Information Security Today Home

New Books

IT Control and Audit, Third Edition
IT Control and Audit, Third Edition
IT Control and Audit, Third Edition
IT Control and Audit, Third Edition
Insider Computer Fraud: An In-depth Framework for Detecting and Defending against Insider IT Attacks

Lack of Privileged Password Management Can Explain What Went Wrong at Société Générale

by Calum Macleod

French President Nicolas Sarkozy called the events at Société Générale a "large-scale internal fraud", and Daniel Bouton the Société Générale Chairman said the fraud was a "one-off" and denied it was a trading or risk-management fault.

According to reports in the Wall Street Journal, Mr. Kerviel "worked late into the night, essentially burrowing into Société Générale's computers, as he allegedly built a multilayered way to hide his trades by hacking into the computer systems." The bank believes that "Mr. Kerviel spent many hours of hacking to eliminate controls that would have blocked his super-sized bets. Changes he is said to have made enabled him to eliminate credit and trade-size controls, so the bank's risk managers couldn't see his giant trades on the direction of indexes. Mr. Kerviel used the computer log-in and passwords of colleagues both in the trading unit and the technology section."

If anyone had cared to pay any attention to what’s going on in business globally they would have been aware that studies by CERT and law enforcement agencies have proven that up to 90% of incidents in business relating to the loss of assets results from staff that have privileged access to IT systems and applications. It seems that the suspect trader had "in-depth knowledge of the control procedures resulting from this former employment in the middle-office," and "in-depth knowledge of the control procedures" certainly means privileged access to sensitive data.

Another interesting side note from the study is that 57% who were responsible for the fraud should not have had authorized system access at the time of the attack. Many used privileged system access to take technical steps to set up the attack before termination. It seems our Mr Kerviel had knowledge from six years in Société Générale's back office. Apparently he had to "breach five levels of controls to get away with his trades," according to a bank spokesman: a piece of cake for anyone with privileged access.

Some other minor stats that I’m sure that Société Générale would concur with today are 81% of the organizations that are attacked experience a negative financial impact as a result of insider activities; 75% of the organizations experience some impact on their business operations, and 28% of the organizations experienced a negative impact to their reputations.

So why did it happen? The investigations are not complete but Société Générale like many similar organizations most likely do not have effective controls in place to control privileged access to systems and applications.

Privileged user accounts have been aptly characterized as the most powerful accounts defined within an IT enterprise environment. Privilege passwords run on critical applications and servers, operating systems, and databases. Often generic in nature, they include, but are not limited to, generic accounts such as administrator on Wintel platforms, root on UNIX systems, DBA passwords, and hard-coded passwords found in application scripts throughout an enterprise. If the password becomes known, multiple systems--and businesses--are at risk. And these accounts cannot be managed by classic SSO solutions.

Today, in most organizations, we find that people use the same password value for many systems and devices. This reuse creates a common security hole that can be exploited by anyone who has had access to the systems. System intruders use valid credentials to log in as a privileged user and a target system because the privileged password was either the default value provided by the manufacturer or was very weak, easy to guess, or it simply hasn’t been changed in years.

While all of the platforms accessed via a privileged password are critical and vulnerable, a particularly area of vulnerability are embedded application passwords in applications such as Websphere, Weblogic, and many other application servers. When two unattended software applications connect, they require a username and a password, which are often stored in clear text or embedded in the application code, configuration file, or script.

In many cases an application credential file can be simply copied from an application server and the passwords can be deciphered in a matter of minutes via the Internet. A recent Cyber-Ark password survey revealed that 20% of enterprises have more than 1,000 applications and that 42% of enterprises reported that they never change these passwords. This situation poses serious security risks and an untold number of compliance violations as these powerful, embedded passwords are gradually distributed undetected throughout an organization

In a recent Garter report they conclude "that too many organizations and too many users have permanent and full super-user, root or administrator privileges, a gaping vulnerability that exposes mission-critical systems to accidental harm and malicious activity. This can be addressed by using the privileged password management tools.

It is very likely that Société Générale IT security staff was aware of their vulnerability since this has been one of the main audit findings in most if not all financial institutions over the past three years, and many organizations have acted to address this gaping hole in their organizational security. It would not appear that this was the case at Société Générale. Either the issue had not been identified by the auditors or it had not been addressed by IT Security: who knows? We can only guess at this stage, but it does seem one of the more plausible reasons why this was allowed to happen.

The bottom line is that there is not an organization that is not vulnerable to an attack, either through deliberate targeting or through the failure of IT security staff and auditors who in the interests of saving a nail in their budget are prepared to risk the Kingdom.

Société Générale should serve as a wake-up call to any organization that has not addressed the issue of Privileged Password management and Application Password management and if what’s happened at Société Générale doesn’t serve as a warning to others to address what Burton Group refers to as the "Seedy Underbelly of Identity," then it’s only a matter of time till the next Kingdom goes down in flames.

So goes the old saying, "For the lack of a nail a Kingdom was ultimately lost..." For the lack of effective IT security it’s likely a bank may be lost and with it the assets of tens of thousands of investors.


About the Author
Calum Macleod is the European director of Cyber-Ark Software. He has more than 30 years of experience in the IT industry. Prior to joining Cyber-Ark, he was a public key infrastructure and virtual private network solutions consultant, as well as a business development and product manager in several U.S. and European companies.

 
Subscribe to Information Security Today





Powered by VerticalResponse

Share This Article

Mixx it digg


© Copyright 2008-2009 Auerbach Publications