January 31, 2008, 11:32 AM — Société Générale disclosed
last week that unauthorized trading by one of its employees had cost it
$7.1 billion. Beyond the rogue trader, where does the blame for the scandal
lie?
French President Nicolas Sarkozy called the events at Société
Générale a "large-scale internal fraud", and Daniel
Bouton the Société Générale Chairman said the fraud
was a "one-off" and denied it was a trading or risk-management fault.
According to reports in the Wall
Street Journal, Mr. Kerviel "worked late into the night, essentially
burrowing into Société Générale's computers, as
he allegedly built a multilayered way to hide his trades by hacking into the
computer systems." The bank believes that "Mr. Kerviel spent many
hours of hacking to eliminate controls that would have blocked his super-sized
bets. Changes he is said to have made enabled him to eliminate credit and trade-size
controls, so the bank's risk managers couldn't see his giant trades on the direction
of indexes. Mr. Kerviel used the computer log-in and passwords of colleagues
both in the trading unit and the technology section."
If anyone had cared to pay any attention to what’s going on in business
globally they would have been aware that studies
by law enforcement agencies and Carnegie Mellon University’s Software Engineering
Institute CERT Program have proven that up to 90% of incidents in business relating
to the loss of assets results from staff that have privileged access to IT systems
and applications. It seems that the suspect trader had “in-depth knowledge
of the control procedures resulting from this former employment in the middle-office,"
and “in-depth knowledge of the control procedures” certainly means
privileged access to sensitive data.
Another interesting side note from the Carnegie Mellon study is that 57% of
those who were responsible for the fraud should not have had authorized system
access at the time of the attack. Many used privileged system access to take
technical steps to set up the attack before termination. It seems our Mr Kerviel
had knowledge from six years in Société Générale's
back office. Apparently he had to “breach five levels of controls to get
away with his trades” according
to a bank spokesman -- Piece of cake for anyone with privileged access!
Some other minor stats from the Carnegie Mellon report that I’m sure that
Société Générale would concur with today are that
81% of the organizations that are attacked experience a negative financial impact
as a result of insider activities; 75% of the organizations experience some
impact on their business operations, and 28% of the organizations experienced
a negative impact to their reputations!
So why did it happen? The investigations are not complete but Société
Générale like many similar organizations most likely do not have
effective mechanisms in place to control privileged access to systems and applications.
Privileged user accounts include some of the most powerful accounts defined
within an IT enterprise environment. Privilege passwords run on critical applications
and servers, operating systems, and databases. Often generic in nature, they
include, but are not limited to, generic accounts such as administrator on Wintel
platforms, root on UNIX systems, DBA passwords, and hard-coded passwords found
in application scripts throughout an enterprise. If the password becomes known,
multiple systems – and businesses - are at risk. And these accounts cannot
be managed by classic SSO solutions.
