Fighting the Fraudsters


Posted on by Gregory Touhill

With the exception of those in the financial services sector, many CISOs place anti-fraud activities near the bottom of their “things-to-do” lists. Those CISOs invest heavily in the traditional perimeter defense model in an attempt to keep external attackers from getting inside the perimeter. It is the same perimeter defense model generals have used since the time of Sun Tzu and Alexander the Great, yet it withers and fails in today’s perimeter-less, Internet-enabled environment. Fraud can arrive through any channel, and anti-fraud capability needs to be reprioritized as a “must-pay” expense.

Ask a lawyer about fraud, and they will define it as a deliberately deceptive act intended to obtain for the perpetrator an unlawful gain that would not have been granted without the deception. Those who commit fraud are engaged in criminal activity.

With the expansion of the Internet, we have seen an explosion in the volume and potency of fraud schemes directed against businesses, governments and individuals around the world. During the COVID-19 pandemic, the rate of fraudulent activity has increased exponentially. Examples abound, such as the 22,000+ new COVID-related domains that appeared in the first month of the pandemic, luring victims with fraudulent information about vaccines and treatments or promises of access to coveted N-95 masks, protective equipment or sanitizing wipes. According to Cyber Defense Magazine, Google security personnel saw a spike of 18 million COVID-19-themed malware and phishing emails and 240 million COVID-related spam messages sent over Gmail every day. Pundits forecast that in 2021, damages from cybercrime will exceed $6 trillion USD; if that figure were concentrated in a single entity, it would qualify for a seat in the G-8 economic forum! We must take action against these threats, as traditional cyber defenses are proving inadequate.

Many of my students and fellow CISOs ask for recommendations on how to minimize cyber risk while incorporating an effective anti-fraud capability into their cyber arsenal of defenses. Here are my recommendations:

  • Adopt the Zero Trust security strategy. The traditional perimeter has been overtaken by mobility, cloud-based “as-a-service” capabilities and other modern constructs. A Zero Trust strategy assumes breach, verifies every request rather than trusting network location, and grants each authenticated user and device access only to the specific resources it is authorized for, and nothing else. NIST SP 800-207 and the writings of Dr. Chase Cunningham and Forrester Research can help those wanting to learn more about Zero Trust.


  • Implement secure remote access for everything. If you are not using multi-factor authentication (MFA) and software-defined perimeter (SDP) capabilities to secure access to your information, you are making yourself an easy target for cybercriminals. Username-and-password credentials were the state-of-the-art secure access method fifty years ago and should no longer be relied on by themselves. Similarly, virtual private networks (VPNs) came to market the same year as the PalmPilot, and in 2020 the US government issued over a dozen major warnings about VPN vulnerabilities. MFA paired with SDP as part of a Zero Trust security strategy lets you retire your VPNs and network access control (NAC) appliances while cutting secure remote access costs by more than 50% and giving you tighter control over all assets.


  • Thwart the phishing. During 2020, we saw a 345% increase in phishing. Most cyberattacks start with a phishing message, so it is essential to deploy email authentication: publish SPF and DKIM for your sending domains and a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy that tells receivers to quarantine or reject messages that fail, so spoofed mail never reaches employee or customer inboxes. Roll the policy out in stages (p=none to collect aggregate reports, then p=quarantine, then p=reject) so that legitimate third-party senders are not cut off, and remember that DMARC stops exact-domain spoofing only; lookalike domains still require brand monitoring and user awareness.


  • Invest in training. A well-trained and educated workforce that understands its data and the threats to it multiplies the effectiveness of every cyber tool; a poorly trained workforce can neutralize every one of them. Invest in people so that they understand their data and its value, the threats and risks in the environment, and their role in protecting data, brand and reputation. Invest in realistic training scenarios, drills and exercises; “one-and-done” training is insufficient in today’s hotly contested cyber environment.


  • Implement an anti-fraud solution. Pick one that monitors online brand mentions and activity so that your organization’s brand cannot be used in harmful or malicious ways without your knowledge. Ensure the solution has strong detection capabilities, including AI/ML models, so that attacks do not go unseen. Contextual analytics is key to judging whether users are who they claim to be, based on the device they are using, when and where they are accessing sensitive data, and other conditional attributes; a software-defined perimeter (SDP) is an important source of that device and session context. Also consider combining behavioral biometrics with contextual device analytics, as studies have shown the combination to be 91% more accurate than other models.
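To make the DMARC recommendation above concrete, here is an added example (written for this page; it is not code from the original post or from any DMARC implementation) showing how a receiving mail server evaluates a DMARC policy: it parses the `v=DMARC1; p=...` TXT record, checks whether the SPF or DKIM result is aligned with the domain in the From header the user actually sees, and returns the disposition. The DNS records, the domains (example.com, example.net, attacker.example, examp1e.com) and the authentication results are all constructed; the organizational-domain helper is a deliberate simplification that a production evaluator would replace with a Public Suffix List lookup.

```python
"""DMARC policy evaluation for a received message, run entirely offline.

Added example (not from the original post): parses a DMARC TXT record using
the RFC 7489 tag=value syntax, applies SPF/DKIM identifier alignment and
returns the disposition the receiving mail server should apply. All DNS
records and authentication results below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed TXT records keyed by the "_dmarc.<domain>" name a receiver would query.
DNS_TXT: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict and fill in RFC 7489 defaults."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    tags.setdefault("adkim", "r")      # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")       # SPF alignment mode: r(elaxed) or s(trict)
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to the domain policy
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.

    Simplification (assumption of this example): a real evaluator consults the
    Public Suffix List, so a name like 'mail.example.co.uk' is mishandled here.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    """Outcome of the SPF and DKIM checks the receiver has already performed."""
    from_domain: str            # domain in the RFC5322.From header the user sees
    spf_pass: bool
    spf_domain: Optional[str]   # RFC5321.MailFrom domain that SPF was evaluated for
    dkim_pass: bool
    dkim_domain: Optional[str]  # d= tag of a DKIM signature that verified


def evaluate(res: AuthResults, txt: Dict[str, str] = DNS_TXT) -> str:
    """Return 'pass', the policy to apply ('none', 'quarantine', 'reject'),
    or 'no-record' when the From domain publishes no DMARC policy at all."""
    from_domain = res.from_domain.lower()
    record = txt.get(f"_dmarc.{from_domain}")
    policy_tag = "p"
    if record is None:
        # Subdomain without its own record: fall back to the org domain and its sp= policy.
        record = txt.get(f"_dmarc.{org_domain(from_domain)}")
        policy_tag = "sp"
    if record is None:
        return "no-record"
    tags = parse_dmarc(record)
    dkim_ok = res.dkim_pass and aligned(res.dkim_domain, from_domain, tags["adkim"])
    spf_ok = res.spf_pass and aligned(res.spf_domain, from_domain, tags["aspf"])
    if dkim_ok or spf_ok:
        return "pass"
    return tags[policy_tag]


if __name__ == "__main__":
    cases = {
        "legitimate, SPF aligned": AuthResults("example.com", True, "example.com", False, None),
        "spoofed From, attacker's own SPF passes": AuthResults("example.com", True, "bulk.attacker.example", False, None),
        "DKIM from subdomain fails strict adkim": AuthResults("example.com", False, None, True, "mail.example.com"),
        "subdomain inherits org policy": AuthResults("news.example.com", True, "news.example.com", False, None),
        "monitor-only domain": AuthResults("example.net", False, None, False, None),
        "lookalike domain, nothing to enforce": AuthResults("examp1e.com", True, "examp1e.com", False, None),
    }
    for name, r in cases.items():
        print(f"{name:42s} -> {evaluate(r)}")
```

The last case is the caveat in practice: the attacker's lookalike domain has its own valid SPF, so every check passes and DMARC has nothing to say; only brand monitoring and user awareness catch it.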
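The contextual analytics in the last recommendation can be illustrated with a small risk engine. This is an added example (not the author's code and not any vendor's product) that scores each login by device familiarity, travel speed since the user's previous accepted login, and off-hours or MFA-less access to sensitive data, then maps the score to allow, step-up MFA or block; in a real deployment the device identifier would come from the SDP client or endpoint agent and the coordinates from GeoIP. The users, devices, locations, resource list, thresholds, business hours and the 900 km/h speed limit are all constructed assumptions.

```python
"""Contextual risk scoring over login events, run offline on constructed data.

Added example (not from the original post or any vendor): each login is scored
on device familiarity, impossible travel since the user's previous accepted
login, and off-hours or MFA-less access to sensitive resources. The score maps
to allow / step-up / block. Users, devices, locations, thresholds and business
hours are assumptions made for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Login:
    user: str
    ts: datetime        # timezone-aware UTC timestamp
    device_id: str      # stable device identifier reported by the SDP client or agent (assumed)
    lat: float          # geolocation of the source address (assumed to come from GeoIP)
    lon: float
    resource: str       # application or data set being accessed
    mfa: bool           # whether the session already completed MFA


SENSITIVE = {"payroll", "wire-transfer"}   # constructed list of high-value resources
MAX_PLAUSIBLE_KMH = 900.0                  # faster than an airliner: treat as impossible travel
BUSINESS_HOURS = range(7, 20)              # UTC hours treated as normal for this constructed org
STEP_UP, BLOCK = 30, 70                    # constructed score thresholds


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score_login(ev: Login, known_devices: Set[str], prev: Optional[Login]) -> Tuple[int, List[str]]:
    """Return a risk score and the human-readable reasons behind it."""
    score, reasons = 0, []
    if ev.device_id not in known_devices:
        score += 30
        reasons.append("unknown device")
    if prev is not None:
        hours = (ev.ts - prev.ts).total_seconds() / 3600.0
        km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            score += 50
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.2f} h")
    if ev.resource in SENSITIVE:
        if ev.ts.hour not in BUSINESS_HOURS:
            score += 25
            reasons.append("sensitive resource outside business hours")
        if not ev.mfa:
            score += 15
            reasons.append("sensitive resource without MFA")
    return score, reasons


def decide(score: int) -> str:
    if score >= BLOCK:
        return "block"
    if score >= STEP_UP:
        return "step-up"
    return "allow"


def run(events: List[Login], baseline_devices: Dict[str, Set[str]]) -> List[dict]:
    """Process logins in time order. A blocked attempt is never used as the baseline
    for the next one, so an attacker cannot poison the travel check, and a device
    becomes 'known' only after a fully allowed login."""
    known = {u: set(d) for u, d in baseline_devices.items()}
    last: Dict[str, Login] = {}
    results = []
    for ev in sorted(events, key=lambda e: e.ts):
        score, reasons = score_login(ev, known.setdefault(ev.user, set()), last.get(ev.user))
        verdict = decide(score)
        if verdict == "allow":
            known[ev.user].add(ev.device_id)
        if verdict != "block":
            last[ev.user] = ev
        results.append({"user": ev.user, "ts": ev.ts.isoformat(), "verdict": verdict,
                        "score": score, "reasons": reasons})
    return results


# Constructed sample: alice in London is impersonated from Lagos; bob works at night.
def t(hour: int, minute: int) -> datetime:
    return datetime(2021, 3, 1, hour, minute, tzinfo=timezone.utc)


LONDON, LAGOS, NYC = (51.5074, -0.1278), (6.5244, 3.3792), (40.7128, -74.0060)
BASELINE = {"alice": {"alice-laptop"}, "bob": {"bob-phone"}}
EVENTS = [
    Login("bob", t(2, 0), "bob-phone", *NYC, "payroll", mfa=False),
    Login("bob", t(3, 0), "new-tablet", *NYC, "email", mfa=True),
    Login("alice", t(9, 0), "alice-laptop", *LONDON, "email", mfa=True),
    Login("alice", t(9, 30), "alice-laptop", *LONDON, "payroll", mfa=True),
    Login("alice", t(10, 15), "rented-vps", *LAGOS, "wire-transfer", mfa=False),
    Login("alice", t(11, 0), "alice-laptop", *LONDON, "email", mfa=True),
]

if __name__ == "__main__":
    for r in run(EVENTS, BASELINE):
        print(f"{r['ts']} {r['user']:6s} {r['verdict']:8s} {r['score']:3d} {'; '.join(r['reasons'])}")
```

Note the design choice in `run`: the blocked Lagos attempt is not recorded as alice's last location, so her genuine 11:00 login from London is allowed rather than being flagged as impossible travel in the other direction.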

Traditional security strategies are no longer effective against the evolving threat landscape. It is time for all organizations to implement a multilayered, intelligent fraud protection program built on the Zero Trust security strategy, so that they are best postured to manage risk in today’s contested cyber domain.


Contributors
Gregory Touhill

CERT Director, Software Engineering Institute Carnegie Mellon University

Anti-Fraud Machine Learning & Artificial Intelligence

fraud

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

