The Power of One
Think a single person can't put your whole company in jeopardy? Think again
February 1, 2008
5:25 PM -- When you're handling security in a corporate environment with dozens -- even hundreds -- of employees, it may seem like one person doesn't make much difference one way or the other. If the perimeter is secure, the thinking goes, there's a limit to the damage that a solitary employee or hacker may cause.
This week, however, the industry has gotten some hard lessons -- some very hard lessons -- in the vulnerabilities that one person can create.
We begin our lessons, inevitably, in France, where a 31-year-old junior trader at the Societe Generale bank apparently was able to manipulate unlimited funds and derivatives trades, building up a $73 billion position and losing some $7 billion before his activities were finally detected and stopped. (See Societe Generale: How Did It Happen?)
While auditors blame poor validation processes for the Societe Generale fiasco and conspiracy theorists say the trader could not have acted alone without detection, security pros focus on what they know: that passwords were easily guessed and stolen. If the company had been more vigilant about access control and password creation, they say, the trader would never have been able to hide his actions.
But all of these arguments overlook the elephant in the room: A single employee with knowledge of the bank's systems and practices was able to create an unprecedented fraud, largely of his own doing. One individual was able to slip past auditing controls, financial controls, and IT security controls, wreaking havoc not only within the bank, but across markets worldwide. Just knowing that such a thing could happen is enough to keep security managers awake at night.
But such an event might not be driven entirely from inside the company. This week, researchers and vendors also raised a red flag to warn enterprises about "whaling" -- the practice of targeting top executives and decision-makers with phishing attacks that could fool them into making the wrong online decision. (See Researchers, Vendors Gear Up for Whaling Attacks.)
Now, most whalers are simply targeting top executives because they are the most likely to have big bucks. But what's scary is that phishers also seem to recognize the top executive's ability to uniformly command entire groups of users to make dangerous online decisions, too. In time, whaling might allow a criminal to leverage an attack on a single individual -- the corporate executive -- to execute exploits that extend across an entire company.
Both attackers and defenders are beginning to recognize the power of the individual. Earlier this week, we reported on a new round of Cross-Site Request Forgery (CSRF) attacks that could frame a single innocent user for exploits conducted by an external hacker. We also saw how attackers could masquerade as a single blogger to deliver malware across the Web. (See Exploit Could Taint Forensics and Attackers Abuse Google Blogger.)
We also saw how concerns about the power of individual users may lead to blanket policies that restrict the access of all users. It's likely that many end users in the U.S. federal government aren't too thrilled about the termination of administrative rights under Windows, but the feds are concerned that one user with that much online power could lead to trouble, from inside or outside the organization. (See Feds Say 'Adios' to Admin Rights on Windows.)
If nothing else, this week has taught us that a single individual does matter, both to the enterprise and to those who might attack it. When it comes to security, even one person is too much to overlook.
— Tim Wilson, Site Editor, Dark Reading