2014-09-03 cybersecurity and computer crimes

Thrive. Grow. Achieve. Cybersecurity and Computer Crimes: The Human Element Leslie C. Kirsch, CFE, Manager, Raffa P.C. September 3, 2014

Upload: raffa-learning-community

Post on 18-Jan-2015


TRANSCRIPT

Page 1: 2014-09-03 Cybersecurity and Computer Crimes

Thrive. Grow. Achieve.

Cybersecurity and Computer Crimes: The Human Element

Leslie C. Kirsch, CFE, Manager, Raffa P.C.

September 3, 2014

Page 2: 2014-09-03 Cybersecurity and Computer Crimes

CONTENTS

•COMPUTER CRIMES

•CYBERSECURITY

•SOCIAL ENGINEERING FRAUDS

•OTHER TECHNOLOGY-ENABLED FRAUDS

•EMERGING ISSUES

Cybersecurity and Computer Crimes: The Human Element | 2

Page 3: 2014-09-03 Cybersecurity and Computer Crimes

COMPUTER CRIMES

DEFINING COMPUTER CRIME

• What is a computer crime? According to U.S. Department of Justice, “any illegal act for which knowledge of computer technology is used to commit the offense”
  – Very broad definition can include anything from cyberstalking to embezzlement
  – Many traditional frauds can be conducted using or targeting a computer; “computer-aided fraud” involves the use of a computer to commit a fraudulent act

• Who commits computer crimes? Anyone can commit a computer crime; it’s not limited to hackers and professional thieves anymore

• How are computer crimes prosecuted? There are a variety of state, federal, and international laws governing computer crimes; because computers allow remote access, the perpetrator does not need to be in the same area as the targeted computer


Page 4: 2014-09-03 Cybersecurity and Computer Crimes

COMPUTER CRIMES

BASIC ELEMENTS OF COMPUTER FRAUD

• State and federal laws are inconsistent and somewhat behind the times on computer crime issues. However, there are three basic elements that are fairly consistent across different statutes. The perpetrator of a computer fraud must:
  – Knowingly access or otherwise use a computer
  – Without authorization, or exceeding authorization
  – With intent to commit a fraudulent or otherwise criminal act

• Be aware, with computer crimes, international law may matter! Electronic information may pass through computers in other countries en route to its final U.S. destination


Page 5: 2014-09-03 Cybersecurity and Computer Crimes

COMPUTER CRIMES

MODERNIZING OLD CRIMES


Page 6: 2014-09-03 Cybersecurity and Computer Crimes

COMPUTER CRIMES

TYPES OF COMPUTER-AIDED FRAUD

• Manipulating computer inputs: Putting false transactions into the system, modifying actual transactions, or removing transactions

• Manipulating programs: Changing the instructions the program uses to process data, e.g. skipping audit trails, altering rounding of bank transactions (Superman III)

• Tampering with computer outputs: Tampering with end result of computer processing – reports and files; includes theft of confidential information


Page 7: 2014-09-03 Cybersecurity and Computer Crimes

COMPUTER CRIMES

INTERNET FRAUD

• The Internet is a playground for fraudsters because it is (1) unsecured, (2) anonymous, (3) unregulated, and (4) temporal

• Tools for fraudsters are widely available on the Internet
  – Company websites for spoofing uses
  – Encryption programs
  – Steganography programs (hide documents within a picture)

• Sentencing for computer crimes can be very harsh, but there are few qualified federal investigators, compared to non-computer crimes


Page 8: 2014-09-03 Cybersecurity and Computer Crimes

COMPUTER CRIMES

COMPUTER CRIME LAWS

• Computer Fraud and Abuse Act of 1986: Criminalizes intentional unauthorized access to a “protected computer” that causes a loss over $1,000 – a computer that is exclusively for the use of the U.S. government, a financial institution, or affecting interstate commerce

• Electronic Communications Privacy Act of 1986: Makes it illegal to intercept stored or transmitted electronic communication without authorization

• Digital Millennium Copyright Act of 1998: Prohibits circumventing a technological measure designed to protect a copyright


Page 9: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

CYBERSECURITY RISK ASSESSMENT

• Burden for protecting your network is always going to lie partly with the end users – identify what knowledge gaps exist for employees and/or clients
  – Users knowingly or unknowingly override even the best controls

• Consider who would be considered “trusted” to access your network and the mechanisms they use to connect

• Since you can’t prevent all attacks, start thinking about how you can detect an attack and how fast you can respond!


Page 10: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

FIREWALLS

• What is it? A software/hardware based security system that controls incoming and outgoing network traffic

• How does it work? It analyzes the data that is trying to move through the system based on set rules for what is “trusted” and what is not
  – Whitelist: A list of users that are trusted; if you’re not on the list, you won’t be granted access.
  – Blacklist: A list of users that can’t be trusted; if you are on the list, you won’t be granted access


Page 11: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

FIREWALLS

• When setting network security, you need to consider whether you are just trying to block unsafe sources from OUTSIDE your network, or whether you want the added security of blocking potentially unsafe traffic WITHIN the network

• If all your efforts are spent keeping bad actors out, then you may be more vulnerable once they’ve gotten in (and they will get in eventually)


Page 12: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

INTRUSION DETECTION AND PREVENTION

• Intrusion detection system: Monitors network or system activities to identify malicious activities or policy violations, producing a report

• Intrusion prevention system: In addition to detecting intrusions, attempts to block the unauthorized access attempt

• There can be a lot of “noise” in intrusion detection – learn to sort the noise from the true threats


Page 13: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

DENIAL OF SERVICE (DOS) ATTACKS

• What is it? An attempt to make a machine or network unavailable to intended users – most commonly seen shutting down a website

• How does it work? Often, the target is bombarded by an overwhelming volume of data that it is forced to process – this slows it down so much that it can’t respond to real users trying to reach it

• First major distributed denial of service attack was committed in February 2000 by a 15 year old Canadian boy (nicknamed “Mafiaboy”), who brought down Yahoo!, CNN, eBay, Dell, and Amazon


Page 14: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

DICTIONARY ATTACKS

• What is it? An attempt to crack a password by guessing using hundreds or millions of likely possibilities, such as the words in the dictionary

• How does it work? Most people tend to choose passwords that are relatively short and use words found in dictionaries, or slight variations (adding a digit or special character)

• Software that aids in dictionary attacks is readily available

• “Strong” passwords can defeat these attacks – simply putting an unexpected character in the middle of the word means the dictionary will not be able to catch it
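A password-policy check for the variations described on this slide, written as an added example (not part of the original presentation). It goes beyond the slide by also treating look-alike substitutions and a single inserted character as variations of a dictionary word; the word list and the substitution table are constructed assumptions.

```python
import re

# Constructed sample word list; a real policy check would load a large
# dictionary plus lists of previously breached passwords.
WORDLIST = {"password", "dragon", "sunshine", "baseball", "welcome"}

# Look-alike substitutions (an assumed, illustrative table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Digits and special characters added before or after the word.
_EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")


def candidate_roots(password):
    """Return the strings a password reduces to under simple edits."""
    lowered = password.lower()
    stripped = _EDGE_JUNK.sub("", lowered)          # "Dragon1!" -> "dragon"
    roots = {
        lowered,
        stripped,
        lowered.translate(LEET),                    # "welcom3" -> "welcome"
        stripped.translate(LEET),                   # "p@ssw0rd" -> "password"
    }
    # Undo one inserted character anywhere in the word:
    # "sun#shine" -> "sunshine".
    for i in range(len(stripped)):
        roots.add(stripped[:i] + stripped[i + 1:])
    return roots


def is_dictionary_based(password, wordlist=WORDLIST):
    """True when the password is a listed word or a simple variation."""
    return any(root in wordlist for root in candidate_roots(password))


def check_passwords(passwords, wordlist=WORDLIST):
    """Map each candidate password to True (reject) or False (accept)."""
    return {p: is_dictionary_based(p, wordlist) for p in passwords}


if __name__ == "__main__":
    samples = ["Dragon1!", "p@ssw0rd", "2014welcome", "sun#shine",
               "tq7#Lm2vXz9k"]
    for pw, rejected in check_passwords(samples).items():
        print(f"{pw!r}: {'reject' if rejected else 'accept'}")
```

A check like this belongs at password-change time, so that passwords derived from a single word are refused before they are ever stored.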


Page 15: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

MALWARE

• What is it? A variety of hostile or intrusive software programs designed to disrupt systems, gather information, or gain unauthorized access.

• Ways to transmit it:
  – Viruses
  – Worms
  – Trojan horses
  – Rootkits

• What can it do once it’s there?
  – Botnets
  – Keyloggers
  – RAM scraper
  – Ransomware
  – Spyware
  – Adware
  – Remote Administration Tools

• Malware overwhelmingly targets Windows-based computers

Page 16: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

MALWARE

• But how does it actually get onto a computer?
  – People let it through!
    • Knowingly downloaded
    • Autorun from an external media storage device, including CDs, DVDs, flash drives, or external hard drives
    • Public wi-fi networks or hotel networks
  – Exploiting security defects in operating systems or individual applications


Page 17: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

VIRUSES AND WORMS

• Virus – attaches to executable software and replicates when run by inserting copies of itself into other programs and files, usually performing some harmful activity

• Worm – replicates to spread to other computers, does not need to attach to an existing program

• “The first worm” – the Morris worm, created in 1988 by a Cornell grad student to “measure the size of the internet,” it inadvertently caused millions of dollars in damages and resulted in the establishment of CERT

• Modern viruses and worms are usually designed to take control of a user’s computer for nefarious uses, including:
  – Sending email spam
  – Hosting contraband data, such as child pornography
  – Executing distributed denial-of-service attacks


Page 18: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

TROJAN HORSE

• A program that invites the user to run it, concealing its harmful code

• Code might take effect immediately, or it may lie in wait and unleash its payload later

• A common delivery method for spyware, bundled with a desirable software download that a user wishes to install

• May provide remote access for someone, crash the computer, steal data, install other software, access webcam, or join the computer to a botnet


Page 19: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

ROOTKITS

• A program designed to conceal a malicious program by modifying the user’s operating system, very hard to remove

• Can keep a process from showing up in the “Processes” list in the system’s Task Manager or hide the files that contain the malicious program

• May also contain code to prevent the program from being uninstalled, for instance, by running duplicates of itself

• Also describes some “desirable” programs that:
  – Conceal cheating in online games
  – Circumvent CD/DVD copyright protection
  – Provide anti-theft protection to monitor/disable/wipe remotely
  – Bypass Microsoft Product Activation


Page 20: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

BOTNETS

• What is it? A group of Internet-connected computers controlled by a master machine

• Created when malicious programs gain control of some or all of computer’s functions

• Used for:
  – Sending out spam emails
  – Denial-of-service attacks
  – Recruiting more bots
  – Cheating in online poker (I can see your cards)

• A botnet controller may rent out the privilege of using the botnet for a “reasonable” price


Page 21: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

KEYLOGGERS

• A piece of software or hardware that (secretly) records the keys struck on a keyboard

• Most malicious versions allow a remote user to obtain the locally recorded keylogs, or upload/email the data to another location

• Can be used by a hacker to obtain authentication credentials or other sensitive data (e.g. trade secrets)


Page 22: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

RAM SCRAPERS

• Gets onto point-of-sale (POS) terminals at retailers using any of the methods of entry already discussed

• Searches the RAM (“temporary” memory) on the POS terminal, where credit/debit card data is stored in a less protected form while it waits to be processed

• When the data is found, it gets uploaded to remote servers where the hackers can read it and profit from it

• Responsible for the major Target data breach of 2013
  – Hackers may have stolen an HVAC contractor’s credentials in order to get through Target’s first layers of security


Page 23: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

RANSOMWARE

• A type of malware that restricts access to the infected computer system and demands that a ransom be paid for the restriction to be removed
  – Can be by encrypting all the files on the hard drive or by locking the system and displaying a payment message

• Enters the system like any other malware, then installs a program that will prevent easy computer access

• Victim usually told to pay through a wire transfer, premium-rate text message, or an online service

• Also known as “scareware” and “cryptoviral extortion”


Page 24: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

RANSOMWARE


Page 25: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

RANSOMWARE


Page 26: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

RANSOMWARE


Page 27: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

SPYWARE

• Software that gathers information about a person or organization secretly and sends it to someone else

• Can collect any kind of data, including authentication credentials, surfing habits, and bank information

• May change computer settings, including browser and software settings

• A number of “anti-spyware” programs actually install spyware!


Page 28: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

ADWARE

• Software that renders advertisements to generate revenue for the creator of the adware

• Advertisements may pop up at any time when using the computer, not necessarily only when surfing the internet

• “Typhoid adware” – a new form of adware that doesn’t require installation of a program in order to display advertisements, it uses non-encrypted wireless connections from WiFi hotspots


Page 29: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

REMOTE ADMINISTRATION TOOLS

• Lets a hacker take complete control of your computer’s functions:
  – Turn on your webcam and record you (keep an eye on the light)
  – Open and close CD drives
  – Open windows
  – Browse files
  – Play sounds
  – Keylogging

• Requires basically no technical knowledge, entire online forums are devoted to providing the tools for it

• Some “ratters” claim to just do it “for the thrill,” but some use what they find to blackmail victims


Page 30: 2014-09-03 Cybersecurity and Computer Crimes

CYBERSECURITY

MALWARE – HOW TO PROTECT YOURSELF

• Never open an unexpected email attachment!

• Have up-to-date antivirus software! Malware is constantly evolving, so you need active licenses and updated virus definitions to keep up.
  – Enable real-time protection – that means each file is scanned as it is downloaded and quarantined until it passes the scan

• Set appropriate user privileges – limit the number of administrators as much as possible to stop malware from spreading if it does reach the computer

• Remove software you aren’t using – every piece of software on a computer is an opportunity for targeted exploits

• Make sure software you are using is patched and up-to-date

• Make regular backups that are kept separate to keep them from being destroyed by a virus


Page 31: 2014-09-03 Cybersecurity and Computer Crimes

SOCIAL ENGINEERING FRAUDS

PRETEXTING

• What is it? Creating and using an invented scenario against a target victim to increase the chance they will divulge secret information or perform a desired action

• Fraudsters use it to trick people into divulging passwords, password hint information (e.g. favorite sports team), account information, or gain trust

• On the internet, pretexting is simplified – there is no body language or verbal cues to give away the con

• Social media websites help pretexters – if you are providing a lot of information about yourself, it is easy for someone to pretend to be trustworthy


Page 32: 2014-09-03 Cybersecurity and Computer Crimes

SOCIAL ENGINEERING FRAUDS

PHISHING

• Phishing: An attempt to obtain information like usernames, passwords, and banking information by pretending to be a trustworthy entity in an email sent to a large group of people
  – Sometimes directs users to enter credentials into a fake website that looks very much like the real website
  – To avoid text filters, phishers may use images instead of words
  – May even direct a target to enter account numbers and PINs by phone

• Spear Phishing: Targeted phishing attempt directed at specific individuals or companies, often backed by an awareness of personal information to increase odds of success

• Whaling: Targeted phishing attempt directed at senior executives or other high profile targets within businesses, who are likely to have high levels of access or power

• Clone Phishing: Duplicates a legitimate email, but changes a hyperlink or attachment to something malicious; often uses the phrase “UPDATED” in subject line


Page 33: 2014-09-03 Cybersecurity and Computer Crimes

SOCIAL ENGINEERING FRAUDS

PHISHING – HOW TO PROTECT YOURSELF

• The first defense is training to recognize phishing attempts.
  – Always assume requests to confirm any of your personal information are fraudulent
  – Most legitimate emails from businesses contain a piece of information not available to phishers, like your name. Be wary of generic emails with salutations like “Dear Customer”
  – Never click on hyperlinks in these emails. If you have concerns, manually type the website address that you know to be accurate into your browser bar

• Software and anti-spam filters can help protect you – do not override quarantines your filter applies!
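The warning signs from the two phishing slides, expressed as a small mail check. This is an added example, not part of the original presentation; the two messages are constructed samples, and the test for a link whose visible text names a different host than its target is an assumption added for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETING = re.compile(
    r"\bdear\s+(customer|user|member|client|account\s+holder)\b", re.I)
CONFIRM_REQUEST = re.compile(
    r"\b(confirm|verify|update)\b.{0,40}"
    r"\b(password|account|pin|personal information|credentials)\b",
    re.I | re.S)
URLISH = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect visible text and (href, link text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def host_of(value):
    """Lower-cased host of a URL or bare domain, without a leading 'www.'."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def phishing_indicators(raw_message):
    """Return the warning signs found in a single-part HTML message."""
    msg = message_from_string(raw_message)
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    text = " ".join("".join(parser.text).split())
    findings = []
    if GENERIC_GREETING.search(text):
        findings.append("generic_greeting")
    if CONFIRM_REQUEST.search(text):
        findings.append("confirm_request")
    if re.search(r"\bupdated\b", msg.get("Subject", ""), re.I):
        findings.append("updated_subject")
    # Link text that looks like an address but points somewhere else.
    if any(URLISH.match(shown) and host_of(shown) != host_of(href)
           for href, shown in parser.links):
        findings.append("link_mismatch")
    return findings


# Constructed sample messages (reserved .test/.example domains).
PHISH = (
    "From: Example Bank <alerts@examplebank.test>\n"
    "Subject: UPDATED: Your account statement\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>Dear Customer,</p>\n"
    "<p>Please confirm your account password at\n"
    '<a href="http://examplebank.test.login-check.example/">'
    "www.examplebank.test</a>\nwithin 24 hours.</p>\n"
)
BENIGN = (
    "From: Example Bank <statements@examplebank.test>\n"
    "Subject: Your March statement is ready\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>Hello Jordan Lee,</p>\n"
    "<p>Your March statement is ready. View it at "
    '<a href="https://www.examplebank.test/statements">examplebank.test</a>.'
    "</p>\n"
)

if __name__ == "__main__":
    print("phish :", phishing_indicators(PHISH))
    print("benign:", phishing_indicators(BENIGN))
```

Indicators like these are a triage aid for training and filtering; a message with none of them can still be fraudulent.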


Page 34: 2014-09-03 Cybersecurity and Computer Crimes

SOCIAL ENGINEERING FRAUDS

PHARMING

• An attack that redirects one website’s traffic to another site

• Used for identity theft – redirect traffic from a website that requires a user to log in and you can steal their credentials

• Anti-virus software and spam filters cannot protect against it

• Pharming can target an individual computer or a router, changing it so that when you enter the address of a legitimate website, you are directed to another website under a fraudster’s control


Page 35: 2014-09-03 Cybersecurity and Computer Crimes

SOCIAL ENGINEERING FRAUDS

PHARMING – HOW TO PROTECT YOURSELF

• Can be very difficult to identify and avoid – pharming is commonly the result of malware intended to corrupt the way your computer accesses the internet

• Make sure that you are accessing secure web connections for sensitive information, indicated by https:// instead of http://

• Always make sure that personal wireless networks require a strong password for access – do not allow free access, use the default password, or use a simple password that can be hacked using a dictionary attack
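A check for the individual-computer case of pharming, written as an added example (not part of the original presentation). It assumes the redirection was made through the machine's local hosts file, which overrides normal name lookups; the watched domains and the hosts file content are constructed samples.

```python
import ipaddress

# Constructed list of sites whose logins are worth protecting.
WATCHED = {"examplebank.test", "examplepay.test"}

# Constructed hosts file content (documentation-range addresses).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1      localhost
::1            localhost
203.0.113.45   www.examplebank.test examplebank.test   # added by "updater"
0.0.0.0        ads.tracker.example
198.51.100.7   Login.ExamplePay.test
192.168.1.10   nas.home.example
not-an-ip      broken.line
"""


def is_watched(name, watched):
    """True for a watched domain or any of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in watched)


def suspicious_hosts_entries(hosts_text, watched=WATCHED):
    """Return (line number, hostname, address) for watched names that the
    hosts file pins to a routable address."""
    findings = []
    for lineno, line in enumerate(hosts_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line
        # Loopback and 0.0.0.0 entries block a name rather than redirect it.
        if addr.is_loopback or addr.is_unspecified:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if is_watched(name, watched):
                findings.append((lineno, name, str(addr)))
    return findings


if __name__ == "__main__":
    for lineno, name, addr in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} is pinned to {addr}")
```

A clean result does not rule out the router case described above, where the redirection happens before the request reaches the computer's own settings.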


Page 36: 2014-09-03 Cybersecurity and Computer Crimes

SOCIAL ENGINEERING FRAUDS

BAITING

• An attacker leaves an infected external storage device in a public location with a legitimate-looking (and interesting) label, then waits for a user to access it

• As soon as a user accesses the storage device, malware is installed on the user’s computer, taking advantage of auto-run

• Can also be something like a “free iPod” that compromises the computers it is used on


Page 37: 2014-09-03 Cybersecurity and Computer Crimes

SOCIAL ENGINEERING FRAUDS

BAITING – HOW TO PROTECT YOURSELF

• Never use an unknown external storage device!

• Turn off autorun on your computer

• Disable external storage device access, period


Page 38: 2014-09-03 Cybersecurity and Computer Crimes

SOCIAL ENGINEERING FRAUDS

SOCIAL ENGINEERING – HOW TO PROTECT YOURSELF

• Never give out sensitive information by phone/email, etc

• Provide physical security, require employees to wear badges and guests to be escorted

• Don’t type in passwords with anyone else present

• Lock and monitor the mail room, if you have one

• Lock phone closets and server rooms

• Control overseas/long-distance calls

• Keep trash in secured/monitored areas; institute shredding and electronic device destruction policies

• Require that sensitive/confidential documents be locked up


Page 39: 2014-09-03 Cybersecurity and Computer Crimes

OTHER TECHNOLOGY-ENABLED FRAUDS

ROGUE SECURITY SOFTWARE

• Commercial programs that claim to remove malware, but actually install it

• Most require a user to decide to install the software, which usually has a Trojan horse attached

• Often through fake websites that notify you that “your machine is infected” and suggest a “trial download”


Page 40: 2014-09-03 Cybersecurity and Computer Crimes

OTHER TECHNOLOGY-ENABLED FRAUDS

FRAUDULENT HOTSPOTS

• Fraudsters set up a bogus public WiFi hotspot in areas where legitimate hotspots are common, like hotels, airports, and cafes

• When people use the hotspot, the fraudsters are able to access email, accounts, and software

• In London, multiple bankers’ accounts were hacked this way; the hackers used the bankers’ email accounts to request transfers of funds worth millions of dollars!


Page 41: 2014-09-03 Cybersecurity and Computer Crimes

OTHER TECHNOLOGY-ENABLED FRAUDS

CHARGEBACK FRAUD

• When a fraudster takes advantage of credit card processing times to order goods with express shipping, then cancels the transaction after shipping to prevent payment

• Online transactions are considered “card-not-present” transactions, which puts the loss burden on the seller – who also likely has to pay a “chargeback fee” to the credit card processor (the card issuer has the loss burden normally)

• The “Card Security Code” on new credit cards is partly to combat chargeback fraud – it requires the holder to have physical access to the card to provide the number


Page 42: 2014-09-03 Cybersecurity and Computer Crimes

OTHER TECHNOLOGY-ENABLED FRAUDS

CATFISHING

• A “catfish” creates fake personal profiles on social media sites

• Used to pursue deceptive online romances

• The most famous victim: Notre Dame linebacker Manti Te’o


Page 43: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

CREDIT CARD CHIPS

• Chip & PIN – cards have built-in chips, the cardholder must enter a PIN at the time of purchase to approve the purchase

• Currently in use throughout Europe

• Replaces the magnetic strip/receipt signature combination
  – Magnetic strip data can be easily stolen with a card reader
  – Since a signature is easily faked, thieves can make purchases immediately

• In Europe, it shifts liability burden to the customer, since theoretically the only way unauthorized activity occurs is if the PIN is shared
  – In the U.S., the Electronic Fund Transfer Act of 1978 doesn’t allow the legal liability to shift the same way


Page 44: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

CREDIT CARD CHIPS

• Why is the current system vulnerable?
  – Magnetic stripes are at risk from card skimmers!
  – It’s easy to steal just a credit card number, and it costs very little money to construct a magnetic stripe card


Page 45: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

CREDIT CARD CHIPS

• So why isn’t the U.S. already using them?
  – The cards themselves are much more expensive for the issuer to produce and distribute: $2 vs. $15-20
  – New infrastructure costs a lot for retailers
  – Current law allows tax write-offs for the issuer for portion of fraud losses (50%), the rest are generally passed along to customers through fees and service charges

• Do they really reduce fraud?
  – In-store fraud plummeted in the U.K. when the cards were first introduced
  – Card-not-present transactions still occur
  – More complex equivalents to card readers still exist
  – Secondary purchase method is still magnetic strips on chip cards

• Fraud always catches up!


Page 46: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

“SMART DEVICE” HACKING

• Everyone has “smart” phones, which means we’re all carrying around tiny computers

• We’re not used to thinking of our phones as a vulnerability, but they are very susceptible to fraud

• Why is your phone such a target?
  – You probably use it for business and personal matters, so it could have data that impacts both
  – It’s easy to hide malware in an application download
  – A controlled phone can send premium text messages
  – Automatic connections to public wi-fi makes you vulnerable

• Smartphone-related identity theft is on the rise!


Page 47: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

“SMART DEVICE” HACKING

• Increasingly, we’re being offered Internet-connected devices for all aspects of our lives
  – Home automation – remote control of lights, blinds, garage doors, security systems
  – “Smart” refrigerators
  – Internet-enabled baby monitors

• If it’s on the internet, it is vulnerable to hackers
  – Many of these new devices are designed without consideration for security, since they’re not items that traditionally require security!


Page 48: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

“SMART DEVICE” HACKING


Page 49: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

“SMART DEVICE” HACKING


Page 50: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

DIGITAL CURRENCIES


Page 51: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

DIGITAL CURRENCIES

• Do they matter?
  – The short answer: Maybe, kinda, who knows…
  – The long answer:
    • They’re potentially revolutionary, but nobody knows what to expect
    • The technology that underlies the currency can do a lot more than just exchange money, in theory at least
    • But right now, they make up such a small portion of the global economy that they don’t really matter much
  – They definitely matter when it comes to law enforcement, because they change the money laundering game completely!

• They’re easy to disregard as “fake” money, but in a lot of ways they’re as real as fiat currency…


Page 52: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

DIGITAL CURRENCIES

• Admittedly, it’s very hard to take a currency seriously when it’s based on an internet meme of a shiba inu...


Page 53: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

DIGITAL CURRENCIES


Page 54: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

DIGITAL CURRENCIES

• What are they? Digital currencies that are based on cryptography (computer-based encryption)
  – Decentralized
  – Non-government
  – Generally pseudonymous (not anonymous)
  – Cap on total volume that can ever exist of each currency

• How many different kinds are there? As of August 2014, 471 different digital currencies exist
  – Bitcoin dominates the digital currency market, it has more market cap in dollars than all the other currencies combined ($6 billion)
  – www.coinmarketcap.com

• Who uses them (right now, at least)?
  – Sadly, criminals! (criminals are often early adopters)
  – Speculators, like commodities
  – Technology enthusiasts/early adopters, working toward legitimacy


Page 55: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

DIGITAL CURRENCIES

• How does it work (generally, at least)?
  – Currency is “mined” by computers based on the underlying algorithm
    • It’s about performing a computation that fits the cryptocurrency’s security algorithms (like finding a new prime number)
    • If you uncover something new, you get a share of your discovery’s value and it gets added to the “public ledger”
  – Pseudonymous wallet – an ID that only you know that stores your cryptocurrency, either local or online
    • One person can have many wallets, to maintain greater anonymity
    • Cryptocurrency exchanges generally don’t want to know who you really are, they don’t function like banks
    • Taking your wallet offline is called “cold storage” and is meant to protect it from theft, but the computer device used to store it is still physically vulnerable to damage or theft (you can have backups)
  – Public ledger – a fully public list of all transactions that have ever occurred, published with wallet IDs only
  – To make a transfer, you tell your business partner your wallet, and they use an exchange to send you the requested funds


Page 56: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

DIGITAL CURRENCIES

• Bitcoin and the “Silk Road”
  – What is “Silk Road”? An online marketplace in the “Deep Web” that is known as the “Amazon.com of illegal drugs”
    • Run by the “Dread Pirate Roberts”
    • Shut down by the FBI on October 2, 2013; arrested the Dread Pirate Roberts – Ross William Ulbricht – for murder-for-hire and trafficking
    • By November 6, 2013, back up and running, under the leadership of the new “Dread Pirate Roberts” (big fans of The Princess Bride, surely!)
  – All Silk Road transactions were made in bitcoins
  – At that time, there were 11.75 million bitcoins in circulation – Silk Road had done 9.5 million in bitcoin activity before it was shut down!
  – FBI seized the Bitcoins of the site and Ulbricht, making them the holders of the world’s biggest single Bitcoin “wallet”


Page 57: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

DIGITAL CURRENCIES

• What are the benefits? Why are people excited?
  – “Pure” economy – since the supply cannot be manipulated, there is no such thing as a central banker to exercise monetary policy
  – Doesn’t rely on “trust” in the transaction processing
  – Extremely low transaction fees, especially compared to money orders, which matters a lot to impoverished nations
    • Decentralization means that you can make a transfer anywhere at any time as long as you have internet access
  – Can’t be stolen (in theory, at least)
  – For law enforcement, pseudonymity can be a huge blessing – once they know one bad actor, they can trace to a lot of others
    • Cryptocurrencies are hard to seize though, since they’re not held by an intermediary like a bank

• But, you can’t totally “hide” cryptocurrencies in physical space – no stashing Dogecoins in your mattress! If I find your wallet(s), then I have all your money…

Page 58: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

DIGITAL CURRENCIES

• What are the drawbacks?

– If someone attaches you to your wallet ID, they can see every transaction you have ever engaged in (so much for surprising your spouse on their birthday!)

– You can’t actually remove “trust” from monetary transactions – you have to trust your business partners, right?

– Right now, price fluctuations mean they’re highly volatile (watch for pump and dump schemes)

– Hard to exchange for “real-world” services and fiat currency

– Highly reliant on the activities of exchanges to transfer into real money – exchanges use technology that is less secure than the actual cryptocurrencies

– Virtually unregulated, so consumers are not protected

• Transactions are irreversible – if you are a victim of fraud, you have really no recourse whatsoever, unlike your current banking/credit cards

• If your exchange/bank is attacked, you can lose everything (e.g. Flexcoin)
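
The two pseudonymity points above (investigators tracing from one known bad actor to others, and anyone who links you to a wallet ID seeing your whole history) both follow from the ledger being public. The sketch below is an added example, not part of the original presentation; the ledger, wallet IDs and amounts are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (sender wallet ID, receiver wallet ID, amount).
# All wallet IDs and amounts are invented for this example.
LEDGER = [
    ("W_ALICE", "W_SHOP", 2.0),
    ("W_SHOP", "W_SUPPLIER", 1.5),
    ("W_BAD", "W_MULE1", 10.0),
    ("W_MULE1", "W_MULE2", 9.5),
    ("W_MULE2", "W_CASHOUT", 9.0),
    ("W_ALICE", "W_BAD", 0.3),
    ("W_BOB", "W_CHARITY", 1.0),
]

def history(ledger, wallet):
    """Every transaction a wallet ID ever took part in, in ledger order."""
    return [tx for tx in ledger if wallet in (tx[0], tx[1])]

def trace(ledger, start, max_hops):
    """Breadth-first walk of the ledger: wallet ID -> hops away from start."""
    neighbours = defaultdict(set)
    for sender, receiver, _amount in ledger:
        neighbours[sender].add(receiver)
        neighbours[receiver].add(sender)
    hops = {start: 0}
    queue = deque([start])
    while queue:
        wallet = queue.popleft()
        if hops[wallet] == max_hops:
            continue  # do not expand past the requested depth
        for other in sorted(neighbours[wallet]):
            if other not in hops:
                hops[other] = hops[wallet] + 1
                queue.append(other)
    return hops

if __name__ == "__main__":
    # Once W_BAD is tied to a person, its full history is readable by anyone.
    for tx in history(LEDGER, "W_BAD"):
        print(tx)
    # Wallets within two transfers of the known bad actor.
    print(trace(LEDGER, "W_BAD", 2))
```

A wallet appearing in the trace is a lead, not proof of involvement: W_ALICE shows up only because she paid W_BAD once. Because one person can hold many wallets, real investigations also have to group wallet IDs that belong to the same owner, which this sketch does not attempt.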

Page 59: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

DIGITAL CURRENCIES

Bitcoin Volatility from September 2013 – August 2014

Page 60: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

DIGITAL CURRENCIES

• A Cautionary Tale: The Mt. Gox Bankruptcy

– One of the biggest Bitcoin exchanges

– CEO has a less than trustworthy history

– November 2013 – withdrawals stop processing correctly

– February 2014 – Mt. Gox claims that a bug in the Bitcoin programming results in theft of 850,000 Bitcoins (7% of coins -$1B)

– February 28, 2014 – Mt. Gox declares bankruptcy

– When was the money taken?

• Well, the CEO moved 400,000 bitcoins around in June 2011

• From 2011-2013, Mt. Gox wouldn’t provide any financial information

• Looks almost like a traditional lapping scheme

– Who took the money?

• The explanation provided by Mt. Gox doesn’t make technical sense

• Back in July 2011, another exchange mysteriously “lost” all their deposits, then “recovered” 49%, which were given back to depositors

• Mt. Gox “found” 200,000 Bitcoins on March 20, 2014

– Liquidation proceedings are going forward in Tokyo

Page 61: 2014-09-03 Cybersecurity and Computer Crimes

EMERGING ISSUES

DIGITAL CURRENCIES

• New payment mechanisms tend to have a lot of fraud in their early days (just look at PayPal)

• Cryptocurrencies need to take fraud seriously as a threat in order to address it and gain acceptance

• Remember, Bitcoin may fail, but someday the cryptocurrency equivalent of Google will come along…

Page 62: 2014-09-03 Cybersecurity and Computer Crimes

QUESTIONS AND ANSWERS

Page 63: 2014-09-03 Cybersecurity and Computer Crimes

HOW CAN RAFFA ASSIST YOU IN PREVENTING AND DETECTING FRAUD?

A resource for the nonprofit community to help organizations effectively manage risk and better ensure

the prevention and detection of fraud.

VISIT US AT WWW.RAFFA.COM/FRAUD

Page 64: 2014-09-03 Cybersecurity and Computer Crimes

HOW CAN RAFFA ASSIST YOU IN PREVENTING AND DETECTING FRAUD?

OUR WEEKLY NEWSLETTER

Page 65: 2014-09-03 Cybersecurity and Computer Crimes

HOW CAN RAFFA ASSIST YOU IN PREVENTING AND DETECTING FRAUD?

Are you threatened by fraud, litigation or insolvency?

Are you selling your business, transferring assets or structuring a new venture?

Raffa forensic accounting experts will do more to assist you in these challenging circumstances.

Forensic Accounting Services Group

Our Team’s Services:

• Fraud Investigations & Prevention

• Litigation Support & Expert Testimony

• Business Valuation & Due Diligence

• Insolvency & Reorganization

Page 66: 2014-09-03 Cybersecurity and Computer Crimes

HOW CAN RAFFA ASSIST YOU IN PREVENTING AND DETECTING FRAUD?

How We Empower You

• We identify and mitigate fraud risk by performing a fraud risk assessment

• We provide fraud investigations if you are, or suspect you are, a victim of fraud

• We provide litigation support, expert testimony and forensic accounting services in business disputes, financial investigations, bankruptcies, arbitrations and mediations

• We analyze, investigate and interpret complex transactions to provide an understandable, well-researched and unbiased valuation of your business or organization

• We have expertise in restructuring and turnaround management for underperforming organizations

Forensic Accounting Services Group

Page 67: 2014-09-03 Cybersecurity and Computer Crimes

HOW CAN RAFFA ASSIST YOU IN PREVENTING AND DETECTING FRAUD?

Fraud Investigations & Prevention

• Fraud examinations and internal investigations

• Fraud risk assessments

• Review of internal controls and management practices

• Financial statement misrepresentations

• Background and workplace investigations

• Computer forensic analysis, imaging, data mining and recovery

• Reconstruction of accounting records

• Continuous audit services

• Anti-fraud consulting and training

Forensic Accounting Services Group

Litigation Support & Expert Testimony

• Lost earnings and profits

• Lost value

• Breach of contract

• Breach of fiduciary duty

• Business interruption

• Contract costs and claims

• Tortious interference

• Patent infringement

• Professional malpractice

• Shareholder disputes

• Theft of intellectual property

• Wrongful termination

• Wrongful death

Page 68: 2014-09-03 Cybersecurity and Computer Crimes

HOW CAN RAFFA ASSIST YOU IN PREVENTING AND DETECTING FRAUD?

Business Valuation & Due Diligence

• Mergers, acquisitions and divestitures

• Marital dissolution

• Partner/shareholder disputes

• Estate and gift tax planning

• Financial reporting

• Compensation related

• Employee stock ownership plans

• Benchmark studies

• Financial modeling

Forensic Accounting Services Group

Insolvency & Reorganization

• Viability analysis and survival assessment

• Strategic restructuring

• Cash flow analysis and forecasting

• Liquidation analysis

• Evaluating creditor and debtor positions

• Restructuring debt

• Interim management services, including Chief Restructuring Officer

• Preparing plans of reorganization and disclosure statements

• Pre-bankruptcy planning and post-filing compliance

• Bankruptcy litigation consulting to trustees

Page 69: 2014-09-03 Cybersecurity and Computer Crimes

• 9 years of fraud investigation and financial audit experience

• Started career with U.S. Government Accountability Office’s Forensic Audits and Special Investigations Unit

• Led forensic audits and investigations on a variety of topics, including: Federal contractor/grantee eligibility fraud and integrity issues; federal tax collection program integrity; abuse of government purchase cards, travel cards, and premium class travel privileges; employment of sex offenders and child abusers at schools and child care facilities; passport application fraud; manufacture and marketing of herbal dietary supplements

• Designed innovative analytical strategies and investigative techniques to identify fraud indicators in complex datasets, using software packages such as IDEA and SAS

• Identified, investigated, and ultimately referred hundreds of cases of potential fraud, waste, and abuse to federal authorities for administrative action

• Led multiple undercover operations of varying complexity and political sensitivity

• Drafted numerous congressional testimonies and publicly available audit reports

• Designed and implemented internal quality assurance policies and procedures

EDUCATION & CERTIFICATIONS

• Bachelor of Science, Accounting – University of Maryland, College Park

• Bachelor of Science, Finance – University of Maryland, College Park

• Designated as a Certified Fraud Examiner (CFE) by the Association of Certified Fraud Examiners

• SAS Certified Base Programmer for SAS 9

BIOGRAPHY

Leslie C. Kirsch, CFE

Manager

RAFFA, P.C.

1899 L STREET, NW

WASHINGTON, DC 20036

TEL. 202-955-7204

FAX [email protected]