Information Security

Defending the digital infrastructure


Ranum Q&A: The data behind cyberfraud with Anyck Turgeon

Do we really have a good idea of how big a problem insider attacks are? A global data scientist, who is focused on fraud and money laundering, ponders the numbers.

Organizations lose 5% of revenues each year to fraud, according to the Association of Certified Fraud Examiners' Report to the Nations. Most fraudsters work for their employers for years before they begin to steal.

While cyberfraud is only a portion of the insider threat, Anyck Turgeon, who is a member of the ACFE, thinks the problem is much deeper. "As long as security professionals speak about fraud without proper training, certifications and qualified experience, and finance professionals use a different lingo, insider threat is actually being enabled by pure incompetence," says Turgeon, the founding CEO of both M-CAT Enterprises and The Fraud Institute.

Turgeon describes herself as a cybersecurity data scientist who is focused on cyberfraud and money laundering. She has consulted for Fortune 500 companies, worked in prominent financial centers (New York, Toronto and Paris) as well as in Silicon Valley, and received numerous international recognitions for her accomplishments including the 2015 International Business Association's "Maverick of the Year" award. Prior to M-CAT, she served as the chief of information strategy and security for Crossroad Systems, an Austin company that provides data security and storage. She is also the founding principal of the Tech Innovation Network in Austin.

With extensive educational training from Harvard University, University of California at Berkeley and the University of Texas at Austin's McCombs School of Business, as well as other organizations including Oracle University and McAfee Institute, she holds 12 active certifications and six licenses.

Marcus Ranum caught up with Turgeon as she was preparing to release a cyber-FRAML (fraud and anti-money laundering) dictionary. The dictionary is the first of its kind, she says. The following is an edited transcript of their conversation.

Marcus Ranum: Thanks for taking the time out of your schedule to talk with me about the dirty elephant in the room of computer security: insider threats. We've all heard '80% of attacks come from the inside,' but I know for a fact that the statistic was pulled out of thin air by a certain person at a conference back in the early days of the industry. Do we really have a good idea of how big a problem insider attacks are?

Anyck Turgeon: In an era of nanosecond processing, non-existent contextual security, social class redistribution -- the middle class disappearing -- and the upcoming challenges of unsecured interconnected devices, it is easy to forecast that insider threats are not just today's challenges, but tomorrow's nightmare, too.


I am stunned by the omnipresent denial I witness -- especially from defrauded victims, who call my office after becoming literally jobless, bankrupt and homeless overnight. If current technologies are so bulletproof to cyberfraud, and if breaches do not matter, why is it that, according to the ACFE, one in three people are affected by fraud yearly?

It severely pains me to see tech companies selling cyberfraud and anti-money laundering solutions when nobody on-board is qualified -- as a Certified Fraud Examiner, Certified Anti-Money Laundering Specialist or Certified Financial Crimes Investigator -- or has hands-on experience in successfully resolving such crimes. (I know very well how large organizations and individuals publish marketing statistics that do not match reality.) To counter this trend, here are some shocking statistics from the latest ACFE's Report to the Nations:

  • Employees committed 42% of occupational frauds.
  • Middle managers committed 36% of frauds.
  • Only 5% of fraudsters have been convicted of a fraud-related offense previously.
  • 58% of the victim organizations had not recovered any of their losses due to fraud.
  • Only 14% of fraud victims made a full recovery.
  • Only 3% of frauds are detected through traditional external audits.

Interestingly, in most cases of occupational fraud, at least one C-level executive (typically the CFO and/or CEO) or board member is acting as a silent observer or as an enabling accomplice. For broader security breaches -- IP theft, cyber-ransom or deep Web resale of stolen identities -- I have noticed a range of internal threat agents.

Ranum: I feel that insider breaches or cyberfraud -- or whatever you want to call it -- is a huge issue that nobody in security really has a handle on, so it'd be awesome to get a few (no customer specifics, of course) stories. Can you offer some suggestions about what organizations can and should do in these situations?

Turgeon: First, I can appreciate as a technologist that peers of mine may feel that I am comparing oranges to apples, as cyberfraud is only a portion of insider threats. Yet, as long as security professionals speak about fraud (without proper training, certifications and qualified experience) and finance professionals use a different lingo (see list of money laundering abbreviations that all IT professionals should be familiar with), insider threat is actually being enabled by pure incompetence. As such, the experts on my team review corporate financials, and through fraud ratio analysis, forensic breach trails and compliance reporting metrics often demonstrate how different departments are like ships sailing on completely different seas, if not galaxies.

I see numerous challenges with the current way that we are developing cyber-risk metrics related to internal threats (insider threats and undetected active feeds).

Often, IT security staff members and related third parties, like auditors and fraud examiners, are performing tasks -- background investigations, hacking forensics, court expert testimony of IT security practices -- which they are not even licensed for. Although I do not agree with the current regulations -- as the exams have very little or nothing to do with IT security -- I find it interesting that most IT security CISSPs and risk management practitioners are required, as part of their curriculum, to complete a certain amount of ethics training yearly in order to renew their certifications. Yet they do not practice IT security compliance.

Remember that IT security professionals collaborated and were convicted in the Madoff scandal, so they can often be the enabling accomplices. ... It is important that regulatory bodies not only educate but also ensure alignment with laws by complying with higher standards, including those that require professionals to be licensed.

There are numerous other examples of the 'shoemaker's children going to school without shoes.' However, as long as most IT security practitioners are not complying on an individual basis, how can we expect them to provide reliable statistics about the true nature of corporate IT security postures?

Given our current porous security posture, I think that we need to shift the education responsibility to larger and more influential masses (like investors and consumers), so cybersecurity can eventually be handled as a comprehensive challenge, as opposed to the poorly patched environment of today.

Ranum: I think we're both aware that the costs of dealing with an insider gone rogue can be amazingly high. However, it seems that most organizations simply don't consider it as a realistic possibility.

Turgeon: Many organizations we consult with are shocked when we show them the [number] of valid user IDs, passwords, security questions and answers that we found on the deep Web about their customers, employees and investors. As long as companies focus on the 4% of the common Internet, reported risk statistics are unable to assess the real state of their enterprise cyberleakage or address the true long-term cost of the breaches.

I have caught employees pillaging the digital assets of their employers to silently resolve cyber-ransom on their own and protect their valuable assets. The rationalization used is that few corporations report financial valuation of their digital assets -- what is the value of your corporate data?

Since the discovery of misallocated funds often requires cyberfraud, money laundering and corporate finance expertise, I often receive calls from concerned CISOs who have identified cyberleaks or attacks but have questions about how to manage the following:

  • Identify the specific schemes encountered;
  • Resolve these challenges (civil, criminal, military, international, administrative courts or by using alternative methods) given that lawyers are often not qualified to handle more than one court and many challenges are best negotiated;
  • Ensure recovery of their assets;
  • Manage investigations with law enforcement agencies in different countries; and
  • Minimize corporate liabilities upon crisis communications.

Although law enforcement can play a critical role, rare are the circumstances when the defrauded victim gets restitution and compensation for all future damages. Consider the resale of your customer and employee PII over the deep Web by a disgruntled employee. … Your IT security team may be able to identify a server leak and stop it by changing the firewall configuration. Yet an investigation about the on-going trades being performed on the deep Web needs to be completed in parallel.

Given the high turnover of CISOs, I find it interesting that corporate decision makers still tend to kill the messenger. Given the ongoing focus on verification and prevention as opposed to collaborative resolution, we all need to educate the general public above their current primitive understanding of IT security. As long as the investment community keeps on favoring the 'zero-threat penetration' approach and decision makers opt for career-safe choices, the required innovation for true deterrence through contextual intelligence, swappable virtual partitions and liquid computing will stagnate.

Ranum: You've done cyberfraud investigations before. Do you consider cyberfraud and insider attacks to be the same thing or different facets of a common problem? For me, the distinction always seemed to be 'authorized people doing unauthorized things' versus 'unauthorized people from the outside stealing an authorized user's credentials.'

Turgeon: As a Certified Fraud Examiner, Certified Board Advisor and Certified CISO, fraud is defined as 'wrongful or criminal deception intended to result in financial or personal gain.' As the ACFE statistics show, fraud can be conducted by insiders as well as outsiders -- like terrorist groups 'muling' teenagers under your stolen physical and digital identities. They are authorized and unauthorized people doing unauthorized things.

From a computer technology perspective, I define insider attacks as a malicious attack perpetrated on a network or computer system by a person with authorized system access. In this case, authorized as well as unauthorized people (like outsiders utilizing authorized users' credentials) are gaining access to valuable private and corporate assets. Furthermore, insider threat can also involve activities like physical kidnappings, corporate defacing and stock market halts. The main difference for me is intent and gain.

To resolve these crimes legally or alternatively, the burden of proof required is much more challenging for fraud than comparable charges upon insider threats. But given the acquired computer awareness of most judges and lawyers, it is easier to secure convictions in cases of fraud. Interestingly, my experience has been that fraud cases will result in out-of-court settlements and plea bargains whereas cybersecurity charges are often pushed to courts where more severe sentencing (like life in jail) will result.

Of course, given my training as a CISSP, CPP and CIPP, I can confirm that there seems to be lots of confusion in regards to how to define both terms. Often, professionals from different fields of security will use the same terms but with different meanings. It gets much worse when judges, lawyers, corporate executives, board members and investors get involved. This is why I have spent the last five years studying different disciplines and writing the upcoming cyber-FRAML dictionary that will address these substantial differences and provide terminology reconciliation. This will allow us all to communicate well from suspicion to investigation, detection, discovery, analysis, resolution, audits and destruction.

Ranum: What should we be focusing on to effectively communicate how big or bad a breach is? It seems to me that the security trade media's focus on 'number of credit cards breached' or 'record count of personal data leaked' misses the point. It doesn't really tell us anything about how bad the situation is, and that allows people to shrug and keep on using passwords and trusting services that probably aren't trustworthy. When you're talking about most organizations losing 5% of their income, that's serious money! I used to say that the press should talk about failure modes: Another breach at an organization that failed to employ privileged access management! But that's too big a sentence for the non-geek.

Turgeon: As much as I get mad watching TV at reporters discussing topics they obviously have zero expertise in, I almost feel that we need to start considering tech usage licensing. Just like one needs to demonstrate a certain understanding of laws and transportation standards to drive a car, shouldn't we make sure that all of the general public is being forced to educate itself about technology so, when security incidents take place, crisis is solved by resolution through contextualization? Although this may not become a reality during our lifespan, it is important to start architecting contextualization now, so the gigantic gap between prevention and resolution can eventually be minimized.

The problem of cyberethics upon cybercommunications also needs to be addressed. In upcoming Linkedin posts, I will further outline the importance of educated communications upon cyberattacks and will provide a summary of communications challenges encountered upon past acts of cyberwar.

Finally, just like weather and sports are part of most news programs, we need all media outlets to include educated coverage of technology. … With the advent of the unsecured Internet of Things, we more desperately need to put in place different levels of cybereducation pronto so we will eventually be able to address the error of our current ways.

About the author:
Marcus J. Ranum, the chief of security at Tenable Network Security Inc., is a world-renowned expert on security system design and implementation. He is the inventor of the first commercial bastion host firewall.

Article 5 of 6


This was last published in December 2015
