When deploying security technology, there are a few essential things to consider.
So, there is a tendency in our industry to focus on the new, interesting and ultimately irrelevant - the boring-but-important tasks too often get neglected. Consider the following example.
Lots of organisations focus on the potential risk of bringing new technologies, applications and infrastructure into the enterprise, overlooking the security of systems already in production - systems that represent the majority of real risk to the organisation.
Have you ever noticed that nothing really happens in security until a security incident occurs?
Well, this week was quite eventful in the information security blogosphere and twitterverse, to say the least. The story of the compromise of the Diginotar certificate authority was revealed and, even more interestingly, the CISO of Oracle launched a thinly veiled attack on Veracode, a provider of source code analysis services, and a diatribe against third-party assessment of Oracle's products.
So a trader at UBS lost 2.3 billion dollars. To put that in perspective, that is $2.3B of cold hard liquid cash that is gone, gone, gone. UBS announced plans in August to lay off 3,500 employees to reduce future expenditure over the next three years by a similar amount (around $2.2B USD). A cynic would ask whether there was any risk and compliance personnel headcount in that slash. The current gallows humor joke is that the CEO could have saved $2B by laying off one employee rather than 3,500.

There have been at least nine rogue trading scandals in recent memory. Of note are the following:
• FIRST - Nick Leeson (£827M) at Barings Bank - caused the collapse of the bank
• BREAKING 1 BILLION - Toshihide Iguchi ($1.1B) at Resona Holdings
• BREAKING 2 BILLION - Yasuo Hamanaka ($2.3B) at Sumitomo
• BIGGEST - Jérôme Kerviel (€4.9B) at Société Générale
• LATEST - Kweku Adoboli ($2.3B) at UBS

Now before you start trying to drum up some support for your information security endeavors by quoting $2.3B as a potential saving, let's have a look at how information security can and can't help with the issue of fraud.

Firstly, the traders were all trusted, authorised employees doing what they were employed to do, using systems they were authorised to access and performing activities that were expected. They just escaped their shackles and took larger risks than they were authorised to by finding holes in internal control practices. From my meager research it appears that timing activities to evade monitoring practices was common in many of these instances, very similar to "check kiting" or "Ponzi schemes".

Good questions to ask these institutions, if you had the chance, would be:
• Did any internal control reports detect any irregularities before the major incident?
• Was this their first transgression?
• Were they formally counseled in the past?
• Was this gambling outside of their daily limit done with or without the tacit approval of management?
• What was the risk management culture like within the organisation?

Let's talk about some traditional information security controls that we could potentially apply to this problem, and how they can and can't help us:

Application Security Controls
Application authentication wouldn't have helped, as the traders were authorised users of the trading applications. Role-based access control, implementation of segregation of duties and dual authorisation could potentially have helped if front office and back office functions were in the same application. Front office (those rabid trader/gamblers) and back office (confirmation/settlement/accounting/risk management/compliance) functions are required to be independent. Often these systems are not a single integrated application but a number of interconnected applications.

Infrastructure Security Controls
Anti-malware, HIPS and NIPS damn well wouldn't have worked! There's no signature definition for "employee has gone NUTS today!" A Security Event and Information Management solution definitely wouldn't have helped either, as the transactions were valid, "authorised" application-level transactions, not platform or network logs or IDS alerts.

If you think you can help with this issue as an information security professional, maybe you should adjust your expectations. Ask yourself these questions:
• Do I understand complex financial instruments?
• Do I understand business processes for trading, and how timing and changes in the order of a series of complex activities can subvert internal controls?
• Am I a financial application architect or developer, or do I have the influence to persuade a vendor to make changes to an application?

How can you help?
As an information security professional in a financial institution, consider some of the following activities, which may actually help:
• Develop friendly relationships with your fraud team and internal audit team.
• Help your organisation inventory and risk-assess applications and supporting systems. What are the most critical applications and supporting systems?
• Help introduce the concepts of threat modeling and attack trees to your fraud and audit teams. It may help them in designing controls if they start to think like their prey!
• Lobby for the implementation of effective internal controls within trading/treasury applications. This includes:
  ◦ requirements for controls
  ◦ documentation of how the controls are to be implemented and monitored. These could include restrictions on daily limits for traders, dual authorisation for high-value trades in the front office and back office, real-time monitoring, and even pattern matching of individuals' activities.
  ◦ testing of controls to make sure they are effectively configured and monitored
• Lobby for fraud monitoring applications and resources for the fraud team.
• Lobby for cultural change and employee assistance programs.
• Conduct security awareness training, focusing especially on the dangers and implications for the individual of sharing passwords/smart cards, and on the concepts of role-based access control/segregation of duties.
• Schedule application security and infrastructure security testing of critical applications. Once the internal controls are implemented, it helps if they can't be bypassed with a web proxy and some parameter manipulation.

As always I welcome your feedback and encourage you to share your experiences!
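As an added illustration of the back-office controls listed above (not code from the original post), here is a small monitoring routine run over a constructed trade blotter: it checks a per-trader daily limit, dual authorisation for high-value trades, and the timing pattern of repeated bookings just before the reporting cut-off. The limit values, cut-off time, rule names and sample trades are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Hypothetical policy values; a real desk would take these from its risk limits.
DAILY_LIMIT = 50_000_000          # gross notional per trader per day
DUAL_AUTH_THRESHOLD = 10_000_000  # single trades above this need a second approver
CUTOFF = time(17, 0)              # back-office reporting cut-off
CUTOFF_WINDOW_MIN = 15            # "near cut-off" window in minutes
CUTOFF_PATTERN_COUNT = 3          # bookings in that window before we flag the pattern

@dataclass
class Trade:
    trade_id: str
    trader: str
    booked_at: datetime
    notional: float
    approver: Optional[str]  # second authoriser, None if the trader booked it alone

def find_irregularities(trades):
    """Return (trade_id, rule) pairs in booking order for three back-office checks:
    daily gross limit, dual authorisation above the threshold, and repeated
    bookings just before the reporting cut-off (timing used to dodge monitoring)."""
    flags = []
    running = defaultdict(float)     # (trader, date) -> gross notional booked so far
    near_cutoff = defaultdict(list)  # (trader, date) -> trades booked near cut-off
    for t in sorted(trades, key=lambda x: x.booked_at):
        key = (t.trader, t.booked_at.date())
        running[key] += abs(t.notional)
        if running[key] > DAILY_LIMIT:
            flags.append((t.trade_id, "daily-limit"))
        # An approver equal to the trader is self-approval, not dual authorisation
        if abs(t.notional) > DUAL_AUTH_THRESHOLD and t.approver in (None, t.trader):
            flags.append((t.trade_id, "dual-auth"))
        cutoff_dt = datetime.combine(t.booked_at.date(), CUTOFF)
        minutes_to_cutoff = (cutoff_dt - t.booked_at).total_seconds() / 60
        if 0 <= minutes_to_cutoff <= CUTOFF_WINDOW_MIN:
            near_cutoff[key].append(t.trade_id)
            if len(near_cutoff[key]) == CUTOFF_PATTERN_COUNT:
                flags.append((t.trade_id, "cutoff-timing"))
    return flags
# Constructed sample blotter for one day (not real trades)
SAMPLE = [
    Trade("T1", "alice", datetime(2011, 9, 15, 9, 5), 8_000_000, None),
    Trade("T2", "alice", datetime(2011, 9, 15, 11, 0), 12_000_000, "bob"),
    Trade("T3", "alice", datetime(2011, 9, 15, 16, 48), 15_000_000, "alice"),
    Trade("T4", "alice", datetime(2011, 9, 15, 16, 52), 9_000_000, None),
    Trade("T5", "alice", datetime(2011, 9, 15, 16, 57), 9_000_000, None),
]
```

Running `find_irregularities(SAMPLE)` flags T3 for self-approval and T5 both for breaching the daily limit and for completing a run of three bookings in the final fifteen minutes before cut-off.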