
Survey discovers access control problems at many firms

By Robert Westervelt, News Editor
04 Feb 2008 | SearchFinancialSecurity.com


Data leakage as a result of internal threats can be minimized with good access governance, according to experts and IT security pros. But many senior executives are failing to heed the advice, according to a recent survey.


"It seems consistent that access rights aren't being managed particularly well and it seems like many organizations are having much difficulty in getting to the point of execution with an access governance plan," said Larry Ponemon, founder and chairman of the Ponemon Institute.

Ponemon and Waltham, Mass.-based access management vendor Aveksa Inc. recently surveyed 700 IT pros, 74% of whom said that senior management didn't understand the risk of inappropriate user access and the resources needed to prevent compliance and business risks.

The 2008 National Survey on Access Governance was released only a week after a rogue trader—a trusted insider—used stolen passwords and his knowledge of various financial systems to allegedly carry out $7.2 billion in fraud against French banking giant Societe Generale. While the banking scandal boldly highlights that the threat from insiders is real, Ponemon warns that employees usually don't have criminal intent. Employee error stemming from inappropriate access rights also increases the risk of data exposure, Ponemon said.

"It's not just that bad people are doing bad things, but good people make mistakes and look at information that they don't need," Ponemon said. "If you look at the history of access, once you get it, it's hard for a company to revoke it because, culturally, people see it as an insult."

Intellectual property, customer information and general business information are identified as being most at risk, according to the survey.

Organizations are also not able to keep pace with changing user roles that result from transfers, terminations or revisions to job responsibilities, Ponemon says, because business units don't collaborate with security, audit and compliance teams. Only 57% of those surveyed said such groups in their organizations are working together.

"All of the pieces of the puzzle have to get implemented properly," Ponemon said. "Good access governance begins with good policies. Once those policies are created, they must be enforced in a consistent fashion."


Many high-growth firms are also having trouble classifying data and getting a grip on access rights at the individual level because of changing business roles and responsibilities. Of those surveyed, 73% reported that their organizations determine risk to information based on the inherent risk of different data types rather than on users' role or function (33%).

Ponemon said access governance needs to take into consideration more than just the type of data users handle. Firms should assign access rights based on job function, he said.

But only 27% of respondents believe that their ability to assign access rights based on job function is excellent or good, while 55% of respondents described their ability as either poor or nonexistent.

Data within business unit applications are most at risk as a result of poor access governance. Customer relationship management and revenue-generating applications are also vulnerable because they typically contain significant amounts of customer information.

Tom Kellermann, vice president of security awareness at Core Security and former head of cyber intelligence and policy management at the World Bank, called the French bank scandal the result of a failure of sound security practices within the organization. Most banks focus on the perimeter, he said. Good access governance could have thwarted the incident at Societe Generale or at least triggered an alarm.

"They're too reliant on something we all know – passwords, passwords, and passwords," Kellermann said. "There's very little comprehension that certificates and certificate authorities can be compromised."


