
Societe Generale bolsters internal controls, discovers second insider

By Robert Westervelt, News Editor
27 May 2008 | SearchSecurity.com


French banking giant Societe Generale issued a report Friday on how a rogue trader carried out more than $7 billion in fraud and on the ways the bank is bolstering security and internal control procedures to prevent future problems.


The Societe Generale report, written by PricewaterhouseCoopers and a special committee of the bank's board of directors, found that security system upgrades and new procedures were being deployed on schedule. The design phase of the program is nearly complete and the upgrades are expected to be rolled out over the course of two to three years.

Societe Generale acknowledged in January that Jerome Kerviel, a 31-year-old trader, used his knowledge of the bank's processing and control procedures to conduct fraudulent trades that wound up costing the bank more than $7 billion. Kerviel allegedly used stolen passwords and other means to conceal his illegal activity.

The bank's investigation also found that Kerviel had an assistant who entered a large number of fraudulent trades into the bank's systems. The bank calls the assistant a "middle office operational assistant," and said that the person entered at least 15% of Kerviel's fraudulent trades. The person had knowledge of the bank's operations division and was able to turn off any alerts triggered by Kerviel's trades. An email message between Kerviel and his assistant referring to the fraudulent trades was also discovered.


Since the discovery of the fraud in January, the bank has been bolstering its internal controls, starting with security training for traders and support staff. The bank is also revoking traders' write-access rights to middle office IT applications.

According to the report, Kerviel's fraudulent activity began in 2005 and took on massive proportions beginning in March 2007. The report characterizes oversight by Kerviel's trading manager and direct supervisor as "weak," resulting in little accountability for the trades he conducted.

"His new manager did not carry out any detailed analysis of the earnings generated by his trades or of their positions, thereby failing to fulfill one of the main tasks expected from a trading manager," according to the committee's findings.

In addition to internal processes, the bank said it was making "significant investments" in IT security to bolster applications and network infrastructure to detect problems and track actions carried out by the end-user. The bank will roll out a system designed to control and monitor the consistency of a user and the workstation used in a given day. A flaw discovered in the bank's Equities division transactional system is also being patched.

End-users have too many passwords for various applications and systems, according to the report. Some users were saving their passwords within spreadsheets and automatically logging into systems. The IT department will bolster management of user accounts and deploy a new authentication system to address the security gap. To reduce the number of passwords that one person needs to access sensitive applications, a software package will be rolled out and in place by 2009 so users can save their passwords securely.

The committee of Societe Generale's board of directors concluded that the bank's IT department would be under great pressure to implement internal control procedures and deploy security technologies.

"The capacity of the information technology department to respond to all of the demands will be a determining factor in the program's success," the committee said. "The bank will therefore have to recruit, train and integrate experienced employees."


