Wednesday, August 25, 2010

The Privileged Abuser

How to protect yourself when your most trusted insiders go bad

Breaches of security by a privileged user are usually hushed up, but sometimes the damage is way too big to sweep under the rug. In January 2008, Societe Generale, the second-largest bank in France, reported that a 31-year-old trader named Jerome Kerviel had made unauthorized trades of European equities futures that caused the bank to lose $7.6 billion and exposed it to risks amounting to billions more.

How could such liability have gotten so enormous without supervisors becoming aware of it?

The bank characterized Kerviel as a "computer genius" who was able to evade internal monitoring because of the knowledge he had acquired while working for five years on the bank's security systems.

A Compliance Mentality

Companies make themselves more vulnerable than they realize. They usually don't vigilantly monitor those they trust with privileged access. Often, privileged access is not rescinded when it is no longer necessary.

Moreover, a disgruntled employee who knows he may be terminated may create a back door into the organization's system, which he can use later to create mischief. According to security professionals, disgruntled employees almost always give warning of their hostility through overt, cantankerous behavior, yet in many cases this evidence is ignored.

In addition, companies tend to think of security in terms of protecting organizations from attacks by outsiders rather than insiders. Another source of vulnerability is "privilege creep". That's when an administrator is granted certain privileges and retains them even after his or her role changes and the privileges are no longer necessary.

Typically, access is rescinded less frequently and far less vigilantly than it is granted. Such vulnerabilities are easily overlooked if a company has a compliance mentality rather than a risk-based approach to security.
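As an added illustration of the privilege-creep problem described above (example code, not from the article), the audit below reconciles each account's current grants against what its current role justifies and names the earlier role that originally explained any leftover grant. The role-to-entitlement map and the account records are hypothetical, constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical role model: which entitlements each role legitimately needs.
# A terminated account should hold nothing at all.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "trader":         {"trading-desk", "market-data"},
    "back-office":    {"settlement-db", "trade-ledger-rw"},
    "security-admin": {"monitoring-console", "audit-log-admin"},
    "terminated":     set(),
}

@dataclass
class Account:
    user: str
    role_history: List[str]              # oldest first; last entry is the current role
    grants: Set[str] = field(default_factory=set)

    @property
    def current_role(self) -> str:
        return self.role_history[-1]

def _justifying_role(grant: str, past_roles: List[str]) -> Optional[str]:
    """Return the most recent past role whose entitlements include `grant`, if any."""
    for role in reversed(past_roles):
        if grant in ROLE_ENTITLEMENTS.get(role, set()):
            return role
    return None

def audit_privilege_creep(accounts: List[Account]) -> Dict[str, List[str]]:
    """Per user, list grants the current role does not justify.

    Each finding says whether the grant is a leftover from an earlier role
    (classic privilege creep) or was never justified by any recorded role.
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        allowed = ROLE_ENTITLEMENTS.get(acct.current_role, set())
        notes = []
        for grant in sorted(acct.grants - allowed):   # grants not covered by the current role
            origin = _justifying_role(grant, acct.role_history[:-1])
            notes.append(f"{grant} (left over from role '{origin}')" if origin
                         else f"{grant} (never justified)")
        if notes:
            findings[acct.user] = notes
    return findings

# Constructed sample accounts: a role change without revocation, a terminated
# user still holding access, a clean account, and an unexplained grant.
ACCOUNTS = [
    Account("trader01", ["security-admin", "trader"], {"trading-desk", "market-data", "monitoring-console"}),
    Account("ops02", ["back-office", "terminated"], {"settlement-db"}),
    Account("trader03", ["trader"], {"trading-desk", "market-data"}),
    Account("admin04", ["security-admin"], {"monitoring-console", "trade-ledger-rw"}),
]

if __name__ == "__main__":
    for user, notes in audit_privilege_creep(ACCOUNTS).items():
        print(f"{user}: " + "; ".join(notes))
```

Running this against a real directory export would mean replacing ACCOUNTS with the organization's actual accounts and role history; the reconciliation logic itself stays the same.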

The compliance mentality slaps technical fixes onto the network in order to meet regulations. The company may be compliant, but not necessarily secure.
