Calum Macleod European Director CyberArk

Working for the taxman took on a whole new meaning last week when it emerged that the German Tax Authorities “allegedly” paid five million Euros to an anonymous informant to supply information about clients who had accounts at the well known Liechtenstein bank, LGT Group. I don’t know if this was five million tax free or after tax, but in any case, it certainly makes for an interesting career opportunity. I know someone who’s been “stashing it away” in Cyprus and Switzerland for years and claiming that they can’t work - I’m open to offers!

So how did it happen that this information got into the hands of those honest people at the tax department? Well it seems as the LGT Group says “like every other financial institute, it is not immune to the under-hand activities of individual persons.” Now we’re talking about a country that has no measurable organized crime and common crime such as robbery and assault is unknown, and yet even poor old Lichtenstein is not immune to highly sensitive data finding its way into the wrong hands! Additionally the bank states that “security precautions to protect the private sphere of clients have been continually enhanced to conform to the latest technology over the years and there are no grounds to indicate that client information has been stolen since 2002.”

This latter statement is extremely bold, especially since it is absolutely certain that LGT Group have not had complete auditability of their privileged IT accounts or embedded application accounts since 2002. In other words how can they be sure that their IT staff has not been viewing confidential data during this period? The answer is that they can’t be sure.

One of the most frequently recurring scenarios in the financial sector today is the lack of control and accountability within IT. Whether it’s Société Générale or LGT, the problem is frequently down to a failure of IT controls and a failure to control access to highly sensitive information by unauthorized staff.
An organization should never underestimate the potential damage in case of exposure or loss of confidential data. This is the reason why organizations need to take great care to ensure that sensitive information is not accessible to staff without proper controls. Securing data while it’s at rest is crucial. As enterprise networks continue to become increasingly accessible, so do the risks that information will be accessed when it’s at rest by staff who are not authorized to do so – or maybe the 007 tax detective masquerading as a service engineer  who’s just come in to make that essential maintenance upgrade.

What many organizations seem to fail to appreciate is the power that the IT staff has. Because of the nature of their work, they are frequently granted privileged access to systems and this access is frequently anonymous. In spite of hundreds of millions of dollars being invested in strong authentication such as biometrics, tokens and the like, the privileged access to systems does not cater for these security techniques but rely heavily on static passwords that are shared by many staff. So what can be done?
 
1.      Take Control of Your Privileged Accounts
The first step that should be taken is to implement an effective Privileged Password Management solution. This provides an organization with complete control over privileged accounts and gives the means to enforce policies such as one-time passwords for administrative tasks.

2.      Secure Your Embedded Application Accounts
Today’s enterprises have complex IT environments where information is exchanged between multiple systems and applications automatically—well actually somebody wrote some code to make it happen. When these systems and applications communicate with each other they have to identify themselves which they do through users’ IDs and passwords written in the code. Not only are these rarely if ever changed but if I happened to be the guy writing code at LGT, I would find it extremely simple to masquerade as an application to access sensitive data. So change these embedded accounts regularly.

The problem doesn’t stop there. Although controlling privileged and embedded accounts is a start, the problem goes deeper. What many organizations forget is that when you have access to the system, you have access to the data. It’s no use leaving your valuables lying around on servers and think they’re safe because you locked the front door. As in the case of LGT, no one is “immune to the criminal activities of individual persons.” So securing your highly sensitive data is of utmost importance
Many organizations focus on the security of data at motion but this is rarely where the biggest risk lies, Solutions that encrypt data in transit, including VPNs, and multipurpose security appliances, which incorporate IDS, IPS, firewalls, anti-virus programs, and other security technologies into a single device can do a great job to make sure your data is secure in transit but they offer no solution to the problem of securing data at rest. So here are some practical suggestions that can easily be implemented.

1.      Protect Data at Rest
The cornerstone of protecting storage while at rest is encryption and visibility. Encryption ensures that the data is not readable and thus maintains its confidentiality and the data should only be visible to those who have the appropriate permissions. In other words, IT staff rarely if ever need access to data, so why give them access! They don’t need to know it exists.

2.      Data Must be Tamper Proof
This can be achieved by the integration of authentication and access control that ensures that only authorized users can view or change the data. Comprehensive auditing and monitoring capabilities are essential for security for several reasons. It allows the enterprise to ensure that its policy is being carried out. It provides the owner of the information with the ability to track the usage of its data so there are no surprises from the taxman. Thirdly, it is a major deterrent for potential abusers, knowing that tamper-proof auditing and monitoring can help in identification. At the moment no one knows the identity of the individual who compromised LGT and its clients. It would have been so easy to have done this!

3.      Be Forewarned
Ensure that whenever sensitive data is accessed, an email notification is sent to the appropriate staff to advise that a file has been accessed. Again, this can be implemented again quite simply and ensures that if there are “criminal activities of individual persons” going on it will be noticed immediately.
So now that governments are starting to work on a commission basis for tax investigators it’s time that you took the steps to at least make them earn their money!