Abstract
The objective of this paper is to identify and discuss policy issues, vulnerabilities, risks, and internal controls at Société Générale, a France-based banking organization. The paper investigates the security breach at the bank in 2008, which led to a $7 billion loss in financial assets. The strategic analysis is carried out by developing a risk assessment of the entity. A vulnerability assessment is then carried out to determine the target vector that was exploited by the attacker. Finally, an internal control analysis is conducted to determine how effective the bank's internal controls are and what loopholes exist in them. The result of the analysis will help the firm implement sound and robust security policies and countermeasures to ensure the confidentiality, integrity, and availability of its data and data infrastructure.
Introduction
Société Générale is among the largest banks in Europe. The bank was established in 1864 by a group of entrepreneurs with the aim of promoting the development of trade and industry in France (societegenerale.com, n.d.). For more than a century, the firm has evolved as an innovation-oriented entity with the goal of ensuring customer satisfaction. This attribute can be found in its value statement, which describes the firm's values as ensuring customer satisfaction through innovation, team spirit, responsibility, and commitment. Keeping customer records is part of the activities of any financial entity, which has led banks to employ various physical security measures to limit access to sensitive customer and banking information. However, Tim Berners-Lee's invention of the World Wide Web in 1990 changed this.
The "web helped popularize the Internet among the public, and served as a crucial step in developing the vast trove of information that most of us now access on a daily basis" (history.com, 2013) and changed the way business entities operate. The introduction of the World Wide Web (WWW) created a new spectrum of opportunities for organizations to expand their business ecosystems. Nonetheless, these activities also created new vulnerabilities for firms that are mostly inexperienced in information system security. These vulnerabilities have led organizations to implement several countermeasures and policies that ensure the integrity of their information systems. Such a strategy includes implementing well-crafted information system security and information system security policies.
Information system security policies stipulate specific procedures, guidelines, frameworks, and government information security laws and regulations to ensure the firm's data assets are secured. It is the job of the Chief Information Security Officer (CISO) to develop and implement information security programs. Essentially, it is the responsibility of the CISO to implement the policy procedures designed for the company's information infrastructure, with the approval of top management. It is most imperative for financial institutions like Société Générale to have stringent information security and security policies in place to establish customers' confidence in transacting business with the bank.
Ensuring the privacy of customers' data is essential to the realization of a financial institution's strategic objectives and mission. To attain this objective, firms craft effective controls that mitigate vulnerabilities to their data assets or operations; such controls include drafting and implementing a sound cybersecurity policy. However, the fraud of $7.14 billion uncovered at Société Générale in 2008 shows that this measure was either not in place or defective. The primary objective of this security evaluation is to expose the weaknesses in Société Générale's security framework and prescribe the security controls necessary to secure its information assets.
Background
On the 24th of January 2008, the French bank Société Générale informed its stakeholders that it had "uncovered $7.14 billion fraud — one of history's biggest — by a single futures trader whose scheme of fictitious transactions was discovered as stock markets began to stumble in recent days" (nbcnews, 2008). Per court records, the trader had no clear motive for the fraud, nor was it motivated by personal gain. Before the fraud, Société Générale was already experiencing financial strain, which led it to seek $8.2 billion (United States dollars) in capital from the European Union. Investigations revealed that the fraud had been ongoing since 2007 via an elaborate scheme of fictitious transactions. The trader was able to use his identification from a previous position within the firm to escalate his privileges to administrator level and make changes to the information system. The elevated privileges allowed the trader to conceal his activities within the system.
The trader's primary function involved basic futures hedging on European market indexes, i.e. the trader bets on the market's future movements. Per the incident response findings, the trader had been betting on future European earnings falling, then changed his bets to a rising market index at the beginning of 2008 (nbcnews, 2008). Additionally, the trader's prior knowledge of the bank's accounting office allowed him to understand the firm's risk mitigation strategy and its vulnerabilities, which allowed him to breach five levels of control. The trader could bypass the system security and alarm system to set up fake counter-trades that would not trigger alerts on his activities. The trader not only escalated his user privileges; he was also able to exceed the permitted scope of trade by betting on complex financial instruments against the bank's policy. Per Axel Pierron, a senior analyst at Celent, the "situation reveals that banks, despite the implementation of sophisticated risk management solutions, are still under the threat that an employee with a good understanding of the risk management processes can get around them to hide his losses" (nbcnews, 2008). At the end of the fraud investigation, analysis of the breach showed that the trader had carried out one thousand fraudulent trades without being detected by the security teams at Société Générale.
Vulnerability Assessment
The fraud at Société Générale led the firm to establish a Computer Emergency Response Team (CERT). The objective of the CERT is to analyze, monitor, respond to, alert on and report any cybersecurity breach, and to create information security awareness (Societegenerale.com, n.d.). The bank's CERT determined that the fraudulent activities started in 2005. However, inaction and a weak incident response plan allowed the fraud to go on for two years without being detected or stopped by the Incident Response Team (IRT). The analysis of the incident shows that the trader (Mr. Jerome Kerviel) had in-depth knowledge of the bank's risk monitoring systems, which allowed him to bypass them and clean his data footprint from the bank's log files. Additionally, the trader accused the bank of being aware of his activities but turning a blind eye so long as he met his trade return quota. Per the trader, his superiors would approach him saying "Hey, cash machine, how much did you earn today?" (Iskyan, K., 2016). On several occasions, the trader exceeded the company's maximum hedge fund buying amount.
For instance, the rogue trader purchased 30 billion euros worth of "Eurostoxx pan-European stock index futures contracts, 18 billion euros of Germany's DAX futures and 2 billion euros of London's FTSE futures" (Iskyan, K., 2016). To cover his tracks, the trader would buy a long hedge position and offset it with a short one, which counter-balanced the trade so that the illegal trade would not trigger an alert. Although the bank had a risk threshold, the trader could circumvent the bank's security policy by manipulating the risk software, thereby making higher-risk bets while the firm thought he was making smaller trades for higher yields (Iskyan, K., 2016). Mr. Kerviel would defeat the bank's fraud detection system by creating various fake accounts to hide his actions. The Société Générale fraud incident was labelled the biggest single fraud case in modern history, largely due to several lapses in cybersecurity culture and enforcement at the bank. These lapses include poor group policy implementation, privilege escalation, inefficient access control, authentication failure, a weak Acceptable Use Policy and its enforcement, and a weak corporate security awareness culture.
Recommendations
The fraud at Société Générale shows internal control that failed at different levels. It is imperative for firms that deal with financial and customer information to realize the need to set up different internal controls so that there are fail-safes at different levels of the organization. It is also imperative for these firms to adopt a proactive approach to information security rather than a reactive one. Such controls enable a firm to detect a breach of its security policies ahead of time, and give the organization enough time to take the corrective actions needed to mitigate the risk before it spreads to other parts of the organization. The analysis of Société Générale therefore gives us insight into how the bank can better protect itself so that the likelihood of such a breach recurring is reduced to near zero; hence, we propose that the following security measures be adopted by the bank:
Information Sharing: Adopt an information and report sharing process between all subsidiaries of the bank. This means the bank must establish a Computer Emergency Response Team (CERT) in all its regional headquarters, which allows for proper monitoring of sanctioned and unsanctioned activities and for taking appropriate measures in the event of a security breach. Furthermore, sharing reports between the different regional headquarters allows for separation of duties and checks and balances between them.
Separation of Duties: The analysis of the incident shows that a single trader could determine the amount he could bet on a hedge position without consulting any superior to confirm that it did not exceed the quota set by the bank. Therefore, this study recommends that a hierarchy of authorization be set up to ensure no rogue trader can exceed his or her trading quota without authorization from a supervisor and approval from the department head.
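The authorization hierarchy recommended above, and the offsetting counter-trade technique described in the vulnerability assessment, as an added example that is not part of the paper or of the bank's systems. It measures a trader's exposure on gross rather than net notional, so a long position "cancelled" by a fictitious short still counts towards the quota, and over-quota trades require two distinct approvers. The quota figure and the role names are assumptions.

```python
# Added example: two-level authorization for over-quota trades, measured on
# gross exposure so that offsetting counter-trades cannot hide the real position.
from dataclasses import dataclass, field

# Hypothetical per-trader quota in euros; the paper gives no real figure.
TRADER_QUOTA_EUR = 50_000_000

@dataclass
class Trade:
    trader: str
    notional_eur: float                           # positive = long, negative = short
    approvals: dict = field(default_factory=dict)  # role -> approver id

def gross_exposure(book, trader):
    """Sum of absolute notionals: a long offset by a short still counts twice."""
    return sum(abs(t.notional_eur) for t in book if t.trader == trader)

def net_exposure(book, trader):
    """What a naive risk check sees: longs and shorts cancel each other out."""
    return sum(t.notional_eur for t in book if t.trader == trader)

def authorize(book, trade, quota=TRADER_QUOTA_EUR):
    """Return (allowed, reason) for adding `trade` to the trader's `book`.

    Trades that push gross exposure over the quota need a supervisor and a
    department head, both distinct from the trader and from each other.
    """
    projected = gross_exposure(book, trade.trader) + abs(trade.notional_eur)
    if projected <= quota:
        return True, "within quota"
    sup = trade.approvals.get("supervisor")
    head = trade.approvals.get("department_head")
    if not sup or not head:
        return False, f"gross exposure {projected:,.0f} exceeds quota; two approvals required"
    if trade.trader in (sup, head) or sup == head:
        return False, "approvers must be distinct from the trader and from each other"
    return True, "approved by supervisor and department head"
```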
Awareness Training: The incident shows a deficient cybersecurity awareness culture at Société Générale. Therefore, we recommend a security awareness training program for all employees. Such a program must address new cyber threats to the information assets of the bank, and it also allows the firm to record and monitor the compliance level of its employees. In effect, it ensures employees are able to detect security breaches immediately and report them to the appropriate team to activate the necessary countermeasures.
Access Control: One of the loopholes exploited by the trader was elevated access to sensitive information. Therefore, effective access control must be implemented as both logical and physical control over the bank's information system. Further, when an employee is moved to a different unit or region, or is terminated, that employee's access rights must be revoked and the passwords changed. Access control lists must also be updated to ensure no former employee still has access to sensitive information, and all access must be based strictly on the employee's job function, thereby limiting privilege escalation.
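The access control recommendation above, as an added example that is not part of the paper or of the bank's systems: entitlements are derived only from an employee's current job function, so a transfer from the back office to the trading desk drops the back-office rights (the path the trader used) and forces a credential change, and termination removes all access. The role names and entitlement names are assumptions.

```python
# Added example: role-based entitlements that follow the employee's current
# role only, with forced credential rotation on transfer and full revocation
# on termination.

# Hypothetical role-to-entitlement mapping; the paper names no real systems.
ROLE_ENTITLEMENTS = {
    "back_office": {"view_trades", "edit_trade_records", "adjust_risk_limits"},
    "trader": {"view_trades", "book_trade"},
}

class Directory:
    def __init__(self):
        self.role = {}                 # employee id -> current role (absent = no access)
        self.rotation_pending = set()  # employees who must change password before use

    def hire(self, emp, role):
        self.role[emp] = role
        self.rotation_pending.add(emp)  # initial credential must be set by the user

    def transfer(self, emp, new_role):
        """Move to another unit: old role's rights vanish, password must be changed."""
        self.role[emp] = new_role
        self.rotation_pending.add(emp)

    def terminate(self, emp):
        self.role.pop(emp, None)
        self.rotation_pending.discard(emp)

    def rotate_password(self, emp):
        self.rotation_pending.discard(emp)

    def entitlements(self, emp):
        """Rights come from the current role only; nothing carries over."""
        return ROLE_ENTITLEMENTS.get(self.role.get(emp), set())

    def check_access(self, emp, action):
        """Return (allowed, reason) for `emp` attempting `action`."""
        if emp not in self.role:
            return False, "no active role (terminated or unknown)"
        if emp in self.rotation_pending:
            return False, "credentials must be rotated before access"
        if action not in self.entitlements(emp):
            return False, f"{action} not granted to role {self.role[emp]}"
        return True, "allowed"
```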
Defense-in-depth: Société Générale must adopt a multi-layered information security approach. Per OWASP, such an approach ensures that when one security mechanism fails, other security mechanisms can mitigate the breach. It is imperative that a defense-in-depth (DiD) approach is adopted by Société Générale, since one of the attack vectors exploited by the trader was a weak security structure in the bank.
Data Classification: Per NIST recommended guidelines, data must be classified according to the level of importance of the information and its impact on the business. NIST SP 800-122 (2010) on personally identifiable information (PII) stipulates that data be classified as low, medium, or high, which allows the firm to prioritize data according to its classification and limit exposure to the risk of breach. All financial service types must also be classified per the service type and the employee's position and access level.
Multi-factor authentication: Société Générale must implement multi-factor authentication to ensure the integrity of its data assets. This means that more than a single method of authentication will be required from the user before access is granted, which verifies the identity of the user and ensures non-repudiation.
Encryption Standard: It is imperative that Société Générale adopt a more secure encryption standard. Therefore, we recommend the bank adopt the American encryption standard instead of the European International Data Encryption Algorithm (IDEA), which uses a 128-bit encryption key. The Advanced Encryption Standard (AES) of the United States, however, uses a 256-bit encryption key, which ensures confidentiality of the data assets.
Patch Management: Société Générale must adopt a patch management system that ensures any vulnerability within its information infrastructure is patched in a timely manner. Furthermore, such patch management ensures vulnerabilities are checked and penetration testing is run on its data infrastructure for integrity. Such patch management must also include intrusion detection and intrusion prevention systems and firewalls (both internal and external facing). The client-facing firewall ensures all source addresses, client-specific queries, and lateral movement by a client are known and monitored. It also helps create security policies around the query patterns.
Regular Security Auditing: Regular security auditing ensures all activities and log files are analyzed against security baselines and any non-compliant system is patched to meet compliance. An external security auditor must audit the security infrastructure of Société Générale at least once a year to verify that it meets its internal controls and government regulations.
Penalty for non-compliance: A more stringent non-compliance policy must be drafted and communicated regularly to all users. Additionally, users must be made aware of the penalties for non-compliance, ranging from legal prosecution to internal discipline depending on the guidelines outlined in the information security policy of Société Générale.
Conclusion
As mentioned earlier, the introduction of the internet has exposed firms to a new spectrum of threats, both from within and from outside their organizational control. Therefore, it is imperative for Société Générale to adapt to this changing business environment by adopting the measures necessary to ensure continuity of its business operations through proper implementation of its information security framework. The security incident in 2008 was not the first of its kind, although it was the largest. The incident shows that although firms are aware of threats to their data integrity, little effort is put into ensuring their data assets are safe from malicious actors. The security breach at Société Générale was a wake-up call not just for Société Générale but for all organizations. We believe that proper implementation of the above recommendations will help limit the likelihood of such an incident occurring again.
References
History.com (2013). Who invented the internet? Retrieved from: https://www.history.com/news/ask-history/who-invented-the-internet
Iskyan, K. (2016). This is how the world's most "successful" rogue trader operated. Retrieved from: https://stansberrychurchouse.com/education/investment-education/this-is-how-the-worlds-most-successful-rogue-trader-operated/
nbcnews (2008). French Bank blames trader for $7 billion fraud. Retrieved from: http://www.nbcnews.com/id/22818054/ns/business-world_business/t/french-bank-blames-trader-billion-fraud/
NIST (2010). SP 800-122. Retrieved from: https://csrc.nist.gov/publications/detail/sp/800-122/final
OWASP (n.d.). Defense in depth. Retrieved from: https://www.owasp.org/index.php/Defense_in_depth
Societegenerale.com (n.d.). CERT: Société Générale. Retrieved from: https://cert.societegenerale.com/en/missions.html
Societegenerale.com (n.d.). Our Values. Retrieved from: https://www.societegenerale.com/en/about-us/our-identity/our-values