Bridging the Gap: Unifying Physical and Cyber Security Assessments

By Lowers & Associates

By Brad Moody and Brian Straightiff

Unlike traditional methods that compartmentalize physical and cyber security, Lowers & Associates’ innovative strategy to security assessments unifies both realms seamlessly, emphasizing a holistic understanding of vulnerabilities and threats.

Traditionally, annual penetration tests focus only on digital assets. However, Lowers & Associates understands that some digital assets are exploitable through physical vulnerabilities. L&A developed a plan built on four pillars: external scans, internal scans, physical security, and social engineering. Combining them not only cuts costs but also significantly broadens the scope of an assessment.

Comprehensive Security Assessment: Exploring the Four Pillars

1. External Scan:

Utilizing advanced tools like Nessus, professionals conduct in-depth external scans. These assessments mimic real-world scenarios, identifying vulnerabilities visible from outside the network perimeter.

2. Internal Scan:

Authenticated access to applications provides a unique perspective, simulating potential insider threats. By identifying vulnerabilities specific to internal access, this scan offers invaluable insights into an organization’s security posture.

3. Physical Assessment:

Evaluate the physical security conditions that would allow a bad actor to enter a facility and reach networks and devices. Access controls, personnel, CCTV, and alarms are the main components that limit the opportunity for exposure and the risk it creates.

4. Social Engineering:

Social engineering, the human element in security assessments, serves as a bridge between physical and cyber security. Spear phishing campaigns built on Open-Source Intelligence (OSINT) target specific individuals within the organization. By exploiting human behavior and preferences, these campaigns reveal the organization’s susceptibility to attacks that cross the boundary between the digital and physical worlds.

The Fusion of Physical and Cyber Security:

The innovative aspect of this approach lies in its ability to merge physical and cyber security seamlessly. Instead of viewing security in silos, this strategy recognizes that physical and digital security are interconnected. For instance, social engineering extends beyond the digital realm, incorporating techniques like impersonation and elicitation to exploit human vulnerabilities physically and digitally.

The impact of this unified approach extends beyond identifying vulnerabilities. Following the assessment, organizations can actively address the identified weaknesses. By implementing targeted security awareness training and periodic simulations, employees become adept at recognizing and responding to both digital and physical threats.

Conclusion:

This integrated approach to security assessments heralds a new era in safeguarding organizational assets. By embracing both physical and cyber security, businesses can fortify their defenses comprehensively. In an era where threats are multifaceted, this holistic understanding of security vulnerabilities is not just an approach—it’s a necessity. As organizations navigate the evolving landscape of security challenges, this unified strategy stands as a testament to the proactive stance required to ensure a secure digital future.

Fraud Stories: Crypto Fraud

By Lowers & Associates

“Virtual currencies, perhaps most notably Bitcoin, have captured the imagination of some, struck fear among others and confused the heck out of the rest of us — including me.” – Senator Tom Carper, chair of the Senate Homeland Security and Governmental Affairs Committee, November 2013

Today is day 2 of our Fraud Awareness Week series, Fraud Stories and Lessons Learned, and we want to highlight the rapidly emerging problem of cryptocurrency fraud. Brad Moody, EVP of Operations for Lowers & Associates, points out the rapid increase in crypto-related fraud, noting that in 2016 there were only 340 active cases of such fraud and that by 2020 there were more than 80,000 cases in the U.S. alone.

In this fraud story, Brad explains how current schemes to capture victim organizations’ cryptocurrency are amplifying the need for effective internal controls, anti-fraud training, and third-party penetration testing.


Interestingly, one of the best ways organizations can protect themselves from cryptocurrency fraud is through the same tried and true practices used to prevent social engineering, phishing, and other related attacks. Employees are increasingly subject to scams through email and link-sharing, so it’s important to look at how to detect and block such activity but also to train employees on how to recognize and avoid becoming victims to such scams.

David Gardiner, Senior Vice President of Lowers Forensics International, offers further advice: “Crypto based currencies are now becoming a professionally acceptable form of tender. Now more than ever, corporations need to proactively mitigate their risk and exposure. This can be done through a myriad of operating procedures including the process of facilitating not only their outbound, but even incoming payments. Strict rules of engagement, much like the protocols already used in wire transfers (verbal confirmation, dual signature authentication, etc.) should be followed here as well.”

Stay tuned tomorrow for another fraud story from the front lines of Lowers & Associates.

Wire Fraud Begins and Ends with People

By Brad Moody

It’s hard to imagine that, on any given day, over $3 trillion moves via electronic transfer. Financial institutions make these B2B transactions happen seamlessly on a global scale, and we often take for granted the very simple instructions required (and accepted) between businesses that make single transactions of millions of dollars possible. Since organizations perform these transactions almost exclusively online, there is an inherent opportunity for malicious redirection whenever company employees become complacent with routine wire instructions.

Responsible organizations follow robust, documented and accepted practices in an environment that embraces process. The culture of any high reliability organization allows employee intervention and systematic controls to prevent fraud opportunities. These processes may feel tedious and repetitive, but at the end of the day it is human actions that allow fraud to exist.

Since 2016, it’s estimated that over $26 billion in fraud losses have come from wire funds transfers as the result of business email compromise alone. With the recent COVID-19 pandemic, fraudsters have a new ability to exploit corporations, especially in highly impacted areas. It is important for organizations to maintain a culture of process and to have contingency plans in place that allow transfers to continue seamlessly.

On the Lowers & Associates LinkedIn, we’ll be highlighting a series of security insights that are applicable to ANY industry (the second bullet below should look familiar).  Specific to wire transfer fraud, here are a few additional actions employers can take to remove risk and eliminate potential for loss:

  • Strengthen screening and re-screening employment practices.
  • Integrate and document responsibilities of all parties authorized in dual controls into processes involving preparation of wire transfer instructions and authorizing and approving such transfers.
  • Ensure there is independent and frequent review of investment transactions by a knowledgeable party.
  • Conduct semi-annual audits of the wire transfer function. Ensure auditors review password requirements and controls during each examination.
  • Conduct annual penetration tests and annual security audits of web-based wire transfer applications that are hosted by the company or by a third-party application service provider.
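To make the dual-control and verbal-confirmation bullets concrete, here is an added Python illustration (not Lowers & Associates' own tooling) of a release gate that refuses a wire unless those controls are satisfied; the approver roster, the callback threshold and the request fields are assumptions.

```python
"""Dual-control release gate for an outbound wire transfer (added illustration).

Models the controls the post lists: documented dual control with segregation
of duties, an authorized-approver roster, and verbal callback confirmation
before releasing changed instructions or large amounts. Names are assumed.
"""
from dataclasses import dataclass, field


@dataclass
class WireRequest:
    request_id: str
    amount: float
    beneficiary_account: str
    prepared_by: str                                   # user who keyed the instructions
    approvals: list = field(default_factory=list)      # user ids who approved
    callback_verified: bool = False   # True only after a call to a known-good number,
                                      # never a number taken from the requesting email
    instructions_changed: bool = False  # bank/beneficiary details differ from last payment


AUTHORIZED_APPROVERS = {"cfo", "controller", "treasury_mgr"}  # assumed roster
CALLBACK_THRESHOLD = 10_000.0  # assumed: amounts at/above this need verbal confirmation


def release_check(req: WireRequest) -> list[str]:
    """Return the list of control failures; an empty list means the wire may be released."""
    failures = []
    approvers = set(req.approvals)
    if req.prepared_by in approvers:
        failures.append("preparer cannot also approve (segregation of duties)")
    if len(approvers - {req.prepared_by}) < 2:
        failures.append("two distinct approvers required (dual control)")
    unauthorized = approvers - AUTHORIZED_APPROVERS
    if unauthorized:
        failures.append(f"unauthorized approver(s): {sorted(unauthorized)}")
    needs_callback = req.instructions_changed or req.amount >= CALLBACK_THRESHOLD
    if needs_callback and not req.callback_verified:
        failures.append("changed instructions or large amount need verbal callback confirmation")
    return failures


# Constructed samples: a BEC-style request where the "vendor" emailed new bank
# details and the clerk self-approved, versus a request that passes every control.
SUSPECT = WireRequest("W-1001", 250_000.0, "NEW-ACCT-9", prepared_by="ap_clerk",
                      approvals=["ap_clerk", "controller"], instructions_changed=True)
CLEAN = WireRequest("W-1002", 250_000.0, "KNOWN-ACCT-1", prepared_by="ap_clerk",
                    approvals=["cfo", "controller"], callback_verified=True)

if __name__ == "__main__":
    for r in (SUSPECT, CLEAN):
        print(r.request_id, release_check(r) or "RELEASE OK")
```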

BONUS: These are a few additional steps that businesses should think about adopting:

  • Email social engineering education.
  • Passwords should be at least 14 characters, must be complex (at least 1 of each: uppercase, lowercase, number, symbol), and changed every 90 days.
  • Two-factor authentication.
  • Appropriate insurance coverage for the business.
  • Monitor banking accounts regularly.

5 Stories that Highlight the Dangers of Complacency

By Lowers & Associates

Ah, complacency. That quiet sense of security or satisfaction with the status quo that prevents a person from acknowledging the potential dangers or risks around them.

We become complacent about internal controls, believing our employees have always been trustworthy and therefore we can eliminate extra steps in the process. We slack off in our security training, thinking “surely our team knows not to click on an unfamiliar link.” Or, we fail to conduct a background check because the applicant is the nephew of one of our fellow executives.

In our recent blog, 4 Culprits of Complacency, we highlighted some of the underlying factors that lead to complacency. In this blog, we bring forth five stories that expose the negative fallout and damage that can occur when organizational complacency takes root.

1. The Law Firm with Weak Accounting Controls

A law firm specializing in intellectual property let complacency derail its internal controls. The firm has five offices throughout the United States, and the satellite offices normally forward their customer payments to the corporate office for processing. Recently, however, customers from at least one of the five locations notified the firm that their previously cashed payments were being duplicated, forged, and re-cashed, leading the customer to have fraudulent withdrawals taken from their bank accounts. Fraudsters left some of the personalized information on the check, such as handwritten notes in the memo line, but had replaced the recipient name, date, and check number with false information and deposited it remotely through an ATM. Rather than keeping customer payments in a secure, locked location, the firm’s complacency in its failure to follow its own internal controls led to this embarrassing and costly mistake.

2. The National Political Committee Duped by Social Engineering

It was the hack heard round the world, all perpetrated by a simple case of spear phishing made possible by complacency. Hackers sent an email to members of the committee that looked like it had been sent by Google and requested them to click a link to reset their passwords due to malicious activity on their accounts. Several members took the bait, and with the new credentials in hand, hackers subsequently breached (and later published) more than 150,000 emails stolen from the Gmail accounts of committee members.

3. The Nursing Home That Failed to Check Employee Backgrounds

A Texas nursing home employee was caught on video physically assaulting an 83-year-old resident, who had advanced Alzheimer’s disease and could barely move, talk, or understand what was going on around her. The family sued the nursing home for $1 million for its negligent hiring of a 23-year-old employee who had previous arrests for fraud, marijuana possession, and criminal mischief on his record. Had the facility not succumbed to complacency, it would have required all workers to undergo a background check before being hired.

4. The Business Merger That Skipped Due Diligence

Two regional telco companies that had been in competition with one another decided to take the plunge and merge, with Company A doing the actual acquiring and Company B being the one acquired. The executives of both teams had been collegial over the years and knew each other’s respective businesses fairly well, so Company A opted to forgo a formal due diligence process. It was only four months into the new merger that Company A realized Company B had inflated the size of its client base and the average revenue per subscriber (ARPS) for each of those clients. Yes, Company B had 800 clients in its account records, but a full 200 of those clients had discontinued service at some point in the preceding timeframe, leaving only 600 active clients. The true revenue, then, wasn’t ARPS x 800 clients but ARPS x 600 clients, about $600,000 a year less than had been presented in the pre-merger discovery process. Once again, complacency reared its ugly head.

5. The Medical Diagnostic Company Lacking Sound Loss Prevention Strategies

We like to think that all of our employees are honest, but even with good internal controls in place, people find ways to cheat their employers. In this case, a manager set up a series of fake companies, invoices and expense reports to reimburse himself for more than $1.2 million in false expenses. His deception was ultimately uncovered through mismatched addresses used on his falsified documents. While loss prevention tactics can’t necessarily filter out every deceitful action, it’s far better to be proactive than remain complacent, as this company did.

Is complacency a risk factor in your organization?

Lowers and Associates works with a wide range of industries, including financial institutions, healthcare providers, casinos, couriers, and insurance companies, to protect their people, brands, and profits. We offer a full range of services, from cash-in-transit evaluations to venue security to IT risk assessments.

If you’re concerned your business is at risk of being complacent, let’s talk. We’d love to help.


5 Ways to Combat Social Engineering Attacks in Your Organization [Infographic]

By Lowers & Associates

Wikipedia defines social engineering, in the context of information security, as the “psychological manipulation of people into performing actions or divulging confidential information.” Our increasing reliance on vast networks of digital technology for information storage, research, controls, and transactions makes organizations highly vulnerable to social engineering fraud.

There is a strong urge to combat this risk with a technological fix like stronger encryption or better management controls. The problem is not a technical one because social engineering fraud is based on the exploitation of human interactions and human frailties.
