G32 (San Francisco ISACA Fall Security Conference)
The Changing Influences of Social Media,
WikiLeaks and Whistleblowers
Future of IT Auditing: A Definitive Landscape
Agenda:

• Part One: Social Media
  – BART (The Metaphor), WikiLeaks, OpenLeaks,
    LulzSec, Anonymous, et al.
• Part Two: Whistleblowers - A Growth Industry
• Part Three: Auditors and Their Reputation
  When Dealing With Fraud
• Part Four: What’s Over The Horizon
• Part Five: Take Aways (aka: Tool Time)


BART: The Metaphor

• BART, the story
  – Who was impacted
     • Commuters, police, BART employees and protesters
        – and their friends and families

• Tools used
  – Social media: Facebook, Twitter, et al.
        – Side bar: Facebook handed $40,000 to hackers for finding
          flaws in its website as part of its bug bounty scheme.
          Facebook joins a growing list of companies, including Google,
          that pay independent hackers for this sort of information.




WikiLeaks, Its Influence. . .:

• Leaked Documents Suggest China Might Have
  The Upper Hand in Cyber War. . .
        – “According to US investigators, China has stolen terabytes of
          sensitive data, from user names and passwords from State
          Dept. computers to designs for multi-billion-dollar weapons
          systems,” wrote Brian Grow & Mark Hosenball in a report for
          Reuters.
        – They credit WikiLeaks for revealing previously secret details
          about China’s ongoing cyber assault, which the US
          government has code named Byzantine Hades. Specifically,
          they wrote, the State Dept. cables that WikiLeaks published
          show that the Chinese military was the source of those
          attacks, not some rogue hacker group. . .



WikiLeaks:

• A Tool For Whistleblowers
     • “A senior advisor to Gordon Brown put pressure on the
       commander of NATO forces in Afghanistan to play down
       the “bleak and deteriorating” situation to reduce
       criticism of his government, leaked documents disclose.
       Brown, the prime minister at the time, visited the
       country and met General Stanley McChrystal, the US
       military commander . . .”




OpenLeaks Joins The Crowd. . .:

• 26 January 2011: OpenLeaks goes public
     • OpenLeaks considers itself a non-profit community and
       service provider for whistleblowers and organizations,
       media, and individuals who engage in promoting
       transparency. It makes leaking at a local, grassroots level
       possible and allows for a certain scalability.
        – OpenLeaks will not accept or publish documents on its own
          platform, but rather create many "digital dropboxes" for its
          community members, each adapted to the specific needs of
          our members so that they can provide a safe and trusted
          leaking option for whistleblowers. . . .




OpenLeaks:
  – Besides developing and building the technical
    platform, we want to encourage leaking all over
    the world while minimizing risks for
    whistleblowers.
     • The split between submission and publication of leaked
       documents makes the whole process safer for all who
       participate in it, and at the same time makes scaling so
       much easier. Watch our video, which explains this
       concept visually.




LulzSec: Another Member of The Social Media
‘Hive’. . .
• LulzSec 'takes down' CIA website
     • The hacker group Lulz Security claimed it temporarily
       brought down the public-facing website of the US
       Central Intelligence Agency.
     • Lulz Security attacks (2011):
            »   May 10: Fox.com user passwords
            »   May 15: Database listing locations of UK cash machines
            »   May 23: Sony Music Japan website
            »   May 30: US broadcaster PBS; staff logon information
            »   June 2: Sonypictures.com user information
            »   June 3: InfraGard website (FBI-affiliated organization)
            »   June 3: Nintendo.com
            »   June 13: Senate.gov, website of the US Senate
            »   June 13: Bethesda Softworks website; user information




LulzSec:

LulzSec Opens A Hack Request Hot Line. . .
     • Callers are met with a recorded message, in a heavy
       French accent, from an individual named Pierre Dubois.
       The (614) area code appears to belong to Ohio. . .
           – LulzSec accessed 62,000 email addresses and passwords
             belonging to victims including IBM as well as state and federal
             governments. Affected agencies include, but are not limited to,
             the US Army, Navy and Air Force, the FCC, the US National Highway
             Traffic Safety Administration, the Veterans Administration and
             the US Coast Guard.




Anonymous: One Among Many. . .

• Sets An Example:
  – The HBGary hack
     • HBGary Federal positioned itself as an expert in
       computer security. . .
     • HBGary Federal CEO Aaron Barr thought he had
       unmasked the hacker hordes of Anonymous and was
       preparing to name and shame those responsible for
       coordinating the group's actions, including the denial-of-
       service attacks that hit MasterCard, Visa, and other
       perceived enemies of WikiLeaks in late 2010. . .



Anonymous. . . All Ages, All Walks of Life:

• Here’s What They Can Do
     • When Barr told one of those he believed to be an
       Anonymous ringleader about his forthcoming exposé,
       the Anonymous response was swift and humiliating.
        –   HBGary's servers were broken into,
        –   its e-mails pillaged and published to the world,
        –   its data destroyed,
        –   its website defaced.
     • As an added bonus, a second site owned and operated
       by Greg Hoglund, owner of HBGary, was taken offline
       and the user registration database published.


Anonymous. . . From Europa:

• Say Brie. . .




Part Two:
Whistleblowers A Growth Industry
• Enron Whistleblower. . . The Use of Dodd-
  Frank Whistleblower Provisions
  – Sherron Watkins, former Vice President at Enron discussing the Dodd-
    Frank Whistleblower Provisions at an event held by the New York State
    Society of Certified Public Accountants on January 28th, 2011.
      • Corporate Whistleblowers
          – May hand corporate fraud evidence to outlets such as
            WikiLeaks rather than to the SEC, thereby allowing them to
            continue working in the corporate world without the
            stigma of being a whistleblower.




Whistleblowers & The SEC, Too:

• EFFECTIVE DATE: August 12, 2011
     • SECURITIES AND EXCHANGE COMMISSION
        – Dodd-Frank requires the Commission to pay an award, subject
          to certain limitations, to eligible whistleblowers who
          voluntarily provide the Commission with original information
          about a violation of the federal securities laws that leads to
          the successful enforcement of a covered judicial or
          administrative action, or a related action. . .

        – Dodd-Frank also prohibits retaliation by employers against
          individuals who provide the Commission with information
          about possible securities violations. . .




Whistleblowers: Cut Across All Sectors
• HSBC (Swiss private banking) whistleblower. . .
        – Assets of about £13bn; could net millions of pounds in unpaid
          tax. . .
        – A disk leaked to the French authorities is said to contain the
          names of 79,000 HSBC clients in 180 countries.
        – An HSBC employee in Geneva leaked the data to French
          officials, who passed it on to the UK. A spokesperson for HSBC
          said: “HSBC in no way condones tax evasion and in no way
          do we assist it”. . .
     • SEC
             » A whistleblower at the SEC has accused the agency of
               destroying more than 9,000 files related to preliminary
               investigations into SAC Capital, Bernard Madoff, Goldman
               Sachs and other financial groups. . . (To Be Continued).



Part Three: Auditors, Their Reputation When
Dealing With Fraud. . .
“Because the determination of abuse is
  subjective, auditors are not required to detect
  abuse in financial audits. However. . .”
        A May 2010 COSO study of fraudulent financial reporting by US
          public companies from 1998 through 2007:
            » The most common fraud involved improper revenue
              recognition; next in line was the overstatement of existing
              assets or the capitalization of expenses
            » 89% of the cases involved executive management at the
              C-level (the CEO and/or CFO)
            » 347 alleged cases of fraudulent financial reporting
            » Cumulative dollar amount of the misstatements and/or
              misappropriations: nearly $120bn



Auditors & Their Reputation When Dealing
With The Global Fraud Economy. . .
Global Patterns of Fraud – 2011
     • Acts of fraud are rarely one-offs: 96% of fraudsters
       carried out fraud on a repeated basis, up from 91% in
       2007 (KPMG, Who is the typical fraudster?, 2011)
        – Fraud at board level rose to 18%, and fraud at C-level to 26%
        – 87% were male, aged 36 to 45, and committed
          fraud against their own employer
        – 32% worked in a finance function
        – 60% had worked for the company for more than 5 years, 33% for
          more than 10 years, and most colluded with others
     • So. . .where were the auditors?


Auditors & Their Reputation When Dealing
With Fraud
• Motivation for Fraud
  – Personal financial gain, followed by fraudulent
    financial reporting. . .
  – 43% of cases involved misappropriation of assets (mostly
    embezzlement and procurement fraud)
        – On average it took 3 years from fraud inception to detection
        – 50% were detected through tip-offs, formal or informal,
          or by accident. . .
        – 77% of investigations were not reported to the public
        – In 50% of the cases a red flag had existed but was
          not acted upon. . .



Part Four: What’s Over The Horizon?

• “Negligence” vs “Gross Negligence”. . .
     • And Negligence wins by a nose. . .
• Clawbacks. . .
     • At its last meeting under chairman Sheila Bair, the Federal
       Deposit Insurance Corp. (FDIC) voted five to one in
       favor of a “clawback” clause in new regulations, which
       will allow the government to reclaim compensation
       paid to executives whose banks have to be taken over
       and wound up by the state.




What’s Over The Horizon?

• Increasing Liability Financial and Otherwise:
  – A 2008 GAO report found that between 1998
    and 2008 “audit firms may have paid at least 10
    settlements or awards of $100 million or more
    from private litigation”. . .
     • In mid-2008, the six largest US auditing firms were
       defendants in 90 audit-related suits, each of which
       involved damage claims in excess of $100 million---
       ranging up to $10 billion. . .




What’s Over The Horizon?

• Changing Expectations of The Auditors
  – Internal Auditors: IIA Standard 1210.A2
     • Internal auditors must have sufficient knowledge to
       evaluate the risk of fraud and the manner in which it is
       managed by the organization, but are not expected to
       have the expertise of a person whose primary
       responsibility is detecting and investigating fraud. . .




What’s Over The Horizon: Changing
Expectations. . .
• External Auditors: ISA 240 (The Auditor’s Responsibilities Relating
  to Fraud in an Audit of Financial Statements)
     • The external auditor’s objectives: to identify and assess the
       risks of material misstatement of the financial statements due
       to fraud, and to obtain sufficient appropriate audit evidence
       about those risks by designing and implementing appropriate
       responses:
        – Obtain an understanding of the internal controls over the assertions
          most exposed to fraud (e.g., revenue) and confirm those controls are
          designed effectively. If not, report to the audit committee. . .
        – Responses should at a minimum include testing the appropriateness of
          journal entries, especially those made at the end of the reporting
          period, and making inquiries of individuals involved in the financial
          reporting process. . .
        – Communicate fraud or suspected fraud to those charged with governance



What’s Over The Horizon?

• Historically the auditor generally had no obligation
  to disclose possible or actual fraud to third parties
  unless the matter was already reflected in the audit
  report
• However. . .
  Not any more:
     • See the moving target referred to as Dodd-Frank. . .
        – US Regulatory Agencies Modify The Rules. . .
        – US Judiciary Modifies The Rules. . .
            » Lets all go to court. . .


What’s Over The Horizon?
  – The Securities Exchange Act of 1934 Should Be
    Extended to Cover Transnational Securities Fraud
    [SEC Release No. 34-63174; File No. 4-617]




Part Five:
Technical Take Aways---Benford’s Law
In many naturally occurring sets of numbers the leading digit is not uniformly
distributed: the probability that a value begins with digit d is log10(1 + 1/d),
so about 30.1% of values begin with 1 and only about 4.6% begin with 9.
   – Benford analysis is likely to be useful with sets of numbers that result from
     mathematical combinations of numbers, where each value is the product of
     draws from two distributions:
     » Accounts receivable (number sold x price)
     » Accounts payable (number bought x price)
     » Most sets of accounting numbers




Technical Take Aways: When Not to Apply
Benford’s Law
• When Benford analysis is not likely to be
  useful:
     • The data set consists of assigned numbers:
        – Check numbers, invoice numbers, ZIP codes
     • Numbers that are influenced by human thought:
        – Prices set at psychological thresholds ($1.99)
        – ATM withdrawals, e.g., $20, $40, $60, $80, $100
     • Accounts with a large number of firm-specific numbers:
        – Accounts specifically set up to record $100 refunds
     • Where no transaction is recorded at all:
        – Thefts, kickbacks, contract rigging, et cetera . . .
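The two Benford slides above (where the analysis does and does not apply) as a runnable first-digit test. This is an added example, not code from the deck or from any CAAT product. The sample data are constructed (payables as quantity x unit price, and round ATM withdrawals), and the mean-absolute-deviation conformity thresholds are taken from Nigrini's first-digit test rather than from the slides.

```python
"""Benford first-digit test over two constructed data sets.

Added example; it is not code from the slides or from any CAAT product.
Conformity is judged by the mean absolute deviation (MAD) between observed
and expected first-digit proportions, using the first-digit thresholds
Nigrini publishes for this test (assumed here from his work):
    MAD <= 0.006 close, <= 0.012 acceptable, <= 0.015 marginal, else nonconformity.
"""
import math
import random

# Expected proportion of each leading digit 1..9: log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(x):
    """Leading non-zero digit of |x|, or None for zero / non-finite input."""
    x = abs(x)
    if x == 0 or not math.isfinite(x):
        return None
    mantissa = x / 10 ** math.floor(math.log10(x))   # in [1, 10)
    return max(1, min(9, int(mantissa)))              # clamp float rounding


def first_digit_proportions(values):
    """Observed share of each leading digit; zeros are ignored."""
    counts = {d: 0 for d in range(1, 10)}
    n = 0
    for v in values:
        d = first_digit(v)
        if d is not None:
            counts[d] += 1
            n += 1
    if n == 0:
        raise ValueError("no usable values")
    return {d: counts[d] / n for d in counts}


def benford_mad(values):
    """Mean absolute deviation of observed from expected proportions."""
    obs = first_digit_proportions(values)
    return sum(abs(obs[d] - BENFORD[d]) for d in BENFORD) / 9


def conformity(mad):
    if mad <= 0.006:
        return "close"
    if mad <= 0.012:
        return "acceptable"
    if mad <= 0.015:
        return "marginal"
    return "nonconformity"


def benford_report(values):
    """Per-digit table: (digit, observed, expected, difference)."""
    obs = first_digit_proportions(values)
    return [(d, round(obs[d], 4), round(BENFORD[d], 4), round(obs[d] - BENFORD[d], 4))
            for d in BENFORD]


# ---- constructed sample data (not real accounting records) --------------
rng = random.Random(20110913)


def constructed_payables(n=20000):
    """Accounts-payable style amounts: quantity x unit price, each from its
    own distribution. The product of two independent, widely spread factors
    is the kind of data the slides say Benford analysis suits."""
    out = []
    for _ in range(n):
        qty = rng.randint(1, 500)
        price = 10 ** rng.uniform(-1, 3)   # 0.10 .. 1000.00, log-uniform
        out.append(round(qty * price, 2))
    return out


def constructed_atm(n=20000):
    """ATM withdrawals: human-chosen round amounts, the slides' example of
    data that should NOT be Benford-tested."""
    return [rng.choice([20, 40, 60, 80, 100]) for _ in range(n)]


if __name__ == "__main__":
    for name, data in (("payables", constructed_payables()), ("atm", constructed_atm())):
        mad = benford_mad(data)
        print(f"{name}: MAD={mad:.4f} -> {conformity(mad)}")
        for row in benford_report(data):
            print("  digit %d  obs %.4f  exp %.4f  diff %+.4f" % row)
```

The payables set lands in close conformity while the ATM set is reported as nonconformity. That is the point of the second slide: a nonconforming result on assigned or human-chosen numbers says nothing about fraud, so the test has to be restricted to data of the first kind, and a nonconforming account of the first kind is a lead to investigate, not a finding by itself.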


Technical Take Aways: Computer Aided Audit
Techniques (CAATs)
  – Benford’s Law in conjunction with the following
    tools:
     • SAP GRC and Oracle’s EGRCM (Enterprise Governance, Risk
       and Compliance Manager)
        – Asking questions such as:
        – Any changes in the top 10% of transactions by value (year to
          year) by quarter, by month?
        – Greatest number of changes made to a customer’s details file
          (year to year) by quarter, by month?
        – Any outliers/unusual data values?
        – Any unusual or suspicious patterns with data, dates, returns,
          end-of-month closeout transactions?
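The questions above, and the ISA 240 period-end journal-entry test from the earlier slide, expressed as tests over a small journal. This is an added example, not SAP or Oracle GRC code; the record layout, the three-day period-end window, the 1,000 round-amount unit, the modified z-score cutoff of 3.5 (Iglewicz and Hoaglin) and all of the journal, master-data and vendor-spend records are constructed for illustration.

```python
"""Journal-entry and master-data tests matching the CAAT questions above and
the ISA 240 requirement to test period-end journal entries.

Added example, not SAP or Oracle GRC code. The record layout, the three-day
period-end window, the 1,000 round-amount unit and the modified z-score
cutoff of 3.5 are illustrative assumptions; all records are constructed.
"""
from collections import Counter, namedtuple
from datetime import date, datetime, timedelta
from statistics import median

Entry = namedtuple("Entry", "doc posting_date entered_at user account amount")

# Constructed Q3 2011 journal (not real data); period end 2011-09-30.
PERIOD_END = date(2011, 9, 30)
JOURNAL = [
    Entry("1001", date(2011, 7, 5),  datetime(2011, 7, 5, 10, 12),  "jdoe",   "4000", 1250.40),
    Entry("1002", date(2011, 8, 16), datetime(2011, 8, 16, 14, 3),  "jdoe",   "4000", 980.15),
    Entry("1003", date(2011, 9, 2),  datetime(2011, 9, 2, 9, 41),   "asmith", "4000", 1410.00),
    Entry("1004", date(2011, 9, 29), datetime(2011, 9, 29, 18, 55), "cfo",    "4000", 50000.00),
    Entry("1005", date(2011, 9, 30), datetime(2011, 10, 4, 8, 20),  "cfo",    "4000", 25000.00),
    Entry("1006", date(2011, 9, 12), datetime(2011, 9, 12, 11, 2),  "asmith", "6100", 312.77),
    Entry("1007", date(2011, 9, 30), datetime(2011, 9, 30, 16, 45), "jdoe",   "6100", 298.10),
    Entry("1008", date(2011, 8, 3),  datetime(2011, 8, 3, 13, 30),  "jdoe",   "6100", 3000.00),
    Entry("1009", date(2011, 7, 21), datetime(2011, 7, 21, 10, 5),  "asmith", "6100", 305.60),
    Entry("1010", date(2011, 8, 28), datetime(2011, 8, 28, 15, 12), "asmith", "6100", 287.95),
]

# Constructed customer-master change log: (customer, field, user).
CHANGES = [
    ("C100", "address", "asmith"),
    ("C200", "bank_account", "jdoe"),
    ("C200", "bank_account", "jdoe"),
    ("C200", "bank_account", "jdoe"),
    ("C300", "phone", "asmith"),
]

# Constructed vendor spend totals for two consecutive periods.
SPEND_PRIOR = {"V100": 90000, "V101": 40000, "V102": 12000, "V103": 8000, "V104": 7500,
               "V105": 6000, "V106": 2500, "V107": 1200, "V108": 900, "V109": 500}
SPEND_CURRENT = dict(SPEND_PRIOR, V107=95000)


def period_end_postings(entries, period_end=PERIOD_END, window_days=3):
    """Entries posted in the last `window_days` days of the period, plus
    entries entered after period end but dated inside it (backdated)."""
    window_start = period_end - timedelta(days=window_days - 1)
    flagged = []
    for e in entries:
        late = window_start <= e.posting_date <= period_end
        backdated = e.entered_at.date() > period_end and e.posting_date <= period_end
        if late or backdated:
            flagged.append(e.doc)
    return flagged


def round_amounts(entries, unit=1000):
    """Non-zero amounts that are exact multiples of `unit`."""
    return [e.doc for e in entries if e.amount != 0 and e.amount % unit == 0]


def amount_outliers(entries, cutoff=3.5):
    """Per account, amounts whose modified z-score (median and median absolute
    deviation, so a few huge entries do not mask each other) exceeds `cutoff`."""
    by_account = {}
    for e in entries:
        by_account.setdefault(e.account, []).append(e)
    flagged = []
    for rows in by_account.values():
        amounts = [r.amount for r in rows]
        if len(amounts) < 3:
            continue
        med = median(amounts)
        mad = median(abs(a - med) for a in amounts)
        if mad == 0:
            continue
        flagged += [r.doc for r in rows if 0.6745 * abs(r.amount - med) / mad > cutoff]
    return flagged


def top_decile_newcomers(prior, current, share=0.10):
    """Keys in the top `share` by value this period that were not there last
    period (the year-on-year / quarter-on-quarter question above)."""
    def top(totals):
        ranked = sorted(totals, key=totals.get, reverse=True)
        return set(ranked[:max(1, round(len(ranked) * share))])
    return top(current) - top(prior)


def master_data_churn(changes, max_changes=2):
    """Records changed more than `max_changes` times, with users and fields."""
    per_record = {}
    for cust, field, user in changes:
        rec = per_record.setdefault(cust, {"changes": 0, "users": Counter(), "fields": Counter()})
        rec["changes"] += 1
        rec["users"][user] += 1
        rec["fields"][field] += 1
    return {c: r for c, r in per_record.items() if r["changes"] > max_changes}


if __name__ == "__main__":
    print("period-end / backdated:", period_end_postings(JOURNAL))
    print("round amounts:", round_amounts(JOURNAL))
    print("outliers:", amount_outliers(JOURNAL))
    print("new top-decile vendors:", top_decile_newcomers(SPEND_PRIOR, SPEND_CURRENT))
    print("master-data churn:", master_data_churn(CHANGES))
```

Each test returns document or record identifiers rather than a verdict: the CAAT narrows the population, and the auditor follows up with inquiry and supporting evidence. The median-based outlier score is deliberate; with a mean and standard deviation, the two large CFO postings in account 4000 inflate the spread enough to hide each other.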



Technical Take Aways: SAP




  SAP GRC Access Control components:
          »   Risk Analysis and Remediation (RAR)
          »   Superuser Privilege Management (SPM)
          »   Compliant User Provisioning (CUP)
          »   Enterprise Role Management (ERM)
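What the Risk Analysis and Remediation and Compliant User Provisioning components do, reduced to a runnable rule-set check: find users who hold both sides of a segregation-of-duties conflict, simulate a role request before it is approved, and list the single-role removals that would clear a finding. This is an added example, not SAP code. The roles, users and mitigating control are constructed; the transaction codes are real SAP codes, but pairing them into these three risks is an illustrative assumption, not SAP's delivered rule set.

```python
"""Segregation-of-duties (SoD) risk analysis of the kind GRC Access Control's
Risk Analysis and Remediation component performs, including the
"simulate before provisioning" check Compliant User Provisioning relies on.

Added example, not SAP code. The roles, users and mitigating controls are
constructed; the transaction codes are real SAP codes, but pairing them
into these three risks is an illustrative assumption, not SAP's rule set.
"""

# Risk id -> (description, transaction codes for function A, codes for function B).
# A user who can execute at least one code from each side carries the risk.
RULES = {
    "P001": ("Maintain vendor master and pay vendor", {"XK01", "FK01"}, {"F-53", "F110"}),
    "P002": ("Create purchase order and receive goods", {"ME21N"}, {"MIGO"}),
    "F001": ("Post journal entries and maintain G/L master", {"FB01", "FB50"}, {"FS00"}),
}

# Role -> transaction codes the role grants (constructed).
ROLES = {
    "Z_AP_CLERK": {"FK01", "XK01", "FB60"},
    "Z_AP_PAYMENTS": {"F-53", "F110"},
    "Z_PURCHASER": {"ME21N", "ME51N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_GL_ACCOUNTANT": {"FB01", "FB50"},
    "Z_GL_MASTER": {"FS00"},
    "Z_DISPLAY": {"FK03", "ME23N"},
}

# User -> assigned roles (constructed).
USERS = {
    "jdoe": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},
    "asmith": {"Z_PURCHASER", "Z_DISPLAY"},
    "bwong": {"Z_PURCHASER", "Z_WAREHOUSE"},
    "cfo": {"Z_GL_ACCOUNTANT", "Z_GL_MASTER", "Z_DISPLAY"},
    "ff_ap01": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},
}

# Accepted risks with a documented mitigating control, e.g. a firefighter ID
# whose sessions are logged and reviewed (what Superuser Privilege Management
# exists for). (user, risk) -> control reference. Constructed.
MITIGATIONS = {("ff_ap01", "P001"): "MC-07 weekly review of firefighter log"}


def effective_tcodes(roles):
    """Union of transaction codes granted by a set of roles."""
    return set().union(*(ROLES.get(r, set()) for r in roles))


def analyze_roles(roles):
    """Risks carried by this set of roles, with the roles supplying each side."""
    findings = {}
    for risk_id, (_, side_a, side_b) in RULES.items():
        a_roles = {r for r in roles if ROLES.get(r, set()) & side_a}
        b_roles = {r for r in roles if ROLES.get(r, set()) & side_b}
        if a_roles and b_roles:
            findings[risk_id] = (a_roles, b_roles)
    return findings


def analyze_user(user):
    return analyze_roles(USERS[user])


def simulate_assignment(user, new_role):
    """Risks the user would carry if `new_role` were added: what a
    provisioning workflow should check before approving the request."""
    return analyze_roles(USERS[user] | {new_role})


def unmitigated_risks():
    """(user, risk) pairs across the user base with no mitigating control."""
    return sorted((u, r) for u in USERS for r in analyze_user(u)
                  if (u, r) not in MITIGATIONS)


def remediation_options(user, risk_id):
    """Single roles whose removal clears `risk_id` for the user."""
    return {r for r in USERS[user] if risk_id not in analyze_roles(USERS[user] - {r})}


if __name__ == "__main__":
    for user, risk in unmitigated_risks():
        print(f"{user}: {risk} {RULES[risk][0]}; "
              f"remove one of {sorted(remediation_options(user, risk))}")
    print("asmith + Z_WAREHOUSE ->", sorted(simulate_assignment("asmith", "Z_WAREHOUSE")))
```

The analysis is role-based here; a production rule set works at the authorization-object level as well, because a role that contains a transaction code without the matching authorizations does not actually grant the function. The mitigation table is what turns a raw conflict list into an audit position: every remaining pair is either remediated or accepted with a named control.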


Technical Take Aways: SAP’s Backdoors

• Backdoors. . .
        – BACKDOORS come about in two ways. First, they can
          represent access into a system that was created during the
          application development process and never removed; or
        – secondly, after an application is put into production and sold
          to the customer in the field, they can represent an unauthorized
          and/or undetected compromise of the system for the sole
          purpose of securing future access to data/information for
          industrial or financial espionage. . .
     • At Black Hat Europe 2010, Onapsis (Mariano Nuñez Di Croce)
       demonstrated multiple ways of planting backdoors in SAP
       systems (see “SAP Backdoors: A ghost at the heart of your
       business” in the references)




Technical Take Aways: Oracle




       – Easily set the scope of a PCAOB AS5 (internal control over financial
         reporting) audit within Oracle Enterprise GRC Manager (EGRCM)
       – Pre-packaged reports showing Audit coverage, status and
         findings




Technical Take Aways: Oracle’s Backdoors

• Backdoors. . .
        – A number of modules remain unpatched and vulnerable, due
          in part to a difficult patch and upgrade process involving
          complex applications, in addition to an attitude of “if it’s
          working, don’t touch it”. . .
             » For example, from the National Vulnerability Database (NVD):
             » Description: Unspecified vulnerability in the Database
               Control component in EM (Enterprise Manager) Console
               in Oracle Database Server…Oracle Fusion Middleware…
               allows remote attackers to affect confidentiality, integrity
               and availability via unknown vectors……(under review)




Technical Take Aways: In Their Defense

• Backdoors---Created and used by the vendor
  and created and used by individuals with
  criminal intent. . .can and do threaten every
  information system CONNECTED TO THE
  INTERNET. This is NOT simply a problem
  unique to SAP or Oracle. . .
     • Going forward are two questions you may want to ask:
       are there any backdoors to your system and what are
       they used for?
        – View a list of your vendor’s backdoors. . .



Technical Take Aways: KDD, OLAP, Data Mining
and Heuristic Analysis
• KDD (Knowledge Discovery in Databases),
• OLAP (On-line Analytical Processing),
• Data Mining
     • Multiple vendors, all running up against clients’:
        – Lack of Confidence/Trust in the Numbers
        – Belief that data collection methodologies are flawed and that
          the use of the data will threaten their decision-making
          authority.
        – Defense against charges of negligence or gross negligence
        – Weakens the claims of plausible deniability.
        – Impacts independence and integrity of auditor’s claims of
          non-bias, impartiality.



Technical Take Aways: Heuristic Analysis
• Heuristic analysis: the act(s) and/or processes of
  discovering the unknown and thereby making it known…
• Such tools require TESTING. . .for example with EICAR:
     • The EICAR test file is a uniquely formatted, harmless file, not
       a virus, which most AV (anti-virus) programs recognise as a
       test file and report as if it were malware. See also:
        –   AV-Comparatives
        –   AV-Test
        –   ICSA Labs
        –   SC Magazine/West Coast Labs, Virus Bulletin
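The EICAR check as a practitioner would actually run it on a host whose on-access scanner is in question: write the test file, wait, and see whether the scanner blocked the write, removed the file or altered it. This is an added example, not from the deck. The 68-byte string and its SHA-256 are the public values from eicar.org (the hash guards against a mistyped string producing a false "clean"); the probe logic, settle time and interpretation of the outcomes are this example's own assumptions. The string is stored as two fragments so that the script itself does not carry the contiguous signature.

```python
"""Exercising an on-access scanner with the EICAR test file.

Added example, not from the slides. The 68-byte string and its SHA-256 are
the public values from eicar.org; the probe logic, settle time and the
interpretation of the outcomes are this example's own assumptions.
"""
import hashlib
import os
import tempfile
import time

# The EICAR test string, kept as two fragments so this source file does not
# itself contain the contiguous signature. It must start the file, and the
# file must be exactly these 68 bytes (trailing whitespace up to 128 bytes
# is tolerated by the specification).
_EICAR_PARTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$", "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
EICAR = "".join(_EICAR_PARTS)
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_is_intact(text=EICAR):
    """True if `text` is the canonical 68-byte test string. A scanner that
    stays silent on a mistyped string has not been tested at all."""
    data = text.encode("ascii")
    return len(data) == 68 and hashlib.sha256(data).hexdigest() == EICAR_SHA256


def probe_on_access_scanner(directory=None, settle_seconds=2.0):
    """Write the test file and report what the scanner did to it.

    Returns a dict with the path used and three booleans: blocked_on_write
    (the write itself failed), removed (the file could not be read back
    after `settle_seconds`) and tampered (it is there but its bytes changed).
    The file and, if this function created it, the directory are cleaned up.
    """
    if not eicar_is_intact():
        raise ValueError("EICAR constant is not intact; refusing to run")
    own_dir = directory is None
    if own_dir:
        directory = tempfile.mkdtemp(prefix="eicar-probe-")
    path = os.path.join(directory, "eicar.com")
    result = {"path": path, "blocked_on_write": False, "removed": False, "tampered": False}
    try:
        with open(path, "wb") as fh:
            fh.write(EICAR.encode("ascii"))
    except OSError:
        result["blocked_on_write"] = True
    else:
        time.sleep(settle_seconds)
        try:
            with open(path, "rb") as fh:
                result["tampered"] = fh.read() != EICAR.encode("ascii")
        except OSError:
            result["removed"] = True      # quarantined or deleted before read-back
    finally:
        try:
            os.remove(path)
        except OSError:
            pass
        if own_dir:
            try:
                os.rmdir(directory)
            except OSError:
                pass
    return result


def scanner_reacted(result):
    """True if any outcome indicates a scanner intervened."""
    return result["blocked_on_write"] or result["removed"] or result["tampered"]


if __name__ == "__main__":
    r = probe_on_access_scanner()
    print("scanner reacted" if scanner_reacted(r) else "no on-access reaction", r)
```

A "no on-access reaction" result is the finding worth writing up: either real-time scanning is off or misconfigured on that host, or the path is excluded from scanning. Run it in the directories that matter (user downloads, shared drives, temp), not only in the home directory.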



Non-Technical: Using Your Amygdala
  The Six Principles of An Auditor’s Achilles Heel
     • A lack of sufficient professional skepticism
     • Lack of support (real or imagined) at the C-level
     • Not controlling the confirmation process, especially at
       month end, quarter end and year end
     • Not ascertaining whether the financial statements
       agree with or reconcile to the accounting records
     • Over-relying on management (i.e., insufficient evidence
       to corroborate management’s representations)
     • Not testing the accuracy of computer-prepared data



Non-Technical: Using Your Amygdala & Have
We Got A Tool For You. . .
• The Vulnerability Assessment and
  Mitigation (VAM) Methodology. . .
     • RAND Corporation developed a methodology to help
       analysts in:
            » Understanding these relationships. . .
            » Facilitating the identification and/or discovery of system
              vulnerabilities. . .
            » Suggesting relevant mitigation techniques. . .
     • The VAM methodology takes a top-down approach
       uncovering vulnerabilities that are known, exploited or
       revealed today but also vulnerabilities that exist, yet
       have not been exploited or encountered to date. . .

Non-Technical: Using Your Amygdala

• Is there a major disconnect between the C-
  level folks and their employees. . .?
  – E.g., what motivates their employees…?
     • The two sides’ answers almost always point 180° in
       opposite directions. . .
     • See also the “Kiss Up, Kick Down” corporate culture.
        – “Social Intelligence”, “Emotional Intelligence”
        – “Blink”, “Brain Rules”, and “Outliers”. . .
        – The concept of synchronicity (aka: your gut. . .)




In Summary: What You Have Heard Today. . .

• What steps you must take. . .to:
• Ensure your independence, as an Auditor. . .?
• Ensure your findings are:
        – timely, concise, clear, convincing, complete, objective,
          accurate and correct, with emphasis on CORRECT.

• Analyze and re-visit your First Impressions
  (when necessary). . .First, Last and Always. . .




Questions?
  – Please Note: We’ll be happy to discuss any of the issues
    raised this morning & best wishes the rest of the way. . .
     • In closing, thank you for your time and attention…
     • Respectfully yours:

                 Pw Carey
                 Consultant CISA SAP GRC
                 Compliance Partners, LLC
                 Suite 200
                 Barrington, Illinois 60010
                 www.complysys.com
                 pwc.pwcarey@gmail.com or
                 pwcarey@complysys.com
                 1-650-267-3130 or 1-224-633-1378




Resources and References
•   “The whistleblower’s handbook: how to be an effective resister”, by Brian Martin. Published in 1999 by
    Jon Carpenter in Charlbury, UK and Envirobook in Sydney, Australia. The book went out of print in
    2008; the web edition is the original text with minor changes, a different format and page numbering
    (89 pages instead of 167), and omits the list of contacts (now on the web) and the index.
•   “Government Auditing Standards, August 2011, Internet Version” (aka: The Yellow Book), GAO, United
    States Government Accountability Office, by the Comptroller General of the United States.
•   Weekly Auditor Liability Bulletin, 02-11-2011:
    http://www.orrick.com/publications/item.asp?action=article&articleID=3653
•   Sherron Watkins at the New York State Society of Certified Public Accountants, January 28, 2011.
•   “A Short Course on Computer Viruses”, 2nd Edition, pp. 2, 49, Dr. Frederick B. Cohen, Wiley, 1994.
•   “KPMG Analysis of Global Patterns of Fraud: Who is the typical fraudster? Executive Summary”,
    2011. kpmg.com/cee
•   PwC (PricewaterhouseCoopers) presentation: “The EU Audit Directive: Auditor Liability and Auditor
    Independence”, 25th May 2011, by Gerhard Prachner, PwC.
•   PwC, UK: Audit Today and Tomorrow, ©2011 PwC. All rights reserved.
•   “SAP® Backdoors: A ghost at the heart of your business”, by Mariano Nuñez Di Croce, April 14th, 2010,
    Black Hat Europe 2010 Briefings. © Onapsis SRL 2010. All rights reserved.
•   http://www.onapsis.com/research/slides/ONAPSIS-Penetration_Testing_SAP.pdf
•   “Attacking Oracle® Web Applications with Metasploit”, by Chris Gates (carnal0wnage), Rapid7. Black
    Hat DC 2011. (http://www.owasp.org/index.php/Testing_for_Oracle)




Resources and References
•   “Blink: The Power of Thinking Without Thinking”, by Malcolm Gladwell, Little, Brown, 2005.
•   “Working with Emotional Intelligence”, by Daniel Goleman, © 1998. New York: Bantam Books.
•   “Social Intelligence: The New Science of Human Relationships”, by Daniel Goleman, © 2006, Bantam
    Books. ISBN 0553803522.
•   “Brain Rules: 12 Principles for Surviving and Thriving at Work, Home, and School”, by John Medina,
    Pear Press, release date March 10th, 2009. ISBN-13: 9780979777745.
•   “How Does the Brain Work?”, NOVA scienceNOW, PBS Video. video.pbs.org/video/1757221034
•   “The Criminal Mind: Psychopathy as a Clinical and Empirical Construct”, Robert D. Hare and Craig S.
    Neumann, University of British Columbia, Vancouver, BC V6T 1Z4; University of North
    Texas, Denton, Texas 76203-1280
•   RAND Corp., Finding and Fixing Vulnerabilities in Information Systems: The Vulnerability Assessment
    and Mitigation Methodology, by Philip S. Anton et al., ISBN 0-8330-3434-0
•   http://www.rand.org/content/da/rand/pubs/monograph_reports/2005/MR1601.pdf
•   Microsoft Excel 2000 spreadsheet: http://www.rand.org/publications/MR/MR1601/





San Francisco Isaca Fall Security Conference G32 A Modest Via Cobi T Proposal...Pw Carey
 
San Francisco Isaca Fall Security Conference G32 A Modest Via Cobi T Proposal...
San Francisco Isaca Fall Security Conference G32 A Modest Via Cobi T Proposal...San Francisco Isaca Fall Security Conference G32 A Modest Via Cobi T Proposal...
San Francisco Isaca Fall Security Conference G32 A Modest Via Cobi T Proposal...Pw Carey
 
C24 Fraud In The Workplace 3 Mock Trials)[1]
C24 Fraud In The Workplace 3 Mock Trials)[1]C24 Fraud In The Workplace 3 Mock Trials)[1]
C24 Fraud In The Workplace 3 Mock Trials)[1]Pw Carey
 
ISACA San Francisco 2011 Fall Security Conference G32 A Modest Proposal
ISACA San Francisco 2011 Fall Security Conference G32 A Modest ProposalISACA San Francisco 2011 Fall Security Conference G32 A Modest Proposal
ISACA San Francisco 2011 Fall Security Conference G32 A Modest ProposalPw Carey
 
Actions during amidah
Actions during  amidahActions during  amidah
Actions during amidahtorahteachers
 
Corporate Personnel Brochure 2010
Corporate Personnel Brochure 2010Corporate Personnel Brochure 2010
Corporate Personnel Brochure 2010barbfrazier
 
Gestione Fermata Straordinaria Bi
Gestione Fermata Straordinaria BiGestione Fermata Straordinaria Bi
Gestione Fermata Straordinaria Bimaxvannu
 
Metodo de-estudios-y-modelo-de-aprendizaje-expo
Metodo de-estudios-y-modelo-de-aprendizaje-expoMetodo de-estudios-y-modelo-de-aprendizaje-expo
Metodo de-estudios-y-modelo-de-aprendizaje-expoCarlos Marte
 
Chistiznanie v dejstvie_vakarel
Chistiznanie v dejstvie_vakarelChistiznanie v dejstvie_vakarel
Chistiznanie v dejstvie_vakarelElena Anastasova
 

Destacado (20)

San Francisco Isaca Fall Security Conference G32 Wiki Leaks Social Media &amp...
San Francisco Isaca Fall Security Conference G32 Wiki Leaks Social Media &amp...San Francisco Isaca Fall Security Conference G32 Wiki Leaks Social Media &amp...
San Francisco Isaca Fall Security Conference G32 Wiki Leaks Social Media &amp...
 
San Francisco Isaca 2010 Fall Security Conference C24 Fraud In The Workplac...
San Francisco Isaca 2010 Fall Security Conference C24   Fraud In The Workplac...San Francisco Isaca 2010 Fall Security Conference C24   Fraud In The Workplac...
San Francisco Isaca 2010 Fall Security Conference C24 Fraud In The Workplac...
 
San Francisco Isaca Fall Security Conference G32 A Modest Via Cobi T Proposal...
San Francisco Isaca Fall Security Conference G32 A Modest Via Cobi T Proposal...San Francisco Isaca Fall Security Conference G32 A Modest Via Cobi T Proposal...
San Francisco Isaca Fall Security Conference G32 A Modest Via Cobi T Proposal...
 
San Francisco Isaca Fall Security Conference G32 A Modest Via Cobi T Proposal...
San Francisco Isaca Fall Security Conference G32 A Modest Via Cobi T Proposal...San Francisco Isaca Fall Security Conference G32 A Modest Via Cobi T Proposal...
San Francisco Isaca Fall Security Conference G32 A Modest Via Cobi T Proposal...
 
C24 Fraud In The Workplace 3 Mock Trials)[1]
C24 Fraud In The Workplace 3 Mock Trials)[1]C24 Fraud In The Workplace 3 Mock Trials)[1]
C24 Fraud In The Workplace 3 Mock Trials)[1]
 
ISACA San Francisco 2011 Fall Security Conference G32 A Modest Proposal
ISACA San Francisco 2011 Fall Security Conference G32 A Modest ProposalISACA San Francisco 2011 Fall Security Conference G32 A Modest Proposal
ISACA San Francisco 2011 Fall Security Conference G32 A Modest Proposal
 
Trainingportal Competence Days 2013 - Trude Bergum Stanger - Mintra Trainingp...
Trainingportal Competence Days 2013 - Trude Bergum Stanger - Mintra Trainingp...Trainingportal Competence Days 2013 - Trude Bergum Stanger - Mintra Trainingp...
Trainingportal Competence Days 2013 - Trude Bergum Stanger - Mintra Trainingp...
 
2011 jaarvergadering or
2011 jaarvergadering or2011 jaarvergadering or
2011 jaarvergadering or
 
Actions during amidah
Actions during  amidahActions during  amidah
Actions during amidah
 
TCD2011 - Effektiv kompetansestyring på Trainingportal v/Marianne Nilsen, Mintra
TCD2011 - Effektiv kompetansestyring på Trainingportal v/Marianne Nilsen, MintraTCD2011 - Effektiv kompetansestyring på Trainingportal v/Marianne Nilsen, Mintra
TCD2011 - Effektiv kompetansestyring på Trainingportal v/Marianne Nilsen, Mintra
 
Corporate Personnel Brochure 2010
Corporate Personnel Brochure 2010Corporate Personnel Brochure 2010
Corporate Personnel Brochure 2010
 
Intel
IntelIntel
Intel
 
Gestione Fermata Straordinaria Bi
Gestione Fermata Straordinaria BiGestione Fermata Straordinaria Bi
Gestione Fermata Straordinaria Bi
 
Mitzvot
MitzvotMitzvot
Mitzvot
 
Metodo de-estudios-y-modelo-de-aprendizaje-expo
Metodo de-estudios-y-modelo-de-aprendizaje-expoMetodo de-estudios-y-modelo-de-aprendizaje-expo
Metodo de-estudios-y-modelo-de-aprendizaje-expo
 
Tcd2015 teekay bruk av trainingportal
Tcd2015 teekay bruk av trainingportalTcd2015 teekay bruk av trainingportal
Tcd2015 teekay bruk av trainingportal
 
Chistiznanie v dejstvie_vakarel
Chistiznanie v dejstvie_vakarelChistiznanie v dejstvie_vakarel
Chistiznanie v dejstvie_vakarel
 
TCD2011 - Grunnleggende innføring i forskjellen mellom anbefalinger, retnings...
TCD2011 - Grunnleggende innføring i forskjellen mellom anbefalinger, retnings...TCD2011 - Grunnleggende innføring i forskjellen mellom anbefalinger, retnings...
TCD2011 - Grunnleggende innføring i forskjellen mellom anbefalinger, retnings...
 
Tcd 2014 pecha_kucha 05 mintra tp_kambodjsa
Tcd 2014 pecha_kucha 05 mintra tp_kambodjsaTcd 2014 pecha_kucha 05 mintra tp_kambodjsa
Tcd 2014 pecha_kucha 05 mintra tp_kambodjsa
 
Trainingportal Competence Days 2013 - Ellen Karine Jensen - Statoil
Trainingportal Competence Days 2013 - Ellen Karine Jensen - StatoilTrainingportal Competence Days 2013 - Ellen Karine Jensen - Statoil
Trainingportal Competence Days 2013 - Ellen Karine Jensen - Statoil
 

Similar a San Francisco Isaca Fall Security Conference G32 Wiki Leaks Social Media & Whistleblowers The Future Of It Auditing

Whistle Blower - Another Reason why Open Government is Important
Whistle Blower - Another Reason why Open Government is ImportantWhistle Blower - Another Reason why Open Government is Important
Whistle Blower - Another Reason why Open Government is ImportantMujtaba Hussain
 
C|EH Introduction
C|EH IntroductionC|EH Introduction
C|EH Introductionsunnysmith
 
NSA Snooping Scandal
NSA Snooping ScandalNSA Snooping Scandal
NSA Snooping ScandalArun Prasaath
 
ChapterEthics and Privacy3c03EthicsandPrivacy.ind.docx
 ChapterEthics and Privacy3c03EthicsandPrivacy.ind.docx ChapterEthics and Privacy3c03EthicsandPrivacy.ind.docx
ChapterEthics and Privacy3c03EthicsandPrivacy.ind.docxarnit1
 
Justice For All Act Of 2004
Justice For All Act Of 2004Justice For All Act Of 2004
Justice For All Act Of 2004Tiffany Graham
 
Axxera End Point Security Protection
Axxera End Point Security ProtectionAxxera End Point Security Protection
Axxera End Point Security ProtectionShawn Crimson
 
Dark Side of Decentralization – What are the Hidden Risks in a Blockchain Rev...
Dark Side of Decentralization – What are the Hidden Risks in a Blockchain Rev...Dark Side of Decentralization – What are the Hidden Risks in a Blockchain Rev...
Dark Side of Decentralization – What are the Hidden Risks in a Blockchain Rev...Tommi /. Vuorenmaa
 
Cyber warfare Threat to Cyber Security by Prashant Mali
Cyber warfare Threat to Cyber Security by Prashant MaliCyber warfare Threat to Cyber Security by Prashant Mali
Cyber warfare Threat to Cyber Security by Prashant MaliAdv Prashant Mali
 
402 chapter 7 counterintelligence
402 chapter 7 counterintelligence402 chapter 7 counterintelligence
402 chapter 7 counterintelligenceDoing What I Do
 
9694 thinking skills wikileaks
9694 thinking skills wikileaks9694 thinking skills wikileaks
9694 thinking skills wikileaksmayorgam
 
Security and Crypto-currency: Forecasting the Future of Privacy for Private I...
Security and Crypto-currency: Forecasting the Future of Privacy for Private I...Security and Crypto-currency: Forecasting the Future of Privacy for Private I...
Security and Crypto-currency: Forecasting the Future of Privacy for Private I...Investments Network marcus evans
 
Social media, surveillance and censorship
Social media, surveillance  and censorshipSocial media, surveillance  and censorship
Social media, surveillance and censorshiplilianedwards
 
https://uii.io/Oneconflict
https://uii.io/Oneconflicthttps://uii.io/Oneconflict
https://uii.io/OneconflictLucas395677
 

Similar a San Francisco Isaca Fall Security Conference G32 Wiki Leaks Social Media & Whistleblowers The Future Of It Auditing (20)

Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
 
Cyber security lifting the veil of hacking webinar
Cyber security   lifting the veil of hacking webinarCyber security   lifting the veil of hacking webinar
Cyber security lifting the veil of hacking webinar
 
Whistle Blower - Another Reason why Open Government is Important
Whistle Blower - Another Reason why Open Government is ImportantWhistle Blower - Another Reason why Open Government is Important
Whistle Blower - Another Reason why Open Government is Important
 
C|EH Introduction
C|EH IntroductionC|EH Introduction
C|EH Introduction
 
NSA Snooping Scandal
NSA Snooping ScandalNSA Snooping Scandal
NSA Snooping Scandal
 
ChapterEthics and Privacy3c03EthicsandPrivacy.ind.docx
 ChapterEthics and Privacy3c03EthicsandPrivacy.ind.docx ChapterEthics and Privacy3c03EthicsandPrivacy.ind.docx
ChapterEthics and Privacy3c03EthicsandPrivacy.ind.docx
 
Justice For All Act Of 2004
Justice For All Act Of 2004Justice For All Act Of 2004
Justice For All Act Of 2004
 
Axxera End Point Security Protection
Axxera End Point Security ProtectionAxxera End Point Security Protection
Axxera End Point Security Protection
 
IT Risk Management In The Age of Wikileaks
IT Risk Management In The Age of WikileaksIT Risk Management In The Age of Wikileaks
IT Risk Management In The Age of Wikileaks
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
Drm and crypto
Drm and cryptoDrm and crypto
Drm and crypto
 
Dark Side of Decentralization – What are the Hidden Risks in a Blockchain Rev...
Dark Side of Decentralization – What are the Hidden Risks in a Blockchain Rev...Dark Side of Decentralization – What are the Hidden Risks in a Blockchain Rev...
Dark Side of Decentralization – What are the Hidden Risks in a Blockchain Rev...
 
Cyber warfare Threat to Cyber Security by Prashant Mali
Cyber warfare Threat to Cyber Security by Prashant MaliCyber warfare Threat to Cyber Security by Prashant Mali
Cyber warfare Threat to Cyber Security by Prashant Mali
 
Social Engineering 2.0
Social Engineering 2.0Social Engineering 2.0
Social Engineering 2.0
 
402 chapter 7 counterintelligence
402 chapter 7 counterintelligence402 chapter 7 counterintelligence
402 chapter 7 counterintelligence
 
9694 thinking skills wikileaks
9694 thinking skills wikileaks9694 thinking skills wikileaks
9694 thinking skills wikileaks
 
Security and Crypto-currency: Forecasting the Future of Privacy for Private I...
Security and Crypto-currency: Forecasting the Future of Privacy for Private I...Security and Crypto-currency: Forecasting the Future of Privacy for Private I...
Security and Crypto-currency: Forecasting the Future of Privacy for Private I...
 
nullcon 2010 - Underground Economy
nullcon 2010 - Underground Economynullcon 2010 - Underground Economy
nullcon 2010 - Underground Economy
 
Social media, surveillance and censorship
Social media, surveillance  and censorshipSocial media, surveillance  and censorship
Social media, surveillance and censorship
 
https://uii.io/Oneconflict
https://uii.io/Oneconflicthttps://uii.io/Oneconflict
https://uii.io/Oneconflict
 

San Francisco Isaca Fall Security Conference G32 Wiki Leaks Social Media & Whistleblowers The Future Of It Auditing

5. WikiLeaks: A Tool For Whistleblowers
• "A senior advisor to Gordon Brown put pressure on the commander of NATO forces in Afghanistan to play down the 'bleak and deteriorating' situation to reduce criticism of his government, leaked documents disclose. Brown, the prime minister at the time, visited the country and met General Stanley McChrystal, the US military commander . . ."
6. OpenLeaks Joins The Crowd. . .
• 26 January 2011: OpenLeaks goes public.
• OpenLeaks considers itself a non-profit community and service provider for whistleblowers and for the organizations, media and individuals who engage in promoting transparency. It makes leaking possible at a local, grassroots level and allows for a certain scalability.
  – OpenLeaks will not accept or publish documents on its own platform, but rather creates many "digital dropboxes" for its community members, each adapted to the specific needs of those members, so that they can offer whistleblowers a safe and trusted leaking option. . .
7. OpenLeaks (in its own words):
  – "Besides developing and building the technical platform, we want to encourage leaking all over the world while minimizing risks for whistleblowers."
  • "The split between submission and publication of leaked documents makes the whole process safer for all who participate in it, and at the same time makes scaling so much easier. Watch our video, which explains this concept visually."
8. LulzSec: Another Member of The Social Media 'Hive'. . .
• LulzSec 'takes down' CIA website
• The hacker group Lulz Security claims it temporarily brought down the public-facing website of the US Central Intelligence Agency.
• Lulz Security attacks:
  » May 10: Fox.com user passwords
  » May 15: Database listing locations of UK cash machines
  » May 23: Sony Music Japan website
  » May 30: US broadcaster PBS; staff logon information
  » June 2: Sonypictures.com user information
  » June 3: InfraGard website (FBI-affiliated organization)
  » June 3: Nintendo.com
  » June 13: Senate.gov, website of the US Senate
  » June 13: Bethesda Softworks website; user information
9. LulzSec Opens A Hack Request Hot Line. . .
• Callers are met with a recorded message, in a heavy French accent, from an individual named Pierre Dubois. The (614) area code appears to relate to the state of Ohio. . .
  – LulzSec accesses 62,000 email addresses and passwords belonging to victims such as IBM, as well as state and federal governments. Affected agencies include, but are not limited to: US Army, Navy and Air Force, FCC, US National Highway Traffic Safety Administration, Veterans Administration and the US Coast Guard.
10. Anonymous: One Among Many. . .
• Sets An Example: The HBGary hack
  • HBGary Federal positioned themselves as experts in computer security. . .
  • HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa and other perceived enemies of WikiLeaks late last year. . .
11. Anonymous. . . All Ages, All Walks of Life: Here's What They Can Do
• When Barr told one of those he believed to be an Anonymous ringleader about his forthcoming exposé, the Anonymous response was swift and humiliating.
  – HBGary's servers were broken into,
  – its e-mails pillaged and published to the world,
  – its data destroyed,
  – its website defaced.
• As an added bonus, a second site owned and operated by Greg Hoglund, owner of HBGary, was taken offline and its user registration database published.
12. Anonymous. . . From Europa: Say Brie. . .
13. Part Two: Whistleblowers, A Growth Industry
• Enron Whistleblower. . . The Use of Dodd-Frank Whistleblower Provisions
  – Sherron Watkins, former Vice President at Enron, discussing the Dodd-Frank whistleblower provisions at an event held by the New York State Society of Certified Public Accountants on January 28th, 2011.
• Corporate Whistleblowers
  – Will hand corporate fraud evidence to media such as WikiLeaks rather than to the SEC, thereby allowing them to continue employment in the corporate world without the stigma of being a whistleblower.
14. Whistleblowers & The SEC, Too:
• Securities and Exchange Commission whistleblower rules, effective date: August 12, 2011
  – Dodd-Frank requires the Commission to pay an award, subject to certain limitations, to eligible whistleblowers who voluntarily provide the Commission with original information about a violation of the federal securities laws that leads to the successful enforcement of a covered judicial or administrative action, or a related action. . .
  – Dodd-Frank also prohibits retaliation by employers against individuals who provide the Commission with information about possible securities violations. . .
15. Whistleblowers: Cut Across All Sectors
• Swiss Bank HSBC Whistleblower. . .
  – Assets of about £13bn; could net millions of pounds in unpaid tax revenues. . .
  – A disk leaked to the French authorities is said to contain the names of 79,000 HSBC clients in 180 countries.
  – An employee of HSBC in Geneva leaked the data to French officials, who passed it on to the UK. A spokesperson for HSBC said: "HSBC in no way condones tax evasion and in no way do we assist it". . .
• SEC
  » A whistleblower at the SEC has accused the agency of destroying more than 9,000 files related to preliminary investigations into SAC Capital, Bernard Madoff, Goldman Sachs and other financial groups. . . (To Be Continued).
16. Part Three: Auditors, Their Reputation When Dealing With Fraud. . .
"Because the determination of abuse is subjective, auditors are not required to detect abuse in financial audits. However. . ."
A May 2010 COSO study of fraud at US companies from 1998 through 2007:
  » The most common fraud involved improper revenue recognition; next in line was the overstatement of existing assets or the capitalization of expenses
  » 89% of these incidents of fraud involved executive management at the C-level (aka CEOs and/or CFOs)
  » 347 alleged cases dealt with financial reporting
  » Dollar amount of these misstatements and/or misappropriations: nearly $120bn USD
17. Auditors & Their Reputation When Dealing With The Global Fraud Economy. . .
Global Patterns of Fraud, 2011 (KPMG; see the references)
• Acts of fraud are rarely one-offs: 96% of fraudsters carried out fraud on a repeated basis, up from 91% in 2007
  – Fraud at the Board level increased to 18%, while fraudulent activity at the C-level increased to 26%
  – 87% were male, between the ages of 36 and 45, and committed fraud against their own employer
  – 32% work in a Finance function
  – 60% had worked for the company more than 5 years, 33% more than 10 years, and most colluded with others
• So. . . where were the auditors?
18. Auditors & Their Reputation When Dealing With Fraud
• Motivation for Fraud
  – Personal financial gain, followed by fraudulent financial reporting. . .
  – 43% misappropriation of assets (mostly embezzlement and procurement fraud)
  – On average it took 3 years from fraud inception to detection
  – 50% were detected through tip-offs, formal and informal, or by accident. . .
  – 77% of investigations were not reported to the public
  – 50% of the cases revealed that a red flag had existed but was not acted upon. . .
19. Part Four: What's Over The Horizon?
• "Negligence" vs "Gross Negligence". . . And Negligence wins by a nose. . .
• Clawbacks. . .
• In the last meeting under chief Sheila Bair, the Federal Deposit Insurance Corp. (FDIC) voted five to one in favor of a "clawback" clause in new regulations, which will allow the government to reclaim compensation paid to executives whose banks have to be taken over and wound up by the state.
20. What's Over The Horizon?
• Increasing Liability, Financial and Otherwise:
  – In a 2008 report issued by the GAO, between 1998 and 2008 "audit firms may have paid at least 10 settlements or awards of $100 million or more from private litigation". . .
  • In mid-2008, the six largest US auditing firms were defendants in 90 audit-related suits, each of which involved damage claims in excess of $100 million, ranging up to $10 billion. . .
21. What's Over The Horizon? Changing Expectations of The Auditors
• Internal Auditors: IIA Standard 1210.A2
  • Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. . .
22. What's Over The Horizon: Changing Expectations. . .
• External Auditors: ISA 240
• The objectives of the external auditor: to identify and assess the risks of material misstatement of the financial statements due to fraud:
  – Obtain an understanding of the internal controls over those assertions which are subject to fraud (e.g., revenue) and ensure those controls are designed effectively. If not. . . report to the audit committee. . .
  – Obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, by designing and implementing appropriate responses; such responses should at a minimum include the following:
  – Testing the appropriateness of journal entries, especially those posted at the end of the reporting period, and making inquiries of individuals involved in the financial reporting process. . .
  – Communicate fraud or suspected fraud to those charged with governance
23. What's Over The Horizon?
• In the past, generally, the auditor did not have an obligation to disclose possible or actual fraud to third parties unless the matter was already reflected in the audit report
• However. . . not any more:
• See the moving target referred to as Dodd-Frank. . .
  – US Regulatory Agencies Modify The Rules. . .
  – US Judiciary Modifies The Rules. . .
    » Let's all go to court. . .
24. What's Over The Horizon?
  – The Securities Exchange Act of 1934 Should Be Extended to Cover Transnational Securities Fraud [Release No. 34-631374; File No. 4-617]
25. Part Five: Technical Take Aways: Benford's Law
• In many naturally occurring sets of numbers, more values begin with the digit 1 (about 30%) than with any larger digit (2 through 9); the expected share of leading digit d is log10(1 + 1/d), falling to under 5% for 9.
  – Benford analysis is likely to be useful with sets of numbers that result from mathematical combinations of numbers, where the result comes from two distributions:
    » Accounts receivable (number sold × price)
    » Accounts payable (number bought × price)
    » Most sets of accounting numbers
26. Technical Take Aways: When Not to Apply Benford's Law
• When Benford analysis is not likely to be useful:
• Data set is comprised of assigned numbers:
  – Check numbers, invoice numbers, ZIP codes
• Numbers that are influenced by human thought:
  – Prices set at psychological thresholds ($1.99)
  – ATM withdrawals, e.g. $20, $40, $60, $80, $100
• Accounts with a large number of firm-specific numbers:
  – Accounts specifically set up to record $100 refunds
• Where no transaction is recorded:
  – Thefts, kickbacks, contract rigging, et cetera. . .
• Two further caveats: the test needs at least a few hundred records spanning several orders of magnitude to mean anything, and a deviation from Benford is a lead to sample and investigate, not evidence of fraud on its own.
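As an added example, not code from the presentation, here is the first-digit test of slides 25 and 26 in Python. It scores a population against Benford's expected frequencies log10(1 + 1/d) with both the chi-square statistic and Nigrini's mean absolute deviation (MAD) cut-offs, and runs it over three constructed populations: receivables line amounts formed as quantity × unit price from two log-uniform grids (the case slide 25 says should conform), and sequential invoice numbers and round-figure ATM withdrawals (two of the cases slide 26 says should not). The populations, their sizes and the cut-off constants are assumptions for illustration; nothing here reads a live ledger.

```python
"""Benford first-digit analysis for audit populations.

Added example, not code from the presentation. The three populations are
constructed in-line (see the lead-in); nothing here reads live ledger data.
"""
import math
from collections import Counter

# Expected first-digit frequencies under Benford's Law: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value, 8 degrees of freedom, 5% significance.
CHI2_CRITICAL_8DF_05 = 15.507

# Nigrini's first-digit MAD cut-offs (mean absolute deviation of the nine
# observed proportions from Benford's expected proportions).
MAD_CUTOFFS = [(0.006, "close conformity"), (0.012, "acceptable conformity"),
               (0.015, "marginal conformity")]


def first_digit(value):
    """Leading non-zero digit of |value|, or None for zero / non-numeric."""
    text = repr(abs(value)).lstrip("0.")   # '0.0042' -> '42', '1e-05' -> '1e-05'
    return int(text[0]) if text and text[0].isdigit() else None


def benford_report(values, min_records=300):
    """Compare the first-digit distribution of `values` with Benford's Law."""
    digits = [d for d in map(first_digit, values) if d is not None]
    n = len(digits)
    if n < min_records:
        raise ValueError(f"only {n} usable records; Benford needs a few hundred")
    counts = Counter(digits)
    observed = {d: counts.get(d, 0) / n for d in range(1, 10)}
    chi2 = sum(n * (observed[d] - BENFORD[d]) ** 2 / BENFORD[d] for d in range(1, 10))
    mad = sum(abs(observed[d] - BENFORD[d]) for d in range(1, 10)) / 9
    verdict = next((label for cutoff, label in MAD_CUTOFFS if mad < cutoff),
                   "nonconformity")
    # The digit with the biggest excess over expectation is where to drill down.
    largest_excess = max(range(1, 10), key=lambda d: observed[d] - BENFORD[d])
    return {"n": n, "observed": observed, "chi2": chi2, "mad": mad,
            "verdict": verdict, "largest_excess": largest_excess}


def receivables_population():
    """Constructed A/R line amounts: quantity x unit price (slide 25).

    Quantities and prices each come from a log-uniform grid spanning one
    decade; the product of two such grids is log-uniform as well, so its
    leading digits follow Benford's Law up to the 1/100 grid resolution.
    The 0.25 offset keeps every product away from an exact power of ten.
    """
    quantities = [100 * 10 ** (i / 100) for i in range(100)]          # 100 .. 977 units
    prices = [10 * 10 ** ((j + 0.25) / 100) for j in range(100)]      # $10.06 .. $98.29
    return [q * p for q in quantities for p in prices]                # 10,000 amounts


def assigned_numbers_population():
    """Constructed sequential invoice numbers (slide 26: do not test these)."""
    return list(range(10000, 12000))


def atm_withdrawals_population():
    """Constructed ATM withdrawals at human-chosen round amounts (slide 26)."""
    return [20, 40, 60, 80, 100] * 200


def format_report(name, report):
    """Render a report as the digit-by-digit table an auditor would file."""
    lines = [f"{name}: n={report['n']}  chi2={report['chi2']:.1f}  "
             f"MAD={report['mad']:.4f}  -> {report['verdict']}"]
    for d in range(1, 10):
        lines.append(f"  {d}: observed {report['observed'][d]:.3f}"
                     f"  expected {BENFORD[d]:.3f}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, pop in [("A/R amounts", receivables_population()),
                      ("invoice numbers", assigned_numbers_population()),
                      ("ATM withdrawals", atm_withdrawals_population())]:
        print(format_report(name, benford_report(pop)))
```

The MAD verdict is the one to rely on: for a fixed pattern of deviation the chi-square statistic grows with the record count, so on a ledger of tens of thousands of lines it rejects even near-perfect conformity, which is why Nigrini recommends MAD for large populations. A nonconformity verdict is a lead, not a finding; drill into the digit with the largest excess (the 8 in the ATM set, the 1 in the invoice numbers) and sample the underlying transactions.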
27. Technical Take Aways: Computer Aided Audit Techniques (CAATs)
  – Benford's Law in conjunction with the following tools:
  • SAP GRC & Oracle's EGRCM (Enterprise Governance, Risk and Compliance Manager)
  – Asking questions such as:
    – Any changes in the top 10% of transactions by value (year to year), by quarter, by month?
    – Greatest number of changes made to a customer's details file (year to year), by quarter, by month?
    – Any outliers/unusual data values?
    – Any unusual or suspicious patterns in data, dates, returns, end-of-month closeout transactions?
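As an added example, not code from the presentation and not SAP GRC or Oracle EGRCM functionality, three of slide 27's questions and ISA 240's period-end journal-entry testing from slide 22, scripted in Python over a constructed ledger: a closeout-window filter for entries posted in the last days of a month, a robust outlier test using the modified z-score (median and median absolute deviation, threshold 3.5, after Iglewicz and Hoaglin), and a year-to-year comparison of the top 10% of transactions by value. The ledger, account code, user names, planted amounts and thresholds are assumptions for illustration; the customer master-data change question on slide 27 is not covered.

```python
"""Journal-entry tests of the kind slides 22 and 27 describe.

Added example, not code from the presentation or from SAP GRC / Oracle EGRCM.
The ledger is constructed in-line: routine postings every month of 2010 and
2011, plus four planted large manual entries on quarter-end days in 2011.
"""
import calendar
from datetime import date
from statistics import median


def constructed_ledger():
    """Build the sample ledger (constructed data, not a real ledger)."""
    entries, next_id = [], 1
    for year in (2010, 2011):
        for month in range(1, 13):
            for day in (3, 8, 14, 19, 25):               # routine, mid-month
                entries.append({"id": next_id, "date": date(year, month, day),
                                "account": "4000-REV", "amount": 1000 + 50 * day,
                                "user": "clerk1"})
                next_id += 1
    for month in (3, 6, 9, 12):                           # planted: quarter-end
        last = calendar.monthrange(2011, month)[1]
        entries.append({"id": next_id, "date": date(2011, month, last),
                        "account": "4000-REV", "amount": 48000, "user": "cfo"})
        next_id += 1
    return entries


def period_end_postings(entries, last_days=3):
    """Entries posted inside the closeout window: last `last_days` of a month."""
    flagged = []
    for e in entries:
        last = calendar.monthrange(e["date"].year, e["date"].month)[1]
        if e["date"].day > last - last_days:
            flagged.append(e)
    return flagged


def robust_outliers(entries, threshold=3.5):
    """Flag amounts whose modified z-score exceeds `threshold`.

    The modified z-score 0.6745 * |x - median| / MAD (median absolute
    deviation) is used instead of mean / standard deviation because a few
    huge entries would otherwise inflate the spread and hide themselves.
    """
    amounts = [e["amount"] for e in entries]
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts)
    if mad == 0:                      # every amount identical: nothing to rank
        return []
    return [e for e in entries if 0.6745 * abs(e["amount"] - med) / mad > threshold]


def top_slice(entries, percent=10):
    """The top `percent` of entries by value (integer maths: 60 * 0.1 != 6.0)."""
    k = max(1, (len(entries) * percent + 99) // 100)
    return sorted(entries, key=lambda e: e["amount"], reverse=True)[:k]


def top_slice_shift(entries, year_a, year_b, percent=10):
    """Year-to-year change in the top `percent` of transactions by value."""
    slice_a = top_slice([e for e in entries if e["date"].year == year_a], percent)
    slice_b = top_slice([e for e in entries if e["date"].year == year_b], percent)
    value_a = sum(e["amount"] for e in slice_a)
    value_b = sum(e["amount"] for e in slice_b)
    return {"value_a": value_a, "value_b": value_b,
            "ratio": value_b / value_a if value_a else None,
            "new_users": sorted({e["user"] for e in slice_b}
                                - {e["user"] for e in slice_a}),
            "new_accounts": sorted({e["account"] for e in slice_b}
                                   - {e["account"] for e in slice_a})}


def closeout_share(entries, year, last_days=3):
    """Share of the year's posted value that landed in month-end closeout windows."""
    in_year = [e for e in entries if e["date"].year == year]
    total = sum(e["amount"] for e in in_year)
    window = sum(e["amount"] for e in period_end_postings(in_year, last_days))
    return window / total if total else 0.0


if __name__ == "__main__":
    ledger = constructed_ledger()
    print("period-end postings:", [(e["id"], str(e["date"]), e["amount"], e["user"])
                                   for e in period_end_postings(ledger)])
    print("outliers:", [e["id"] for e in robust_outliers(ledger)])
    print("closeout share 2010 / 2011:", round(closeout_share(ledger, 2010), 3),
          round(closeout_share(ledger, 2011), 3))
    print("top-10% shift 2010 -> 2011:", top_slice_shift(ledger, 2010, 2011))
```

The four quarter-end entries of 48,000, posted by a user who never posts routine entries, are caught by all three tests at once, and that overlap is the pattern to look for: one flag on its own is noise, the same entry on several lists is a sample item. The same functions run unchanged over a real extract once each row carries a date, an amount and a poster.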
28. Technical Take Aways: SAP (GRC Access Control modules)
  » Risk Analysis and Remediation (RAR)
  » Superuser Privilege Management (SPM)
  » Compliant User Provisioning (CUP)
  » Enterprise Role Management (ERM)
29. Technical Take Aways: SAP's Backdoors
• Backdoors come about in two ways:
  – First, they can represent access into a system that is created during the application development process and is never removed, or
  – Secondly, after an application is put into production and sold to the customer in the field, a backdoor can represent an unauthorized and/or undetected compromise of the system for the sole purpose of securing future access to data/information for industrial or financial espionage. . .
• At Black Hat Europe 2010, multiple backdoors into SAP were demonstrated (see "SAP Backdoors: A Ghost at the Heart of Your Business" in the references)
30. Technical Take Aways: Oracle
  – Easily set the scope of the AS5 (PCAOB Auditing Standard No. 5) audit within Oracle Enterprise GRC Manager (EGRCM)
  – Pre-packaged reports showing audit coverage, status and findings
31. Technical Take Aways: Oracle's Backdoors
• Backdoors. . .
  – A number of modules remain unpatched and vulnerable, due in part to a difficult patch and upgrade process involving complex applications, in addition to an attitude of "if it's working, don't touch it". . .
    » For example, from the National Vulnerability Database (NVD):
    » Description: Unspecified vulnerability in the Database Control component in EM (Enterprise Manager) Console in Oracle Database Server… Oracle Fusion Middleware… allows remote attackers to affect confidentiality, integrity and availability via unknown vectors… (under review)
  – Strictly, an NVD entry like this describes an unpatched vulnerability rather than a deliberately planted backdoor; from the auditor's side the exposure is the same, since either one gives an outsider a way in that the control design never accounted for.
32. Technical Take Aways: In Their Defense
• Backdoors, whether created and used by the vendor or created and used by individuals with criminal intent, can and do threaten every information system CONNECTED TO THE INTERNET. This is NOT a problem unique to SAP or Oracle. . .
• Going forward, two questions you may want to ask: are there any backdoors into your system, and what are they used for?
  – View a list of your vendor's backdoors. . . and ask about vendor support accounts and default credentials as well, since they function as backdoors whether or not anyone calls them that.
33. Technical Take Aways: KDD, OLAP, Data Mining and Heuristic Analysis
• KDD (Knowledge Discovery in Databases)
• OLAP (On-line Analytical Processing)
• Data Mining
• Multiple vendors, bumping up against clients':
  – Lack of confidence/trust in the numbers
  – Belief that the data collection methodologies are flawed and that use of the data will threaten their decision-making authority
  – Defense against charges of negligence or gross negligence
  – Weakened claims of plausible deniability
  – Impact on the independence and integrity of the auditor's claims of non-bias and impartiality
34. Technical Take Aways: Heuristic Analysis
• Heuristic analysis is defined by the act(s) and/or processes associated with discovering the unknown, thereby making it known…
• Such tools require TESTING. . . for example with EICAR:
• The EICAR test file is a uniquely formatted program file; it is not a virus, but most AV (Anti-Virus) programs recognize it as a test file and flag it. Note that EICAR is matched by signature, so it only proves the scanner is installed and watching the path you dropped it on; it says nothing about how good the heuristic detection is. For that, see the independent test labs:
  – AV-Comparatives
  – AV-Test
  – ICSA Labs
  – SC Magazine / West Coast Labs
  – Virus Bulletin
35. Non-Technical: Using Your Amygdala: The Six Principles of An Auditor's Achilles Heel
• A lack of sufficient professional skepticism
• Lack of support (real or imagined) at the C-level
• Not controlling the confirmation process, especially at month end, quarter end and year end
• Not ascertaining whether the financial statements agree with or reconcile to the accounting records
• Over-relying on management (i.e., insufficient evidence to corroborate management's representations)
• Not testing the accuracy of computer-prepared data
36. Non-Technical: Using Your Amygdala & Have We Got A Tool For You. . .
• The Vulnerability Assessment and Mitigation (VAM) Methodology. . .
• RAND Corporation developed a methodology to help analysts in:
  » Understanding these relationships. . .
  » Facilitating the identification and/or discovery of system vulnerabilities. . .
  » Suggesting relevant mitigation techniques. . .
• The VAM methodology takes a top-down approach, uncovering not only vulnerabilities that are known, exploited or revealed today but also vulnerabilities that exist yet have not been exploited or encountered to date. . .
37. Non-Technical: Using Your Amygdala
• Is there a major disconnect between the C-level folks and their employees. . .?
  – E.g., what motivates their employees…?
• Their answers are almost always facing 180° in the opposite direction. . .
• See also the "Kiss Up, Kick Down" corporate culture.
  – "Social Intelligence", "Emotional Intelligence"
  – "Blink", "Mind Rules" and "Outliers". . .
  – The concept of synchronicity (aka your gut. . .)
38. In Summary: What You Have Heard Today. . .
• What steps you must take. . . to:
• Ensure your independence as an auditor. . .
• Ensure your findings are:
  – timely, concise, clear, convincing, complete, objective, accurate and correct, with emphasis on CORRECT.
• Analyze and re-visit your first impressions (when necessary). . . First, last and always. . .
  • 39. Questions?
    – Please Note: We’ll be happy to discuss any of the issues raised this morning & best wishes the rest of the way. . .
    • In closing, thank you for your time and attention…
    • Respectfully yours:
      Pw Carey, Consultant, CISA
      SAP GRC Compliance Partners, LLC
      Suite 200, Barrington, Illinois 60010
      www.complysys.com
      pwc.pwcarey@gmail.com or pwcarey@complysys.com
      1-650-267-3130 or 1-224-633-1378
  • 40. Resources and References
    • Brian Martin, “The Whistleblower’s Handbook: How to Be an Effective Resister”. Jon Carpenter (Charlbury, UK) and Envirobook (Sydney, Australia), 1999. The book went out of print in 2008; this is the original text, with minor changes, a different format and page numbering (89 pages instead of 167), and omission of the list of contacts (now on the web) and index.
    • “Government Auditing Standards, August 2011, Internet Version” (aka: The Yellow Book), GAO, United States Government Accountability Office, by the Comptroller General of the United States; Weekly Auditor Liability Bulletin, 02-11-2011.
    • http://www.orrick.com/publications/item.asp?action=article&articleID=3653
    • New York State Society of Certified Public Accountants, January 28, 2011.
    • Frederick B. Cohen, “A Short Course on Computer Viruses”, 2nd Edition, pp. 2, 49. Wiley, 1994.
    • “KPMG Analysis of Global Patterns of Fraud: Who is the typical fraudster? Executive Summary”, 2011. kpmg.com/cee
    • Gerhard Prachner, PwC, “The EU Audit Directive: Auditor Liability and Auditor Independence”, PricewaterhouseCoopers presentation, 25th May 2011.
    • PwC UK, “Audit Today and Tomorrow”, © 2011 PwC. All rights reserved.
    • Mariano Nuñez Di Croce, “SAP® Backdoors: A Ghost at the Heart of Your Business”, Black Hat Europe 2010 Briefings, April 14th, 2010. © Onapsis SRL 2010. All rights reserved.
    • http://www.onapsis.com/research/slides/ONAPSIS-Penetration_Testing_SAP.pdf
    • Chris Gates (carnal0wnage), Rapid7, “Attacking Oracle® Web Applications with Metasploit”, Black Hat Washington, DC Conference, 2011. (http://www.owasp.org/index.php/Testing_for_Oracle)
  • 41. Resources and References
    • Malcolm Gladwell, “Blink: The Power of Thinking Without Thinking”, © 1997 to 2011.
    • Daniel Goleman, “Working with Emotional Intelligence”, © 1998. New York: Bantam Books.
    • Daniel Goleman, “Social Intelligence: The New Science of Human Relationships”, © 2006, Bantam Books. ISBN 0553803522.
    • John Medina, “Brain Rules: 12 Principles for Surviving and Thriving at Work, Home, and School”, Pear Press, release date March 10th, 2009. ISBN-13: 9780979777745.
    • “How Does the Brain Work?”, NOVA scienceNOW, PBS Video. video.pbs.org/video/1757221034
    • Robert D. Hare (University of British Columbia, Vancouver, BC V6T 1Z4) and Craig S. Neumann (University of North Texas, Denton, Texas 76203-1280), “The Criminal Mind: Psychopathy as a Clinical and Empirical Construct”.
    • Philip S. Anton et al., RAND Corp., “Finding and Fixing Vulnerabilities in Information Systems: The Vulnerability Assessment and Mitigation Methodology”, ISBN 0-8330-3434-0.
    • http://www.rand.org/content/da/rand/pubs/monograph_reports/2005/MR1601.pdf
    • Microsoft Excel 2000 spreadsheet: http://www.rand.org/publications/MR/MR1601/

Editor’s notes

  1. Good morning and thank you all for coming… and now for a bit of logistics: © October 16th, 2011, under the Creative Commons Attribution-ShareAlike 3.0 Unported License. Please Note: The information contained within this presentation has been offered with the understanding that it is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we have endeavored to provide accurate and timely information, there can be no guarantee (real or imagined) that such information is accurate as of the date it is received or that it will remain accurate in the future. No one should act (in isolation) on such information, nor should they act without appropriate professional advice. In addition, as this presentation contains general information based on the experience and research of the presenter (aka: Pw Carey), it should be treated as such. Pw gives his permission to link, post, distribute, or reference this presentation for any lawful non-commercial purpose, provided attribution is made to the author. Also, Pw will be happy to discuss after the presentation any of the topics covered in today’s presentation. Lastly, he can be reached via email at either pwc.pwcarey@gmail.com or pwcarey@complysys.com.
  2. CITYAM, August 31st, 2011: Facebook has handed $40,000 to hackers for finding flaws in its website as part of its Bug Bounty scheme. Facebook joins a growing list of companies, including Google, that pay independent hackers for this sort of information.
  3. Lamp Trojan, maybe linked to China, and what it can do: The Lamp Trojan, which according to some researchers may have been developed in China, contains an MS Office Suite "Document Grabber", a specific command designed for the sole purpose of collecting Microsoft Office Suite documents. This is an unusual feature among private Trojans, which typically focus on collecting financial and banking information. It implies that the Lamp Trojan collects Word files, Excel spreadsheets, and PowerPoint presentations. Lamp may be one of the only examples of a Trojan that, in addition to collecting financial information from more than two dozen US financial institutions, may be specifically interested in industrial espionage (aka: DoD aerospace & defense airfoil diagrams/schematics et cetera stolen from defense contractor(s)).

  “Leaked documents suggest China might have the upper hand”, by Michael Hardy, Apr 21, 2011: The Cold War took its name from the relative lack of shooting that characterized it. The United States and Soviet Union fought one another politically, diplomatically and economically but rarely with guns or tanks. It was not a hot war. We have a couple of hot wars going on now, but there's another cold war under way, too, one being fought between the United States and China, primarily using IT. And it looks as though China has the upper hand at the moment. "According to U.S. investigators, China has stolen terabytes of sensitive data, from user names and passwords for State Department computers to designs for multibillion-dollar weapons systems," write Brian Grow and Mark Hosenball in a report for Reuters. "And Chinese hackers show no signs of letting up." Grow and Hosenball credit WikiLeaks for revealing many previously secret details about China's ongoing cyber assault, which the U.S. government has code named Byzantine Hades. Specifically, they write, the State Department cables that WikiLeaks published show that the Chinese military was the source of those attacks, not some rogue hacker group.
  4. Government Documents Leaked: CITYAM, Feb. 9th, 2011, as reported in The Daily Telegraph. “WikiLeaks: No. 10 Urged Commander to Play Down Afghanistan Failures”: A senior adviser to Gordon Brown (UK Prime Minister) put pressure on the commander of NATO forces in Afghanistan to play down the "bleak and deteriorating" situation to reduce criticism of his government, leaked documents disclose. Brown, the prime minister at the time, visited the country and met General Stanley McChrystal, the US military commander.
  5. BBC: “LulzSec 'takes down' CIA website”. The hacker group Lulz Security claims it temporarily brought down the public-facing website of the US Central Intelligence Agency. Related BBC stories, 06 June 2011: “Q&A: Lulz Security” (Technology) and “Nintendo server hit by hackers” (Business).
  6. BBC Technology, 15 June 2011: LulzSec opens hack request line. . . The group publicised the telephone hotline on its Twitter feed. It claims to have launched denial of service attacks on several websites as a result, although it did not detail which ones. The unspecified hacks formed part of a wave of security breaches that the group called Titanic Takeover Tuesday. LulzSec has risen to prominence in recent months by attacking Sony, Nintendo and several US broadcasters. Lulz Security's request line features the voice of Pierre Dubois, possibly the name of its comic icon. Lulz Security said it had used distributed denial of service (DDoS) attacks against eight sites suggested by callers.
  7. The Register (UK), Security section, 7th July 2011 10:00 GMT: “Anonymous: Behind the mask, inside the Hivemind. Where and who are the Anons? Everywhere and everyone”, by Trevor Pott. Original URL: http://www.theregister.co.uk/2011/07/07/anonymous_feature/
  8. Enron Whistleblower Discusses Use of Dodd-Frank Whistleblower Provisions: Sherron Watkins, former vice president at Enron, Marion Koenigs, deputy director in PCAOB's Division of Enforcement and Investigations, and Paul Atkins, former SEC commissioner, served as a panel of experts discussing the Dodd-Frank whistleblower provision at an event held by the New York State Society of Certified Public Accountants on January 28, 2011. During the discussion, Watkins, an accountant and Enron whistleblower, predicted that corporate whistleblowers will start to hand over evidence of corporate fraud to media such as WikiLeaks rather than use the SEC's whistleblower provisions. Watkins said that anonymously leaking documents to WikiLeaks will allow individuals to continue with employment in the corporate world without having the stigma of being a whistleblower.
  9. 17 CFR Parts 240 and 249 [Release No. 34-64545; File No. S7-33-10], RIN 3235-AK78: Implementation of the Whistleblower Provisions of Section 21F of the Securities Exchange Act of 1934. AGENCY: Securities and Exchange Commission (“Commission”). ACTION: Final rule. SUMMARY: The Commission is adopting rules and forms to implement Section 21F of the Securities Exchange Act of 1934 (“Exchange Act”), entitled “Securities Whistleblower Incentives and Protection.” The Dodd-Frank Wall Street Reform and Consumer Protection Act, enacted on July 21, 2010 (“Dodd-Frank”), established a whistleblower program that requires the Commission to pay an award, under regulations prescribed by the Commission and subject to certain limitations, to eligible whistleblowers who voluntarily provide the Commission with original information about a violation of the federal securities laws that leads to the successful enforcement of a covered judicial or administrative action, or a related action. Dodd-Frank also prohibits retaliation by employers against individuals who provide the Commission with information about possible securities violations.
  10. June 6th, 2011, Swiss bank HSBC: The accounts in question hold assets of about £13bn and could net millions of pounds in unpaid tax revenues. The British customers’ details were found on a disk leaked to the French authorities, which is said to contain the names of 79,000 HSBC clients in 180 countries. Mr. Hervé Falciani, an IT expert who worked for HSBC in Geneva, leaked the data to French officials, who passed it on to the UK. A spokesperson for HSBC said: “HSBC in no way condones tax evasion and in no way do we assist it”.

  August 18th, 2011, CITYAM, “Grassley quizzes SEC on file purging”: A whistleblower at the Securities and Exchange Commission has accused the agency of destroying more than 9,000 files related to preliminary investigations into SAC Capital, Bernard Madoff, Goldman Sachs and other financial groups, according to Charles Grassley, senior Republican on the Senate Judiciary Committee. Grassley wrote to Mary Schapiro, SEC chairman, yesterday.
  11. “Because the determination of abuse is subjective, auditors are not required to detect abuse in financial audits. However. . .” (GAO 2011 Government Auditing Standards, the Yellow Book). COSO study regarding fraud at (publicly traded) US companies from 1998 to 2007: The most common fraud technique involved improper revenue recognition, then overstatement of existing assets or capitalization of expenses. 89% of the fraud incidents involved the C-level (aka: CEO and/or CFO). 347 alleged cases of fraudulent financial reporting at publicly traded companies were recorded from 1998 to 2007, compared with 294 cases from 1987 to 1997. The total for these misstatements and/or misappropriations reached nearly $120bn USD.
  12. KPMG Analysis of Global Patterns of Fraud, 2011 Executive Whitepaper (“Who is the typical fraudster?”, 2011 Executive Summary, kpmg.com/cee). 2011 fraud demographics:
    • Acts of fraud are rarely one-offs: 96% of fraudsters in the 2011 survey carried out fraud on a repeated basis, up from 91% in 2007.
    • At the Board level, fraud increased from 11% in 2007 to 18% in 2011.
    • At the C level, CEO fraudulent activities increased from 11% in 2007 to 26% in 2011.
  The typical fraudster:
    • 87% were male, although females are demanding access to the club
    • Between the ages of 36 and 45
    • Commits fraud against his own employer
    • 32% work in the Finance function or in a finance-related role
    • 25% work in Operations & Sales, followed by Procurement, Back Office, Research & Development & Legal
    • Is a member of senior management
    • 60% worked for the company more than 5 years; 33% worked for the company for more than 10 years
    • Most often colludes with others; females prefer not to collude
  13. Motivation for fraud: personal financial gain, followed by fraudulent financial reporting. 43% misappropriation of assets (mostly due to embezzlement and procurement fraud). On average it took 3 years from fraud inception to fraud detection. Exploitation of internal controls by fraudsters increased significantly, from 49% in 2007 to 74% by 2011. Nearly 50% of frauds were detected through tip-offs (read: whistleblowers), both formal and informal, or by accident, suggesting that internal controls are either lacking or are not functioning appropriately. Most of the frauds investigated involved the exploitation of weak internal controls. 77% of the fraud investigations undertaken were not reported to the public. Internal communication of the matter dropped to 46%, compared to 50% polled in 2007. Internal announcements regarding fraud fell from 35% in 2007 to 13% in 2011. In 2011, 50% of the cases revealed that a red flag associated with a fraud existed but had not been acted upon, up from 21 percent in 2007. Employee awareness of other behaviors can help businesses identify frauds earlier. Be alert to the following employee behavioral red flags:
    • Refuses or does not seek promotion and gives no reasonable explanation.
    • Has opportunities to manipulate personal pay and reward.
    • Rarely takes holidays.
    • Is suspected to have over-extended personal finances.
    • Does not or will not produce records/information voluntarily or on request.
    • Persistent rumors/indications of personal bad habits/addictions/vices.
    • Unreliable and prone to mistakes and poor performance.
    • Cuts corners and/or bends rules.
    • Tends to shift blame and responsibility for errors.
    • Seems unhappy at work and is poorly motivated.
    • Surrounded by “favorites” or people who do not challenge them.
    • Accepts hospitality that is excessive or contrary to corporate rules.
    • Level of performance or skill demonstrated by new employees does not reflect past experience detailed on CVs.
    • Seems stressed and under pressure.
    • Bullies or intimidates colleagues. Volatile and melodramatic, arrogant, confrontational, threatening, or aggressive when challenged.
    • Vendors/suppliers will only deal with this individual.
    • Self-interested and concerned with own agenda.
    • Lifestyle seems excessive for income.
    • Micro-manages some employees; keeps others at arm’s length.
  14. In the last meeting under its current chief, Sheila Bair, the Federal Deposit Insurance Corp (FDIC) voted five to one in favor of a "clawback" clause in new regulations, which will allow the government to reclaim compensation paid to executives whose banks have to be taken over and wound up by the state. The rule puts flesh on the bones of a proposal included in the 2010 Dodd-Frank Act, which overhauls American financial regulation. It gives some clarity to a major question: the circumstances under which executives' pay should be confiscated, with the broader "negligence" standard favored over "gross negligence". The vote also established a debt hierarchy in winding up a firm, with the FDIC's costs incurred in resolving the company and debt to the government topping the list, along with any money owed to employees. Other creditors will be paid off afterwards. The status of clawback clauses in Europe is unclear at present, with EU authorities suggesting that firms write them into contracts. (Regulation, by Juliet Samuel, CITYAM UK)
  15. Audit firms’ litigation exposure in connection with securities class actions is, of course, a significant part of the broader litigation risk that accompanies audit work. In the 12 years after the enactment of the Private Securities Litigation Reform Act of 1995, the six largest U.S. auditing firms paid out $5.66 billion to resolve 362 securities class actions and other suits related to public company audits, private company audits, and all other non-audit services, with 65% of the total ($3.68 billion) related to public company audits. And in mid-2008, the six largest U.S. auditing firms were defendants in 90 audit-related suits, each of which involved damage claims in excess of $100 million, ranging up to $10 billion.
  16. International Standards for the Professional Practice of Internal Auditing, 1210.A2: Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

  ISA 240, Revised: The objectives of the external auditor:
    • To identify and assess the risks of material misstatement of the financial statements due to fraud: obtain an understanding of the internal controls in respect of those assertions which are subject to fraud (e.g., revenue) and ensure those controls are designed effectively. If not => report to the audit committee...
    • To obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses. Such responses should at a minimum include the following:
      – testing the appropriateness of journal entries, especially at the end of the reporting period, and making inquiries of individuals involved in the financial reporting process;
      – reviewing the accounting estimates for bias (e.g., provisions, valuation allowances, percentage of completion of sales transactions, results of impairment tests);
      – analyzing significant unusual transactions outside the normal course of business.
    • To respond appropriately to fraud or suspected fraud identified during the audit: communicate fraud or suspected fraud to those charged with governance.
  18. GAO High Risk Series February 2011: The Dodd-Frank Act includes many provisions that are intended to improve the U.S. financial regulatory system. However, many of the act's changes, including new regulatory structures, agencies, and requirements, are yet to be implemented, and many decisions by regulators as to how new regulations will address various problem areas are forthcoming. For example, the new oversight council has only recently begun meetings to fulfill its mission. Similarly, financial regulators have yet to develop and issue many of the rules necessary to fully implement various changes, including those related to proprietary trading, trading and clearing of over-the-counter derivatives, and others. Until these new structures, requirements, and entities are in place, fully staffed, and functioning effectively, the act's intent to reform the financial system will not be achieved.
  19. At the Building Public Trust Awards dinner in September 2010, Ian Powell outlined the following five-point plan:
    • raising the standard of all the work we do to the standard of the best;
    • improving transparency of the scope, processes and decision-making in an audit;
    • extending the scope of the auditor’s report without changing the corporate reporting model to provide further assurance over narrative reporting;
    • changing the reporting model and changing the scope of the auditor’s report as a consequence; and
    • working for longer-term reform.

  As Professor John C. Coffee, Jr. of Columbia Law School noted in 2004, “the most ominous fact [for the future] may be that accounting irregularities tend increasingly to be the primary focus of securities class actions.” Recent statistics show the continuation of this trend: according to Cornerstone, “[i]n 2009 allegations related to violations of Generally Accepted Accounting Principles (GAAP) were included in more than 65 percent of settled cases. These cases continued to be resolved with larger settlement amounts than cases not involving accounting allegations.” And audit firms were named in a number of recent high-profile securities class actions stemming from the financial crisis. For example, according to Audit Analytics, as of late 2009, eight accounting firms had been named as defendants in eleven securities class actions based on allegations relating to Bernard Madoff’s Ponzi scheme, and six firms had been named as defendants in nine securities class actions relating to the credit crisis generally.
  20. Benford Analysis is likely to be useful for sets of numbers that result from mathematical combinations of numbers, where the result comes from two distributions:
    • Accounts receivable (number sold x price)
    • Accounts payable (number bought x price)
  Transaction-level data, no need to sample:
    • Disbursements
    • Sales
    • Expenses
  Large data sets: the more observations, the better.
  21. Other types of fraud exist that cannot be detected by Benford analysis:
    • duplicate addresses
    • duplicate bank accounts
    • ghost employees
    • shell companies
    • duplicate purchase orders
    • duplicate invoice numbers
    • duplicate payments
    • contract rigging
    • defective deliveries
    • defective shipments
    • defective returns
  Use Benford's law to assist an audit in conjunction with other tools, both technical and non-technical, such as:
    • Experience-based intuition (aka: trust your gut & verify)
    • Social Intelligence & Emotional Intelligence
    • Surveys and interviews
    • Corporate Culture (Kiss Up/Kick Down)
    • Confirmation and Verification
    • Professional Skepticism
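An added worked example of the first-digit Benford screen that notes 20 and 21 describe (example code, not from the presentation): it scores two constructed data sets, one spread log-uniformly like genuine disbursements and one clustered just under an assumed $5,000 approval threshold, with a chi-square goodness-of-fit test and Nigrini's mean absolute deviation (MAD) bands. The threshold and both data sets are constructed for the illustration.

```python
"""Benford first-digit screen for a column of transaction amounts.

Added example, not from the presentation.  Transaction-level data such as
disbursements, sales and expenses (products of quantity and price) tend to
follow Benford's law; a set whose leading digits do not is worth a closer
look, though Benford cannot find duplicates, ghost employees or rigging.
"""
from collections import Counter
from math import log10

CHI2_CRIT_8DF_05 = 15.507          # chi-square critical value, 8 df, p = 0.05
MAD_FIRST_DIGIT_NONCONFORM = 0.015  # Nigrini's first-digit band: above = nonconformity


def benford_expected():
    """Expected share of each leading digit 1..9: log10(1 + 1/d)."""
    return {d: log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(amount):
    """Leading significant digit of an amount; None for zero."""
    sci = f"{abs(amount):.10e}"     # scientific notation: 'd.dddddddddde+XX'
    d = int(sci[0])
    return d if d != 0 else None


def first_digit_profile(amounts):
    """Observed first-digit proportions and the number of usable values."""
    counts = Counter(d for d in map(first_digit, amounts) if d is not None)
    n = sum(counts.values())
    observed = {d: counts.get(d, 0) / n for d in range(1, 10)} if n else {}
    return observed, n


def benford_test(amounts):
    """Chi-square and MAD against Benford, plus a conforms/does-not verdict."""
    observed, n = first_digit_profile(amounts)
    if n == 0:
        return {"n": 0, "chi2": float("nan"), "mad": float("nan"),
                "conforms": False, "observed": {}}
    expected = benford_expected()
    # Chi-square on counts: sum over digits of (O - E)^2 / E
    chi2 = sum((observed[d] * n - expected[d] * n) ** 2 / (expected[d] * n)
               for d in range(1, 10))
    # MAD on proportions: mean |observed - expected| over the nine digits
    mad = sum(abs(observed[d] - expected[d]) for d in range(1, 10)) / 9
    return {
        "n": n,
        "chi2": chi2,
        "mad": mad,
        "conforms": chi2 < CHI2_CRIT_8DF_05 and mad < MAD_FIRST_DIGIT_NONCONFORM,
        "observed": observed,
    }


# Constructed sample 1: 3000 amounts spaced evenly on a log scale from $10 to
# $1,000,000, a distribution that follows Benford almost exactly.
LEGIT_DISBURSEMENTS = [10 ** (1 + 5 * k / 3000) for k in range(3000)]

# Constructed sample 2: 300 fabricated invoices all kept just under an assumed
# $5,000 single-signature approval threshold (every amount starts with a 4).
SUSPECT_INVOICES = [4800 + (i * 37) % 200 for i in range(300)]

if __name__ == "__main__":
    for name, data in (("log-spread", LEGIT_DISBURSEMENTS),
                       ("threshold-hugging", SUSPECT_INVOICES)):
        r = benford_test(data)
        print(f"{name}: n={r['n']} chi2={r['chi2']:.2f} "
              f"mad={r['mad']:.4f} conforms={r['conforms']}")
```

A failing screen is a reason to pull the underlying transactions and confirm them, not a finding in itself.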
  22. WizRule, Numara Software, TopCAATs, IDEA, ACL, SAP, Oracle. . .
  23. SAP GRC Access Control comes with the following four main product capabilities:
    • Risk Analysis and Remediation (RAR): SAP GRC Access Control supports real-time compliance around the clock to detect, remove, and prevent access and authorization risk and stops security and controls violations before they occur. Using live data to assess risk, SAP GRC Access Control enables your organization to identify conflicts immediately, drill down into root causes, and achieve resolutions.
    • Superuser Access Management (SPM): The application enables users to perform emergency activities outside their roles under a “privileged user,” but in a controlled and auditable environment.
    • Compliant User Provisioning (CUP): As companies provision and de-provision access to enterprise systems, they often overlook how these changes can impact SoD requirements. SAP GRC Access Control can automate provisioning, test for SoD issues, streamline approvals, review and reaffirm access and reduce the workload for IT staff.
    • Enterprise Role Management (ERM): This functionality standardizes and centralizes role creation, eliminating manual errors and making it easier to enforce best practices. The application prevents SoD violations by performing a real-time simulation of the data in a production system and testing the entire SAP software landscape.
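An added example, not SAP code and not from the presentation, of the two checks note 23 attributes to RAR and CUP: analysing a user population against a segregation-of-duties ruleset, and simulating a role request before it is provisioned so the conflict is caught up front. The roles, business functions, rules and users are constructed for the illustration.

```python
"""Segregation-of-duties (SoD) analysis and provisioning simulation.

Added example; the role names, business functions and ruleset below are
constructed and do not come from SAP or from the presentation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    """Two business functions one person must never hold together."""
    rule_id: str
    function_a: str
    function_b: str
    risk: str


# Constructed ruleset in the spirit of a procure-to-pay / record-to-report SoD matrix.
RULES = (
    SodRule("P001", "CREATE_VENDOR", "POST_VENDOR_INVOICE", "fictitious vendor gets paid"),
    SodRule("P002", "POST_VENDOR_INVOICE", "RELEASE_PAYMENT", "self-approved payment"),
    SodRule("F001", "POST_JOURNAL_ENTRY", "CLOSE_PERIOD", "unreviewed period-end entries"),
)

# Constructed role -> business functions mapping (what each role lets a user do).
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"POST_VENDOR_INVOICE"},
    "Z_AP_MANAGER": {"RELEASE_PAYMENT"},
    "Z_VENDOR_MASTER": {"CREATE_VENDOR"},
    "Z_GL_ACCOUNTANT": {"POST_JOURNAL_ENTRY"},
    "Z_PERIOD_CLOSE": {"CLOSE_PERIOD"},
    "Z_DISPLAY_ONLY": set(),
}


def functions_for(roles):
    """Union of business functions granted by a set of roles."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def analyze(user_roles):
    """RAR-style analysis: each rule the user violates, with the roles causing it."""
    funcs = functions_for(user_roles)
    hits = []
    for rule in RULES:
        if rule.function_a in funcs and rule.function_b in funcs:
            causing = sorted(
                r for r in user_roles
                if ROLE_FUNCTIONS.get(r, set()) & {rule.function_a, rule.function_b}
            )
            hits.append((rule.rule_id, rule.risk, causing))
    return hits


def simulate_request(current_roles, requested_role):
    """CUP-style check: violations that granting requested_role would introduce."""
    before = {hit[0] for hit in analyze(current_roles)}
    after = analyze(set(current_roles) | {requested_role})
    return [hit for hit in after if hit[0] not in before]


# Constructed user population standing in for live production role assignments.
USERS = {
    "jdoe": {"Z_AP_CLERK", "Z_AP_MANAGER"},            # existing P002 violation
    "asmith": {"Z_VENDOR_MASTER", "Z_DISPLAY_ONLY"},   # clean today
    "rlee": {"Z_GL_ACCOUNTANT"},                        # clean today
}


def risk_report(users=USERS):
    """Map each user to the IDs of the SoD rules they currently violate."""
    return {user: [hit[0] for hit in analyze(roles)] for user, roles in users.items()}


if __name__ == "__main__":
    for user, rule_ids in risk_report().items():
        print(f"{user}: {rule_ids or 'no SoD conflicts'}")
    # A provisioning request: give the vendor-master clerk invoice posting.
    print("asmith + Z_AP_CLERK ->", simulate_request(USERS["asmith"], "Z_AP_CLERK"))
```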
  24. SAP Backdoors (Black Hat Conference Europe 2010); Oracle Backdoors (Black Hat Conference Washington, DC 2011). A backdoor can come about in two ways. First, it can represent access to a system created during the application development process and never removed after the application is put into production in the field; or second, it can represent an unauthorized and/or undetected compromise of the system for the sole purpose of securing future access to data/information for industrial and financial espionage.
  25. Integrated, Efficient, and Effective: The FAST Blueprint for Oracle GRC Applications integrates the Oracle Enterprise Governance, Risk, and Compliance Manager (EGRCM) with Hyperion Financial Management (HFM) to automate assessment scoping and preparation. The blueprint enables both a top-down, risk-based approach and a bottom-up, controls-coverage-based approach to audit scoping. Key features:
    • Easily set the scope of the AS 5 audit within Oracle Enterprise GRC Manager
    • One-way synch utility for Hyperion Financial Management accounts to Oracle Enterprise GRC Manager
    • Ability to specify and select controls to be included in audit scope
    • Pre-packaged reports showing audit coverage, status and findings
  26. Oracle Backdoors, Black Hat Conference, Washington DC 2011: A lot of Oracle is unpatched and vulnerable because support and patches cost money, and customers must pay for extended advisory information (aka: Metalink).... Example: CVE-2010-2390 (under review), National Vulnerability Database (NVD) description: Unspecified vulnerability in the Database Control component in EM (Enterprise Manager) Console in Oracle Database Server 10.1.0.5 and 10.2.0.3, Oracle Fusion Middleware 10.1.2.3 and 10.1.4.3, and Enterprise Manager Grid Control allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Difficult patch & upgrade process... Complex applications.... "if it works, don't touch it" mentality...
  27. Examples of backdoors potentially impacting the following areas: SAP Business Modules; Authentication Procedures. Please note: backdoors can threaten every information system, and are not simply a problem for Oracle and/or SAP. (Oracle Backdoors, Black Hat Conference, Washington DC 2011; the CVE-2010-2390 example and the patching issues are as given in note 26.)
  28. See Andersen Consulting’s desire to use an automated deterministic/predictive tool when auditing Enron, and Enron’s Legal Dept. refusing to allow it to be used, based upon plausible deniability. . .
  29. EICAR test file: a uniquely formatted program file which most AV programs recognize as a test program and respond to in a very similar way to that in which they respond to viruses. The EICAR file is not a virus and presents no malicious threat: if executed, it simply displays a screen identifying itself as a test file. Testing and certification bodies: AV Comparatives (http://www.av-comparatives.org/), AV-Test.org (http://www.av-test.org/), ICSA Labs (http://www.icsalabs.com/), SC Magazine/West Coast Labs (http://www.westcoastlabs.org/), Virus Bulletin (http://www.virusbtn.com/).

  Mail gateway filters use rules to specify what file types and file names are permitted as attachments. Such filters are very good at countering obvious threats such as files with extensions like .LNK or .JPG.EXE, but can be rather inflexible in their rejection of whole classes of executable files. Some filters use more advanced techniques, such as checking that the headers of the file scanned match the filename extension. This can significantly reduce the risk of false positives (and false negatives).

  Why are these obvious threats? In the first case, because the .LNK suffix denotes a program shortcut, which doesn’t usually make sense as an email attachment because there is no direct link between the shortcut and the program to which it should be linked: however, a shortcut file in an email attachment is often simply a Windows executable file, renamed to evade filters intended to block executable attachments. In the second case, the double extension suggests an attempt to pass off an executable file as a non-executable (graphics) file, a common virus writer’s trick.
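An added example (not code from the presentation) covering both the EICAR test file from slide 34 and the mail-gateway checks in this note: a recogniser for the EICAR file by its published format rules, and an attachment filter that flags .LNK shortcuts, double extensions such as .JPG.EXE and content whose header does not match the claimed extension. The magic-byte table and all sample attachments are constructed for the illustration.

```python
"""EICAR test-file recognition and a header-versus-extension attachment filter.

Added example, not from the presentation.  Part one applies the published
EICAR rules: the 68-byte string, optionally followed by whitespace, in a
file of at most 128 bytes.  Part two is the kind of mail-gateway check the
note describes; its magic-byte table and sample attachments are constructed.
"""

EICAR_SIGNATURE = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
assert len(EICAR_SIGNATURE) == 68          # the specification fixes the length
EICAR_TRAILING = b" \t\r\n\x1a"            # whitespace and CTRL-Z may follow it
EICAR_MAX_LEN = 128


def is_eicar_test_file(data: bytes) -> bool:
    """True only for content that matches the EICAR test-file specification."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR_SIGNATURE):
        return False
    return all(b in EICAR_TRAILING for b in data[len(EICAR_SIGNATURE):])


# Constructed magic-byte table for the few types this filter knows about.
MAGIC = {
    ".exe": (b"MZ",),
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
    ".zip": (b"PK\x03\x04",),
}
# Whole classes of executables a simple name-based filter rejects outright.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".lnk"}


def inspect_attachment(filename: str, data: bytes):
    """Return the list of reasons to reject the attachment (empty list = allow)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""

    if is_eicar_test_file(data):
        reasons.append("EICAR test file (harmless, but a scanner should catch it)")
    if ext == ".lnk":
        reasons.append(".LNK shortcut makes no sense as an attachment")
    elif ext in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment ({ext})")
    # Double extension: a benign-looking inner extension in front of an executable one.
    if len(parts) > 2 and ext in EXECUTABLE_EXTS and "." + parts[-2] in MAGIC:
        reasons.append(f"double extension .{parts[-2]}{ext}")
    # Header check: does the content actually look like what the name claims?
    if ext in MAGIC and not any(data.startswith(m) for m in MAGIC[ext]):
        kind = "executable (MZ header)" if data.startswith(b"MZ") else "unknown"
        reasons.append(f"header does not match {ext}: content is {kind}")
    return reasons


# Constructed attachments: name -> leading bytes of the content.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "invoice.pdf": b"%PDF-1.4\n%constructed",
    "holiday.jpg.exe": b"MZ\x90\x00" + b"\x00" * 16,
    "report.jpg": b"MZ\x90\x00" + b"\x00" * 16,      # executable renamed to .jpg
    "setup.lnk": b"L\x00\x00\x00\x01\x14\x02\x00",   # shell-link header bytes
    "eicar.com": EICAR_SIGNATURE + b"\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict = inspect_attachment(name, blob)
        print(f"{name:18} -> " + ("ALLOW" if not verdict else "REJECT: " + "; ".join(verdict)))
```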
  30. SIX Guiding Principles for Auditors:
    • A lack of sufficient professional skepticism
    • Intentional lack of support (real or imagined) @ the C-level
    • Not controlling the confirmation process, or not confirming the terms of large or unusual sales transactions, especially those that occurred at year end
    • Not ascertaining whether the financial statements agreed or reconciled with the accounting records
    • Over-relying on management's representations (i.e., not obtaining sufficient evidence to corroborate or refute management representations, such as management's explanations for unusual fluctuations noted when performing analytical procedures)
    • Not testing the accuracy of computer-prepared schedules
  31. The Vulnerability Assessment and Mitigation (VAM) Methodology: The RAND Corporation has developed and evolved a methodology to help analysts understand these relationships, facilitate the identification or discovery of system vulnerabilities, and suggest relevant mitigation techniques... The VAM methodology takes a top-down approach and seeks to uncover not only vulnerabilities that are known and exploited or revealed today but also the vulnerabilities that exist yet have not been exploited or encountered during operation. Sophisticated adversaries are always searching for new ways to attack unprotected resources ("the soft underbelly" of the information systems); thus, the methodology can be valuable as a way to hedge and balance current and future threats. This report should be of interest to individuals or teams conducting vulnerability assessments and planning mitigation responses. Because it facilitates the identification of new vulnerabilities, it should be of particular interest to designers building new systems, as well as to security specialists concerned about highly capable and well-resourced system attackers, such as nation-states or terrorists motivated to identify new security holes and exploit them in subtle and creative ways. http://www.rand.org/content/da/rand/pubs/monograph_reports/2005/MR1601.pdf
32. Career advice from PwC
• Develop and trust your intuition. This can be challenging for high-level financial services professionals, who naturally tend towards facts, figures and other hard factors, but soft factors are equally important. Start with your intuition and then make sure it is backed by a strong business case.
• Understand the power of "no". Many of us find this one of the most difficult things to say, but it is actually one of the most powerful words in business and often much more effective than "yes", particularly when backed by sound judgement.
• Understand and be true to yourself. At the risk of sounding like a personal development coach, far too few people in the financial services sector embrace self-awareness despite the benefits it brings. Everything you do must be congruent with who you are; incongruity increases stress, hampers performance and simply cannot last.
• Make time to stop and think. Evaluate where you are, what you like and what you do not. Ask yourself whether you are doing the right job in the right environment, whether that be country, company or culture. If you are not totally happy with the way things are, make changes.
• Do not let your job define you. Too many people allow themselves to become trapped in careers they no longer enjoy. If you do not like what you do, have the courage to be true to yourself and walk away; allowing a job to define your life risks years of compromise and missed opportunity. There are always other options.
  33. Trust me. . .PwC
34. References
• 1. "A Short Course on Computer Viruses, 2nd Edition", pp. 2, 49 (Dr Frederick B. Cohen): Wiley, 1994.
• See AICPA AU Section 240, Consideration of Fraud in a Financial Statement Audit (Redrafted).
• See AICPA AU Section 250, Consideration of Laws and Regulations in an Audit of Financial Statements.
35. © Creative Commons Attribution-ShareAlike 3.0 Unported License. For non-commercial purposes only, you are free to share, copy, distribute and transmit this work under the following conditions: you must attribute this work in the manner specified by the author (Pw Carey), and not in any way that suggests the author (Pw Carey) endorses either you or your use of this work. See the following for the full license description: http://creativecommons.org/licenses/by-sa/3.0/
