Tax authorities allegedly paid an informant to supply information about customers at a Liechtenstein bank. Calum Macleod asks what can be done to protect information from rogue activities
Last week it emerged that German tax authorities allegedly paid 5m Euros to an anonymous informant to supply information about clients who had accounts at the well-known Liechtenstein bank, LGT Group.
The UK's tax authority also confirmed that it had paid for data on British citizens with accounts in the tax haven, according to reports.
LGT Group said ‘like every other financial institute, it is not immune to the under-hand activities of individual persons.’ We are talking about a country with no measurable organised crime, where common crime such as robbery and assault is virtually unknown, and yet even poor old Liechtenstein is not immune to highly sensitive data finding its way into the wrong hands. The bank also stated that ‘security precautions to protect the private sphere of clients have been continually enhanced to conform to the latest technology over the years and there are no grounds to indicate that client information has been stolen since 2002.’
This latter statement is extremely bold, especially since it is very unlikely that LGT Group has had complete auditability of its privileged IT accounts or embedded application accounts since 2002. Without that audit trail, how can it be sure that its IT staff have not been viewing confidential data during this period?
One of the most frequently recurring scenarios in the financial sector today is the lack of control and accountability within IT. Whether it is SocGen or LGT, the problem frequently comes down to a failure of IT controls and a failure to restrict access to highly sensitive information to authorised staff.
Organisations need to take great care to ensure that sensitive information is not accessible to staff without proper controls. As enterprise networks become more accessible, the risk rises that information will be accessed by staff who are not authorised to see it.
What many organisations fail to appreciate is the power that IT staff have. Because of the nature of their work they are frequently granted privileged access to systems, and that access is frequently anonymous. In spite of hundreds of millions of Euros being invested in strong authentication such as biometrics and tokens, privileged access to systems does not use these techniques but relies heavily on static passwords that are shared by many staff, so no individual can be held to account for what the ‘root’ or ‘administrator’ account did.
So what can be done?
Take control of your privileged accounts
The first step is to implement an effective privileged password management solution. This gives an organisation complete control over privileged accounts and the means to enforce policies such as one-time passwords for administrative tasks: a named person checks the credential out for a stated purpose, the check-out is logged, and the password is changed as soon as the task is finished, so the same password is never reused by the next person.
Secure your embedded application accounts
Today’s enterprises have complex IT environments in which information is exchanged between multiple systems and applications automatically. When these systems and applications communicate with each other they have to identify themselves, which they do through user IDs and passwords written into the code or its configuration files. Not only are these rarely, if ever, changed, but the software engineers who wrote the code find it extremely simple to masquerade as the application and access sensitive data. One answer is to change these embedded credentials regularly, which is only practical once they are taken out of the code and retrieved by the application at runtime from a controlled store.
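The check-out and rotation policy described under the two headings above, as an added example that is not code from the original article or from Cyber-Ark. It is a small in-memory vault of my own: the account names, principals and policies are constructed for the demonstration, and rotation only updates the vault record, whereas a real deployment would also push each new password to the target system over SSH, a database connection or an API.

```python
import secrets
import string
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical in-memory vault; names and policies below are constructed for the example.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@"


def generate_password(length: int = 24) -> str:
    """Cryptographically random password, never derived from the previous one."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


@dataclass
class Account:
    name: str
    password: str
    rotate_after_use: bool   # one-time-password policy for interactive admin work
    max_age: float           # seconds an embedded/service password may live
    last_rotated: float
    checked_out_by: Optional[str] = None


class PrivilegedVault:
    """Brokers privileged and embedded credentials instead of sharing static passwords."""

    def __init__(self, authorized: Dict[str, Set[str]]) -> None:
        self.accounts: Dict[str, Account] = {}
        self.authorized = authorized  # principal -> account names it may use
        self.audit: List[Tuple[float, str, str, str, str]] = []

    def add_account(self, name: str, rotate_after_use: bool, max_age: float, now: float) -> None:
        self.accounts[name] = Account(name, generate_password(), rotate_after_use, max_age, now)

    def checkout(self, principal: str, name: str, reason: str, now: float) -> str:
        """Hand the current password to an authorised principal, recording who and why."""
        acct = self.accounts[name]
        if name not in self.authorized.get(principal, set()):
            self.audit.append((now, principal, name, "DENIED", reason))
            raise PermissionError(f"{principal} may not use {name}")
        if acct.checked_out_by is not None:
            raise RuntimeError(f"{name} is already checked out by {acct.checked_out_by}")
        acct.checked_out_by = principal
        self.audit.append((now, principal, name, "CHECKOUT", reason))
        return acct.password

    def checkin(self, principal: str, name: str, now: float) -> None:
        """Release the account; under the one-time policy the password changes immediately."""
        acct = self.accounts[name]
        if acct.checked_out_by != principal:
            raise RuntimeError(f"{name} is not checked out by {principal}")
        acct.checked_out_by = None
        self.audit.append((now, principal, name, "CHECKIN", ""))
        if acct.rotate_after_use:
            self._rotate(acct, now, "one-time password policy")

    def rotate_expired(self, now: float) -> List[str]:
        """Scheduled job: rotate embedded/service passwords older than their max_age."""
        rotated = []
        for acct in self.accounts.values():
            if acct.checked_out_by is None and now - acct.last_rotated >= acct.max_age:
                self._rotate(acct, now, "max age exceeded")
                rotated.append(acct.name)
        return rotated

    def _rotate(self, acct: Account, now: float, why: str) -> None:
        acct.password = generate_password()
        acct.last_rotated = now
        self.audit.append((now, "vault", acct.name, "ROTATED", why))


def demo() -> dict:
    """Constructed walk-through: one admin task, one application fetching its own credential."""
    t0 = time.time()
    vault = PrivilegedVault({"alice": {"root@db01"}, "app:billing": {"svc_billing@db01"}})
    vault.add_account("root@db01", rotate_after_use=True, max_age=float("inf"), now=t0)
    vault.add_account("svc_billing@db01", rotate_after_use=False, max_age=24 * 3600, now=t0)

    # Interactive administration: one password per task, changed as soon as the task ends.
    pw_task = vault.checkout("alice", "root@db01", "ticket 4711: restart replication", t0)
    vault.checkin("alice", "root@db01", t0 + 600)
    pw_after = vault.accounts["root@db01"].password

    # Embedded account: the application fetches its credential at start-up instead of
    # carrying it in source code, so a rotation needs no code change.
    pw_app = vault.checkout("app:billing", "svc_billing@db01", "service start", t0)
    vault.checkin("app:billing", "svc_billing@db01", t0 + 1)
    rotated = vault.rotate_expired(t0 + 25 * 3600)

    # A developer who knows the service account's name still cannot pull its password.
    try:
        vault.checkout("bob", "svc_billing@db01", "debugging", t0 + 2)
        bob_denied = False
    except PermissionError:
        bob_denied = True

    return {
        "admin_password_rotated": pw_task != pw_after,
        "service_rotated": rotated,
        "service_password_changed": vault.accounts["svc_billing@db01"].password != pw_app,
        "developer_denied": bob_denied,
        "audit_events": [event[3] for event in vault.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that every use of a privileged account is tied to a named principal and a reason, the interactive password is worthless once the task is over, and the service account's password can be changed on a schedule without anyone editing source code.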
Although controlling privileged and embedded accounts is a start, the problem goes deeper. What many organisations forget is that when you have access to the system you have access to the data. As in the case of LGT, no one is ‘immune to the criminal activities of individual persons.’ So securing your highly sensitive data is of the utmost importance.
Many organisations focus on the security of data in transit, but this is rarely where the biggest risk lies. Here are some practical suggestions that can be implemented easily.
Protect Data at Rest
The cornerstone of protecting data at rest is encryption combined with access control. Encryption ensures that the data is unreadable without the key, and access control ensures that it is visible only to those who have the appropriate permissions. The two only work together if the encryption keys are held separately from the data and from the administrators who run the storage; otherwise a privileged user simply decrypts whatever they can already read.
Data must be tamper-proof
This can be achieved by integrating authentication and access control so that only authorised users can view or change the data. Comprehensive auditing and monitoring are essential for several reasons. First, they allow the enterprise to confirm that its policy is actually being enforced. Second, they give the owner of the information the ability to track how its data is used, so there are no surprises. Third, they are a major deterrent: potential abusers know that auditing and monitoring can identify them. For that deterrent to mean anything the audit trail itself must be out of reach of the administrators it monitors, stored append-only and with its integrity verifiable, or the same privileged user who read the data can erase the record of having done so.
Ensure that whenever sensitive data is accessed a notification is sent to the appropriate staff to advise that a file has been accessed, including attempts that were refused. This can be implemented quite simply and ensures that any ‘criminal activities of individual persons’ will be noticed immediately. For data that is read many times a day, notify on the unusual cases (out-of-hours access, bulk reads, refused attempts) rather than every access, or the notifications will be ignored.
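The tamper-proofing, auditing and notification points under the last two headings, as an added example that is not code from the original article or from Cyber-Ark. It is a small file store of my own in which every access, allowed or refused, is written to an HMAC-chained audit trail and reported to a notification callback that stands in for the e-mail to the data owner. The store, file name, principals and log key are constructed for the demonstration; the assumption is that the log key and the latest entry's MAC are held by an audit system outside the storage administrators' control, since an insider who holds the key could rewrite the chain.

```python
import hashlib
import hmac
import json
from typing import Callable, Dict, List, Optional, Set

# Hypothetical store constructed for the example; the MAC key would live with the auditor.
GENESIS = "0" * 64


class SensitiveStore:
    """Access-controlled store whose every access lands in an HMAC-chained audit trail."""

    def __init__(self, log_key: bytes, permissions: Dict[str, Set[str]],
                 notify: Callable[[dict], None]) -> None:
        self._log_key = log_key
        self._permissions = permissions   # file name -> principals allowed to read/write it
        self._notify = notify             # stands in for the e-mail to the data owner
        self._files: Dict[str, bytes] = {}
        self.log: List[dict] = []

    def _mac(self, entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "mac"}
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._log_key, data, hashlib.sha256).hexdigest()

    def _record(self, event: dict) -> None:
        # Each entry carries the previous entry's MAC, so removing or editing an earlier
        # entry breaks every entry that follows it.
        entry = dict(event, prev=self.log[-1]["mac"] if self.log else GENESIS)
        entry["mac"] = self._mac(entry)
        self.log.append(entry)
        self._notify(entry)

    def _check(self, user: str, name: str, action: str) -> None:
        allowed = user in self._permissions.get(name, set())
        self._record({"user": user, "file": name, "action": action, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{user} may not {action} {name}")

    def write(self, user: str, name: str, data: bytes) -> None:
        self._check(user, name, "write")
        self._files[name] = data

    def read(self, user: str, name: str) -> bytes:
        self._check(user, name, "read")
        return self._files[name]

    def verify_log(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Index of the first entry that breaks the chain, or None if the trail is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.log):
            if entry.get("prev") != prev:
                return i
            if not hmac.compare_digest(self._mac(entry), entry.get("mac", "")):
                return i
            prev = entry["mac"]
        if expected_head is not None and prev != expected_head:
            return len(self.log)          # entries were cut off the end of the trail
        return None


def demo() -> dict:
    """Constructed walk-through: an allowed read, a refused read, then two insider edits."""
    notifications: List[dict] = []
    store = SensitiveStore(b"constructed-demo-log-key", {"clients.csv": {"alice"}},
                           notifications.append)
    store.write("alice", "clients.csv", b"account,owner\n1001,example client\n")
    store.read("alice", "clients.csv")
    try:
        store.read("mallory", "clients.csv")   # refused, but still logged and notified
        mallory_denied = False
    except PermissionError:
        mallory_denied = True
    head = notifications[-1]["mac"]            # the data owner keeps this off the box
    intact = store.verify_log(head) is None

    # Insider with write access to the log erases the record of the refused read.
    del store.log[-1]
    truncation_detected_at = store.verify_log(head)

    # Restore it, then rewrite alice's read as a harmless write: the entry's MAC fails.
    store.log.append(notifications[-1])
    store.log[1] = dict(store.log[1], action="write")
    edit_detected_at = store.verify_log(head)

    return {
        "mallory_denied": mallory_denied,
        "notifications": len(notifications),
        "intact_before_tampering": intact,
        "truncation_detected_at": truncation_detected_at,
        "edit_detected_at": edit_detected_at,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The notification is fired before the permission check raises, so a refused attempt reaches the data owner just as an allowed read does, and the MAC carried in each notification is what lets the owner later prove that the trail on the server has been cut short.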
Calum Macleod is director of Western Europe, Middle East and Africa for Cyber-Ark, www.cyber-ark.com