Imperva: FDA Chemist arrested for access rights abuse and insider trading
April 2011 by Noa Bar-Yosef, Senior Security Strategist at Imperva
A Food and Drug Administration (FDA) chemist and his son were charged yesterday with insider trading. The chemist had been granted access to confidential data on drug approval reviews, held in an FDA database. He abused that access to buy stock in companies about to receive approval, before the decisions were public. According to the report, the chemist profited by $3.6 million.
Noa Bar-Yosef, Imperva’s Senior Security Strategist comments, “It’s only March but it seems 2011 is shaping up to be the year of the Insider. Wikileaks was just the tip of the iceberg. But low and mid-level employees have caused enterprises serious harm.”
Bar-Yosef continues, “When discussing data theft, we usually talk about hackers penetrating the networks of a company. However, we need to also consider the insider threat – people who are granted, by the employer, access to the organization’s sensitive data. It is not clear whether the chemist had to access those documents in order to perform his job or whether he was mistakenly granted access to documents he should not have had permission to view (i.e. excessive privileges). It does not matter. The result in this case is the same. The employee abused his privileges for an unfair advantage.”
Noa’s advice would be:
At first glance this seems like a lost cause – maintaining control of access control lists across the whole organization seems a nearly impossible task. So how can you protect against an individual who has access privileges to the document to begin with? Let’s consider behavioural analysis. An automated process could learn the behaviour of an individual and construct a profile based on parameters such as:
What data was accessed and was it necessary to perform the job?
How many times was a file, or a particular database table, accessed?
When was the data accessed and how much data was viewed or removed?
Any deviation from this profile, or any access above a certain threshold limit, should raise an alarm.
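The profile-and-deviation idea above, as an added example that is not part of the original article or any Imperva product: a small Python baseline that learns, per user, which tables are normally touched, at what hours, how many queries per day and how many rows per query, and then flags events that fall outside that profile or cross an absolute ceiling. The audit log format, table names, users and thresholds (`k`, `min_daily_gap`, `min_rows_gap`) are all constructed assumptions for the illustration.

```python
"""Behavioural baseline for database access (added illustration, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class AccessEvent:
    user: str
    when: datetime
    table: str
    rows: int


def parse_log(lines):
    """Parse constructed, pipe-separated audit lines: time|user|table|rows_returned."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, table, rows = line.split("|")
        events.append(AccessEvent(user, datetime.fromisoformat(ts), table, int(rows)))
    return events


def build_profile(events):
    """Learn each user's normal tables, hours, queries per day and rows per query."""
    raw = defaultdict(lambda: {"tables": set(), "hours": set(),
                               "daily": defaultdict(int), "rows": []})
    for e in events:
        p = raw[e.user]
        p["tables"].add(e.table)
        p["hours"].add(e.when.hour)
        p["daily"][e.when.date()] += 1
        p["rows"].append(e.rows)
    profile = {}
    for user, p in raw.items():
        counts = list(p["daily"].values())
        profile[user] = {
            "tables": frozenset(p["tables"]),
            "hours": frozenset(p["hours"]),
            "daily_mean": mean(counts), "daily_std": pstdev(counts),
            "rows_mean": mean(p["rows"]), "rows_std": pstdev(p["rows"]),
        }
    return profile


def detect_anomalies(profile, events, k=3.0, min_daily_gap=5, min_rows_gap=20):
    """Return (event, reason) pairs for events that deviate from the learned profile.

    Ceilings are mean + k*stddev, but never closer than a fixed gap to the mean,
    so a user with a very regular baseline (stddev ~ 0) does not alert on noise.
    """
    alerts = []
    daily = defaultdict(int)
    for e in sorted(events, key=lambda x: x.when):
        p = profile.get(e.user)
        if p is None:
            alerts.append((e, "no baseline for user"))
            continue
        key = (e.user, e.when.date())
        daily[key] += 1
        if e.table not in p["tables"]:
            alerts.append((e, f"table {e.table} never accessed in baseline"))
        if e.when.hour not in p["hours"]:
            alerts.append((e, f"access at hour {e.when.hour:02d} outside normal hours"))
        day_ceiling = max(p["daily_mean"] + k * p["daily_std"], p["daily_mean"] + min_daily_gap)
        if daily[key] > day_ceiling:
            alerts.append((e, f"{daily[key]} queries today exceeds ceiling {day_ceiling:.1f}"))
        rows_ceiling = max(p["rows_mean"] + k * p["rows_std"], p["rows_mean"] + min_rows_gap)
        if e.rows > rows_ceiling:
            alerts.append((e, f"{e.rows} rows returned exceeds ceiling {rows_ceiling:.0f}"))
    return alerts


# Constructed training window: a chemist who only works assay data in office hours,
# and a reviewer who reads drug applications once a day.
BASELINE_LOG = """
2011-03-01T09:15|chemist|assay_results|12
2011-03-01T14:40|chemist|assay_results|20
2011-03-02T10:05|chemist|assay_results|8
2011-03-02T15:30|chemist|assay_results|25
2011-03-02T16:10|chemist|assay_results|15
2011-03-03T09:50|chemist|assay_results|10
2011-03-03T13:20|chemist|assay_results|30
2011-03-04T11:00|chemist|assay_results|18
2011-03-04T14:05|chemist|assay_results|22
2011-03-01T11:20|reviewer|drug_applications|40
2011-03-02T11:45|reviewer|drug_applications|35
2011-03-03T10:30|reviewer|drug_applications|42
""".splitlines()

# Constructed detection window: one normal chemist query, a reviewer bulk pull,
# an account with no history, and the chemist reading drug applications at night.
NEW_LOG = """
2011-03-07T10:30|chemist|assay_results|14
2011-03-07T11:00|reviewer|drug_applications|300
2011-03-07T12:00|contractor|drug_applications|10
2011-03-07T22:45|chemist|drug_applications|500
""".splitlines()


if __name__ == "__main__":
    prof = build_profile(parse_log(BASELINE_LOG))
    for event, reason in detect_anomalies(prof, parse_log(NEW_LOG)):
        print(f"{event.when:%Y-%m-%d %H:%M} {event.user:<10} {event.table:<18} {reason}")
```

The three questions from the list map directly onto the checks: an unseen table answers "what data was accessed", the per-day counter answers "how many times", and the hour and row ceilings answer "when" and "how much". In practice the baseline would be rebuilt on a rolling window and the ceilings tuned per role, but the structure stays the same.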
Bar-Yosef concludes “The chemist was eventually caught: ‘He was allegedly recorded by security software early this year accessing a confidential database on drug applications’. This is an example of how the access control works. A move outside of the normal required behaviour should sound the alarm. It’s just a shame that in this case it took the FDA five years to figure this one out. Had controls been put up sooner they would have saved themselves a lot of embarrassment.”