What can CISOs learn from the Societe Generale debacle
It is astounding, and in the words of Societe Generale’s chairman and chief executive, Daniel Bouton, “unbelievable” that a single person could circumvent the security of France’s second largest bank and cause so much damage. This event drives home what security professionals have been saying for years: focus on the insider threat. Mr. Kerviel cost the bank $7.2 billion by making huge unauthorized trades that he hid for months, allegedly by hacking into the bank’s computers and creating fraudulent transactions to cover his tracks. The combined trading positions he built up totaled some €50 billion, or $73 billion. While this level of exposure going unnoticed boggles the mind, none of it could have happened without a fundamental failure of information security controls.
Here are ten lessons for us security folks to pass on to our executive teams.
· Security is first and foremost a people problem: Societe Generale probably had a good set of security products and technologies in place, but all the security technology in the world won’t necessarily help if an employee is in a position to figure out the processes and has the ability to disable the alarms. It drives home the point that the insider threat may not be the most common form of attack, but it is usually the most damaging.
· Monitor privileged access: I have had many conversations with CISOs who are reluctant to monitor their system administrators and privileged users because they feel that a level of trust exists between them and that monitoring would send the wrong signal. Although the majority of people are trustworthy, trusting your privileged users is not a defense that will hold up in any court. You have to design security systems on the assumption that every user could be a malicious user.
· Policies without implementation are worse than no policies at all. I’m sure Societe Generale had a policy against sharing passwords, and mechanisms to encrypt or mask them. So how was Mr. Kerviel able to gain access to not one but multiple passwords? Having a policy creates a liability for the organization to ensure that it is implemented, and a policy that is not implemented gives the organization a false sense of security.
· Not everyone is after the money. One persistent myth about hackers is that they are all after financial gain. This may or may not be true. In Societe Generale’s case, French prosecutors announced that they would pursue four charges, including breach of confidence, misrepresentation, and illegal use of logins. The company is not charging Kerviel with trying to steal company secrets or with financial fraud. All he wanted was to be seen as an exceptional trader, an astute market player.
· Policy, Implementation, and Audit should stay separate. We often forget that people who set the policy should not be the ones implementing or auditing it. Although all these groups work together to ensure the security of the organization, insider knowledge in one area should not be shared with other areas. This was clearly not considered when Kerviel moved from the auditing department to the department he audited (i.e., trading).
· You don’t need to be a genius to “hack” into systems. Kerviel was not a security expert, nor did he ever claim to be. He had extensive knowledge of the back office processes, and that knowledge enabled him to sidestep the controls in place. Jerome Kerviel lists Microsoft Office and Microsoft Visual Basic as his only IT-related skills. That is hardly the profile of a “hacker”.
· Access restrictions must be enforced as people move within the organization. Access control processes are not implemented well in most organizations. Companies usually terminate the access of employees who leave the company, but for people who change positions within a company, this is often not done, and the old entitlements stay with them. Hopefully Kerviel’s access privileges as he changed positions will be closely scrutinized as part of the investigation.
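The two lessons above (keeping policy, implementation and audit separate, and revoking access when people move) reduce to a check that can be run against an entitlement snapshot. The following is an added example, not code from the original article or from Societe Generale: it takes a constructed role-change history and a constructed snapshot of who currently holds what, then flags entitlements carried over from a previous role and toxic combinations that break the separation between booking trades and editing the controls that audit them. The role names, entitlement names, users and dates are all hypothetical.

```python
"""
Added example (not from the original article): a minimal mover/entitlement
review. Given a constructed role-change history and a constructed snapshot of
current entitlements, it reports (1) access a user still holds from a previous
role and (2) segregation-of-duties violations. All names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical role model: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "middle_office_audit": {"trade_reconcile_read", "control_report_edit"},
    "trader": {"trade_book", "position_view"},
}

# Hypothetical segregation-of-duties rule: nobody may both book trades and
# edit the control reports that are supposed to catch bad trades.
TOXIC_COMBINATIONS = [
    ({"trade_book", "control_report_edit"},
     "books trades and edits the controls that audit them"),
]


@dataclass(frozen=True)
class RoleChange:
    user: str
    role: str
    effective: date


@dataclass
class Finding:
    user: str
    kind: str
    detail: str


def current_role(history, user):
    """Most recent role for `user` in the role-change history, or None."""
    changes = sorted((c for c in history if c.user == user),
                     key=lambda c: c.effective)
    return changes[-1].role if changes else None


def review_entitlements(history, entitlements):
    """Return findings for stale mover access and toxic combinations."""
    findings = []
    for user, held in sorted(entitlements.items()):
        role = current_role(history, user)
        allowed = ROLE_ENTITLEMENTS.get(role, set())
        # Anything held beyond what the current role needs is mover residue
        # (or was never justified in the first place).
        stale = held - allowed
        if stale:
            findings.append(Finding(
                user, "stale_access",
                f"holds {sorted(stale)} not required by current role {role!r}"))
        for combo, why in TOXIC_COMBINATIONS:
            if combo <= held:
                findings.append(Finding(user, "toxic_combination", why))
    return findings


# Constructed sample data modelled on the pattern the article describes:
# one employee moves from the audit side to trading and keeps the old rights.
SAMPLE_HISTORY = [
    RoleChange("jdoe", "middle_office_audit", date(2002, 1, 1)),
    RoleChange("jdoe", "trader", date(2005, 3, 1)),
    RoleChange("asmith", "trader", date(2004, 6, 1)),
]
SAMPLE_ENTITLEMENTS = {
    "jdoe": {"trade_book", "position_view",
             "control_report_edit", "trade_reconcile_read"},
    "asmith": {"trade_book", "position_view"},
}

if __name__ == "__main__":
    for f in review_entitlements(SAMPLE_HISTORY, SAMPLE_ENTITLEMENTS):
        print(f"{f.user}: {f.kind}: {f.detail}")
```

Run on the constructed data, the review reports nothing for the trader who was always a trader and two findings for the mover: stale audit entitlements and a toxic combination. In practice the role model and the toxic-combination list come from the people who set policy, the snapshot comes from the identity system, and the review is run by the audit function, which is exactly the separation the lesson above asks for.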
· Awareness and training serve as the first line of defense. Awareness and training can reduce a significant amount of risk by informing users of their responsibility to follow policies and to report suspicious activity. Sadly, this is one area that many organizations ignore. I would be very surprised if there weren’t tell-tale signs of suspicious activity during this episode that a properly trained employee would have been able to spot.
· Repeated monitoring triggers may be a bellwether of a bigger issue. Societe Generale had challenged Kerviel several times about risky operations, and each time he produced fictitious documents to justify himself. Eurex, a derivatives exchange, alerted Societe Generale in November 2007 about the positions taken by Jerome Kerviel. Not heeding these advance warnings, and not recognizing that they might point to a much larger risk, were clearly mistakes.
· It could happen to the best of us. Societe Generale was a leader in derivatives and was considered by some to be one of the best risk managers in the world. The company seemed to understand many elements of risk management very well, yet still failed in a critically important area. There is often an assumption that things are more under control than they actually are. A recent Deloitte survey found that 46% of companies surveyed failed to have a formal security strategy in place. Still, 69% said they are "very confident" or "extremely confident" about their organization’s effectiveness at tackling external security challenges.
Sadly, events such as these make the point far more effectively than a CISO saying that we should implement security. So we should take this opportunity to remind our executives of how we could find ourselves in a similar situation if we don’t manage our information risks effectively.