Insiders Still Thwart Database Controls Without Supervisory Support
FINRA fines Citigroup for missing suspicious behavior of employee who bilked customers of $750,000 during eight years
Even as financial institutions hone their security technology portfolios with advanced database activity monitoring (DAM) implementations, improved fraud detection software, and other tools to sniff out bad behavior from within, malicious insiders will still manage to swindle their employers when all of that technology isn't supported with the right business processes. And when that happens, no amount of check-box compliance implementations will keep regulators from putting the hammer down hard in the form of fines and public embarrassment.
Case in point is the recent name-and-shame campaign by the Financial Industry Regulatory Authority (FINRA) against Citigroup. FINRA recently announced that it was fining Citigroup $500,000 for failing to keep track of an employee who managed to steal almost $750,000 from 22 customers during the course of eight years.
A sales assistant at a branch office, Tamara Moon, stole money from the elderly, people with Parkinson's disease, and even her own dad. And she managed to keep up her thieving ways despite exception reports that popped up for her superiors detailing conflicts in new account application information. Similarly, her supervisors did not spot red flags from suspicious transfers between unrelated accounts.
"Citigroup had reason to know what she was doing and could have stopped her," says Brad Bennett, executive vice president and chief of enforcement for FINRA.
The case at Citigroup is indicative of the need for more thorough continuous monitoring practices within the industry, says John Rostern, managing director of the New York office of security and compliance consultancy Coalfire Systems.
"The type of monitoring that's typically employed these days is inconsistent at best and, in many cases, manually driven," Rostern says. "The introduction of continuous controls monitoring where you're not doing statistical sampling, but you really are looking at the wider population and gaining visibility into exceptions as they occur, is important given the amount of data that's flowing through systems and the number of people who are in those outlier areas, like branch offices."
Rostern also believes that organizations need to think more critically about how existing implementations of DAM tools can better track user behavior to spot fraud as early as possible.
"Database activity monitoring has been implemented in financial services more widely than elsewhere, but how is it actually being used? That's the big question we need to ask," he says. "It is great that you put this tool in place to do database access monitoring, but what are you doing with the data? How are you monitoring it? It is really important to think about the procedural context within which the tools are implemented."
Similarly, some experts believe that organizations need to also improve the way that DAM tools are linked to identity management tools to better track user behavior across systems.
"The reality is that many of the security organizations out there are really system-centric: database, application space, or network," says Frank Villavicencio, executive vice president of Identropy, an identity and access management managed service provider. "But they need to evolve into an identity-centric model to increase visibility and tie activity to a human. That's where this idea of identity activity monitoring comes into play. You correlate behavior against identity data so that you know that a particular user is accessing the database, but also that same user seems to have logged in from home on a Saturday or from the building at a late hour to do it."
While technology is important, Richard Mackey, vice president of consulting at SystemExperts, says the Citigroup incident shows how problems with the humans controlling the levers are the most important to solve when fighting fraud.
"The business controls, rather than the technical controls, are really supposed to be watching for this," Mackey says. "It turns out that there were a number of suspicious incidents associated with these accounts, but they allowed the sales associate to explain them away. For example, money was moved between accounts that had no relationships between them. Those were actions that were supposed to alert higher-ups to look more closely at any of the internal employees and any of the customers involved in those transactions, and they never followed through on that."
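As an added illustration (not code from the article or from the experts quoted), the following Python sketches the identity-centric correlation Villavicencio describes and the unrelated-account transfer check Mackey mentions: database events are tied to the user's most recent login context, every event in the population is examined rather than sampled, and the employee involved cannot clear their own exception. All records, field names and the business-hours window are constructed assumptions.

```python
from datetime import datetime
# Constructed sample records (assumed field names, not any vendor's schema).
LOGINS = [
    {"user": "asst1", "ts": "2011-06-04T22:15:00", "source": "vpn"},     # Saturday, late, remote
    {"user": "asst2", "ts": "2011-06-06T10:05:00", "source": "branch"},  # Monday, in office
]
DB_EVENTS = [
    {"user": "asst1", "ts": "2011-06-04T22:20:00", "action": "transfer", "src": "A100", "dst": "B200"},
    {"user": "asst2", "ts": "2011-06-06T10:10:00", "action": "transfer", "src": "A100", "dst": "A101"},
]
HOUSEHOLD = {"A100": "H1", "A101": "H1", "B200": "H2"}  # account -> household (relationship) id
BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 local time

def last_login(user, ts, logins):
    """Most recent login by this user at or before the event (ISO timestamps sort as text)."""
    prior = [l for l in logins if l["user"] == user and l["ts"] <= ts]
    return max(prior, key=lambda l: l["ts"]) if prior else None

def flag_event(ev, logins=LOGINS, household=HOUSEHOLD):
    """Identity-centric check: tie the DB action to who did it, when, and from where."""
    reasons = []
    when = datetime.fromisoformat(ev["ts"])
    if when.weekday() >= 5:
        reasons.append("weekend")
    if when.hour not in BUSINESS_HOURS:
        reasons.append("after-hours")
    login = last_login(ev["user"], ev["ts"], logins)
    if login is None:
        reasons.append("no-matching-login")
    elif login["source"] != "branch":
        reasons.append("remote-login:" + login["source"])
    if ev["action"] == "transfer" and household.get(ev["src"]) != household.get(ev["dst"]):
        reasons.append("unrelated-accounts")  # money moved between accounts with no relationship
    return reasons

def exceptions(events=DB_EVENTS, logins=LOGINS, household=HOUSEHOLD):
    """Continuous controls monitoring: every event in the population is examined, not a sample."""
    out = {}
    for ev in events:
        reasons = flag_event(ev, logins, household)
        if reasons:
            out[(ev["user"], ev["ts"])] = {"reasons": reasons, "closed_by": None}
    return out

def close_exception(exc, subject_user, reviewer):
    """The employee whose activity raised the exception cannot be the one who clears it."""
    if reviewer == subject_user:
        raise PermissionError("subject of an exception cannot clear it")
    exc["closed_by"] = reviewer
    return exc
```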