When finance and accounting professionals worry about computer security, they may think about stolen laptops, purloined passwords, or lost backup drives. But few worry about hacker attacks against their accounting system software, the kind of attacks that could bring down an entire business or even upend part of the global accounting system.
Well, start worrying.
A pair of computer science security experts has unveiled new research that shows just how easy it might be to crack into such commonly used software systems as SAP, Oracle, or even QuickBooks, Sage or Microsoft’s Dynamics.
If hackers were able to manipulate the world’s accounting systems, governments and corporations would be in a frenzy. Guess what? Hackers can and will, according to Tom Eston and Brett Kimmell of SecureState, a computer security company, in a white paper explaining their Project Mayhem in detail. The so-called proof-of-concept paper was presented at the global Black Hat convention of security professionals in Abu Dhabi in 2012.
They say accounting fraud by hackers could be easy and potentially undetectable.
“Typically accountants wouldn’t think malware could manipulate accounting systems,” Brett Kimmell, SecureState Risk Management Manager, tells CPA Trendlines. “We have shown it is possible.”
“CFOs and controllers need to consider how they would handle a situation where a piece of malware made journal entries in their company’s accounting system under the CFO’s or controller’s User ID,” Kimmell says, adding that IT controls and back-end accounting controls need to be strengthened. “There are too many unique attacks that could occur,” he says.
Remote access software is a potential target for bad actors to gain entry and take control of a machine.
Kimmell and Eston describe manipulating the major financial accounting systems used by corporations large and small to show the importance of good information security and accounting controls. “We identify ways to manipulate accounting systems for financial gain, demonstrating real-world mass accounting systems fraud.”
They have identified multiple ways to manipulate accounting data and misappropriate funds. The research focuses on middle-tier accounting systems used by mid-sized and large corporations. “Breaking into a company’s internal network is a trivial task for most moderately skilled penetration testers and attackers,” they say. “The typical methodology usually begins with finding the ‘low hanging fruit,’ such as weak Windows domain passwords, open Apache Tomcat and JBoss administration interfaces and the penetration testers’ best friend, the exploitation of the elusive MS08-067 vulnerability.”
They go on:
“Once administrator level accounts have been compromised, the attacker starts looking for data on company systems. The standard fare usually includes employee passwords, SSNs, PCI cardholder data, PHI, and other data items deemed sensitive or confidential by the company. Typically, this data is found on file shares, email systems and of course, databases.”
Aside from a screenshot or two of the sensitive information, it’s very rare to find penetration testers provide a proof of concept attack to show the damage that gaining access to this information could do.
What separates the moderately skilled penetration tester from the expert penetration tester is finding and showing the manipulation of the accounting and financial systems of the company.
If an attacker can control and manipulate the accounting system of the company to commit mass systems fraud, it can create more devastating and long-term consequences for the company. Changing or manipulating financial data is just the beginning.
As a professional penetration tester, you must be able to demonstrate more advanced attacks to show real impact to the business.
Detecting advanced attacks like these, which are carried out by technical means, relies on accounting controls rather than on technical security controls.
Moreover, is the accounting staff capable of implementing a set of controls that would detect fraud when resources are limited in many small and mid-sized companies? Small to mid-sized companies lack total control over their financial processes. Given the volume of accounts in a typical accounting general ledger, it is unlikely accounting departments are reconciling every account each month.
Half of small companies either don’t reconcile their bank accounts or don’t do it properly. Bank reconciliation is the most critical control for detecting check fraud.
But even with proper bank reconciliation, funds can be diverted without immediate detection. Fraud attacks could last for months or years. Getting caught depends on the skills and resources available and whether an audit is performed or not.
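The two controls discussed above, bank reconciliation and scrutiny of who posts journal entries and when, can be illustrated in code. The following is an added example written for this article, not code from SecureState or the Project Mayhem paper. All names, the ledger and bank-statement records, the user IDs (`cfo`, `apclerk`) and the business-hours window are constructed assumptions; it reconciles cash postings against bank lines and separately flags entries posted under privileged user IDs outside working hours, which is the pattern the malware-under-the-CFO's-ID scenario described above would leave behind.

```python
"""Added example (not from the page or SecureState): reconcile cash-account
journal entries against a bank statement and flag privileged off-hours postings."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    posted_by: str        # user ID the entry was posted under
    posted_at: datetime   # when the entry was created in the accounting system
    amount_cents: int     # cash movement in cents; negative = outflow
    memo: str


@dataclass(frozen=True)
class BankTxn:
    txn_id: str
    booked_on: datetime
    amount_cents: int     # negative = money left the account
    counterparty: str


# Constructed sample data (assumption, not real records): four ledger postings
# and three bank-statement lines. JE-1003 is the suspicious one: a large payment
# posted under the CFO's ID at 02:17, and the money really did leave the bank.
LEDGER = [
    JournalEntry("JE-1001", "apclerk", datetime(2012, 11, 5, 10, 12), -125_000, "Office lease, November"),
    JournalEntry("JE-1002", "apclerk", datetime(2012, 11, 6, 14, 40), -48_250, "Telecom invoice 7731"),
    JournalEntry("JE-1003", "cfo", datetime(2012, 11, 7, 2, 17), -990_000, "Consulting fees, ACME Advisory"),
    JournalEntry("JE-1004", "apclerk", datetime(2012, 11, 8, 9, 5), -12_000, "Courier charges"),
]
BANK = [
    BankTxn("BK-501", datetime(2012, 11, 6), -125_000, "LANDLORD HOLDINGS"),
    BankTxn("BK-502", datetime(2012, 11, 8), -990_000, "ACME ADVISORY LTD"),
    BankTxn("BK-503", datetime(2012, 11, 9), -7_500, "UNKNOWN PAYEE 4412"),
]


def reconcile(ledger, bank, window_days=3):
    """Pair each ledger posting with one bank line of the same amount booked within
    window_days of the posting. Leftovers on either side are the exceptions an
    accountant has to explain."""
    window = timedelta(days=window_days)
    unmatched_bank = list(bank)
    matched, ledger_only = [], []
    for je in ledger:
        hit = None
        for tx in unmatched_bank:
            if tx.amount_cents == je.amount_cents and abs(tx.booked_on - je.posted_at) <= window:
                hit = tx
                break
        if hit is None:
            ledger_only.append(je.entry_id)          # recorded, but never cleared the bank
        else:
            unmatched_bank.remove(hit)               # each bank line may be used once
            matched.append((je.entry_id, hit.txn_id))
    bank_only = [tx.txn_id for tx in unmatched_bank]  # cleared the bank, never recorded
    return {"matched": matched, "ledger_only": ledger_only, "bank_only": bank_only}


def flag_privileged_postings(ledger, privileged_users, business_hours=(8, 18)):
    """Flag entries posted under privileged user IDs outside business hours or at
    weekends. Legitimate CFO/controller postings are rare at 02:17; a process acting
    under their credentials does not keep office hours."""
    start, end = business_hours
    flagged = []
    for je in ledger:
        if je.posted_by not in privileged_users:
            continue
        off_hours = not (start <= je.posted_at.hour < end)
        weekend = je.posted_at.weekday() >= 5
        if off_hours or weekend:
            flagged.append(je.entry_id)
    return flagged


if __name__ == "__main__":
    report = reconcile(LEDGER, BANK)
    print("matched:     ", report["matched"])
    print("ledger only: ", report["ledger_only"])
    print("bank only:   ", report["bank_only"])
    print("off-hours privileged postings:", flag_privileged_postings(LEDGER, {"cfo", "controller"}))
```

Note what reconciliation alone catches and what it misses: JE-1002 and JE-1004 never cleared the bank and BK-503 was never recorded, so they surface as exceptions, but JE-1003 reconciles cleanly because the funds genuinely left the account. That is the point made above about diversion surviving a proper bank reconciliation; it is only the second control, reviewing which user IDs post large entries and when, that brings JE-1003 to an accountant's attention.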
Cyber-security is a major issue today. Organizations and government institutions need to be vigilant about how regularly they audit their systems, especially where sensitive user data is concerned. Hackers are always ahead of the game, with sophisticated hardware, software and skills applied to penetration, and with malware written and customized to alter a system. Today it is careless for organizations to fail to detect intrusions into their systems, especially those that manipulate data and information flow.
You can add to this article via the comments below; let us share for a safer web experience.