Payroll Fraud – How Snare helps you find the crooked insider using Database Activity Monitoring

The Cost of Payroll Fraud (in the billions)

As payroll has increasingly become a dedicated function in the finance and accounting arena, and as regulation in the payroll segment increasingly means that payroll processing has become an IT function, additional risks have been introduced into this high dollar risk arena.

Risks in payroll include out of date payroll systems, non-compliance, and fraud – particularly from insiders with access to back-end databases.

One of the key risks is the lack of visibility into those who have access to the databases and what changes they have made. Usually, this is a very specific area and IT generally and IT Security specifically may not have a good way to see what’s happened inside of the database.

The Australian Payroll Association, in an August 23, 2020 article says the Federal Bureau of Investigations (FBI) reported that between 1 January and 30 June 2019, payroll diversion increased by 815 per cent and that in the past three years, fraud has exceeded $26 (US) billion dollar in losses. The majority of payroll fraud falls into one of three perpetrator categories – employer, employee or third party.

Detecting Payroll Fraud

PwC’s 2020 Global Economic Crime and Fraud Survey revealed 37% of fraud was internal, including 34% by middle managers, 31% by operations staff, and 26% by senior management.

Fraud might also be executed through the creation of “ghost” employees, fake timesheets or maintaining ex-employee records to funnel salary payments into fraudulent accounts. Perpetrators may create false suppliers, and reimbursements for authorised contractors to provide services at inflated rates.

Australia’s most famous payroll fraud case is probably the Clive Peeters case, where the company payroll manager reportedly stole over AUD$19M from her employer over a two-year period.

The solution?

A Database Activity Monitoring (DAM) solution like Snare MSSQL Agent can track sensitive data access, mask sensitive data from anyone inspecting log data (so they cant see the actual data in the database), and provide separation of duties between DBA’s, Sysadmins and forensic investigators.

Our own Snare CISO, Steve Challans says:

“There are many areas of a database that users can interact with. Good applications tend to have their own role based access controls in place to control what a user does and prevent them from doing anything malicious to the database and its contents. 

However, there is another class of users that have direct ODBC access and/or DBA/Sysadmin privileges that can override technical controls and make changes to the databases and its data. Activities such as ‘create table, drop table, and adding columns’, are structural and schema-related, while ‘insert, update, delete, and select’ are data-related. Having someone perform unauthorised data changes affects the integrity of the data, so the business can make bad or wrong decisions with the misleading data now being used. Copying data and data exfiltration is another problem with leaking sensitive personal or financial information or company secrets. There have been many instances of a bad employee making database changes to change the payroll or HR system for nefarious needs. In other cases, there has been a breach of some sort and the hackers have gained access to the DBA accounts to access or exfiltrate data from the customer’s database systems –  causing great damage to the business.”

Database Activity Monitoring


Gartner defines Database Activity Monitoring (DAM) as a suite of tools that can be used to support the ability to identify and report on fraudulent, illegal or other undesirable behaviour, with minimal impact on user operations and productivity.

Monitoring databases is critical when manipulation of data in those databases can result in financial loss. DAM can contain data from network-based monitoring, as well as native audit information to provide a comprehensive picture of database activity. This data can be used to report on database activity, support breach investigations, and alert on anomalies.

DAM helps businesses address regulatory compliance mandates like the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), U.S. government regulations such as NIST 800-53, and EU regulations.

Monitor Activity with Snare’s Microsoft SQL Agent

Snare’s specialised Microsoft SQL agent allows the customer to be very granular with the monitoring of the SQL activity within a single database or an entire instance that covers multiple databases.

Individual users or classes of users such as the DBAs that have the SYSADMIN role can be monitored. Specific settings can be used to collect information on specific database, tables with sensitive data, or specific commands run in the database. This reduces the noise of general monitoring of all user activity on the SQL environment.

The Snare agent works on all current versions of SQL server, on windows platforms, and is cluster-aware to cover off the more complex, highly available needs.

Some other tools can generate enormous amounts of log data which can overwhelm some systems. The Snare agent can be tuned to collect the specific user activity and filter out the rest of the noise.

If you would like to learn more about Snare’s Database Activity Monitoring solutions or about our suite of log collection and management solutions, including Snare Central and Snare Agents, reach out to us. Our team has helped over 4,000 companies around the world protect their logs and prevent cases of payroll fraud.

/by

Do you trust your cyber security supply chain?

Creating a Secure Cyber Security Supply Chain

We all know the importance of maintaining a solid cyber security capability and maintaining a secure cyber posture. We all know the stats about malware, ransomware, cyber IP Theft, data breach fines, and compliance mandates. I don’t think there’s anyone left that does not understand that they need to be cyber secure.

One of the big questions that remains is simply this: “Who do I trust?” And this extends into the supply chain for your service providers and vendors of both software and hardware.

“All organisations should consider cyber supply chain risk management”. – The Australian Cyber Security Centre (ACSC)

The National Cyber Security Centre in the UK (NCSC) documents the type of attacks that could occur through a third party software provider, including compromise of industrial control systems on critical infrastructure.

In the US, the Federal Government has introduced the Cyber Security Maturity Model (CMMC) to mandate minimum security posture for all suppliers to government to assess and enhance the cybersecurity posture of the Defense Industrial base. The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.

Outside of government, there are still very few companies that set business standards for their suppliers or truly understand the security implications of the vendors that they might choose – especially if they are choosing  based on price. Choosing an open source product written by unknown contractors in Eastern Europe or Asia may not be the best answer.

It’s a topic to take seriously and to consider in great detail when choosing who to trust to assist your organisation maintain a secure environment.

So how do I choose?

Obviously, a reasonable start is some form of certification. This could mean an ISO27001 certification, certification of compliance with the CMMC (when that becomes more available) as well as certification of the actual product.

The team at Prophecy are deep into an ISO27001 project that will see us certified to this international standard as well as preparing for CMMC certification to enable us to continue to supply the Defense sector in the United States. We have also had our software verified by a third party company that specialises in vulnerability assessment. We have used Veracode and have had both Snare Enterprise Agent and our Agent Manager attain “Verified“ level. (Read here for more information on Prophecy’s Verified status)

Linked to this is risk from open source software – particularly in relation to the tracking use of open source components as new versions become available and older components might have vulnerabilities that remain unpatched. You only need to look to the Equifax breach to see how this can be a significant challenge to manage and one that can have massive consequences. Other issues include projects that might have value now but decrease as active involvement decreases and/or a lack of visibility into who is contributing to open source projects and where they might be coming from.

Why is sovereign capability important?

In a global market with players from almost every country, it is critically important to look at capability from home as well as from those countries that have a level of integration and acceptance when it comes to cyber maturity, cooperation around defense and intelligence, as well as protections for IP and trademarks. Obviously, local companies usually have created the IP that you will be deploying in your environment and have local support in your time zone and in your language an understand the local regulatory and legal environment in which you operate. They will be there is you need them and in your legal jurisdiction if something really goes wrong.

In addition to this, sovereign capability will drive the growth of jobs and the economy – which is very important after the disruptions to the global economy due to COVID)and potentially also drive exports. Snare software, for instance, is developed in Australia with Australian resources and we generate nearly 80% of our revenue outside Australia.

To expand this our slightly further you could then also look to those geographies that have formal alliances. Like the Five Eyes countries as an example.

The Five Eyes

The Five Eyes is an intelligence sharing alliance comprising Australia, Canada, New Zealand, The UK and the US.  This is a formal agreement on intelligence sharing at an intergovernmental level and is a factor that could be considered in choosing a vendor if they are based in one of these geographies and are used by government or defense agencies in those countries.

This also shows the importance of secure supply chains as any supplier to these agencies could potentially introduce vulnerabilities that could possibly allow access into other agencies in other geographies.

If you are a trusted supplier to any of these agencies then that’s a good recommendation for the commercial world too.

Snare was developed by defense personnel for defense purposes and we have many military and defense agencies and defense suppliers using our software around the globe as Snare has been trusted for Centralised Log Management for decades.

So what do you do if you aren’t sure where your providers are headquartered or need to take steps to ensure your supply chain is trustworthy?

There’s a lot to take in here but in essence its all about trust.

Start by asking if your suppliers have the following:

  • Speak my language, reside in my time zone, have developers I know and a legal framework I can work with and use?
  • Are they trusted by government in my country or in countries that have a level of engagement and cooperation with my own?
  • If they are an international company do they have a team in my country that is bound by our laws?
  • Is the IP protected by law and do I have protections in the license to use the software?
  • Can I be comfortable that I am not introducing risk by choosing a vendor when I am trying to reduce risk?

If you have questions about your supply chain or want to speak with our expert team about implementing Snare’s suite of services as a part of your trusted supply chain, reach out. We are trusted by over 4,000 companies across the globe for log management and can help you create a stronger cyber security infrastructure during a time when it is more important than ever to trust your vendors and your partners.

/by

Creating the Ideal Cybersecurity Blueprint: Why Log Management Is Critical in Preventing Major Fines and Long-Term Security Issues

Creating the Ideal Cybersecurity Plan

When it comes to creating your company’s cybersecurity plan, the focus tends to be on perimeter security products. These will generally include unified threat management systems and email gateways, endpoint detection and protection products, identity access and privilege access products, and security awareness training systems. These security products are easy to evaluate and demonstrate when it comes down to proving a quantifiable return on investment.

These products and solutions are essential in creating a solid infrastructure, but there are some critical components missing when only focusing on the perimeter.

Is log management in your cybersecurity blueprint?

If we use an analogy of a house, these traditional cybersecurity products are like your kitchen, your bathroom, or bedrooms. They are easy to see and easy to attach a value to, but it’s what you can’t see on the surface that really impacts the value, safety, and longevity of a home. If your foundation, wiring, plumbing, and electrical systems are compromised, you will have BIG (and very expensive) problems. What happens if every time you plug an appliance into the wall, it blows a fuse? Or if any time you turn on your air conditioning, your entire electrical system and power is shut down. Each of these events has the potential to compromise the safety of your home, damage the infrastructure, or lead to very costly fixes.

Those events – like plugging in a cord or turning on an appliance – are what putting in a USB, clicking on a file, or logging into a device are in cybersecurity. One event can turn into a costly compliance fine or even invite intruders into your system; and in both analogies, letting in strangers is a worst-case scenario.

Event data is your foundation.

So how do you protect your house?

Imagine if one of those events in your home led to shutting off the power. The easiest way to fix the problem is to narrow down where the problem originated and then to head over to your circuit breaker to fix the problem…

(back to cybersecurity)

That central tool to collect all of your logging events and manage the data is a centralized log management system – we call ours Snare Central.

A centralized event logging tool does not “prevent” a cybersecurity breach or attack. It can, however provide several key features that ensure that your security posture is robust.

A SIEM or ELM is essential and required technology for any organization that must comply with many regulations such as PCI DSS, HIPAA, NERC/FERC and ISO 27001. It is also necessary for any organization to have a centralized logging tool to bolster their security.

Collecting all event data from all devices within your organization, as well as some of the security applications like mobile devices, endpoint management, and firewalls will enable an organization to baseline normal activity. The Snare Central dashboard (see below) provides a visual representation of activity, so if a spike occurs, you can drill down into the action to spot nefarious activity or spot holes in the foundation of their organization.

In the event of a breach, one of the first things that will be required to review in-depth all the log files to pinpoint when and where the initial breach took place – did an end-user open an email and launch malware or attach a USB stick to their desktop and copy data? If you are only collecting from servers and security devices, you may miss an important event in your discovery.

Also, retaining this information is essential.

Going back to the home analogy, if you ever want to sell your home, most buyers will want to know what repairs were done to critical aspects of your home – wiring updated, plumbing repairs, and yes patching to the foundation of your house.

For the security team having the ability to review historical data can address any potential problems going forward.

Centralized event logging is not new, it is not sexy, but it should be part of the foundation of your security framework when it comes to your organization.

 

Talk to our team about adding or upgrading your log management solution

Want to learn more about how Snare’s suite of log management and collection solutions can help your company? Reach out to us here.

 

/by