Wednesday, January 30, 2008

Societe Generale .. messed up information security controls

They say that they have SIX levels of controls... so were the controls working? Or were they drunk (or disabled to allow easy access) for over a year?

And what were the auditors doing?
And what were the managers to whom M. Kerviel reported doing?

Obviously the Societe Generale team has no clue about the concept of Segregation of Duties, or about Identity Management at the most basic level. One would expect SoD to be in place and levels of responsibility to be established. There seems to be no limit on the transaction value which an individual can transact and, to top this sad state of affairs, there is no oversight of the trader's actions.

The spirit of Governance is sorely lacking: in terms of communication, in terms of transparency (since this is a public institution), in terms of (seemingly) witch-hunting, and in terms of absolving the Chairman of any responsibility in the affair. The basic tenet of good governance is that the bosses are responsible for EVERY MESS as much as they are responsible for every win, and that they have to know what is going on in the organization, especially when the risk is so high.

Incident Management sucks - their communication plan is all messed up. Every statement has been made as a knee-jerk reaction. Statements do not seem to be backed by any investigation and just make allegations. Then there are mis-statements like the correction of the original amount of $7.1 bn, now split into 5.1 from the trade and 2 from the sub-prime exposure.

Their reputation is already in the pits, and with these gaffes they are just making themselves look sillier and sillier. If bank chairmen are such, I think I can do a better job.

Risk Management... does it exist outside their policy book? They claim to have the most sophisticated risk management system, but does it exist in practice? That is the catch, and this is how it is everywhere. Policies are made along with loud noises, but then what? Whether the policy moves into practice, and whether the practice is sustained, is the billion dollar question. Everyone wants to know how this works at SG, and it is anyone's guess whether these guys are going to share their sob story.

The jury is out on this... a trader is exposed for about $50+ bn, which is enough to wipe out the bank. And NO ONE IN THE BANK KNOWS! So does he not report to anyone? Are there no pay-outs or pay-ins which have to be entered into the books of account, no cheques to issue, no payments to acknowledge? Do we assume that he made the trade, then HE wrote up the books of account, and then HE signed every cheque / voucher? In other words, he (a junior trader) ran the bank department, or HE was the department.

We do know that red flags were raised about his positions, so was his work put under review, and was a limit set on his activities?

... there is much, much more here, and it will be a great drama which will unfold over the next few days / weeks. We have the first statements from the 'rogue trader', and as he talks and as the police investigate at SG we shall see and hear a lot more.

The article on the BBC website is an interesting read: SocGen Unhedged, by Robert Peston.

Societe Generale ... lies, lies and all lies

So Societe Generale lost 7.1 bn last week, then restated this to $ 5.x bn because 2.x bn was a loss from the sub-prime plague.

And it was a rogue trader who opened SG's purse, but was it a rogue rat who cast the sub-prime spell on them? Who has been blamed for this?

Daniel Bouton, the bank's Chairman, is on a panhandling trip to get $5.x bn and keeps his job, while his resignation is still on the desk. A moral resignation nevertheless, which was honorably presented the moment the s%6t hit the ceiling.

Consider the lies which have been hogging the news:

First it was "Rogue trader defrauds the bank of $ 7.1 bn"

There was no defrauding the bank. This guy was doing his job, and that too, independently. There was no one checking his work! Cool... give me the bank treasury and I will also play the stock exchange at will.
Hey, what happened to the 7.1 bn - now it is only 5.1 bn! The other 2 bn is actually the hit SG got from the sub-prime exposure, and sorry, the Chairman goofed up in his communication to the Prime Minister, the Central Bank, the public and shareholders at large.
It's okay, this is just a couple of billion here or there! So what if I just messed up the European market a tad while squaring all holdings.

And he was "a junior trader, recently promoted from the back office, so he has intimate knowledge of the systems and easily circumvented controls".

Another white lie - he has been trading since 2005 (?), so that is pretty recent! Three years on the trading desk, and he contributed €1.5 bn to the bank kitty with his trading profits last year. Pretty cool performance for a junior trader, and I am sure there was a lot of Champagne and partying at the end of the year when the numbers came in. Will you be surprised to find that the Chairman sent a case of Dom along with a card?

The Chairman said that he did not know him...

OK, we shall take it at face value. The Chairman is not supposed to know everyone in the bank. And considering how loose the controls at SG are, I am apt to believe that there are hundreds / thousands of traders betting the bank's pants every day and making a billion plus for the bank every year.

The French government wants to protect this institution from takeover without realizing that it would be good for its health if this were allowed. At least the new owners would bring in a training program on 'Better Communication Skills for Chairmen'.

I seem to be forgetting the information security and risk management aspects of this episode... and will cover them in the next post.

Wednesday, January 16, 2008

A Security Incident looked at closely

Incident Response, Handling, Management and Post-Incident actions are crucial to any security program, and this is a well recognized fact. Many companies do not test their systems; many do tests using internal 'gurus' who are generalists or hobbyists; some do it only for the sake of meeting a regulatory requirement; and so on. And unfortunately there are attacks, and then there are attacks which go undiscovered.

And then there was the mother of all compromises - the TJX Maxx incident, which went undetected for more than a year.

A very interesting 'anatomy' of a hack was published; it provides a situational view of what is happening and what to do.

Anatomy of a hack attack
Sally Whittle
Published: 07 Jan 2008 16:39 GMT

With the help of security experts, we recreate a typical hack attack on two large organisations and walk through the steps that the head of IT should follow in such a case.


It will be to the advantage of the security organization to build a culture of proactive security and to continuously update and test its responsiveness to incidents. Security officers must also participate in meetings with law enforcement agencies to be informed about ground realities and any happenings which may affect their organization too.


Tuesday, January 15, 2008

Education system should include IT Security

Education is key to building a culture of respect for the system in which we live, for nature, for our fellow beings and for all that which is not ours. This does not mean that I should not respect what is mine!

To get back to the subject of this post... I have mentioned the need to "reorient" education at all levels, and today this is exactly what the MP is talking about, and that's the way to go.

MP: Children must be taught IT security
Tom Espiner
Published: 10 Jan 2008 16:55 GMT

The UK government has said that young people need to be educated about IT security.

Minister of state for schools and learners Jim Knight told on Wednesday that, as there is increasing online interaction between schools and parents, young people need to know about the possible dangers of IT security being compromised.

I remember Moral Science classes in school where we were taught the virtues of honesty, loving my neighbor, respecting my elders et al. This shaped me into a responsible human being, and I believe that the same values are needed when we are talking about computing and internet usage.

12-year-olds are trading viruses!

14-year-olds are arrested for screwing up a public transport system!! The kid(s) think this is fun when grown-ups run around crazy just because he / she pressed the enter key without anyone being the wiser.

Yes, there is a need to include ethical computer usage, and it has to start young. It is a recognized fact that training and awareness are the most effective tools in any Information Security implementation, and the same solution has to be brought into the education system.

Maybe I shall make a check to see how many management or technology courses include ethical computing as part of their curriculum... fodder for my next post.

Dinesh Bareja
"ramble securely"