The $7.2 billion in fraud a rogue trader carried out against French banking giant Societe Generale wasn't an attack...
against a flawed operating system or application, the kind of threat enterprise IT shops are constantly warned about. Instead, security experts say the incident illustrates something potentially worse -- the damage that can ensue when a trusted insider with sinister ambitions learns the inner workings of the company network.
For IT security professionals, the incident is a lesson on the importance of internal controls, regular security reviews and keeping tabs on what users are up to. But even if a company has all the right security controls in place, industry analysts say the sobering fact is that a company can still fall victim to this sort of thing.
"It's still too early to know exactly what went wrong, if there were specific controls that just didn't work or that [the trader] found an area of exploitation outside of that which was controlled," said Gartner analyst Jay Heiser. "Early suggestions from what I've seen are that there were controls and that the alarms sort of went off" but that security personnel missed the warning signs at the time, Heiser said in an email exchange.
Societe Generale acknowledged last week that Jerome Kerviel, a 31-year-old trader, racked up a mountain of fraudulent trades that wound up costing the bank more than $7 billion. Kerviel allegedly used stolen passwords and other means to conceal his illegal activity. The bank said in a Web site statement (.pdf) that the trader had a "very good understanding of all of Societe Generale's processing and control procedures. In 2005 he became a trader in the arbitrage department [and ultimately] misappropriated the IT access codes belonging to operators in order to cancel certain operations."
French prosecutors announced Monday that they'll pursue four charges against him, including breach of confidence, misrepresentation and illegal use of logins. Ironically, Kerviel isn't accused of trying to steal company secrets and sell them to competitors or black marketers, as is usually the case with malicious insiders. Instead, he was simply trying to get recognized as an outstanding trader and earn the respect of colleagues, according to published reports.
Ken Pfeil, head of information security for the Americas Region of WestLB AG, a German-based bank with 5,000 employees, said it's difficult to speculate on what could have prevented the incident. But, he said, the fact that Kerviel had passwords to systems he shouldn't have had suggests the bank did not do periodic reviews of their user access rights.
"There's a reason that banks have controls," Pfeil said in an email exchange. "The fact that this person had knowledge (and system credentials) to bypass controls underscores the need for more effective technically-based and policy-governed measures."
Martin McKeay, a well-known security consultant, blogger and podcaster, said in an interview Monday that the bank may have had a good security program in place, but that all the security technology and policies in the world won't necessarily help if an employee is in a position to figure out the process and disable the alarms.
"Unless they had someone doing penetration tests on all their systems and procedures, I don't see how this could have been avoided," he said. "This is a straightforward case of old-fashioned fraud, with a trader who knew the systems and how to take advantage of them. It does drive home the point that the insider threat may not be the most common form of attack, but it can be the most damaging."
Clear-cut security lapses
Though some may see Societe Generale as a victim, Burton Group analyst Bob Blakley believes the bank had some clear-cut security deficiencies other IT shops should study and learn from. He said it's amazing that Kerviel was able to do what he did without triggering any of the internal security alarms.
"Regardless of how good he might have been at using the computer system, very simple controls should have been in place to prevent it," Blakley said. "The second thing is that, according to some of the reports I've read, he worked in the risk management office before he was a trader."
If that turns out to be true, Blakley said, the bank used bad judgment. It might be acceptable to let traders move into risk management because they understand the fraud someone might try to perpetrate and can help design procedures to prevent it, but moving someone from risk management to trading is a dangerous idea because that person knows the strengths and weaknesses of the oversight system, he said.
Blakley said there are some simple lessons in all this:
First, there must be a process of dual control, where no one trader is allowed to act alone. Important transactions should always be proposed by one individual and approved by another so that a conspiracy of at least two people would be necessary to do the company harm.
Second, the IT shop should never operate under the assumption that most users are good guys. "When you design a security system, it has to be done under the assumption that every user is the worst person imaginable," he said.
Heiser said another important lesson is to expect that bad things can happen when a company pushes employees too vigorously to take risks.
"If you encourage people to take risks, then they will take risks," he said.