When executives are making decisions they like to know the best case and the worst case for their decisions so that they can measure risks. This is because from risk comes reward! A government agency that takes no risks, offers no valuable services. A company that takes zero risks will go out of business. Every service/product/deal always has an inherent risk associated with it.
In case you haven't heard, a high profile blogger acting on a tip-off identified that pretty much complete access was available to all the internal file shares on the corporate network of New Zealand's Ministry of Social Development (MSD) via their public access kiosk computers. Other interesting facts have come to light, such as that vulnerabilities were reported in a penetration test and not acted upon.
I've been engaged by some smaller companies recently and it has given me some insight into the "best bang for buck" information security activities they should be doing. Here’s a list of some of the fundamental security controls they should consider.
When liaising on projects as a security architect, it’s important not to spring surprises on your project manager. Most project managers tend to react with an involuntary facial twitch to "new requirements", which are often associated with project delays and cost overruns.
So you are a CIO or perhaps a CRO? Well it's definitely time to hire a Chief Information Security Officer (CISO). Debate still rages as to whether a single position can cover all of the responsibilities for security in a large institution, but the position of CISO is already well established.
Matthew has over ten years' experience operating solely in the area of information security, holds a Bachelor's degree in security management from ECU and is also a CISSP. He is a former Account Director in Deloitte’s Security & Privacy Services practice. Matthew has led security testing teams on assessments of large core systems replacement projects for banking institutions. He operates more in the area of information security governance these days, despite his urge to still stay a bit technical. Hence he plays with BackTrack Linux, Metasploit and new web application security assessment tools in his rare free time. Currently he runs his own consultancy called Ronin Security Consulting and holds the title of General Manager of Security Testing at Enex TestLab. He is an active member of the Australian Information Security Association, and held the office of Melbourne Branch Executive for a number of years.
Matt’s security blog is called Infamous Agenda and he is an active Twitter user with the handle @mhackling.
So a trader at UBS lost 2.3 billion dollars. To put that in perspective, that is $2.3B of cold hard liquid cash that is gone, gone, gone. UBS announced plans in August to lay off 3500 employees to reduce future expenditure over the next three years by a similar amount (around $2.2B USD). A cynic would ask whether any risk and compliance headcount was included in that cull. The current gallows-humour joke is that the CEO could have saved $2B by laying off one employee rather than 3500.
There have been at least nine rogue trading scandals in recent memory.
Of note are the following:
• FIRST - Nick Leeson (827M Pounds) at Barings Bank - caused collapse of the bank
• BREAKING 1 BILLION - Toshihide Iguchi ($1.1B) at Resona Holdings
• BREAKING 2 BILLION - Yasuo Hamanaka ($2.3B) at Sumitomo
• BIGGEST - Jérôme Kerviel (€4.9B) at Société Générale
• LATEST - Kweku Adoboli ($2.3B) at UBS
Now before you start trying to drum up some support for your information security endeavors by quoting $2.3B as a potential saving, let's have a look at how information security can and can't help with the issue of fraud.
Firstly, the traders were all trusted, authorised employees doing what they were employed to do, using systems they were authorised to access and performing activities that were expected. They just escaped their shackles and took larger risks than they were authorised to by finding holes in internal control practices. From my meagre research, it appears that timing activities to evade monitoring practices was common in many of these instances, very similar to "check kiting" or "Ponzi schemes".
Good questions to ask these institutions, if you had the chance, would be:
• Did any internal control reports detect any irregularities prior to the major incident?
• Was this their first transgression?
• Were they formally counseled in the past?
• Was this gambling outside of their daily limit with or without the tacit approval of management?
• What was the risk management culture like within the organisation?
Let's talk about some traditional information security controls that we could potentially apply to this problem and how they can and can't help us:
Application Security Controls
Application authentication wouldn't have helped, as the traders were authorised users of the trading applications.
Role based access control, implementation of segregation of duties and dual authorisation could potentially have helped if front office and back office functions were in the same application. Front office (those rabid trader/gamblers) and back office (confirmation/settlement/accounting/risk management/compliance) functions are required to be independent. Often these systems are not a single integrated application but a number of applications that are interconnected.
Infrastructure Security Controls
Anti-Malware, HIPS and NIPS damn well wouldn't have worked! There's no signature definition for "employee has gone NUTS today!"
A Security Event and Information Management solution definitely wouldn't have helped, as the transactions were valid, "authorised" application-level transactions, not platform or network logs or IDS alerts.
If you think you can help with this issue as an information security professional, maybe you should adjust your expectations. Ask yourself these questions:
• Do I understand complex financial instruments?
• Do I understand business processes for trading and how timing and changes in the order of a series of complex activities can subvert internal controls?
• Am I a financial application architect or developer or do I have the influence to persuade a vendor to make changes to an application?
How can you help?
As an information security professional in a financial institution, consider some of the following activities, which may actually help:
• Develop friendly relationships with your fraud team and internal audit team
• Help your organisation inventory and risk assess applications and supporting systems. What are the most critical applications and supporting systems?
• Help introduce the concepts of threat modeling and attack trees to your fraud and audit teams. It may help them in designing controls if they start to think like their prey!
• Lobby for the implementation of effective internal controls within trading/treasury applications. This includes:
◦ requirements for controls
◦ documentation of how the controls are to be implemented and monitored. These could include restrictions on daily limits for traders, dual authorisation for high value trades in the front office and back office, real time monitoring, and even pattern matching of individuals' activities.
◦ testing of controls to make sure they are effectively configured and monitored
• Lobby for fraud monitoring applications and resources for the fraud team
• Lobby for cultural change and employee assistance programs
• Conduct security awareness training, focusing especially on the dangers and implications for the individual of sharing passwords/smart cards and on the concepts of role based access control/segregation of duties.
• Schedule application security and infrastructure security testing of critical applications. Once the internal controls are implemented, it helps to verify that they can't be bypassed with a web proxy and some parameter manipulation.
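To make the internal controls listed above concrete (daily limits, dual authorisation, segregation of duties, pattern matching on timing, and testing that the controls sit server-side so parameter manipulation cannot skip them), here is an added example that is not from the original post or any real trading system. The limit values, the 17:00 monitoring cutoff and the trades are all constructed for illustration.

```python
# Added example (not from the original post): a server-side trade-control check.
# Thresholds, cutoff hour and all trade data are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

DAILY_LIMIT = 10_000_000         # constructed: per-trader daily notional limit
DUAL_AUTH_THRESHOLD = 2_000_000  # constructed: above this a second approver is required
MONITORING_CUTOFF_HOUR = 17      # constructed: hour the end-of-day risk report runs


@dataclass
class Trade:
    trader: str
    notional: float
    booked_at: datetime
    approver: Optional[str] = None
    cancelled_at: Optional[datetime] = None


@dataclass
class TradeControls:
    # running notional per (trader, day); lives server-side, never in the client form
    daily_used: dict = field(default_factory=dict)

    def check(self, t: Trade) -> list:
        """Return the list of control violations for a trade (empty list = accepted)."""
        findings = []
        key = (t.trader, t.booked_at.date())
        used = self.daily_used.get(key, 0.0)
        if used + t.notional > DAILY_LIMIT:
            findings.append("daily limit exceeded")
        if t.notional > DUAL_AUTH_THRESHOLD:
            if t.approver is None:
                findings.append("dual authorisation missing")
            elif t.approver == t.trader:  # segregation of duties: approver must differ
                findings.append("segregation of duties: self-approval")
        # Timing pattern: booked shortly before the risk report runs and cancelled
        # shortly after it, so the position never appears in monitoring output.
        if t.cancelled_at is not None:
            cutoff = t.booked_at.replace(hour=MONITORING_CUTOFF_HOUR, minute=0, second=0)
            before_window = cutoff - timedelta(minutes=30) <= t.booked_at < cutoff
            after_window = cutoff <= t.cancelled_at <= cutoff + timedelta(hours=2)
            if before_window and after_window:
                findings.append("suspicious timing around monitoring cutoff")
        if not findings:  # only accepted trades consume the daily limit
            self.daily_used[key] = used + t.notional
        return findings
```

Because the limit state and approver check live in `TradeControls`, a client that edits the form fields in a web proxy still hits the same checks, which is exactly what the security testing in the last bullet should confirm.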
As always I welcome your feedback and encourage you to share your experiences!