The huge losses reported by French bank Société Générale,
apparently caused by a rogue trader with inside knowledge of the bank's procedures,
don't necessarily point to an IT systems failure but rather to poor management
of those systems, analysts say.

The bank has accused 31-year-old employee Jerome Kerviel of creating a fraudulent
trading position in the bank's computers that ultimately caused it to lose around
€4.9 billion (US$7.3 billion).

Kerviel achieved this by, among other things, misappropriating computer passwords,
the bank said. It has revealed few other technical details of what caused the
losses.

Management of passwords, including rescinding the old passwords of employees
who move to different positions within the bank, or modifying the level of access
those passwords allow, is often a task given to the lowest-level IT worker.

"It's dull and routine 99 percent of the time, but a vital backstop,"
said Bob McDowall, senior analyst at the TowerGroup. Senior IT managers should
conduct more frequent reviews of password policies, he said.

In some cases, it may not have been the security of the passwords themselves
that posed a problem, but rather the access those passwords allowed, said Ian
Walden, professor of information and communications law at Queen Mary, University
of London.

Organizations tend to think of access as being binary in nature: you get access
to it all, or you don't, Walden said. In reality, there are many more levels
of access. "In modern, complicated systems, the granularity has to be much
more sophisticated."

To make the best use of systems with advanced access controls, the IT department
must have a thorough understanding of how the business works and where there
is risk.

IT departments and business managers have yet to find a way to wrap security
into business processes so it is not an impediment, Walden said.

"IT in a company is not given a sufficient status," Walden said.
"What's shocking is you would have thought that the financial sector was
more sophisticated than this, but it still tends to be the case that security
is an add-on and a block, something you've got to live with but you don't have
to like, rather than being viewed as an integral part of the business structure."

Workers should be able to do their job without having to share passwords when
someone goes on holiday, and the IT department should not make it harder for
people to perform their duties, Walden said.

In one extreme example at telecommunications company BT, one employee didn't
have the right to use a computer at all, but he found it helped him do his job,
Walden said.

"By the time he was found, he had 90 passwords of different employees,"
Walden said.

It's possible that financial institutions could use biometric systems, such
as fingerprint scanners, to provider an added layer of security, McDowall said.
Those systems, however, are expensive. Also, the sometimes-finicky fingerprint
scanners may not be appropriate in a frantic trading environment, McDowall said.

Questions remain about how Kerviel's losses could be so high given his job
as relatively low-level trader. But Kerviel's career progression in 2005 from
the bank's back office to the front office -- where he would have had access
to client accounts -- is also troubling since he would have gained greater knowledge
on the bank's inner controls, McDowall said.

As an arbitrage trader, Kerviel made money off price differences between different
financial products. Société Générale said Kerviel
balanced real and fake trades in order to avoid setting off internal alarms.

Kerviel has been described in some press reports as a computer genius. However,
most attackers used unsophisticated methods for exploiting systemic vulnerabilities
in applications, processes and procedures, according to the 2005 "Insider
Threat Study" by Carnegie Mellon Software Engineering Institute.

That report notes that sophisticated tools are also used in some attacks, which
would demand that internal financial systems need to be designed on a more defensive
footing.

Programmers should code under the assumption that a hacker or employee will
use every means in order to break in, said Ben Rothke, senior security consultant
at BT's International Network Services.

"The underlying issue is that many systems are designed to stop honest
people from making mistakes, but do not take into account those with malicious
intent," Rothke said.

It makes insider jobs one of the toughest to defend against. The psychological
profile of an insider tends to be a disgruntled employee who feels wronged by
the company, according to the Insider Threat Report.

That in turn can lead to a suspicious behavior such as staying late at work,
which paradoxically might only signal a committed employee.

"It's always the insider," Rothke said. "It's often harder to
steal US$10,000 from a bank than $10 million."

IDG News Service

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine