The enemy from within
How much do you trust those that are entrusted with the accountability of securing your system? This seems to be a huge problem with all walks of life and it is ‘The enemy from within’!
- Internal IT staff colluding with syndication to create remote access points into a bank to commit fraud
- Police services being found with hijacked (car-jacked) and stolen motor vehicles at his residence
- Anti-poaching spokesman to be charged with rhino poaching
Everyone of these examples has a commonality… and this is an external influence such as syndication organised crime. Three types of staff exist and they can be qualified as follows:
- The first type WILL look for a fraud opportunity and commit it.
- The second type WILL NOT look for the opportunity, however when it comes past his/her way and it seems that the probability of being caught is low, they will be tempted to commit fraud.
- The last type is a person that must put food on the table for his children.
I think we all can be type casted in any of those categories and many of us have never been in the last category and it is impossible to say you will NOT be tempted. So we need to have a process in place whereby we can ‘check-the-checkers’. This means that certain staff in trusted positions such as Information Security Analysts, IT Auditors and Application Developers needs to have additional controls and regular ‘litmus-tests’ done to ensure your risk is managed within the acceptable threat matrix. If I do any consulting engagement, I ensure that the Non Disclosures, Declaration of Secrecy and all related policies are handled. This protects both parties.
What can you do?
- Ensure that background checks have been done on the relevant staff.
- It is actually all staff but make sure your staff in control and accountable positions, all paperwork is in order
- Ensure you have an anniversary for all critical staff to ensure you do a few checks such as credit, police clearance, etc
- Ensure that all policies have been signed
- I have seen examples where staff were temporary, consultants or contractors where no policies were signed when the eventually became permanent staff
- From a technical point of view, do you have adequate (better than the general) controls in place?
- Example includes an administrator which two accounts, one for administrative purposes and one for general work
- Is the privileged user locked to a terminal?
- Do you have additional monitoring in place and do you have some intelligence in place to mine the logs?
- Are you forensically ready?
- You have to ensure that the evidence is logged at all relevant functions and that this evidence can be trusted
There are so many area to ‘lock’ down and have enough controls to deter any user to fall in the trap to commit fraud.