In Mission Impossible: Ghost Protocol, Ethan Hunt, disguised as a Russian general (an insider), crouches behind an ingenious screen that projects an image of a quiet Kremlin hallway. The screen creates the illusion that he is invisible to the unsuspecting guard on duty. He slides the screen down the hall, still unseen, and reaches the door of a highly secured vault without leaving a trace. Entering the vault and seizing the files, he can continue his mission to stop a nuclear-war zealot.

While Ethan Hunt posing as an insider is a fictional scenario, it raises the question of what level of planning, technology and intelligence is really required to pull off the insider criminal activity we see in financial services today.

Malicious Insiders: Important Questions to Ask

In the financial sector, where malicious insiders are among the most significant threats, what is the profile of the criminal fraudster, what is the motivation, and what tactics are used to complete the mission? More importantly, what should firms be doing to prevent it? These are serious and significant questions challenging our security leaders.

DHS sponsored and directed a study published by members of the CERT® Insider Threat Center at Carnegie Mellon. Its conclusions indicate that it does not take an Ethan Hunt, or his planning and intelligence. In fact, the most damaging acts of insider fraud are committed by those executing a "low and slow" plan: performing the common business transactions expected of their assigned responsibilities. These are stealthy criminal acts masquerading as business as usual. As it turns out, these trusted insiders are most often not in a technical role but in a business role with elevated privileges and an understanding of business operations. They have knowledge and authority that can be turned to their own personal gain.

Managers versus Non-Managers

It was also found that substantially more damage was done, and the fraud lasted longer, when carried out by managers rather than by non-managers. Additionally, most criminal acts do not require the Ethan Hunt power team; they are most often performed without assistance from outside or inside the organization. Moreover, most acts were discovered by audit, by observant co-workers or by irritated customers. And finally, the target was not always money: in many cases it was personally identifiable information (PII).

The Fraud Triangle

To put these findings and attributes of the study in context, it is also important to understand the principles that underpin these events. They were developed by the criminologist Donald Cressey in the mid-1950s and are commonly known as the Fraud Triangle.

The Fraud Triangle points to three elements: (1) Pressure felt by the person committing the act, often a financial stressor or problem. (2) Opportunity, the avenues open to execute the fraud; authority, access and business knowledge give rise to this capability, and organizations have more ability to contain this element than the other two. (3) Rationalization, which enables the person to reconcile the act with their own value system; this could include thinking that they are really just borrowing the money for a short time and will return it.

Actions to Take

So what can financial institutions do, in the mission they have chosen to accept, to prevent fraud? The study's recommendations point to best practices that many firms have in place today. These practices should be revisited in light of the study's findings and with evidence handling (audit trails and transaction records that will be needed to detect and investigate fraud) in mind. Policies and standards should be revised with guidance from legal counsel on compliance with applicable regulations.

Practical recommendations for review:

  1. Audits should consider fraud and include risk baselines; consider increasing their frequency for faster detection and resolution
  2. Consider employee assistance programs for staff facing personal challenges
  3. Review the approach to least privilege and separation of duties
  4. Consider all employees, with a focus on their business role, when implementing security practices
  5. Review the manager role and the access privileges that come with it
  6. Educate employees to be alert for suspicious activity and on how to report it
  7. Consider opening new, anonymous communication channels for employees
  8. Protect PII at a value comparable to money

In summary, with thoughtful knowledge and insight, solid and directed policy, and sound and tested practices, the mission of preventing fraud is not so impossible.

For more information, see the Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector.

 
