How one DR disaster can lead to other disasters
Hurricane Harvey devastated much of Harris County, Texas, last year. In the aftermath of the hurricane, repairing the city was the top priority.
While the County was focused on disaster recovery, another disaster had already occurred. “Harris County auditor’s office received an email from someone named Fiona Chambers who presented herself as an accountant with D&W Contractors, Inc. The contractor was repairing a Harvey-damaged parking lot, cleaning up debris and building a road for the county, and wanted to be paid. Chambers asked if the county could deposit $888,000 into the contractor’s new bank account.”
According to govtech.com, the county sent the money out two weeks later, on October 12th, only to scramble to get the money back. Luckily, the county was notified that Fiona Chambers was not an accountant at D&W Contractors. Harris County did get its money back; however, the incident started a debate within the county over its cyber and financial security.
These kinds of opportunistic attacks happen everywhere, including in Northeast Ohio. Using Harris County’s public example, we asked ASMGi’s Ted Kozenko, our Senior Governance, Risk and Compliance Consultant, how he would assess a similar situation. If Harris County, the third largest county in the United States, can be targeted this way, any county could be vulnerable.
- If you were the CISO of Harris County, how would you approach this situation?
While this could be a security breach, this is more of a financial issue. Knowing that most employees do not want to harm their organization, a CISO could work with the CFO to develop processes and procedures for sending payments. There are business-as-usual payments and emergency payments. Once a vendor is vetted, that relationship becomes part of an organization’s regular business. Invoices from and payments to the vendor are received and made without problems. Emergency situations like the Hurricane Harvey situation should be treated with a heightened awareness for fraud potential.
- Was this attack due to an employee problem or a technical vulnerability?
This could have been a combination of an employee problem and a technical vulnerability. While not stated in the article, the employee may have been following then-current procedures to release the funds. The payment system may not have supplemental threshold criteria defined to hold payments for verification. Not wanting your name associated with delaying such an important check is a reason people fall for such scams. Emails can look extremely legitimate and senders’ addresses can be spoofed. Using filters on the email systems may have prevented this incident.
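The answer above mentions spoofed sender addresses and mail filters. The following is an added example, not code from ASMGi or from the article, of the kind of heuristic screen a mail gateway or a small script in front of the accounts-payable mailbox could apply: it holds a message for review when the display name claims a vetted vendor but the sending domain is not one that vendor uses, when Reply-To points at a different domain than From, when the gateway has recorded an SPF or DMARC failure, or when the body asks for a change to payment details. The vendor list, the domains and both sample messages are constructed for illustration.

```python
"""Heuristic BEC screening for inbound vendor e-mail (added example, not
from the original post). Flags messages that should be held for review
before anyone acts on a payment instruction they contain."""
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor master: display-name fragment we expect, mapped to the
# domains that vendor legitimately sends from. A real deployment would load
# this from the ERP's vendor records.
KNOWN_VENDORS = {
    "d&w contractors": {"dw-contractors.example"},
}

# Phrases that usually accompany a BEC payment-redirection request.
PAYMENT_CHANGE_PHRASES = ("new bank account", "updated banking", "wire", "routing number")


def _domain(addr: str) -> str:
    """Lower-cased domain part of 'user@host', or '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_failed(results: str) -> bool:
    """True if an Authentication-Results header reports SPF or DMARC failure."""
    r = results.lower()
    return "spf=fail" in r or "dmarc=fail" in r


def screen_message(raw: str) -> list:
    """Return the list of reasons to hold the message; empty means no hit."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    reasons = []

    # 1. Display name impersonates a vetted vendor, but the sender domain is
    #    not one that vendor uses (lookalike or free-mail domain).
    for vendor, domains in KNOWN_VENDORS.items():
        if vendor in from_name.lower() and from_dom not in domains:
            reasons.append(f"display name '{from_name}' claims {vendor} "
                           f"but sender domain is {from_dom}")

    # 2. Reply-To sends replies (and any 'confirmation') somewhere other than
    #    the sending domain.
    if reply_addr and _domain(reply_addr) != from_dom:
        reasons.append(f"Reply-To domain {_domain(reply_addr)} differs "
                       f"from From domain {from_dom}")

    # 3. The receiving gateway recorded an SPF or DMARC failure.
    if _auth_failed(msg.get("Authentication-Results", "")):
        reasons.append("SPF/DMARC failure recorded by the mail gateway")

    # 4. The body asks for a change to payment details.
    body = msg.get_payload(decode=True) or b""
    text = body.decode(errors="replace").lower()
    if any(p in text for p in PAYMENT_CHANGE_PHRASES):
        reasons.append("body requests a change to payment details")

    return reasons


# Constructed sample: impersonation of the vendor from a free-mail domain.
SAMPLE_BEC = """\
From: D&W Contractors Accounts <accounts.dwcontractors@mail.example>
Reply-To: Accounts <ap@dw-contractors-inc.example>
To: ap@county.example
Subject: Updated remittance details for invoice 1042
Authentication-Results: mx.county.example; spf=fail smtp.mailfrom=mail.example; dmarc=fail
Content-Type: text/plain; charset="us-ascii"

Hello, please deposit the outstanding balance into our new bank account.
Routing number and account details attached.
"""

# Constructed sample: a normal invoice from the vendor's real domain.
SAMPLE_LEGIT = """\
From: D&W Contractors Accounts <ap@dw-contractors.example>
To: ap@county.example
Subject: Invoice 1041
Authentication-Results: mx.county.example; spf=pass smtp.mailfrom=dw-contractors.example; dmarc=pass
Content-Type: text/plain; charset="us-ascii"

Invoice 1041 is attached for payment under the existing agreement.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, screen_message(sample))
```

These checks are deliberately simple and produce holds, not rejections: a legitimate vendor can change banks or hire a new accounting firm, so the point is to route the message to a person who verifies out of band rather than to block it silently.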
- What technical, employee, policy or layer approach could be most effective for this situation?
In the ideal world, this would be a layered combination of all three. Technical controls like ERP workflows allow multiple people to verify payments. Employee procedures and awareness training can help mitigate scams like Business Email Compromise (BEC). Policies like dual signature checks and out-of-band account and contact verifications complement procedures. Employee training through tools like KnowBe4 can help raise awareness on how to spot BEC and other phishing scams. Out-of-band verification is contacting a known representative of the vendor or bank at a phone number that is not one provided in the possible scam.
Involving law enforcement is a good practice. Investigations can be kept private.
Additional BEC information is available from the FBI at https://www.fbi.gov/news/stories/business-e-mail-compromise. Processes for filing reports are at the FBI’s Internet Crime Complaint Center (IC3) https://www.ic3.gov/media/2015/150827-1.aspx.
- What would the technical solution be, to reduce the risk of this happening again?
A technical solution could be an automated workflow of payment approvals that have to be completed by different people prior to sending any payment. Larger ERP systems have functionality that can allow the creation and auditing of such workflows. Depending on the banking capabilities, it may be possible to check the age of the destination account, which can raise flags for new accounts. Adding extra technical controls for out-of-state or internet banks, services like PayPal or Western Union, or working through your bank’s anti-fraud departments can also help.
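The two answers above (the layered approach and the technical solution) describe a set of payment-release controls: a vetted vendor master, a hold on any change of bank details until it is verified out of band at a number on file, a threshold above which two different people must approve, and a flag on newly opened destination accounts. The block below is an added example, not ASMGi's or Harris County's code, that models those controls as a single release gate such as an ERP workflow step might implement. The thresholds, vendor record, phone number and account age are constructed assumptions; the $888,000 amount is the figure from the article.

```python
"""Payment-release gate with layered controls (added example, not from the
original post). Returns the list of holds that must be cleared before a
payment is released; an empty list means the payment may go out."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed policy values; a real organisation sets these with the CFO.
DUAL_APPROVAL_THRESHOLD = 50_000      # above this amount two approvers are required
NEW_ACCOUNT_MIN_AGE_DAYS = 90         # destination accounts younger than this are held


@dataclass
class Vendor:
    name: str
    bank_account: str    # account verified during vendor vetting
    contact_phone: str   # number from the vetting file, never from an e-mail


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    bank_account: str
    approvers: List[str] = field(default_factory=list)
    account_opened: Optional[date] = None    # from the bank, where that lookup exists
    oob_verified_by: Optional[str] = None    # staff member who called the number on file


@dataclass
class Decision:
    release: bool
    holds: List[str]


def evaluate(req: PaymentRequest, vendors: Dict[str, Vendor], today: date) -> Decision:
    """Apply the layered controls and return the holds, if any."""
    holds: List[str] = []
    vendor = vendors.get(req.vendor)

    # Control 1: only vendors in the vetted master file are paid at all.
    if vendor is None:
        return Decision(False, [f"vendor '{req.vendor}' is not in the vendor master"])

    # Control 2: a change of bank details is the classic BEC ask. Hold it
    # until someone has confirmed it out of band at the number on file.
    if req.bank_account != vendor.bank_account and req.oob_verified_by is None:
        holds.append("bank account differs from account on file; "
                     f"confirm out of band at {vendor.contact_phone}")

    # Control 3: segregation of duties above the threshold. The same person
    # approving twice does not count.
    if req.amount > DUAL_APPROVAL_THRESHOLD and len(set(req.approvers)) < 2:
        holds.append(f"amount {req.amount:,.2f} exceeds {DUAL_APPROVAL_THRESHOLD:,} "
                     "and needs two different approvers")

    # Control 4: a newly opened destination account is a fraud signal.
    if req.account_opened is not None:
        age = (today - req.account_opened).days
        if age < NEW_ACCOUNT_MIN_AGE_DAYS:
            holds.append(f"destination account is only {age} days old")

    return Decision(release=not holds, holds=holds)


# Constructed vendor master with one vetted vendor.
VENDORS = {
    "D&W Contractors": Vendor("D&W Contractors", "ACCT-ON-FILE-0001", "555-0100"),
}


def scenario_from_article() -> Decision:
    """The article's request: $888,000 to a new account, one approver, no call-back."""
    req = PaymentRequest("D&W Contractors", 888_000, "ACCT-NEW-9999",
                         approvers=["ap_clerk"], account_opened=date(2017, 9, 20))
    return evaluate(req, VENDORS, today=date(2017, 10, 12))


def scenario_cleared() -> Decision:
    """Same payment after the controls were satisfied."""
    req = PaymentRequest("D&W Contractors", 888_000, "ACCT-NEW-9999",
                         approvers=["ap_clerk", "controller"],
                         account_opened=date(2017, 1, 5), oob_verified_by="treasury")
    return evaluate(req, VENDORS, today=date(2017, 10, 12))


if __name__ == "__main__":
    print(scenario_from_article())
    print(scenario_cleared())
```

Each hold names the action that clears it, so the workflow can assign it to a specific person and the audit trail shows who verified what; that is the part of the design that keeps the technical control tied to the human and out-of-band inputs the next answer insists on.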
- How effective would this technical solution be?
While technical solutions may create efficiencies, they are only as good as the programmed workflow. They are effective but still should be dependent on human inputs and outside verifications.