Notes on a trading scandal: What went wrong at Société Générale?

Société Générale disclosed
last week that unauthorized trading by one of its employees had cost it
$7.1 billion. Beyond the rogue trader, where does the blame for the scandal
lie?



French President Nicolas Sarkozy called the events at Société
Générale a "large-scale internal fraud", and Daniel
Bouton the Société Générale Chairman said the fraud
was a "one-off" and denied it was a trading or risk-management fault.

According to reports in the Wall
Street Journal, Mr. Kerviel "worked late into the night, essentially
burrowing into Société Générale's computers, as
he allegedly built a multilayered way to hide his trades by hacking into the
computer systems." The bank believes that "Mr. Kerviel spent many
hours of hacking to eliminate controls that would have blocked his super-sized
bets. Changes he is said to have made enabled him to eliminate credit and trade-size
controls, so the bank's risk managers couldn't see his giant trades on the direction
of indexes. Mr. Kerviel used the computer log-in and passwords of colleagues
both in the trading unit and the technology section."

If anyone had cared to pay any attention to what’s going on in business
globally they would have been aware that studies
by law enforcement agencies and Carnegie Mellon University’s Software Engineering
Institute CERT Program have proven that up to 90% of incidents in business relating
to the loss of assets results from staff that have privileged access to IT systems
and applications. It seems that the suspect trader had “in-depth knowledge
of the control procedures resulting from this former employment in the middle-office,"
and “in-depth knowledge of the control procedures” certainly means
privileged access to sensitive data.

Another interesting side note from the Carnegie Mellon study is that 57% of
those who were responsible for the fraud should not have had authorized system
access at the time of the attack. Many used privileged system access to take
technical steps to set up the attack before termination. It seems our Mr Kerviel
had knowledge from six years in Société Générale's
back office. Apparently he had to “breach five levels of controls to get
away with his trades” according
to a bank spokesman -- Piece of cake for anyone with privileged access!

Some other minor stats from the Carnegie Mellon report that I’m sure that
Société Générale would concur with today are that
81% of the organizations that are attacked experience a negative financial impact
as a result of insider activities; 75% of the organizations experience some
impact on their business operations, and 28% of the organizations experienced
a negative impact to their reputations!

So why did it happen? The investigations are not complete but Société
Générale like many similar organizations most likely do not have
effective mechanisms in place to control privileged access to systems and applications.

Privileged user accounts include some of the most powerful accounts defined
within an IT enterprise environment. Privilege passwords run on critical applications
and servers, operating systems, and databases. Often generic in nature, they
include, but are not limited to, generic accounts such as administrator on Wintel
platforms, root on UNIX systems, DBA passwords, and hard-coded passwords found
in application scripts throughout an enterprise. If the password becomes known,
multiple systems – and businesses - are at risk. And these accounts cannot
be managed by classic SSO solutions.

Today, in most organizations, we find that people use the same password value
for many systems and devices [see the IDC Whitepaper on Privileged
Password Management]. This reuse creates a common security hole that can
be exploited by anyone who has had access to the systems. System intruders use
valid credentials to log in as a privileged user and a target system because
the privileged password was either the default value provided by the manufacturer
or was very weak, easy to guess, or it simply hasn’t been changed in years.

While all of the platforms accessed via a privileged password are critical
and vulnerable, a particularly area of vulnerability are embedded application
passwords in applications such as Websphere, Weblogic, and many other application
servers. When two unattended software applications connect, they require a username
and a password, which are often stored in clear text or embedded in the application
code, configuration file, or script.

In many cases an application credential file can be simply copied from an application
server and the passwords can be deciphered in a matter of minutes via the Internet.
Cyber-Ark’s 2006
Privileged Password Survey revealed that 20% of enterprises have more than
1,000 applications and that 42% of enterprises reported that they never change
these passwords. This situation poses serious security risks and an untold number
of compliance violations as these powerful, embedded passwords are gradually
distributed undetected throughout an organization

A recent Garter
report concluded “that too many organizations and too many users have
permanent and full super-user, root or administrator privileges, a gaping vulnerability
that exposes mission-critical systems to accidental harm and malicious activity.
This can be addressed by using the privileged password management tools.

It is very likely that Société Générale IT security
staff was aware of their vulnerability since this has been one of the main audit
findings in most if not all financial institutions over the past 3 years, and
many organizations have acted to address this gaping hole in their organizational
security. It would not appear that this was the case at Société
Générale. Either the issue had not been identified by the auditors
or it had not been addressed by IT Security – who knows, we can only guess
at this stage but it does seem one of the more plausible reasons why this was
allowed to happen.

The bottom line is that there is not an organization that is not vulnerable
to an attack, either through deliberate targeting or through the failure of
IT security staff and auditors who in the interests of saving a nail in their
budget are prepared to risk the Kingdom.

Société Générale should serve as a wake-up call
to any organization that has not addressed the issue of Privileged Password
management and Application Password management and if what’s happened at
Société Générale doesn’t serve as a warning
to others to address what Burton
Group refers to as the “Seedy Underbelly of Identity” then it’s
only a matter of time till the next Kingdom goes down in flames

"For the lack of a nail a Kingdom was ultimately lost..." So goes
the old saying. For the lack of effective IT security it’s likely a bank
may be lost and with it the assets of tens of thousands of investors.