At the podcaster meetup at Shmoocon 2010 an interesting conversation ensued about the lack of business acumen among penetration testers. "Penetration testers don't understand business and don't know how to talk to our executives" was the charge. (IMHO it is my job as the CISO to translate haxor geek speak into boardroom geek speak, but that's another subject.) Regardless of whether the charge is accurate, it does benefit the penetration tester to have a basic understanding of how the CFO, auditors and others with a financial background tend to look at things. This is my attempt to explain their view of the world in terms we understand.
For the penetration tester, gaining remote access is a two-step process: 1) load malware on the remote host, 2) cause the malware to execute. If you can do one but not the other, the system is "safe" from attack. In the financial world the GL-Hacker (General Ledger Hacker) also has a two-step process: 1) effect a transfer of funds between the company and a third party (banks, vendors, employees, credit card companies), 2) make the matching adjustment on the general ledger. If they can do one but not the other, the company will notice the funds are missing during its "reconciliation process", where the balance on the ledger is compared against the balance reported by the outside system (the bank statement, the vendor's account, and so on). Accountants, auditors and CFOs tend to assume that system controls such as authentication, confidentiality and integrity (yes, I know the A in CIA is availability) are in place and functioning properly. That is our job. They focus on the authorizations given to an account to determine whether it allows both functions a GL-Hacker requires (transfer funds, adjust ledger).
With that in mind, let's look at some of the major components (sub-ledgers) of a general ledger that are often targets of fraud and how the GL-Hacker tries to manipulate them.
Accounts Payable (IE Money we owe)
Accounts Payable generally has two major components: a "Purchase Order" process, where you pay vendors for goods and services, and a "financial transactions" process. Not all vendors will accept checks or payment through traditional means, and not all business transactions go through the Purchase Order process. Items such as mergers and acquisitions and other one-time executive initiatives are often paid by wire transfer through the "financial transactions" process. The PO process tends to be very well structured and monitored, whereas the transactions process, by its nature a one-off process, is more often susceptible to fraud. Within the Accounts Payable system you often see the following vulnerabilities.
- Can the same person create a vendor and issue them a check?
- Can someone change the banking information on the vendor master file, generate a payment (IE Approve the PO) and change bank information back?
- Are wire transfers confirmed before they are executed? Could the cleaning crew pick up a completed "wire transfer" form with executive signatures from someone's inbox, make a copy and perform a "fund transfer replay attack" with a different destination account (the GL-Hacker's version of a different destination IP address)?
Payroll (IE Money we pay employees)
This is pretty self-explanatory. We should all be familiar with the fact that employers send us money and other financial benefits such as 401k and medical disbursements. Payroll can have similar issues to Accounts Payable. The person who can create an employee and edit their direct deposit and/or benefits information should not have the ability to start or end their active employment (IE pay them).
- Ghost employees. Can someone create an employee record and activate their payroll?
- Incorrect termination dates. If someone's last day is the 10th, can HR edit their direct deposit information on the 10th and let payroll keep running until an end-of-month termination date?
- Rogue benefits. Can HR edit their own pay rate or bonus? Can they add 401k or other benefits they are not entitled to?
Accounts Receivable (IE Money we are collecting)
We are collecting money here, so it's all good, right? Not really. There are a couple of things to watch for. First, does all the money you collect make it to the bank, or does some of it end up in an employee's pocket? The second thing to worry about is "account adjustments" such as refunds or chargebacks. The cash issue is again solved by separating the lock from the key: the person who collects the money isn't the same person who posts how much money you should have received to the ledger. For refunds and chargebacks, the person who authorizes a refund should not be the same person who determines where the refund goes. A chargeback occurs when a customer disputes a credit card charge on their bill; in those cases the business is required to prove the transaction is legitimate.
- Can a single person edit the banking or credit card number on an account, issue them a refund and then change the information back?
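Every question in the Accounts Payable, Payroll and Accounts Receivable lists above is the same check: does any one account hold both halves of a GL-Hacker's attack? The script below, an added example and not code from the original post, runs that segregation-of-duties review over a role export. The role names, user names and authorization names are constructed for the example; a real ERP exports this data in its own format and you would load it in place of the `ROLES` and `USERS` dictionaries. It also handles the "rogue benefits" case, where an authorization is dangerous on its own unless the system stops the holder from applying it to their own record.

```python
"""Segregation-of-duties (SoD) review of ERP role assignments.

Added example, not code from the original post. Roles, users and
authorization names are constructed for illustration.
"""
from collections import defaultdict

# Role -> authorizations it grants (constructed sample data).
ROLES = {
    "ap_clerk":            {"ap.vendor.create", "ap.po.enter"},
    "ap_manager":          {"ap.po.approve", "ap.payment.issue"},
    "vendor_master_admin": {"ap.vendor.bank_edit"},
    "treasury":            {"ap.wire.enter", "ap.wire.release"},
    "hr_generalist":       {"hr.employee.create", "hr.direct_deposit.edit",
                            "hr.termination.edit"},
    "payroll_admin":       {"payroll.activate", "payroll.rate.edit"},
    "cashier":             {"ar.cash.receive"},
    "ar_clerk":            {"ar.receipt.post", "ar.customer.payment_edit"},
    "ar_supervisor":       {"ar.refund.authorize"},
}

# User -> roles (constructed). Comments name the fraud each combination enables.
USERS = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_manager", "vendor_master_admin"},  # swap vendor bank info, approve, swap back
    "carol": {"treasury"},                           # enters and releases wires alone
    "dave":  {"hr_generalist", "payroll_admin"},     # ghost employee / late termination
    "erin":  {"cashier"},
    "frank": {"ar_clerk", "ar_supervisor"},          # point a refund at their own card
}

# Toxic combinations: together they give one account both halves of the
# attack (move the money, and make the ledger agree).
TOXIC = {
    "AP: create vendor + issue payment":             {"ap.vendor.create", "ap.payment.issue"},
    "AP: edit vendor bank info + approve PO":        {"ap.vendor.bank_edit", "ap.po.approve"},
    "AP: enter wire + release wire":                 {"ap.wire.enter", "ap.wire.release"},
    "Payroll: create employee + activate payroll":   {"hr.employee.create", "payroll.activate"},
    "Payroll: edit direct deposit + edit term date": {"hr.direct_deposit.edit", "hr.termination.edit"},
    "AR: receive cash + post receipts":              {"ar.cash.receive", "ar.receipt.post"},
    "AR: edit customer payment details + authorize refund":
        {"ar.customer.payment_edit", "ar.refund.authorize"},
}

# Authorizations that are dangerous alone if the ERP lets the holder apply
# them to their own employee record (the "rogue benefits" case).
SELF_SENSITIVE = {"payroll.rate.edit", "hr.direct_deposit.edit"}


def effective_permissions(user, users=USERS, roles=ROLES):
    """Union of everything the user's roles grant."""
    perms = set()
    for role in users.get(user, ()):
        perms |= roles.get(role, set())
    return perms


def sod_violations(users=USERS, roles=ROLES, toxic=TOXIC):
    """Map each user to the toxic combinations they hold in full."""
    findings = {}
    for user in users:
        perms = effective_permissions(user, users, roles)
        hits = sorted(name for name, combo in toxic.items() if combo <= perms)
        if hits:
            findings[user] = hits
    return findings


def explain(user, combo_name, users=USERS, roles=ROLES, toxic=TOXIC):
    """Which role supplies each half of a combination, so the reviewer knows what to revoke."""
    sources = defaultdict(list)
    for role in sorted(users[user]):
        for perm in toxic[combo_name] & roles.get(role, set()):
            sources[perm].append(role)
    return dict(sources)


def self_edit_exposure(users=USERS, roles=ROLES, own_record_locked=frozenset()):
    """Users holding a self-sensitive authorization the ERP does not lock out of
    their own record. own_record_locked lists authorizations for which the
    system enforces that lockout (an assumption about the ERP's capabilities)."""
    exposed = {}
    for user in users:
        risky = sorted((effective_permissions(user, users, roles) & SELF_SENSITIVE)
                       - set(own_record_locked))
        if risky:
            exposed[user] = risky
    return exposed


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        for name in hits:
            print(f"{user}: {name} via {explain(user, name)}")
    print("self-edit exposure:", self_edit_exposure(own_record_locked={"hr.direct_deposit.edit"}))
```

Note that alice (create vendor) and bob (issue payment) together still hold a full toxic pair; the script flags only single accounts, which is exactly the auditor's question. Collusion between two people is handled by the logs and monitoring the next paragraph mentions, not by authorization design.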
Like hacking computer systems, the number of ways a GL-Hacker can commit fraud is limited only by their imagination and their understanding of the system they are attacking. Having good auditors who understand the system and can look at it in terms of how an attacker might game it is essential to the success of a good risk management program. Accountants rely on logs, monitoring and separating the two essential elements of the attack to protect their systems. Wow, that sounds familiar.
So there you go, maybe hackers and accountants aren't that different after all. We just have different "geek" speak. We talk in three-letter acronyms (SSL, TCP, GRE and SSH); they talk in two-letter ones (FI, AR, AP, GL). Information security is pretty new compared to accounting. I think you'll find that by adopting some of their language, or at least understanding some of it, you are able to communicate risk effectively and influence change during your next pen test.