If you tell enough stories, perhaps the moral will show up.

2008-07-15

Naming Risks

Jerome Kerviel seems to be on the edge of getting a risk named after him. This is not the sort of distinction that will make his mummy proud, but it is a distinction nonetheless. About the only other named risk I can think of immortalises the otherwise obscure Herstatt Bank, closed by regulators in 1974 before it had paid out on its forwards settling that day.
Kerviel's activities are set out in the Mission Green report, and if you were following the story at the time, it's interesting to see how wrong the initial spin was: he wasn't stealing passwords, and he wasn't modifying control spreadsheets. He was exploiting his back office knowledge, but at a higher level: he knew how to use cancellations and corrections -- all the points where control can't be watertight because trading isn't -- to get his positions off the records, and he'd been doing it for some time. (It was only right at the end that he started to fake forwarded email -- nothing complicated, just editing a real forwarded email.) So this gives us a useful term: Kerviel risk is the presence of exploitable vulnerabilities -- uncompleted cycles of review and follow-up -- in a control system. A short name for a rather complicated concept, so maybe it'll stick.
Now, this definition means that Kerviel's name is not the right one for authentication-abused-to-approve-fraudulent-actions risk. But Jagmeet Channa has come along just in time to help us out. He stole a couple of passwords to approve his multi-million pound transfers to his accomplices in N. Africa and Manchester.
The problem is figuring out what risk we're naming here. Channa's not talking, so we can't tell if it's:

  • Password stealing? -- he certainly did, but maybe that's not the point
  • Inserted Insider?
  • Coerced Insider?
  • Criminal Mastermind who recruited outside help?
I'm going with the authentication, for the present. Channa Role Risk...
And what makes this a security story? Well, the investigation started by interviewing the colleagues whose passwords Channa used. Don't fancy being in an interview like that? Then guard your password.
