Updated:

Société Générale Bank: Effective Security Controls Report (Assessment)

Exclusively available on Available only on IvyPanda® Made by Human No AI

Introduction

Société Générale Bank was established in 1864 in France by a caucus of moguls and investors with the aim of improving and bolstering their commercial ventures. Over the years, the bank has tremendously improved its financial outlay. This has enabled it to extend its presence in many nations. Today, the bank is among the successful financial institutions globally.

The bank offers retail banking, savings schemes and intercontinental banking services. Thus, the bank handles thousands of varied transactions daily. Despite its success in the corporate arena, it has experienced a myriad of fraudulent cases which have affected its corporate profile and are likely to retard its future growth. This paper identifies and discusses the policies, vulnerabilities, risks and internal controls of Société Générale.

Fraudsters have pervaded the financial sector with the banking subsector being the hardest hit. It has been quite challenging to track fraudsters because they apply sophisticated technologies which banks cannot keep pace with. In simple terms, bank fraud refers to the unlawful mechanisms of accessing or being in possession of money or other properties that belong to a financial company. Bank fraud can also be practiced in form of receiving money from shareholders by purporting to be a genuine financial institution. Destabilization of the financial base of an organization is one the most devastating effects of fraud.

With reference to the banking sector, fraud can lead to a mass exodus of potential depositors who may no longer trust the bank with their savings. Second, fraud can cause serious liability to a bank; hence, culminating into a collapsed bank situation. Fraud in the bank can either be conducted by the staff or outsiders. In some cases, the two can conspire to siphon out assets and money from the bank.

“The most serious incidence of fraud that Société Générale has ever witnessed occurred on 24-1-2008, when Jérôme Kerviel (a single futures dealer) allegedly lost close to US$7.2 billion” (NBC News, 2008). This was the worst case of fraud the bank has suffered since its inception (CBS News, 2009). Kerviel is believed to have coordinated and executed a chain of fake transactions, which the bank could not trace.

The management of the bank revealed that Kerviel exploited every loophole to hack the computer operations at the bank. He mainly focused on tampering with security control systems to pave way for his illegal transactions. The changes Kerviel effected on the computer systems helped him to get rid of credit controls; hence, the risk personnel could not easily track his huge transactions.

He was also reported to have stolen the secret codes of his workmates that served at the trading section and department of technology. Kerviel possessed vast technical control procedures that enabled him to manipulate the security installations. Thus, he was able to access important information that was out of reach to many employees. Having served in the back office for roughly six years, Kerviel learnt how the control systems of the bank operated. Finally, he gained privileged access codes that he used to eliminate five control systems before executing his transactions.

An in-depth security analysis of the fraud incident revealed that lack of proper information control systems prompted the hacking of the privilege codeword. Privileged user accounts are one of the most secure IT venture settings, and are used to secure sensitive databases and servers.

The secret codes are “generic in character; they encompass, but are not restricted to generic accounts such as administrator on Wintel platforms, root on UNIX systems, and hard-coded passwords” (Bishop, 2009, p. 345). One disadvantage of this kind of data security system is that in case the secret code is revealed to many individuals, several operating systems can easily be hacked.

The bank was probably using a single security code to secure several systems. This kind of security system creates loopholes, which can easily be misused by fraudsters. System prowlers apply authentic codes to access systems just like privileged users. They like attacking systems because they are often secured using weak secret codes that can easily be conjectured or have remained unchanged for a long time. An application like Weblogic that is secured with embedded privileged secret codes has high chances of being hacked.

Reviewing Current Policies

The establishment of appropriate and reliable security policies at Société Générale needs a clear approach that will facilitate the identification of the current computer vulnerabilities. The status of the current security policies can be established by analyzing current documents and detecting parts of the system that lack appropriate policies. “The critical areas of the system that need to be reviewed include: physical access controls, network security policies, data security policies and contingency and disaster recovery plans and tests” (Gollmann, 2011, p. 123).

“In addition, documents that have confidential data like computer BIOS secret codes, router configuration secret codes and access control documents should also be reviewed” (Gollmann, 2011, p. 125). Examining the security requirements of Société Générale should also involve finding out the extent of its exposure to known threats. This analysis encompasses identifying the nature of the bank’s assets because they determine the type of risks it should be protected from.

It is also important to list the potential risks because it enables the security personnel to determine techniques such as email hacking and viruses that can be applied in the attack. Therefore, the security personnel at Société Générale Bank should improve their skills of tackling such challenges.

Improving Security Strategies

A good security system is supposed to include both proactive and reactive approaches. A proactive strategy has a number of procedures that mitigate potential security risks and build up emergency plans. Determining the destruction that an onslaught will cause on a given data assists in creating a strategy that is proactive. On the other hand, a reactive plan assists in examining the extent of damage on a system after it has been hacked. This helps in making decisions such as repairing the corrupted system or implementing emergency plans.

The first step towards securing the system is developing effective mechanisms for identifying potential risks and developing mechanisms to resist the potential risks. Start by securing the system against common threats. It is easier to prevent threats than to reconstruct the system after an attack.

All potential threats that may destabilize the system should also be scrutinized by the security administrators. These potential threats include malevolent prowlers, non wicked threats, and natural calamities. Consider all of the possible threats that cause attacks on systems. Most of the attacks are caused by employees.

Reactive Strategy

A reactive strategy could offer the best solution to deal with the fraud case at Société Générale because the proactive strategy failed to secure the system.

The reactive plan identifies the procedures that should be followed during and after intrusion. “This strategy detects the extent of the destruction caused and the loopholes that were taken advantage of in the attack, it establishes why it occurred, refurbish the spoilt systems, and execute an eventuality plan if available” (Pfleeger, 2008, p. 657). Reactive and proactive strategy work hand in hand to buildup security controls to mitigate intrusion and the destruction caused during such incidences.

Assess the Damage

Identify the destruction that occurred during the intrusion. This process should be executed very quickly so that reconstruction of the system can commence as soon as possible.

Establish the Source of the Damage

This can be achieved by analyzing the system logs because they give clue about the origin of the attack. System and audit logs can also be examined because they are also instrumental in tracing the source of an attack.

Repair the Damage

Reconstruction of the system should be done immediately after detecting the source of the attack to facilitate the execution of usual operations and whatever information misplaced during the interruption.

Document and Learn

Where feasible, all attack situations must be analyzed and documented to identify the most appropriate security steps and controls that can secure the system. The security group should handle cases such as insider attacks and viruses. Such efforts generate skills that a company can apply and data to give out before and after incidents.

In addition, the security team is supposed to examine any unfamiliar occurrence which may involve system controls. Documentation must encompass all the facets of the attack which can possibly be identified. Documentation will assist in adjusting proactive strategies for curbing potential intrusion or reducing destructions.

Implement Contingency Plan

If there is a contingency arrangement, it can be put into operation to avoid time wastage and to maintain business operations. In a situation whereby there is no emergency plan, create a suitable plan based on the evidence from the previous step.

Review Outcome

“Examining the outcome is important and should involve: loss in efficiency, information or mislaid, and the used to reorganize the system” (Pfleeger, 2008, p. 678). If possible, list the type of attack, its source, the mechanisms that were used to execute it, and the loopholes that were exploited.

Review Policy Effectiveness

If there are policies to guard against an intrusion that has occurred, they must be examined, reviewed and tested out for their efficiency. New polices must be created if they have not been used before to reduce potential attacks.

Amend Policy Properly

If the policy is of poor quality, it must be upgraded properly. Updating of polices should only be undertaken by an authorized personnel that deals with system securities. Moreover, a security policy can be configured in a manner that it only allows the users to access the system during the normal working hours. This reduces hacking incidences.

Conclusion

The security managers of Société Générale should determine the amount of time and resources that can enable them to create effective security controls. Apart from setting up an efficient security strategy, security auditors need to realize that security is a full time need in the organization. Hence, they should always update their security system regularly.

More related papers Related Essay Examples
Cite This paper
You're welcome to use this sample in your assignment. Be sure to cite it correctly

Reference

IvyPanda. (2018, June 19). Société Générale Bank: Effective Security Controls. https://ivypanda.com/essays/cyber-security-assessment/

Work Cited

"Société Générale Bank: Effective Security Controls." IvyPanda, 19 June 2018, ivypanda.com/essays/cyber-security-assessment/.

References

IvyPanda. (2018) 'Société Générale Bank: Effective Security Controls'. 19 June.

References

IvyPanda. 2018. "Société Générale Bank: Effective Security Controls." June 19, 2018. https://ivypanda.com/essays/cyber-security-assessment/.

1. IvyPanda. "Société Générale Bank: Effective Security Controls." June 19, 2018. https://ivypanda.com/essays/cyber-security-assessment/.


Bibliography


IvyPanda. "Société Générale Bank: Effective Security Controls." June 19, 2018. https://ivypanda.com/essays/cyber-security-assessment/.

If, for any reason, you believe that this content should not be published on our website, please request its removal.
Updated:
This academic paper example has been carefully picked, checked and refined by our editorial team.
No AI was involved: only quilified experts contributed.
You are free to use it for the following purposes:
  • To find inspiration for your paper and overcome writer’s block
  • As a source of information (ensure proper referencing)
  • As a template for you assignment
Privacy Settings

IvyPanda uses cookies and similar technologies to enhance your experience, enabling functionalities such as:

  • Basic site functions
  • Ensuring secure, safe transactions
  • Secure account login
  • Remembering account, browser, and regional preferences
  • Remembering privacy and security settings
  • Analyzing site traffic and usage
  • Personalized search, content, and recommendations
  • Displaying relevant, targeted ads on and off IvyPanda

Please refer to IvyPanda's Cookies Policy and Privacy Policy for detailed information.

Required Cookies & Technologies
Always active

Certain technologies we use are essential for critical functions such as security and site integrity, account authentication, security and privacy preferences, internal site usage and maintenance data, and ensuring the site operates correctly for browsing and transactions.

Site Customization

Cookies and similar technologies are used to enhance your experience by:

  • Remembering general and regional preferences
  • Personalizing content, search, recommendations, and offers

Some functions, such as personalized recommendations, account preferences, or localization, may not work correctly without these technologies. For more details, please refer to IvyPanda's Cookies Policy.

Personalized Advertising

To enable personalized advertising (such as interest-based ads), we may share your data with our marketing and advertising partners using cookies and other technologies. These partners may have their own information collected about you. Turning off the personalized advertising setting won't stop you from seeing IvyPanda ads, but it may make the ads you see less relevant or more repetitive.

Personalized advertising may be considered a "sale" or "sharing" of the information under California and other state privacy laws, and you may have the right to opt out. Turning off personalized advertising allows you to exercise your right to opt out. Learn more in IvyPanda's Cookies Policy and Privacy Policy.

1 / 1