Continuous Transaction Incident Monitoring Problem, Goals, and Solution March 11, 2004

1. The Last Line of Defense Continuous Transaction Incident Monitoring Problem, Goals, and Solution March 11, 2004

2. Agenda • The Problem • The Solution • Technical Examples of CTIM • Goals Oversight Proprietary and Confidential

3. The Problem • According to industry norms: • Corporations typically lose 1-6% of every dollar to fraud and errors • Average impact of a single fraud: $2M • Average fraud duration before detection: 18 months • Typical fraud detection technique: Accidental or whistle-blower • 1.5 - 2% of all payments are duplicates (errors). 20% of those erroneous payments are never recovered. • Implementation of the controls and reporting requirements within SarBox, GLB, Patriot Act, etc. are challenging and expensive • Business systems are at significant risk • Highly dynamic and open architectures • 1000’s of primary internal users and access points • Millions of secondary threats via the customer, partner, and provider access points • Security, audit, and business controls programs typically lag technology adoption resulting in a significant operational risk gap Never have the consequences of poor or misaligned, security, audit, and business management been so great Oversight Proprietary and Confidential

4. Highest Value Lowest Value The Problem (Cont.) An “Inside-Out” Fraud-Control Perspective Resource Host Perimeter Network Perimeter Firewalls HIDS AuthenticatedUsers Customer Financial Management System Router Privileges NIDS Access Controls 5% Investment 25% Investment 70% Investment Significant “insider-threat” return-on-investment is achieved through Continuous Transaction Incident Monitoring Oversight Proprietary and Confidential

5. Default Point #2: The enterprise application extends from the user interface, through the network and hosts, to the data Point #3: The highest valued assets are at the data level and these are most vulnerable Industry Company The Problem (Cont.) Point #1: There is no traditional perimeter (multiple entry points) User InterfaceLayer Web ServerLayer Data Layer Perimeter DefenseLayer Business RulesLayer $ $ $ RuleData Eaves DroppingPoor Authentication Cross-SiteScripting Spoofing/Trickery Monitoring/Hijacking Allowed / Authorized Traffic Buffer OverflowDefaults SettingsString FormatHidden Services Parallel orSupport Application InsiderDiversion of fundsCheck tamperingShell organizationsPhantom employeesGhost Vendor Buffer OverflowsCharacters(Meta and Null) Thousands of discreet financial transactions occur weekly with no enforceable system controls or monitoring Oversight Proprietary and Confidential

6. Forensics & Fraud Business Analysts Information Security Audit & Control 10100110010010010101 The Solution Continuous Transaction Incident Monitoring • Programmatic Solution • Charter • Policy • Procedures • Organization • Training • Program Linkage/Augmentation • ERP Management • Financial Audit and Compliance • Fraud Control • Information Security • IT and Systems Audit and Controls • Response and Recovery • Risk Management Technology&Techniques Technology Continuous TransactionIncident Monitoring(CTIM) System Governance ReducedLosses ReducedPersonalLiability IncreasedProfits Corporate PolicyGovernment Regulations Industry Standards Data CorrelationIntrusion / Anomaly DetectionBusiness Intel / Analysis ERPFinancial Management Systems CTIM Protects the Business Assets Accounts Receivable Accounts Payable Payroll Oversight Proprietary and Confidential

7. 010010Suspect10010Fraud01100Misuse01Error 010010Insert10010Update0110010Delete010Query 010010Normal10010Irregular011Normal00110Irregu The Solution (Cont.) Oversight™ Collaborative Reasoning Engine Continuous Transaction & Incident Monitoring • Technology Solution • Detects fraud, misuse, and errors • Monitors 100% of selected business transactions • Collects, correlates, and analyzes data from multiple business applications, networked, and external data sources • Supports collaborative reasoning and clue synthesis • Robust case management tools Business TransactionAnalysis Cross FunctionalData Analysis Policy & Scheme Analysis MULTI-DIMENSIONALCLUE SYSTHESIS Accounts Payable HumanResources Accounts Receivable Accounts Payable BusinessTransactions Payroll ERP Systems ERP Sub-Systems ContractsManagement ERP Financial Management System Environment ERP Financial Management Business User Community Multi-source Correlation CTIM is a Hybrid Security, Audit, and Investigations Solution Sample Sources: Business Applications External Sources Network Directories Corporate Telephone System Security Logs Oversight Proprietary and Confidential

8. Default Industry Company Technical Examples of CTIM in Action Threshold Probing: (Valid users tries to see what he/she can get away with). Particularly important in the detection of Ghost Vendor Schemes. Business Process Validation: Rules designed to compare individual transactions, as well as sequences, to your allowed Business processed. Behavior Analysis. (Assessing Standards of ‘Entity Behavior’) User InterfaceLayer Web ServerLayer Data Layer Perimeter DefenseLayer Business RulesLayer $ $ $ RuleData Eaves DroppingPoor Authentication Multi Source Correlation and Analysis. External Sources (Internet) Internal Sources (Phone, email, Time, etc) Oversight Sources (Proprietary Information Sources for validation). Cross-SiteScripting Spoofing/Trickery Monitoring/Hijacking Allowed / Authorized Traffic Buffer OverflowDefaults SettingsString FormatHidden Services Parallel orSupport Application InsiderDiversion of fundsCheck tamperingShell organizationsPhantom employeesGhost Vendor Buffer OverflowsCharacters(Meta and Null) Thousands of discreet financial transactions occur weekly with no enforceable system controls or monitoring Oversight Proprietary and Confidential

9. Default Industry Company Technical Examples of CTIM in Action Threshold Probing: (User attempts to find bypass points in Controls) Transaction Hopping: (Outsiders have successfully compromised the Application and try to ‘learn’ its capabilities). Credential Hopping: (Single Switch long period, indicates a credential that became invalid and substituted. Multi Quick Switches=trying to find credentials with sufficient access). Location Hopping: (Indicates Credential Sharing). User InterfaceLayer Web ServerLayer Data Layer Perimeter DefenseLayer Business RulesLayer $ $ $ RuleData Eaves DroppingPoor Authentication Cross-SiteScripting Spoofing/Trickery Monitoring/Hijacking Allowed / Authorized Traffic Buffer OverflowDefaults SettingsString FormatHidden Services Parallel orSupport Application InsiderDiversion of fundsCheck tamperingShell organizationsPhantom employeesGhost Vendor Buffer OverflowsCharacters(Meta and Null) Oversight provides the ultimate line of defense – Even if the Business Hacker is an outsider who successfully penetratedyour network. Oversight Proprietary and Confidential

10. The Goals Move All Critical Risk Measurements to GREEN • Sample Fraud: • Payroll • Check tampering • Ghost vendors • Phantom employees • Inventory theft • Sales schemes • Sample Errors: • Duplicate payments • Over/Under billing • Shipment misrouting • Improper credits • Improper cost classification • Sample Misuse: • Overrides • Conflict of interests • Separation of duties • Inappropriate cost classification • Privilege misuse • Audit Compliance: • Sarbanes-Oxley • GLB • Patriot Act • Basel II • Internal Policy Misuse-Based Losses Fraud-Based Losses Time Time Error-Based Losses Audit Compliance (SarBox, GLB, Patriot, Basel-II) Time Time Integrated Risk Management – Continuous Transaction Incident Monitoring Oversight Proprietary and Confidential