A Lesson in Poor Password Practices

February 11, 2008
Calum Macleod

French President Nicolas Sarkozy called the recent events at Societe Generale a "large-scale internal fraud." Societe Generale chairman Daniel Bouton said the fraud was a "one-off" and denied it was a trading or risk-management failure.

The Wall Street Journal on Jan. 25 reported that Jerome Kerviel, the Societe Generale equity derivatives trader accused of perpetrating the EUR4.9 billion fraud, "worked late into the night, essentially burrowing into Societe Generale's computers, as he allegedly built a multilayered way to hide his trades by hacking into the computer systems."

According to the Journal, the bank believes that "Kerviel spent many hours of hacking to eliminate controls that would have blocked his super-sized bets. Changes he is said to have made enabled him to eliminate credit and trade-size controls, so the bank's risk managers couldn't see his giant trades on the direction of indexes. Kerviel used the computer log-in and passwords of colleagues both in the trading unit and the technology section."

A study released by Carnegie Mellon University's Computer Emergency Response Team (Cert) in 2006 said that 90 percent of incidents in business relating to the loss of assets result from staff who have privileged access to IT systems and applications. In this case the suspect trader had "in-depth knowledge of the control procedures resulting from his former employment in the middle office," according to a Soc Gen statement, and "in-depth knowledge of the control procedures" certainly means privileged access to sensitive data.

Another interesting note from the Cert report is that 57 percent of those responsible for fraud should not have had authorized system access at the time of the attack. Many used privileged system access to take technical steps to set up the attack before their termination. It seems Kerviel had knowledge from six years in Societe Generale's back office. According to a bank spokesperson, he had to "breach five levels of controls to get away with his trades"--a piece of cake for anyone with privileged access.

Other results from Cert that Societe Generale would likely concur with today: 81 percent of the organizations that are attacked experience a negative financial impact as a result of insider activities; 75 percent see some impact on their business operations; and 28 percent suffer reputational damage.

How did it happen? The investigations are not complete, but Societe Generale, like many similar organizations, most likely does not have effective controls in place to govern privileged access to systems and applications.

Privileged user accounts have been aptly characterized as the most powerful in an IT enterprise environment. Privileged passwords protect critical applications and servers, operating systems and databases. They are often generic in nature and include, but are not limited to, accounts such as administrator on Wintel platforms, root on Unix systems, DBA passwords, and hard-coded passwords found in application scripts throughout an enterprise. If such a password becomes known, multiple systems--and businesses--are at risk. And these accounts cannot be managed by classic single-sign-on solutions.

In most organizations, people use the same password value for many systems and devices. This reuse creates a common security hole that can be exploited by anyone who has ever had access to one of those systems. System intruders use valid credentials to log in as a privileged user and target a system because the privileged password was either the default value provided by the manufacturer, was very weak and easy to guess, or simply hadn't been changed in years.
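One way to turn the three failure modes named above (a value shared across systems, a vendor default left in place, and no rotation for years) into an audit over a privileged-account inventory. This is an added example, not from the original article or from any bank's tooling; the inventory records, the short default-password list and the 90-day rotation threshold are constructed assumptions.

```python
"""Audit a privileged-account inventory for shared, default and stale passwords.

Added example (not from the article). In a real deployment the secrets would
stay in a vault and only a keyed fingerprint of each would be compared.
"""
import hashlib
from collections import defaultdict
from datetime import date

# Constructed sample inventory: one record per privileged account.
INVENTORY = [
    {"system": "trading-db01", "account": "sa", "password": "Summer2007!", "last_rotated": date(2007, 6, 1)},
    {"system": "risk-app01", "account": "administrator", "password": "Summer2007!", "last_rotated": date(2007, 6, 1)},
    {"system": "mid-office-unix", "account": "root", "password": "Summer2007!", "last_rotated": date(2004, 2, 10)},
    {"system": "core-router", "account": "admin", "password": "admin", "last_rotated": date(2002, 1, 15)},
    {"system": "batch-host", "account": "oracle", "password": "x9#Kq-7pLm!2", "last_rotated": date(2008, 1, 20)},
]

# Constructed stub of a vendor-default list; a real audit would use a curated one.
KNOWN_DEFAULTS = {"admin", "password", "changeme", "root"}


def fingerprint(secret, salt=b"audit-run-2008-02"):
    """Salted digest so reuse can be detected without keeping plaintext around.
    Use an HMAC with a per-run key for anything beyond an illustration."""
    return hashlib.sha256(salt + secret.encode()).hexdigest()[:16]


def audit(inventory, today, max_age_days=90, defaults=KNOWN_DEFAULTS):
    """Return {(system, account): [issues]} for every account with a finding.

    Issues: 'vendor-default', 'stale' (older than max_age_days) and
    'shared-with-N' (N other accounts hold the identical password value).
    """
    findings = defaultdict(list)
    accounts_by_fp = defaultdict(list)  # fingerprint -> accounts using it
    for rec in inventory:
        key = (rec["system"], rec["account"])
        accounts_by_fp[fingerprint(rec["password"])].append(key)
        if rec["password"].lower() in defaults:
            findings[key].append("vendor-default")
        if (today - rec["last_rotated"]).days > max_age_days:
            findings[key].append("stale")
    for keys in accounts_by_fp.values():
        if len(keys) > 1:  # same value on more than one system: one leak, many hosts
            for key in keys:
                findings[key].append(f"shared-with-{len(keys) - 1}")
    return dict(findings)


if __name__ == "__main__":
    for (system, account), issues in sorted(audit(INVENTORY, date(2008, 2, 11)).items()):
        print(f"{system:16} {account:14} {', '.join(issues)}")
```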