How are Your Organizations Deterring the Fraudulent Flow of Intellectual Property Out the Door?

LETTER FROM THE PRESIDENT

James D. Ratley, CFE

I bet your organization works extremely hard to find good employees. Weeks of intensive searching, vetting of qualifications and background checks hopefully yield hardworking, loyal colleagues. Of course, you know all that cultivation still can yield some rotten apples.

Ryan Duquette, CFE, CFCE, author of the latest Fraud Magazine cover article, "Insider threats! Using digital forensics to prevent intellectual property theft," quotes studies that show that half of all departing employees leave with confidential company information — either deliberately or unintentionally. That's sobering. How are your organizations deterring the fraudulent flow of intellectual property out the door?

Because most fraud examinations focus on establishing if, and how, someone did what they're suspected of doing, the author writes, they must learn fraudsters' common methods to remove sensitive information. These include the obvious means, such as personal webmail accounts, portable storage media and personal devices. But they also include accessing corporate systems via remote sessions and cloud storage.

Duquette emphasizes that fraud examiners should be part of the everyday work routines to examine new and leaving employees. "Your input and expertise is vital because you might see different patterns and suggest other methods, which could help examine broader fraud matters in your organization," he writes.

Fraud examiners can use their skills at observing behaviors to help their organizations, he explains, such as looking for those who take proprietary information home via thumb drives or email without authorization, and inappropriately seek or obtain proprietary or classified information on subjects not related to their work duties.

Duquette also says we can help by looking for those who disregard the organization's computer policies on installing personal software or hardware, access restricted websites, conduct unauthorized searches or download confidential information.

As always, we have to review local, regional and national privacy laws and regulations on examining employees, which seem to change daily around the world.

"If the employee’s role grants them privileged access to highly confidential data such as payment card numbers, personally identifiable information or financial information, there's a risk that your activities might result in compliance issues," Duquette writes. "For example, you might locate payment card and transactional data and duplicate it to present as evidence. That action, while well intended, might be in a contravention of a policy or control that you've agreed to adhere to because you're moving the data outside of a controlled environment."

As Duquette implores, don't let departing employees leave with valuable intellectual property. Use digital forensics in daily workflows before they resign and in exit interviews to prevent IP theft rather than potentially be involved in litigation after they're gone.

Read more about the cover article and more at Fraud-Magazine.com.

Investigator Dives Deep Into Digital Data & Information

MEMBER PROFILE

Tyson Johnson, CFE, CPP
VP, Business Development, BrightPlanet  
Oakville, Ontario, Canada

Before even graduating from college, Tyson Johnson, CFE, CPP, VP of Business Development at BrightPlanet in Ontario, had spent hundreds of hours conducting surveillance, performing interviews, writing reports, conducting undercover investigations, and even testifying in court. Johnson says that his passion for fighting fraud is something that has always been in him. “I spent my summers and free time between studies working as a private investigator, cutting my teeth on suspect personal injury claimants for insurance firms,” Johnson said. “It started early in my life and has simply become part of who I am.”

What steps led you to your current position?  

I have always been passionate about 'intelligence' and its ability to help nations, companies and individuals to make better decisions by identifying risks and opportunities. While in university, I knew I wanted to enter the Canadian Security Intelligence Service (CSIS). I was fortunate to be selected by CSIS, and I enjoyed my time with that organization. It was during my years as an Intelligence Officer that I obtained my CFE credential and also became aware of BrightPlanet. After departing CSIS I held progressively more senior risk management roles, starting with a global bank, and then two global manufacturing firms, before having the opportunity to join BrightPlanet.

Did you always plan to pursue the role you are currently in?  

Actually, yes. For the past decade I have used BrightPlanet's services. I began speaking with their leadership five years ago and stated that should they ever wish to move their business into the mainstream (diversify away from government contracts) I would be interested. The phone call happened about six months ago, and the rest is history. I am very excited to help my fellow CFEs with their online anti-fraud objectives.

How do you think online investigations have changed in the last five years?  

Online investigations have changed and will continue to change as fast as the technology changes. Years ago, I remember conducting an investigation and obtaining an Anton Piller (civil search order) to collect digital data devices for forensic review. That amounted to one desktop computer, one thumb drive and diskettes. Today, anyone looking to collect digital data will need to deal with laptops, smart phones, thumb drives, MP3 players, SD cards, Dropbox accounts, Gmail accounts and social media profiles, all while ensuring privacy laws, data ownership issues and other legal issues are properly dealt with. Not to mention the difficulties we face with Bring Your Own Device (BYOD) strategies at the workplace. This happens when personal devices are used to access the Internet within a secure environment and employees have access to confidential information.

What career advice do you have for those just starting out in the fraud-fighting field?  

Become rooted in the fundamentals of fraud investigation, but remain innovative and open to embracing changes in the legal and technological landscapes. Find a good mentor and listen to their counsel. Become a lifelong learner in fighting fraud, and take pride in your work.

Read Tyson's full profile in the Career Center on ACFE.com.

Online Battlefield: Cyber Attack Vectors

SPECIAL TO THE WEB

Robert Tie
Contributing Writer, Fraud Magazine

"Israel, all your base are belong to us," tweeted hacker group Anonymous when, in support of Gaza militants, it launched millions of cyber attacks against Israeli government and corporate websites in November. According to media coverage, the hacktivist offensive brought down more than 600 Israeli websites, deleted the databases of the country's Ministry of Foreign Affairs and the Bank of Jerusalem, and exposed more than 2,000 email addresses and passwords.

"With cyber-attack losses on the front page yet again, CFEs should reiterate to clients that tomorrow's headlines might report the theft or disclosure of their most valuable and confidential information," said Jim Butterworth, CFE, an ACFE faculty member and chief security officer at HBGary, a cyber security firm in Sacramento, Calif.

"Such losses often have reputational, political or strategic consequences," he said. "But if management isn't equally mindful of a successful cyber attack's negative financial impact, information security will seem like a cost. In fact, it's an essential investment in organizational survival. Treating it as anything else is negligent."

An introduction to Butterworth's proactive recommendations on this subject appeared in Fraud-Magazine.com's November 2012 Special to the Web article, "Cyber-Attack Vector? Who, Me?" This article continues that discussion.

FAMOUS LAST WORDS

"It's just WordPress," a company's overconfident system administrator recently told Butterworth after bringing him in to perform a routine security audit of the HBGary client's corporate system. (WordPress is a free and open-source blogging tool and content management system.) Butterworth had drawn the admin's attention to PHP blogging software files on the company's Web-connected server — an apparently harmless presence that in fact was cleverly concealing the means through which hackers were surreptitiously accessing proprietary corporate information. Unfortunately, by the time the client engaged Butterworth, its server had already been infected and its data stolen.

Coined in the 1990s, the acronym PHP is short for Personal Home Page — the versatile open-source scripting language whose English-like syntax non-programmers use to automate commands in their WordPress blogs and other web applications. Savvy hackers now hide powerful malware in WordPress PHP files — where only trend-aware security professionals would think to look for it.

"Blog-embedded malware is a new weapon in the hacker arsenal," Butterworth said. "But note that WordPress is not innately an attack vector. The vulnerability occurs when a company that has WordPress on its server doesn't properly configure it to resist hacker intrusions. Every organization should employ IT professionals who know how to detect and prevent such attacks. A company will get more than its money's worth; those staff members will be very busy."

Recent history bears this out. A media report quoted analysts from Kaspersky Lab, a global IT security consultancy headquartered in Moscow, as saying that as many as 100,000 WordPress installations were infected early in 2012 — 85 percent of them in the U.S.

Hackers reportedly loaded onto these blog sites programming code that silently redirected visitors to the hackers' servers, which detected the operating systems on victims' PCs and sent customized malware to do the hackers' bidding. Many of the infected computers were Macs. 

Read the full article at Fraud-Magazine.com.

Digital Artifacts the Keys to Making or Breaking a Fraud Case

GUEST BLOGGER

Phillip Rodokanakis, CFE, EnCE, ACE, DFCP

U.S. Data Forensics, LLC

Herndon, Va.

In my last two blog posts, Follow the Digital Tracks to Uncover Fraud and Unearthing Digital Artifacts to Uncover Fraud, I presented a couple of case studies and addressed how digital artifacts can assist anti-fraud professionals in an examination or white-collar crime investigation. Digital artifacts allow us to quickly build a profile of the user, including family details, financial details, personal habits and associations.

Digital artifacts can be used to track events such as the timing of when an external drive was connected to the computer. This may be no big deal under ordinary circumstances, but if a fraud examiner is investigating the theft of intellectual property stored in digital files, knowing who connected external storage devices to the computers in an organization, and when, can make or break the case.

A computer user may insist that he did not read or open a particular file, but the digital artifacts left behind can easily prove if he is wrong or intentionally lying. These sorts of digital artifacts are logged in various Windows system files and logs, as well as the Windows registry hives.
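One of the Windows system logs that records this is `setupapi.dev.log`, which notes the first time a device's driver was installed. The parser below is an added example, not part of the original post; the log excerpt is constructed and the function name is an assumption made for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the layout of setupapi.dev.log (not from a real system).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\200435136107A1B2&0]
>>>  Section start 2012/06/01 17:42:10.515
     dvi: Class GUID of device: {4d36e967-e325-11ce-bfc1-08002be10318}
<<<  Section end 2012/06/01 17:42:12.031
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C52B\5&2a1b3c4d&0&2]
>>>  Section start 2012/06/02 08:01:44.100
<<<  Section end 2012/06/02 08:01:45.002
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\001CC0EC34A1F0B1&0]
>>>  Section start 2012/06/14 23:05:37.820
<<<  Section end 2012/06/14 23:05:39.111
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \(.*?\) - (USBSTOR\\[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)")
FIELDS = re.compile(r"Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
                    r"&Rev_(?P<rev>[^\\]*)\\(?P<serial>[^&\\]+)")

def usb_storage_installs(log_text):
    """One record per USB mass-storage install section, oldest first."""
    records, pending = [], None
    for line in log_text.splitlines():
        if line.startswith(">>>") and "[" in line:
            # New section: remember its device ID only if it is USB storage.
            m = HEADER.match(line)
            pending = m.group(1) if m else None
            continue
        m = START.match(line)
        if m and pending:
            fields = FIELDS.search(pending)
            if fields:
                # The log writes local time with no zone; keep it naive.
                when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
                records.append({**fields.groupdict(), "first_install": when})
            pending = None
    return sorted(records, key=lambda r: r["first_install"])

if __name__ == "__main__":
    for rec in usb_storage_installs(SAMPLE_LOG):
        print(rec["first_install"], rec["vendor"], rec["product"], rec["serial"])
```

This log shows when a device was first installed on the machine, not every later connection, so examiners correlate it with registry and event-log timestamps before drawing conclusions.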

Rumor has it that the Windows registry files are referred to as hives because the original developers of Windows NT hated bees. So the developer who was responsible for the registry snuck in as many bee references as he could.  A registry file is called a "hive," and registry data are stored in "cells," which are what honeycombs are made of.

The registry hives are files loaded into the Windows environment every time the computer boots into the operating system. They contain all kinds of data, from tracking logins and installed software to personalized details, like what wallpaper image is displayed on the user's desktop, where on the screen a particular window opens, which files a user last worked with and the time and date different apps were run.

If you’re involved in a fraud examination, I am sure you see the value of knowing what files the user accessed, what programs he ran, what network share drives were accessed, what external storage devices were used, what files were deleted, what software was installed or whether an application was used to intentionally delete and wipe (e.g., overwrite) certain files. These sorts of details can easily be provided to the investigative team by a competent digital forensic examiner who has been engaged to examine the trove of digital information that exists in today’s computer networks.

You can find Phil at the 23rd Annual ACFE Fraud Conference & Exhibition next week when he presents on "Digital Forensics & eDiscovery for Fraud Examiners."

Unearthing Digital Artifacts to Uncover Fraud

GUEST BLOGGER

Phillip Rodokanakis, CFE, EnCE, ACE, DFCP
U.S. Data Forensics, LLC
Herndon, Va.

In my last blog post, “Follow the Digital Tracks to Uncover Fraud,” I discussed how following the digital tracks has replaced the old technique of “follow the money” in uncovering and solving fraud schemes. The post included case examples where digital data left behind on a computer was instrumental in solving complex fraud investigations.

The operating system (OS) keeps track of digital data in allocated clusters (i.e., the used space on the drive), which are occupied by active files (i.e., files that are actively tracked by the OS). Data no longer tracked by the OS resides in unallocated clusters (i.e., the free space on the drive).

The data in unallocated clusters can include complete files no longer tracked by the OS (e.g., deleted or temporary files) or file fragments (e.g., partial files or remnants from files that were previously stored on the drive). Digital forensic examiners usually refer to these remnants as file artifacts.
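Recovering such artifacts is commonly done by signature-based carving: scanning the raw bytes of unallocated space for known file headers and footers. The sketch below is an added example, not part of the original post; the byte blob is constructed, and the function names and the two-format signature table are assumptions made for illustration.

```python
import hashlib

# (header, footer) signatures for two formats; production carvers know many more.
SIGNATURES = {"pdf": (b"%PDF-", b"%%EOF"), "jpg": (b"\xff\xd8\xff", b"\xff\xd9")}

def build_sample():
    """Constructed stand-in for unallocated space (not real evidence)."""
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 32 + b"\xff\xd9"
    cut = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x22" * 16  # tail overwritten
    return b"\x00" * 512 + pdf + b"\x00" * 100 + jpg + b"\x00" * 300 + cut + b"\x00" * 64

def carve(blob, max_size=10 * 1024 * 1024):
    """Locate header/footer pairs in raw bytes and hash whatever is recovered."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = blob.find(header, pos)
            if start == -1:
                break
            end = blob.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header without footer: a fragment, report it but recover nothing.
                found.append({"type": kind, "offset": start, "data": None, "sha256": None})
                pos = start + len(header)
                continue
            data = blob[start:end + len(footer)]
            found.append({"type": kind, "offset": start, "data": data,
                          "sha256": hashlib.sha256(data).hexdigest()})
            pos = start + len(data)
    return sorted(found, key=lambda r: r["offset"])

if __name__ == "__main__":
    for r in carve(build_sample()):
        size = len(r["data"]) if r["data"] else "fragment"
        print(r["type"], r["offset"], size, r["sha256"])
```

Header/footer carving assumes the file's clusters were contiguous; a fragmented file, or a header followed by some other file's footer, yields a corrupt result, which is why the offset and hash of every carved item are recorded for later verification.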

In addition to file artifacts, operating systems generate many logs and system files that can contain artifacts of interest in a digital examination. For example, a user's Internet surfing history is usually captured in system databases that record a plethora of details about the user's surfing activity. Additionally, as different websites are visited, the pages are downloaded to the browser's cache, which consists of system-generated files and folders that temporarily store the information accessed online.

With today's gargantuan hard disk drives, temporary or deleted files, or their file fragments, can reside on a drive for a long, long time. For example, it's not unusual to be able to retrieve Internet browsing history going back a year or longer.

These sorts of digital artifacts may enable a fraud examiner to follow the money. For example, the browsing history may include visits to financial institutions that may disclose the existence of bank or investment accounts. Better yet, if the user accessed online items like cancelled checks or account statements, they may have been downloaded and left behind in the browser’s cache.
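As an added example (not part of the original post), the query below pulls visits to watched financial domains out of a browser history database. It assumes Firefox, which the post does not name: the two tables are a reduced subset of its `places.sqlite` schema, and the rows, domains and function names are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def build_sample_db():
    """Constructed history using a reduced subset of Firefox's places.sqlite tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER);
    """)
    db.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        (1, "https://www.example-bank.test/accounts/statement?id=7", "Statement"),
        (2, "https://news.example.test/sports", "Sports"),
        (3, "https://online.example-brokerage.test/login", "Sign in"),
    ])
    # visit_date is PRTime: microseconds since 1970-01-01 00:00 UTC.
    db.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)", [
        (1, 1, 1338543000000000), (2, 2, 1338543060000000), (3, 3, 1338732000000000),
    ])
    return db

def visits_to(db, watched_domains):
    """Return (UTC time, host, title) for each visit to a watched domain, oldest first."""
    rows = db.execute("""
        SELECT p.url, p.title, v.visit_date
        FROM moz_historyvisits AS v JOIN moz_places AS p ON p.id = v.place_id
        ORDER BY v.visit_date""")
    hits = []
    for url, title, prtime in rows:
        host = (urlsplit(url).hostname or "").lower()
        # Match the domain itself or any subdomain, not arbitrary substrings.
        if any(host == d or host.endswith("." + d) for d in watched_domains):
            when = EPOCH + timedelta(microseconds=prtime)
            hits.append((when.isoformat(), host, title))
    return hits

if __name__ == "__main__":
    watch = ["example-bank.test", "example-brokerage.test"]
    for hit in visits_to(build_sample_db(), watch):
        print(*hit)
```

In an examination the query runs against a copy of the database taken from a forensic image, never the live profile, so the evidence file is not modified.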

Another fruitful area in fraud examinations may be the type of file remnants left behind from webmail sessions. Webmail describes online email services like Gmail, Hotmail, Yahoo, etc. Usually these services are accessed through an Internet browser, meaning that file artifacts from online webmail sessions can be found and retrieved from hard disk drives. Computer users frequently use webmail for their private communications, particularly when using a computer at work. Such webmail artifacts can and often do contain information of great use to fraud examiners. 

My next post will examine other digital artifacts that can come in handy in fraud examinations and white-collar crime investigations.