Network World - In 1992, a British bank sent an employee to Singapore to launch and manage its trading operations. The employee engaged in speculative derivatives trading which counted on the Japanese market remaining stable. Unfortunately for him, the Kobe earthquake in 1995 sent the Nikkei into a state of volatility. His risky trades led to $1 billion in losses for the bank.
The employee was Nick Leeson and his actions led to the fire sale of a household name in the British banking industry, Barings Bank, for just 1 GBP in 1995. The problem? Leeson simultaneously held roles as office manager, trader, and IT guy, which allowed him to hide his losses in old error accounts and avoid detection for four years.
Fast forward a decade to 2005. An employee of a global French bank is transferred from a middle-office role in compliance to a front-office role as a trader. In 2007 he begins using a bogus account portfolio to hide risky trades and significantly exceeds his trading limits. In 2008 the bank finally detects the problem but by then the losses exceed $7 billion.
The employee is the now infamous insider Jerome Kerviel who worked for Societe Generale, ranked 43rd on Fortune’s 2008 Global 500 list. The problem? While Kerviel used several ploys such as small trades in high frequency to avoid tripping alert thresholds, the fundamental problem was the same as in the Barings Bank case. Kerviel continued to have access to accounts from his previous role in the compliance and controls division which a trader should never have had.
Both incidents are classic examples of failure to enforce “separation of duties”, a common enabler of insider threats. When it comes to insider threats — or even other cyber threats -- you’ve probably heard over and over, “the clues were in the logs, if only they were picked up!”
Well, often the clues aren’t enough. Consolidation of logs is certainly the first step, but to use those clues and detect separation of duties violations or other insider threats, there are four other important technical challenges that must be addressed:
* Missing user context. Router logs may have shown traffic from Jerome Kerviel’s desktop to a server he was not supposed to access as a trader. However these logs would only contain IP addresses and the same is true for many other sources. To leverage such clues, the source IP address would need to be mapped back to Kerviel as the owner.
* Bridging user identities. As an IT manager Nick Leeson had direct access to backend servers. As a trader he had application accounts. The combination enabled him to create bogus accounts and hide his trades. In this case, accessing logs would only provide partial clues specific to each credential and the underlying application. Simply put, unless you can link log activity from separate credentials to an actual user, many insider threats will go undetected.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
