Saturday, 24 May 2008

Security Lessons Learned from Société Générale

In January 2008 there was an incident in which the bank Société Générale lost approximately €4.9 billion closing out positions over three days of trading beginning January 21, 2008, a period in which the market was experiencing a large drop in equity indices. The bank states these positions were fraudulent transactions created by Jérôme Kerviel, a trader with the company. The police stated they lacked evidence to charge him with fraud and charged him with abuse of confidence and illegal access to computers. Kerviel states his actions were known to his superiors and that the losses were caused by panic-selling by the bank.

Jérôme Kerviel combined several fraudulent methods to avoid the controls in place [3]:

  • firstly, he ensured that the characteristics of the fictitious operations limited the chances of a control: for example he chose very specific operations with no cash movements or margin call and which did not require immediate confirmation;
  • he misappropriated the IT access codes belonging to operators in order to cancel certain operations;
  • he falsified documents allowing him to justify the entry of fictitious operations;
  • he ensured that the fictitious operations involved a different financial instrument to the one he had just cancelled, in order to increase his chances of not being controlled.

How the fraud was uncovered:

Friday January 18th

  • Abnormal counterparty risk on a broker is detected several days earlier. The explanations provided by the trader result in additional controls.
  • On January 18th, the trader’s superiors are informed and in turn they alert the management of the division.
  • In the afternoon of January 18th, it appears that the counterparty for the recorded operations is in fact a large bank, but the confirmation e-mail raises suspicions.
  • A team is immediately created to start investigating the situation.

Saturday January 19th

  • Management cannot obtain a clear explanation from the trader.
  • The large bank in question does not recognise the operations.
  • The trader finally acknowledges committing unauthorised acts and, in particular, creating fictitious operations.
  • The investigation team starts piecing together his real position.

How the global economy was potentially impacted:

On January 21, 2008, European stock markets suffered heavy losses of about 6%. The sharp fall, which was followed by an emergency cut in the federal funds rate by the United States Federal Reserve on the following Tuesday (US markets were closed on the Monday for Martin Luther King Jr Day), came as Société Générale tried to close out positions built up by Kerviel.

This has led to speculation that stock market turbulence caused the Federal Reserve Board to cut the rate. A Federal Reserve spokesperson denied the central bank knew of Société Générale's situation when it made its decision.

It is estimated that over the period the total trading in futures and the cash market for the Euro Stoxx 50 was €544 billion. This would make the unwinding of Kerviel’s position account for five per cent or less of overall activity. Société Générale's investment banking chief, Jean-Pierre Mustier, acknowledged that the three days of forced selling played a role in the market's overall decline, but characterized that impact as "minimal".[2]

Jeremy Epstein wrote a good article in IEEE Security & Privacy magazine [1] about the security lessons learned from the Société Générale fraud committed by Jérôme Kerviel.

Jeremy highlighted security lessons that we should learn from this fraud. Some of them are as follows:

  1. Low tech attacks are easier
  2. Logs are only useful if they’re examined

Société Générale has taken several steps to tighten controls following an internal report into what went wrong in the Kerviel case. The report noted 74 red flags raised on Kerviel's trades that failed to sound the alarm — he was spotted only on the 75th. [4]

  3. Don’t rely on secrecy for security
  4. We’re looking at the wrong things
  5. Rights revocation must be tied to role assignments
  6. Social engineering is a threat
  7. Don’t believe everything you read

Kerviel apparently used his experience working in Société Générale's compliance department to exploit both human and technological weaknesses. He crafted fake e-mails detailing order requests from supposed clients. [5]

  8. Cutting staffing costs can backfire
  9. Features without assurance are ineffective
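The lesson that rights revocation must be tied to role assignments is easiest to see in code. The following Python is an added example, not code from the article or the bank: it contrasts a model in which a user's effective rights are recomputed from their current roles (so moving from a back-office role to a trading role drops the back-office rights automatically) with the common anti-pattern of granting rights directly to the user and never cleaning them up. Role names, permission names and the separation-of-duties pairs are hypothetical.

```python
"""Added example: role-derived entitlements vs. directly granted rights.
Role and permission names are hypothetical, not the bank's real ones."""

# Hypothetical role catalogue for a trading desk.
ROLE_PERMISSIONS = {
    "trader":      {"book_trade"},
    "back_office": {"cancel_trade", "amend_confirmation"},
    "compliance":  {"view_controls"},
}

# Permission pairs one person should never hold at the same time.
SEPARATION_OF_DUTIES = [
    ("book_trade", "cancel_trade"),
    ("book_trade", "amend_confirmation"),
]


class RoleDerivedAccess:
    """Effective rights are derived from the user's *current* roles only, so a
    role move revokes the old role's rights without a separate cleanup step."""

    def __init__(self):
        self.roles = {}  # user -> set of role names

    def assign_role(self, user, role):
        self.roles.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        self.roles.get(user, set()).discard(role)

    def move(self, user, old_role, new_role):
        self.revoke_role(user, old_role)
        self.assign_role(user, new_role)

    def permissions(self, user):
        perms = set()
        for role in self.roles.get(user, ()):
            perms |= ROLE_PERMISSIONS[role]
        return perms


class DirectGrantAccess:
    """Anti-pattern: rights are copied onto the user when a role is assigned and
    nobody removes them when the role changes, so rights accumulate."""

    def __init__(self):
        self.grants = {}  # user -> set of permissions granted directly

    def assign_role(self, user, role):
        self.grants.setdefault(user, set()).update(ROLE_PERMISSIONS[role])

    def move(self, user, old_role, new_role):
        # The job title changes, but the old grants are left in place.
        self.assign_role(user, new_role)

    def permissions(self, user):
        return set(self.grants.get(user, set()))


def sod_violations(perms):
    """Return the separation-of-duties pairs fully contained in perms."""
    return [pair for pair in SEPARATION_OF_DUTIES if perms >= set(pair)]


def demo(model_cls):
    """Move a hypothetical user from back office to the trading desk and
    report the rights they end up with and any toxic combinations."""
    ac = model_cls()
    ac.assign_role("user_a", "back_office")
    ac.move("user_a", "back_office", "trader")
    perms = ac.permissions("user_a")
    return perms, sod_violations(perms)


if __name__ == "__main__":
    print("role-derived:", demo(RoleDerivedAccess))
    print("direct grants:", demo(DirectGrantAccess))
```

The `sod_violations` check is the detection side: even where grants are managed by hand, periodically recomputing each user's effective rights and comparing them against the separation-of-duties pairs surfaces anyone who has kept back-office rights after moving to the front office.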

The bank says Kerviel faked hedging transactions across a range of financial instruments. They weren't spotted because Societe Generale's back office controllers monitored the trading of individual products separately. [4]
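Two of the lessons above (logs are only useful if they are examined, and controls that look at each product separately miss exposure spread across products) can be shown with a small detection script. The following Python is an added example, not code from the article or the bank; the positions, alert log lines, instrument names and limits are all constructed and hypothetical. It shows that per-instrument limit checks pass for every line while the per-trader aggregate breaches, and that counting alerts a trader has repeatedly "explained" away gives an escalation signal that a per-alert review never produces.

```python
"""Added example: siloed per-product checks vs. a cross-product view per trader,
plus counting alerts that keep being explained away. All data is constructed;
instrument names, limits and the log format are hypothetical."""
from collections import Counter, defaultdict

# Constructed positions: (trader, instrument, net notional in EUR millions,
# positive = long, negative = short). Not real trades.
POSITIONS = [
    ("T1", "IDX_A_FUT", 900),
    ("T1", "IDX_B_FUT", 800),
    ("T1", "IDX_C_FUT", 700),
    ("T1", "IDX_A_FWD", -20),   # token "hedge" booked in a different instrument
    ("T2", "IDX_B_FUT", 300),
    ("T2", "IDX_B_OPT", -250),
]

PER_PRODUCT_LIMIT = 1000   # hypothetical limit applied to one instrument
PER_TRADER_LIMIT = 1000    # hypothetical limit applied to a trader's whole book


def per_product_breaches(positions=POSITIONS, limit=PER_PRODUCT_LIMIT):
    """Silo view: each (trader, instrument) pair is checked on its own,
    the way a back office that monitors products separately would."""
    totals = defaultdict(int)
    for trader, instrument, notional in positions:
        totals[(trader, instrument)] += notional
    return sorted(key for key, net in totals.items() if abs(net) > limit)


def per_trader_breaches(positions=POSITIONS, limit=PER_TRADER_LIMIT):
    """Aggregate view: net exposure per trader across every instrument."""
    totals = defaultdict(int)
    for trader, _instrument, notional in positions:
        totals[trader] += notional
    return sorted(trader for trader, net in totals.items() if abs(net) > limit)


# Constructed control-alert log, one alert per line (hypothetical format):
# <date> <control> trader=<id> status=<explained|open>
ALERT_LOG = """\
2008-01-10 counterparty_risk trader=T1 status=explained
2008-01-11 margin_check trader=T1 status=explained
2008-01-12 counterparty_risk trader=T2 status=explained
2008-01-14 confirmation_missing trader=T1 status=explained
2008-01-15 counterparty_risk trader=T1 status=explained
2008-01-16 margin_check trader=T3 status=open
"""


def repeat_offenders(log_text=ALERT_LOG, threshold=3):
    """Count alerts per trader that were closed as 'explained'. A trader who
    keeps explaining alerts away is escalated instead of being closed again."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        fields = dict(part.split("=", 1) for part in parts[2:])
        if fields.get("status") == "explained":
            counts[fields["trader"]] += 1
    return {trader: n for trader, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("per-product breaches:", per_product_breaches())   # []
    print("per-trader breaches: ", per_trader_breaches())    # ['T1']
    print("repeat offenders:    ", repeat_offenders())       # {'T1': 4}
```

The design point is that the aggregate check and the repeat-offender count both consume data the bank already had; what changes is the grouping key (trader rather than instrument, and trader-over-time rather than one alert at a time).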

  10. Insider attacks (usually) have motivation

References:

1. IEEE Security & Privacy

2. Wikipedia

3. Société Générale

4. New York Times

5. BusinessWeek

Sunday, 17 February 2008

Information classification

Information classification is an important topic that deserves attention, as it is part of your information security management programme/framework. When I first started to identify the security controls required for each piece of information, I found the result was a subjective rather than an objective opinion. I read more about the matter and found that an information security classification scheme needs to be in place, which goes a long way towards making the judgement objective.

Information classification is the conscious decision to assign a level of sensitivity to information as it is being created, amended, enhanced, stored, or transmitted. The classification of the information should then determine the extent to which the information needs to be controlled / secured and is also indicative of its value in terms of Business Assets.


First we should know why we need to classify information. Information classification tells us which security controls and processes are needed; protecting low-value or public information is not like protecting confidential information.


Information classification challenges:

1- Difficulty in establishing a practical information classification scheme.

2- Lack of guidance and best practice for communicating the level of confidentiality and integrity.

3- Difficulty in identifying security controls for classified information.

4- Lack of understanding about how to run an information classification programme.


What we need to do:

1- Develop an information classification scheme.

2- Decide how to communicate the information classification scheme once built.

3- Build a security control matrix based on the information classification scheme.

4- Measure the information classification scheme's effectiveness and efficiency.


First we need some sort of information classification scheme, and currently I have the following classification as suggested by the ISF survey:


Public, Internal, Restricted and Secret

But which factors can we use to determine an accurate information classification?

  • Level of confidentiality.
  • Legal & regulatory requirements.
  • Changes to the content over time.

Second, put this classification model into use by labelling each document with its classification level, building an information classification awareness programme and making sure that SLAs contain information classification responsibilities and accountabilities.

Third, build a security control matrix for each stage of the information lifecycle, such as creation, processing, transmission, storage and disposal.

References:

1) Information Security Forum

2) Employee's Guide to Security Responsibilities

3) Security Education, Awareness, and Training: From Theory to Practice, by C. A. Roper, Joseph J.

Wednesday, 23 January 2008

Information Security strategy

Let’s first define what Information Security strategy is:

Information Security Strategy is a plan of actions that takes the information security function from mission to vision.

The information security function is often seen as fire-fighting and an overhead cost; for that reason there is a need to change this image and raise the information security profile in the organisation.

Building an information security strategy is very important to the business for the following reasons:

  • Optimising resources and prioritising tasks for the information security function.
  • Risk management in the organisation becomes more effective.
  • Improved communication with the organisation’s executives, as strategy is a common language to them.
  • Raising the information security profile in the organisation.

When we start to build our information security strategy we should keep the following in mind:

  • The information security strategy should align with and contribute to achieving the organisational strategy.
  • An information security strategy has three distinct aspects (supporting the business, defending against threats and raising the profile of the information security function).
  • Standard strategy tools and techniques (such as value chain analysis, risk analysis and strategic mapping) can be used to build it.


Reference:
ISF & IsecT dotcom