Societe Generale: A cautionary tale of insider threats

By Bill Brenner, Senior News Writer 31 Jan 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The $7.2 billion in fraud a rogue trader carried out against French banking giant Societe Generale wasn't an attack against a flawed operating system or application, the kind of threat enterprise IT shops are constantly warned about. Instead, security experts say the incident illustrates something potentially worse -- the damage that can ensue when a trusted insider with sinister ambitions learns the inner workings of the company network.

The fact that this person had knowledge and system credentials to bypass controls underscores the need for more effective technically-based and policy-governed measures. Ken Pfeil, head of information security, Americas Region of WestLB AG

For IT security professionals, the incident is a lesson on the importance of internal controls, regular security reviews and keeping tabs on what users are up to. But even if a company has all the right security controls in place, industry analysts say the sobering fact is that a company can still fall victim to this sort of thing.

"It's still too early to know exactly what went wrong, if there were specific controls that just didn't work or that [the trader] found an area of exploitation outside of that which was controlled," said Gartner analyst Jay Heiser. "Early suggestions from what I've seen are that there were controls and that the alarms sort of went off" but that security personnel missed the warning signs at the time, Heiser said in an email exchange.

Abused passwords
Societe Generale acknowledged last week that Jerome Kerviel, a 31-year-old trader, racked up a mountain of fraudulent trades that wound up costing the bank more than $7 billion. Kerviel allegedly used stolen passwords and other means to conceal his illegal activity. The bank said in a Web site statement (.pdf) that the trader had a "very good understanding of all of Societe Generale's processing and control procedures. In 2005 he became a trader in the arbitrage department [and ultimately] misappropriated the IT access codes belonging to operators in order to cancel certain operations."

French prosecutors announced Monday that they'll pursue four charges against him, including breach of confidence, misrepresentation and illegal use of logins. Ironically, Kerviel isn't accused of trying to steal company secrets and sell them to competitors or black marketers, as is usually the case with malicious insiders. Instead, he was simply trying to get recognized as an outstanding trader and earn the respect of colleagues, according to published reports.

Ken Pfeil, head of information security for the Americas Region of WestLB AG, a German-based bank with 5,000 employees, said it's difficult to speculate on what could have prevented the incident. But, he said, the fact that Kerviel had passwords to systems he shouldn't have had suggests the bank did not do periodic reviews of their user access rights.

"There's a reason that banks have controls," Pfeil said in an email exchange. "The fact that this person had knowledge (and system credentials) to bypass controls underscores the need for more effective technically-based and policy-governed measures."

Insider threats: Five common insider threats and how to mitigate them: Users can be an enterprise's best defense or its worst enemy. They have access to valuable network resources and information that can be used for ill-gain. DuPont case highlights insider threat: A former DuPont scientist who admitted trying to steal $400 million worth of information illustrates the seriousness of insider threats, a security expert says. What are the proper procedures for handling a potential insider threat? In this SearchSecuity.com Q&A, Mike Rothman discusses how corporations can avoid insider threats by forming an incident response plan and monitoring employee behavior.

Martin McKeay, a well-known security consultant, blogger and podcaster, said in an interview Monday that the bank may have had a good security program in place, but that all the security technology and policies in the world won't necessarily help if an employee is in a position to figure out the process and disable the alarms.

"Unless they had someone doing penetration tests on all their systems and procedures, I don't see how this could have been avoided," he said. "This is a straightforward case of old-fashioned fraud, with a trader who knew the systems and how to take advantage of them. It does drive home the point that the insider threat may not be the most common form of attack, but it can be the most damaging."

Clear-cut security lapses
Though some may see Societe Generale as a victim, Burton Group analyst Bob Blakley believes the bank had some clear-cut security deficiencies other IT shops should study and learn from. He said it's amazing that Kerviel was able to do what he did without triggering any of the internal security alarms.

"Regardless of how good he might have been at using the computer system, very simple controls should have been in place to prevent it," Blakley said. "The second thing is that, according to some of the reports I've read, he worked in the risk management office before he was a trader."

If that turns out to be true, Blakley said, the bank used bad judgment. It might be acceptable to let traders move into risk management because they understand the fraud someone might try to perpetrate and can help design procedures to prevent it, but moving someone from risk management to trading is a dangerous idea because that person knows the strengths and weaknesses of the oversight system, he said.

Lessons learned
Blakley said there are some simple lessons in all this:

First, there must be a process of dual control, where no one trader is allowed to act alone. Important transactions should always be proposed by one individual and approved by another so that a conspiracy of at least two people would be necessary to do the company harm.

Second, the IT shop should never operate under the assumption that most users are good guys. "When you design a security system, it has to be done under the assumption that every user is the worst person imaginable," he said.

Heiser said another important lesson is to expect that bad things can happen when a company pushes employees too vigorously to take risks.

"If you encourage people to take risks, then they will take risks," he said.

Tags: Security Awareness Training and Internal Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Awareness Training and Internal Threats CISOs take measured steps to reduce social media risks Information security book excerpts and reviews Schneier-Ranum face-off, part 2: Social networking Health Net breach failure of security policy, technology Health Net healthcare data breach affects1.5 million Massive T-Mobile UK security breach involves insiders Secure your remote users in 2010 Layoffs prompt insider threat fears, cybersecurity survey finds How to use Internet security threat reports Creating a HIPAA employee training program

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary dumpster diving  (SearchSecurity.com) Honeynet Project  (SearchSecurity.com) insider threat  (SearchSecurity.com) National Computer Security Center  (SearchSecurity.com) pretexting  (SearchCIO.com) shoulder surfing  (SearchSecurity.com) single-factor authentication (SFA)  (SearchSecurity.com) social engineering  (SearchSecurity.com) Total Information Awareness  (SearchSecurity.com) trusted computing  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary