For the past two weeks, we've done a series on insider threats. In the UBS case, two things probably occurred:
1: The trader was granted excessive privileges: Time is constrained, resources are lacking, and it's just too easy to say, "Well, we can't start defining what's allowed and what's not for every user. Let's just give a whole group of people the same privileges." But it takes only a single user abusing these excessive privileges for an organization to suffer a data breach. Consider the case at Diablo Valley Community College, where DBAs were modifying student grades for three years. When the breach came to light, they found that out of the 100 users who were granted excessive privileges, only 11 really required them.
2: Not monitoring legitimate users: Once the access controls (the appropriate privileges for the different users) are set, it's common enough to say that the work is done. Not quite: even those with legitimate privileges can abuse their rights. Consider healthcare administrators in LA hospitals providing celebrity medical records (George Clooney, Britney Spears, Tom Cruise, Octomom, etc.) to journalists.