Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

8/17/2011
04:09 PM
50%
50%

Insiders Still Thwart Database Controls Without Supervisory Support

FINRA fines Citigroup for missing suspicious behavior of employee who bilked customers of $750,000 during eight years

Even as financial institutions hone their security technology portfolios with advanced database activity monitoring (DAM) implementations, improved fraud detection software, and other tools to sniff out bad behavior from within, malicious insiders will still manage to swindle their employers when all of that technology isn't supported with the right business processes. And when that happens, no amount of check-box compliance implementations will keep regulators from putting the hammer down hard in the form of fines and public embarrassment.

Case in point is the recent name-and-shame campaign by the Financial Industry Regulatory Authority (FINRA) against Citigroup. FINRA recently announced that it was fining Citigroup $500,000 for failing to keep track of an employee who managed to steal almost $750,000 from 22 customers during the course of eight years.

A sales assistant at a branch office, Tamara Moon, stole money from the elderly, people with Parkinson's disease, and even her own dad. And she managed to keep up her thieving ways despite exception reports that popped up for her superiors detailing conflicts in new account application information. Similarly, her supervisors did not spot red flags from suspicious transfers between unrelated accounts.

"Citigroup had reason to know what she was doing and could have stopped her," says Brad Bennett, executive vice president and chief of enforcement for FINRA.

The case at Citigroup is indicative of the need for more thorough continuous monitoring practices within the industry, says John Rostern, managing director of the New York office of security and compliance consultancy Coalfire Systems.

"The type of monitoring that's typically employed these days is inconsistent at best and, in many cases, manually driven," Rostern says. "The introduction of continuous controls monitoring where you're not doing statistical sampling, but you really are looking at the wider population and gaining visibility into exceptions as they occur, is important given the amount of data that's flowing through systems and the number of people who are in those outlier areas, like branch offices."

Rostern also believes that organizations need to think more critically about how existing implementations of DAM tools can better track user behavior to spot fraud as early as possible.

"Database activity monitoring has been implemented in financial services more widely than elsewhere, but how is it actually being used? That's the big question we need to ask," he says. "It is great that you put this tool in place to do database access monitoring, but what are you doing with the data? How are you monitoring it? It is really important to think about the procedural context within which the tools are implemented."

Similarly, some experts believe that organizations need to also improve the way that DAM tools are linked to identity management tools to better track user behavior across systems.

"The reality is that many of the security organizations out there are really system-centric: database, application space, or network," says Frank Villavicencio, executive vice president of Identropy, an identity and access management managed service provider. "But they need to evolve into an identity-centric model to increase visibility and tie activity to a human. That's where this idea of identity activity monitoring comes into play. You correlate behavior against identity data so that you know that a particular user is accessing the database, but also that same user seems to have logged in from home on a Saturday or from the building at a late hour to do it." While technology is important, Richard Mackey, vice president of consulting at SystemExperts, says the Citigroup incident shows how problems with the humans controlling the levers are the most important to solve when fighting fraud.

"The business controls, rather than the technical controls, are really supposed to be watching for this," Mackey says. "It turns out that there were a number of suspicious incidents associated with these accounts, but they allowed the sales associate to explain them away. For example, money was moved between accounts that had no relationships between them. Those were actions that were supposed to alert higher-ups to look more closely at any of the internal employees and any of the customers involved in those transactions, and they never followed through on that."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23347
PUBLISHED: 2021-03-03
The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 and before 1.8.6 are vulnerable to Cross-site Scripting (XSS) the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user.
CVE-2021-25315
PUBLISHED: 2021-03-03
A Incorrect Implementation of Authentication Algorithm vulnerability in of SUSE SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE SUSE Linux Enterprise Server 15 ...
CVE-2021-27921
PUBLISHED: 2021-03-03
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.
CVE-2021-27922
PUBLISHED: 2021-03-03
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.
CVE-2021-27923
PUBLISHED: 2021-03-03
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.