UBS Rogue Trader Incident Stirs Access Management Speculation

Published: 22/11/2024   Category: security




Details are still sparse, but UBS rogue trader incident sets off identity and access management debate



As very basic details about the massive $2.3 billion rogue-trading incident at UBS begin to trickle out, speculation and scuttlebutt swirl around what exactly broke down within the Swiss finance company's business process and IT system risk management controls. While most IT experts believe it is too early to say what security lessons the industry will learn from the gaffe, many have already drawn comparisons to the $6 billion Societe Generale rogue-trading incident and believe that the UBS trader might have taken advantage of weaknesses within the firm's access controls similar to those Jérôme Kerviel exploited at the French firm in 2008.
News of the $2.3 billion loss UBS experienced at the hands of a rogue trader broke late on Thursday last week when the firm put out a short press release explaining that an incident occurred. The next day, law enforcement officials said they had arrested UBS trader Kweku Adoboli in London for fraud. Though UBS is not confirming Adoboli as the culprit, it did yesterday dribble out a bit more information about how the rogue trader acted.
"The positions taken were within the normal business flow of a large global equity trading house as part of a properly hedged portfolio," the company said in a statement. "However, the true magnitude of the risk exposure was distorted because the positions had been offset in our systems with fictitious, forward-settling, cash ETF positions, allegedly executed by the trader. These fictitious trades concealed the fact that the index futures trades violated UBS's risk limits."
UBS said the employee made unauthorized trades in S&P 500, DAX, and EuroStoxx index futures during the course of three months.
"If you look at what this trader has allegedly done, working in different roles inside the organization, moving from what appears to have been a back-office role into a trading role, it seems like the combination of having the knowledge of how those internal systems work as well as having retained the access is what enabled this," says Jason Garbis, vice president of marketing for identity player Aveksa, who wonders if this was a case of Adoboli getting more access to systems than he should have been afforded during the transition. "Often organizations don't have very sophisticated or very rigorous mover processes. When someone changes from role A to role B, they very often don't have a program in place to detect this and then automatically set up what is called an access review to have the new manager look at and validate the access to critical applications."
Garbis believes this could end up being a wake-up signal for financial organizations to do a better job reviewing privileges among user roles and also instilling better segregation of duties.
"Even if all the access they have is appropriate or tied to their role, maybe someone in that role shouldn't have all that access -- for example, it would make sense to have a rule where someone can't execute a trade as well as approve that trade because it sets up a very high-risk scenario," he says.
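The mover process and segregation-of-duties rule Garbis describes, modelled as an added example (constructed for this article, not UBS or Aveksa code): a role change that adds the new role's entitlements without removing the old ones, an access review that flags retained entitlements and toxic combinations, and the remediation a manager would approve. Role and entitlement names are hypothetical.

```python
"""Constructed model of a sloppy 'mover' process and the access review that catches it."""
from dataclasses import dataclass, field

# Hypothetical role-to-entitlement mapping (constructed for this example).
ROLE_ENTITLEMENTS = {
    "back_office": {"book_trade", "confirm_settlement", "amend_trade"},
    "trader": {"execute_trade", "view_positions"},
}

# Entitlement pairs that must never sit with one identity (segregation of duties):
# executing a trade plus confirming or amending it lets one person hide the exposure.
TOXIC_PAIRS = {
    frozenset({"execute_trade", "confirm_settlement"}),
    frozenset({"execute_trade", "amend_trade"}),
}


@dataclass
class Account:
    user: str
    role: str
    entitlements: set = field(default_factory=set)


def move_user(acct: Account, new_role: str) -> Account:
    """Weak mover process: grants the new role's entitlements but removes nothing."""
    acct.role = new_role
    acct.entitlements |= ROLE_ENTITLEMENTS[new_role]
    return acct


def access_review(acct: Account):
    """Return (entitlements outside the current role, toxic pairs present)."""
    expected = ROLE_ENTITLEMENTS[acct.role]
    retained = acct.entitlements - expected
    toxic = {pair for pair in TOXIC_PAIRS if pair <= acct.entitlements}
    return retained, toxic


def remediate(acct: Account):
    """Drop everything not tied to the current role, then re-run the review."""
    acct.entitlements &= ROLE_ENTITLEMENTS[acct.role]
    return access_review(acct)


if __name__ == "__main__":
    acct = Account("u1", "back_office", set(ROLE_ENTITLEMENTS["back_office"]))
    move_user(acct, "trader")
    print("review after move:", access_review(acct))
    print("review after remediation:", remediate(acct))
```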
Until UBS releases more information, the industry can only speculate as to how its roles and access management systems were set up. But experts say it is likely that the problems ran deeper than just identity management.
"What you really often see people do in these situations is they'll go and strengthen some point activity, and then it's sort of like a bunch of kids walking in the dark at night, and they've got all the flashlights focused on different rocks, but there's all these dark spots between their flashlights," says Brian Barnier, the author of The Operational Risk Handbook for Financial Companies, an ISACA volunteer and consultant for Value Bridge Advisors. "Identity is important, and you've got to think about roles because that's one of the classic things in an insider-trading incident is having authorization for too many roles. But it is also important that we not just go for identity and access management and be all over that without being concerned about all the other systems pieces involved. Otherwise, we'll have those big, dark spaces that some other rogue trader will be able to exploit."
According to securities fraud expert Louis Straney, no matter what kind of technology an organization puts in place, there is no replacement for actual human supervision. "As quickly as you develop an internal system that screens, filters, isolates, or identifies risk, someone will think of a workaround," says Straney, who has written several books on fraud in the financial markets. "It really all falls back on the supervision, and this is a massive failure to supervise the trading activity."
Straney believes that one potential lesson from this incident is that financial organizations don't do a good enough job trying to look for and anticipate the loopholes in identity and overall fraud prevention systems. He thinks that much like penetration testers look for network security holes, financial organizations should also have technical and business teams working to test for business process and system flaws that would allow massive security lapses such as the UBS incident.