I’ve recently taken a new position with a global financial institution and have been tasked with conducting a scenario analysis. For those not familiar with SAs, we are required to take a high impact (monetarily), low likelihood scenario and see how our current processes would interact with the scenario.
I am here because I would like some input on what scenarios I could come up with. The only restrictions are that it has to be applicable to HR and related to cyber/tech risk. An example would be that an employee gained access to PII data such as names, DOBs, SSNs, etc. and used the data for personal gain.
The SA would analyze this breach and put our policies/procedures/governance to the test to see if we would be able to prevent this, and in a worst case scenario, what would be the monetary impact that the firm would face (i.e., litigation costs, legal fees, regulatory fines/penalties, etc.).
Any help would be greatly appreciated!
There can be several ways to look at it. You are describing an insider threat scenario, so there are multiple angles to look at:
1) How did you find out about the incident? Tests your incident detection/response, auditing, and role separation policies.
2) How long has the event been going on? Was it a one-time dump of info? Was the person slowly siphoning off and using the info?
3) What was the motive? Financial gain? Company ruin?
4) Is this an isolated incident? Are there more people doing it?
5) How would you prevent it in the future? Data Loss Prevention rules/policies/actions being improved?
6) What did you learn?
You will have to lay out your process and then look for anywhere a person could inject fraud into the equation.
1) Do you do background checks on your employees? Do certain employees with certain roles, i.e. finance, HR, procurement, etc. get special checks for credit problems/issues?
2) Could this not just happen to HR, but other departments as well? At one agency I worked at we had requirements that anyone that accessed a certain system had to have a background check, but they forgot about IT administrators who could take over those employees' accounts. They didn't require it for them (until I got there and pointed this out). Don't forget that IT employees often have the keys to the kingdom, so inject that possibility into your situation.
3) Think outside the box. I heard a story of an HR manager who couldn't believe his bad luck of hiring for a particular role. He had to keep firing people for theft for this one particular role. All of the newly hired employees swore that they were not stealing, but got fired anyway. A hidden camera investigation, combined with a "fake" hire, proved that they were right. A current employee would wait until someone was hired into that role and then start stealing. When they were fired, she stopped stealing and waited for them to rehire a person for the role, and then would start stealing again. When mentioning his bad luck of hiring to a friend, the friend suggested a sting operation where they "hire" him and install hidden cameras to catch the real thief.
I can tell of several insider threats that I have experience with.
1) We had separation of duties policies/practices where one person created an award and a separate person approved it. We were defeated by a mother & son combo who worked together (he was an award creator and she was an approver). The son would receive a death notice and instead of terminating the award, he changed the bank account information on the award and then the mother approved the change to the account. They were caught because they used the same bank account for 6 different people. It was noticed during an audit that 6 people had the same bank routing and account numbers (this would be a VERY unlikely situation). Fraud detection method: auditing of bank accounts searching for duplicates, red flag/anomaly detection. Post-detection improvements were made to look at the create/approval patterns, and a change in rules to prevent relatives from working the same cases.
2) We had one person who was able to order their own supplies. During audits for very high usage of some expendable items and some missing equipment audits, the employee claimed that other employees had come in and stolen those items and that, since those employees were in a "protected" class (and no, it was not due to race but type of employee), management was not going to do anything about it. It turned out the employee was selling the stuff on eBay. They were caught because they took photos of the equipment for sale on the carpet of the office, and the office carpet had a VERY distinct pattern. An employee, who just happened to work in the same office building and was browsing eBay, joked to their wife that the carpet in those pictures looked "just like the carpet at work!" Turns out it was the same carpet. When bringing up the story (and later the website) at work, someone who was involved in the audits overheard it and, combined with the type of inventory that was mentioned, came over and inquired, put the information together, and was able to successfully prosecute the employee. Fraud detection method: observation and luck, combined with auditing. Post-detection improvements were a tightening up of audit intervals, closer inspection of orders and better inventory management.
3) The company ran several gas station/convenience stores (this was before the prepay at the pumps was instituted and you could turn the gas pumps on just by lifting the handle). We had one particular cashier who claimed to have a high level of "drive-offs" during her shift. A "drive off" would be someone who pulled up to the gas pump, pumped some gas into their car, and then instead of heading inside to pay for it, would just drive off. She seemed to have an abnormally high number of these events when compared to other cashiers. So a hidden camera investigation was set up and she was caught. She had figured out that the cash registers had a subtotal button that would print out a receipt, but not finalize the sale. Someone would come in and pay for $20 in gas, she would hit the subtotal button so a receipt would print out, which she would give to the customer. Then when they went outside she would hit cancel on the order and pocket the cash. The gas pumps would still work so the customer didn't know she was pocketing the cash. To everyone working there it looked like a totally normal transaction.
Fraud detection method: abnormality of an adverse event, auditing of losses, video evidence to confirm suspicions. Post-detection improvements: elimination of the subtotal button function; changed rules around "drive-offs"; ended the "trust the customer to come in and pay" policy on the gas pumps and transitioned to prepay only.
Criminals are innovative and think differently than "normal" people do, so you must try to think like they do. Read some true stories about corporate espionage and criminal activities to get some ideas of how people work around the system. This may help give you some ideas to use in your scenario. Then, if you really want to take it to the next level, think about this. There are also different levels of criminals. The beginner level is what we call "smash and grab". They usually choose the quickest way to get money (usually small amounts). They go for the quick win. In your scenario it might be one big dump of employee data and then trying to sell it. The "middle tier" usually go about it in a slower, but not perfect, manner to avoid detection and go for more money over a longer period of time. So your insider might start using identity theft of one person at a time and try to keep it under the "get noticed" threshold, trying to make more money over a long period of time. Then you have the "big-time" or "planner" type of criminal. They think through the crime, take time to plan it out, try to learn the detection algorithms or "how security works at this place". Think Bernie Madoff. These people usually try to go for the big score. Get the company to wire large amounts of money to a bank account, that type of stuff. Could your HR insider trick the CEO or CFO into wiring money to a fake bank account?
I know this is long, but hopefully this helps.
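The two detection methods named in this answer, the duplicate bank-account audit from story 1 and the per-cashier "abnormally high drive-offs" comparison from story 3, as an added example in Python. This is not code from the answer; the award records, user ids, routing/account numbers and shift counts below are constructed, and the field names (`payee_id`, `routing`, `account`, `created_by`, `approved_by`, `cashier`, `drive_offs`) are assumptions.

```python
"""Insider-fraud audit checks: shared payee bank accounts and outlier loss rates.

Added example, not code from the original post. All records are constructed
and the field names are assumed; point the functions at your own exports.
"""
from collections import defaultdict
from statistics import median

# Constructed award ledger. Awards 2-4 pay three different people into one
# account and were all created by one user and approved by another.
SAMPLE_AWARDS = [
    {"award_id": 1, "payee_id": "P1", "routing": "123456789", "account": "000999001",
     "created_by": "u_alice", "approved_by": "u_bob"},
    {"award_id": 2, "payee_id": "P2", "routing": "123456789", "account": "000111222",
     "created_by": "u_son", "approved_by": "u_mother"},
    {"award_id": 3, "payee_id": "P3", "routing": "123456789", "account": "000111222",
     "created_by": "u_son", "approved_by": "u_mother"},
    {"award_id": 4, "payee_id": "P4", "routing": "123456789", "account": "000111222",
     "created_by": "u_son", "approved_by": "u_mother"},
    {"award_id": 5, "payee_id": "P5", "routing": "987654321", "account": "000555333",
     "created_by": "u_alice", "approved_by": "u_carol"},
    # Same payee paid twice into the same account: legitimate, must not be flagged.
    {"award_id": 6, "payee_id": "P1", "routing": "123456789", "account": "000999001",
     "created_by": "u_bob", "approved_by": "u_carol"},
]

# Constructed drive-off counts per shift for five cashiers; "E" is the outlier.
SAMPLE_SHIFTS = [
    {"cashier": c, "drive_offs": n}
    for c, counts in {"A": [1, 0, 1, 0], "B": [1, 1, 1, 0], "C": [1, 0, 0, 0],
                      "D": [0, 1, 0, 1], "E": [4, 5, 3, 4]}.items()
    for n in counts
]


def find_shared_bank_accounts(awards, min_payees=2):
    """Map (routing, account) -> sorted payee ids for accounts that receive
    money for at least `min_payees` distinct payees. One payee with several
    awards into one account is normal and is not reported."""
    payees_by_account = defaultdict(set)
    for a in awards:
        payees_by_account[(a["routing"], a["account"])].add(a["payee_id"])
    return {acct: sorted(p) for acct, p in payees_by_account.items()
            if len(p) >= min_payees}


def creator_approver_pairs(awards):
    """Count how often each (creator, approver) pair handled an award together;
    a pair that recurs far more than others is the pattern to review."""
    counts = defaultdict(int)
    for a in awards:
        counts[(a["created_by"], a["approved_by"])] += 1
    return dict(counts)


def flag_outlier_rates(shifts, threshold=3.5):
    """Compare each cashier's adverse-event rate (events per shift) against
    peers using a robust z-score (median and MAD, scaled by 0.6745), so one
    extreme cashier cannot drag the baseline up. Returns [(cashier, rate, score)]
    for cashiers whose score exceeds `threshold`."""
    totals = defaultdict(lambda: [0, 0])          # cashier -> [events, shifts]
    for s in shifts:
        totals[s["cashier"]][0] += s["drive_offs"]
        totals[s["cashier"]][1] += 1
    rates = {c: events / n_shifts for c, (events, n_shifts) in totals.items()}
    med = median(rates.values())
    mad = median(abs(r - med) for r in rates.values())
    flagged = []
    for cashier, rate in rates.items():
        if mad == 0:
            # Peers are identical: anything above the median is an outlier.
            score = float("inf") if rate > med else 0.0
        else:
            score = 0.6745 * (rate - med) / mad
        if score > threshold:
            flagged.append((cashier, rate, score))
    return flagged


if __name__ == "__main__":
    print("shared accounts:", find_shared_bank_accounts(SAMPLE_AWARDS))
    print("creator/approver pairs:", creator_approver_pairs(SAMPLE_AWARDS))
    print("outlier cashiers:", flag_outlier_rates(SAMPLE_SHIFTS))
```

The shared-account check keys on the full routing/account pair and counts distinct payees rather than awards, so a legitimate recurring payment is not a false positive; the rate check uses a median/MAD score because a single fraudulent cashier would otherwise inflate the mean she is being compared against.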
"Plane crashes into your main data centre facility" used to be a popular scenario thrown at companies by regulators.
We had a guy that was really creative at building scenarios. In addition to making work a bit more "fun", it helps focus people on out-of-the-box thinking. One of my favorites....
Third-shift operator George's car developed a coolant leak on the way to work. Being a creative guy, he observantly noticed that removing a few floor tiles in the data center would create the perfect mechanic's pit and that per manufacturer's specs the tiles could safely support his light car. All went well as he carefully nudged his classic Ford Pinto into place. Sadly, he ultimately mistook the gas and brake pedals, resulting in the car "flying" into Rack #1. In an unexplainable act of physics, the car ended up toppling rack #1, with the car ending up squarely on the rack's formerly left- and now top-side. George had a front row seat as he watched rack 1 fall into rack 2, 2 into 3 and so forth. Just like his misfortune, this chain reaction continued to "domino" until Rack 10 was deflected away from its neighbor by the fire pull on an adjacent post.
System Admins John, Richard and Paul were first on-scene and were amused to see George racing the engine with tires spinning in free air as he desperately attempted to dislodge the car. Their intent was honorable as they offered a good, hard shove, but it unfortunately went horribly wrong because the fuel tank "somehow" got sliced, pouring what we now know to be 7.5 gallons of fuel under the floating floor. Witnesses reported that the subsequent fireball was quite the sight, with floor tiles flying "everywhere".
In a bit of good news, emergency services arrived earlier than expected due to Rack #10's fortuitous (and at the time false) alarm. This promptness is credited for no loss-of-life, but unfortunately our fab-four remain customers of the nearby intensive care unit and are unavailable for consult for the duration of the rehearsal.
Upper management continues to fume that none of this would have happened if only George had driven a Beetle (of the VW variety), given that they are "air cooled". Management has been given "alone time" to hone their risk-analysis skills and therefore their guidance is unavailable for the duration of the rehearsal. "Techies" must rely solely on DR docs and their best judgement for all decision making.
As you arrive at the office, please head straight to the recovery site (conference room 3) with whatever you happened to bring home overnight.
Do not retrieve anything from your desk because the rest of the building is "unsafe for occupancy". Injured parties are invited to attend, but may not participate, for fear of finding themselves mummified as per the scenario.
A few of the obscure details here... That which is to be recovered is specified, but the team depends on the DR docs to figure out the details, and we generally picked a few people to "sit out". As we got more experienced at recovery on a given system, those most expert in that system were less and less likely to be allowed to participate.
We have also used a "Dungeons and Dragons" format in cases that are more "Incident Response". In these, clues and critical details are slowly disclosed in response to questions from the room. "Backdoors and Breaches" is a commercially available card deck to facilitate these exercises.
Another fun one was when we hid an unauthorized access point and asked people to find it.