(No Transcript)
29
(No Transcript)
30
Fraude dinformation Information Fraud
31
SAQ en 2005

• 173 enquêtes
• 11 remerciés
• 37 en attentes de véridiques
• Statistique CPE
• US
• Perte fraudes et voles 6 (660G) du produit
  brute
• SAQ cela peut représenter 162M

32

• Avez- vous une histoire à partager?
• Do you have a story to share?

33
Moyens utilisé par le fraudeur

• Image reconnues
• Systèmes et infrastructures
• Abus de pouvoir
• Systèmes transactionnelle
• Compromis au niveau des performances
• Clonage de linformation personnel
• Substitution de lidentité
• Vol didentité

34
Criminals means

• Credible organization
• Systems and infrastructures
• Abuse of power
• Transactional systems
• Performance failure
• Cloning of personal information
• Identity substitution
• Identity theft

35
Éléments Ciblés et technologique
36
Targeted elements and technologies
37
Les cibles

• Securité
• Physique et du personnelle
• Réseautique
• Applications
• Systèmes dexploitation (OS)
• Bases de Données
• Internet- Intranet
• Outils et Logiciel de supervision et rapport
  dévènement de détection et dintrusion
• Information volée ( Encryptions)

38
targets

• Security
• Physical and personnel
• Network (All)
• Applications
• Operating Systems (OS)
• Data Bases
• Internet- Intranet
• Tools software used in the monitoring, reports,
  intrusion detection and preventive measures
• Encryptions ( Channels, data, networks,
  passwords)

39
Contremesures
40
Countermeasures
41
(No Transcript)
42
(No Transcript)
43
Synergie de la Sécurité
Réduction des risques
Chaque contrôle a une efficacité de 80
Data Systèmes Avoirs
0
80
96
99.2
99.84
99.97
Application Services
Source TruSecure
44
Synergistic Security
Each control is 80 effective
Risk Reduction
Data Systems Assets
0
80
96
99.2
99.84
99.97
Source TruSecure
45
Approche PDCA
Plan
Établis par LISMS
CIA
Act
Do
Implanter Opérer
Maintien Amélioration
Check
Supervision et revues
ISMS Information Security Management Systems
46
PDCA approach
Plan
Establish the ISMS
CIA
Act
Do
Implement Operate
Maintain Improve
Check
Monitor Review
ISMS Information Security Management Systems
47
Risques Restrictions(Bon ou Mauvais pour le
fraudeur ?)
EU Data Protection
Competition
HIPAA
Project management
Terrorism
Businesspartners
Physical security
Humanresources
Privacy
PIPEDA
Sarbanes - Oxley
Relationships
Business continuity
IT Security
Investment
Outsourcing
Liability
GLBA
Industry regulation
Operational risk
Informationsecurity
Marketvolatility
Financial management
Credit risk
Compliance
Intellectualproperty
Reputation
48
A Multiplicity of Risk and Restrictions
EU Data Protection
Competition
HIPAA
Project management
Terrorism
Businesspartners
Physical security
Humanresources
Privacy
PIPEDA
Sarbanes - Oxley
Relationships
Business continuity
IT Security
Investment
Outsourcing
Liability
GLBA
Industry regulation
Operational risk
Informationsecurity
Marketvolatility
Financial management
Credit risk
Compliance
Intellectualproperty
Reputation
49
Comment détecter les fraudes
50
Who Detects Fraud?
51
Comment détecter les fraudes

• Audits interne ou externe?
• Source externe (Ex. vendeurs , partenaire
  daffaire etc?
• Conseil interne ou externe ( juridique)?
• Votre personnel?
• Technologie et des contrôles automatisés?

52
Who Detects Fraud?

• External Auditors and CPAs?
• Third Parties (i.e., regulators, vendors)?
• Internal or External Counsel?
• Internal Audit?
• You

53
Qui détecte les fraudes ?

• Resource interne
• Une once de prévention
• comte pour une livre
• de de soins
• Supporter les ressources qui améliore les
  contrôles interne est extrêmement rentable.

54
Who Detects Fraud?

• Most Fraud is detected internally
• An ounce of prevention
• is worth a pound of cure
• Investing in resources that improve internal
  controls will pay significant dividends in
  problems and costs that are avoided.

55
Votre role

• Vous rappeler
• La fraude ne débute pas avec un manque de loyauté
• Elle débute avec la pression
• Débute petit
• Grandis avec le temps
• Il ny a pas de voies de sortie

56
Your Role

• Remember
• Fraud does not start with dishonesty
• It starts with pressure
• It starts small
• It grows over time
• There is no way out

57
Largument de force contre la fraude
est Vraiment croire que vous serez pris et
punis !
58
The single most effective deterrent to
fraud Belief you will be caught and punished!
59
Delta University (Montréal) 30-31 Octobre 1
novembre 2006
60
Delta University (Montréal) 30-31 Octobre 1
novembre 2006
61
Questions
62
Follow the road
63
(No Transcript)
64
(No Transcript)
65
.references
Organizations Tools
66
Types of Fraud
67
Types de Fraudes
68
Acte criminel

• Appâts et transfères
• Abus de confiance
• Fausse représentation
• Vol didentité
• Facturation bidon
• forgery of documents or signatures
• Utilisation de fonds public ou privé pour gain
  personnel
• Recèle et revente de biens dautrui
• Compagnie artificielle
• Réclamation frauduleuses
• Faillite planifié
• Fraude dinvestissement
• Fraude de sécurité
• En plus dêtre un déli criminel la fraude est
  aussi considéré comme une violation au code
  civil.l

69
Acts which may constitute criminal fraud include

• bait and switch
• confidence tricks such as the 419 fraud, Spanish
  Prisoner, and the shell game
• false advertising
• identity theft
• false billing
• forgery of documents or signatures
• taking money which is under your control, but not
  yours (embezzlement)
• health fraud, selling of products of spurious
  use, such as quack medicines
• creation of false companies or "long firms"
• false insurance claims
• bankruptcy fraud, is a US federal crime that can
  lead to criminal prosecution under the charge of
  theft of the goods or services
• investment frauds, such as Ponzi schemes
• securities frauds such as pump and dump
• Fraud, in addition to being a criminal act, is
  also a type of civil law violation

70
Types of Fraud - General

• Misstatements in Financial Statements
• Misrepresentations or omissions
• Misapplications of GAAP/GASB
• Manipulation, falsification or alteration of
  accounting records
• Usually perpetrated by top management
• Misappropriation of Assets
• Direct theft of cash, inventory, or other
  assets
• Indirect bribes, kickbacks, other schemes
• Perpetrated by both employees and top management

71
Types of Fraud - General

• Misstatements in Financial Statements
• Misrepresentations or omissions
• Misapplications of GAAP/GASB
• Manipulation, falsification or alteration of
  accounting records
• Usually perpetrated by top management
• Misappropriation of Assets
• Direct theft of cash, inventory, or other
  assets
• Indirect bribes, kickbacks, other schemes
• Perpetrated by both employees and top management

72
Types of Fraud Financial Reporting

• Misclassifying expenditures to stay within
  legally approved budget
• Over-funding self-insurance funds or other
  employee benefit type funds to build up a source
  of revenues to be used in future periods outside
  of the control of the County and City and the
  Schools financial statements.
• Netting vendor credits or reimbursements against
  expenditures
• Over stating open encumbrances. How this is
  typically done
• Top side journal entry by management
• Fictitious PO
• Not purging old/dead residual amounts left on
  POs out of system on a timely basis
• Getting vendors to advance bill accounts (e.g.,
  bill schools for the books in June 2004 and ship
  them to me in August 2004)
• Backdating POs

73
Types of Fraud Misappropriation of Assets

• Embezzlement
• Employee Expense Account Frauds
• Credit card fraud
• Investments and cash management
• Skimming interest off of investments into a
  personal account
• Purchase investments not approved by federal,
  state, and local laws and regulations
• Vendor Frauds
• Kickback/Bribery Schemes-Directly or indirect
  remuneration to a Schools employee, officer or
  Board member
• Setting up fictitious vendors
• Failure to comply with federal, state and local
  procurement laws and regulations
• Theft of Inventory
• Misuse of Assets
• School buildings
• Buses and vehicles

74
Types of Fraud Misappropriation of Assets

• Payroll Frauds
• Fictitious employee
• Terminated employee never removed from the roles
  by payroll or HR
• Overstating Overtime as a result of lack of
  supervisory review
• Understating vacation for same reason
• Payroll staff modifying federal and state tax
  withholding in violation of federal or state laws
• Employers not depositing all employee
  withholdings with state and federal government on
  a timely basis so they can borrow the funds

75
Investigation digitale
76
Digital Investigation
77
Digital InvestigationsThe Golden Rules (What
they are and what they mean to you)

• No two investigation are identical
• Preparation is critical
• Investigate as if it will go to court
• Document

78
Why prepare for digital Investigations

• Law require different responses to attack
• Regulations are directly driving the need for
  investigation capabilities
• Civil litigation is driving the need to
  investigate
• Law enforcement might come to you, looking for
  evidence

79
IT Security vs Information Security
IT Security
Information Security

• Firewalls
• Intrusion detection
• Viruses, worms
• System hardening
• Encryption

• Intellectual property
• Business/financial integrity
• Regulatory compliance
• Insider abuse
• Industrial espionage
• Privacy Acts

Technology problems
Business information management problems
Physical problems
80
Fraud Prevention and Deterrence
81
Fraud Prevention

• Hiring Practices
• School System Environment
• Internal Controls
• Training

82
Fraud Prevention

• Hiring Practices
• Pre-employment Screening
• Criminal history
• Civil litigation
• Credit history
• Drug screening
• Reference/Employment Reviews

83
Fraud Prevention

• School System Environment
• Integrity and ethical values
• Attitude towards risk/controls
• Willingness to investigate/prosecute
• Involvement of Board/Audit Committee
• Clarity and transparency of roles/responsibilities

84
Fraud Prevention

• Internal Controls
• Segregation of duties
• Management review
• Physical security
• Third-party verifications
• Internal audit
• Fraud response plan
• Risk management ownership

85
Fraud Prevention

• Training
• Fraud Awareness Training
• Educate employees on red flags of fraud
• Newsletters detailing current schemes
• Educate employees on the consequences of fraud

86
Fraud Deterrence

• Ability for employees to voice their opinion
  (environment, hotline, etc.)
• Appropriate action against fraud perpetrators
• Federal and State Sentencing Guidelines
• Federal and State Audits

87
Conclusion
88
Thank You
89
Types of Fraud - Other

• False Claims Act Violations
• E-rate violations
• Misuse of State and Federal funds
• Financial Reporting fraud

90
Who Commits Fraud?
91
Profile of White Collar Criminals

• White Collar Criminals are generally
• Older (30 years)
• 75 male, 25 female
• Appearance of stable family situation
• Above-average education
• Less likely to have criminal record
• Appearance of good psychological health
• Position of trust
• Detailed knowledge of financial systems and their
  weaknesses

92
Why People Commit Fraud
93
Pressures/Incentives (Red Flags)

• Unfavorable Economic Conditions
• Financial Pressures
• Declining Enrollments
• Poor Test Scores
• Pressure to Meet Requirements of Third-Parties
• Protection of Vendor/Supplier

• High Personal Debts or Unusual Financial Losses
• Gambling
• Substance abuse
• Lives beyond means
• Extensive investment speculation
• Credit Problems
• Adverse Relationship With Entity
• Job Frustration/Resentment of Superiors
• Known or anticipated layoffs
• Rewards inconsistent with expectations/based on
  performance criteria
• Greed

94
Opportunity (Red Flags)

• Large amounts of cash on hand or processed
• Inventory items small in size, high in value, or
  high in demand, and easy to misappropriate
• Inadequate internal control
• Inadequate segregation of duties
• Inadequate job applicant screening of employees
• Control Procedures not understood or followed
• No internal audit (monitor)
• Close Association with Vendor/Supplier
• Entity Always in Crisis Mode

• Weak / Decentralized Management
• Excessive Turnover
• Control Environment flaws (message from above)
• Lack of Corp. Governance
• Lack of Accountability
• Lack of Oversight

95
Rationalization (Red Flags)

• Ineffective communication, implementation,
  support, or enforcement of the entitys values or
  ethical standards by management or the
  communication of inappropriate values or ethical
  standards
• Its not GAAP or GASB, but its not material.
• Grants are Grants, shifting a few dollars here
  and there is not a big deal.
• Everybody else is getting theirs.
• Behavior indicating displeasure or
  dissatisfaction with the company or its treatment
  of the employee
• I deserve more.

• Management failing to correct known reportable
  conditions
• Well fix it later.
• The costs outweigh the benefits.
• Other
• I am only borrowing the money Ill pay it
  back.
• Nobody will get hurt.

96
Forrester April 12

• Though online teens (ages 13 to 18) are slightly
  less likely than online adults to be victimized
  by phishing 15 of online teens have received a
  fraudulent message, compared with 22 of adults
  they are not blind to this malicious practice.
  Nearly two-thirds (62) of online teens have
  heard the term "phishing," though only 55 are
  aware of its meaning, and 14 more know the
  practice but not the term. Most online teens view
  themselves as the first line of defense against
  online fraud, and many are willing to alter some
  online behaviors to increase protection of their
  personal information.