Security lessons from the SoGen debacle
Jerome Kerviel, the Societe Generale trader that managed to lose more than $7 billion without the bank noticing, is facing charges of fraud and forgery. Security lessons of this debacle abound.
As background Societe Generale, the French banking giant, last week said that Kerviel, a 31 year old unknown within the bank, lost $7.3 billion. Now details have surfaced that Kerviel hacked into computers, used passwords and falsified documents to cover his tracks, according to the Associated Press.
Here's a look at the lessons learned:
Beware the insider: Richard Steinnon, who was all over the SoGen mess last week, correctly notes that the knowledgeable insider can be a nightmare for companies without proper controls.
When I was a white hat hacker for PricewaterhouseCoopers our security assessments were usually done in two phases. There would be an external penetration test followed by an internal check of processes and controls. During that internal check I would examine firewall policies, scan networks, and run various tools on representative servers and desktops. I would also interview key IT staff. It would take about four days to get an insider's feel for operations. And, in every case, I could discover ways to steal from the client company. In my opinion the only reason that most of these companies have *not* experienced a major theft is that people in general, and frankly IT staff in particular are trustworthy. But trust is not a good policy.
Stiennon's point is interesting. At some level a company has to trust its employees or it becomes a locked down unproductive state. That brings us to the next lesson.
Your internal controls stink. The fact this no-name was able to build positions larger than the bank's net worth indicates that internal controls were sorely lacking. I'd reckon that SoGen was clueless about its internal controls. See Stiennon's take.
AP reports:
Since the bets greatly exceeded the amount of capital he was allowed to risk, Kerviel entered fake and offsetting trades in Societe Generale's computer system that appeared to minimize the odds of big losses, the bank said. The trades were purposely chosen to avoid detection because they did not require cash contributions nor were subject to margin calls, which would require putting up more money if the fake bet soured, it said.
When you evaluate insider threats think about more than the motives. What's notable in this SoGen fiasco is that Kerviel's motivation wasn't all about money. French law enforcement officials told AP that money may have not been the primary motivation. Eluding SoGen's controls became a game. That's common in the security industry.
Intangible effects of security can be large. It's likely that SoGen skipped some controls due to costs or ease of use, but the effects of such shortcuts can be large. For instance, SoGen will now be seen as a bank with control problems. For years, the bank will be seen as bumbling. An in this market, trust is everything. Because SoGen trusted a no-name employee too much via lax controls the bank has to spend a lot of time on crisis communication--all in an attempt to show its well-run enough to hold money.