French President Nicolas Sarkozy called the events at Société Générale a "large-scale internal fraud", and Daniel Bouton the Société Générale Chairman said the fraud was a "one-off" and denied it was a trading or risk-management fault.
According to reports in the Wall Street Journal, Mr. Kerviel "worked late into the night, essentially
burrowing into Société Générale's computers, as he allegedly built a multilayered way to hide his trades by hacking
into the computer systems." The bank believes that "Mr. Kerviel spent many hours of hacking to eliminate controls that
would have blocked his super-sized bets. Changes he is said to have made enabled him to eliminate credit and
trade-size controls, so the bank's risk managers couldn't see his giant trades on the direction of indexes. Mr.
Kerviel used the computer log-in and passwords of colleagues both in the trading unit and the technology section."
If anyone had cared to pay any attention to what’s going on in business globally they would have been aware that
studies by CERT and law enforcement agencies have proven that up to 90% of incidents in business relating to the
loss of assets results from staff that have privileged access to IT systems and applications. It seems that the
suspect trader had "in-depth knowledge of the control procedures resulting from this former employment in the
middle-office," and "in-depth knowledge of the control procedures" certainly means privileged access to sensitive data.
Another interesting side note from the study is that 57% who were responsible for the fraud should not have had
authorized system access at the time of the attack. Many used privileged system access to take technical steps to set
up the attack before termination. It seems our Mr Kerviel had knowledge from six years in Société Générale's back
office. Apparently he had to "breach five levels of controls to get away with his trades," according to a bank
spokesman: a piece of cake for anyone with privileged access.
Some other minor stats that I’m sure that Société Générale would concur with today are 81% of the organizations
that are attacked experience a negative financial impact as a result of insider activities; 75% of the organizations
experience some impact on their business operations, and 28% of the organizations experienced a negative impact to
their reputations.
So why did it happen? The investigations are not complete but Société Générale like many similar organizations
most likely do not have effective controls in place to control privileged access to systems and applications.
Privileged user accounts have been aptly characterized as the most powerful accounts defined within an IT
enterprise environment. Privilege passwords run on critical applications and servers, operating systems, and
databases. Often generic in nature, they include, but are not limited to, generic accounts such as administrator
on Wintel platforms, root on UNIX systems, DBA passwords, and hard-coded passwords found in application scripts
throughout an enterprise. If the password becomes known, multiple systems--and businesses--are at risk. And these
accounts cannot be managed by classic SSO solutions.
Today, in most organizations, we find that people use the same password value for many systems and devices. This
reuse creates a common security hole that can be exploited by anyone who has had access to the systems. System
intruders use valid credentials to log in as a privileged user and a target system because the privileged password
was either the default value provided by the manufacturer or was very weak, easy to guess, or it simply hasn’t been
changed in years.
While all of the platforms accessed via a privileged password are critical and vulnerable, a particularly area of
vulnerability are embedded application passwords in applications such as Websphere, Weblogic, and many other
application servers. When two unattended software applications connect, they require a username and a password, which
are often stored in clear text or embedded in the application code, configuration file, or script.
In many cases an application credential file can be simply copied from an application server and the passwords
can be deciphered in a matter of minutes via the Internet. A recent Cyber-Ark password survey revealed that 20% of
enterprises have more than 1,000 applications and that 42% of enterprises reported that they never change these
passwords. This situation poses serious security risks and an untold number of compliance violations as these
powerful, embedded passwords are gradually distributed undetected throughout an organization
In a recent Garter report they conclude "that too many organizations and too many users have permanent and full
super-user, root or administrator privileges, a gaping vulnerability that exposes mission-critical systems to
accidental harm and malicious activity. This can be addressed by using the privileged password management tools.
It is very likely that Société Générale IT security staff was aware of their vulnerability since this has been
one of the main audit findings in most if not all financial institutions over the past three years, and many
organizations have acted to address this gaping hole in their organizational security. It would not appear that
this was the case at Société Générale. Either the issue had not been identified by the auditors or it had not been
addressed by IT Security: who knows? We can only guess at this stage, but it does seem one of the more plausible
reasons why this was allowed to happen.
The bottom line is that there is not an organization that is not vulnerable to an attack, either through
deliberate targeting or through the failure of IT security staff and auditors who in the interests of saving a
nail in their budget are prepared to risk the Kingdom.
Société Générale should serve as a wake-up call to any organization that has not addressed the issue of Privileged
Password management and Application Password management and if what’s happened at Société Générale doesn’t serve as
a warning to others to address what Burton Group refers to as the "Seedy Underbelly of Identity," then it’s only a
matter of time till the next Kingdom goes down in flames.
So goes the old saying, "For the lack of a nail a Kingdom was ultimately lost..." For the lack of effective IT
security it’s likely a bank may be lost and with it the assets of tens of thousands of investors.
About the Author
Calum Macleod is the European director of Cyber-Ark Software. He has more than 30 years of experience in the IT industry. Prior to joining Cyber-Ark, he was a public key infrastructure and virtual private network solutions consultant, as well as a business development and product manager in several U.S. and European companies.
