Interview: What Went Wrong at Societe Generale?

Breakdown of IT security and controls underscores the need for security to act as a business partner, says BearingPoint managing director

How did billions of dollars worth of fraudulent trades escape the notice of one of the largest financial services companies in Europe? Increasingly, it looks as if poor IT security and controls allowed trader Jerome Kerviel, with or without accomplices, to make trades that cost the French bank more than $7 billion. (See our news coverage.)

To get insight on the misfortune of Societe Generale, what it says about security and risk, and what security practitioners can learn from the bank’s plight, CSOonline.com looked to J.R. Reagan, the managing director and global solution leader for risk, compliance and security at management and technology consultancy BearingPoint.

CSO: Do you think Societe Generale suffered from lack of controls, or lack of security for controls?

J.R. Reagan, managing director and global solution leader for risk, compliance and security at BearingPoint: It’s a good example of how the insider threat can become the bigger issue in some companies. Much time is spent on protecting against the external threat, and rightly so, but the internal threat can be even larger in terms of risk to the company.

Financial institutions are made up of people in audit, compliance, financial risk and security. They don’t always talk to each other. Even if controls are put in place, the enforcement and automation of those controls isn’t well coordinated between those departments. Societe Generale is a good example of how the gray areas between those activities can be taken advantage of.

CSO: In your opinion, is there a gap between having these controls in place and actually securing them properly?

Reagan: Yes. For example, a company might have in place controls for password management but not enforce them, or the financial risk department might put password management in place but not be evaluated by the security side to make sure no one can break in. Those are the holes we’re talking about.

CSO: Is it more likely that Jerome Kerviel was able to bypass security and obtain access to the systems he did through social engineering, or some other way?

Reagan: He had knowledge of the back office. The other factor at play here is that in most organizations, anywhere between 50 and 60 or 70 percent of passwords are old: those that haven’t been purged from the system after people leave. Someone who has knowledge of the back office could easily use that to their advantage to gain access. In that case, there’s not a lot of need for social engineering.

CSO: What do you think about the fact that single-factor authentication was the level of security in place at Societe Generale, given the fact that most security practitioners would agree that level of security is not exactly safe?

Reagan: It certainly highlights the way in which security is viewed in an organization. Most security shops aren’t viewed as business partners. With something like dual-factor authentication, its necessity to reduce internal risk hasn’t been well articulated; it’s often positioned as “we just have to do this because we have to.” Also, in the case of Societe Generale, their activities deal with high volume, high velocity, and quick tempo trading of stock. Having dual-factor authentication would slow them down, and the business wouldn’t put up with something like that. The security team needs to explain the risk exposure and the possibility of losing billions in fraudulent trades if security is not adequately addressed. But most security guys aren’t well enough in tune with the business to be able to articulate a business case like that, so it falls on deaf ears.

CSO: How would someone be able to get away with this for such an extended period of time?

Reagan: Regardless of how many different anecdotes come out of the story, it all leads back to what controls were in place and how could it have been detected. Maybe the policy was there, but there was no automation to enforce it. Or maybe there was some automation, but it wasn’t well coordinated between departments. It’s definitely a good example of how security has to be more of a partner with the other organizations. It can’t act alone, and I think that’s what happened here.

CSO: Does it seem possible for one person to do what Kerviel allegedly did, or does it seem likely he had help? How would controls and security impact each of those scenarios?

Reagan: Although I can’t speak to the specifics of what happened at Societe Generale, it’s possible that one person could actually commit something like this, as it is a very unique environment. Because it is investment banking with large volume of trades, if the trades were not properly hedged, it could lead to large losses in a short amount of time generated by one person. Additionally, if someone had knowledge of internal controls, access to passwords, etc., this could enable a very complex scheme to be propagated for a prolonged amount of time.

CSO: What does security need to do to become a bigger part of the overall company?

Reagan: First and foremost, the security folks have to understand the business. The CIO function went through this transformation a few years ago, but the security arm isn’t quite at that best practice level yet. In cases like that of Societe Generale, it’s about understanding what transactions could really be exploited for an insider threat to be damaging, and determining how security would help in terms of either log analysis, or checking to see if passwords were being used in simultaneous transactions. It’s about using more automation and applying security to the internal controls the business has put in place.  

Identity management is also becoming a core function in every enterprise, and certainly that’s important in this case. The IDM strategy really has to be just that, a strategy. It can’t be viewed just as a technology in the corner that’s being tied to internal controls. If you’re going to implement single sign-on, you’re going to have more access to more things, but you have to make sure the controls match that.  

The last thing practitioners need to remember is that in many ways security is detail. Little things add up to big things. That was the case here, where people detected anomalies, but because of the volume of what needs to be done on a daily basis, little things often get ignored. And that’s a problem because fraudsters will exploit little things before the big things. Being able to heed those warning signs and prevent those gaps in the infrastructure from opening up is very important.  
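Two of the automated checks Reagan describes above, as an added example that is not part of the interview: flagging an account that is logged in on two terminals at the same time, and flagging logins by accounts whose owner has already left. The audit log format, account names, terminal names and leaver feed are all constructed for illustration.

```python
"""Added example: detection logic for two insider-threat indicators run over
constructed audit-log lines (one account active on two terminals at once, and
an account still logging in after its owner left the firm)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp, account, event, terminal (not real bank data).
SAMPLE_LOG = """\
2008-01-18T09:01:00,trader_a,login,DESK-12
2008-01-18T09:03:00,trader_a,login,BACKOFFICE-03
2008-01-18T09:20:00,trader_a,logout,DESK-12
2008-01-18T09:45:00,trader_a,logout,BACKOFFICE-03
2008-01-18T10:00:00,ops_b,login,BACKOFFICE-07
2008-01-18T10:30:00,ops_b,logout,BACKOFFICE-07
2008-01-18T11:00:00,trader_c,login,DESK-04
2008-01-18T11:02:00,trader_c,logout,DESK-04
"""

# Constructed HR leaver feed: account -> last day of employment.
LEAVERS = {"ops_b": datetime(2007, 11, 30)}

def parse_log(text):
    """Parse CSV-style lines into (timestamp, account, event, terminal), oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, account, event, terminal = line.split(",")
        events.append((datetime.fromisoformat(ts), account, event, terminal))
    return sorted(events)

def concurrent_sessions(events):
    """Return (account, existing_terminal, new_terminal) whenever an account that
    is still logged in on one terminal logs in on a different one."""
    active = defaultdict(dict)  # account -> {terminal: login time}
    findings = []
    for ts, account, event, terminal in events:
        if event == "login":
            for other in active[account]:
                if other != terminal:
                    findings.append((account, other, terminal))
            active[account][terminal] = ts
        elif event == "logout":
            active[account].pop(terminal, None)
    return findings

def stale_account_use(events, leavers):
    """Return (account, login_time) for logins by accounts whose owner has left:
    credentials that should have been purged but are still usable."""
    return [(account, ts) for ts, account, event, _ in events
            if event == "login" and account in leavers and ts > leavers[account]]
```

Both checks only work if the HR leaver feed and the authentication logs are actually joined, which is the cross-department coordination the interview says was missing.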

CSO: What can we learn from Societe Generale?

Reagan: Security truly has to act as a business partner. Right now, they aren’t speaking the language of the business and that’s why they get dismissed. They aren’t going to be an important part of IDM and controls if they can’t communicate how they can contribute and why they need to contribute. They need to act not just as technology partners, but as business partners.

Staff Writer Katherine Walsh can be reached at kwalsh@cxo.com.

Copyright © 2008 IDG Communications, Inc.
