Poorly Governed Financial Systems and Fraud –
It Starts with Access Controls

Note:

This article is an abbreviated version of an article submitted to the Association of Certified Fraud Examiners (ACFE) journal. 

Overview:

Access/Identity control is a fundamental component of data security that dictates who is allowed to access and use company information and resources. 

We are still experiencing an explosion of fraud (internal and external) in organizations with a consistent theme that appears to be the lack of controls over access or lack of utilization of controls around the IT resources that are supposed to be in place to govern these identities and practices – especially the intentional misrepresentation of finance statements or the misappropriation of an organization’s assets. 

Financial statement fraud or embezzlement are crimes of opportunity. Companies with lax internal controls, manual accounting systems, or dishonest and overly aggressive leaders are more likely to fall prey. The key to combating financial statement fraud is to prevent it from ever happening. 

Utilization of on-premises and cloud-based identity auditing programs help to reduce fraud by controlling the privileges of insiders (clients, staff and consultants) and keeping outsiders from accessing your systems by eliminating or managing all potential KEY Identity EXPLOITS. and controlling the privileges of insiders (clients, staff and consultants). 

Key External and Internal Exploits That Lead to Fraud:

First, an outline of internal and external exploits that enterprises are facing.    This doc will call out both identity and nonidentity exploits with an eye on how the exploit either utilizes or leads to an identity exploit. 

Insider Exploits:

Ghost Accounts:

• These are the accounts of users who are no longer with the enterprise but still have active accounts in the enterprise. Hackers, internal and external, love these accounts because they tend to avoid the reviewal process and can manipulate these ignored accounts at will. 

Privilege Creep:

• Privilege creep often occurs when an employee changes job responsibilities within an organization and is granted new privileges. While employees may need to retain their former privileges during a period of transition, those privileges are rarely revoked and result in an unnecessary accumulation of access privileges. 

Unauthorized Access:

• This is the concept of a user account or service having logical or physical access to resources that are inappropriate, violating the Principle of Least Privilege. The accounts must be identified and removed. The best practice to identify this unauthorized access is an access review of rights and a review of logs and other controls.

Privilege Escalation:

• This is the concept of a user being escalated from the rights that are correct to higher, inappropriate level of access – usually to admin privileges. Privilege escalation is both an internal and external threat – because external hackers will often create or commandeer an existing internal account and then escalate the privilege for nefarious purposes.

Lateral Movement:

• Lateral movement is a tactic used to move laterally within a network to gain access to additional resources and potentially sensitive data. This concept of a Lateral movement is a key part of the Cyber Kill Chain, and usually enacted after the attacker takes over an internal account and escalates the privilege of the account. This is why user access review of user accounts is so important – to stop the progress of the attack before the account can move around the network. 

External Exploits:

These are key aspects to how the attackers begin and complete their hacker (outsider) journey into the compromised enterprises. 

Recon:

• This is the first step of the external hacker to compromise a system. It is known as the reconnaissance step in the “Cyber Kill Chain”. The hacker is trying to identify system, web and application types and versions to then map known vulnerabilities (CVEs) to attack these systems and begin the exploitation process.    Systems are quantified to help identify weakness in all systems – including identity stores.

Exfiltration:

• This is the last step of the Cyber Kill Chain. An attacker compromises an internal account, escalates privileges, conducts lateral movement to find a target resource – and then exfiltrates the data to its C2 (command and control center).   Hacked identities with high dwell time (undiscovered orphaned and ghost accounts) are often used for exfiltratoin.

Denial of Service:

• This is an attack on a resource either through an internal or external mechanism. External attacks usually involve bots sent to consume network, web, and application resources to overwhelm the system. It is usually done through a coordinated effort of a massive number of bots pointed at the target at a coordinated time – called a DDOS (Distributed Denial of Service) attack.

Anti-Forensics:

• This is the concept of “covering your tracks”. Hackers will do all they can to remove from the logs evidence of their efforts. This is why logs can NOT be the only way of looking at status changes in the system. A regular “state-in-time” comparison between roles done on a regular basis will help alert a security team of privilege changes and privilege escalation. Hacked accounts with high dwell time are often used for the “cleaning of the tracks”. 

Current State of Financial Identity Governances Lead to Fraud

Financial software, like other software, are mostly functional and proficient.   That is enterprises are executing with the software and the functional aspects are  in place. Identity roles are set up and users are set up to get the basic functionality out of these tools.

But this is often where the implementation stops.

The system works – as far as users are set up to ensure that the information is inputted, and the minimal amount of reporting is created.

But what about the governance? 

Who is checking that the same people who have the roles for expenditures are also creating the reports on who is being paid? 

KEY: It is important to note – that governance, especially role-based governance, is NOT built into these tools. 

The best practices and procedures around these tools should be established by a professional who helps decision-makers understand the function of the tools and then map these to enforceable identity roles.

Improvements in financial identity governance:

As with many endeavors – it is best to look at outside practices and procedures to solve the problem of governance that plagues the financial application world. 

In the identity and access management world – there are tools specifically designed to what is called IGA (Identity Governance and Administration). These tools integrate, in various means, with the existing identity resources at the enterprise. (The identity tools are called IAM or Identity and Access Management). Historically, most of these IAM products stood alone and had little to no built-in governance. E.G., the IAM tools provided access but had little in way to attest the access. 

To this end – the cyber world created a whole suite of identity governance tools to address the governance on the identities and access granted by the IAM systems.

These IGA tools – and the practice and procedures around the IGA tools – should be deployed to protect the financial tools in place by so many firms. 

IGA, when used correctly, flushes out all the entitlement information on the users with access to these tools. That includes the users, roles, permissions, and attributes. This information needs to be reviewed NOT by the owner of the tool – though this can be part of the review – but by the business-line manager of the users in question. The managers MUST review the users to determine if each user should have access.

Recommendations:

As discussed, the first recommendation is that enterprises:

• Quantify the applications that have access to financial information.
• Quantify the data sources and which account(s) have access to these resources.
• Utilize modern IGA tools to:
  • Immediately review the access to these resources
  • Clear out ghost accounts.
  • Clear out unauthorized access
  • Rinse and repeat on a regular basis.

Important to note: Regulations like SOX mandate these resources are reviewed 1x a year. This is ludicrously out of date – and the roles should be reviewed at least on a quarterly, if not monthly, basis.

Given that the GRC (governance risk and compliance) is fraught with manual processes – this is the first and foremost recommendation. Enterprises must step up their game with either a direct usage of a user access review (UAR) tool – or demand that their managed services deploy a tool that makes these reviews simple and repeatable. 

YouAttest and Financial Resource Auditing:

YouAttest is designed to provide comprehensive auditing of user, entitlements and access rights to all identity-base systems.   Relevantly, YouAttest has recently augmented its direct coupled agents, that provide real-time views of roles and entitlements to include Salesforce – a key financial reporting system for enterprises.

YouAttest’s integration into Salesforce is immediate (set-up in minutes) and complete.  The YouAttest integration includes fine grained entitlement information that financial auditors require including:

• Salesforce Roles
• Salesforce Profiles and 
• Salesforce Permission Sets

These entitlements are imbibed into the secure, scalable YouAttest cloud-bases system which auto-delegates out to the proper manager(s). 

—

Authored by:

• Jeffrety M. Tilton,  CFE –  Chief Fraud Advisor to YouAttest
• Garret Grajek, CEH, CISSP –  CEO of YouAttest

Contact YouAttest to learn more about how YouAttest can help improve your identity audits, via automating user access reviews for compliance and better identity secure your enterprise.